Updating firewalls

SMC makes it possible update your firewall pool.

You need to hold write access privileges on the firewalls in order to update them. For more information, refer to the section Restricting folder administrators' access privileges.

Firewalls on which the TPM has been enabled cannot be updated from SMC.

  1. Download the relevant update files in advance from your secure MyStormshield area (.maj).
  2. In the web interface of the SMC server, select Deployment > Updating firewalls.
  3. In the first part of the Firewall selection tab, import one or several update files in .maj format by clicking on :
    • Imported files are stored on the SMC server. They are kept for 14 days by default. With the environment variable SMC_SNS_UPDATE_MAX_KEEP_DAYS_INT, the duration for the storage of update files can be changed.

      WARNING
      Ensure that you have enough disk space to store the files, as disk saturation may cause malfunctions.

    • The button makes it possible to indicate the URL of an HTTPS server from which SMC can import update files.
    • The View script button button allows you to view the header of the update file, to confirm that the file is compatible with the version of the firewalls to be updated.
    • The Save the active partition on the backup partition before updating the firewall checkbox offers the option of saving the system's active partition on the backup partition, to keep a record of it. Depending on the size of the partition, configuration and firewall model, the operation may last a while. The environment variable SMC_SNS_UPDATE_SYSTEM_CLONE_TIMEOUT_INT makes it possible to configure the maximum amount of time allowed for the backup.
      For EVA firewalls that do not have backup partitions, selecting this checkbox does not prevent the firewall from being updated, but the update will run without backing up the active partition. We recommend that you back up a snapshot of the host before updating it.
  4. Select the update file to be applied.
  5. In the second part of the Firewall selection tab, select the firewalls to be updated.
    • The Firewall which cannot be selected icon icon indicates, where applicable, that the firewall cannot be selected to run the update. In this case, the row will be grayed out. Scroll over the icon with your mouse to find out why.
    • Offline firewalls can be selected. Updates for these firewalls are postponed and launched the next time the firewalls connect. When a firewall reconnects, if SNS CLI script executions or configuration deployments are already pending, the update will be run first, followed by the script execution or configuration deployment.
    • In a high availability cluster, the passive firewall is updated first. When it restarts, it becomes the active firewall while the other firewall is updated. This ensures service continuity.
  6. Click on Update firewalls at the bottom of the tab. The Execution tab automatically opens.
  7. Track the progress and results of the update on each selected firewall.
    When an update is pending on a firewall, you cannot run SNS CLI scripts or deploy configurations on this firewall, and vice versa. You can launch updates on other firewalls.

    IMPORTANT
    The read/write privileges on any administration sessions already open on the firewalls in question are automatically adopted when an update is run.

  8. Filter the list of firewalls by selecting a status in the drop down list at the top of the list, if necessary.
  9. In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking on the icon Logs icon in the Actions column.
  10. After a few minutes, check in the Monitoring > Firewalls panel that the version number has indeed changed in the Version column.

Firewalls can also be updated from SMC, by using SNS CLI scripts. To perform this operation, refer to the section Updating firewalls by using SNS CLI scripts.