TOTP (SNS 2FA)

Two-factor authentication (2FA) using time-based one-time passwords (TOTP) increases the security of the authentications that the firewall manages.
This additional step to protect access is built into the firewall and does not require any third-party TOTP solution. Users who authenticate with an SNS TOTP only need to use an application on their smartphones or in their browsers to generate TOTPs.

The advantage of this method is that it can be enabled for all types of authentication: captive portal, SSL VPN tunnel, web administration interface, console or SSH connections and IPsec/Xauth VPN tunnels.

NOTE
Since this 2FA method is built into each firewall, users need a separate TOTP for each firewall to which they must connect.

NOTE
Stormshield strongly recommends that you enable NTP time synchronization for the firewall by selecting Synchronize firewall time (NTP) and by specifying the NTP servers (System module > Configuration > General configuration tab).

Time-based one-time password (TOTP)

Select the authentication methods that the firewall manages and which will use TOTP.
The possible types of authentication are:

  • Captive portal,
  • SSL VPN tunnels,
  • Web administration interface,
  • SSH/Console,
  • IPsec/Xauth.

TOTP code settings

This information will be presented on the firewall’s captive portal during the user’s TOTP enrollment.

Time-based one-time password (TOTP)
Issuer: Specify the issuer of the TOTP (e.g., the name of your company). The default value is Stormshield Network Security.

Customize the TOTP user enrollment message

Time-based one-time password (TOTP)
Message to display (max. 1024 characters): You can set an optional message that will be shown on the firewall’s captive portal during the user’s TOTP enrollment. Enter this message in the text field, within the limit of 1024 characters.

Advanced configuration

WARNING
If you are using Google Authenticator or Microsoft Authenticator, changing these settings will prevent TOTP authentication from functioning.

Time-based one-time password (TOTP)
Lifetime (s): Specify the validity period of a TOTP. The user’s application automatically generates a new TOTP when this period expires. The default value is 30 seconds.
Code size: Indicate the length (number of digits) of the generated TOTPs. The suggested default value is 6.
Number of valid codes before and after current code: When the time on the firewall and on the device that hosts the TOTP code generator (e.g., smartphone or computer) is slightly desynchronized, or to give the user a reasonable time frame to enter the code, this option specifies how many codes generated before or after the currently valid code are also accepted for authentication.
Hash algorithm: Select the hash algorithm used when generating TOTPs.
The possible values are:

  • SHA1,
  • SHA256,
  • SHA512.

The default value is SHA1.

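As an added example (not Stormshield's code, and not the firewall's actual implementation), the following Python computes and verifies RFC 6238 TOTPs from the four advanced settings above: lifetime, code size, hash algorithm and the number of valid codes before and after the current one. The secret is the RFC 6238 test secret, used here as a constructed value rather than a real enrollment, and the `window` parameter is assumed to correspond to the "Number of valid codes before and after current code" setting.

```python
import hashlib
import hmac
import struct
import time

# Hash algorithms offered by the "Hash algorithm" setting (HMAC-SHA1 is the RFC 6238 default).
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp_at(secret: bytes, unix_time: int, lifetime: int = 30,
            code_size: int = 6, algo: str = "SHA1") -> str:
    """RFC 6238: HOTP over the time-step counter T = floor(unix_time / lifetime)."""
    counter = unix_time // lifetime
    digest = hmac.new(secret, struct.pack(">Q", counter), HASHES[algo]).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** code_size).zfill(code_size)


def verify_totp(secret: bytes, candidate: str, unix_time: int, lifetime: int = 30,
                code_size: int = 6, algo: str = "SHA1", window: int = 1) -> bool:
    """Accept `candidate` if it matches the current code or any of the `window` codes
    before and after it (assumed to model the firewall's "Number of valid codes before
    and after current code" setting as +/- window time steps)."""
    if len(candidate) != code_size or not candidate.isdigit():
        return False
    for k in range(-window, window + 1):
        expected = totp_at(secret, unix_time + k * lifetime, lifetime, code_size, algo)
        if hmac.compare_digest(expected, candidate):              # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 Appendix B test secret, not a real enrollment.
    secret = b"12345678901234567890"
    now = int(time.time())
    current = totp_at(secret, now)
    previous = totp_at(secret, now - 30)          # code from the preceding 30-second step
    print("current code :", current, "accepted:", verify_totp(secret, current, now))
    print("previous code:", previous, "accepted with window=1:", verify_totp(secret, previous, now, window=1))
    print("previous code:", previous, "accepted with window=0:", verify_totp(secret, previous, now, window=0))
```

A larger window tolerates more clock drift between the firewall and the user's device but also widens the set of codes an attacker could guess within one lifetime, which is why the default of 30 seconds and NTP synchronization matter.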
The two buttons found in this section allow you to perform operations on the database of users who have completed TOTP enrollment.

Reset the TOTP database

Clicking on this button resets the entire database of users who have completed their TOTP enrollment.
Users will then need to restart the whole TOTP enrollment process from the beginning the next time they authenticate.

If you wish to reset the entire TOTP database:

  1. Click on Reset TOTP database.
    A warning window will appear.
  2. Confirm by clicking on Continue.

NOTE
The user must be connected with the admin account to reset the TOTP database.

Show TOTP orphans

Orphan users are those who are found in the TOTP database but cannot be found in the LDAP directories configured on the firewall, and who last used a TOTP at least 3 months ago.

This button shows the orphan users and lets you delete them from the TOTP database (all TOTP orphans are deleted).

If you wish to show the orphan users found in the TOTP database:

  1. Click on Show TOTP orphans.
    A selection window appears.
  2. In the calendar, select the date on which the orphan users you wish to show last used a TOTP.
    The default date is 3 months before the current date.
    The relevant users will be shown.

To delete all the orphan users listed in this grid:

  1. Click on Delete.
  2. Confirm deleting all orphan users by clicking on OK.

To quit the grid without deleting orphan users, click on Cancel.