Diffusion Restreinte option

When an SNS firewall is used in a “restricted” context (Diffusion Restreinte), additional constraints must be implemented to comply with the appropriate protection rules. These constraints are explained in the Stormshield technical note IPsec VPN - Diffusion Restreinte mode.

In particular, the way the main hardware cryptographic components are managed must be adapted when the instruction set of the (co)processor does not provide sufficient guarantees regarding their use and protection (risk of data leaks or disclosure). The downside of this option is that it affects the performance of the encryption and decryption functions on SNS firewalls equipped with such (co)processors.

R19 | SNS | Enable the Diffusion Restreinte option
Diffusion Restreinte mode should be enabled in Configuration > System > Configuration > General configuration when the SNS firewall is located on a network with the same restricted status and its cryptographic functions are used.

R19 | SMC | Enable the Diffusion Restreinte option
Diffusion Restreinte mode should be enabled on the SMC server in Maintenance > SMC server > Settings.

INFORMATION
When Diffusion Restreinte mode is enabled on the SMC server, an automatic deployment enables Diffusion Restreinte mode on SNS firewalls connected to the SMC server. Once the mode is enabled, SNS firewalls on which Diffusion Restreinte mode has never been enabled can no longer be connected to the SMC server.