SMC 3.5.3 fixes

SMC update

Support reference 85420

Configuration of translation rules

When translation rules are imported from a CSV file, the "random" value can no longer be used in the "nat_from_port_load_balancing" field if the "nat_from_port" field is empty.

If you have imported translation rules with this configuration, updating your firewall to version 3.5.3 will fix this inconsistency. If nothing was entered in the "nat_from_port" field, the value of the "nat_from_port_load_balancing" field will automatically be cleared.
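A pre-import check for the inconsistency described above, as an added example that is not Stormshield's code. It flags rows where "nat_from_port_load_balancing" is "random" while "nat_from_port" is empty, and returns a copy with that value cleared, as the 3.5.3 update does. Only those two field names come from this page; the "rule_name" column, the comma delimiter and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Field names as given in the release note.
PORT = "nat_from_port"
LB = "nat_from_port_load_balancing"

# Constructed sample; "rule_name" is a hypothetical label column.
SAMPLE = """rule_name,nat_from_port,nat_from_port_load_balancing
nat-web,port_range_obj,random
nat-mail,,random
nat-dns,,
"""


def check_translation_rules(csv_text, delimiter=","):
    """Return (findings, cleaned_csv_text).

    findings lists (line_number, rule_label) for each row where LB is
    "random" and PORT is empty. cleaned_csv_text has LB cleared on
    those rows and every other cell left unchanged.
    """
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    missing = {PORT, LB} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing column(s): {sorted(missing)}")

    findings, rows = [], []
    for row in reader:
        if None in row:  # more cells than headers: refuse to guess
            raise ValueError(f"line {reader.line_num}: too many cells")
        port = (row[PORT] or "").strip()
        lb = (row[LB] or "").strip()
        if lb == "random" and not port:
            findings.append((reader.line_num, row.get("rule_name") or ""))
            row[LB] = ""
        rows.append(row)

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            delimiter=delimiter, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return findings, out.getvalue()


if __name__ == "__main__":
    for line, label in check_translation_rules(SAMPLE)[0]:
        print(f"line {line}: {label!r} uses 'random' without {PORT}")
```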

Special characters "<", ">" and "@"

The presence of the characters "<" and ">" in the descriptions or comments of filter and NAT rules, separators and objects no longer causes SMC updates to version 3.5.x to fail. However, during the update to version 3.5.3, these characters will be deleted and the rest of the description or comment will be kept.

Likewise, the "@" character is now supported once again in the descriptions of rules and rule separators.

Active Update server

Support reference 85414

When the Active Update server feature was enabled on SMC, the two following issues could occur, and have been fixed:

  • SMC would become unreachable when it could not connect to Stormshield update servers to download databases. When there are connection issues now, SMC remains accessible and an error will be reported in the server's logs.

  • When the Active Update server feature was disabled, the automatic update of databases would continue. The automatic update is now disabled.

Network configuration

Changes to the dynamic routing configuration on the SNS firewall

Support reference 85427

You can now directly access the interface of an SNS firewall from SMC and change its dynamic routing configuration without this making SMC unavailable, as could happen in some cases.

Object database

Object database export

Support reference 85367

The object database can be exported once again to CSV files.

Filter and NAT rules

Importing the global rules of an SNS firewall

Support reference 85144

When a firewall's global rules are imported in SMC, if one of the rules uses an object containing a custom variable, the value of the firewall's variable no longer overwrites the value in SMC.

Rules applying to web services

Support reference 85251

When filter rules that apply to web services are imported via a CSV file, if some web services are not known to SMC, an error will now be generated for each web service that SMC does not recognize.

Synchronizing the connection in an HA cluster

Support reference 84975

In the Action menu of a filter rule, under the Advanced properties tab, the option Synchronize this connection between firewalls (HA) can now be unselected.

Importing the rules from a firewall into SMC

Support reference 84919

Previously, when the local rules of an SMC firewall were imported into SNS, the import would fail if a host object on the firewall and a DNS name (FQDN) object in SMC had the same name. Such rules can now be imported without overwriting the DNS name object.

Renaming of application protocols dcerpc and steam

Support reference 85307

The protocols dcerpc and steam, available in filter and NAT rules, have been renamed dcerpc_tcp and steam_udp to make them compatible with the naming system of such protocols on SNS firewalls.

Size of QoS Queue and QoS ACK Queue fields

Support reference 84935

The maximum size of the QoS Queue and QoS ACK Queue fields has been raised from 9 to 31 characters.

Do note that this change takes effect on firewalls from SNS version 4.3.0 onwards. The deployment of a configuration on a firewall in a version lower than 4.3.0 will fail if the value of the QoS Queue and QoS ACK Queue fields exceeds 9 characters.

Custom variables in filter rules

Support reference 84616

The "%" character can no longer be used in the Group name and Domain name fields in a filter rule's Source menu. Custom variables are therefore no longer supported in these fields.

Configuring SNS firewalls

Importing SNS firewalls via a CSV file

Support reference 85093

When firewalls were imported via a CSV file from the SMC web administration interface with the Generate connecting packages checkbox selected, the files required to generate packages could randomly become corrupted during the import. Connecting packages are now correctly generated when firewalls are imported via a CSV file.

Deploying VPN topologies

Support reference 85016

When a VPN topology that is based on X.509 certificate authentication is deployed, and if the Local IP address for CRL verification field is entered, this IP address is now correctly deployed on SNS firewalls that belong to the topology.

Direct access to a firewall interface

Support reference 83550

When you directly access a firewall's interface via SMC, the last page visited will be shown. If you access the interface for the first time, the main page of the firewall's administration interface will now appear. Previously, the last page visited on another firewall would be shown.