Network configuration
SD-WAN - Selecting the best link
In SMC, specific criteria can be centrally managed to determine whether a WAN link meets the quality level adapted to its type of traffic (VoIP, video, etc.).
To do so, for each traffic type, you can set an SLA (Service Level Agreement) commitment based on one or several thresholds out of the criteria below:
-
Latency,
-
Jitter,
-
Packet loss,
-
Unavailability.
As soon as any threshold is not being met, the firewall will select another WAN link with a suitable SLA status for the traffic in question.
This SLA commitment is set through a new SLA object that you can use in several router objects.
Router objects now also include monitoring options that are the same for all gateways specified in the object.
Regardless of the type of traffic, you can also set up a more general configuration to ensure that all communications will automatically be redirected to a backup link when an Internet connection is down.
In the new Routers monitoring panel, the status of all gateways and the quality of connections can be looked up in real time, therefore saving time in the event of a failure. If a router issue is detected on a firewall, a probe will warn the user.
This monitoring data can be exported in .csv format.
SD-WAN can be managed from SMC on SNS firewalls in at least version 4.3.3.
Configuring routing from SMC
Routing can now be configured in SMC. It can be accessed in read/write mode on SNS firewalls in at least version 4.2.4, and in read-only mode on firewalls in version 3.7 and upwards. Only IPv4 is supported.
In SMC, in the new Routing tab of each firewall’s settings, configure and deploy:
-
static routes,
-
return routes,
-
a default route,
-
dynamic routing settings.
Routing configurations already found on SNS firewalls can now also be looked up in the Routing tab.
This new feature therefore makes it possible to look up routing configuration and prepare changes even when firewalls are offline.
For example, in the static route configuration in SMC, dedicated routes to Virtual IPsec interfaces (VTIs) can be created in route-based VPN topologies. Below is the feature allowing you to view all types of interfaces in SMC.
There are new consistency checks that allow you to check the compatibility of the routing configuration and guarantee the validity of the deployment.
Viewing all types of network interfaces
In SMC, some interface types could already be viewed, added and modified in the Interfaces tab of each firewall’s settings. It is now possible to retrieve all existing types of interfaces on SNS firewalls in SMC. Wi-Fi, dialup, IPsec, Loopback, GRETUN, GRETAP and USB/Ethernet interfaces are shown in read-only mode as “Other interface” in the Interfaces tab.
All of these interface types can be used in the SMC routing configuration.
Managing administrators
"root" account password
You can now set the “root” account password, which will allow you to access the SMC server in command line, when you manually initialize the server from the virtual environment. Previously, this password was set in the SMC initialization wizard, which can be accessed from your web browser.
Customizing the querying of LDAP authentication servers
You can now change the LDAP attributes used by default in SMC to query authentication servers, by using three new environment variables.
Filter and NAT rules
Naming copied rules
When a rule with a customized name is copied then pasted in the same context (firewall, folder or rule set), the “_copy” suffic is now added to the end of the name. This makes it possible to keep track of the relationship with the original rule and makes it easier to create rules with similar properties and names.
If the rule is pasted in a different context and a rule with the same name does not yet exist, the name will remain the same.
When a rule with a name generated by default by the system is copied and pasted, a new default name will be assigned to it.
Integrity of SMC server binary files
Checking the integrity of binaries
SMC binary files are now signed to guarantee better protection from corruption.
Refer to Downloading this version to find out the new procedure for checking binary files.