Explanations on usage when the TPM is initialized

This chapter includes explanations on usage when the TPM is initialized:

Backing up a configuration

You can manually or automatically back up the configuration of an SNS firewall. Specific conditions apply, depending on the method used.

NOTE
You are advised to protect the backup file with a password whenever possible.

Manual backups

From the web administration interface

This use case is exclusive to SNS 4.3 LTSB versions and SNS 4.7 and higher versions. On SNS 3.11 LTSB versions, backups must be performed from the CLI console.

  1. Go to Configuration > System > Maintenance, Backup tab.
  2. In the Advanced properties section:
    • You can protect the backup file with a password by filling in the Password field,
    • Enter the TPM password in the relevant field.
  3. Click on Download the configuration backup.

The backup will contain all private keys of certificates on the firewall, but the TPM-protected private keys that are included will be decrypted.

From the CLI console

Run the following command:

CONFIG BACKUP list=all password=<filepassword> tpmpassword=<tpmpassword> > /tmp/backup.na

  • password=<filepassword> makes it possible to protect the backup file with a password,
  • list=all backs up all modules on the firewall. You can replace all with the modules that you wish to back up (list=network,vpn-ssl),
  • By default, the backup will contain all private keys of certificates on the firewall, but the TPM-protected private keys that are included will be decrypted. To keep the keys encrypted, and if you intend to restore this backup on the same firewall, enter ondiskprotect=1,
  • If required, show command help with:

    CONFIG BACKUP HELP

To retrieve the backup, connect to the firewall with an SCP client. SSH access must be allowed on the firewall, and a filter rule must allow the connection.

From the SMC server

You can manually back up the configuration on an SNS firewall with a CLI script. To include private keys of certificates on the firewall (either TPM-protected or not), the script must contain the TPM password in plaintext.

CONFIG BACKUP list=all password=<filepassword> tpmpassword=<password> $SAVE_TO_DATA_FILE("Backup_with_decyphered_private_keys.na")

For more information on configuration tokens in the command, refer to the section From the CLI console above.

For more information on implementing the backup, see the section Backing up the configuration of firewalls in the SMC administration guide.

Automatic backup

From the web administration interface

  1. Go to Configuration > System > Maintenance, Backup tab.
  2. In the Automatic configuration backup section, enable automatic backups and fill in the required information. You can protect the backup file with a password by filling in the Backup file password field,
  3. Apply the configuration.

The backup will contain all private keys of certificates on the firewall, and the TPM-protected private keys that are included will be encrypted.

From the SMC server

The SMC server makes it possible to automatically back up the configuration on SNS firewalls. When the TPM is initialized on the SNS firewall, all private keys of certificates on the firewall (either TPM-protected or not) will be excluded from automatic backups.

For more information, see the section Backing up the configuration of firewalls in the SMC administration guide.

Summary

  Backup type  | Method                           | Private keys in the backup
  Manual       | SNS web interface                | All private keys are included. TPM-protected private keys are decrypted.
  Manual       | CLI console or SMC (CLI script)  | All private keys are included when the tpmpassword token is entered. TPM-protected private keys are decrypted, unless the ondiskprotect=1 token is entered.
  Automatic    | SNS web interface                | All private keys are included. TPM-protected private keys remain encrypted.
  Automatic    | SMC                              | - (no private keys are included, see above)

Restoring a configuration backup

Backups containing TPM-protected private keys of certificates can only be restored on the source firewall. Encrypted private keys cannot be decrypted on another firewall as the symmetric key will be different.

The following cases are exceptions:

Initial configuration via USB key

During the initial configuration of a firewall via USB key, certain operations allow you to interact with the SNS firewall's TPM:

  • The inittpm operation allows you to initialize the TPM. Its format is as follows:

    "serial | any", inittpm, "tpmpassword"

    • The mechanism that derives the symmetric key is enabled by default,
    • This operation must be performed before a private key is protected by the TPM.
  • The p12import operation allows you to import PKCS#12 files in .p12 format and protect the private key contained in the file with the TPM. Its format is as follows:

    "serial | any", p12import, none|ondisk, "p12file", "p12password"

For more information on implementing this procedure and other possible operations, refer to the technical note Initial configuration via USB key.
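Because inittpm must come before any private key is protected by the TPM, an operator can sanity-check a USB configuration file before deploying it. The following is an added example, not Stormshield code; it assumes one operation per line in the comma-separated layout shown above (other operation names are ignored) and uses a constructed sample file.

```python
import csv
import io

# Constructed sample: not a real configuration, passwords are placeholders.
SAMPLE = '''# constructed sample, not a real configuration
"SN123456", inittpm, "tpm-secret"
"SN123456", p12import, ondisk, "vpn.p12", "p12-secret"
"SN999999", p12import, ondisk, "other.p12", "p12-secret"
"any", p12import, none, "plain.p12", "p12-secret"
'''

def parse_operations(text):
    """Return (serial, operation, args) tuples, skipping blank and # comment lines."""
    ops = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in row]
        ops.append((fields[0], fields[1].lower(), fields[2:]))
    return ops

def check_tpm_ordering(text):
    """Return problem descriptions; an empty list means the ordering is consistent."""
    problems = []
    tpm_ready = set()  # serials (or "any") for which inittpm has already appeared
    for n, (serial, op, args) in enumerate(parse_operations(text), 1):
        if op == "inittpm":
            tpm_ready.add(serial)
        elif op == "p12import":
            if not args or args[0].lower() not in ("none", "ondisk"):
                problems.append(f"op {n}: p12import protection must be none or ondisk")
                continue
            # ondisk means the key is TPM-protected, so the TPM must be initialized first.
            # An inittpm for "any" covers every firewall; an inittpm for one serial does
            # not cover a p12import addressed to "any" (it would also run elsewhere).
            ready = serial in tpm_ready or "any" in tpm_ready
            if args[0].lower() == "ondisk" and not ready:
                problems.append(f"op {n}: p12import ondisk for {serial} before inittpm")
    return problems

if __name__ == "__main__":
    for problem in check_tpm_ordering(SAMPLE) or ["no ordering problems found"]:
        print(problem)
```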

Calculating the high availability (HA) quality factor

This use case is exclusive to SNS 4.3 LTSB versions and SNS 4.7 and higher versions.

The status of the TPM can be applied to the calculation of the high availability (HA) quality factor. The configuration token TPMQualityIncluded=1 found in the [Global] section of the configuration file ConfigFiles/HA/highavailability indicates that the status of the TPM has been applied.

For more information on calculating the high availability (HA) quality factor, refer to the technical note High availability on SNS.