Sns en SMC Administration - Guide v3.6
STORMSHIELD MANAGEMENT
CENTER
ADMINISTRATION GUIDE
Version 3.6
Table of contents
1. Getting started with the SMC server
1.3.1 Troubleshooting
1.4.1 Recommendations
1.4.2 Configurations and usage mode subject to the evaluation of SNS firewalls
4.1.2 Editing the value of a custom firewall property
4.1.3 Importing/exporting custom firewall properties
5. Managing objects
5.1 Deploying objects on firewalls
5.2 Creating variable objects
5.3 Checking usage of an object in the configuration
5.4 Importing objects
5.4.1 Creating the CSV file
5.4.2 Importing objects from the web interface
5.4.3 Importing objects in command line
7.2.1 Configuring a route-based mesh topology
7.2.2 Configuring a route-based star topology
7.2.3 Defining IPsec VTIs on SNS firewalls
7.2.4 Defining the traffic routing policy
7.2.5 Editing the VTI network pool
7.2.6 Troubleshooting
8.2.2 Managing an environment with shared and specific rules
8.2.3 Managing a multi-site environment with shared and specific rules and delegated filtering
8.2.4 Managing a multi-site pool with shared rule sets
9. Configuring QoS
9.2.1 Requirements
9.2.2 Enabling SMC to manage an SNS firewall's network
9.2.3 Configuring QoS on an interface
9.2.4 Forcing the retrieval of the QoS configuration on a firewall
10.3 Running the SNS CLI script from the web interface
10.4 Running the SNS CLI script in command line
10.4.3 Adding scripts
10.4.4 Deleting scripts
10.4.5 Displaying the list of scripts
10.4.6 Examples of the use of scripts in command line with a CSV file
11.2 Updating firewalls
11.3 Replacing an SNS firewall through an RMA
13.7.3 Restoring server configuration from the web interface
13.7.4 Restoring server configuration from the command line interface
13.7.5 Restoring server configuration from the initialization wizard
sns-en-SMC-administration_guide-v3.6 - 07/30/2024
1. GETTING STARTED WITH THE SMC SERVER
NOTE
We recommend that you customize the certificate of the SMC server web interface. For more information, refer to the section Customizing the certificate of the SMC server web interface.
In SSH connections, if you enter wrong login credentials five consecutive times, you must wait 15 minutes before you can log in again.
To connect transparently via SSH, you can also configure authentication using SSH keys. For more information, refer to the section Connecting to the command line interface via SSH keys.
For details on the commands that can be used to administer SMC, refer to the section Details of smc-xxx commands.
The default "admin" user does not have access to SMC in console or SSH. Only access to SMC via the web interface is possible.
1.3.1 Troubleshooting
The SMC server rejects all new firewall connections
- Situation: The SMC server rejects all new firewall connections but keeps ongoing connections.
  Cause: You do not have a license, your license has expired, or you may have reached the maximum number of firewalls allowed to connect to the server according to your license.
  Solution: Look up the server logs and contact your Stormshield support center in order to obtain a valid license. A tool tip and the Last activity column will also provide an indication.
- Situation: You have restored the configuration of the SMC server, and your license is no longer valid.
  Cause: When a configuration is restored, the license that was installed at the time of the backup is restored with it. If it expired in the interim, you no longer have a valid license.
  Solution: Once you have restored the configuration, reinstall your most recent license.
1.4.1 Recommendations
Physical security measures
SNS firewalls and the SMC server must be installed and stored according to the state of the art regarding sensitive security devices: secured access to the premises, shielded cables with twisted pairs, labeled cables, etc.
IMPORTANT
The default password of the super administrator must be changed the very first time the SNS firewall is used.
Password
User and administrator passwords must be chosen in such a way that it takes longer to successfully crack them, by implementing a policy that regulates how they are created and verified (e.g., mix of alphanumeric characters, minimum length, inclusion of special characters, no dictionary words, etc.).
Administrators can change their password in the web administration interface of:
- SNS in Configuration > System > Administrators, Administrator account tab,
- SMC in Maintenance > SMC Server > Administrators.
Administrators are aware of these best practices through their duties and are responsible for making users aware of these practices (see the next section User Awareness).
Good information flow control policies
The information flow control policies to be implemented, for equipment on the trusted networks to be protected, are defined as:
- Complete: all standard usage scenarios of the equipment have been considered when defining the rules, and their authorized limits have been defined,
- Strict: only the necessary uses of the equipment are authorized,
- Correct: rules do not contradict each other,
- Unambiguous: the list of rules provides all the relevant elements for direct configuration of the SNS firewall by a qualified administrator.
Cryptographic keys
Cryptographic keys that were generated outside the SNS firewall and injected into it must have been generated according to the general security guidelines defined by the French National Cybersecurity Agency (ANSSI) in the Référentiel général de sécurité (RGS) document (in French).
Human agents
Administrators are non-hostile, competent persons with the necessary means for accomplishing their tasks. They have been trained to perform the operations for which they are responsible. Their skills and organization mean that:
- Different administrators with the same privileges do not perform contradictory administrative actions (e.g., inconsistent modifications to the information flow control policy),
- Logs are used and alarms are processed within the appropriate time frames.
IT security environment
SNS firewalls
SNS firewalls are installed in compliance with the current network interconnection policy and are the only passage points between the various networks on which the information flow control policy has to be applied. They are sized according to the capacities of adjacent devices, or these devices limit the number of packets per second to a value set slightly below the maximum processing capacity of each SNS firewall installed in the network architecture.
Besides the application of security functions, SNS firewalls do not provide any network service other than routing and address translation (e.g., no DHCP, DNS, PKI, application proxies, etc.).
SNS firewalls are not configured to forward IPX, Netbios, AppleTalk, PPPoE or IPv6 information flows.
SNS firewalls do not depend on external "online" services (DNS, DHCP, RADIUS, etc.) to apply the information flow control policy.
The IT environment provides:
- reliable NTP timestamps,
- up-to-date X.509 certificate revocation status, both for peers and administrators,
- a reliable enrolment infrastructure.
SMC server
A traffic control policy must be applied to the SMC server to allow only its administrators and managed SNS firewalls to log in to it.
The virtual machine must be appropriately scaled (RAM, CPU, disk space) to enable administration of the SNS firewalls managed by the SMC server. The SMC operating system must never be modified to meet needs other than those it was designed to meet.
There must be sufficient and available bandwidth at all times between the SMC server and SNS firewalls so that all administration operations can be performed. The administrator must configure, and if necessary disable, certain features to meet this requirement, or otherwise restrict the number of packets per second to give priority to administration traffic.
The production and distribution of connecting packages, which allow the SMC server to manage SNS firewalls, must be managed and entrusted to individuals who are familiar with security requirements. Such packages must only be shared through secure channels (encrypted emails, secured USB keys, etc.) between the SMC server and SNS firewalls.
Interconnectivity
Remote administration workstations are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications. They are installed in premises with protected access and are dedicated exclusively to the administration of SNS firewalls, the SMC server and the storage of backups.
Network appliances with which the SNS firewall sets up VPN tunnels are subject to restrictions regarding physical access control, protection and control over their configuration, equivalent to the restrictions placed on SNS firewalls.
Workstations on which the VPN clients of authorized users are launched are subject to restrictions regarding physical access control, protection and control over their configuration, equivalent to the restrictions placed on workstations in trusted networks. They are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications.
1.4.2 Configurations and usage mode subject to the evaluation of SNS firewalls
The usage mode subject to evaluation has the following characteristics.
- The evaluation covers the Stormshield UTM / NG-Firewall Software Suite installed on all versions of Stormshield firewalls, from the SN210 to SN6100 range, including industrial models SNi20 and SNi40. Certain models do not have large local log storage capacities and have to send events via syslog,
- SNS firewalls have to be stored in a location with secured access. Such measures, as well as organizational procedures for the operating environment, have to guarantee that the only physical access to the SNS firewalls takes place under the surveillance of the super administrator,
- The local console is not used in production. Only the super administrator can log on to it, and hypothetically, such interventions are performed only when a decision has been made to make an exception to the operating context, to conduct a maintenance operation or a re-installation,
- Workstations on which the web administration interface will be used are secured, dedicated to such use, and up to date on all patches concerning the respective operating systems and the applications installed on them,
- The Stormshield Network IPsec VPN Client software is not part of the evaluation. Users can use an IPsec VPN client of their choice; however, these client workstations have to be secured as rigorously as remote administration workstations,
- When external services are used by the SNS firewall, they are not part of the evaluation. However, these servers have to be dedicated to such use, and up to date on all patches concerning the respective operating systems and the applications installed on them. External services are:
   - The NTP time servers,
   - The LDAP administrator and IPsec user directory server,
   - The syslog server,
   - The CRL or OCSP server,
   - The SMC server,
   - The EST certificate enrolment server.
- The usage mode subject to evaluation excludes the SNS firewall relying on services other than those mentioned above. The optional modules provided by Stormshield to manage these services are disabled by default and have to stay that way. Specifically, these are:
   - Modules that allow handling external servers (e.g., Kerberos, RADIUS, etc.),
   - The dynamic routing module,
   - The static multicast routing module,
   - The internal public key infrastructure (PKI),
   - The SSL VPN module (Portal and Tunnel),
   - DNS cache,
   - Antivirus engines,
   - SSH, DHCP, MPD and SNMPD servers,
   - The DHCP client,
   - The DHCP relay,
   - Wifi connection for equipped devices,
   - Host reputation,
   - For SNi40 and SNi20 models: the hardware bypass capabilities,
   - Any custom IPS patterns,
   - FQDN objects (require external DNS services),
   - IPFIX messages,
   - Telemetry,
   - Breach Fighter (Sandboxing),
   - Network Vulnerability Manager (SNVM).
   Administration and monitoring tools provide a way of checking, at any moment during operation, that these modules are disabled.
IPsec DR
(Table of recommended algorithms; only the row headings survive: Identification, Authentication/Integrity, Key negotiation [Diffie-Hellman group 28], Encryption.)
(1): The smallest size of an RSA key must be 2048 bits, or 3072 bits for use beyond 2030.
(2): The smallest size of a key must be 256 bits.
(3): Although the use of RSA keys is prohibited in a DR environment, an RSA root certificate can be used to sign an intermediate certificate dedicated to IPsec, for example, when the certification authority used as the anchor on the firewall is the intermediate certificate.
(4): For use beyond 2030, the smallest group to use must be Diffie-Hellman group 15.
These cryptographic algorithms are needed for compliance with the general security guidelines defined by the French National Cybersecurity Agency (ANSSI) in the Référentiel général de sécurité (RGS) document (in French).
Do note that the recommendations on implementing the strengthened IPsec mode called Diffusion Restreinte (DR) mode, which complies with ANSSI's reference document for IPsec DR, are given in the SNS Technical note "IPsec - Diffusion Restreinte mode".
Type of password             | Number of characters      | Number of passwords (8 characters) | Cracking time
Special                      |                           | 250000                             | < 1 second
Lowercase only               | 26                        | 208827064576                       | 9 hours
Lowercase + 1 uppercase      | 26 (+ 1 uppercase letter) | 1670616516608                      | 3 days
Lowercase + uppercase        | 52                        | 53459728531456                     | 96 days
Letters + numbers            | 62                        | 218340105584896                    | 1 year
Printable characters         | 95                        | 6634204312890625                   | 30 years
128-character set            | 128                       | 72057594037927936                  | 350 years
Another tendency which has been curbed but which is still happening is worth mentioning: those now-famous post-its pasted under keyboards.
The administrator has to organize actions (training, creating user awareness, etc.) in order to modify or correct these "habits".
One classic method of choosing a good password is to choose a sentence that you know by heart (a verse of poetry, lyrics from a song) and to take the first letter of each word. This set of characters can then be used as a password.
EXAMPLE
"Stormshield Network, Leading French manufacturer of FIREWALL and VPN appliances…"
The password can then be the following: SNLFmoFaVa.
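The arithmetic behind the cracking-time table and the first-letter method above, as an added example that is not part of the Stormshield guide. The password length (8 characters) and the attacker's guess rate (about 6.5 million guesses per second) are not stated on the page; both are inferred here from the table's own figures (26**8 = 208827064576 candidates cracked in about 9 hours), so the rate is an assumption, not a measurement.

```python
"""Search-space arithmetic behind the password table, plus the
first-letter-of-each-word method from the example.

Added example, not part of the Stormshield guide. The password length (8)
and the attacker's guess rate (about 6.5 million guesses per second) are
inferred from the table's own figures, not stated on the page.
"""
import math

ASSUMED_GUESSES_PER_SECOND = 6.5e6   # inferred from the table, not a measured rate
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from a charset."""
    return charset_size ** length


def search_space_one_uppercase(length: int) -> int:
    """Lowercase letters plus exactly one uppercase letter at an unknown position.

    Matches the table's 1670616516608 for length 8: 26**8 candidates times the
    8 possible positions of the uppercase letter.
    """
    return 26 ** length * length


def entropy_bits(space: int) -> float:
    """Bits of entropy of a password chosen uniformly from a space of that size."""
    return math.log2(space)


def crack_time_seconds(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case for an exhaustive search: every candidate is tried once."""
    return space / rate


def human_time(seconds: float) -> str:
    """Coarse rendering in the units the table uses."""
    if seconds < 1:
        return "< 1 second"
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def acronym_password(sentence: str) -> str:
    """First letter of each word, case preserved: the guide's SNLFmoFaVa method."""
    words = (w.strip(",.;:!?\"'()…") for w in sentence.split())
    return "".join(w[0] for w in words if w)


def password_table(length: int = 8):
    """Recompute the guide's table for any length: (label, charset, space, bits, time)."""
    rows = [
        ("Lowercase only", 26), ("Lowercase + uppercase", 52),
        ("Letters + numbers", 62), ("Printable characters", 95),
        ("128-character set", 128),
    ]
    table = []
    for label, charset in rows:
        space = search_space(charset, length)
        table.append((label, charset, space, round(entropy_bits(space), 1),
                      human_time(crack_time_seconds(space))))
    return table


if __name__ == "__main__":
    for row in password_table():
        print(*row, sep="\t")
    print(acronym_password("Stormshield Network, Leading French manufacturer "
                           "of FIREWALL and VPN appliances…"))
```

Changing `length` in `password_table` shows why a policy's minimum length matters more than any single character class: each extra lowercase character multiplies the space by 26, whereas adding one uppercase letter to an 8-character password multiplies it by only 8.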
The ANSSI (French National Cybersecurity Agency) offers a set of recommendations for this purpose to assist in defining sufficiently robust passwords.
We recommend that you recreate these global items in the form of local items on the firewall, or rewrite the rules in SMC before connecting the firewall to SMC, in order to avoid losing any configuration items and disrupting production.
In the most frequent cases, the firewall does not have any global configuration elements, and then no special precaution must be taken before connecting the firewall to SMC. Production will not be impacted.
In any case, we advise you to perform a backup of your firewall's configuration before connecting it to SMC.
2. CONNECTING SNS FIREWALLS TO THE SMC SERVER
2. Complete the firewall properties. The Description and Location fields are filled in for information only and do not have any impact on the configuration.
3. For more information on the VPN contact address, refer to the section Defining the contact IP address of firewalls for VPN topologies.
4. For more information on the VPN output interface, refer to the section Selecting the output interface of firewalls for VPN topologies.
5. Select the folder in which you wish to organize the firewall. Folders are created in the Configuration > Firewalls and folders menu on the left. For more information, please refer to the section Organizing firewalls by folders. You need to hold write access privileges on the folder. For more information, refer to the section Restricting folder administrators' access privileges.
TIP
You can build the package later, by editing the firewall in the Firewalls menu.
2. Click on Create.
3. In the Generating the connecting package panel, click on Next, then select The firewall still has a factory configuration.
4. On the next panel, select the version of the firewall and complete the minimum network configuration information for the firewall that would enable access to the SMC server.
5. Fill in the information to connect to the SMC server. The panel differs according to the firewall version. In 3.9.0 and higher versions:
   - IP address or FQDN: the firewall connects using these addresses to contact the SMC server. Depending on network topology, they can either be the SMC server's IP addresses or external IP addresses that the firewall can reach, and which are redirected to the SMC server through destination translation. You can set up to ten addresses or FQDNs to contact the SMC server, by order of priority. The firewall browses the addresses from 1 to 10 and connects to the SMC server through the first reachable address. If the address currently used does not have the highest priority, the firewall regularly tries to reach an address with greater priority.
   - Port: depending on network topology, they can either be the SMC server's ports (1754 by default) or external ports that the firewall can reach, and which are redirected to the SMC server's port through destination translation.
   - Local address: you can specify a different outgoing interface for each contact address.
   - For firewalls in version 3.7.X to 3.8.X, only one outgoing interface can be specified, which will apply to all contact addresses.
6. Click on Generate and download.
2.1.3 Installing the connecting package on the firewall from a USB drive
IMPORTANT
The connecting package makes it possible to establish a connection from the firewall to the SMC server. Share this package only with users who have been made aware of security. Such packages must only be shared through secure channels (encrypted e-mails, secured USB keys, etc.) between SMC and SNS firewalls. We advise against installing the same package on several firewalls.
1. Provide the connecting package to the administrator in charge of deploying the new firewall on the remote site.
2. Ensure the administrator:
   - copies the connecting package (.pack) and an SNS update file (.maj) to an empty USB drive. The drive must be formatted as FAT32, FAT16 or UFS. SNS version 2.3.0 is the minimum version required.
   - plugs the USB drive into the new firewall and connects the OUT interface to the network.
   - starts the firewall. The firewall first installs the SNS update file and reboots. After restarting, the firewall installs the connecting package: the IP addresses of the SMC server and of the OUT interface of the firewall are configured, and the firewall connects to the SMC server.
3. In the SMC server web interface, verify that the state of the firewall changes in the Firewalls menu. It must be "On line".
4. To ensure the security of your appliance, log on directly to the firewall's administration interface by clicking on the icon and change the firewall's administration password. For more information on direct access to the firewall's interface, refer to the section Accessing the web administration interface of firewalls.
TIP
The firewall administrator can see the connection settings to the SMC server in the firewall web administration interface: in the dashboard component and in the menu Configuration > System > Management Center. He/she can also install a new connecting package from the web administration interface.
TIP
You can build the package later, by editing the firewall in the Firewalls menu.
2. Click on Create.
3. In the Generating the connecting package panel, click on Next, then select This firewall is already in production.
4. On the next panel, select the version of the firewall. Verify and edit the information to connect to the SMC server if needed. The panel varies according to the version of the firewall. In 3.9.0 and higher versions:
   - IP address or FQDN: the firewall connects using these addresses to contact the SMC server. Depending on network topology, they can either be the SMC server's IP addresses or external IP addresses that the firewall can reach, and which are redirected to the SMC server through destination translation. You can set up to ten addresses or FQDNs to contact the SMC server, by order of priority. The firewall browses the addresses from 1 to 10 and connects to the SMC server through the first reachable address. If the address currently used does not have the highest priority, the firewall regularly tries to reach an address with greater priority.
   - Port: depending on network topology, they can either be the SMC server's ports (1754 by default) or external ports that the firewall can reach, and which are redirected to the SMC server's port through destination translation.
   - Local address: you can specify a different outgoing interface for each contact address.
   - For firewalls in version 3.7.X to 3.8.X, only one outgoing interface can be specified, which will apply to all contact addresses.
5. Click on Generate and download.
IMPORTANT
The connecting package makes it possible to establish a connection from the firewall to the SMC server. Share this package only with users who have been made aware of security. Such packages must only be shared through secure channels (encrypted e-mails, secured USB keys, etc.) between SMC and SNS firewalls. We advise against installing the same package on several firewalls.
1. Provide the connecting package to the administrator in charge of managing the firewall on the remote site.
2. Ensure the administrator connects to the web administration interface of the firewall.
3. In the Configuration > System > Management Center menu of the firewall administration interface, ensure that the administrator selects the connecting package. After the package has been installed, the administrator can see the SMC server connection settings in the same menu. They are also displayed in the SMC dashboard component.
4. In the SMC server web interface, verify that the state of the firewall changes in the Firewalls menu. It must be "On line".
1. In the same window, select Generate the connecting package to generate the package while adding the new firewall. This connecting package will have to be installed on the firewall to connect to the SMC server.
TIP
You can build the package later, by editing the firewall in the Firewalls menu.
2. Click on Create.
3. In the Generating the connecting package panel, click on Next, then select This firewall is already in production.
4. On the next panel, select the version of the firewall. Verify and edit the information to connect to the SMC server if needed. The panel varies according to the version of the firewall. In 3.9.0 and higher versions:
   - IP address or FQDN: the firewall connects using these addresses to contact the SMC server. Depending on network topology, they can either be the SMC server's IP addresses or external IP addresses that the firewall can reach, and which are redirected to the SMC server through destination translation. You can set up to ten addresses or FQDNs to contact the SMC server, by order of priority. The firewall browses the addresses from 1 to 10 and connects to the SMC server through the first reachable address. If the address currently used does not have the highest priority, the firewall regularly tries to reach an address with greater priority.
   - Port: depending on network topology, they can either be the SMC server's ports (1754 by default) or external ports that the firewall can reach, and which are redirected to the SMC server's port through destination translation.
   - Local address: you can specify a different outgoing interface for each contact address.
   - For firewalls in version 3.7.X to 3.8.X, only one outgoing interface can be specified, which will apply to all contact addresses.
5. Click on Generate and download.
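A model of the contact-address selection rule that the three package-generation procedures above describe for firewalls in version 3.9.0 and higher (first reachable address in priority order, periodic retry of higher-priority addresses). This is an added example, not Stormshield code, written so an administrator can reason about which address a firewall behind NAT will end up using; reachability is injected as a function so it runs offline, and the addresses, ports and interface name in the scenario are constructed (documentation ranges), not a real deployment.

```python
"""Model of how an SNS firewall (3.9.0 and higher) picks its SMC contact address.

Added example, not Stormshield code. It reproduces the documented rule: try up
to ten contact addresses in priority order, keep the first reachable one, and,
while connected through a lower-priority address, regularly retry the
higher-priority ones and move back up as soon as one answers. Reachability is
injected as a function so the model runs offline; the scenario addresses are
documentation-range examples, not a real deployment.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

SMC_DEFAULT_PORT = 1754        # documented default port of the SMC server
MAX_CONTACT_ADDRESSES = 10     # documented maximum number of contact addresses


@dataclass(frozen=True)
class Contact:
    """One contact entry of the connecting package, in priority order."""
    address: str                          # SMC IP/FQDN, or a NATed address redirected to it
    port: int = SMC_DEFAULT_PORT          # SMC port, or the external port redirected to it
    local_address: Optional[str] = None   # outgoing interface (per address in 3.9.0+)


# A probe answers "can this contact be reached right now?"; injected for testing.
Probe = Callable[[Contact], bool]


def validate_contacts(contacts: List[Contact]) -> None:
    """Enforce the documented limits before a package would be generated."""
    if not 1 <= len(contacts) <= MAX_CONTACT_ADDRESSES:
        raise ValueError(f"between 1 and {MAX_CONTACT_ADDRESSES} contact addresses required")
    for contact in contacts:
        if not contact.address or not 1 <= contact.port <= 65535:
            raise ValueError(f"invalid contact {contact!r}")


def select_contact(contacts: List[Contact], reachable: Probe) -> Optional[int]:
    """Initial connection: index of the first reachable contact, scanning 1..10."""
    validate_contacts(contacts)
    for index, contact in enumerate(contacts):
        if reachable(contact):
            return index
    return None  # nothing reachable: the firewall stays offline and keeps retrying


def next_contact(contacts: List[Contact], current: Optional[int], reachable: Probe) -> Optional[int]:
    """One periodic retry cycle.

    - not connected, or current address lost: behave like the initial selection;
    - connected through a lower-priority address: move to the highest-priority
      address that now answers, otherwise stay where we are.
    """
    if current is None or not reachable(contacts[current]):
        return select_contact(contacts, reachable)
    for index in range(current):          # only addresses with higher priority
        if reachable(contacts[index]):
            return index
    return current


def probe_from_reachable(addresses: Iterable[str]) -> Probe:
    """Build a probe from the set of addresses currently reachable (test double)."""
    up = set(addresses)
    return lambda contact: contact.address in up


if __name__ == "__main__":
    # Constructed scenario: on-site SMC first, then a NATed public entry on
    # port 443, then the public address of a secondary site.
    plan = [
        Contact("smc.corp.example"),
        Contact("203.0.113.10", port=443, local_address="out"),
        Contact("198.51.100.7", local_address="out"),
    ]
    state = select_contact(plan, probe_from_reachable({"198.51.100.7"}))
    print("initial:", plan[state])        # third entry: the only one reachable
    state = next_contact(plan, state, probe_from_reachable({"198.51.100.7", "203.0.113.10"}))
    print("after retry:", plan[state])    # moves up to the NATed entry
    state = next_contact(plan, state, probe_from_reachable({"smc.corp.example"}))
    print("after retry:", plan[state])    # top-priority address is back: uses it
```

The practical consequence for the destination-translation case is that every address in the list must be a path the firewall can genuinely reach from its own outgoing interface; an entry that is only reachable from inside the data centre is harmless when it is at the top (it is simply skipped) but useless as a fallback.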
2.3.3 Installing the connecting package on the active node of the cluster
IMPORTANT
The connecting package makes it possible to establish a connection from the firewall to the SMC server. Share this package only with users who have been made aware of security. Such packages must only be shared through secure channels (encrypted e-mails, secured USB keys, etc.) between SMC and SNS firewalls. We advise against installing the same package on several firewalls.
1. Provide the package to the administrator in charge of managing the cluster on the remote site.
2. Ensure that the administrator:
   - connects to the web administration interface of the active node of the cluster.
   - selects the connecting package in the menu Configuration > System > Management Center of the firewall administration interface. After the package has been installed, the administrator can see the SMC server connection settings in the same menu. They are also displayed in the SMC dashboard component.
   - performs a synchronization of both nodes from the administration interface of the active node. The passive node then retrieves the configuration contained in the firewall connecting package.
3. In the SMC server web interface, verify that the state of the cluster changes in the Firewalls menu. It must be "On line". The mode icon changes as well.
   In case of failover, the passive node will become active and will automatically connect to the SMC server.
4. To view different types of information about both nodes of the cluster, edit the cluster in the Firewalls menu and open the High availability tab.
The SMC server regularly synchronizes both nodes in the high availability clusters of firewalls that it manages. To disable this automatic synchronization, refer to the section Disabling automatic synchronization of high availability clusters.
IMPORTANT
Ensure that the CSV file editor has not changed the "," separator character, in which case the file may not be imported on the SMC server. For more information on the separator character, refer to the section Choosing the separator character in CSV files.
IMPORTANT
When several administrators are connected at the same time, we recommend that you import firewalls from the web interface instead of in command line, so that each administrator will be informed when changes are applied.
1. Start by copying the CSV file to the SMC server over SSH, for example into the /data/tmp folder. This example path is used in the procedure below.
2. Log in to the SMC server via the console of your hypervisor or in SSH.
3. Enter the command:
smc-import-firewalls /data/tmp/filename.csv
To change the value of the delimiter character, use the environment variable SMC_CSV_DELIMITER. For more information, refer to the section Choosing the separator character in CSV files.
Generated connecting packages are available in the folder /tmp/import-firewalls-[date of import].
The status of the import is indicated for each firewall, as well as a summary when the import is complete.
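A pre-flight check for the separator warning and the SMC_CSV_DELIMITER step above, as an added example that is not part of SMC: it detects which delimiter a CSV file actually uses, verifies that every row has the same number of fields, and prints the matching `smc-import-firewalls` command line. Two assumptions are made: that SMC_CSV_DELIMITER takes the delimiter character itself as its value, and that the sample rows below (column names included) are constructed for the example rather than being the guide's CSV layout.

```python
"""Delimiter check for a firewall CSV before running smc-import-firewalls.

Added example, not part of SMC. A spreadsheet editor may silently replace the
"," separator (typically by ";" under a locale that uses the comma as decimal
mark), after which the import fails unless SMC_CSV_DELIMITER matches the file.
Assumptions: SMC_CSV_DELIMITER takes the delimiter character as its value; the
sample rows and their column names are constructed, not the guide's CSV layout.
"""
import csv
import io
import shlex
from typing import List, Optional

CANDIDATES = (",", ";", "\t", "|")   # "," is tried first: it is the SMC default
DEFAULT_DELIMITER = ","


def detect_delimiter(text: str) -> Optional[str]:
    """Return the first candidate that splits every non-empty line into the same
    number of fields (more than one); None if no candidate is consistent."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return None
    for candidate in CANDIDATES:
        field_counts = {len(row) for row in csv.reader(lines, delimiter=candidate)}
        if len(field_counts) == 1 and next(iter(field_counts)) > 1:
            return candidate
    return None


def parse_rows(text: str, delimiter: str) -> List[List[str]]:
    """Parse with the detected delimiter, honouring quoted fields."""
    return [row for row in csv.reader(io.StringIO(text), delimiter=delimiter) if row]


def import_command(path: str, delimiter: Optional[str]) -> str:
    """Command to type on the SMC server for this file (see the procedure above)."""
    if delimiter is None:
        raise ValueError("delimiter is inconsistent or undetectable; fix the file first")
    command = f"smc-import-firewalls {shlex.quote(path)}"
    if delimiter == DEFAULT_DELIMITER:
        return command
    # Assumption: the variable carries the delimiter character itself.
    return f"SMC_CSV_DELIMITER={shlex.quote(delimiter)} {command}"


def check_file(text: str, path: str) -> dict:
    """Summary an operator reads before copying the file to /data/tmp."""
    delimiter = detect_delimiter(text)
    rows = parse_rows(text, delimiter) if delimiter else []
    return {
        "delimiter": delimiter,
        "is_default": delimiter == DEFAULT_DELIMITER,
        "firewalls": max(len(rows) - 1, 0),     # header row excluded
        "fields": len(rows[0]) if rows else 0,
        "command": import_command(path, delimiter) if delimiter else None,
    }


# Constructed samples: the same two firewalls saved by an editor that kept ","
# and by one that switched to ";" (column names are illustrative only).
SAMPLE_COMMA = (
    "name,address,description\n"
    'fw-paris,192.0.2.10,"Paris, head office"\n'
    "fw-lyon,192.0.2.20,Lyon site\n"
)
SAMPLE_SEMICOLON = (
    "name;address;description\n"
    'fw-paris;192.0.2.10;"Paris, head office"\n'
    "fw-lyon;192.0.2.20;Lyon site\n"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", newline="").read() if path else SAMPLE_SEMICOLON
    print(check_file(text, path or "/data/tmp/filename.csv"))
```

Run it against the real file on the administration workstation before the `scp` step; a `None` delimiter means rows have different field counts (a stray separator inside an unquoted description is the usual cause) and the file should be fixed rather than imported with a guessed SMC_CSV_DELIMITER.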
3. MONITORING SNS FIREWALLS
TIP
Click on the Stormshield logo in the upper banner to go back to the firewall monitoring screen.
- or -
- Use the status drop-down menu above the firewall list. The Connected filter displays firewalls that are Running, Not critical and Critical.
For each connected firewall, information about the CPU, the memory used and the disk space used is available. The values displayed for the CPU and memory apply to the latest hour. Move the mouse over the diagrams to see more details.
The "Local modification" and "Configuration validation" health indicators are provided by the SMC server and relate to deployment issues. For more information, refer to Detecting changes to the local configuration on firewalls and Validation of the deployment failed.
Troubleshooting
The firewall does not display a valid maintenance end date
- Situation: In Monitoring view, the column indicating the date on which maintenance of the firewall ends is empty.
- Cause: Firewall license is not valid.
- Solution: Contact your Stormshield support center to obtain a valid license.
TIP
The Search field in the list of firewalls in Monitoring > Firewalls also applies to folder names.
Creating folders
1. Go to the Firewalls and sub-folders tab in Configuration > Firewalls and sub-folders.
2. Click on Create a sub-folder when you are in the desired parent folder.
Organizing firewalls
There are several ways to do so:
- When you create a new firewall from Monitoring > Firewalls or Configuration > Firewalls and folders, in the Firewalls and sub-folders tab, you can choose its location.
- You can move an existing firewall from the same panels by clicking on Move 1 firewall. Multiple firewalls may be selected.
known as a "folder administrator", for security reasons. This administrator can look up the configuration of other firewalls that are connected to SMC, but in read-only access. The super administrator and general administrator can still access all folders in write mode.
Folder administrators can create and delete folders only in the folders on which they have write access privileges.
For more information on restricting folder administrators' access, refer to the section Restricting folder administrators' access privileges.
Removing folders
In the Firewalls and sub-folders tab in Configuration > Firewalls and folders, scroll over the folder name and select the red cross.
If you delete a folder, firewalls and rules in this folder will be moved by default to the parent folder.
In SMC, you can access the interface of your SLS server by using a shortcut that can be configured in SMC.
You can also go straight to the SLS view, filtered by logs for a given firewall. An SLS icon
4. CONFIGURING SNS FIREWALLS
TIP
The Search field in the firewalls list also applies to the Description and Location fields.
WARNING
Folder administrators whose read access privileges are restricted to certain folders on SMC cannot perform this operation. For more information, refer to the section Restricting folder administrators' access privileges.
With custom properties, description criteria for firewalls can be added. In this way, firewalls can be identified and filtered more efficiently, using characteristics other than their names, versions or comments.
Such custom properties are therefore particularly useful for managing large firewall pools. They can either be created directly in SMC or imported.
NOTE
Custom properties are meant only for administration via SMC, so they are not deployed on the corresponding firewalls.
Firewalls can be filtered by their custom properties in the following modules:
- Firewall and folder monitoring,
- Peer selection in a VPN topology,
- Firewall selection for the deployment of a configuration,
- Results of configuration deployments,
- Firewall selection for the deployment of CLI scripts,
- Results of CLI script deployments.
You can display the columns that represent these custom properties in the firewall monitoring and configuration windows.
1. In a firewall's System > Configuration tab, click on Manage global customized properties.
2.
3.
4.
5.
4. Open or save the export file containing custom properties.
5. Click on Close.
NOTE
The structure of an export file containing custom properties is as follows:
#property,#firewall,#value
Cp1, Fw2, value_cp1
Cp2, Fw1, value_cp2
Cp3, Fw1, value_cp3
etc.
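As an added example (not code from SMC or Stormshield), the following Python reads an export file in the layout shown above, builds a per-firewall map of custom properties for filtering, and refuses a file whose separator a spreadsheet editor has silently changed, which is the failure the IMPORTANT note about CSV files warns about. The separator detection is a hypothetical check of this example, not SMC's own import logic; the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the export layout shown in the note above
# (#property,#firewall,#value); it is not a file produced by a real SMC server.
SAMPLE_EXPORT = """#property,#firewall,#value
Cp1, Fw2, value_cp1
Cp2, Fw1, value_cp2
Cp3, Fw1, value_cp3
"""

# The same content after an editor silently switched the separator to ";".
SAMPLE_EXPORT_SEMICOLON = SAMPLE_EXPORT.replace(",", ";")

EXPECTED_HEADER = ["#property", "#firewall", "#value"]


def detect_separator(text):
    """Return the separator the header line actually uses.

    The header must carry the three names #property, #firewall and #value; the
    character standing between them is the separator the editor wrote. Only a
    handful of common separators are tried (hypothetical check, not SMC's own).
    """
    header = text.splitlines()[0].strip()
    for sep in (",", ";", "\t", "|"):
        if [h.strip() for h in header.split(sep)] == EXPECTED_HEADER:
            return sep
    raise ValueError("unrecognised header line: %r" % header)


def parse_custom_properties(text, expected_sep=","):
    """Parse an export file into {firewall: {property: value}}.

    Raises ValueError when the separator differs from the expected one, so the
    file is rejected before it is copied to the SMC server rather than by it.
    """
    sep = detect_separator(text)
    if sep != expected_sep:
        raise ValueError("separator is %r, expected %r" % (sep, expected_sep))
    reader = csv.reader(io.StringIO(text), delimiter=sep)
    header = [h.strip() for h in next(reader)]
    by_firewall = defaultdict(dict)
    for lineno, row in enumerate(reader, start=2):
        if not row or all(not cell.strip() for cell in row):
            continue  # tolerate blank trailing lines
        if len(row) != len(header):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(header), len(row)))
        # Values in the export carry a space after each separator; strip it.
        record = dict(zip(header, (cell.strip() for cell in row)))
        by_firewall[record["#firewall"]][record["#property"]] = record["#value"]
    return dict(by_firewall)


def firewalls_with(properties, name, value):
    """Names of the firewalls whose custom property `name` equals `value`,
    the same filtering the monitoring and deployment views offer."""
    return sorted(fw for fw, props in properties.items() if props.get(name) == value)
```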
To set the values of each variable for specific firewalls, you need to go to the properties of the firewalls in question, provided that you hold write access privileges on these firewalls.
Custom variables can be modified or deleted, as long as they are not used in the configuration of firewalls on which you do not have write access privileges. You can check where firewalls are being used as shown below. For more information, refer to the section Restricting folder administrators' access privileges.
You can create as many customized variables as needed.
variable: SMC_CFGCHECK_INCOHERENCIES_INT.
3. Restart the server with the command nrestart fwadmin-server.
7. You can also filter the list of firewalls by selecting a deployment result in the drop-down list at the top of the list.
TIP
If a configuration is deployed on disconnected firewalls, the deployment is postponed and firewalls retrieve the configuration the next time they are on line.
8. In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking the icon in the Actions column and refer to the firewall logs.
9. If the firewall requires a reboot to finalize the deployment, this is indicated by the health status "Reboot required". You can start the reboot directly from the deployment window by clicking on the Reboot button at the bottom of the window. You can also restart the firewall at a later point in time from the supervision, configuration and deployment windows or by clicking on the information displayed on the right-hand side in the top banner of the application:
10. After a configuration is deployed for the first time, the SMC server will regularly check whether the configuration deployed on the firewall continues to match the configuration on SMC. Refer to Detecting changes to the local configuration on firewalls.
WARNING
This feature includes the following limitations:
- SMC displays a warning only when it detects changes made to the configuration from the web administration interface. Changes made via the command line interface and the SMC public API are not taken into account.
- All changes to a firewall's configuration will trigger a warning, regardless of which firewalls are selected for the deployment, and even when the firewall in question is not part of the selection, or is not part of the administration perimeter of the administrator deploying the configuration.
- Any time a resource is created, i.e., an object or rule set, even if it is not in use or has been deleted immediately, a warning will be triggered.
- Any operation involving rule separators (collapsing/expanding) will trigger a warning.
- During a deployment, the list of pending changes will be purged, regardless of which firewalls are selected for the deployment. This means that if you make changes to firewall A, and another administrator deploys the configuration first on firewall B then on firewall A, the warning will appear only during the first deployment.
- If an administrator restores a backup on SMC, the list of pending changes will be purged. No warnings will be shown during the next deployment.
- When a configuration deployment fails on a firewall, the list of pending changes will be purged.
Description: Sets the amount of time in seconds that SMC will attempt to reconnect. Once this duration is exceeded, the previous configuration will be restored.
SMC side: /data/log/fwadmin-server/server.log
Firewall side: /log/l_system
4.4.7 Troubleshooting
Validation of the deployment failed
- Situation: After the configuration was deployed on the firewall, the status of the firewall switched to Critical and indicated "Configuration validation". The command CONFIG STATUS VALIDATE therefore failed.
- Cause: The password used to validate the configuration on the SNS firewall was probably changed and no longer matches the one saved on SMC. Check the server's logs to find out the exact cause.
- Solution: Connect to the firewall to fix the issue. If the reason is an invalid password, run the command CONFIG STATUS REMOVE.
- Solution: Wait until the script finishes executing, or until the firewall reconnects so that the execution can complete. You can also cancel the execution of the script from the SNS CLI scripts menu.
NOTE
The deployment history is cleared every time the SMC server is updated, therefore containing only the revisions of the current version. The history cannot be used to restore the configuration of an older version after the update.
Once you have viewed the comparison, a status icon can be seen in the Deployment column indicating that:
- (status icon): the status is unknown, or the last comparison is no longer valid. Click on the icon to refresh the status.
To view changes to the local configuration on a firewall after it has been deployed, refer to Detecting changes to the local configuration on firewalls.
Description: The variable defines the frequency with which SMC will check the configuration on firewalls. The value is defined in milliseconds. Setting the variable to 0 disables the feature; the configuration on firewalls will no longer be verified.
If SMC detects changes to the configuration that were made locally, the status of the firewall switches to Critical and the "Local modification" health indicator will appear. The version number will therefore be struck through in red because it no longer matches the configuration on the firewall.
When a firewall is being updated, the detection of local changes is disabled until the next time the configuration is deployed. After a new deployment, SMC will resume monitoring local changes.
firewall web interface. For more information, refer to the section Managing administrator privileges as super administrator.
1. Go to Monitoring > Firewalls.
2. Scroll over the name of a firewall. The firewall must be on line.
3. Click on the icon.
Authentication on the firewall is automatic:
- You do not need to set a login on this firewall,
- You do not need to configure any authorized administration host in the web administration interface of the firewall,
- Logging out from the SMC server web interface automatically disconnects the user from the firewall's web administration interface.
TIP
The indication "Managed by SMC" appears at the top of the firewall administration interface.
For more information about the web administration interface, refer to the SNS User guide.
If the firewall is not in an administrator's administration perimeter, direct access to the firewall's administration interface is still possible, but in read-only mode. For more information, refer to the section Restricting folder administrators' access privileges.
TIP
The indication "Managed by SMC - Emergency mode" appears at the top of the firewall web administration interface.
4.10 Converting a firewall connected to the SMC server into a high availability cluster
A standalone firewall connected to the SMC server can be converted into a high availability cluster:
1. From the SMC server web interface, connect to the web administration interface of the firewall by clicking the icon in the list of firewalls in the Monitoring menu.
2. Refer to the section High availability in the SNS User Guide to find out how to add a passive node. In a failover, the passive node will become active and will automatically connect to the SMC server.
TIP
The icon in the Mode column is updated in the list of firewalls on the SMC server web interface. To view details about both nodes of the cluster, edit the cluster in the Firewalls menu and open the System > High availability tab.
1. In the Monitoring > Firewalls menu, scroll over the name of a connected firewall and click on the icon.
- or -
1. In Configuration > Certificates, click on Import certificate at the top of the grid. For further information regarding the Certificates menu, refer to Managing certificates and certification authorities.
- or -
1. During the configuration of a VPN topology, when choosing peers, click on the icon on the line of a firewall. For more information, please refer to the section Creating policy-based VPN topologies.
The option Use this certificate by default on this firewall allows you to select the certificate to be used for VPN negotiations. There can only be one default certificate for each firewall. To change the default certificate later, refer to the section Changing the certificate used by default in VPN topologies.
TIP
Display help using the option --help:
4.11.4 Troubleshooting
The Import button remains grayed out
- Situation: You have selected the certificate and entered the password but the Import button remains grayed out.
- Cause: When running a script or deploying a configuration, you will not be able to import any certificates for any firewalls.
- Solution: Wait for the script to finish its run or for the configuration to be fully deployed.
- Situation: When you import a certificate on a firewall, the SMC server returns the error "Insufficient privileges".
- Cause: You are unable to import a certificate on a firewall on which a session has been opened either directly or via SMC.
- Solution: Log off from the firewall and attempt to import the certificate again.
To change the certificate used by default, select another certificate from the drop-down list or import a new certificate.
You cannot delete the certificate used by default if it is in use in a VPN topology.
4. In the Bases automatic update area, click on Update bases now. The SMC server connects to the Stormshield update server and downloads the databases.
5. If you want the databases to update automatically every three hours, select Update databases automatically.
To change the frequency of updates or the number of databases to update, refer to Customizing Active Update settings.
5. Copy and run the script activeupdate-fetch.sh on a Linux machine with an Internet connection. You must have enabled DNS resolution on the machine. By default, the script retrieves all databases from the URL https://update1-sns.stormshieldcs.eu/package. If you want to specify which databases to retrieve, or a different URL, run the script by modifying its parameters. For more information, refer to the help for the script: activeupdate-fetch.sh -h.
6. In the Active Update data field, select the archive generated by the script.
7. Click on Update the databases.
8. Repeat these steps regularly so that the Active Update databases are always up to date on the SMC distribution point.
c. Create the Active Update configuration script with the commands described in the following example, replacing server.crt if necessary with the file name of your certificate:
PKI IMPORT format=pem type=ca $FROM_DATA_FILE("server.crt")
d. Follow the usual steps for running a script, as shown in the section Running the SNS CLI script from the web interface, selecting the file of the certificate in the Attachments related to the script menu.
2. Create objects on the SNS firewalls that would make it possible to verify the SMC certificate:
a. Create the object creation script with the commands described in the following example.
CONFIG OBJECT
or public SMC
CONFIG OBJECT
or public SMC
CONFIG OBJECT
The value of the name setting consists of an object name of your choice followed by the domain name. The private IP address is the one that can be seen in the IP address column in the Configuration > Active Update server panel in SMC.
b. Follow the usual steps for running a script, as shown in the section Running the SNS CLI script from the web interface.
3. Create the Active Update configuration script with the commands described in the following example.
CONFIG AUTOUPDATE SERVER url=https://activeupdate0.smc.local:8081/activeupdate CA="CN=*.smc.local" state=on
CONFIG AUTOUPDATE ACTIVATE
You will find the value of the url and CA settings in the Contact URL and Server certificate fields in Configuration > Active Update server.
You can add custom settings to the script. For further information, refer to the CLI Serverd Commands Reference Guide.
TIP
To specify several URLs and CAs, separate them with commas:
url=https://activeupdate0.smc.local:8081/activeupdate,https://activeupdate1.smc.local:8081/activeupdate/activeupdate CA="CN=*.smc.local,CN=*.smc.local" state=on
4. Follow the usual steps for running a script, as shown in the section Running the SNS CLI script from the web interface.
2. Change the settings as desired:
State
Port
Host
Source: URL of the Stormshield server from which Active Update databases are downloaded.
Categories: List of Active Update databases that you wish to download from the SMC server. The values of the database categories are as follows. Separate them with commas.
Database category / Value:
- All databases: ALL
- ANTISPAM
- VADERETRO
- URLFILTERING
- CLAMAV
- KASPERSKY
- PATTERNS
- ROOTCERTS
- Geolocation/Public IP reputation: IPDATA
- Vulnerability management: SEISMO
- METADATA
Tries
AutoUpdatePeriod
Once the certificate has expired, the firewall's health status will become Critical.
The firewall will start displaying a Not critical status by default 30 days before the expiry of the certificate.
The environment variable SMC_SNS_CERTS_PROBE_EXPIRATION_INT allows this period to be configured. The lowest value allowed is one day.
To change the default 30-day period:
1. Log in to the SMC server via the console of your hypervisor or in SSH.
2. Change the value of the environment variable SMC_SNS_CERTS_PROBE_EXPIRATION_INT. For example: SMC_SNS_CERTS_PROBE_EXPIRATION_INT=20
3. Restart the server with the command nrestart fwadmin-server.
4. Deploy the configuration again on the firewalls.
The imminent expiry of certificates is also indicated in the Configuration > Certificates panel.
If you have changed the warning period, but have not yet redeployed the configuration on the firewalls, the status of certificates indicated in the Certificates panel (information provided by the SMC server) may not immediately match the firewall health status indicated in the monitoring panel (information provided by firewalls).
For further information regarding the Certificates panel, refer to the section Managing certificates and certification authorities.
4.14 Configuring the warning for the imminent expiry of license options
The status icons that appear in the upper banner of the interface as well as the Licensing options column in the firewall monitoring panel may show a Critical or Not critical status when subscribed license options (Breach Fighter, Extended Web Control, Advanced Antivirus, Stormshield Vulnerability Manager, Industrial Security Pack) have expired or are about to expire.
This warning is disabled by default.
The environment variables SMC_FW_LICENSE_WARNING_INT and SMC_FW_LICENSE_CRITICAL_INT make it possible to enable warnings and configure time frames.
To enable warnings:
1. Log in to the SMC server via the console of your hypervisor or in SSH.
2. Add the environment variables SMC_FW_LICENSE_WARNING_INT=90 and SMC_FW_LICENSE_CRITICAL_INT=30.
3. Restart the server with the command nrestart fwadmin-server.
In this example, a firewall will start displaying a Not critical status beginning 90 days before license options expire and Critical beginning 30 days before license options expire.
- In a firewall's System > IPsec VPN properties, the status Protected is indicated in the X509 certificate's characteristics.
Whenever you install a new certificate on the firewall, the status will also be indicated in the window showing the results of the installation of a certificate.
To enable TPM protection on a private key that has already been installed on a firewall, run the following SNS CLI script from the Scripts/SNS CLI scripts menu:
5. Managing objects
The Objects menu on the left side of the web interface makes it possible to create, edit or remove an object from the configuration deployed on firewalls.
All objects created from the SMC server belong to the firewall's global policy. They are available in the firewall web administration interface.
For more information on global objects, refer to the SNS user guide.
Objects can be modified or deleted only when:
- They are not used in any firewall configuration,
- They are used in the configuration of firewalls on which you have write access privileges.
To check whether an object is in use, refer to the section Checking usage of an object in the configuration.
If you need to modify an existing object in order to use it in the configuration of your firewalls, and it is being used in the configuration by a firewall on which you do not have write access privileges, you will be prevented from modifying it. We recommend that you duplicate the object. To do so, go to the object editing panel.
For more information on the restriction of access privileges, refer to the section Restricting folder administrators' access privileges.
IMPORTANT
Before removing an object from the SMC server, ensure that doing so will not affect the operation of your firewalls.
1. In the Objects menu, create a Host, Network or IP address range object.
2. Fill in the IPv4 address or IPv6 address field with a %CUSTOM_X% variable. The value of this customized variable is defined in the Customized variables tab in the Edit firewall panel accessible by double clicking on the line of a firewall in monitoring view.
- You can view the list of available variables by clicking on Manage global variables. Use the Copy to clipboard button to copy them to the desired field.
EXAMPLE
Enter the address 10.1.%CUSTOM_IP%.0/24. If, for a given firewall, the customized variable equals "1" in its parameters, the address will be 10.1.1.0/24 for this firewall in the filter rule or in the VPN topology.
3. Complete the creation of the object.
For more information on the customized variables, refer to the section Creating custom variables.
3. In the results panel that opens in the lower part of the window, you can click on items to display and modify them.
IMPORTANT
If you are modifying a CSV file that was exported from a firewall, check that the editing software has not modified the contents of the file, in which case the file may not be imported on the SMC server.
To create a new CSV file, and to find out details about header lines and the parameters to specify according to the object's category, you may:
- Choose to export objects from a firewall,
- Look up the example given on the SMC server as indicated above.
2. Enter the values corresponding to the parameters in the lines after the header for each Host object to be imported (example):
host,dns1.google.com,8.8.8.8,2001:4860:4860::8888,,,ALL,"Google Public DNS Server"
The prescribed values of the #resolve parameter are "dynamic" and "static".
The #deployment parameter may take on any of the following values:
- Empty or DEFAULT: this is its default behavior - the object is deployed only on the firewalls that use it.
- ALL: the object is deployed on all firewalls.
- "Firewall 1,Firewall 2": list of firewall names between quotation marks and separated by commas. The object is deployed on these firewalls as well as the firewalls that use it.
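As an added example that is not SMC's own importer, the Python below parses object lines in this CSV layout, applies the #deployment rules just listed to decide which firewalls receive each object, and expands %CUSTOM_X% variables per firewall as described in the variable-object procedure earlier in this chapter, validating the result as an address or network. Only #resolve and #deployment are column names the guide documents; the other header names and the sample rows are assumed/constructed for this example.

```python
import csv
import io
import ipaddress
import re

# Constructed sample CSV. #resolve and #deployment are the column names the guide
# documents; the other header names are assumed for this example only.
SAMPLE_CSV = """#type,#name,#ipv4,#ipv6,#resolve,#mac,#deployment,#comment
host,dns1.google.com,8.8.8.8,2001:4860:4860::8888,,,ALL,"Google Public DNS Server"
host,branch-gw,10.1.%CUSTOM_IP%.1,,static,,,"per-site gateway"
network,branch-lan,10.1.%CUSTOM_IP%.0/24,,,,"Firewall 1,Firewall 2",""
"""

CUSTOM_VAR = re.compile(r"%(CUSTOM_[A-Z0-9_]+)%")
# An empty #resolve is accepted as "not set"; otherwise only the two prescribed values.
ALLOWED_RESOLVE = {"", "dynamic", "static"}


def parse_objects(text):
    """Return one {column: value} dict per data line, checking field count and #resolve."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    objects = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != len(header):
            raise ValueError("line %d: %d fields, header has %d"
                             % (lineno, len(row), len(header)))
        obj = dict(zip(header, row))
        if obj.get("#resolve", "") not in ALLOWED_RESOLVE:
            raise ValueError("line %d: #resolve must be dynamic or static" % lineno)
        objects.append(obj)
    return objects


def deployment_targets(deployment, all_firewalls, using_firewalls):
    """Firewalls that receive the object, following the #deployment rules above.

    using_firewalls are the firewalls whose configuration references the object.
    """
    if deployment in ("", "DEFAULT"):
        targets = set(using_firewalls)
    elif deployment == "ALL":
        targets = set(all_firewalls)
    else:
        # The quoted "Firewall 1,Firewall 2" form; csv has already removed the quotes.
        listed = {name.strip() for name in deployment.split(",") if name.strip()}
        unknown = listed - set(all_firewalls)
        if unknown:
            raise ValueError("unknown firewall(s) in #deployment: %s"
                             % ", ".join(sorted(unknown)))
        targets = listed | set(using_firewalls)
    return sorted(targets)


def expand_custom(value, firewall_vars):
    """Replace each %CUSTOM_X% with the firewall's customized variable X.

    firewall_vars maps variable names (without the % signs) to their values for
    one firewall. The expanded address or network is validated so that a typo
    in a variable value is caught before the object reaches the firewall.
    """
    def substitute(match):
        name = match.group(1)
        if name not in firewall_vars:
            raise KeyError("%s is not defined for this firewall" % name)
        return firewall_vars[name]

    expanded = CUSTOM_VAR.sub(substitute, value)
    if expanded:
        if "/" in expanded:
            ipaddress.ip_network(expanded, strict=False)
        else:
            ipaddress.ip_address(expanded)
    return expanded
```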
4. If necessary, select the option that allows you to update existing objects by replacing them with objects found in the file.
In case of error, refer to the import summary.
No other actions can be performed on the server while objects are being imported.
EXAMPLE
To import only Host and IP address range objects from a CSV file, enter the command:
smc-import-objects --csv-file /tmp/file.csv --host --range
Object / Command:
- Host: --host
- --fqdn
- Network: --network
- IP address range: --range
- Router: --router
- SLA: --sla
- Group (1): --group
- IP protocol: --protocol
- Service (port): --service
- Port group: --servicegroup
- Time: --time
Customized variables such as %CUSTOM_X% can be used instead of IPv4 or IPv6 address values in Host, Network and IP address range objects. These customized variables are defined in the Customized variables tab in the Edit firewall panel accessible by double clicking on the line of a firewall in monitoring view.
If an imported object already existed in SMC, an error will appear. You may use the --update option to overwrite the existing object with the one indicated in the CSV file.
(1) When importing a group, objects included in the group must already exist on the SMC server, otherwise the group will not be created. Import them beforehand through another CSV file or create them manually in the web interface.
6. CONFIGURING THE NETWORK AND ROUTING
Next, go to the Interfaces > Interfaces and Interfaces > IPsec interfaces (VTI) tabs to configure the interfaces.
If this option is not selected, SMC will not manage the network for this firewall and the firewall's Interfaces tab will be in read-only mode.
If you select this option when a firewall is already part of a route-based VPN topology, any associated IPsec interfaces (VTI) that are missing will automatically be created and shown in the IPsec interfaces (VTI) tab. For further information, refer to the section Configuring IPsec interfaces (VTI).
When you force a firewall's interfaces to be retrieved, and if the firewall has virtual IPsec interfaces (VTI), we recommend that you look up the server's logs to ensure that there is no conflict in the interface name, IP address or mask between the IPsec interfaces created on SMC and the IPsec interfaces created on the firewall. Identical names or addresses may delete interfaces used in routes or rules.
When SMC retrieves the routes displayed in a firewall's Routing tab, the interfaces will also be retrieved automatically. If any interfaces were created on SMC but were not deployed, they will be overwritten when routes are retrieved.
When deploying the network configuration, the existing VLAN, aggregate and bridge interfaces on the firewall are not preserved. The network configuration deployed from the SMC server will overwrite the local configuration on the firewall.
l
l
l
The IPsec interfaces on firewalls can be used in route-based VPN topologies, and in the configuration of routes and policy-based routing filter rules.
For more information on IPsec interfaces, refer to Creating or modifying an IPsec interface (VTI) in the SNS user guide and in the technical note IPsec virtual interfaces.
IPsec interfaces shown in SMC originate from three different sources, and behavior may vary depending on whether the firewall's network configuration is managed by SMC or not:
Source 1: the firewall belongs to a route-based VPN topology.
SMC automatically creates the associated IPsec interfaces if it manages the firewall's network configuration. The interfaces are grouped by VPN topology in the grid and can be neither modified nor deleted. The See VPN configuration button opens the configuration panel of the VPN topology in question.

Source 2: the IPsec interfaces were created on the firewall.
SMC retrieves them automatically during the migration from SMC version 3.3 to version 3.4, even if SMC does not manage the firewall's network configuration. If SMC manages the firewall's network configuration, you can force the interfaces to be retrieved at any time, as explained in Configure network interfaces. If they are used in a route-based VPN topology created from SMC, they are associated with that topology in the grid of the IPsec interfaces (VTI) tab. If the network configuration is managed by SMC from version 3.4 onwards, we recommend that you no longer create IPsec interfaces directly on firewalls, as they will be overwritten the next time the configuration is deployed.

Source 3: the IPsec interfaces were created manually from SMC.
This is possible only if SMC manages the firewall's network configuration (from version 3.4 onwards). You can modify or delete IPsec interfaces only for firewalls whose network configuration SMC manages, and only if the interfaces do not belong to a route-based VPN topology.
Some changes made to a route-based VPN topology affect the configuration of the IPsec interfaces it uses. For firewalls whose network configuration SMC manages, the change is immediately replicated on the IPsec interfaces. For firewalls whose network configuration SMC does not manage, changes made to a topology have the following consequences:
- If a topology is deleted, the associated IPsec interfaces are not deleted automatically.
- If you rename a topology or a peer, the comment associated with the IPsec interface, shown in the IPsec interfaces (VTI) tab, is not updated automatically.
- If you change the VTI network pool of the topology, the IP addresses of the IPsec interfaces change, and you must replicate the change manually on the SNS firewalls.
WARNING
As of SNS version 4.8.1 EA, SMC version 3.6 or higher is required to manage dynamic routing from SMC. Configurations containing dynamic routing cannot be deployed from an SMC server in a version lower than 3.6 on SNS firewalls in version 4.8.1 EA or higher.
Go to the System > Configuration tab of the firewall in question and select Configure the network for this firewall in SMC.
The first time you select this option, SMC automatically retrieves the firewall's routes in the Routing tab, provided the firewall is connected. SMC also retrieves the objects used in the routes.
In the Routing tab, you can configure the following from a central point:
- static routes,
- return routes,
- default route,
- dynamic routing.
Static and return routes
To create new static and return routes, click on Add at the top of the grid.

Dynamic routing
Double-click on the dynamic routing line in the grid. Select the BIRD version to use (v1 or v2). You can convert the routing configuration to the format of the selected BIRD version and select advanced options. For more information, refer to the Dynamic routing section in the SNS User guide.
NOTE
SMC does not support IPv6 in the BIRD configuration.

Default route

When the configuration is deployed, the network configuration deployed from SMC takes priority over the firewall's local configuration and overwrites it.
For more information on route configuration, refer to the Routing section in the SNS User Manual.
If the Configure the network for this firewall in SMC checkbox is not selected, the firewall's Routing tab is in read-only mode. SMC then retrieves the firewall's routes every time the tab is opened. The objects contained in read-only routes are not retrieved into SMC.
3. Expand Firewall information and configuration retrieval (advanced) and click on Retrieve configuration of interfaces and routing.
Exporting routes
The smc-export-routes command generates a CSV file containing the static routes, return routes and default routes of firewalls in version 4.2.4 or higher whose network configuration is managed in SMC.
By default, the command writes the CSV file to the /tmp folder.
To export a firewall's routes:
1. Log in to the SMC server via the console of your hypervisor or over SSH.
2. Run the smc-export-routes command. To change the default name of the output file (smc_routes_date.time.csv), pass the path as an argument, for example: smc-export-routes /data/tmp/my_routes.csv.
Importing routes
The smc-import-routes command imports routes from a CSV file into SMC for firewalls in version 4.2.4 or higher whose network configuration is managed in SMC. Running the command overwrites the routes already visible in SMC.
EXAMPLE
The structure of an import file containing routes is as follows:
#firewall,#type,#status,#destination,#gateway,#interface,#comment
SNS1,default,Enabled,any,gateway,auto,
SNS2,reverse,Enabled,,update1-sns.stormshieldcs.eu,out,
...
To import routes:
1. To create the CSV file, you can export routes as shown above and use the generated file as a base.
2. Copy the CSV file to the SMC server over SSH, for example into the /tmp folder.
3. Log in to the SMC server via the console of your hypervisor or over SSH.
4. Run the smc-import-routes command with the path to the CSV file as its argument.
If the routes reference items from your SNS configuration that do not yet exist in the SMC configuration (objects or interfaces), import them on the server beforehand.
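As an added example (not part of the Stormshield guide or of the smc-import-routes tool), the following Python script checks a route CSV file before it is copied to the SMC server: it verifies the documented header, the field count of each row, and that every object and interface a route references already exists in SMC, which the guide requires before the import. The keyword "static" for static routes and the status value "Disabled" are assumptions, since the guide only shows "default", "reverse" and "Enabled"; the sample file and the sets of known objects and interfaces are constructed.

```python
"""Pre-flight check of a route CSV file for smc-import-routes (added example, not Stormshield code)."""
import csv
import io
from typing import List, Set, Tuple

# Header documented for smc-export-routes / smc-import-routes.
EXPECTED_HEADER = ["#firewall", "#type", "#status", "#destination", "#gateway", "#interface", "#comment"]
ROUTE_TYPES = {"default", "static", "reverse"}   # "static" is an assumption; the guide shows only default and reverse
STATUSES = {"Enabled", "Disabled"}                # "Disabled" is an assumption; the guide shows only Enabled

# Constructed sample file: the guide's two rows, one plausible static route, and
# two rows that must be rejected (a gateway object missing from SMC, a typo in the type).
SAMPLE_CSV = """#firewall,#type,#status,#destination,#gateway,#interface,#comment
SNS1,default,Enabled,any,gateway,auto,
SNS2,reverse,Enabled,,update1-sns.stormshieldcs.eu,out,
SNS1,static,Enabled,Network_branch,gateway,auto,to branch office
SNS2,static,Enabled,Network_dmz,gw_missing,out,
SNS1,stattic,Enabled,any,gateway,auto,typo in type
"""
# Constructed view of what already exists in SMC (objects and interfaces the routes refer to).
KNOWN_OBJECTS = {"any", "gateway", "update1-sns.stormshieldcs.eu", "Network_branch", "Network_dmz"}
KNOWN_INTERFACES = {"auto", "out"}


def validate_routes(text: str, known_objects: Set[str], known_interfaces: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs; an empty list means the file is ready for smc-import-routes."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        return [(1, f"unexpected header {header!r}, expected {','.join(EXPECTED_HEADER)}")]
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line
        if len(row) != len(EXPECTED_HEADER):
            problems.append((line_no, f"expected {len(EXPECTED_HEADER)} fields, got {len(row)}"))
            continue
        firewall, rtype, status, destination, gateway, interface, _comment = row
        if not firewall:
            problems.append((line_no, "missing firewall name"))
        if rtype not in ROUTE_TYPES:
            problems.append((line_no, f"unknown route type {rtype!r}"))
        if status not in STATUSES:
            problems.append((line_no, f"unknown status {status!r}"))
        if not gateway:
            problems.append((line_no, "missing gateway"))
        # The guide requires referenced objects and interfaces to exist in SMC before the import.
        # The reverse route in the sample carries no destination, so only non-empty names are checked.
        for name in (destination, gateway):
            if name and name not in known_objects:
                problems.append((line_no, f"object {name!r} is not in SMC, import it first"))
        if interface and interface not in known_interfaces:
            problems.append((line_no, f"interface {interface!r} is not in SMC"))
    return problems


if __name__ == "__main__":
    for line_no, message in validate_routes(SAMPLE_CSV, KNOWN_OBJECTS, KNOWN_INTERFACES):
        print(f"line {line_no}: {message}")
```

Run it against the exported file before step 2 of the import procedure; because smc-import-routes overwrites the routes already in SMC, a rejected row is cheaper to fix in the CSV than in a deployed configuration.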
NOTE
If you modify a monitored router object or an SLA object, you must deploy the configuration again to refresh the monitored data.
In the monitoring panel, you can export and download monitoring data to a CSV file:
1. Click on Exporting monitoring data at the top of the panel,
2. Save the CSV file.
If you have filtered the data, only the lines visible in the grid are exported.
By default, data in the file is separated by commas. You can change the delimiter with the environment variable SMC_CSV_DELIMITER.
EXAMPLE
Create filter rules to optimize the selection of links for VoIP traffic.
For more information about the SD-WAN feature on SNS firewalls, refer to the technical note SD-WAN - Selecting the best network access.
To do so, for each type of traffic, set an SLA commitment based on one or several thresholds among the following criteria:
- latency,
- jitter,
- packet loss rate,
- unavailability rate.
As soon as any threshold is exceeded, the firewall selects another WAN link whose SLA status is suitable for the traffic in question.
This SLA commitment is defined in an SLA object, which can be used in several router objects.
For the definition of these four commitment criteria, refer to the Router section in the SNS User guide.
To create an SLA object:
1. Create an SLA object in the Objects menu,
2. Configure the thresholds that must not be exceeded for SMC to consider that a link meets the expected quality level and can be used by traffic. If any of its thresholds is exceeded, traffic is directed to another gateway that meets the SLA commitment criteria.
Refer to the next section for information on how to use the SLA object in a router object.
SMC offers two SLA objects by default: Visio and SaaS/Productivity.
NOTE
SLA objects cannot be seen on SNS firewalls.
In the router monitoring panel, the status of the connections and gateways associated with an SNS firewall can be monitored. For more information, refer to the section Monitoring router objects.
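The link-selection behavior described above, as an added example in Python (not code from Stormshield, SNS or SMC): an SLA object carries thresholds for the four criteria, a link is usable only while none of them is exceeded, and the first gateway in the router object's order of preference that still meets the commitment is chosen. The threshold values, gateway names and probe measurements are constructed; the guide does not publish the thresholds of its default Visio and SaaS/Productivity objects.

```python
"""SLA-based WAN link selection (added example, not SNS or SMC code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SlaObject:
    """Thresholds of an SMC SLA object; None means the criterion is not part of the commitment."""
    name: str
    max_latency_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None
    max_unavailability_pct: Optional[float] = None


@dataclass(frozen=True)
class GatewayProbe:
    """Measurements for one gateway of a router object (constructed sample values)."""
    gateway: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    unavailability_pct: float


def sla_violations(probe: GatewayProbe, sla: SlaObject) -> List[str]:
    """Names of the criteria the measured link exceeds; an empty list means the link meets the SLA."""
    checks = (
        ("latency", probe.latency_ms, sla.max_latency_ms),
        ("jitter", probe.jitter_ms, sla.max_jitter_ms),
        ("packet loss", probe.loss_pct, sla.max_loss_pct),
        ("unavailability", probe.unavailability_pct, sla.max_unavailability_pct),
    )
    return [name for name, measured, limit in checks if limit is not None and measured > limit]


def select_gateway(preference: List[str], probes: List[GatewayProbe], sla: SlaObject) -> Optional[str]:
    """First gateway, in the router object's order of preference, whose current
    measurements exceed none of the SLA thresholds. None if no link qualifies."""
    latest = {p.gateway: p for p in probes}
    for gateway in preference:
        probe = latest.get(gateway)
        if probe is not None and not sla_violations(probe, sla):
            return gateway
    return None


# Constructed VoIP-style commitment (hypothetical thresholds, not SMC's Visio object).
VOIP_SLA = SlaObject("voip-constructed", max_latency_ms=150, max_jitter_ms=30,
                     max_loss_pct=1.0, max_unavailability_pct=5.0)
ROUTER_PREFERENCE = ["fiber", "dsl", "lte"]  # gateways of a hypothetical router object, best first

# Constructed probe snapshots: all links healthy, then the fiber link degraded.
PROBES_HEALTHY = [
    GatewayProbe("fiber", latency_ms=20, jitter_ms=5, loss_pct=0.1, unavailability_pct=0.0),
    GatewayProbe("dsl", latency_ms=60, jitter_ms=10, loss_pct=0.5, unavailability_pct=1.0),
    GatewayProbe("lte", latency_ms=90, jitter_ms=40, loss_pct=0.8, unavailability_pct=2.0),
]
PROBES_FIBER_DEGRADED = [
    GatewayProbe("fiber", latency_ms=210, jitter_ms=5, loss_pct=3.0, unavailability_pct=0.0)
] + PROBES_HEALTHY[1:]

if __name__ == "__main__":
    for label, probes in (("healthy", PROBES_HEALTHY), ("fiber degraded", PROBES_FIBER_DEGRADED)):
        print(f"{label}: route VoIP via {select_gateway(ROUTER_PREFERENCE, probes, VOIP_SLA)}")
```

Note that the LTE link never qualifies for this commitment because its jitter is above the threshold, so when fiber degrades the traffic moves to DSL, not to the next gateway in the list; a single exceeded criterion is enough to exclude a link.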
NOTE
If you modify a monitored router object or an SLA object, you must deploy the configuration again to refresh the monitored data.
7. CREATING AND MONITORING VPN TUNNELS
WARNING
Write access privileges on all peers are required to create, modify or delete a VPN topology. For more information, refer to the section Restricting folder administrators' access privileges.
In this section, we describe two use case scenarios: a policy-based mesh topology and a policy-based star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the SNS User guide.
To configure VPN tunnels between the four sites, follow the steps below.
On the SMC server, you must declare the certification authorities to be trusted by the firewalls that SMC manages.
For the topology to be deployed, the SMC server must know the certification authorities' entire chain of trust. For further information, and to find out how to add certification authorities, refer to the section Managing certificates and certification authorities.
IMPORTANT
Groups containing variable objects cannot be used in VPN topologies; the VPN tunnel configuration would be invalid.
1. In Configuration > VPN topologies, click on Add a VPN topology at the top of the screen and select Mesh.
2. In the window that opens, select Policy-based VPN and click on Create the topology.
3. Enter a name. A description is optional.
4. Select X.509 certificate authentication and select the certification authorities that issued the certificates of the firewalls involved in the VPN topology. If an authority's CRL has expired, a warning appears in the list of the VPN topologies menu.
5. Select the encryption profile. The SMC server offers pre-configured profiles. Create your customized profiles in Configuration > Encryption profiles. Refer to the SNS User guide for more information on encryption profile options.
6. Select your topology peers. You can select connected or offline firewalls. You can also select firewalls that have never connected, provided you have set a default custom or dynamic contact address in the System > IPsec VPN tab of the firewall settings.
You need to hold write access privileges on the firewalls that you wish to select as peers. For more information, refer to the section Restricting folder administrators' access privileges.
7. Select the traffic endpoints associated with each of your peers. For further information on the Contact address and Local address settings, refer to the sections Defining the contact IP address of firewalls for VPN topologies and Selecting the output interface of firewalls for VPN topologies.
8. Click on Apply.
9. Deploy the configuration on the firewalls involved in the topology. The VPN configuration belongs to the firewall's global policy.
The company has just acquired a new organization that also has an Accounting department and whose network is protected by a firewall from another vendor.
The administrator needs to know the address range of this firewall, which will be declared as an external peer, and the address range of the sub-network.
The chosen authentication method is a pre-shared key (PSK).
To configure VPN tunnels between the four sites, follow the steps below.
IMPORTANT
Groups containing variable objects cannot be used in VPN topologies; the VPN tunnel configuration would be invalid.
1. In Configuration > VPN topologies, click on Add a VPN topology at the top of the screen and select Star.
2. In the window that opens, select Policy-based VPN and click on Create the topology.
3. Enter a name. A description is optional.
4. Select pre-shared key authentication.
5. Generate a random key.
6. The strongest encryption profile is selected by default. The SMC server offers pre-configured profiles. Create customized profiles in Configuration > Encryption profiles. Refer to the SNS User guide for more information on encryption profile options.
7. Choose the center of your topology. It then shows a star icon in the list of firewalls below, and the firewall appears in bold.
8. If the IP address of the center of the topology is dynamic, check the option Do not initiate the tunnels (Responder-only). Only the peers can then initiate the VPN tunnel.
9. Select your topology peers. You can select connected or offline firewalls. You can also select firewalls that have never connected, provided you have set a default custom or dynamic contact address in the System > IPsec VPN tab of the firewall settings.
You need to hold write access privileges on the firewalls that you wish to select as peers. For more information, refer to the section Restricting folder administrators' access privileges.
10. Select the traffic endpoints associated with each of your peers. For further information on the Contact address and Local address settings, refer to the sections Defining the contact IP address of firewalls for VPN topologies and Selecting the output interface of firewalls for VPN topologies.
11. Click on Apply.
12. Deploy the configuration on the firewalls involved in the topology. The VPN configuration belongs to the firewall's global policy.
These IPsec VTIs act as the traffic endpoints of tunnels, and all packets routed to these interfaces are encrypted. This traffic is described by routes in a routing table or by policy-based routing (PBR) filter rules.
Route-based VPN topologies have the following advantages, among others:
- Routing by IPsec VTIs takes priority over a policy match in standard IPsec tunnels.
- They require fewer tunnels than a standard IPsec topology: only one tunnel is needed between two firewalls, regardless of the number of networks that each firewall protects.
NOTE
Route-based topologies cannot include external peers, i.e., SNS firewalls or any other type of VPN gateway not managed by the SMC server.
From the SMC server, you can:
- create route-based VPN topologies,
- monitor these topologies,
- define filter rules; SMC automatically generates VTI objects that represent the peers in the topology, which can be used in these rules,
- configure static routes and return routes if necessary and/or enable dynamic routing.
Virtual IPsec interfaces (VTI) are created automatically on firewalls whose network configuration SMC manages. These interfaces are listed in the IPsec interfaces (VTI) tab of the firewall's settings. For further information, refer to the section Configuring IPsec interfaces (VTI).
If the topology contains firewalls whose network configuration SMC does not manage, you must create the virtual IPsec interfaces manually on each of these firewalls. The Network managed by SMC column, shown when selecting the peers of a topology, indicates whether SMC manages the firewall's network configuration.
For more information, see the next sections.
NOTE
Modifying a route-based VPN topology may cause changes on the associated virtual IPsec interfaces. For further information, refer to the section Configuring IPsec interfaces (VTI).
SMC offers two VPN topologies: mesh or star.
- Mesh: all remote sites are interconnected,
- Star: a central site is connected to several satellite sites. Satellite sites do not communicate with one another.
If X509 certificate authentication is selected, before configuring your topologies you must import a certificate for all the firewalls in your topologies that SMC manages, and also declare the certification authorities. The corresponding procedures are described in the section Configuring a policy-based mesh topology.
In this section, we describe the configuration of a route-based mesh topology and of a route-based star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the SNS User guide.
For further information on setting up IPsec VTIs on firewalls, refer to the relevant Technical note.
NOTE
Comments associated with IPsec interfaces created by SMC are generated from the names of the topology and of the peers. If a comment exceeds 127 characters, it is truncated. The same applies to comments of host VTI objects if they exceed 255 characters.
2. In the window that opens, select Route-based VPN and click on Create the topology.
3. Enter a name. A description is optional.
4. Choose the authentication type in the next step.
5. Select the encryption profile. The SMC server offers pre-configured profiles. Create your customized profiles in Configuration > Encryption profiles. Refer to the SNS User guide for more information on encryption profile options.
6. If you need to edit the default network pool for IPsec VTIs, expand the Advanced properties section. For more information on the VTI network pool field, refer to the section Editing the VTI network pool.
7. Select your topology peers in the next step. You can select connected or offline firewalls. You can also select firewalls that have never connected, provided you have set a default custom or dynamic contact address in the System > IPsec VPN tab of the firewall settings.
To ensure optimal performance, you can select up to 50 peers by default. The environment variable SMC_VPN_MESH_ROUTE_BASED_MAX_PEERS_INT makes it possible to change this limit. The limit applies only to mesh VPN topologies.
You need to hold write access privileges on the firewalls that you wish to select as peers. For more information, refer to the section Restricting folder administrators' access privileges.
8. In the next step, double-click on the line of a firewall to open the Peers and VTI window:
- For further information on the Contact address and Local address settings, refer to the sections Defining the contact IP address of firewalls for VPN topologies and Selecting the output interface of firewalls for VPN topologies.
- IPsec VTIs are generated automatically after the topology is created. Host VTI objects that represent the remote peers are also generated automatically. They can be used in routes or filter rules to set up routing, and appear in your object database as "VTI_on_FW1_with_FW2_in_topologyname". These objects are deployed automatically on the firewalls. For further information, refer to the section Defining the traffic routing policy.
9. Click on Apply to close the window.
10. Click on Apply again at the end of step 4/4 to generate the topology.
11. If the topology contains firewalls whose network configuration SMC does not manage, SMC offers to download the IPsec interface .csv configuration file. IPsec interfaces must be created manually on these firewalls; refer to the section Defining IPsec VTIs on SNS firewalls for further information. For firewalls whose network configuration SMC manages, SMC creates the IPsec interfaces automatically; refer to Configuring IPsec interfaces (VTI). The "created_by_smc" column of the .csv file indicates whether an interface was created automatically by SMC.
12. Deploy the configuration on the firewalls in the topology. The VPN configuration belongs to the firewall's global policy.
Your topology is not yet operational at this stage. Follow the instructions in Defining IPsec VTIs on SNS firewalls, if the topology includes firewalls whose network configuration SMC does not manage, and in Defining the traffic routing policy to complete the setup of a route-based VPN topology.
2. In the window that opens, select Route-based VPN and click on Create the topology.
3. Enter a name. A description is optional.
4. Choose the authentication type in the next step.
5. Select the encryption profile. The SMC server offers pre-configured profiles. Create customized profiles in Configuration > Encryption profiles. Refer to the SNS User guide for more information on encryption profile options.
6. If you need to edit the default network pool for IPsec VTIs, expand the Advanced properties section. For more information on the VTI network pool field, refer to the section Editing the VTI network pool.
7. Choose the center of your topology. It then shows a star icon in the list of firewalls below, and the firewall appears in bold.
8. If the IP address of the center of the topology is dynamic, check the option Do not initiate the tunnels (Responder-only). Only the peers can then initiate the VPN tunnel. This option is available from version 3.6.0 of the SNS firewalls.
9. Select your topology peers. You can select connected or offline firewalls. You can also select firewalls that have never connected, provided you have set a default custom or dynamic contact address in the System > IPsec VPN tab of the firewall settings.
You need to hold write access privileges on the firewalls that you wish to select as peers. For more information, refer to the section Restricting folder administrators' access privileges.
10. In the next step, double-click on the line of a firewall to open the Peers and VTI window:
- For further information on the Contact address and Local address settings, refer to the sections Defining the contact IP address of firewalls for VPN topologies and Selecting the output interface of firewalls for VPN topologies.
- IPsec VTIs are generated automatically after the topology is created. Host VTI objects that represent the remote peers are also generated automatically. They can be used in routes or filter rules to set up routing, and appear in your object database as "VTI_on_FW1_with_FW2_in_topologyname". These objects are deployed automatically on the firewalls. For further information, refer to the section Defining the traffic routing policy.
11. Click on Apply to close the window.
12. Click on Apply again at the end of step 4/4 to generate the topology.
13. If the topology contains firewalls whose network configuration SMC does not manage, SMC offers to download the IPsec interface .csv configuration file. IPsec interfaces must be created manually on these firewalls; refer to the section Defining IPsec VTIs on SNS firewalls for further information. For firewalls whose network configuration SMC manages, SMC creates the IPsec interfaces automatically; refer to Configuring IPsec interfaces (VTI). The "created_by_smc" column of the .csv file indicates whether an interface was created automatically by SMC.
14. Deploy the configuration on the firewalls in the topology. The VPN configuration belongs to the firewall's global policy.
Your topology is not yet operational at this stage. Follow the instructions in Defining IPsec VTIs on SNS firewalls, if the topology includes firewalls whose network configuration SMC does not manage, and in Defining the traffic routing policy to complete the setup of a route-based VPN topology.
1. Create filter rules on each firewall to allow traffic through the tunnel. The remote peer must be defined as the Gateway – router: in the Action menu, General tab of the rule, select the VTI object that SMC automatically generated to represent the remote peer.
WARNING
Folder administrators whose read access privileges are restricted to certain folders on SMC cannot perform this operation. For more information, refer to the section Restricting folder administrators' access privileges.
When a route-based VPN topology is created, the SMC server selects the IP addresses of the IPsec VTIs from a private sub-network defined by default.
This sub-network is a reserve of available addresses and must be equal to, or included in, one of these three sub-networks:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
The sub-network suggested by default is 172.25.0.0/16.
This default network pool is the same across all topologies. If necessary, you can edit the global pool or a pool specific to a topology.
IMPORTANT
If you edit a topology's IPsec interface network pool after the topology has been created and deployed, verify the configuration of the interfaces already created on your firewalls if SMC does not manage their network configuration.
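The following Python script is an added planning aid, not code from SMC. It applies the constraints the guide states for route-based topologies: the VTI network pool must be equal to or contained in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (default 172.25.0.0/16); a mesh accepts 50 peers by default, a limit the SMC_VPN_MESH_ROUTE_BASED_MAX_PEERS_INT environment variable overrides; one tunnel is needed per pair of firewalls, every pair in a mesh and center-to-satellite pairs in a star; and the generated host VTI objects follow the VTI_on_FW1_with_FW2_in_topologyname pattern described in the mesh and star procedures above. The firewall and topology names are constructed. The guide does not state how many addresses SMC draws from the pool per tunnel, so the script validates the pool without computing its capacity.

```python
"""Planning checks for a route-based VPN topology (added example, not SMC code)."""
import ipaddress
import itertools
import os
from typing import Dict, List, Optional, Sequence, Tuple

# Ranges the guide allows for the VTI network pool, and SMC's default pool.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_VTI_POOL = "172.25.0.0/16"


def pool_is_valid(pool: str) -> bool:
    """True if the pool is equal to or contained in one of the three private ranges."""
    net = ipaddress.ip_network(pool)  # raises ValueError on a malformed pool or host bits set
    return net.version == 4 and any(net.subnet_of(r) for r in PRIVATE_RANGES)


def mesh_peer_limit() -> int:
    """Default mesh limit of 50 peers, read from the same variable SMC uses when it is set."""
    return int(os.environ.get("SMC_VPN_MESH_ROUTE_BASED_MAX_PEERS_INT", "50"))


def mesh_limit_ok(peers: Sequence[str], limit: Optional[int] = None) -> bool:
    """Whether a mesh with these peers stays within the (default or explicit) peer limit."""
    return len(peers) <= (mesh_peer_limit() if limit is None else limit)


def tunnel_pairs(peers: Sequence[str], center: Optional[str] = None) -> List[Tuple[str, str]]:
    """Firewall pairs that get one tunnel each: every pair in a mesh, center to each satellite in a star.
    For a star, the center is included in `peers`."""
    if center is None:
        return list(itertools.combinations(peers, 2))
    if center not in peers:
        raise ValueError(f"center {center!r} is not among the peers")
    return [(center, p) for p in peers if p != center]


def vti_object_names(topology: str, peers: Sequence[str], center: Optional[str] = None) -> List[str]:
    """Host VTI objects SMC generates: one per (local firewall, remote peer) direction,
    named VTI_on_FW1_with_FW2_in_topologyname as documented."""
    names = []
    for local, remote in tunnel_pairs(peers, center):
        names.append(f"VTI_on_{local}_with_{remote}_in_{topology}")
        names.append(f"VTI_on_{remote}_with_{local}_in_{topology}")
    return names


def plan(topology: str, peers: Sequence[str], pool: str = DEFAULT_VTI_POOL,
         center: Optional[str] = None) -> Dict[str, object]:
    """Summarize a topology, refusing the cases the guide rules out (bad pool, mesh over the peer limit)."""
    if not pool_is_valid(pool):
        raise ValueError(f"VTI pool {pool} is not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    if center is None and not mesh_limit_ok(peers):
        raise ValueError(f"mesh has {len(peers)} peers, above the limit of {mesh_peer_limit()}")
    pairs = tunnel_pairs(peers, center)
    return {"topology": topology, "kind": "mesh" if center is None else "star",
            "tunnels": len(pairs), "vti_objects": vti_object_names(topology, peers, center)}


if __name__ == "__main__":
    # Constructed names: three sites in a mesh, then the same sites as a star around HQ.
    for summary in (plan("sites-mesh", ["HQ", "FW1", "FW2"]),
                    plan("sites-star", ["HQ", "FW1", "FW2"], center="HQ")):
        print(f"{summary['topology']} ({summary['kind']}): {summary['tunnels']} tunnels, "
              f"{len(summary['vti_objects'])} VTI objects")
```

The object names the script lists are the ones to search for with the topology usage check before deleting or editing a topology, since SMC refuses to delete a route-based topology, or remove peers from it, while any of its generated objects is still in use.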
The default network pool is the pool used when a new topology is created. To edit it:
1. In Configuration > VPN topologies, click on the icon on the top right side of the screen and select Edit default VTI network pool.
7.2.6 Troubleshooting
Refer to this section to resolve issues frequently encountered while creating route-based VPN topologies.
Tunnels in route-based VPN topologies are not operational.
- Situation: in the Monitoring view, a topology appears as non-operational.
- Cause: if the topology includes SNS firewalls whose network configuration SMC does not manage, it is possible that not all the virtual IPsec interfaces were created manually on the firewalls in question.
- Solution: ensure that all the virtual IPsec interfaces have been created on the firewalls. To see which firewalls in the topology have network configurations that SMC does not manage, refer to the Network managed by SMC column in the peer selection step of the topology. To access this step, in Configuration > VPN topologies, double-click in the Peers column of the topology in question.
For more information, refer to Configuring a route-based mesh topology and Defining IPsec VTIs on SNS firewalls.
Table: for X509 certificates and SCEP/EST certificates, the icons shown when scrolling over the line and the possible actions.
WARNING
The following characters are not supported in certificate names: the double quote (") and a double space.
Refer to the procedures below for more information on each of these actions.
2. Select a file in .pem, .cer, .crt or .der format and click on Add.
3. Add the addresses of the distribution point(s) for the certificate revocation list (CRL). For more information, refer to the section Setting the CRL distribution points.
4. If you renew firewall certificates via SCEP or EST, associate an SCEP or EST server with the certification authority in the Certificate renewal tab.
5. After the authority has been declared, you can change it or check its usage by scrolling over the name of the authority in the table to display the action icons in the Certificate status column.
You can also add a new authority while configuring a VPN topology, during the selection of the authentication method, by clicking on Add an authority.
Whenever you update a certification authority, its name, comments and list of certificate revocation list distribution points, if any, are kept.
The public key must be the same as that of the previous authority.
- To update a certification authority, scroll over the name of the certification authority and click on the icon in the Certificate status column.
2. For each certificate, configure if necessary the local IP address to use for the verification and the frequency of verifications. To do so:
a. Show the Local IP address for CRL verification and/or CRL verification frequency columns by scrolling over the name of a column and clicking on the arrow, then on Columns.
b. Select a certificate.
c. In the Local IP address for CRL verification column, select the desired address. Any is used by default.
d. In the CRL verification frequency column, enter the number of seconds between verifications. The default frequency is 21600 seconds, i.e. 6 hours.
1. Click on Renew certificates... at the top of the table,
TIP
To renew a single certificate, scroll over its line in the table and click on the icon in the Certificate status column.
The Unknown status applies only to certificates obtained via SCEP or EST. Such certificates may be Unknown if the SMC server does not yet know the certificate, which happens when the SCEP or EST server cannot be reached or the firewall has not connected since the certificate was created.
The Nearly expired status appears by default 30 days before the expiry of the certificate. To configure the warning when a certificate is close to expiry, refer to the section Configuring the warning for an imminent certificate expiry.
IMPORTANT
As the SMC server does not manage certificate revocation, revoked certificates appear as "Valid".
1. In SMC, create the Host object that corresponds to the desired interface,
2. In SMC, select the output interface,
3. If necessary, configure a static route on the firewall.
red cross.
IMPORTANT
When a route-based VPN topology is modified or deleted in SMC, the VTI objects it generated are modified or deleted as well. If you use such objects in the local configuration of your SNS firewalls, remove them from that configuration before modifying or deleting the topology in SMC.
By checking the usage of a route-based VPN topology, you can find out whether the VTI objects that SMC automatically generated when the topology was created are used in a component of the configuration, such as a filter rule.
You cannot delete a route-based topology or remove peers from it as long as any of its objects is in use.
To check whether generated VTI objects are in use:
- Scroll over the name of the topology in the list and click on the icon. The results are displayed in the lower panel. Double-click on a result to view its details.
Settings table (Description column): Path MTU Discovery; Fragment size.
For further information on the corresponding Serverd commands that will be updated on the relevant SNS firewalls, refer to the section IPsec config update in the CLI / SSH Commands Reference Guide.
NOTE
To be able to monitor the status of VPN topologies containing SNS firewalls in version 4.2 or higher, you need to use an SMC server in at least version 2.8.1.
Scroll over the status icon of a tunnel to show a tool tip indicating its status as well as the status of peers.
In the Topology identifier (rulename) column, you can search for topologies by the rulename identifiers used in VPN audit logs on SNS firewalls.
When the SMC server is updated, the configuration must be deployed again on firewalls so that the rulename identifier can be seen in logs.
NOTE
To ensure compatibility with “Diffusion Restreinte (DR)” mode, the PRF of an IKEv2 encryption profile must be set to SHA256. For more information on DR mode, refer to Using “Diffusion Restreinte” mode on SNS firewalls.
To create an encryption profile and configure the PRF:
1. In Configuration > Encryption profiles, click on Create an encryption profile.
2. Enter a name and description if necessary.
3. In the IKE tab, indicate the algorithm that must be negotiated as a PRF (Pseudo-random function field).
4. Fill in the other fields. For information on the fields, refer to the SNS User guide.
5. Click on Create.
8. CREATING FILTER AND NAT RULES
Filter and NAT rules applied to a given firewall are the combination of two types of rules created in SMC:
l Rules shared by several firewalls, created in the folders (folder to which the firewall and its parent folders belong),
l Rules specific to the firewall, created in the firewall's settings. In the firewall monitoring view, the Number of specific rules column indicates the number of specific rules that each firewall has.
These rules are deployed in the firewall's global security policy. After these rules, the firewall's local security policy rules, if any, will be applied.
The firewall inherits rules from the folder it belongs to, as well as rules from its parent folders, which are applied in the following order:
l High-priority rules configured in the folders, from the most general to the most specific,
l Firewall's specific rules,
l Low-priority rules configured in the folders, from the most specific to the most general.
EXAMPLE
A high-priority rule in the MySMC folder cannot be overwritten by another rule; it will always be the first rule to be applied. A low-priority rule in the MySMC folder will be overloaded by all the other rules defined in the folders or for a specific firewall.
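The ordering above can be checked with a small model of the merge. The code below is an added illustration, not Stormshield code: the folder tree (MySMC > Stores > Paris), the rules and the first-match evaluation with a Delegate action handing the decision to the firewall's local policy are all constructed assumptions used to show why a high-priority root rule always wins and a low-priority root rule is evaluated last.

```python
# Constructed folder hierarchy: child -> parent (None for the root folder).
FOLDER_PARENTS = {"MySMC": None, "Stores": "MySMC", "Paris": "Stores"}


def rule(name, action, proto="any", src="any", dst="any"):
    """Build a simplified filter rule; 'any' is a wildcard."""
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def folder_chain(folder):
    """Folders from the root (most general) down to the given folder."""
    chain = []
    while folder is not None:
        chain.append(folder)
        folder = FOLDER_PARENTS[folder]
    chain.reverse()
    return chain


def effective_global_policy(firewall_folder, folder_rules, specific_rules):
    """Order rules the way the guide describes for the firewall's global policy:
    high-priority folder rules (general -> specific), then the firewall's own
    specific rules, then low-priority folder rules (specific -> general)."""
    chain = folder_chain(firewall_folder)
    policy = []
    for folder in chain:
        policy += folder_rules.get(folder, {}).get("high", [])
    policy += specific_rules
    for folder in reversed(chain):
        policy += folder_rules.get(folder, {}).get("low", [])
    return policy


def matches(r, flow):
    return all(r[k] in ("any", flow[k]) for k in ("proto", "src", "dst"))


def evaluate(global_policy, local_policy, flow):
    """First matching global rule decides. A 'delegate' match, or no global
    match at all, hands the flow to the local policy, which is read afterwards."""
    for r in global_policy:
        if matches(r, flow):
            if r["action"] == "delegate":
                break
            return r["name"], r["action"]
    for r in local_policy:
        if matches(r, flow):
            return r["name"], r["action"]
    return None, "no match"


# Constructed sample rules (assumption, not from the guide).
FOLDER_RULES = {
    "MySMC": {"high": [rule("root-block-telnet", "block", proto="telnet")],
              "low": [rule("root-block-all", "block")]},
    "Stores": {"low": [rule("stores-pass-https", "pass", proto="https")]},
    "Paris": {"high": [rule("paris-delegate-cctv", "delegate", proto="rtsp", dst="cctv-provider")],
              "low": [rule("paris-pass-telnet", "pass", proto="telnet")]},
}
SPECIFIC_RULES = [rule("fw-pass-dns", "pass", proto="dns")]
LOCAL_RULES = [rule("local-pass-cctv", "pass", proto="rtsp")]


def paris_policy_names():
    return [r["name"] for r in effective_global_policy("Paris", FOLDER_RULES, SPECIFIC_RULES)]


def decide(proto, dst="any-host"):
    policy = effective_global_policy("Paris", FOLDER_RULES, SPECIFIC_RULES)
    return evaluate(policy, LOCAL_RULES, {"proto": proto, "src": "lan", "dst": dst})


if __name__ == "__main__":
    print(paris_policy_names())
    print(decide("telnet"))                  # root high-priority block wins over paris-pass-telnet
    print(decide("rtsp", "cctv-provider"))   # delegated, decided by the local policy
    print(decide("smtp"))                    # falls to the low-priority root "Block all"
```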
8.2.3 Managing a multi-site environment with shared and specific rules and delegated filtering
We shall use the example of a trading company that has a warehouse, offices, hypermarkets and supermarkets spread out over several sites:
l The central administrator uses two levels of sub-folders under the root folder to organize its firewalls,
l Filter and NAT rules apply to all firewalls, and other rules apply only to certain folders,
l The administrator wishes to delegate the administration of certain traffic to local administrators in order to give them the possibility of implementing local rules on specific services, protocols, users or networks. A store may, for example, need to communicate with a CCTV service provider.
l Define the rules shared by all firewalls in the MySMC folder using variable objects. For more information, please refer to the section Managing objects.
l Define rules shared by warehouses/offices/stores in the corresponding folders and subfolders.
l Set specific rules on some firewalls from SMC, by going to the firewall's Filtering and translation tab.
l Select the action Delegate for the rules concerned in the rule Action menu.
l Define a “Block all” rule as the last low priority rule on the root folder MySMC.
l Deploy the configuration on the firewalls. These rules will be deployed in the firewalls' global security policy.
4. Configure the rule:
l When Host, Network or IP address range objects are used in the rule, you can use variable objects, whose IP addresses will be the value corresponding to the relevant firewall. For more information, please refer to the section Managing objects.
l Objects can be dragged and dropped between filter and translation rules or from the Objects menu into rules.
l You can create separators between rules in order to organize them by clicking on Add. These separators do not impact the security policy in any way. Click on the title of a separator to change its name or assign a color to it.
l The following parameters cannot be completed with data returned by firewalls and must therefore be entered manually through text fields:
o In Source > General > Incoming interface, click on Customized interface (if the rule applies to a folder or rule set).
o In Destination > Advanced configuration > Outgoing interface, click on Customized interface (if the rule applies to a folder or rule set).
o Menu Action > Quality of Service > Queue.
o Menu Action > Quality of Service > ACK queue.
l Refer to the SNS User guide for more details on other menus and options.
5. Once the configuration of rules is complete, deploy the configuration on the firewalls concerned.
In addition to the rules of the current folder or of the firewall, the Filter rules and NAT rules tabs display the rules of parent folders and local rules in read-only. You can therefore view all the rules that apply to a firewall on a single screen, in the order in which they are applied.
l In Configuration > Rule set: Select the rule sets from the list on the left. In the Firewalls tab, select the firewalls to which you wish to assign the rule sets, and click on Apply. You can choose to add the rule sets to specific rules on the selected firewalls in the first or last position.
l In the security policy of a firewall in the Filter rules and NAT rules tabs: Click on Add > Add a rule set.
During the next deployment, the rule sets assigned to the firewall will be added to the selected firewalls. They will appear in the firewall's global policy as separators followed by their rules.
Select the rule, separator or rule set, and use the toolbar’s Up and Down buttons.
4. Scroll over the Columns menu,
5. Select the Name column.
- or -
1. Double click on a rule to show its properties,
2. Display the General tab.
3. In Advanced properties, you can copy the name of the rule to perform a search in the SNS logs or in the firewall interface.
Press DELETE.
3. At the top of the panel, choose whether to display the global or local policy that you wish to export. Only rules from the active slot will be exported.
4. Click on Export.
IMPORTANT
Ensure that the CSV file editor has not changed the "," separator character, in which case the file may not be imported on the SMC server. For more information on the separator character, refer to the section Choosing the separator character in CSV files.
To create a new CSV file, and to find out details about header lines, you may:
l Choose to export rules from a firewall,
l Look up the example given on the SMC server as indicated above.
Do note that you must create a CSV file for each rule folder and a CSV file per firewall for the firewall's specific rules.
NOTE
If you wish to import a security policy that contains rule sets, you must create them first on the SMC server. For more information, refer to the section Creating rule sets.
In case of error, refer to the import summary.
No other actions can be performed on the server while rules are being imported.
In both of the following cases, for each rule imported, the status of the import will be displayed. If there is a failure while importing a rule, the reason will be given and no rules or objects will be imported. However, the entire CSV file will be scanned so that the SMC server can detect potential errors. Correct any errors before attempting a new import.
Rules that were imported in command line are added after existing rules.
If the rules reference objects from your SNS configuration that are not already in the SMC configuration, you can also import them on the server together with the rules.
If you are importing rules and objects referenced in rules:
1. Export the list of objects in CSV format from an SNS firewall by following the procedure in the section Creating the CSV file.
2. Copy both CSV files (rules and objects) on the SMC server using the SSH protocol, in the /tmp folder for example.
3. Log in to the SMC server via the console of your hypervisor or in SSH.
4. Depending on the rule destination, type the command:
l firewall,
l the destination of these rules is a folder. Rules are imported to the high-priority rules of a folder by default. To import rules to low-priority rules, add --low-priority at the end of the command or indicate the value "low" in the column #smc_folder_prio in the CSV file (last column). If the file was exported from a firewall, there is no such column; add it manually.
1. In Configuration > Firewalls and Folders, browse until you reach the level of the folder or the firewall from which you want to export rules.
2. Open the Filtering and translation tab and select the Filter rules or NAT rules tab. Both types of rules can be exported from either tab and to the same CSV file. Rules are distinguished by type in the #type_slot column.
3. Click on Export in the toolbar.
4. Save the CSV file.
When rules are exported from a folder, only the rules found in the folder are exported, not the rules in parent folders. The #smc_folder_prio column in the file indicates the priority of the rule.
When rules are exported from a firewall (in SMC), the entire policy is exported: the rules of the firewall and its parent folders. The #folder column in the file shows the name of the folder that contains each rule. The #ruleid and #rankid columns indicate the number that identifies the rule in the policy and its position in a folder. For more information, refer to the section Identifying the rules.
If your security policy contains rule sets, they will be converted to separators followed by their rules in the CSV export file.
5. If necessary, define a "Block all" rule as the last low-priority rule in the MySMC folder in order to ignore the rules found in the firewalls' local security policy.
6. When the process is complete, delete the rules that have been migrated from the firewall's local policies to SMC.
If you do not create a "Block all" as the last rule in SMC, local filter and NAT rules, i.e., those created directly on a firewall, will be read after global rules (originating from SMC).
However, you cannot set up these profiles directly in SMC and they may be different on each firewall even if they have the same identifier.
This section explains how to deploy a common URL filtering policy on all or part of your firewalls thanks to SMC, based on the URL filtering policy configured on a “template” firewall.
You will need two scripts to do so: a first one which allows collecting the URL filtering policy from the template firewall and another one which allows deploying this policy on the selected firewalls.
IMPORTANT
The template firewall and the target firewalls must be in the same version.
To apply this procedure, follow the three steps below in the order given.
4. Select the firewall whose URL filtering policy must be collected.
Script required if using filtering with an advanced Stormshield URL base (with the option Extended Web Control):
#################################################################
# Restore URLs, Certificate names, URL and CN groups and the URL#
# base of a SNS firewall                                        #
#################################################################
CONFIG OBJECT URLGROUP SETBASE base=CLOUDURL
# Restore the configuration
CONFIG RESTORE list=urlfiltering fwserial=local $FROM_DATA_FILE("backupURL.na")
However, you cannot set up these profiles directly in SMC and they may be different on each firewall even if they have the same identifier.
This section explains how to deploy common IPS Inspection profiles on all or part of your firewalls thanks to SMC, based on the profiles configured on a “template” firewall.
You will need two scripts to do so: a first one which allows collecting the profiles from the template firewall and another one which allows deploying these profiles on the selected firewalls.
IMPORTANT
The template firewall and the target firewalls must be in the same version.
To apply this procedure, follow the three steps below in the order given.
1. On an updated SNS firewall, run the command config object list type=iprep.
2. The name of the web service to be used to add it to the SMC server is the value of the "name" field, e.g. "skypeforbusiness" as in the image below.
3. In the server's web interface, refresh the display to view the new web services in the Source and Destination menus in filter rules:
9. Configuring QoS
QoS, or quality of service, refers to any technology that is capable of managing data transmission while reducing packet loss, latency and jitter on high-priority network traffic. The aim of this concept is to monitor and manage network resources by prioritizing certain types of data and network traffic.
In SMC, you can configure QoS on SNS firewalls as of version 4.3.15 LTSB and 4.5.3.
To configure QoS in SMC:
1. Add queues and traffic shapers in the Configuration menu.
2. Associate these queues and traffic shapers with interfaces in the firewall settings. These queues will be the default queues.
3. Configure QoS in filter rules in the firewall settings, to assign specific queues to different sets of network traffic.
NOTE
QoS cannot be monitored from SMC. To monitor QoS on a firewall, log in directly to the firewall's web administration interface.
For more information on QoS and details on how to configure it on firewalls, refer to the technical note Configuring QoS on SNS firewalls.
1. Click on Add in the upper part of the panel,
PRIQ: Prioritizes packets with a ranking from priority 0 (traffic with the highest priority) to priority 7 (traffic with the lowest priority). Packets associated with a filter rule that uses a PRIQ are processed before packets that are not assigned to a PRIQ, or which are attached to a PRIQ with lower priority.
Class Based Queue (CBQ): Used for reserving or limiting bandwidth, by indicating the guaranteed or maximum amount of bandwidth to apply to outgoing traffic, and for return traffic on connections. At least one of the values has to be a value other than 0.
Monitoring Queue (MONQ): Does not have any influence on network traffic, but makes it possible to save the bandwidth information used by monitored traffic.
3. In the window that opens, name the queue and fill in the mandatory fields according to the chosen queue type. Custom variables can be used for CBQ to indicate bandwidth values. In this case, copy and paste the name of the desired variable (e.g., %CUSTOM_VAR1%). The unit used is kbit/s.
4. Add the queue.
For a traffic shaper:
1. Click on Add in the lower part of the panel,
2. Name the traffic shaper,
3. In the Outgoing bandwidth column, enter the value corresponding to 90% of the bandwidth on the link attached to the interface.
4. In the Unit column, indicate the bandwidth unit.
5. In the Incoming bandwidth column, enter the value corresponding to 90% of the bandwidth on the link attached to the interface,
6. In the Unit column, indicate the bandwidth unit.
7. Confirm by clicking on Apply.
Custom variables can be used to indicate bandwidth values. In this case, copy and paste the name of the desired variable (e.g., %CUSTOM_VAR2%). The unit used is kbit/s.
For detailed advice on the configuration of queues and traffic shapers, refer to the technical note Configuring QoS on SNS firewalls.
9.2.1 Requirements
l The implementation of QoS in SMC is compatible with SNS firewalls from version 4.3.15 LTSB and 4.5.3 upwards.
l You need to configure queues and traffic shapers on SMC in advance. To configure them, refer to the section Configuring queues and traffic shapers.
l Network management from SMC has to be enabled on each relevant firewall.
10. RUNNING SNS CLI COMMANDS ON AN ENVIRONMENT OF FIREWALLS
3. Perform an action (create an object for example) that you wish to repeat in the script.
4. Copy the commands that were run to produce the action.
5. Paste them in your script.
To adapt commands to each firewall, use variables surrounded with the symbol %. To find out which variables to use, please refer to the section Using variables.
CSV files can only be used in the command line interface. Variables associated with firewalls will then be read from this file and the script will be duplicated as many times as the number of lines in the CSV file for a given firewall.
An example of a CSV file "example-sns-cli-script.csv" is available on the server, in the folder /opt/stormshield/examples/csv/.
To find out how to use CSV files in the command line interface, refer to the section Examples of the use of scripts in command line with a CSV file.
10.3 Running the SNS CLI script from the web interface
1. In the web interface of the SMC server, select Deployment > SNS CLI scripts.
2. In the Firewalls selection tab, select the script to run.
l You can store a list of scripts on the SMC server,
l The button makes it possible to show the raw contents of the script as it is found on your workstation.
3. In the Attachments related to the script menu, add the relevant files to attach to the script. These files will be deleted from the SMC server after the script has been successfully executed. For more information, please refer to the section Attaching files to a script and receiving files generated by script.
4. In the second part of the Firewalls selection tab, select the firewalls on which the script will be run. For each firewall:
l The icon indicates, where applicable, that the firewall cannot be selected to run the script. The row will be grayed out in this case. Scroll over the icon with your mouse to find out why.
l The icon makes it possible to view the contents of the script, including variables replaced with values associated with the firewall in question. The icon changes if there is an error during the analysis of the script (missing attached file or unknown variable). View the contents of the script to find out which row is causing the issue.
5. Click on Execute script at the bottom of the tab. The Execution tab automatically opens.
6. Track the progress and results of the execution of scripts on each selected firewall. During the execution of a script or deployment of a configuration, you will not be able to run another script but you can prepare it in the Firewalls selection tab.
IMPORTANT
Executing a script automatically adopts the reading/writing privileges on any administration sessions already open on the firewalls in question.
7. A summary of the execution process can be seen at the bottom of the panel, displaying successful operations, errors and the firewalls on which the script could not be deployed.
8. You can also filter the list of firewalls by selecting a status in the drop-down list at the top of the list.
TIP
If the script has been executed on offline firewalls, the actual execution will be postponed until the next time the firewalls are connected.
9. In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking on the icon.
Each of these commands has specific options. To display them, type smc-sns-cli-script <name_of_action> -h.
To add a script on the SMC server and run it immediately, use the command:
smc-sns-cli-script exec <file_path>
To run a script that has already been stored on the SMC server, use the command:
smc-sns-cli-script run <script_name>
From the options that come with these commands, you must choose one of the following:
l --firewall-list: to be followed by a list of firewall names separated by commas,
l --all: indicates that the script will be run on all firewalls,
l --csv-file: to be followed by a path to a CSV file containing the list of firewalls and the associated variables. The command will then list the firewalls specified in this file. For more information, please refer to the section Using a CSV file.
The option --csv-file can be used together with the options --firewall-list and --all. In this case, both of these options specify the list of firewalls on which the script is to be run.
The following options are not mandatory:
l --dry-run: allows displaying the contents of the script including the variables associated with each firewall, for the purpose of reference only.
l --raw-output: allows showing how the script was run in raw text,
l --update: makes it possible to force the script to be added on the server if a script with the same name already exists. This option is only available for the command exec.
When the deployment of a configuration is in progress, or another script is being run, a new script cannot be run in command line. An error message will appear if the deployment has not fully ended on all connected firewalls or if the script has not finished running. Firewalls on which the configuration was deployed in batches will not prevent scripts from running.
To send or receive files attached to a script, please refer to the section Attaching files to a script and receiving files generated by script.
WARNING
Folder administrators whose read access privileges are restricted to certain folders on SMC cannot perform this operation. For more information, refer to the section Restricting folder administrators' access privileges.
To add a script in the script folder on the SMC server, use the command smc-sns-cli-script add <file_path>.
Option --update: makes it possible to force the script to be added on the server if a script with the same name already exists.
10.4.6 Examples of the use of scripts in command line with a CSV file
The following is an example of how a CSV file can be used with a script. For all firewalls in a pool (two in this example), we wish to create an object that represents the main Active Directory server and an object that represents the backup AD server, taking into account the following conditions:
l The main AD server has to be an object with static IP address resolution,
l The backup AD server has to be an object with dynamic IP address resolution,
l The name of each object has to indicate whether it is a main or backup server,
l The comments of each object must indicate the name of the firewall on which it will be created.
l The IP address of each AD server is different for each firewall.
1. Create the script /data/tmp/ad.script:
2. Create the CSV file /data/tmp/ad.csv for the pool of two firewalls:
firewall;type;ip_addr;mode
paris;Main;1.1.1.1;static
paris;Backup;1.1.2.2;dynamic
lyon;Main;4.4.4.4;static
lyon;Backup;4.4.5.5;dynamic
The following is the expected result for each of the firewalls paris and lyon:
CONFIG OBJECT HOST NEW name=MainAD.paris.com comment="Main AD server for FW paris" ip="1.1.1.1" resolve=static
100 code=00e01700 msg="Object successfully added"
CONFIG OBJECT ACTIVATE
100 code=00a00100 msg="Ok"
CONFIG OBJECT HOST NEW name=BackupAD.paris.com comment="Backup AD server for FW paris" ip="1.1.2.2" resolve=dynamic
100 code=00e01700 msg="Object successfully added"
CONFIG OBJECT ACTIVATE
100 code=00a00100 msg="Ok"
CONFIG OBJECT HOST NEW name=MainAD.lyon.com comment="Main AD server for FW lyon" ip="4.4.4.4" resolve=static
100 code=00e01700 msg="Object successfully added"
CONFIG OBJECT ACTIVATE
100 code=00a00100 msg="Ok"
CONFIG OBJECT HOST NEW name=BackupAD.lyon.com comment="Backup AD server for FW lyon" ip="4.4.5.5" resolve=dynamic
100 code=00e01700 msg="Object successfully added"
CONFIG OBJECT ACTIVATE
100 code=00a00100 msg="Ok"
In CSV files, fields are often separated by a comma or semi-colon. The smc-sns-cli-script command interprets semi-colons (;) as separators by default. The separator may be different depending on the CSV file. To change the separator expected by the command, the value of the variable SMC_SNS_CLI_CSV_DELIMITER must be changed:
1. Log in to the SMC server via the console of your hypervisor or in SSH.
2. In the file /data/config/fwadmin-env.conf.local, change the value of the environment variable: SMC_SNS_CLI_CSV_DELIMITER=,.
3. Restart the server with the command nrestart fwadmin-server.
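To see how the AD example above and the separator setting fit together, here is an added illustration (not Stormshield's smc-sns-cli-script implementation) that expands a %variable% script once per CSV row for each firewall, refuses a CSV whose separator does not match the configured one, and reports an unknown variable the way the guide says script analysis fails. The ad.script contents are not reproduced on the page, so AD_SCRIPT_TEMPLATE is a hypothetical template built from the CSV header names and the %FW_NAME% variable; ad.csv is embedded as given.

```python
import csv
import io
import re

# Hypothetical stand-in for /data/tmp/ad.script (assumption: the page does not
# reproduce the script). Variables use the %name% syntax described in the guide.
AD_SCRIPT_TEMPLATE = (
    "CONFIG OBJECT HOST NEW name=%type%AD.%FW_NAME%.com "
    'comment="%type% AD server for FW %FW_NAME%" ip="%ip_addr%" resolve=%mode%\n'
    "CONFIG OBJECT ACTIVATE\n"
)

# /data/tmp/ad.csv from the guide, embedded inline so this runs offline.
AD_CSV = """firewall;type;ip_addr;mode
paris;Main;1.1.1.1;static
paris;Backup;1.1.2.2;dynamic
lyon;Main;4.4.4.4;static
lyon;Backup;4.4.5.5;dynamic
"""

VAR_RE = re.compile(r"%([A-Za-z0-9_]+)%")


class UnknownVariable(Exception):
    """The script references a variable that the CSV row does not provide."""


def detect_delimiter(csv_text, candidates=(";", ",")):
    """Return the candidate that splits the header line into the most fields."""
    header = csv_text.splitlines()[0]
    return max(candidates, key=header.count)


def expand_script(template, csv_text, delimiter=";"):
    """Expand the template once per CSV row, grouped by firewall name.

    delimiter models SMC_SNS_CLI_CSV_DELIMITER (semi-colon by default); a file
    written with another separator is rejected instead of being misparsed.
    Returns {firewall: [expanded script for row 1, row 2, ...]}.
    """
    actual = detect_delimiter(csv_text)
    if actual != delimiter:
        raise ValueError(
            f"CSV uses {actual!r} but the configured delimiter is {delimiter!r}; "
            "adjust SMC_SNS_CLI_CSV_DELIMITER in /data/config/fwadmin-env.conf.local"
        )
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    if not reader.fieldnames or "firewall" not in reader.fieldnames:
        raise ValueError("CSV needs a header line with a 'firewall' column")

    per_firewall = {}
    for lineno, row in enumerate(reader, start=2):
        variables = {k: v for k, v in row.items() if v is not None}
        variables["FW_NAME"] = row["firewall"]  # built-in firewall-name variable

        def substitute(match):
            name = match.group(1)
            if name not in variables:
                raise UnknownVariable(f"CSV line {lineno}: unknown variable %{name}%")
            return variables[name]

        expanded = VAR_RE.sub(substitute, template)
        per_firewall.setdefault(row["firewall"], []).append(expanded)
    return per_firewall


if __name__ == "__main__":
    for firewall, scripts in expand_script(AD_SCRIPT_TEMPLATE, AD_CSV).items():
        print(f"--- {firewall} ---")
        print("".join(scripts), end="")
```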
The script is first run on the active node of the cluster. The SMC server then synchronizes both nodes of the cluster.
If the passive node is not connected to the active node at the time of execution, the SMC server will perform a synchronization between both nodes when the passive node connects again to the active node.
Example
The following command makes it possible to generate the backup file of a firewall named backup-22-09-16.na on the SMC server:
CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-22-09-2016.na")
TIP
You can use variables in the syntax for sending or receiving files. For example, to create configuration backups for several firewalls, write the following command:
CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-%FW_NAME%.na")
TIP
You can change the default folder in the environment variable SMC_SNS_CLI_ATTACHMENTS_DIR located in the file /data/config/fwadmin-env.conf.local. You will then need to restart the server: nrestart fwadmin-server.
TIP
You can change the default folder in the environment variable SMC_SNS_CLI_OUTPUT_DIR located in the file /data/config/fwadmin-env.conf.local. You will then need to restart the server: nrestart fwadmin-server.
Example
When this command is run
CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-%FW_NAME%.na")
5. Click on Schedule script at the bottom of the tab.
6. Indicate the date and time to run the script. The time chosen here corresponds to the time on the SMC server.
7. Click on Apply.
l An indicator at the top of the tab serves as a reminder of the script schedule. The only actions that can be performed are viewing the script, downloading the script or canceling the scheduled run.
8. View the results of the script run in the Execution tab when it is complete.
Only one script run can be scheduled at a time.
You cannot run another script while a script has been scheduled and is awaiting its run.
IMPORTANT
The read/write privileges on any administration sessions already open on the firewalls in question are automatically adopted when a script is run.
5. After the scheduled date and time of the run, you can check the results in the folder /data/tmp/sns-cli/output/. This folder contains a set of sub-folders named according to the date on which the scripts were run. To view the results of the execution of a script on a given firewall, look up the file output.log in one of these sub-folders.
If you need to attach files to the script, refer to the section Attaching files to a script and receiving files generated by script.
To see the list of scheduled tasks, use the atq command.
To delete a scheduled task, use the atrm command.
For clusters:
o Passive nodes:
SYSTEM UPDATE UPLOAD fwserial=passive $FROM_DATA_FILE("fwupd-3.7.1-%FW_UPD_SUFFIX%")
SYSTEM UPDATE ACTIVATE fwserial=passive
o Active nodes:
SYSTEM UPDATE UPLOAD fwserial=active $FROM_DATA_FILE("fwupd-3.7.1-%FW_UPD_SUFFIX%")
SYSTEM UPDATE ACTIVATE fwserial=active
2. In the web interface of the SMC server, select Deployment > SNS CLI scripts.
3. In the Firewalls selection tab, select the script to run.
4. In the Optional: attachments related to the script menu, select the update file(s)
corresponding to the models and versions of your firewalls. For example, to update your
SN510 and SN6000 firewalls to version 3.7.1, the attachments that need to be provided are
fwupd-3.7.1-SNS-amd64-M.maj and fwupd-3.7.1-SNS-amd64-XL.maj.
5. Next, follow the usual steps for running a script, as shown in the section Running the
SNS CLI script from the web interface from step 4 onwards.
NOTE
After an update script has been run on a cluster, the SMC server's automatic
synchronization of both nodes will always fail, as the update makes one of the nodes
unavailable. Details of this error, which does not prevent the update from proceeding
properly, are provided in the Execution tab.
6. After a few minutes, check in the Monitoring > Firewalls panel that the version number
has indeed changed in the Version column.
10.9 Troubleshooting
Refer to this section in order to resolve frequently encountered issues while using SNS
CLI scripts.
- Situation: When a script file is selected, an error message indicates that the script is
  too large.
  Cause: The size of the file must not exceed 5 MB by default.
  Solution: If necessary, increase the limit by adding the line below to the file
  /data/config/fwadmin-env.conf.local, then restart the server with nrestart
  fwadmin-server. To set the limit to 10 MB, for example:
  SMC_SNS_CLI_SCRIPT_MAX_UPLOAD_SIZE_INT=$((10*1024*1024))
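Both this setting and SMC_SNS_CLI_OUTPUT_DIR from the tip earlier in this chapter are set
by editing /data/config/fwadmin-env.conf.local, which fwadmin-server reads at startup. The
shell functions below are an added example and not part of the guide or of SMC: they write
such a variable exactly once, keep the rest of the file intact and preserve the file's
owner and mode. The helper names and the output directory /data/sns-cli-output are
assumptions.

```shell
#!/bin/sh
# Added example (not part of the Stormshield guide or of SMC).
# fwadmin-server sources /data/config/fwadmin-env.conf.local, so a value may be a
# shell expression such as $((10*1024*1024)); it is written literally here and
# evaluated when the file is sourced.

# set_conf_var FILE KEY VALUE
# Replace every existing "KEY=..." line with "KEY=VALUE" (append if absent).
# Other lines, including comments, are kept. The file is rewritten through its
# existing inode, so its owner and mode are preserved.
set_conf_var() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        grep -v "^${key}=" "$file" > "$tmp" || :   # grep exits 1 if nothing is left
    fi
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_conf_var FILE KEY
# Print the value of KEY as the sourcing shell would see it (last definition wins).
get_conf_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_sns_cli_overrides FILE OUTPUT_DIR MAX_UPLOAD
# Set the two SNS CLI variables documented in this chapter in one go.
configure_sns_cli_overrides() {
    set_conf_var "$1" SMC_SNS_CLI_OUTPUT_DIR "$2" &&
    set_conf_var "$1" SMC_SNS_CLI_SCRIPT_MAX_UPLOAD_SIZE_INT "$3"
}

# On the SMC server, as root (the output directory is an assumed value):
#   configure_sns_cli_overrides /data/config/fwadmin-env.conf.local \
#       /data/sns-cli-output '$((10*1024*1024))'
#   nrestart fwadmin-server      # the new values apply only after the restart
```

Running the function twice leaves a single definition of each variable, which matters
because the last definition in a sourced file silently wins over earlier ones.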
- Situation: The Execution tab in the SNS CLI scripts menu indicates errors.
  Cause: The script calls customized variables and/or attachments that are missing, or the
  encoding of the script is wrong. Other problems may also cause the script to fail to run.
  Solutions:
  o Look for the cause of the error shown in the status bar when the script is run for a
    given firewall.
  o Look up the server's log file in /data/log/fwadmin-server/server.log for further detail.
  o Before running the script, you can view it for a given firewall in the Firewalls
    selection tab. Certain errors may be indicated there.
- Situation: Firewalls have been selected for the execution of a script but the execution
  button remains grayed out, or some firewalls cannot be selected.
  Cause: A script is currently being executed on the firewall, or a configuration is being
  deployed to it or its deployment has been delayed because the firewall is disconnected.
  Scripts therefore cannot be executed on this firewall for the moment.
  Solution: Wait until the script execution or deployment ends, or until the firewall
  reconnects so that the deployment can complete.
11. MAINTAINING SNS FIREWALLS
WARNING
On firewalls equipped with initialized TPM modules (Trusted Platform Module), private keys
are excluded from automatic backups by default.
Retrieving a backup
- Click on the download icon in the Actions column.
The archive contains a metadata file, the backup of the SMC server's configuration and the
backups of each firewall's configuration in .na format.
Restoring a backup
To find out how to restore a backup of the SMC server's configuration, refer to the section
Saving and restoring the SMC server configuration.
To find out how to restore a backup of a firewall's configuration, refer to the SNS user
guide.
12. REMOVING SNS FIREWALLS FROM THE SMC SERVER
13. MANAGING AND MAINTAINING THE SMC SERVER
3. Restart the server with the command reboot. This step is required in order for the new
time zone to be applied to all services.
4. Enter the command smc-date-time to check that the change has been properly applied.
NTP server with a comma if there are several. NTP servers may also be identified by their
IP addresses or DNS names.
2. Enter the command date to check that the modification has been properly applied.
To disable NTP, you need to go back to manual date mode.
The polling frequency of an NTP server is the default frequency of the NTP daemon.
Example:
smc-date-time
TIMEZONE=Asia/Dubai
NTPSERVERS=none
LOCALDATE=2016-05-18 09:05:19
Super administrator
- Administrators: Add/Remove/Edit
- SNS firewall configuration: Add/Remove/Edit, Deployment, Automatic and manual backup
- SMC maintenance: …, Generate a diagnostics report, Enable consistency check for DR mode,
  Manage access to SLS server
General administrator
- Administrators: Modify personal password
- SNS firewall configuration: Add/Remove/Edit, Deployment, Manual backup
- SMC maintenance: Generate a diagnostics report
Folder administrator
- Administrators: Modify personal password
- SNS firewall configuration, only in folders on which the administrator has write access:
  Add/Remove/Edit, Deployment, Manual backup
- To edit an administrator, move the mouse over the administrator name and select the
  pencil icon. An administrator's Read/Write SMC privilege cannot be withdrawn if this
  administrator holds active API keys that also have the Read/Write privilege. For more
  information, please refer to the section Enabling and managing SMC's public API.
- To remove an administrator, move the mouse over the administrator name and select the
  red cross icon. Administrators that hold active API keys cannot be deleted. For more
  information, please refer to the section Enabling and managing SMC's public API.
  The admin user cannot be removed.
NOTE
Only the super administrator is allowed to update the SMC server, back up and restore the
SMC configuration and enable or disable automatic backups from the web administration
interface.
Mandatory fields: ID, Name.
3. Select the access privileges. For more information, refer to the section Managing
administrator privileges as super administrator and the section Restricting folder
administrators' access privileges.
4. Set a password for the administrator in line with the password policy described in the
following section.
The following terms are reserved on SMC and cannot be used as IDs: root, daemon, bin, sys,
sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, sshd,
dhcpcd, messagebus, fwadmin-server, nobody.
Passwords that were set before this policy was applied remain valid, but we recommend that
you change them to comply with the set policy.
The 128-character limit also applies to administrators' logins and names.
1. Go to Maintenance > SMC Server > Administrators, and click on Edit local
authentication settings.
3. Fill in the following fields:
- Server type
- Host
- Backup host
- Port
- Base DN: Base DN that enables access to the LDAP server, in the following format:
  dc=sub,dc=domain,dc=com. With an OpenLDAP server, the Base DN can also refer to a more
  specific location, e.g., an organizational unit: ou=unit,dc=domain,dc=com
- ID
- Administrator DN
- Password
- Check identity of the LDAP server
- CA Certificate: In this field, the certificate of the certification authority that
  signed the certificate that the LDAP server uses for the secure SSL connection can be
  forwarded to the SMC server.
NOTE
All fields are case sensitive. We recommend that you carefully check the configuration of
your LDAP directory.
To test the connection to an LDAP server, use the ldapsearch tool available in command
line on the SMC server.
Use the following parameters with the ldapsearch command to test the connection to an LDAP
server and perform a search in the directory:
-H: IP address or FQDN of the LDAP server, preceded by ldap:// and followed by the port
    number (port 389 is used by default).
-D: DN of the account used to bind to the directory (for Active Directory, the account's
    user principal name can be used instead, as in the example below).
-W: Prompt for the password of the bind account.
-b: Branch of the LDAP tree in which you want to launch the search. To search the entire
    directory, indicate the base DN. For example: DC=mydomain,DC=com.
EXAMPLES
For Active Directory:
ldapsearch -H ldap://1.2.3.4:536 -D "[email protected]" -W -b "DC=mydomain,DC=com"
For OpenLDAP:
ldapsearch -H ldap://1.2.3.4:536 -D "cn=Administrator,dc=mydomain,dc=com" -W -b "dc=mydomain,dc=com"
The attributes returned can be restricted by listing them after the command. Add, for
example, the attribute "member" to show group members.
EXAMPLE
ldapsearch -H ldap://1.2.3.4:536 -D "[email protected]" -W -b "CN=Users,DC=mydomain,DC=com" member
Mandatory fields: ID, LDAP DN, Name.
3. Select the access privileges. For more information, refer to the section Managing
administrator privileges as super administrator and the section Restricting folder
administrators' access privileges.
4. Unselect This administrator can use local authentication if you do not wish to define
local authentication for the LDAP user.
The following terms are reserved on SMC and cannot be used as IDs: root, daemon, bin, sys,
sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, sshd,
dhcpcd, messagebus, fwadmin-server, nobody.
NOTE
The IDs of users authenticated via the LDAP directory must not contain spaces in order to
be able to connect to the SMC server.
group.
2. Fill in the following mandatory fields:
- LDAP DN: DN of the LDAP group to which LDAP users belong. This field corresponds to the
  DistinguishedName and dn attributes, regardless of the LDAP server configured.
- Name
3. Select the access privileges. For more information, refer to the section Managing
administrator privileges as super administrator.
If an administrator has a personal account in his/her name, and is also a member of one or
several groups, the privileges that apply will be those assigned to the personal account.
NOTE
The IDs of users authenticated via the LDAP directory must not contain spaces in order to
be able to connect to the SMC server.
SMC also relies on the memberOf attribute to search for the groups to which users belong.
It may have to be configured manually on some LDAP servers.
The following environment variables make it possible to change these three attributes:
- SMC_LDAP_FIELD_NAME_LOGIN
- SMC_LDAP_FIELD_NAME_DN
- SMC_LDAP_FIELD_NAME_MEMBEROF
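The ldapsearch tests earlier in this chapter only show that the bind works. Since SMC
matches the login attribute, the DN and memberOf, a user whose directory entry has no
memberOf can be added as an administrator yet never receive the privileges of the group.
The shell functions below are an added example and not part of the guide or of SMC: they
run the same ldapsearch with a password file instead of a prompt, so the check can be
scripted, and report which of those conditions fails. The function names, the
password-file location and the sample identifiers in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Stormshield guide or of SMC). Uses the same
# ldapsearch the guide relies on to check, before an LDAP user or group is added
# as an SMC administrator, that the directory answers the way SMC expects:
#   - the bind with the "Administrator DN" and its password succeeds,
#   - exactly one entry matches the login,
#   - that entry carries a populated memberOf attribute (SMC resolves group
#     membership through memberOf, which some directories do not maintain).
# Attribute names are parameters because SMC_LDAP_FIELD_NAME_LOGIN/_DN/_MEMBEROF
# can change them. -x requests a simple bind; the bind password is read from a
# file (-y) instead of being prompted for (-W) so the check can run unattended
# and the secret does not show up in the process list.

# smc_ldap_user_check URI BIND_DN PASS_FILE BASE_DN LOGIN_ATTR LOGIN
# exit 0: one entry, memberOf present
#      2: one entry, memberOf missing (SMC group lookup will not work)
#      3: zero or several entries match LOGIN
#      1: ldapsearch failed (bind, TLS, network)
smc_ldap_user_check() {
    uri=$1 bind_dn=$2 pass_file=$3 base_dn=$4 login_attr=$5 login=$6
    out=$(ldapsearch -LLL -x -H "$uri" -D "$bind_dn" -y "$pass_file" \
              -b "$base_dn" "(${login_attr}=${login})" dn memberOf) || return 1
    entries=$(printf '%s\n' "$out" | grep -c '^dn: ' || :)
    [ "$entries" -eq 1 ] || return 3
    printf '%s\n' "$out" | grep -q '^memberOf: ' || return 2
}

# smc_ldap_group_members URI BIND_DN PASS_FILE GROUP_DN
# Print the DNs held in the group's "member" attribute, one per line (the
# "member" lookup the guide shows, scoped to the group entry itself).
smc_ldap_group_members() {
    ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" -s base '(objectClass=*)' member |
        sed -n 's/^member: //p'
}

# Example run on the SMC server (all values are placeholders to adapt). The
# password file must not end with a newline: -y uses the file content verbatim.
#   printf '%s' 'bind-password' > /root/.ldap-pass && chmod 600 /root/.ldap-pass
#   smc_ldap_user_check ldap://1.2.3.4:389 "cn=Administrator,dc=mydomain,dc=com" \
#       /root/.ldap-pass "dc=mydomain,dc=com" uid jdoe; echo "rc=$?"
```

A return code of 2 is the case to look for when an LDAP administrator can log in but
never gets group privileges: the entry exists, but the directory does not maintain
memberOf for it.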
1. Go to Maintenance > SMC Server > Administrators, and click on Edit local
authentication settings.
Main server:
- Host
- Port
- Pre-shared key
Backup server:
- Host
- Port
- Pre-shared key
EXAMPLE
radtest <user-id> <user-password> <radius-server-ip>:<radius-server-port> <NAS-port-number> <pre-shared-key>
To allow Radius users to authenticate on the SMC server, the super administrator must add
them to the list of administrators in the web administration interface.
1. Go to Maintenance > SMC Server > Administrators, and click on Add an administrator.
2. Fill in the following mandatory fields: ID, Name.
3. Select the access privileges. For more information, refer to the section Managing
administrator privileges as super administrator and the section Restricting folder
administrators' access privileges.
4. Unselect This administrator can use local authentication if you do not wish to define
local authentication for the Radius user.
The following terms are reserved on SMC and cannot be used as IDs: root, daemon, bin, sys,
sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, sshd,
dhcpcd, messagebus, fwadmin-server, nobody.
NOTE
The IDs of users authenticated via the Radius server must not contain spaces in order to
be able to connect to the SMC server.
group.
2. Fill in the following mandatory fields: Radius identifier, Name.
3. Select the access privileges. For more information, refer to the section Managing
administrator privileges as super administrator.
If an administrator has a personal account in his/her name, and is also a member of one or
several groups, the privileges that apply will be those assigned to the personal account.
NOTE
The IDs of users authenticated via the Radius server must not contain spaces in order to
be able to connect to the SMC server.
EXAMPLE
If your firewall pool extends across several countries or continents, you can choose to
assign a different administrator for each country or continent. Individual administrators
can then manage only the firewalls in the folder corresponding to their zone. They can also
look up the configuration of other firewalls and of the SMC server in read-only mode.
Only the super administrator can restrict other administrators' write access privileges to
certain folders.
The super administrator can then define two administrator profiles that hold write access
privileges:
General administrator
- Holds write access privileges to the root SMC folder, meaning all sub-folders, and
  therefore all SNS firewalls.
- Can change the configuration of all SNS firewalls connected to SMC.
- Can create and change all configuration items found in SMC (objects, rules, VPN
  topologies, QoS, certificates, encryption profiles, etc.).
- Can perform certain maintenance operations on the SMC server.
Folder administrator
- Write access privileges are restricted to one or several folders, and to the firewalls
  contained in them.
- Can change only the configuration of firewalls that they manage.
- Can create configuration items and use them for firewalls that they manage.
- Can create VPN topologies only with the firewalls that they manage.
- Can directly access the interface of firewalls that they manage via SMC in read/write.
- Can access in read-only mode the configuration of firewalls outside their administration
  perimeter, all configuration items found in SMC, and the configuration of the SMC server.
- Can directly access the interface of firewalls outside their administration perimeter via
  SMC, but in read-only mode.
these folders, any sub-folders and the firewalls that they contain, as well as future
sub-folders or firewalls.
The folder administrator can always view in read-only mode the configuration of firewalls
outside their administration perimeter.
To restrict an administrator's privileges:
1. Go to Maintenance > SMC Server > Administrators.
2. Double-click on the row of the administrator.
3. In the Folders drop-down list, select the folder(s) that the administrator will be able
to manage.
4. Apply changes.
In the firewall monitoring view, folder administrators see only the firewalls in their
administration perimeter by default, meaning the firewalls that belong to the folders to
which they have write access.
To display all firewalls, click on See read-only folders.
13.4.6 Troubleshooting
Refer to this section for solutions to issues that may arise when managing administrators.
Administrators whose IDs contain accented characters are unable to log in to SMC.
- Situation: When an administrator from an LDAP authentication server uses an ID that
  contains an accented character, the connection to SMC is denied.
- Cause: When you add an administrator from an LDAP server in SMC with a name that
  contains an accented character (LDAP DN field), the accent in the SMC ID is not
  supported.
- Solution: To log in, administrators have to enter their logins without accents.
NOTE
The SMC server keeps logs of the past 12 weeks, up to 100 MB per file. To provide the
legally required archiving for a year, send logs to a remote Syslog server.
To find out how to send logs to a remote Syslog server, refer to the section Sending SMC
logs to a remote server in Syslog format.
13.6.4 Troubleshooting
- Situation: You have specified the name of the remote Syslog server using its FQDN, but
  the server remains unreachable.
  Cause: The DNS service was probably not configured properly or is unable to resolve the
  FQDN.
  Solution: Check DNS resolution by typing the command nslookup server-syslog.domain.com
  in the SMC command line interface.
When logs are forwarded with encryption, the remote server does not receive SMC logs
- Situation: You have configured logs to be sent to a remote Syslog server with encryption.
  You have provided the certificates required, but the Syslog server did not accept the
  encrypted communication.
  Cause: The remote Syslog server probably did not accept the certificates, as they may
  have expired or been revoked.
  Solution: Check the error message that the remote Syslog server returned by typing the
  following commands in the SMC command line interface:
  MY_SERVER_ADDR=xxx.xxx.xxx.xxx
  MY_SERVER_PORT=xxxx
  openssl s_client -connect ${MY_SERVER_ADDR}:${MY_SERVER_PORT} -cert /data/certs/syslog-ng/xxxx.pem -key /data/certs/syslog-ng/xxxx.pem -CAfile /data/certs/syslog-ng/xxxx.pem
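Expired or mismatched client material makes the handshake fail before the remote server
reports anything useful. The shell functions below are an added example and not part of
the guide or of SMC: they check the client certificate's expiry, that the key belongs to
it and that it chains to the CA file, and only then run the guide's openssl s_client
command, keeping its Verify return code line. The helper names, the file names and the
syslog-over-TLS port 6514 in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Stormshield guide or of SMC). Before reading
# the remote server's error, rule out problems with the client material under
# /data/certs/syslog-ng/ that would make the handshake fail on the SMC side:
# an expired client certificate, a key that does not belong to the certificate,
# or a CA file that does not chain to it. The probe then replays the guide's
# openssl s_client command and keeps only the verification result.

# cert_valid_for CERT_PEM SECONDS
# 0 if the certificate is still valid for at least SECONDS, 1 otherwise
# (SECONDS=0 just asks "has it expired?")
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_key_match CERT_PEM KEY_PEM
# 0 if the private key is the one the certificate was issued for
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# cert_chains_to CERT_PEM CA_PEM
# 0 if CERT_PEM verifies against the authority (or chain) in CA_PEM
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# syslog_tls_probe HOST PORT CERT KEY CA
# Prints the "Verify return code" line of the handshake with the syslog server.
syslog_tls_probe() {
    openssl s_client -connect "$1:$2" -cert "$3" -key "$4" -CAfile "$5" </dev/null 2>&1 |
        grep 'Verify return code'
}

# syslog_tls_preflight HOST PORT CERT KEY CA
# Local checks first; the server is contacted only if they pass.
syslog_tls_preflight() {
    cert_valid_for "$3" 0 || { echo "client certificate has expired"; return 2; }
    cert_valid_for "$3" $((30 * 86400)) || echo "warning: client certificate expires within 30 days"
    cert_key_match "$3" "$4" || { echo "certificate and key do not match"; return 3; }
    cert_chains_to "$3" "$5" || { echo "certificate does not chain to the CA in $5"; return 4; }
    syslog_tls_probe "$1" "$2" "$3" "$4" "$5"
}

# On the SMC server (host, port and file names are assumed values):
#   syslog_tls_preflight 10.0.0.5 6514 /data/certs/syslog-ng/client.pem \
#       /data/certs/syslog-ng/client-key.pem /data/certs/syslog-ng/ca.pem
```

The local checks cover what the guide's cause list calls expiry; revocation is only
visible in the remote server's verdict, which is why the probe still runs last.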
TIP
The following restriction applies to the restoration of a server configuration: the SMC
server version must be the same as the version of the server from which the backup file
was generated.
Server logs are not contained in the backup file.
You can also define automatic backups of firewall configurations as well as of the
configuration of the SMC server. For more information, see the section Backing up the
configuration of firewalls.
SMC makes it possible to encrypt the backup by setting a password. The password must comply
with the password policy set for administrators who have local accounts.
The configuration backup file can be restored from:
- The SMC server web interface,
- The command line interface,
- The SMC server initialization wizard.
For more information, refer to the sections Restoring server configuration from the web
interface, Restoring server configuration from the command line interface and Restoring
server configuration from the initialization wizard.
13.7.2 Saving the server configuration from the command line interface
1. To back up the server configuration from the command line interface as the "root" user,
connect to the SMC server via the console of your hypervisor or in SSH.
2. Enter the command smc-config-backup.
To know how to create a server backup, refer to the sections Saving the server
configuration from the web interface and Saving the server configuration from the command
line interface.
To know how to create a server backup, refer to the sections Saving the server
configuration from the web interface and Saving the server configuration from the command
line interface.
The integrity of the backup file is verified before it is restored; logging in again is
then required.
1. In Maintenance > SMC Server > Maintenance, click Download the report in the Server
diagnostics report pane.
The report is presented as a tar.gz archive whose name contains the date and time of
creation.
2. Double-click on the index.html file to open the report in HTML format.
TIP
Depending on the configuration of your hypervisor, the update can take some time. To
monitor the progress of the update, see the file /var/log/update.log.
1. Download the update archive on your workstation from your MyStormshield personal area.
2. Copy the archive to /data/tmp on the SMC server using SSH.
3. Log in to the SMC server via the console of your hypervisor or in SSH.
4. Enter the command smc-update -u /data/tmp/archivename. Replace archivename with the
name of your archive. For versions of SMC lower than 2.6, the command to enter is
fwadmin-update -u /data/tmp/archivename.
5. Wait for the update to end. During the process, the server remains available in the
current version.
6. Enter the command reboot. The updated system restarts.
Command: nstart snmpd ; update-rc.d -f snmpd remove ; update-rc.d snmpd defaults 98
Group      RFC / MIB            OID
system     RFC 1213             .1.3.6.1.2.1.1
ifaces     RFC 1213, RFC 2863   .1.3.6.1.2.1.2, .1.3.6.1.2.1.31
ips        RFC 1213             .1.3.6.1.2.1.4
tcp        RFC 1213             .1.3.6.1.2.1.6
udp        RFC 1213             .1.3.6.1.2.1.7
snmp       RFC 1213             .1.3.6.1.2.1.11
mem        UCD-SNMP-MIB         .1.3.6.1.4.1.2021.4
disk       UCD-SNMP-MIB         .1.3.6.1.4.1.2021.9
load       UCD-SNMP-MIB         .1.3.6.1.4.1.2021.10
cpu        UCD-SNMP-MIB         .1.3.6.1.4.1.2021.11
sysstats   UCD-SNMP-MIB         .1.3.6.1.4.1.2021.11
perf       RFC 1514             .1.3.6.1.2.1.25.4, .1.3.6.1.2.1.25.5
1. Use the command smc-gen-autosigned-cert, indicating the destination folder and the
subject of the certificate. This command generates again the SSL certificate presented to
the web browser. This certificate is self-signed.
smc-gen-autosigned-cert /etc/certs/uiserver/ <subject of the certificate>
EXAMPLE
If you want to switch from a pre-production environment to a production environment, you
may need to reset the certification authority due to the different security constraints
in both environments.
To reset the internal certification authority:
1. Log in to the SMC server via the console of your hypervisor or in SSH.
2. Enter the command smc-reset-ca.
3. After the script is run, SNS firewalls that were connected to the SMC server will be
disconnected. Generate new connecting packages for each firewall and install them.
13.14.1 Enabling the consistency check for the “Diffusion Restreinte” mode
WARNING
Folder administrators whose read access privileges are restricted to certain
folders on SMC
cannot perform this operation. For more information, refer to the section Restricting
folder administrators' access privileges.
A consistency checker in SMC makes it possible to verify whether the configurations on
connected firewalls are compatible with DR mode requirements:
- Signature algorithms and key sizes of firewall and authority certificates,
- Encryption profiles, authentication method and IKE version in VPN topologies. We
  recommend that you use the DR encryption profile that SMC provides by default. To look
  up this profile, go to Configuration > Encryption profiles. For more information on
  selecting encryption profiles in topologies, refer to Creating and monitoring VPN tunnels.
- Versions of firewalls connected to SMC.
This consistency check is mandatory prior to enabling DR mode.
To enable the DR mode consistency check:
1. Go to Maintenance > SMC Server > Settings tab > “ANSSI Diffusion Restreinte (DR)” mode.
2. Select Enable consistency check for the “Diffusion Restreinte (DR)” mode.
3. Click on Apply.
If there are any messages indicating incompatibilities in the configuration, they will be
shown in the consistency check at the bottom of the screen. You can select Display only DR
mode inconsistencies to see only messages from the DR mode consistency check.
To enable DR mode:
1. Enable the consistency checker as described in the previous section.
2. Enable ANSSI “Diffusion Restreinte (DR)” mode.
3. Accept the conditions and click on Enable DR mode.
When DR mode is enabled on the SMC server, an automatic deployment enables DR mode on the
firewalls connected to the server.
4. Immediately restart the firewalls manually.
Enabling DR mode on the SMC server has the following consequences:
- Anomalies relating to the consistency check in DR mode are reported as errors instead of
  warnings,
- SMC connecting packages can only be created for firewalls in SNS version 4.3 or higher,
- Firewalls on which DR mode has never been enabled can no longer be connected to SMC.
14. SETTING UP SMC SERVER REDUNDANCY
As a result, if you make changes directly to any of the files in the /data/config folder
(e.g., the file cfgcheck.ini or smc-webservices.local), they will only be synchronized the
next time changes are made to the configuration either via the web administration
interface, the public API or an smc-* command.
When the following operations are performed via the web administration interface, they do
not trigger a synchronization:
- Changes to the SMC network settings,
- When new administrators are added,
- Changes to the consistency checker for the “Diffusion Restreinte” mode,
- When SNS CLI scripts are run.
As such, the first three operations must be performed manually on both nodes.
3. Run the following command to for forward the public key to the opposite node:
scp /data/redundancy/keys/redundancy.pub root@<REMOTE_IP>:/data/ssh/authorized_keys.root
Note that scp replaces the destination file: any key already present in
authorized_keys.root on the remote node is overwritten by this command.
NOTE
The main node uses the IP address of its first network interface to communicate with the
backup node. The backup node uses the IP address indicated in the command above.
If the IP address of either node is changed, redundancy will no longer function and must
be enabled again with the new address.
If you are using external servers in your configuration, such as a remote syslog server to
send SMC logs, or an LDAP or Radius server to authenticate administrators, ensure that
both nodes can communicate with these servers. Both nodes must be able to reach the IP
address or the domain name of the external server.
In the example above, the main node has the address 105.0.0.100 and the backup node has
the address 105.0.0.101.
The command smc-import-firewalls makes it possible to generate several connecting packages
simultaneously. For more information, refer to the section Importing firewalls in command
line.
14.9 Using the SMC Active Update server when redundancy is enabled
SMC can be used as an Active Update distribution point.
If you wish to use this feature and redundancy has been enabled, follow the procedure
indicated in Using the SMC Active Update server on each firewall cluster, indicating the
information of each node. Firewalls will then have the IP addresses and certificates with
which they can use both nodes as Active Update distribution points.
If you wish to manually update the Active Update databases using the Update bases now
button in the web administration interface, or via the databases' download script, this
operation must be performed on both nodes. For more information, see the section
Downloading Active Update databases.
15. ENABLING AND MANAGING SMC'S PUBLIC API
NOTE
In case of intensive use of the API, i.e., several write requests within a few seconds,
while other users are using the administration web interface at the same time, the
performance of SMC may be impacted. Some requests may fail.
Likewise, if you plan regular intensive use, we recommend that you disable configuration
consistency checking to avoid impacting SMC performance. For more information, see the
section Verifying configuration consistency.
1. In Maintenance > SMC server, show the Public API tab,
2. Select Enable Public API.
The Public API tab displays the API keys created by other administrators. The super
administrator cannot create API keys, but can revoke them. For more information on
revoking keys, refer to Revoking API keys.
Permissions to create and revoke API keys are granted by the super administrator, in
administrators' profiles.
NOTE
The super administrator cannot create API keys.
To grant an administrator permissions to create and revoke API keys:
1. In Maintenance > SMC server, show the Administrators tab,
2. Double-click on the profile of an administrator,
3. Select API keys creation/revocation in Access privileges.
This option is grayed out if the public API is disabled.
The super administrator can set a default validity period for API keys. When another administrator creates a key, the validity period set by the super administrator will then be suggested by default in the Expiry date field, which the administrator can edit.
To edit the API key global policy:
1. In Maintenance > SMC server, show the Public API tab,
2. Click on Edit the API key global policy.
3. Set the validity period suggested by default to administrators when they create a key, and apply. This period cannot exceed 25 years.
3. Enter a name and expiry date. The default validity period is set by the super administrator. For more information, refer to the section Editing the API key global policy.
4. In the Usage field, select the desired option. You cannot select Write if you do not hold this permission yourself in SMC as an administrator.
5. When you click on Apply, the key will not be saved in the database. It must be copied and stored in a safe place as it will no longer be available later.
API keys can be used in API documentation to test requests:
1. Click on the See API documentation link in the API keys tab in Administrator view, or in the Public API tab in Super administrator view.
2. Click on [icon].
3. Enter the API key in the Value field.
4. Click on Authorize then on Close.
When the profile of an SMC administrator is deleted, API keys associated with this administrator will be automatically deleted if they had been revoked earlier. For more information on revocation, see the next section.
APPENDIX A. DETAILS OF SMC-XXX COMMANDS
Command | Action
smc-config-backup | Saves the configuration of the SMC server. See section Saving the server configuration from the command line interface.
smc-config-restore | Restores the configuration of the SMC server. See section Restoring server configuration from the command line interface.
smc-date-time | Displays and configures the system's date, time and time zone. See section Changing the SMC server time zone and date.
smc-deploy |
smc-diag |
smc-export-routes | Exports to a CSV file the static routes, return routes and default routes of firewalls in at least version 4.2.4 and for which the network configuration is managed in SMC. See section Configuring routing.
smc-import-firewalls | Creates firewalls in SMC and their connecting package. See section Importing SNS firewalls from a CSV file.
smc-import-routes | Imports the routes of firewalls in at least version 4.2.4 and for which the network configuration is managed in SMC. See section Configuring routing.
smc-gen-autosigned-cert |
smc-import-crl |
smc-import-objects | Imports objects originating from a firewall export in CSV format. See section Importing objects.
smc-import-rules | Imports filter and NAT rules, and the objects linked to these rules, from the CSV export of SNS firewall rules. See section Importing rules from connected firewalls.
smc-install-certificate |
smc-keyboard |
smc-logs | Displays logs of all actions saved on the SMC server. Equivalent to the nlogs command.
smc-redundancy -secundaryIP <BACKUP_NODE_IP> |
smc-reset-ca | Resets the internal certification authority of the SMC server. See section Resetting the internal certification authority of the SMC server.
smc-sns-cli-script | Runs SNS CLI commands on a pool of firewalls. See section Running SNS CLI commands on an environment of firewalls.
smc-syslog-ng | Configures the logging service in Syslog format. See section Sending SMC logs to a remote server in Syslog format.
smc-update | Updates the SMC server. See section Updating the SMC server.
smc-version | Displays the version of the SMC server. See section Verifying the SMC server version in command line.
APPENDIX B. DETAILS OF SMC_XXX ENVIRONMENT VARIABLES
Old name | New name | Unit | Default value
FWADMIN_AUTOBACKUP_EXCLUDE_PRIVATE_KEY | SMC_AUTOBACKUP_EXCLUDE_PRIVATE_KEY_ENABLED | | false
FWADMIN_ENABLED_BASE_STATION | SMC_BASE_STATION_ENABLED | | false
FWADMIN_CERT_SUBJECT_AS_PEER_LOCALID | SMC_CERT_SUBJECT_AS_PEER_LOCALID_ENABLED | | false
FWADMIN_ENABLED_CFGCHECK | SMC_CFGCHECK_ENABLED | | true
FWADMIN_CFGCHECK_INCOHERENCIES_LIMIT | SMC_CFGCHECK_INCOHERENCIES_INT | | 100
FWADMIN_CONFIG_STATUS_CHECK_PERIOD | SMC_CONFIG_STATUS_CHECK_PERIOD_INT | msec | 120000
FWADMIN_CSV_DELIMITER | SMC_CSV_DELIMITER | |
FWADMIN_DECBACKUP_DIR | SMC_DECBACKUP_DIR | | /opt/stormshield/security
FWADMIN_SNS_DEPLOYMENT_TIMEOUT_BEFORE_ROLLBACK | SMC_DEPLOYMENT_TIMEOUT_BEFORE_ROLLBACK_INT | sec | 30
FWADMIN_EXPORT_TIMEOUT | SMC_EXPORT_TIMEOUT_INT | msec | 30000
FWADMIN_FW_CONFIG_GENERATION_TIMEOUT | SMC_FW_CONFIG_GENERATION_TIMEOUT_INT | msec | 900000
FWADMIN_DEFAULT_FW_CONNECTION_TIMEOUT | SMC_FW_CONNECTION_TIMEOUT_INT | sec | 60
FWADMIN_FW_DEPLOYMENT_DISABLE_ROLLBACK | SMC_FW_DEPLOYMENT_ROLLBACK_ENABLED | | true
FWADMIN_FW_DEPLOYMENT_TIMEOUT | SMC_FW_DEPLOYMENT_TIMEOUT_INT | sec | 300
FWADMIN_FW_DEPLOYMENT_VPN_PEER_INACTIVITY | SMC_FW_DEPLOYMENT_VPN_PEER_INACTIVITY_INT | |
FWADMIN_FW_LICENSE_CRITICAL | SMC_FW_LICENSE_CRITICAL_INT | days |
FWADMIN_FW_LICENSE_WARNING | SMC_FW_LICENSE_WARNING_INT | days |
FWADMIN_FW_TPM_DISABLED | SMC_FW_TPM_ENABLED | | true
FWADMIN_GETSA_POLLING_PERIOD | SMC_GETSA_POLLING_PERIOD_INT | msec | 30000
FWADMIN_GETSPD_POLLING_PERIOD | SMC_GETSPD_POLLING_PERIOD_INT | msec | 30000
FWADMIN_HAINFO_POLLING_PERIOD | SMC_HAINFO_POLLING_PERIOD_INT | msec | 30000
FWADMIN_HASYNC_ON_DESYNCHRO | SMC_HASYNC_ON_DESYNCHRO_ENABLED | | true
FWADMIN_LDAP_FIELD_NAME_DN | SMC_LDAP_FIELD_NAME_DN | |
FWADMIN_LDAP_FIELD_NAME_LOGIN | SMC_LDAP_FIELD_NAME_LOGIN | |
FWADMIN_LDAP_FIELD_NAME_MEMBEROF | SMC_LDAP_FIELD_NAME_MEMBEROF | |
FWADMIN_MESSAGING_RESPONSE_CHUNK_TIMEOUT | SMC_MESSAGING_RESPONSE_CHUNK_TIMEOUT_INT | sec | 30
FWADMIN_MESSAGING_RESPONSE_DEFAULT_TIMEOUT | SMC_MESSAGING_RESPONSE_DEFAULT_TIMEOUT_INT | sec | 120
FWADMIN_MONITOR_STAT_POLLING_PERIOD | SMC_MONITOR_STAT_POLLING_PERIOD_INT | msec | 60000
FWADMIN_PROXY_RESPONSE_TIMEOUT | SMC_PROXY_RESPONSE_TIMEOUT_INT | sec | 300
FWADMIN_SNS_CERTS_PROBE_EXPIRATION_DELAY | SMC_SNS_CERTS_PROBE_EXPIRATION_INT | days | 30
FWADMIN_SNS_CLI_ATTACHMENTS_DIR | SMC_SNS_CLI_ATTACHMENTS_DIR | | /data/tmp/sns-cli/input
FWADMIN_SNS_CLI_CSV_DELIMITER | SMC_SNS_CLI_CSV_DELIMITER | |
FWADMIN_SNS_CLI_OUTPUT_DIR | SMC_SNS_CLI_OUTPUT_DIR | | /data/tmp/sns-cli/output
FWADMIN_SNS_CLI_SCRIPT_MAX_UPLOAD_SIZE | SMC_SNS_CLI_SCRIPT_MAX_UPLOAD_SIZE_INT | bytes | 2097152
FWADMIN_SNS_CLI_STEP_TIMEOUT | SMC_SNS_CLI_STEP_TIMEOUT_INT | sec | 120
FWADMIN_SNS_DEPLOYMENT_TIMEOUT_ROLLBACK | SMC_SNS_DEPLOYMENT_ROLLBACK_TIMEOUT_INT | sec | 180
FWADMIN_SYSTEM_PROP_POLLING_PERIOD | SMC_SYSTEM_PROP_POLLING_PERIOD_INT | msec | 3600000
FWADMIN_UI_PORT | SMC_UI_PORT_INT | | 443
FWADMIN_UI_SERVER_CERT_PATH | SMC_UI_SERVER_CERT_PATH | | /etc/certs/uiserver
FWADMIN_VPN_MESH_ROUTE_BASED_MAX_PEERS | SMC_VPN_MESH_ROUTE_BASED_MAX_PEERS_INT | | 50
APPENDIX C. COMPATIBILITY OF SMC/SNS FIREWALLS
Version of SMC
3.0
3.7.0
3.0.1
4.2.3
3.1
3.1
4.3.3
3.1.3
3.7.0
3.2
3.7.0
3.2
4.2.3
SD-WAN support
3.2
4.3.3
4.2.3
3.4
4.4
QoS configuration
3.6
3.6
4.8.1
NOTE
To be able to monitor the status of VPN topologies containing SN firewalls in version 4.2 or higher, you need to use an SMC server in version 3.0 or higher.
All images in this document are for representational purposes only; actual products may differ.
Copyright © Stormshield 2024. All rights reserved. All other company and product names contained in this document are trademarks or registered trademarks of their respective companies.