Security specifications


Communications

TLSv1.3 is the default for all communications; when the peer does not support TLSv1.3, TLSv1.2 is used as a fallback. The tunnel protocol used for the VPN connection can be configured in Sites > General.

Appliance to Appliance communication

nginx_peer_ciphers = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

Mutual certificate-based authentication with DN checking is used for communications between appliances (port 443).

Client and Admin to Appliance communication (defaults)

nginx_client_ciphers = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

Served by the nginx client listener on ports 443 and 8443.

SSH to Appliance

Ciphers = AES-256-CTR, AES-192-CTR, AES-128-CTR

Client to Gateway tunnel

Cipher = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

Mutual certificate-based authentication with DN checking is used for communications.
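The cipher strings above are OpenSSL cipher-list syntax, so a practitioner can verify a configured string against a policy (AEAD only, forward secrecy, 256-bit strength) by letting the local OpenSSL expand it. The script below is an added example and is not AppGate code; it uses only Python's standard `ssl` module. It assumes the "TLS13-" entries are this page's spelling of the TLS 1.3 suites, which OpenSSL configures separately from the TLS 1.2 list, so only the TLS 1.2 entries are resolved and inspected.

```python
import ssl

# Cipher strings exactly as listed on this page (constructed lookup table).
# OpenSSL configures TLS 1.3 suites separately, so the check below strips the
# "TLS13-" entries and inspects only what the TLS 1.2 list resolves to.
PAGE_CIPHER_STRINGS = {
    "nginx_peer_ciphers": "TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
    "nginx_client_ciphers": "TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
}


def resolve_tls12_suites(cipher_string):
    """Ask the local OpenSSL which TLS 1.2 suites a cipher string expands to."""
    legacy = [c for c in cipher_string.split(":") if c and not c.startswith("TLS13-")]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(":".join(legacy))  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def check_cipher_policy(cipher_string, min_bits=256):
    """Return a list of findings; an empty list means every resolved TLS 1.2
    suite is AEAD, offers forward secrecy and is at least min_bits strong."""
    try:
        suites = resolve_tls12_suites(cipher_string)
    except ssl.SSLError as exc:
        return [f"cipher string not usable by the local OpenSSL: {exc}"]
    if not suites:
        return ["no TLS 1.2 suites resolved; the TLS 1.2 fallback could not work"]

    findings = []
    for s in suites:
        name = s["name"]
        if not s["aead"]:
            findings.append(f"{name}: not an AEAD suite")
        # OpenSSL reports the key exchange as e.g. "kx-ecdhe"; anything that is
        # not an (EC)DHE exchange has no forward secrecy.
        kea = (s["kea"] or "").lower()
        if not any(tok in kea for tok in ("ecdh", "dhe")):
            findings.append(f"{name}: no forward secrecy (kx={s['kea']})")
        if s["strength_bits"] < min_bits:
            findings.append(f"{name}: only {s['strength_bits']}-bit")
    return findings


if __name__ == "__main__":
    for setting, value in PAGE_CIPHER_STRINGS.items():
        print(setting, check_cipher_policy(value) or "OK")
    # A weak, constructed string (RSA key exchange, CBC with HMAC) for contrast.
    print("AES256-SHA256", check_cipher_policy("AES256-SHA256"))
```

Running the script reports OK for both page strings and flags the constructed RSA-key-exchange, non-AEAD suite; the same function can be pointed at any `ssl_ciphers` value pulled from a deployed nginx configuration.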

Single Packet Authorization

Cipher = AES-256-GCM

Appliance certificate generated by a Controller

SHA512 with RSA, keysize 4096

A Certificate Authority with a maximum of 0 intermediate CAs:

basicConstraints = critical, CA:true, pathlen:0

keyUsage = critical, digitalSignature, cRLSign, keyCertSign

The CA certificate is also used for Controller-to-appliance client authentication: extendedKeyUsage = clientAuth, serverAuth
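The certificate profile above (RSA 4096, SHA-512, critical basicConstraints with pathlen:0, critical keyUsage, clientAuth and serverAuth) is something an operator can check on an issued certificate rather than trust. The following is an added example, not AppGate's code, that verifies a certificate against that profile and builds a constructed self-signed sample (conforming and non-conforming) to exercise it. It assumes the third-party `cryptography` package is installed; the name "sample-appliance-ca" is invented.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# EKUs the page requires on the CA certificate.
REQUIRED_EKU = {ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH}


def check_appliance_ca_profile(cert: x509.Certificate) -> list:
    """Return the ways `cert` deviates from the CA profile on this page;
    an empty list means it conforms."""
    problems = []

    key = cert.public_key()
    if not isinstance(key, rsa.RSAPublicKey) or key.key_size != 4096:
        problems.append("public key is not RSA 4096")
    if not isinstance(cert.signature_hash_algorithm, hashes.SHA512):
        problems.append("signature hash is not SHA-512")

    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
        if not (bc.critical and bc.value.ca and bc.value.path_length == 0):
            problems.append("basicConstraints is not critical, CA:true, pathlen:0")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints missing")

    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage)
        v = ku.value
        if not (ku.critical and v.digital_signature and v.crl_sign and v.key_cert_sign):
            problems.append("keyUsage is not critical with digitalSignature, cRLSign, keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("keyUsage missing")

    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
        if not REQUIRED_EKU.issubset(set(eku.value)):
            problems.append("extendedKeyUsage lacks clientAuth and serverAuth")
    except x509.ExtensionNotFound:
        problems.append("extendedKeyUsage missing")

    return problems


_KEY = None


def _sample_key():
    """One RSA-4096 key, generated lazily and shared by the constructed samples."""
    global _KEY
    if _KEY is None:
        _KEY = rsa.generate_private_key(public_exponent=65537, key_size=4096)
    return _KEY


def make_sample_ca(conforming: bool) -> x509.Certificate:
    """Constructed self-signed CA certificate. With conforming=False it omits
    pathlen, signs with SHA-256 and carries no extendedKeyUsage."""
    key = _sample_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample-appliance-ca")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(
            x509.BasicConstraints(ca=True, path_length=0 if conforming else None),
            critical=True,
        )
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if conforming:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH,
                                   ExtendedKeyUsageOID.SERVER_AUTH]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA512() if conforming else hashes.SHA256())


if __name__ == "__main__":
    print("conforming:", check_appliance_ca_profile(make_sample_ca(True)) or "OK")
    print("non-conforming:", check_appliance_ca_profile(make_sample_ca(False)))
```

To check a real certificate, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `check_appliance_ca_profile`; the pathlen:0 check is the one that matters most, since it is what stops a compromised appliance certificate from being used to mint further CAs.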

Claim and entitlement token encryption

Cipher = AES-256-CTR

Database encryption

Cipher = AES-256-CTR

Backup file

Cipher = GPG symmetric (AES-256-CFB)

FIPS

6.4.1 and later desktop clients comply with FIPS 140-3.

6.4.1 and later appliances comply with FIPS 140-3 for appliance-to-appliance and client-to-appliance communication.

See https://csrc.nist.gov/publications/detail/fips/140/3/final.

AppGate ZTNA uses the wolfCrypt module. See https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/4718.

6.4.0 desktop clients and appliances comply with FIPS 140-2.

Common Criteria and NIAP Protection Profile (PP)

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4 with the Functional Package for Transport Layer Security (TLS), Version 1.1 applied.

AppGate ZTNA v6.4

Protection Profile for Application Software Version 1.4

Report

Cryptographic Module Validation Program (CMVP)

FIPS 140-3 using wolfCrypt. AppGate updates FIPS compliance as soon as there is a compliant cryptographic module available from wolfCrypt.

AppGate ZTNA v6.4.1+

FIPS 140-3

Certificate

508 Compliance

AppGate updates 508 compliance with each new major release, such as v6.0, or when a minor release materially impacts the existing 508 compliance.

AppGate ZTNA v6.1

Web Content Accessibility Guidelines 2.0

Report