Verifying configuration consistency
The consistency checker is a tool that analyzes the consistency of your configuration in real time. In the lower panel of the SMC server web interface, it shows warnings and errors if it has detected any.
To show the consistency check:
- Select Maintenance > Consistency check.
- or -
- Open the lower panel of the screen by clicking on the black arrow at the bottom of the interface.
The consistency checker shows all warnings and errors affecting all firewalls. However, error analyses take priority over warning analyses. If a firewall reports at least one error, the analysis of warnings on this firewall will be canceled.
You can filter these warnings and errors by firewall or by inconsistency, or by entering a character string in the search field.
By clicking on certain items (filter or translation rules, objects, etc.), you can go straight to the panels or items in question.
The consistency checker also runs when configurations are deployed. However, only errors are checked; warnings are ignored. When an error is detected, the deployment will fail.

The consistency checker may affect the performance of the SMC server when it manages large pools (over 500 SNS firewalls).
The environment variable SMC_CFGCHECK_ENABLED makes it possible to disable the consistency check whenever necessary.
- Log in to the SMC server via the console of your hypervisor or in SSH.
- Edit the file /data/config/fwadmin-env.conf.local by adding the following line at the end:
  SMC_CFGCHECK_ENABLED=false
- Restart the server with the command nrestart smc.
In this case, you can still manually launch the consistency check when required, by clicking on the Run verification button in the consistency checker interface.
When the consistency check is disabled, automatic checks will still be launched for each deployment, to guarantee the consistency of the configuration across firewalls.
The SMC_CFGCHECK_BEFORE_DEPLOY_ENABLED environment variable can be used to disable these automatic checks if required.

WARNING
Follow the recommendations given by the Stormshield Technical Assistance Center for these operations.
You can specifically disable checks in some areas or disable some of the configuration consistency checks. You can also change the "warning" or "error" levels in checks.
- Log in to the SMC server via the console of your hypervisor or in SSH.
- To know which entries can be disabled, refer to the file /opt/fwadmin-server/config/cfgcheck.ini without modifying it.
- In the /data/config/cfgcheck.ini file:
  - Add the keys to disable in the DOMAINS section of the file, by indicating false as the value,
  - Add checks in the CHECKS section of the file, by indicating error or warning as the level, or use false as the value to disable the check.
- Restart the server with the command nrestart smc.
EXAMPLE
/data/config/cfgcheck.ini file:
[DOMAINS]
RULE=false
IPSECDR=false
[CHECKS]
INVALID_INTERFACE_IN_STATIC_ROUTING=error
INVALID_INTERFACE_IN_RETURN_ROUTING=error
IP_COLLISION=warning
OVERLAPPING=warning
RETURN_ROUTE_GATEWAY_WITHOUT_MAC_ADDRESS=false
STATIC_ROUTE_WITHOUT_INTERFACE=false
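
Every entry in this override file switches a check off or changes its level, so it is worth reviewing before the restart. The following is an added example, not Stormshield code: a shell function that lists what a cfgcheck.ini-style file disables or re-levels and flags any value other than the ones documented above. The function name, the output labels, the comment syntax and the availability of awk on the server are assumptions.

```shell
#!/bin/sh
# Added example, not Stormshield code. Function name and output labels are hypothetical.
# Lists what a cfgcheck.ini override file turns off or re-levels, and flags
# any value other than the ones this page documents (false / error / warning).
audit_cfgcheck() {
    awk '
    BEGIN { bad = 0 }
    { sub(/\r$/, "") }                          # tolerate CRLF line endings
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }        # blank or comment (comment syntax assumed)
    /^[ \t]*\[.*\][ \t]*$/ {                    # section header such as [DOMAINS]
        sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
        section = $0; next
    }
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (eq > 1 && section == "DOMAINS" && val == "false")
            print "DOMAIN_DISABLED " key
        else if (eq > 1 && section == "CHECKS" && val == "false")
            print "CHECK_DISABLED " key
        else if (eq > 1 && section == "CHECKS" && (val == "error" || val == "warning"))
            print "CHECK_LEVEL " key " " val
        else { print "REVIEW line " NR ": " $0; bad = 1 }
    }
    END { exit bad }                            # non-zero when any line was flagged
    ' "${1:--}"
}

# Constructed sample: keys taken from the example on this page, plus one mistyped level.
audit_cfgcheck - <<'EOF' || echo "Flagged lines found: fix them before running nrestart smc"
[DOMAINS]
RULE=false
IPSECDR=false
[CHECKS]
IP_COLLISION=warning
OVERLAPPING=warnning
STATIC_ROUTE_WITHOUT_INTERFACE=false
EOF
```

On the server, the same function can be pointed at the real file with audit_cfgcheck /data/config/cfgcheck.ini.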

The number of inconsistencies reported by the checker can be restricted by using the environment variable SMC_CFGCHECK_INCOHERENCIES_INT. By default, up to 100 inconsistencies are reported. Once this limit is reached, SMC will cancel all pending analyses.
- Log in to the SMC server via the console of your hypervisor or in SSH.
- In the file /data/config/fwadmin-env.conf.local, change the value of the environment variable SMC_CFGCHECK_INCOHERENCIES_INT.
- Restart the server with the command nrestart smc.