Explanations on usage when the TPM is initialized
This section explains how to back up and restore a configuration, how to set up the initial configuration using a USB key, and how to calculate the high availability quality factor once the TPM has been initialized.
Backing up a configuration
The configuration of the SNS firewall can be manually or automatically backed up from the web administration interface, the CLI console, or from the SMC server.
Depending on the method used, there are specific conditions on the presence of protected private keys in the backup file, and on their encryption status.
| Backup type | Method | Protected private keys in the backup file |
|---|---|---|
| Manual | SNS interface | Decrypted |
| Manual | CLI console | Decrypted; they can be kept encrypted with the token ondiskprotect=1 |
| Manual | SMC (CLI script) | Remain encrypted |
| Automatic | SNS interface, SMC interface | N/A |
For more information on backing up a configuration:
- Go to Maintenance > Backup tab in the v4.8 or v4.3 LTSB SNS User guide, depending on the version used.
- Use the CLI command CONFIG BACKUP (see CONFIG BACKUP HELP).
- Go to Backing up the configuration of firewalls in the SMC administration guide.
IMPORTANT
The SMC server makes it possible to automatically back up the configuration on SNS firewalls. When the TPM is initialized, all private keys of certificates, regardless of whether they are TPM-protected, will be excluded from automatic backups.
Restoring a configuration backup
Backups containing encrypted private keys can only be restored on the original firewall. Encrypted private keys cannot be decrypted on another SNS firewall as the symmetric key is assumed to be different.
There are a few exceptions in the following cases:
- If the symmetric key derivation mechanism was used to generate the symmetric key from the TPM password, and the TPM password is the same on both SNS firewalls. In this case, the symmetric key is the same on both SNS firewalls. Note that this applies both to SNS firewalls that are part of a high availability cluster and to those that are not.
- Following the exchange of a firewall (RMA) configured in high availability. For more information, refer to the instructions in the Stormshield knowledge base article Following an RMA, how can I synchronize the configuration and the content of the TPM? (authentication required).
Initial configuration via USB key
During the initial configuration of an SNS firewall via USB key, two operations allow you to interact with the TPM:
- The initTPM operation allows you to initialize the SNS firewall's TPM. This step must be carried out before the p12import operation. If the SNS firewall is part of a high availability cluster, the mechanism that derives the symmetric key will automatically be used.
- The p12import operation allows you to import PKCS#12 files in .p12 format and protect the private key contained in the file with the TPM.
For more information on implementing this procedure and other possible operations, refer to the technical note Initial configuration via USB key.
Calculating the high availability (HA) quality factor
The status of the TPM can be applied to the calculation of the high availability (HA) quality factor.
The configuration token TPMQualityIncluded=1, found in the [Global] section of the configuration file ConfigFiles/HA/highavailability, indicates that the status of the TPM has been applied.
NOTE
On SNS versions 4.8.7 and higher, if the Secure Boot feature is disabled, the status of the TPM will not be taken into account when calculating the high availability quality factor.
For more information on calculating the high availability (HA) quality factor, refer to the technical note High availability on SNS.
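The following is an added example, not Stormshield's code, showing how an operator could check from a copy of the highavailability file whether the TPM status actually enters the HA quality factor, combining the TPMQualityIncluded token with the Secure Boot rule stated in the note above. It assumes the file is INI-style with a [Global] section (only the TPMQualityIncluded token is taken from the page; the other key and the sample values are constructed), and it takes the Secure Boot state and SNS version as inputs because the page does not say where they are read from.

```python
import configparser

# Constructed sample modelled on ConfigFiles/HA/highavailability as described
# on this page: TPMQualityIncluded is the documented token, State is a placeholder.
SAMPLE_HA_CONFIG = """\
[Global]
State=1
TPMQualityIncluded=1
"""

# From SNS 4.8.7 onwards the TPM status is ignored when Secure Boot is disabled.
MIN_SECURE_BOOT_RULE_VERSION = (4, 8, 7)


def parse_version(version: str) -> tuple:
    """Turn 'SNS 4.8.7' or '4.8.7' into a tuple of ints that compares numerically."""
    digits = version.split()[-1]
    return tuple(int(part) for part in digits.split("."))


def tpm_quality_included(ha_config_text: str) -> bool:
    """Return True when [Global] TPMQualityIncluded=1 is set in the HA configuration."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ha_config_text)
    return parser.getint("Global", "TPMQualityIncluded", fallback=0) == 1


def tpm_counts_in_ha_quality(ha_config_text: str, sns_version: str,
                             secure_boot_enabled: bool) -> bool:
    """Decide whether the TPM status is actually applied to the HA quality factor.

    The token must be set, and on 4.8.7+ Secure Boot must also be enabled.
    """
    if not tpm_quality_included(ha_config_text):
        return False
    if parse_version(sns_version) >= MIN_SECURE_BOOT_RULE_VERSION and not secure_boot_enabled:
        return False
    return True


if __name__ == "__main__":
    for version, secure_boot in (("4.3.30", False), ("4.8.7", False), ("4.8.7", True)):
        applied = tpm_counts_in_ha_quality(SAMPLE_HA_CONFIG, version, secure_boot)
        print(f"SNS {version}, Secure Boot {'on' if secure_boot else 'off'}: "
              f"TPM status {'counted' if applied else 'ignored'} in HA quality factor")
```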