Diffusion Restreinte option
When an SNS firewall is used in a “restricted” context (Diffusion Restreinte), additional constraints must be implemented to comply with the appropriate protection rules (in French). These constraints are explained in the Stormshield technical note IPsec VPN - Diffusion Restreinte mode.
In particular, the management of the primary cryptographic hardware components must be adapted when the instruction set of the (co)-processor does not provide sufficient guarantees regarding their use and their protection (risk of data leaks or disclosure). The downside of using this option is that it affects the encryption and decryption performance of SNS firewalls equipped with such (co)-processors.
R19 | SNS | Enable the Diffusion Restreinte option
Diffusion Restreinte mode must be enabled in Configuration > System > Configuration > General configuration when the SNS firewall is located on a network with the same restricted status and its cryptographic functions are used.
R19 | SMC | Enable the Diffusion Restreinte option
We recommend enabling Diffusion Restreinte mode on the SMC server in Maintenance > SMC server > Parameters.
INFORMATION
When Diffusion Restreinte mode is enabled on the SMC server, an automatic deployment enables Diffusion Restreinte mode on SNS firewalls that are connected to the SMC server. Once this mode is enabled, SNS firewalls on which Diffusion Restreinte mode has never been enabled will no longer be able to connect to the SMC server.
For more information, refer to the SMC server documentation.