Frequently Asked Questions



  • Are Certes Enforcement Points (CEP) needed at each network location?

    Yes, if you want to encrypt all your data in transit at Layer 4 you will need a CEP at each location.  And, the installation of CEPs are simple, scalable and uncomplicated without any disruption to your applications or network infrastructure.

  • Are Certes encryption technology FIPS 140-2 and Common Criteria Certified?

    Yes, most of our CEP appliances are both FIPS 140-2 and Common Criteria certified to meet regulations like CJIS. CryptoFlow® Net Creator 5.3 software is also FIPS 140-2 and Common Criteria certified.

  • Does installation disrupt current applications and network infrastructure and will current systems need to be removed or replaced?

    The simplicity of installing the Certes Layer 4 solution is that it is independent of your applications and network and does not disrupt the network nor place any additional burden on staff.  The encryption technology is network agnostic and can be applied enterprise-wide regardless of network, application or user.

  • How does the network infrastructure continue to interoperate with high availability?

    The network will remain the same before and after installation and high availability will not be affected.  Nothing will change.

  • Are both multi-layer and virtual encryption devices available?

    Certes offers both types of encryption devices.  From a software perspective, functionality is the same fit, form and function for both multi-layer and virtual encryption appliances.

  • Does Certes encrypt on Layer 2 and Layer 3?

    Yes, we do encrypt data using IPsec at Layer 2 and Layer 3. However, with standard IPsec encryption there is no visibility of network traffic unlike the Certes Layer 4 solution which unblinds network administrators so that network traffic is visible.



  • How are policy keys managed and rotated?

    Through the CryptoFlow® Net Creator platform, policy keys are managed through a single, centralized system management console whereby deployment is fully automated and rotation of keys are scheduled at intervals that you choose.  Once keys are scheduled, rotations are automatic without the need for staff oversight.

  • How are multiple data types such as encryption regulations separated?

    The CryptoFlow® Net Creator platform allows for crypto segmentation and enables separate and unique policies and keys to be generated with cryptographic boundaries for each data flow.

  • Do you have audit reporting and system log capabilities?

    Yes, both login and auditing reporting are built into the CryptoFlow® Net Creator platform enabling the export of logs to offsite servers for archiving and auto reporting.

  • Is the key management system platform multi-user and multi-role?

    Yes, our CryptoFlow® Net Creator platform offers the ability to assign multiple users with different roles from operations to platform administrators.

  • How do I fail?

    If a software failure occurs on the CryptoFlow® Net Creator, all encryption devices will continue with the most current keys and policies preventing any interruption to secure traffic flow. If a software failure occurs on an encryption device it will “fail closed”. This “fail closed” behavior is for security. Certes made the choice to “fail closed” to prevent any data from being sent or transmitted without secure encryption.

  • As a system operator, do I have visibility to determine the status of my deployed policies?

    CryptoFlow® Net Creator and its management interface has colored keys or status indicators to differentiate between the states/status of the CEP appliances and your policies at any time.



  • What is Observability?

    Observability is the transparency and related benefits brought by explicit narration of the internal state of a system. It helps users uncover security blind spots in their application infrastructure, or oversights in their policies.

  • How does it work?

    CEPs are configured to encrypt all business data between network sites. 

    The NetFlow data is exported by the CEP and contains Certes-specific metadata. This combination of data can be used to analyze and gain deeper understanding of network policy deployment and enforcement to analyze every application that tries to communicate across the network, all the while monitoring pathways for potential threats now that each policy is observable. 

    The exports may be collected by a purpose-built third-party analyzer software that can interpret the standard NetFlow format data. Further, such a software may present user-friendly visualization of the information for easy understanding of the information exchange among the participating entities — internal or external to the user’s network domain.

    Additionally, whole packets may also be captured by CEPs. The captured packets may be retrieved from CEPs using CFNC GUI. Viewing individual packets and their sequence may help troubleshoot issues experienced in a deployment.

  • Why use Observability?

    With the Certes Networks Observability feature, you no longer are just trying to monitor and identify threats to keep them out of your network.  You’re analyzing every application that tries to communicate across your network, monitoring all traffic inside, and limiting the pathways potential threats can travel. 

    Through the configuration of our Certes Enforcement Points (CEPs) data is encrypted between network sites.  The NetFlow data is exported by the CEP and contains Certes-specific metadata.  This combination of data can be used to analyze and gain deeper understanding of network policy deployment and enforcement to analyze every application that tries to communicate across the network, all the while monitoring pathways for potential threats now that each policy is observable.  This analysis, and the resulting control that can be applied, provides complete control of your network access and data security.

  • Why use NetFlow format?

    NetFlow is an industry standard to describe information flows occurring on a network. Numerous network device vendors generate flow information in that format. So, all leading analyzer software products readily interpret such data to render analytics and visualization for actionable insights. So, Certes CEPs also export information in NetFlow format to allow its users benefit from the standard analyzer software available in the market.

  • Do all CEPs export Observability information?

    Yes, all CEPs running 5.6 or higher are capable of exporting flow data combined with Certes-specific metadata.

  • Where do the NetFlows exported from CEPs go?

    CFNC configuration requires users to specific the IP address of a server that will receive and collect NetFlow exports.

  • What about users’ privacy concerns?

    Given the sensitivity of the information carried by NetFlow exports, the exports are encrypted by Certes CEPs before sending to the receiving collector. Further, a user may disable our Observability feature globally on all CEPs, or only on specified CEPs. Of course, it may be re-enabled later at the user’s choice. This is fully secure as the control of the encryption keys and key rotations are managed by our CFNC software.

  • All network products export NetFlows. What's the big deal that Certes does, too?

    Information about the network flows may be ordinary. However, only Certes CEPs can export information about Certes-proprietary constructs such as the names of the CEPs, the network sets, policies in action and enforced, set of flows that share the same group encryption key, etc. With this proprietary information, an analyzer can reveal actionable insights at a global level. Also, such information serves as historic evidence during future security audits, or formal reports to the organization’s senior management.


A technology solution that is simple, scalable and uncomplicated.

Get In Contact Today

Want to learn more? One of our team members would be happy to help!