03-26-2021 11:07 AM - edited 03-26-2021 11:09 AM
I'm looking to make some modifications to Site-to-Site VPN IKE-Gateway/IPSec profiles and GlobalProtect IPSec Crypto Profile.
For GlobalProtect IPSec, I'd like to switch from aes-128-cbc to GCM. I know GCM is more secure and has better performance but what I'm unsure about is if I need aes-256-gcm or is aes-128-gcm acceptable.
For the site-to-site, both IKE and IPSec Crypto are both using aes-256-cbc. Should I be using aes-256-gcm or aes-128-gcm? What DH groups are acceptable to use with GCM? I currently have 14 and 5 in my list
I know one option is to add both and set the order to most secure, but just wondering if aes-256-gcm is overkill?
One last question, for globalprotect, is there a way to see what encryption the client is using? For instance, if I added aes-128-gcm and left aes-128-cbc as a second option, is there a command to see what was negotiated?
03-26-2021 11:20 AM
Hello,
So only my opinion, I would use the highest level that I could, so between the two choices, 256. The system logs are the ones that show VPN events so check there. I try to stay away from the cbc ciphers if gcm is available, more personal preference. I wouldnt set an order. Just set the ones you want to use and go from there. The GP clients should be OK. For the site-to-site tunnels, you'll need to use what is available on both sides.
Hope that helps.
03-26-2021 11:20 AM
Hello,
So only my opinion, I would use the highest level that I could, so between the two choices, 256. The system logs are the ones that show VPN events so check there. I try to stay away from the cbc ciphers if gcm is available, more personal preference. I wouldnt set an order. Just set the ones you want to use and go from there. The GP clients should be OK. For the site-to-site tunnels, you'll need to use what is available on both sides.
Hope that helps.
03-26-2021 11:32 AM
Thanks for the response.
You mentioned don't set an order, but I believe the first one listed would be used? So if aes-128-gcm was at the top of the list, then aes-gcm-256 would never be used?
03-26-2021 11:34 AM
So the answer there is it depends. Some systems first try the highest level of security before moving down the list until one is negotiated. You can force the setting by removing the 128 option and only having 256 as the option.
Hope that makes sense.
03-26-2021 11:59 AM
thanks @OtakarKlier
All my VPNs are Palo to Palo, so I should be okay. I was worried about encryption overhead causing performance issues by going too high with aes-256
I'm not in a government or finance sector, where I have stringent rules 🙂
03-26-2021 12:01 PM
Understandable. However if your PAN's are running low CPU's now. bumping it up shouldnt hurt. 128bit is still within FIPS standards.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
