National Essential Security Certification (LINCE)
LINCE is a public standard of Spain that defines security requirements for cryptographic modules.
Note: SFOS 20.0 MR1 and MR2 are LINCE-certified.
LINCE-compliant algorithms
The following algorithms are available for VPN configurations on LINCE-compliant firewalls:
- KexAlgorithms: diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521
- Encryption: aes128-gcm@openssh.com and aes256-gcm@openssh.com
- Public key authentication: hmac-sha2-256 and hmac-sha2-512
- Server host key algorithms: rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, and ecdsa-sha2-nistp521
How to turn on LINCE
To turn on the LINCE mode, go to the command-line interface (CLI) and enter the following command:
system certification lince enable
Warning: The SSH service will restart, disconnecting existing SSH connections. If you use public key authentication, make sure the key pair uses one of the LINCE-compliant algorithms. See LINCE-compliant algorithms.
To turn the LINCE mode on with high availability (HA) deployments, turn on the LINCE mode first, then turn on HA.
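Before enabling LINCE mode, a practitioner will want to confirm that the SSH key pairs used for public key authentication can actually sign with one of the listed algorithms, since the service restarts and a non-compliant key will no longer get in. The script below is an added example written for this page; it is not Sophos code and does not come from SFOS. It takes the algorithm names from the list above as constants, checks an OpenSSH public key line by cross-checking the declared key type against the type embedded in the base64 blob (OpenSSH blobs start with a length-prefixed type string), and emits an ssh_config snippet that pins a client to the same lists. The sample key lines are constructed with filler bodies, not real keys; the `hmac-sha2-*` names are placed under `MACs`, which is the OpenSSH option they belong to, and the hostname `firewall.example.internal` is a placeholder.

```python
from __future__ import annotations

import base64
import struct

# Algorithm names as listed on this page for LINCE mode.
LINCE_KEX = [
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
]
LINCE_CIPHERS = ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
# hmac-sha2-* are SSH MAC algorithm names, so they go under the MACs option.
LINCE_MACS = ["hmac-sha2-256", "hmac-sha2-512"]
LINCE_HOSTKEY_ALGS = [
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
]

# Key type (first field of an OpenSSH public key line) -> signature algorithms
# that key can produce. An ssh-rsa key signs with rsa-sha2-256/512 on current
# clients; the legacy SHA-1 "ssh-rsa" signature is not on the LINCE list.
KEY_TYPE_SIGNATURES = {
    "ssh-rsa": ["rsa-sha2-256", "rsa-sha2-512"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
    "ecdsa-sha2-nistp384": ["ecdsa-sha2-nistp384"],
    "ecdsa-sha2-nistp521": ["ecdsa-sha2-nistp521"],
    "ssh-ed25519": ["ssh-ed25519"],
    "ssh-dss": ["ssh-dss"],
}


def embedded_key_type(blob_b64: str) -> str:
    """Return the key type string at the start of a base64 OpenSSH key blob.

    The blob begins with a big-endian uint32 length followed by the type name,
    which lets the declared type and the embedded type be cross-checked.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + length:
        raise ValueError("key blob truncated")
    return raw[4:4 + length].decode("ascii")


def check_public_key(line: str) -> tuple[bool, str]:
    """Report whether a key pair can authenticate with a LINCE-listed algorithm."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not an OpenSSH public key line"
    declared, blob = fields[0], fields[1]
    try:
        embedded = embedded_key_type(blob)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        return False, f"malformed key blob: {exc}"
    if embedded != declared:
        return False, f"declared type {declared} does not match blob type {embedded}"
    signatures = KEY_TYPE_SIGNATURES.get(declared)
    if signatures is None:
        return False, f"unrecognised key type {declared}"
    usable = [s for s in signatures if s in LINCE_HOSTKEY_ALGS]
    if not usable:
        return False, f"{declared} keys cannot sign with a LINCE-listed algorithm"
    return True, f"{declared} key, usable signature algorithms: {', '.join(usable)}"


def client_config_snippet(host: str) -> str:
    """ssh_config lines that restrict a client to the LINCE algorithm lists."""
    return "\n".join([
        f"Host {host}",
        f"    KexAlgorithms {','.join(LINCE_KEX)}",
        f"    Ciphers {','.join(LINCE_CIPHERS)}",
        f"    MACs {','.join(LINCE_MACS)}",
        f"    HostKeyAlgorithms {','.join(LINCE_HOSTKEY_ALGS)}",
        f"    PubkeyAcceptedAlgorithms {','.join(LINCE_HOSTKEY_ALGS)}",
    ])


def fake_blob(key_type: str) -> str:
    """Constructed key blob: only the type prefix is real, the rest is filler."""
    body = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 8
    return base64.b64encode(body).decode()


# Constructed sample public key lines (not real keys).
SAMPLE_KEYS = {
    "rsa": f"ssh-rsa {fake_blob('ssh-rsa')} admin@example",
    "ecdsa384": f"ecdsa-sha2-nistp384 {fake_blob('ecdsa-sha2-nistp384')} admin@example",
    "ed25519": f"ssh-ed25519 {fake_blob('ssh-ed25519')} admin@example",
    "mislabelled": f"ssh-rsa {fake_blob('ssh-ed25519')} admin@example",
}

if __name__ == "__main__":
    for name, line in SAMPLE_KEYS.items():
        ok, why = check_public_key(line)
        print(f"{name:12} {'OK' if ok else 'NO'}  {why}")
    print(client_config_snippet("firewall.example.internal"))
```

Run it against the contents of `authorized_keys` or an `id_*.pub` file before enabling LINCE: an `ssh-ed25519` key is reported as unusable because that algorithm is absent from the page's list, while an `ssh-rsa` key passes provided the client signs with `rsa-sha2-256` or `rsa-sha2-512`. The `PubkeyAcceptedAlgorithms` option name applies to OpenSSH 8.5 and later; older clients spell it `PubkeyAcceptedKeyTypes`.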
Backup and restore with LINCE
You can restore backups with LINCE turned on or off on any compatible firewall version. The following table shows how this affects the LINCE mode in the restored configuration.
Backup type | Restore to firewall version that supports LINCE | Restore to firewall version that doesn't support LINCE
---|---|---
LINCE was turned on | LINCE will be turned on. In an HA setup, LINCE will be turned on on both HA nodes. | LINCE won't be available
LINCE was turned off | LINCE will be turned off. In an HA setup, LINCE will be turned off on both HA nodes. | LINCE won't be available
Firmware upgrades with LINCE
If you migrate or upgrade the firmware and then turn on LINCE, you can still roll back to the previous version, where LINCE was turned off, because that configuration remains available.