SMC 3.4 new features and enhancements
SMC public API
New public REST API
Your orchestration solutions can now communicate with SMC via a standard REST API. Via this API, you can now:
- obtain monitoring information about SNS firewalls connected to SMC,
- run scripts on SNS firewalls connected to SMC to perform all types of operations.
The use of the public API is secured by API keys that administrators generate. These keys have read/write or read-only privileges as well as a validity period that can be configured.
All operations performed via the public API are recorded in audit logs.
The SMC super administrator can disable the public API at any time. Access to this API is disabled by default.
For easier use of the API, OpenAPI documentation is provided on the Stormshield technical documentation website as well as in SMC itself.
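The access controls described above (keys that are read-only or read/write, a configurable validity period, an audit record for every call, and an API that is off until an administrator enables it) can be modelled in a few dozen lines. The block below is an added illustration, not SMC code and not its API: the `PublicApi` class, the `/monitoring` and `/scripts` paths and the `demo()` walkthrough are all assumptions made for the example, and only a hash of each key secret is stored so that a leaked key store cannot be replayed.

```python
"""Added example (not SMC code): scoped, expiring API keys with an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import secrets

READ_ONLY = "read-only"
READ_WRITE = "read/write"


@dataclass
class ApiKey:
    key_id: str
    key_hash: str          # SHA-256 of the secret; the secret itself is never stored
    privilege: str         # READ_ONLY or READ_WRITE
    expires_at: datetime   # end of the configured validity period


@dataclass
class PublicApi:
    enabled: bool = False  # disabled by default; an administrator must turn it on
    keys: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def generate_key(self, privilege: str, validity: timedelta, now: datetime) -> tuple[str, str]:
        """Create a key and return (key_id, secret); the secret is shown only once."""
        if privilege not in (READ_ONLY, READ_WRITE):
            raise ValueError("unknown privilege")
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = ApiKey(key_id, self._hash(secret), privilege, now + validity)
        return key_id, secret

    def authorize(self, key_id: str, secret: str, method: str, path: str, now: datetime) -> bool:
        """Decide whether one call is allowed and record the decision in the audit log."""
        outcome = self._decide(key_id, secret, method, now)
        self.audit_log.append({"time": now.isoformat(), "key_id": key_id,
                               "method": method, "path": path, "result": outcome})
        return outcome == "allowed"

    def _decide(self, key_id: str, secret: str, method: str, now: datetime) -> str:
        if not self.enabled:
            return "denied: api disabled"
        key = self.keys.get(key_id)
        # Constant-time comparison of the stored hash against the hash of the presented secret.
        if key is None or not secrets.compare_digest(key.key_hash, self._hash(secret)):
            return "denied: bad credentials"
        if now >= key.expires_at:
            return "denied: key expired"
        if method not in ("GET", "HEAD") and key.privilege != READ_WRITE:
            return "denied: read-only key"
        return "allowed"


def demo() -> list[str]:
    """Walk a key through its lifecycle with a fixed clock; returns the audit results in order."""
    api = PublicApi()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ro_id, ro_secret = api.generate_key(READ_ONLY, timedelta(days=30), t0)
    api.authorize(ro_id, ro_secret, "GET", "/monitoring", t0)            # API still disabled
    api.enabled = True
    api.authorize(ro_id, ro_secret, "GET", "/monitoring", t0)            # read with a read-only key
    api.authorize(ro_id, ro_secret, "POST", "/scripts", t0)              # write with a read-only key
    api.authorize(ro_id, ro_secret, "GET", "/monitoring", t0 + timedelta(days=31))  # past validity
    api.authorize(ro_id, "not-the-secret", "GET", "/monitoring", t0)     # wrong secret
    rw_id, rw_secret = api.generate_key(READ_WRITE, timedelta(hours=1), t0)
    api.authorize(rw_id, rw_secret, "POST", "/scripts", t0)              # write with a read/write key
    return [entry["result"] for entry in api.audit_log]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Every denied call is logged with the same shape as an allowed one, which is what makes the audit log useful for spotting an expired or over-privileged key being retried.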
Network configuration
Creating and managing IPsec virtual tunnel interfaces (VTI)
You can now create and manage virtual IPsec interfaces in SMC, from the IPsec interfaces (VTI) tab in an SNS firewall's settings. The firewall must be in at least version 4.2.3. These interfaces can then be used in the routing configuration.
Automatic VTI creation
When you create a route-based VPN topology, the required virtual IPsec interfaces will now be automatically created in SMC for every firewall in the topology that has its network configuration managed by SMC. These interfaces can be seen in the IPsec interfaces (VTI) tab, and are classified by the VPN topology to which they belong.
On firewalls for which SMC does not manage the network configuration, you must continue to create the interfaces manually on the firewall itself.
Using SNS firewall interfaces
In filter and translation rules, the known interfaces of an SNS firewall that has already connected to SMC can now be selected.
However, this operation cannot be performed in folders and rule sets.
Checking the consistency of routes
A warning used to be raised by the consistency checker when an object was set as the gateway of a static route or return route, but did not belong to the interface address range used in this route. This warning has been removed as it could mislead the user when SMC does not know the address range of the interface used.
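The distinction the change above relies on is between a gateway that is known to lie outside the interface's range and a gateway whose interface range SMC simply does not know. The block below is an added example written with the standard `ipaddress` module, not SMC's consistency checker: `check_gateway`, `check_routes` and the sample interface and route tables are constructed for the illustration, and the `warn_on_unknown` switch reproduces the earlier behaviour side by side with the 3.4 behaviour.

```python
"""Added example (not SMC code): route-gateway consistency check that does not warn on unknown ranges."""
import ipaddress
from typing import Iterable, Optional


def check_gateway(gateway: str, interface_networks: Optional[Iterable[str]]) -> str:
    """Classify a static or return route gateway against its interface's networks.

    Returns "ok", "outside-range" or "unknown-range". interface_networks is None
    (or empty) when the address range of the interface is not known.
    """
    gw = ipaddress.ip_address(gateway)
    if interface_networks is None:
        return "unknown-range"
    # strict=False accepts an interface address such as 192.168.10.1/24 and keeps its network.
    nets = [ipaddress.ip_network(n, strict=False) for n in interface_networks]
    if not nets:
        return "unknown-range"
    # `gw in net` is False for mismatched IP versions, so mixed v4/v6 lists are safe.
    if any(gw in net for net in nets):
        return "ok"
    return "outside-range"


def check_routes(routes, interfaces, warn_on_unknown: bool = False):
    """Run the check over a route table and return [(route name, warning), ...].

    warn_on_unknown=True reproduces the earlier behaviour that raised a warning even
    when the interface range was unknown; False is the 3.4 behaviour.
    """
    warnings = []
    for route in routes:
        verdict = check_gateway(route["gateway"], interfaces.get(route["interface"]))
        if verdict == "outside-range" or (verdict == "unknown-range" and warn_on_unknown):
            warnings.append((route["name"], verdict))
    return warnings


# Constructed sample data: two interfaces with known ranges, one whose range is unknown.
SAMPLE_INTERFACES = {
    "in": ["192.168.10.1/24"],
    "dmz": ["10.0.5.1/24", "fd00:5::1/64"],
    "out": None,
}
SAMPLE_ROUTES = [
    {"name": "to_branch", "interface": "in", "gateway": "192.168.10.254"},
    {"name": "to_lab", "interface": "dmz", "gateway": "10.0.7.1"},
    {"name": "to_lab6", "interface": "dmz", "gateway": "fd00:5::ff"},
    {"name": "default", "interface": "out", "gateway": "203.0.113.1"},
]

if __name__ == "__main__":
    print("3.4 behaviour:    ", check_routes(SAMPLE_ROUTES, SAMPLE_INTERFACES))
    print("earlier behaviour:", check_routes(SAMPLE_ROUTES, SAMPLE_INTERFACES, warn_on_unknown=True))
```

With the sample data, only `to_lab` is a genuine mismatch; the `default` route over the unknown interface is the case that used to produce a misleading warning.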
Filter and NAT rules
Filtering by web service
SMC now makes it possible to create web service filter rules. The list of web services can be found in the General tab of a filter rule's Source and Destination menus. This list has been grouped with the IP reputations list.
The file /data/config/smc-ip-reputation.local has been renamed /data/config/smc-webservices.local. During the update to SMC version 3.4, data found in this file will be kept.
However, the following IP reputations have been migrated to web services:
| IP reputations | Web services |
|---|---|
| office365 | o365common |
| skypeforbusiness | o365skype |
| exchangeonline | o365exchange |
| sharepointonline | o365sharepoint |
The IP reputations microsoftauth and officeonline have been removed.
VPN topologies
Improvements to the .csv configuration file for IPsec interfaces
The .csv configuration file for IPsec interfaces, suggested for download after the creation of a route-based VPN topology, contains new information. It now indicates the name of the Host object representing the virtual IPsec interface found on the remote firewall and its IP address. With this information, return routes can be created automatically with an SNS CLI script.
System
Keeping the connection between SMC and SNS firewalls
The keepalive mechanism that maintains the connection between SMC and SNS firewalls is now the same for all firewalls. It can be configured on the SMC side using the environment variable SMC_FW_CONNECTION_TIMEOUT_INT. The default value is 60 seconds. On the SNS side, SMC no longer recognizes the PingValidity token.
Environment variables
Environment variables renamed in SMC_XXX format
The FWADMIN_XXX environment variables used in version 3.3.3 and earlier versions for the configuration of the SMC server have been replaced with SMC_XXX variables. Older variables will continue to be available and operational but will be removed in future versions.
For the new names of the variables, refer to the Administration guide.
The environment variables FWADMIN_SERVICES_NUM_INSTANCES_CFGCHECK and FWADMIN_SERVICES_NUM_INSTANCES_CFG2INI are no longer recognized.