Deploying a configuration on firewalls
Every time a configuration is created or modified on the SMC server, you will need to deploy the configuration on firewalls.
All deployments are saved in the deployment history. Refer to the section Loading and deploying a former configuration.
During a deployment, the following information will be sent to the firewalls:
- Objects used in filter and NAT rules relating to the firewall or its parent folders.
- Objects you have chosen to deploy on all firewalls or for which you have selected the firewalls they will be deployed on. For more information, please refer to the section Managing network objects.
- If the firewall is part of a VPN topology: Network, Host and/or Group objects and the certification authority associated with this topology, as well as information on the certificate selected for this firewall in the topology (the certificate has already been installed on the firewall).
- Go to Deployment > Configuration deployment or click on the button in the upper banner of the interface. This button turns orange when changes have been made to the configuration.
- In the Firewalls selection tab, select firewalls.
- Enter a comment at the bottom of the panel if needed. This comment will be displayed in the deployment history.
- Click on Deploy configuration next to the comment field. The Deployment tab automatically opens. A status bar indicates the progress and the result of the deployment for each firewall.
When a deployment or an SNS CLI script is running, you cannot launch another deployment, but you can prepare one in the Firewalls selection tab.
- During or after the deployment, you can click on the status bar of a firewall to display a summary of the deployment on this firewall. For more information regarding the deployment, use the command clogs in the command line interface.
- See the deployment summary at the bottom of the panel, showing successes, errors and postponed deployments.
- You can also filter the list of firewalls by selecting a status in the drop-down list at the top of the list.
If the deployment is successful, the deployment number will be incremented in the Deployment column.
If a configuration is deployed on disconnected firewalls, the deployment is postponed and the firewalls retrieve the configuration the next time they are online.
- In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking the icon in the Actions column and refer to the firewall logs.
The steps are the same as in the section above.
The configuration is first deployed on the active node of the cluster. The SMC server then synchronizes both nodes of the cluster.
If the passive node is not connected to the active node at the time of deployment, the SMC server will synchronize both nodes when the passive node reconnects to the active node.
You can use the smc-deploy command to deploy a configuration from the command line.
Apply the command to the list of targeted firewalls (on which the configuration is to be deployed) using one of these options:
- --all: deploys on all firewalls,
- --firewall-list <firewallNames>: deploys on certain firewalls (separated by commas).
To see the other options that this command offers, type
At the beginning of the deployment, the deployment number will appear.
If you encounter issues while deploying a configuration, start by reading the following log files.
/var/log/fwadmin-server/cfg2ini.log, /var/log/fwadmin-server/server.log and /var/log/fwadmin-server/connections.log
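The command-line deployment and the log files listed above, combined in an added shell example that is not part of the original documentation: it builds an explicit --firewall-list value rather than using --all, then counts error lines in the three logs. The function names, the SMC_DEPLOY and SMC_LOG_DIR variables, the allowed character set for firewall names, the exit-code behaviour of smc-deploy and the "error" keyword are assumptions.

```sh
#!/bin/sh
# Added example. Assumptions: firewall names use only [A-Za-z0-9._-],
# smc-deploy exits non-zero on failure, and problem lines in the logs
# contain the word "error". Only the option and file names are from the page.
SMC_DEPLOY="${SMC_DEPLOY:-smc-deploy}"
SMC_LOG_DIR="${SMC_LOG_DIR:-/var/log/fwadmin-server}"
SMC_LOGS="cfg2ini.log server.log connections.log"

# join_firewalls NAME... : print "fw1,fw2", or fail on an unsafe name.
join_firewalls() {
    [ "$#" -gt 0 ] || { echo "no firewall given" >&2; return 1; }
    list=""
    for name in "$@"; do
        case "$name" in
            ""|-*|*[!A-Za-z0-9._-]*)
                # Empty names, option-like names and commas would change
                # which firewalls the command targets.
                echo "rejected firewall name: '$name'" >&2
                return 1 ;;
        esac
        list="${list:+$list,}$name"
    done
    printf '%s\n' "$list"
}

# count_log_errors : print "<file>:<count>" for each of the three logs.
# The count covers the whole file, not only the last deployment.
count_log_errors() {
    for f in $SMC_LOGS; do
        if [ -r "$SMC_LOG_DIR/$f" ]; then
            n=$(grep -ci 'error' "$SMC_LOG_DIR/$f" || true)
        else
            n="unreadable"
        fi
        printf '%s:%s\n' "$f" "$n"
    done
}

# deploy_to NAME... : deploy on the named firewalls only, then triage logs.
deploy_to() {
    targets=$(join_firewalls "$@") || return 1
    rc=0
    "$SMC_DEPLOY" --firewall-list "$targets" || rc=$?
    count_log_errors
    return "$rc"
}

# Usage on the SMC server: deploy_to fw-site-a fw-site-b
```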