Deploying a configuration on firewalls
Every time a configuration is created or modified on the SMC server, you will need to deploy the configuration on firewalls.
All deployments are saved in the deployment history. Refer to the section Loading and deploying a former configuration.
During a deployment, the following information will be sent to the firewalls:
- Objects used in filter and NAT rules relating to the firewall or its parent folders.
- Objects you have chosen to deploy on all firewalls or for which you have selected the firewalls they will be deployed on. For more information, please refer to the section Managing objects.
- If the firewall is part of a VPN topology: Network, Host and/or Group objects and the certification authority associated with this topology, as well as information on the certificate selected for this firewall in the topology (the certificate has already been installed on the firewall).
You need to hold write access privileges on the firewalls to perform this operation. For more information, refer to the section Restricting folder administrators' access privileges.
- Go to Deployment > Configuration deployment or click on the button in the upper banner of the interface. This button turns orange when changes have been made to the configuration.
- In the Firewalls selection tab, select firewalls.
- Enter a comment at the bottom of the panel if needed. This comment will be displayed in the deployment history.
- Click on Deploy configuration next to the comment field. The Deployment tab automatically opens. A status bar indicates the progress and the result of the deployment for each firewall.
When a deployment is in progress or an SNS CLI script is running, you cannot launch another deployment but you can prepare another deployment in the Firewalls selection tab. - During or after the deployment, you can click on the status bar of a firewall to display a summary of the deployment on this firewall. For more information regarding the deployment, use the command clogs in the command line interface.
- See the deployment summary at the bottom of the panel, showing successful operations, warnings, errors and postponed deployments.
- You can also filter the list of firewalls by selecting a deployment result in the drop down list at the top of the list.
If the deployment is successful, the deployment number will be incremented in the Deployment column.TIP
If a configuration is deployed on disconnected firewalls, the deployment is postponed and firewalls retrieve the configuration the next time they are on line. - In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking the icon in the Actions column and refer to the firewall logs.
- If the firewall requires a reboot to finalize the deployment, this is indicated by the health status "Reboot required". You can start the reboot directly from the deployment window by clicking on the Reboot button at the bottom of the window. You can also restart the firewall at a later point in time from the supervision, configuration and deployment windows or by clicking on the information displayed on the right-hand side in the top banner of the application:
- After a configuration is deployed for the first time, the SMC server will regularly check whether the configuration deployed from the firewall continues to match the configuration on SMC. Refer to Detecting changes to the local configuration on firewalls.
The steps are the same as in the section above.
The configuration is first deployed on the active node of the cluster. The SMC server then synchronizes both nodes of the cluster.
If the passive node is not connected to the active node at the time of deployment, the SMC server will perform a synchronization between both nodes when the passive node connects again to the active node.
You can use the smc-deploy
command to deploy a configuration in command line.
Apply the command to the list of targeted firewalls (on which the configuration is to be deployed) using one of these options:
- --all: deploys on all firewalls,
- --firewall-list <firewallNames>: deploys on certain firewalls (separated by commas).
To see the other options that this command offers, type smc-deploy --help
.
At the beginning of the deployment, the deployment number will appear.
When you are about to deploy a configuration on a pool of firewalls, SMC may show a warning to inform you that other administrators have made changes to the configuration since it was last deployed.
You can then choose to either cancel the deployment or continue. If you choose to proceed with the deployment, changes made by other administrators will also be deployed on the selected firewalls.
This feature is disabled by default. To enable it:
- Log in to the SMC server via the console of your hypervisor or in SSH.
- In the file /data/config/fwadmin-env.conf.local, add the environment variable
SMC_WARNING_MODIFICATION_ENABLED=true
. - Restart the server with the command
nrestart smc
.
This feature includes the following limitations:
SMC displays a warning only when it detects changes made to the configuration from the web administration interface. Changes made via the command line interface and the SMC public API are not taken into account.
All changes to a firewall's configuration will trigger a warning, regardless of which firewalls are selected for the deployment, and even when the firewall in question is not part of the selection, or is not part of the administration perimeter of the administrator deploying the configuration.
Any time a resource is created, i.e., an object or rule set, even if it is not in use or has been deleted immediately, a warning will be triggered.
Any operation involving rule separators (collapsing/expanding) will trigger a warning.
During a deployment, the list of pending changes will be purged, regardless of which firewalls are selected for the deployment. This means that if you make changes to firewall A, and another administrator deploys the configuration first on firewall B then on firewall A, the warning will appear only during the first deployment.
If an administrator restores a backup on SMC, the list of pending changes will be purged. No warnings will be shown during the next deployment.
When a configuration deployment fails on a firewall, the list of pending changes will be purged.
Before a new configuration deployed by SMC is installed on an SNS firewall, its configuration will be backed up. So if a deployment alters the connection between the SMC server and an SNS firewall, the most recent backup will be restored. This mechanism guarantees that the SMC server will always be able to reach the SNS firewall. You can manage this feature for individual firewalls by using three environment variables:
Variable | Description |
---|---|
SMC_DEPLOYMENT_TIMEOUT_BEFORE_ROLLBACK_INT By default: 30 seconds |
Sets the amount of time in seconds that SMC will attempt to reconnect. Once this duration is exceeded, the previous configuration will be restored. |
SMC_SNS_DEPLOYMENT_ROLLBACK_TIMEOUT_INT By default: 180 seconds |
Sets the amount of time in seconds between the restoration of the configuration and the reconnection to the SMC server. If the connection is not up again after this duration, the deployment will be considered a failure. We do not recommend setting a value lower than the default value. |
SMC_FW_DEPLOYMENT_ROLLBACK_ENABLED | Makes it possible to disable the feature. It is enabled by default. |
If you encounter issues while deploying a configuration, start by reading the following log files.
SMC side
/data/log/fwadmin-server/server.log
Firewall side
/log/l_system
Validation of the deployment failed
-
Situation: After the configuration was deployed on the firewall, the status of the firewall switched to Critical and indicated “Configuration validation”. The command CONFIG STATUS VALIDATE therefore failed.
-
Cause: The password used to validate the configuration on the SNS firewall was probably changed and no longer matched the one saved on SMC. Check the server's logs to find out the exact cause.
-
Solution: Connect to the firewall to fix the issue. If the reason is an invalid password; run the command CONFIG STATUS REMOVE.
Configurations cannot be deployed on some firewalls
-
Situation: Some firewalls cannot be selected for the deployment.
-
Cause: An SNS CLI script is currently being executed or delayed on the firewall, so configurations cannot be deployed on this firewall for the moment.
-
Solution: Wait until the script finishes executing, or until the firewall reconnects so that the execution can complete. You can also cancel the execution of the script from the SNS CLI scripts menu.