Getting started

Product concerned: SNS 4.2 and higher versions

The Enable “ANSSI Diffusion Restreinte (DR)” mode option forces the firewall to comply with the recommendations of the ANSSI (the French national information security agency) on the use of coprocessors and cryptographic accelerators in products that are to be qualified. This mode is mandatory on networks that carry the “Restricted” marking.
This mode relies in particular on software implementations of asymmetric and symmetric cryptographic algorithms and of random key generation algorithms. For symmetric encryption algorithms, the "AES-NI" instructions available on certain products (SNi20, SNi40, SN510, SN710, SN910, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100) are exempt, as they consist only of “simple acceleration instructions” for certain cryptographic operations.

The ANSSI Diffusion Restreinte (DR) mode in SNS 4.2 versions and higher is not compatible with DR mode in earlier SNS versions.
Likewise, a firewall in DR mode cannot set up IPsec VPN tunnels with an SNS firewall or third-party device in “standard” IPsec mode.


Date Description
September 12, 2022 New section Stormshield IPsec VPN client; Section Selecting authentication and encryption algorithms modified
December 08, 2021 Section Enabling verification of peer certificate revocation modified
August 27, 2021 Section Assessing the impact of implementing DR mode (SNS v4.2 and higher) modified
August 25, 2021 New document