SMC 3.4 new features and enhancements

SMC public API

New public REST API

Your orchestration solutions can now communicate with SMC via a standard REST API. This API allows you to:

  • obtain monitoring information about SNS firewalls connected to SMC,

  • run scripts on SNS firewalls connected to SMC to perform all types of operations.

The use of the public API is secured by API keys that administrators generate. These keys have read/write or read-only privileges as well as a validity period that can be configured.

All operations performed via the public API are recorded in audit logs.

The SMC super administrator can disable the public API at any time. Access to this API is disabled by default.

For easier use of the API, OpenAPI documentation is provided on the Stormshield technical documentation website as well as in SMC itself.

Network configuration

Creating and managing IPsec virtual tunnel interfaces (VTI)

You can now create and manage virtual IPsec interfaces in SMC, from the IPsec interfaces (VTI) tab in an SNS firewall's settings. The firewall must be running at least version 4.2.3. These interfaces can then be used in the routing configuration.

Automatic VTI creation

When you create a route-based VPN topology, the required virtual IPsec interfaces will now be automatically created in SMC for every firewall in the topology that has its network configuration managed by SMC. These interfaces can be seen in the IPsec interfaces (VTI) tab, and are classified by the VPN topology to which they belong.

On firewalls for which SMC does not manage the network configuration, you must continue to create the interfaces manually on the firewall itself.

Using SNS firewall interfaces

In filter and translation rules, the known interfaces of an SNS firewall that has already connected to SMC can now be selected.

However, this operation cannot be performed in folders and rule sets.

Checking the consistency of routes

A warning used to be raised by the consistency checker when an object was set as the gateway of a static route or return route, but did not belong to the interface address range used in this route. This warning has been removed as it could mislead the user when SMC does not know the address range of the interface used.

Filter and NAT rules

Filtering by web service

SMC now makes it possible to create web service filter rules. The list of web services can be found in the General tab of a filter rule's Source and Destination menus. This list has been grouped with the IP reputations list.

The file /data/config/smc-ip-reputation.local has been renamed /data/config/smc-webservices.local. During the update to SMC version 3.4, data found in this file will be kept.

However, the following IP reputations have been migrated to web services:

IP reputations        Web services
office365             o365common
skypeforbusiness      o365skype
exchangeonline        o365exchange
sharepointonline      o365sharepoint

The IP reputations microsoftauth and officeonline have been removed.

VPN topologies

Improvements to the .csv configuration file for IPsec interfaces

The .csv configuration file for IPsec interfaces, suggested for download after the creation of a route-based VPN topology, contains new information. It now indicates the name of the Host object representing the virtual IPsec interface found on the remote firewall and its IP address. With this information, return routes can be created automatically with an SNS CLI script.

System

Keeping the connection between SMC and SNS firewalls

The keepalive mechanism that maintains the connection between SMC and SNS firewalls is now the same for all firewalls. It can be configured on the SMC side using the environment variable SMC_FW_CONNECTION_TIMEOUT_INT. The default value is 60 seconds. On the SNS side, SMC no longer recognizes the PingValidity token.

Environment variables

Environment variables renamed in SMC_XXX format

The FWADMIN_XXX environment variables used in version 3.3.3 and earlier versions for the configuration of the SMC server have been replaced with SMC_XXX variables. Older variables will continue to be available and operational but will be removed in future versions.

To find the new names of these variables, refer to the Administration guide.

The environment variables FWADMIN_SERVICES_NUM_INSTANCES_CFGCHECK and FWADMIN_SERVICES_NUM_INSTANCES_CFG2INI are no longer recognized.
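
The following pre-upgrade check is an added example, not Stormshield code. It scans environment-variable definitions for the two variables that are no longer recognized, for deprecated FWADMIN_XXX names, and for an invalid SMC_FW_CONNECTION_TIMEOUT_INT value. Assumptions: definitions are KEY=VALUE lines with optional "export" and "#" comments, and the timeout is a whole number of seconds; the sample input and FWADMIN_EXAMPLE_SETTING are constructed.

```python
import re

# Variable names taken from the release notes above.
REMOVED = {
    "FWADMIN_SERVICES_NUM_INSTANCES_CFGCHECK",
    "FWADMIN_SERVICES_NUM_INSTANCES_CFG2INI",
}
KEEPALIVE = "SMC_FW_CONNECTION_TIMEOUT_INT"

# Assumption: one KEY=VALUE definition per line, optionally prefixed by "export".
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def audit_env(text):
    """Return (line_no, variable, finding) tuples in file order."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments (values containing "#" are not supported)
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, comment, or not a definition
        name, value = m.group(1), m.group(2).strip("'\"")
        if name in REMOVED:
            findings.append((no, name, "no longer recognized in 3.4: remove it"))
        elif name.startswith("FWADMIN_"):
            findings.append((no, name, "deprecated: look up its SMC_XXX name in the Administration guide"))
        elif name == KEEPALIVE and not re.fullmatch(r"[1-9][0-9]*", value):
            findings.append((no, name, "expected a positive whole number of seconds"))
    return findings


# Constructed sample input, not a real SMC configuration file.
SAMPLE = """\
# constructed sample
FWADMIN_SERVICES_NUM_INSTANCES_CFGCHECK=2
export FWADMIN_EXAMPLE_SETTING=1   # hypothetical variable name
SMC_FW_CONNECTION_TIMEOUT_INT=60s
SMC_FW_CONNECTION_TIMEOUT_INT="90"
"""

if __name__ == "__main__":
    for no, name, finding in audit_env(SAMPLE):
        print(f"line {no}: {name}: {finding}")
```

The check deliberately does not guess the replacement name for a deprecated variable, since the release notes refer to the Administration guide for the new names.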