Configuring routing

From the SMC server, you can manage and configure the static, dynamic, return and default routes of your firewalls in version 4.2.3 and upwards.

Go to the System > Configuration tab of the firewall in question and select Configure network interfaces and routing for this firewall from SMC.

option to configure interfaces and routing

The first time you select this option, SMC retrieves automatically the firewall’s routes in the Routing tab, if it is connected. SMC also retrieves the objects used in the routes.

In the Routing tab, you will be able to configure the following from a central point:

  • static routes,

  • return routes,

  • default route,

  • dynamic routing.

Static and return routes To create new static and return routes, click on Add at the top of the grid.
Dynamic routing

Double-click on the line where dynamic routing appears in the grid. You can change the routing configuration to BIRD format and select advanced options. For more information, refer to the Dynamic routing section in the Stormshield Network User Configuration Manual.

NOTE
SMC does not support IPv6 for the BIRD configuration.
Default route

Double-click on the line in the grid and select a gateway.

When the configuration is deployed, the network configuration deployed from SMC takes priority over the firewall’s local configuration and overwrites it.

For more information on route configuration, refer to the Routing section in the Stormshield Network User Configuration Manual.

If the option Configure network interfaces and routing for this firewall from SMC is not selected, the firewall’s Routing tab will be in read-only mode. SMC retrieves then the firewall's routes every time the tab is opened. The objects contained in read-only routes will not be retrieved on SMC.

When the Routing tab is in read-only mode, SMC retrieves the firewall's routes every time the tab is opened. This is not the case when routing and network configuration is managed by SMC.

In the firewall's settings, you can then force the retrieval of the interface and routing configuration:

  1. Go to the firewall's settings,

  2. In the System > Configuration tab, select Configure network interfaces and routing for this firewall from SMC if it has not already been selected.

  3. Expand Firewall information and configuration retrieval (advanced) and click on Retrieve configuration of interfaces and routing.Buttons to retrieve information

Routes can be manually imported and exported in command line.

Exporting routes

The smc-export-routes command makes it possible to generate a CSV file that includes the static routes, return routes and default routes of firewalls in at least version 4.2.4 and for which the network configuration is managed in SMC.

The command generates the CSV file in the /tmp folder by default.

To export a firewall's routes:

  1. Log in to the SMC server via the console of your hypervisor or in SSH.

  2. Enter the command smc-export- routes. To change the default name of the output file (smc_routes_date.time.csv), add an argument to the command. For example: smc-export-routes /data/tmp/my_routes.csv.

Importing routes

The smc-import-routes command makes it possible to import from a CSV file to SMC the routes of firewalls in at least version 4.2.4 and for which the network configuration is managed in SMC. Running the command overwrites the routes that are already visible in SMC.

EXAMPLE
The structure of an import file containing routes is as follows:
#firewall,#type,#status,#destination,#gateway,#interface,#comment
SNS1,default,Enabled,any,gateway,auto,
SNS2,reverse,Enabled,,update1-sns.stormshieldcs.eu,out,
etc.

To import routes:

  1. To create the CSV file, you can export routes as shown above and use the generated file as a base,

  2. Copy the CSV file to the SMC server using the SSH protocol in the /tmp folder for example,

  3. Log in to the SMC server via the console of your hypervisor or in SSH.

  4. Enter the command smc-import-routes followed by the path to the CSV file as the argument.

If the routes reference items from your SNS configuration that are not already in the SMC configuration (objects/interfaces), you must import them beforehand on the server.

  • Currently, configuration in IPv6 is not supported.

  • SMC can retrieve the routes of an SNS firewall and the associated objects by enabling the network configuration management or by forcing the retrieval of the routes. If a retrieved object already exists on SMC (same type and name), the values of the object existing on SMC are then the values used in the configuration.

  • If the default gateway set on an SNS firewall does not match any object in the firewall's object database, route retrieval will not be supported. An error log will be generated in the server's logs, explaining that the IP address must be represented by an object.

  • Objects containing only IPv6 and/or MAC addresses cannot be used.

  • Router objects can be used as gateways to a static route on SNS firewalls in at least version 4.3.0.

  • In SMC, "firewall_" objects are used in routes in exactly the same way they are used on SNS firewalls. So during a deployment, if the firewall detects such objects being used wrongly, the deployment will fail.

  • Dynamic routing - SMC does not support the following parameters. If necessary, configure them directly from the SNS firewall. They will not be overwritten by the routing configuration originating from SMC:

    • the "[BGPAuth]” section,

    • the exclusion of IP address ranges in routes. For more information, refer to the Stormshield Knowledge base.