Operation and limitations

Authentication modes on the SNS firewall compatible with TOTP

The TOTP solution can be used to strengthen the following authentication modes on the SNS firewall:

  • Captive portal,

  • SSL VPN tunnels (OpenVPN technology only),

  • Web administration interface,

  • Console or SSH,

  • IPsec VPN tunnels in IKEv1 (Xauth method only).

Built-in and autonomous TOTP solution on each SNS firewall

The TOTP solution is built into each SNS firewall and operates independently on each one, except within a high availability cluster. Users who authenticate on several TOTP-enabled SNS firewalls must therefore enroll separately on each of them and, when authenticating, enter the TOTP generated from the secret enrolled for that particular firewall.

How time-based one-time passwords work

The TOTP solution relies on time-based one-time passwords (TOTPs). A TOTP is valid only for a fixed period and, within that period, can be used for only one authentication. The same TOTP therefore cannot be used for two consecutive authentications, for example to open a VPN tunnel and then log in via SSH: the user must wait for the next code to be generated before performing the second authentication.

This system can only work if the date and time on the SNS firewall and on the users' authenticators (applications or hardware tokens) are synchronized. A skewed clock on either side causes otherwise valid codes to be rejected, so the firewall's time should be kept synchronized with an NTP server.
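As an added illustration, and not code from the SNS firewall or from Stormshield, the following Python implements the standard RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second period, 6 digits; the SNS firewall's own parameters are not stated on this page) together with a server-side verifier that enforces the one-authentication-per-period rule described above. The seed (the RFC 6238 test-vector key), the tolerance of one period of clock skew in either direction, and the VPN-then-SSH login sequence are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed for this example: the RFC 6238 test-vector seed, not a real enrolled secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier that accepts at most one login per code period."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        # Assumption for the example: tolerate one period of clock skew on either side.
        self.drift_steps = drift_steps
        # Highest period already consumed by a successful login (-1: none yet).
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate_step = current + delta
            if candidate_step < 0:
                continue
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                # Correct code, but its period was already used by a login: reject the replay.
                if candidate_step <= self.last_accepted_step:
                    return False
                self.last_accepted_step = candidate_step
                return True
        return False


def demo():
    """VPN login, then SSH login reusing the same code, then SSH login once a new code exists."""
    verifier = TotpVerifier(SECRET)
    t = 1111111100                       # constructed timestamp, period 37037036
    code = totp(SECRET, t)
    results = [("vpn", verifier.verify(code, t))]          # first use: accepted
    results.append(("ssh", verifier.verify(code, t + 5)))  # same code, same period: rejected
    t = 1111111111                       # the next 30-second period has started
    results.append(("ssh", verifier.verify(totp(SECRET, t), t)))  # fresh code: accepted
    return results


if __name__ == "__main__":
    for service, accepted in demo():
        print(service, "accepted" if accepted else "rejected")
```

The verifier records the period of the last accepted code rather than the code itself, which is what makes the "VPN then SSH with the same code" case fail even when the code is otherwise correct. A client whose clock is several minutes off produces codes outside the tolerated window and is rejected outright, which is the practical reason the firewall and the authenticators must be kept in sync.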

Managing TOTP with the admin account on the SNS firewall

The admin account on the SNS firewall cannot use TOTP. Logging in with the admin account is nevertheless required for certain operations, such as resetting an administrator's TOTP enrollment or the TOTP enrollment of all users.