SMC 3.5.3 new features and enhancements

System

SMC server redundancy

IMPORTANT
This is an early-access feature.
Refer to the Administration guide before enabling this feature.

You can now set up a redundancy system between two SMC servers, which makes it possible to guarantee service continuity. When the main node fails, SNS firewalls automatically connect to the backup node. The configuration on both nodes is synchronized every hour.


Changes to system folders

Files saved in the folder /var/tmp have been moved to /data/tmp.

The folder /var/fwadmin has been deleted and its files have been moved to /data/fwadmin.

The symbolic link between the folders /var/tmp and /data/tmp has been deleted. Files saved in /var/tmp will no longer be kept from one update to another.

SMC server diagnostics report

The server's diagnostics report contains a new section that provides statistics on the size of your configurations in SMC: number of firewalls managed, number of rules, routes, interfaces, etc. With these statistics, performance issues can be more easily diagnosed.

Logging

The log files /var/log/fwadmin-server/cfg2ini.log and /var/log/fwadmin-server/connections.log have been deleted and their content has been moved to the file /var/log/fwadmin-server/server.log.

MAC-then-Encrypt mechanisms

For security reasons, MAC-then-Encrypt mechanisms have been removed from the SMC server.

Configuring SNS firewalls

Warning when firewall configuration is modified

IMPORTANT
This is an early-access feature.
Refer to the list of limitations in the Administration guide before enabling this feature.

This new feature is disabled by default. When it is enabled, a warning appears at deployment time on SNS firewalls if other administrators have changed the configuration since the last deployment. The administrator can then choose whether to continue with the deployment or cancel it.


Network configuration

Blackhole keyword

On SNS firewalls in the following versions or higher:

  • 4.3.21 LTSB and higher 4.3 LTSB versions,

  • 4.7 and upwards,

you can now select the blackhole keyword as the gateway of the default route or of a static route whose purpose is to drop a specific traffic stream.

Among other uses, this mechanism is useful in configurations that contain IPsec tunnels: when a tunnel is down, packets meant for it are dropped instead of being redirected to the firewall's default gateway.

Microsoft Windows compatibility

Windows Server 2022 support

SMC can now be installed on Microsoft Hyper-V for Windows Server 2022 hypervisors. It can also authenticate users against LDAP and Radius servers running on Windows Server 2022.

Authentication

Protection from brute force attacks

When administrators connect to the SMC command line interface via their SSH accounts or the SSH root account, the connection is now suspended for 15 minutes after five consecutive authentication errors.

Configuring a Radius server

Support reference 85187

The values of the attributes NAS-IP-Address and NAS-Identifier, used in Radius requests, can now be configured with the following environment variables:

  • SMC_RADIUS_NAS_IP_ADDRESS

  • SMC_RADIUS_NAS_IDENTIFIER

SMC public API

Topologies and VPN tunnels

Three new API routes are available in the public SMC API to manage VPN topologies and tunnels:

Route / Makes it possible to

GET /papi/v1/vpn/topologies
    List all the VPN topologies configured in SMC, regardless of whether they are deployed. The route indicates all configuration components, such as the name of the topology, authentication method, the name and content of the encryption profile, peers, etc. With the route, topologies can also be filtered by name or IKE version used. The "name" field enables partial case-insensitive searches.

GET /papi/v1/vpn/topologies/{uuid}
    List all the configuration components of a specific VPN topology configured in SMC, regardless of whether it is deployed.

GET /papi/v1/vpn/tunnels
    List all the VPN tunnels deployed in SMC. The route indicates all the monitoring properties of a VPN tunnel, such as the name of the topology, the status of the tunnel, traffic endpoints, etc. With the route, tunnels can also be filtered by topology name, type, form or status. The "topologyName" field enables partial case-insensitive searches.

Configuration deployment

Two new API routes are available in the public SMC API to manage configurations deployed:

Route / Makes it possible to

POST /papi/v1/deployment
    Deploy the configuration on the firewalls.

GET /papi/v1/deployment
    Find out the status of the current deployment or of the last deployment.
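As an added example (not Stormshield's code), a small Python client for the two deployment routes above: it refuses to start while another deployment is running, then deploys and polls the status route until a terminal state. The Bearer-token header, the "status" field and its values are assumptions not stated in these release notes; the offline stand-in server is constructed here so the example runs without an SMC server.

```python
import json
import time
import urllib.request

# Assumed, not stated in the release notes: the API key is sent as a Bearer
# token and GET /papi/v1/deployment returns JSON with a "status" field.
IN_PROGRESS = "in_progress"
TERMINAL = {"success", "error"}

def http_send(base_url, api_key):
    # Real transport: returns send(method, path) -> decoded JSON body.
    def send(method, path):
        req = urllib.request.Request(base_url + path, method=method,
                                     headers={"Authorization": "Bearer " + api_key})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())
    return send

def fake_send_factory(polls_before_done=2):
    # Constructed offline stand-in: idle until POST, in_progress for a few polls,
    # then success. Every call is recorded so a caller can inspect the exchange.
    calls, state = [], {"started": False, "polls": 0}
    def send(method, path):
        calls.append((method, path))
        if method == "POST":
            state["started"] = True
            return {}
        if not state["started"]:
            return {"status": "idle"}
        state["polls"] += 1
        return {"status": "success" if state["polls"] > polls_before_done else IN_PROGRESS}
    return send, calls

class SmcDeployer:
    def __init__(self, send, sleep=time.sleep):
        self.send, self.sleep = send, sleep   # both injectable for offline runs

    def status(self):
        return self.send("GET", "/papi/v1/deployment")

    def deploy(self, poll_interval=2.0, timeout=120.0):
        # Refuse to start over a running deployment, then deploy and poll.
        if self.status().get("status") == IN_PROGRESS:
            raise RuntimeError("a deployment is already in progress")
        self.send("POST", "/papi/v1/deployment")
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            current = self.status()
            if current.get("status") in TERMINAL:
                return current
            self.sleep(poll_interval)
        raise TimeoutError("deployment did not finish in time")
```

For a live server, pass `http_send("https://<smc-host>", "<api-key>")` as the transport instead of the constructed fake.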

Filter and NAT rules

Eight new API routes are available in the public SMC API to manage the filter and NAT rules that are specific to a firewall or shared by several firewalls:

Route / Makes it possible to

GET /papi/v1/folders/{uuidOrName}/filter-policy
    List all the filter rules found in a folder. Only rules contained in the folder are indicated, not rules in the parent folder or in sub-folders. Rules are sorted by priority (high or low).

GET /papi/v1/folders/{uuidOrName}/nat-policy
    List all the NAT rules found in a folder. Only rules contained in the folder are indicated, not rules in the parent folder or in sub-folders. Rules are sorted by priority (high or low).

PUT /papi/v1/folders/{uuidOrName}/filter-policy
    Edit the filter rules found in a folder.

PUT /papi/v1/folders/{uuidOrName}/nat-policy
    Edit the NAT rules found in a folder.

PUT /papi/v1/firewalls/{uuidOrName}/filter-policy
    Define filter rules for a specific firewall.

PUT /papi/v1/firewalls/{uuidOrName}/nat-policy
    Define NAT rules for a specific firewall.

GET /papi/v1/firewalls/{uuidOrName}/filter-policy
    List filter rules for a specific firewall. Only the rules that are specific to the firewall are listed, not rules found in the folder to which the firewall belongs.

GET /papi/v1/firewalls/{uuidOrName}/nat-policy
    List NAT rules for a specific firewall. Only the rules that are specific to the firewall are listed, not rules found in the folder to which the firewall belongs.

Folders

One new API route is available in the public SMC API to manage folders:

Route / Makes it possible to

GET /papi/v1/folders
    List all folders found in SMC, and for each folder, its name, UUID and the firewalls that it contains.

Object database

27 new API routes are available in the public SMC API to manage the object database:

Route / Makes it possible to

GET /papi/v1/objects
    List all objects found in the SMC object database.

POST /papi/v1/objects/[object type]
    Add host, group, network, port, DNS name, time, router, SLA, IP protocol, address range, port group and geolocation objects.
    For example: POST /papi/v1/objects/hosts

PUT /papi/v1/objects/[object type]/{uuidOrName}
    Edit host, group, network, port, DNS name, time, router, SLA, IP protocol, address range, port group and geolocation objects.
    For example: PUT /papi/v1/objects/hosts/{uuidOrName}

DELETE /papi/v1/objects/{type}/{name}
DELETE /papi/v1/objects/{uuid}
    Delete objects from the SMC object database based on their name or UUID.