National Essential Security Certification (LINCE)

LINCE is a public standard of Spain that defines security requirements for cryptographic modules.

Note

SFOS 20.0 MR1 and MR2 are LINCE-certified.

LINCE-compliant algorithms

The following algorithms are available for VPN configurations on LINCE-compliant firewalls:

  • KexAlgorithms: diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521
  • Encryption: aes128-gcm@openssh.com and aes256-gcm@openssh.com
  • Public key authentication: hmac-sha2-256 and hmac-sha2-512
  • Server host key algorithms: rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, and ecdsa-sha2-nistp521

How to turn on LINCE

To turn on the LINCE mode, go to the command-line interface (CLI) and enter the following command:

system certification lince enable

Warning

The SSH service will restart, disconnecting existing SSH connections. If you use public key authentication, make sure the key pair uses one of the LINCE-compliant algorithms. See LINCE-compliant algorithms.

In high availability (HA) deployments, turn on the LINCE mode first and then turn on HA.
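The warning above says that an SSH key pair used for public key authentication must match one of the LINCE-compliant algorithms, because anything else stops working the moment the SSH service restarts. The script below is an added example, not Sophos code: it checks an OpenSSH public key line against the server host key / signature algorithms listed under "LINCE-compliant algorithms" and prints a client-side ssh_config stanza pinned to the same lists. It assumes (none of this is stated on the page) that the key is in OpenSSH "type base64 comment" format, that current OpenSSH clients sign with rsa-sha2-256/512 for ssh-rsa keys so those remain usable, and that the page's "Encryption" entries map to the Ciphers directive and its hmac-sha2-* entries to the MACs directive. The hostname and the key bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Sophos code): pre-flight check for SSH keys and client
# settings before running "system certification lince enable".
# Assumptions: OpenSSH "type base64 comment" key format; ssh-rsa keys are
# signed with rsa-sha2-256/512 by current clients; "Encryption" on the page
# corresponds to Ciphers and the hmac-sha2-* list to MACs.

LINCE_KEX="diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
LINCE_CIPHERS="aes128-gcm@openssh.com,aes256-gcm@openssh.com"
LINCE_MACS="hmac-sha2-256,hmac-sha2-512"
LINCE_HOSTKEY="rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"

# lince_sig_alg "<pubkey line>": print the signature algorithm an OpenSSH
# client would use for this key type, or nothing if no listed algorithm fits.
lince_sig_alg() {
    keytype=${1%% *}
    case "$keytype" in
        ssh-rsa) printf '%s\n' "rsa-sha2-256" ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            printf '%s\n' "$keytype" ;;
        *) ;;   # ssh-ed25519, ssh-dss, sk-* keys: not in the LINCE list
    esac
}

# lince_key_ok "<pubkey line>": exit 0 if the key's signature algorithm is in
# the LINCE host key / signature list, 1 otherwise.
lince_key_ok() {
    sig=$(lince_sig_alg "$1")
    [ -n "$sig" ] || return 1
    case ",$LINCE_HOSTKEY," in
        *",$sig,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# lince_ssh_config <host>: print a client stanza pinned to the LINCE lists,
# so the client never tries to negotiate what the firewall no longer offers.
lince_ssh_config() {
    printf 'Host %s\n' "$1"
    printf '    KexAlgorithms %s\n' "$LINCE_KEX"
    printf '    Ciphers %s\n' "$LINCE_CIPHERS"
    printf '    MACs %s\n' "$LINCE_MACS"
    printf '    HostKeyAlgorithms %s\n' "$LINCE_HOSTKEY"
}

# Constructed sample keys; the base64 bodies are placeholders, not real keys.
for key in \
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder admin@example" \
    "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQplaceholder admin@example" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder admin@example"
do
    if lince_key_ok "$key"; then
        echo "OK      ${key%% *}"
    else
        echo "REPLACE ${key%% *} (rejected once LINCE mode restarts SSH)"
    fi
done
lince_ssh_config firewall.example.invalid
```

Run it against the public keys in the firewall's authorized key list before enabling LINCE; any key reported as REPLACE should be swapped for an RSA or NIST ECDSA key first, and the printed stanza can go into the administrator's ~/.ssh/config for the firewall host.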

Backup and restore with LINCE

You can restore backups with LINCE turned on or off on any compatible firewall version. The following table shows how this affects the LINCE mode in the restored configuration.

Backup type: LINCE was turned on

  • Restore to a firewall version that supports LINCE: LINCE will be turned on. In an HA setup, LINCE will be turned on on both HA nodes.
  • Restore to a firewall version that doesn't support LINCE: LINCE won't be available.

Backup type: LINCE was turned off

  • Restore to a firewall version that supports LINCE: LINCE will be turned off. In an HA setup, LINCE will be turned off on both HA nodes.
  • Restore to a firewall version that doesn't support LINCE: LINCE won't be available.

Firmware upgrades with LINCE

If you migrate or upgrade the firmware and then turn on LINCE, you can still roll back to the previous firmware version, where LINCE was turned off, because that configuration remains available.