SMC certificate expiration on July 04, 2022, update your SMC!
Update is not possible? See the SMC not functional after the 4th of July 2022 article on the KB (authentication required).
Deploying a configuration on firewalls
Every time a configuration is created or modified on the SMC server, you will need to deploy the configuration on firewalls.
All deployments are saved in the deployment history. Refer to the section Loading and deploying a former configuration.
During a deployment, the following information will be sent to the firewalls:
- Objects used in filter and NAT rules relating to the firewall or its parent folders.
- Objects you have chosen to deploy on all firewalls or for which you have selected the firewalls they will be deployed on. For more information, please refer to the section Managing objects.
- If the firewall is part of a VPN topology: Network, Host and/or Group objects and the certification authority associated with this topology, as well as information on the certificate selected for this firewall in the topology (the certificate has already been installed on the firewall).
- Go to Deployment > Configuration deployment or click on the button in the upper banner of the interface. This button turns orange when changes have been made to the configuration.
- In the Firewalls selection tab, select firewalls.
- Enter a comment at the bottom of the panel if needed. This comment will be displayed in the deployment history.
- Click on Deploy configuration next to the comment field. The Deployment tab automatically opens. A status bar indicates the progress and the result of the deployment for each firewall.
When a deployment or an SNS CLI script is running, you cannot launch another deployment but preparing another deployment in the Firewalls selection tab is possible.
- During or after the deployment, you can click on the status bar of a firewall to display a summary of the deployment on this firewall. For more information regarding the deployment, use the command clogs in the command line interface.
- See the deployment summary at the bottom of the panel, showing successful operations, warnings, errors and postponed deployments.
- You can also filter the list of firewalls by selecting a deployment result in the drop-down list at the top of the list.
If the deployment is successful, the deployment number will be incremented in the Deployment column.
If a configuration is deployed on disconnected firewalls, the deployment is postponed and the firewalls retrieve the configuration the next time they are online.
- In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking the icon in the Actions column and refer to the firewall logs.
- If the firewall requires a reboot to finalize the deployment, this is indicated by the health status "Reboot required". You can start the reboot directly from the deployment window by clicking on the Reboot button at the bottom of the window. You can also restart the firewall at a later point in time from the supervision, configuration and deployment windows, or by clicking on the information displayed on the right-hand side in the top banner of the application.
- After a configuration is deployed for the first time, the SMC server will regularly check whether the configuration running on the firewall continues to match the configuration on SMC. Refer to Detecting changes to the local configuration on firewalls.
The steps are the same as in the section above.
The configuration is first deployed on the active node of the cluster. The SMC server then synchronizes both nodes of the cluster.
If the passive node is not connected to the active node at the time of deployment, the SMC server will perform a synchronization between both nodes when the passive node connects again to the active node.
You can use the smc-deploy command to deploy a configuration from the command line.
Apply the command to the list of targeted firewalls (on which the configuration is to be deployed) using one of these options:
- --all: deploys on all firewalls,
- --firewall-list <firewallNames>: deploys on certain firewalls (separated by commas).
To see the other options that this command offers, type
At the beginning of the deployment, the deployment number will appear.
Before a new configuration deployed by SMC is installed on an SNS firewall, the firewall's current configuration is backed up. If the deployment breaks the connection between the SMC server and the SNS firewall, the most recent backup is restored. This mechanism guarantees that the SMC server will always be able to reach the SNS firewall. You can manage this feature for individual firewalls by using three environment variables:
|Environment variable|Default value|Description|
|---|---|---|
||30 seconds|Sets the amount of time in seconds that SMC will attempt to reconnect. Once this duration is exceeded, the previous configuration will be restored.|
||180 seconds|Sets the amount of time in seconds between the restoration of the configuration and the reconnection to the SMC server. If the connection is not up again after this duration, the deployment will be considered a failure. We do not recommend setting a value lower than the default value.|
|FWADMIN_FW_DEPLOYMENT_DISABLE_ROLLBACK||Makes it possible to disable the feature, which is enabled by default (value set to False).|
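The following is an added simulation of this rollback safety net (illustration only, not Stormshield SMC code) so that the interplay of the two timeouts and FWADMIN_FW_DEPLOYMENT_DISABLE_ROLLBACK can be seen on constructed firewalls; it also mirrors the --all / --firewall-list selection of smc-deploy. The two timeouts are plain parameters of the simulation (their real variable names are not used here), and firewall behaviour is modelled by how many seconds the firewall takes to reconnect.

```python
# Added simulation of the SMC deployment rollback (not Stormshield's code).
import os
from typing import Dict, List, Optional, Tuple

class Firewall:
    """Constructed model of an SNS firewall as seen from the SMC server."""
    def __init__(self, name: str, config: Dict[str, str],
                 reconnect_after_new: Optional[float],
                 reconnect_after_restore: Optional[float] = 0.0):
        self.name = name
        self.config = config              # configuration currently running
        self.backup: Optional[Dict[str, str]] = None
        # Seconds until SMC regains contact after the new config is applied
        # (None: the new config cuts the management link for good).
        self.reconnect_after_new = reconnect_after_new
        # Seconds until contact is regained once the backup is restored.
        self.reconnect_after_restore = reconnect_after_restore

def deploy_with_rollback(fw: Firewall, new_config: Dict[str, str],
                         reconnect_timeout: float = 30,    # page default: 30 s
                         restore_timeout: float = 180,     # page default: 180 s
                         disable_rollback: Optional[bool] = None
                         ) -> Tuple[str, Dict[str, str]]:
    """Push new_config to fw; return (status, configuration left running)."""
    if disable_rollback is None:   # read FWADMIN_FW_DEPLOYMENT_DISABLE_ROLLBACK (default False)
        disable_rollback = os.environ.get(
            "FWADMIN_FW_DEPLOYMENT_DISABLE_ROLLBACK", "False").lower() == "true"
    fw.backup = dict(fw.config)    # backup taken before every deployment
    fw.config = dict(new_config)   # new configuration installed
    if disable_rollback:           # no timeout and no restore: the link is all that counts
        status = "deployed" if fw.reconnect_after_new is not None else "unreachable"
        return status, fw.config
    if fw.reconnect_after_new is not None and fw.reconnect_after_new <= reconnect_timeout:
        return "deployed", fw.config
    fw.config = fw.backup          # reconnect_timeout exceeded: previous config restored
    restored_ok = (fw.reconnect_after_restore is not None
                   and fw.reconnect_after_restore <= restore_timeout)
    return ("rolled_back" if restored_ok else "failed"), fw.config

def deploy_selection(firewalls: List[Firewall], new_config: Dict[str, str],
                     names: Optional[List[str]] = None) -> Dict[str, str]:
    """Status per firewall, like smc-deploy --all (names=None) or --firewall-list."""
    targets = firewalls if names is None else [f for f in firewalls if f.name in names]
    return {f.name: deploy_with_rollback(f, new_config)[0] for f in targets}
```

A firewall that only comes back after 45 seconds is rolled back even though it would eventually have reconnected, which is why the page advises against lowering the defaults.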
If you encounter issues while deploying a configuration, start by reading the following log files.
/var/log/fwadmin-server/cfg2ini.log, /var/log/fwadmin-server/server.log and /var/log/fwadmin-server/connections.log
Situation: After the configuration was deployed on the firewall, the status of the firewall switched to Critical and indicated “Configuration validation”. The command CONFIG STATUS VALIDATE therefore failed.
Cause: The password used to validate the configuration on the SNS firewall was probably changed and no longer matched the one saved on SMC. Check the server's logs to find out the exact cause.
Solution: Connect to the firewall to fix the issue. If the reason is an invalid password, run the command CONFIG STATUS REMOVE.