Explanations on usage

Various versions of the IKE protocol supported on the same firewall

In VPN topologies, different versions of the IKE protocol can be supported on the same firewall only if the topologies concerned have a single firewall in common. If several topologies configured with different versions of IKE have several firewalls in common, the version used by the topology that was created first in the topology configuration screen will be the one deployed.
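The rule above can be checked before deployment. The following is an added example, not Stormshield code: it flags pairs of topologies that use different IKE versions and share more than one firewall, and reports which version would be deployed. The data layout, topology names and firewall names are constructed assumptions; SMC does not export its configuration in this form.

```python
from itertools import combinations

# Constructed sample data (assumption): topologies listed in creation order,
# i.e. the order in which they were created in the topology configuration screen.
TOPOLOGIES = [
    {"name": "hq-mesh", "ike": 1, "peers": {"fw-paris", "fw-lyon", "fw-lille"}},
    {"name": "branch-star", "ike": 2, "peers": {"fw-paris", "fw-lyon", "fw-nice"}},
    {"name": "partner-link", "ike": 2, "peers": {"fw-lille", "fw-rennes"}},
]


def ike_conflicts(topologies):
    """Return one finding per pair of topologies that use different IKE
    versions and have more than one firewall in common."""
    findings = []
    # combinations() keeps list order, so `first` was created before `later`.
    for first, later in combinations(topologies, 2):
        shared = first["peers"] & later["peers"]
        if first["ike"] != later["ike"] and len(shared) > 1:
            findings.append({
                "shared": sorted(shared),
                "winner": first["name"],
                "deployed_ike": first["ike"],  # first-created topology wins
                "overridden": later["name"],
                "expected_ike": later["ike"],
            })
    return findings


def report(topologies):
    """Format the findings as one human-readable line each."""
    return [
        "{overridden}: configured for IKEv{expected_ike}, but IKEv{deployed_ike} "
        "from {winner} is deployed (shared firewalls: {fws})".format(
            fws=", ".join(f["shared"]), **f)
        for f in ike_conflicts(topologies)
    ]


if __name__ == "__main__":
    for line in report(TOPOLOGIES):
        print(line)
```

A single shared firewall (here `fw-lille`, common to `hq-mesh` and `partner-link`) produces no finding, because that is the supported case.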

Using the All object in VPN topologies

Within a policy-based VPN topology, when two different peers use the All object to define traffic endpoints, the connection between SMC and the SNS firewall may fail unless you have configured policy-based routing rules to support this use case. In star topologies, the same problem occurs if the All object is used to define the center of the star and one of the satellites.

Using VTI objects generated by route-based VPN topologies

When a route-based VPN topology is modified or deleted in SMC, the Host VTI objects that this topology automatically generates to represent remote peers are also modified or deleted. If you are using such objects in the local configuration of your SNS firewalls, delete them before modifying or deleting a topology in SMC.

VPN topologies deployment

VPN topologies cannot be deployed from the SMC server if the name of a firewall is too long. The names of VPN topologies on firewalls cannot contain more than 127 characters.

Configuring routing on SMC

Several interfaces used for contacting the SMC server can be configured, but only one default gateway can be declared, on a single interface. Routing must be configured manually for the other interfaces. An article in the Stormshield Knowledge Base sets out the procedure to follow.

Using global network objects in a local configuration

On SNS firewalls, global objects may be used in local configurations. However, when SMC deploys a configuration on a firewall, existing global objects on the firewall are deleted and replaced with the objects defined in the SMC configuration. To keep the local configuration running, you need to force the deployment of the necessary global objects on the affected firewalls.

For more information, refer to the section Warning before connecting SNS firewalls to the SMC server.

Migrating a V model virtual firewall to an EVA model

V-50, V-100 and V-200 virtual firewalls can no longer be upgraded to EVA models using the variable %FW_UPD_SUFFIX% in an SNS CLI script run from the SMC server.

To work around this issue, replace the variable %FW_SIZE% with the value "XL-VM" in the upgrade script.