
National Essential Security Certification (LINCE)

LINCE is a Spanish public standard that defines security requirements for cryptographic modules.

Note

SFOS 20.0 MR1 and MR2 are LINCE-compliant.

LINCE-compliant algorithms

The following SSH algorithms are the only ones offered by the SSH service on LINCE-compliant firewalls:

  • KexAlgorithms: diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521
  • Encryption: aes128-gcm@openssh.com and aes256-gcm@openssh.com
  • MACs: hmac-sha2-256 and hmac-sha2-512
  • Server host key algorithms: rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, and ecdsa-sha2-nistp521
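To verify that a firewall's SSH service offers only the algorithms above (after turning LINCE on), and to pin an administrator's SSH client to the same list so it never negotiates anything else, the following added example parses the server's KEXINIT proposal from an `ssh -vvv` transcript and emits a matching ssh_config stanza. This is example code written for this page, not Sophos code; the two transcripts are constructed samples, and the assumption that user public-key signatures are governed by the same signature algorithms as the host key list (PubkeyAcceptedAlgorithms, OpenSSH 8.5 and later) is the author's, not the page's.

```python
"""Audit an SSH server's KEXINIT proposal against the LINCE algorithm list
and emit an ssh_config stanza pinned to that list. Added example, not
Sophos code. Input is the output of `ssh -vvv user@firewall`."""
import re

# LINCE-compliant SSH algorithms exactly as listed on this page (page order).
LINCE_ALGORITHMS = {
    "kex": ("diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"),
    "cipher": ("aes128-gcm@openssh.com", "aes256-gcm@openssh.com"),
    "mac": ("hmac-sha2-256", "hmac-sha2-512"),
    "hostkey": ("rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"),
}

# OpenSSH debug2 labels -> categories. Ciphers and MACs are listed twice
# (client-to-server and server-to-client); both directions are checked.
_LABELS = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers ctos": "cipher", "ciphers stoc": "cipher",
    "MACs ctos": "mac", "MACs stoc": "mac",
}


def parse_server_proposal(debug_output):
    """Return {category: [algorithms]} from the 'peer server KEXINIT
    proposal' block of `ssh -vvv` output. The client's own proposal
    ('local client KEXINIT proposal') is skipped: it is what the client
    offers, not what the firewall accepts."""
    proposal = {}
    in_server = False
    for line in debug_output.splitlines():
        if "KEXINIT proposal" in line:
            in_server = "peer server" in line
            continue
        if not in_server:
            continue
        m = re.match(r"debug2: ([A-Za-z ]+): (.*)$", line)
        if not m or m.group(1) not in _LABELS:
            continue
        algos = [a for a in m.group(2).strip().split(",") if a]
        proposal.setdefault(_LABELS[m.group(1)], []).extend(algos)
    return proposal


def check_lince(proposal):
    """Return {category: sorted offered algorithms NOT on the LINCE list}.
    An empty dict means the server offers only compliant algorithms."""
    violations = {}
    for cat, algos in proposal.items():
        bad = sorted(set(algos) - set(LINCE_ALGORITHMS[cat]))
        if bad:
            violations[cat] = bad
    return violations


def ssh_config_stanza(host):
    """Emit an ssh_config Host block restricted to the LINCE list, so the
    client cannot negotiate a non-compliant algorithm with the firewall.
    PubkeyAcceptedAlgorithms (OpenSSH 8.5+) is pinned to the same signature
    algorithms as the host key list; that mapping is an assumption here."""
    j = lambda cat: ",".join(LINCE_ALGORITHMS[cat])
    return "\n".join([
        f"Host {host}",
        f"    KexAlgorithms {j('kex')}",
        f"    Ciphers {j('cipher')}",
        f"    MACs {j('mac')}",
        f"    HostKeyAlgorithms {j('hostkey')}",
        f"    PubkeyAcceptedAlgorithms {j('hostkey')}",
    ])


# Constructed sample: trimmed `ssh -vvv` transcript of a firewall that still
# offers non-compliant algorithms (before LINCE mode is turned on).
SAMPLE_BEFORE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: compression ctos: none,zlib@openssh.com
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
"""

# Constructed sample: the same firewall after LINCE mode is turned on.
SAMPLE_AFTER = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group16-sha512
debug2: host key algorithms: rsa-sha2-512,ecdsa-sha2-nistp384
debug2: ciphers ctos: aes256-gcm@openssh.com
debug2: ciphers stoc: aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-512
debug2: MACs stoc: hmac-sha2-512
debug2: reserved 0
"""

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_lince(parse_server_proposal(sample)) or "compliant")
    print(ssh_config_stanza("firewall.example"))
```

Run it against a real transcript with `ssh -vvv admin@firewall 2>&1 | python3 lince_ssh_audit.py` after wiring stdin into `parse_server_proposal`; a non-empty result for any category means the service still offers something outside the LINCE list.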

How to turn on LINCE

To turn on the LINCE mode, go to the command-line interface (CLI) and enter the following command:

system certification lince enable

Warning

The SSH service restarts, disconnecting existing SSH connections. If you use public key authentication, make sure your key pair uses one of the LINCE-compliant algorithms before you turn LINCE on, or you will be locked out after the restart. See LINCE-compliant algorithms.

In high availability (HA) deployments, turn LINCE mode on as follows:

  • SFOS 21.5 GA: Turn LINCE mode on on either device first, then turn on HA.
  • SFOS 21.5 MR1 and later: Turn LINCE mode on on both devices first, then turn on HA.

Note

From SFOS 21.5 MR1, you can't turn LINCE mode on or off after HA is established.

Backup and restore with LINCE

You can restore backups taken with LINCE turned on or off to any compatible firewall version. The following table shows how the backup's LINCE status affects the restored configuration.

Note

From SFOS 21.5 MR1, you can't restore a backup to an HA pair unless the backup and the HA devices have the same LINCE status (both on or both off).

Backup type          | Restore to a firmware version that supports LINCE                        | Restore to a firmware version that doesn't support LINCE
LINCE was turned on  | LINCE will be turned on (in an HA setup, on both HA nodes)               | LINCE won't be available
LINCE was turned off | LINCE will be turned off (in an HA setup, on both HA nodes)              | LINCE won't be available

Firmware upgrades with LINCE

If you migrate to or upgrade the firmware and then turn LINCE on, you can still roll back to the previous firmware version, where LINCE was turned off, because that version's configuration is retained.