Explanations on usage when the TPM is initialized
This section explains how to back up and restore a configuration, how to set up the initial configuration using a USB key, and how to calculate the high availability quality factor once the TPM has been initialized.
Backing up a configuration
The configuration of the SNS firewall can be manually or automatically backed up from the web administration interface, the CLI console, or from the SMC server.
Depending on the method used, there are specific conditions on the presence of protected private keys in the backup file, and on their encryption status.
| | Manual backups: SNS interface | Manual backups: SNS CLI console | Manual backups: SMC (CLI script) | Automatic backups: SNS interface | Automatic backups: SMC interface |
|---|---|---|---|---|---|
| Protected private keys in the backup file | Decrypted | Decrypted; they can be kept encrypted with the token `ondiskprotect=1` | Remain encrypted | N/A | N/A |
For more information on backing up a configuration:
- For the SNS firewall web administration interface, go to Maintenance > Backup tab in the v4.8 or v4.3 LTSB SNS User guide, depending on the version used.
- For the SNS firewall CLI console, use the CONFIG BACKUP command; its options are listed with: CONFIG BACKUP HELP
- For the SMC server, go to Backing up the configuration of firewalls in the SMC administration guide.
IMPORTANT
The SMC server makes it possible to automatically back up the configuration on SNS firewalls. When the TPM is initialized, all private keys of certificates, regardless of whether they are TPM-protected, will be excluded from automatic backups.
Restoring a configuration backup
Backups containing encrypted private keys can only be restored on the original firewall. Encrypted private keys cannot be decrypted on another SNS firewall as the symmetric key is assumed to be different.
There are a few exceptions in the following cases:
- If the symmetric key derivation mechanism was used to generate the symmetric key from the TPM password, and this password is the same on both SNS firewalls. In this case, the symmetric key is the same on both SNS firewalls.
- Following the exchange of a firewall (RMA) configured in high availability. For more information, refer to the instructions in the Stormshield knowledge base article Following an RMA, how can I synchronize the configuration and the content of the TPM? (authentication required).
Initial configuration via USB key
During the initial configuration of an SNS firewall via USB key, two operations allow you to interact with the TPM:
- The initTPM operation allows you to initialize the SNS firewall's TPM. If the SNS firewall is part of a high availability cluster, the mechanism that derives the symmetric key will automatically be used.
- The p12import operation allows you to import PKCS#12 files in .p12 format and protect the private key contained in the file with the TPM. The initTPM operation must be carried out before the p12import operation.
For more information on implementing this procedure and other possible operations, refer to the technical note Initial configuration via USB key.
Calculating the high availability (HA) quality factor
The status of the TPM can be applied to the calculation of the high availability (HA) quality factor.
The configuration token TPMQualityIncluded=1 found in the [Global] section of the configuration file ConfigFiles/HA/highavailability indicates that the status of the TPM has been applied.
On SNS versions 4.8.7 and higher, the status of the TPM will not be taken into account when calculating the high availability quality factor if Secure Boot is disabled.
IMPORTANT
As a reminder, the integrity of the SNS firewall and its TPM will be compromised if Secure Boot is not enabled.
For more information on calculating the high availability (HA) quality factor, refer to the technical note High availability on SNS.
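The following helper is an added example, not Stormshield code: it audits a copy of ConfigFiles/HA/highavailability for the TPMQualityIncluded token and applies the Secure Boot rule stated above, so an operator can tell in advance whether the TPM status will actually count toward the HA quality factor. It assumes the file is plain ini-style text (a [Global] section header followed by key=value lines) and that SNS versions compare as dotted integers; the sample file content and the version strings are constructed for the example.

```python
"""Audit helper: will the TPM status feed into the HA quality factor?

Added example for this page, not Stormshield's own code. Assumptions (not
stated on the page): the highavailability file is ini-style text with
[Section] headers and key=value lines, and SNS versions are dotted integers.
"""
from __future__ import annotations


def parse_sections(text: str) -> dict[str, dict[str, str]]:
    """Minimal ini-style parser: {section: {key: value}}.

    Blank lines and '#' comments are skipped; keys outside any section are
    ignored, so a token placed in the wrong section is not mistaken for a
    token in [Global].
    """
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_version(version: str) -> tuple[int, ...]:
    """'4.8.7' -> (4, 8, 7); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def tpm_quality_included(config_text: str) -> bool:
    """True when [Global] carries TPMQualityIncluded=1."""
    global_section = parse_sections(config_text).get("Global", {})
    return global_section.get("TPMQualityIncluded") == "1"


def tpm_counts_toward_ha_quality(config_text: str, sns_version: str,
                                 secure_boot_enabled: bool) -> bool:
    """Apply the page's rule: the token must be set, and from SNS 4.8.7
    onwards the TPM status is ignored when Secure Boot is disabled."""
    if not tpm_quality_included(config_text):
        return False
    if parse_version(sns_version) >= (4, 8, 7) and not secure_boot_enabled:
        return False
    return True


# Constructed sample file content (not copied from a real firewall).
SAMPLE_HA_CONFIG = """# constructed sample of ConfigFiles/HA/highavailability
[Global]
TPMQualityIncluded=1
ExampleToken=placeholder

[ExampleSection]
TPMQualityIncluded=0
"""

if __name__ == "__main__":
    for version, secure_boot in (("4.8.7", True), ("4.8.7", False), ("4.3", False)):
        counted = tpm_counts_toward_ha_quality(SAMPLE_HA_CONFIG, version, secure_boot)
        print(f"SNS {version}, Secure Boot {'on' if secure_boot else 'off'}: "
              f"TPM status {'counts' if counted else 'does not count'}")
```

Run it against a copy of the file taken from the firewall together with the version in use and the Secure Boot state; a result of "does not count" on a 4.8.7 or later firewall means Secure Boot must be enabled before the TPM status contributes to the quality factor.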