Managing administrators
Access to the SMC server in SSH or console mode
All administrators can now be assigned access privileges to the SMC server via the console on the hypervisor or in SSH. Previously, only the "root" user was allowed.
This change makes it possible to facilitate access to advanced management features on the SMC server and identify administrator connections and operations, as well as any elevation of privilege, in server logs.
Administrators who authenticate via LDAP or Radius authentication servers can also access SMC through the console on the hypervisor or in SSH. The super-administrator can grant them privileges through the administration interface.
Managing administrators from external authentication servers
Administrators and groups that have accounts on an LDAP authentication server can now be managed directly in the SMC server's web interface.
The rights.csv file is no longer used, and the commands smc-auth-check and smc-ui-password are no longer available.
Likewise, Radius user groups can be added to the interface, the same way they are added on SNS firewalls, by using a VSA
The OpenLDAP 2.5.x authentication server is now supported.
Defining a backup authentication server
To guarantee that administrators have uninterrupted access to the SMC server, you can define a backup LDAP or Radius authentication server that will take over when the main server fails.
Offline environment
Active Update server
The SMC server can now stand in for the Active Update server that communicates with Stormshield update servers, to distribute Active Update databases to SNS firewalls, even when they are not connected to the Internet. The service will automatically download databases on a regular basis. In this way, firewalls will always be equipped with the latest databases (context-based signatures, antivirus, Vulnerability Manager, etc.).
If the SMC server and SNS firewalls run in a closed network without Internet access, you can manually download Active Update databases and distribute them to SNS firewalls via the SMC server’s Active Update server.
Increased security
Compliance with ANSSI ‘Diffusion Restreinte' mode
The SMC server now makes it possible to implement Diffusion Restreinte mode on SNS firewalls. This mode complies with ANSSI recommendations with regard to sharing communications that pass through the IPsec VPN. A consistency check on the configuration of the server and firewalls will assist you in deploying this mode by automatically detecting the parameters that need to be changed.
When DR mode is enabled on the SMC server, the configuration will be deployed on SNS firewalls. The firewalls must then be manually restarted.
Configuration of SNS firewalls
Using custom firewall properties
Custom properties can now be created in addition to the default Name, Description and Location properties on firewalls, and specific values can be assigned to each firewall.
You can therefore filter the list of firewalls or perform searches based on these properties, which can be imported or exported in CSV format, and can also be found in exports of monitoring data.
SNS firewall monitoring
Exporting SNS firewall monitoring data
Exported monitoring data now consists only of firewall data displayed in the panel when the list is filtered.
Status of licensing options
The status icons in the upper banner of the administration interface and the Licensing options column in the firewall monitoring panel now alert the user when a license option or its maintenance package has expired or is about to expire.
Environment variables make it possible to configure alert thresholds.
Filter and NAT rules
Looking up local rules
Firewalls’ local rules are now displayed in read-only mode in the filter and NAT rule panel.
SMC server configuration
Dynamic address assignment via DHCP
You can now choose whether to assign a dynamic IP address to the SMC server via DHCP. This option is available in the SMC server initialization wizard, or in the server’s settings in the administration interface.
Authorities and certificates
Verification of the Certificate Revocation List (CRL)
The environment variable FWADMIN_VPN_CRL_REQUIRED is no longer supported to verify the validity of the certificates. The Check certificate validity checkbox is now available in the Configuration > Certificates panel.
In the certificate management panel, the administrator can now specify for each firewall:
-
The local IP address to renew SCEP/EST certificates on SNS firewalls,
-
The local IP address that allows the revocation list to be verified,
-
The frequency with which the revocation list is verified.
The value of the previous variable FWADMIN_VPN_CRL_REQUIRED will not be kept when the SMC server is updated, and the Outgoing interface field in the certificate renewal panel has been removed.
Local IP address for the renewal of certificates obtained via SCEP or EST
For SNS firewalls that have certificates obtained via SCEP or EST, you can now specify the local IP address that will be used to renew certificates for each firewall. Previously, the renewal address was indicated in the certification authority settings, and was therefore the same for all certificates issued by the same authority.
VPN topologies
Configuring PRF in encryption profiles
You can now choose an algorithm that must be negotiated as a PRF (Pseudo-Random Function) in the IKE tab in the encryption profiles used in VPN topologies. This option is supported from version 4.2.3 of SNS firewalls onwards and is only compatible with IKEv2 topologies.
New encryption profiles
The three encryption profiles offered by default on the SMC server – "Strong encryption", "Mobile encryption" and "Good encryption" – have been renamed "Strong encryption legacy", "Mobile encryption legacy" and "Good encryption legacy". If you have modified them, they will revert to their default configuration.
The "Good encryption legacy" profile now uses AES instead of Blowfish and Diffie-Hellman group 2 replaces Diffie-Hellman group 14 in phase 2.
Three new profiles – "Strong encryption", "Mobile" and "Good encryption" – replace the previous profiles.
All six profiles are in read-only mode.
Object database
Importing router objects
SNS firewalls in version 4.3.0 make it possible to export router objects and the associated gateways. The SMC server now supports importing/exporting router objects in the same format as SNS firewalls.
The use of the CSV format (before SMC 3.1) is no longer supported for router objects. The gateway configuration associated with a router object is not compatible with SMC in versions lower than 3.1.
Hosting Amazon Web Services
The SMC server can now be hosted by Amazon Web Services (AWS) in BYOL (Bring Your Own License) mode.
You can choose between several types of instances to adapt the SMC server’s resources as closely as possible to the number of firewalls to manage.