Getting started

Products concerned: SNS in 4.3.21 LTSB and higher versions of 4.3 LTSB, SNS 4.7 and higher versions, VPN Client Exclusive in 7.4 and higher versions

"Diffusion Restreinte (DR)" (restricted) mode forces the firewall to comply with the recommendations of the ANSSI (French national information security agency) on the use of coprocessors and cryptographic accelerators on products to be qualified. This mode must be enabled on networks that fall under the "Restricted" category.

This mode relies in particular on the use of software versions of asymmetric and symmetric cryptographic algorithms and of random key generation algorithms.

In this technical note, "Diffusion Restreinte (DR)" mode is referred to in its short form "DR mode".

The sections in this technical note explain the operations that you can perform on SNS firewalls. Continue according to the actions that you wish to perform:

| Date | Description |
| --- | --- |
| December 13, 2023 | Spelling correction of custom parameter NoNATTNegotiation ("Creating a DR mode-compatible tunnel on SN VPN Client Exclusive" section) |
| November 2, 2023 | SNS 4.7 release |
| October 18, 2023 | Changes to sections "Assessing the impact of enabling DR mode", "Updating an SNS firewall that has already been configured in DR mode" and "Ensuring the compliance of the SNS firewall's configuration with DR mode"; addition of section "Ensuring the compliance of a mobile IPsec client's configuration with DR mode" |
| September 12, 2022 | Addition of section "Stormshield IPsec VPN client"; changes to the section "Selecting authentication and encryption algorithms" |
| December 08, 2021 | Changes to the section "Enabling verification of peer certificate revocation" |
| August 27, 2021 | Changes to section "Evaluating the impact of DR mode (SNS v4.2 and upwards)" |
| August 25, 2021 | New document |