Security specifications

Communications

TLSv1.3 is the default for all communications. When the peer does not support TLSv1.3, TLSv1.2 is used as a fallback. The tunnel protocol used for the VPN connection can be configured in Sites > General.

| Function | Cipher / algorithm | Authentication and notes |
|---|---|---|
| Appliance to Appliance communication | nginx_peer_ciphers = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 | Mutual certificate-based authentication with DN checking is used for communications between appliances (port 443) |
| Client and Admin to Appliance communication (defaults) | nginx_client_ciphers = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 (nginx client on 443 and 8443) | |
| SSH to Appliance | Ciphers = AES-256-CTR, AES-192-CTR, AES-128-CTR | |
| Client to Gateway tunnel | Cipher = TLS13-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 | Mutual certificate-based authentication with DN checking is used for communications |
| Single Packet Authorization | Cipher = AES-256-GCM | |
| Appliance certificate generated by a Controller | SHA512 with RSA, key size 4096. A Certificate Authority with a maximum of 0 intermediate CAs: basicConstraints = critical, CA:true, pathlen:0; keyUsage = critical, digitalSignature, cRLSign, keyCertSign | The CA cert is used for the controller-client authentication to communicate with appliances: extendedKeyUsage = clientAuth, serverAuth |
| Claim and entitlement token encryption | Cipher = AES-256-CTR | |
| Database encryption | Cipher = AES-256-CTR | |
| Backup file | Cipher = GPG symmetric (AES-256-CFB) | |
| FIPS | 6.4.1 and later desktop clients comply with FIPS 140-3. 6.4.1 and later appliances comply with FIPS 140-3 for appliance to appliance and client to appliance communication. See https://csrc.nist.gov/publications/detail/fips/140/3/final. AppGate ZTNA uses the wolfCrypt module. See https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/4718. 6.4.0 desktop clients and appliances comply with FIPS 140-2. | |
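The certificate profile listed above for a Controller-issued appliance CA can be verified on an exported PEM file with OpenSSL. The following is an added example, not AppGate's own tooling: it builds a sample certificate carrying exactly the listed extensions, then checks any PEM file against the profile. It assumes `openssl` is on PATH; the CN and file names are placeholders chosen for the demo.

```shell
# Added example (not AppGate's tooling): build a certificate with the extension
# profile the table lists for a Controller-issued appliance CA, then check any
# PEM file against that profile using the text output of `openssl x509`.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory, a placeholder for this demo

# make_sample_ca OUT_PEM KEYBITS DIGEST: self-signed CA with the listed extensions.
# pathlen:0 is the X.509 encoding of "maximum number of intermediate CAs: 0".
make_sample_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = sample-appliance-ca
[ca_ext]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
extendedKeyUsage = clientAuth, serverAuth
EOF
  openssl req -x509 -newkey "rsa:$2" "-$3" -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$1" -config "$WORK/ca.cnf" >/dev/null 2>&1
}

# expect SUBSTRING MESSAGE: record a failure if SUBSTRING is absent from $txt.
expect() { case "$txt" in *"$1"*) ;; *) echo "FAIL: $2"; rc=1 ;; esac; }

# check_ca_cert PEM: print one FAIL line per unmet constraint; status 1 if any.
check_ca_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  rc=0
  expect "Signature Algorithm: sha512WithRSAEncryption" "signature is not SHA512 with RSA"
  expect "Public-Key: (4096 bit)" "RSA key size is not 4096"
  expect "CA:TRUE, pathlen:0" "basicConstraints is not CA:true with pathlen:0"
  expect "Digital Signature, Certificate Sign, CRL Sign" "keyUsage differs from the listed set"
  expect "TLS Web Client Authentication, TLS Web Server Authentication" "extendedKeyUsage differs"
  return $rc
}

# Demo: a conforming certificate passes; a 2048-bit SHA-256 one is reported.
GOOD="$WORK/good.pem"; BAD="$WORK/bad.pem"
make_sample_ca "$GOOD" 4096 sha512
make_sample_ca "$BAD" 2048 sha256
check_ca_cert "$GOOD" && echo "good.pem: all listed constraints met"
check_ca_cert "$BAD" || echo "bad.pem: rejected"
```

Point check_ca_cert at a certificate exported from an appliance to confirm it matches the profile; each FAIL line names the constraint that was not met.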