SMC 3.6 new features and enhancements

Managing administrators

Restricting administrators' access privileges

The SMC super administrator can now restrict administrators' write access privileges to only certain folders, and therefore to only certain firewalls. With this feature, you can strengthen security on your firewall pool by segmenting its administration. In this way, individual administrators manage their own SNS firewalls, while retaining read-only access to other firewalls connected to SMC.

This restriction can be configured in administrators' profiles.

Firewall configuration

Implementing QoS

You can now configure QoS (Quality of Service) on your SNS firewall pool from SMC.

In the new Configuration > Quality of Service menu, you can add queues and traffic shapers. A new QoS tab in the firewall settings then allows you to associate them with network interfaces on firewalls. You can also select queues that were created on SMC in filter rules.

SMC also allows you to retrieve the QoS configuration, if it already exists on your firewalls.

The implementation of QoS in SMC is compatible with SNS firewalls from version 4.3.15 LTSB and 4.5.3 upwards.

Dynamic routing with BIRD version 2

SMC 3.6 allows you to configure and deploy dynamic routing that uses version 2 of BIRD on SNS firewalls in version 4.8.1 EA and upwards. Version 1 of BIRD can still be used in SMC.

Note that dynamic routing on SNS firewalls in version 4.8.1 EA and higher can no longer be managed from a version of SMC below 3.6: the firewall rejects the deployment of the configuration and reports an error.

We advise you to read the following recommendation on updating SMC to version 3.6, and updating SNS firewalls to version 4.8.1 EA.

Firewall network interfaces

Broadcast mode is now available in SMC for aggregate interfaces. This mode is compatible with SNS firewalls in versions 4.3.25, 4.7.5, 4.8.1 and higher.

Please refer to the SNS release notes for more information.

Environment variables

SMC_PROXY_RESPONSE_TIMEOUT variable

The default value of the SMC_PROXY_RESPONSE_TIMEOUT variable has been increased from 120 seconds to 300 seconds. As some commands that SMC sends to SNS firewalls require more than 120 seconds to run, the higher value prevents them from failing.

VPN topologies

Using Diffie-Hellman groups in encryption profiles

On firewalls in version 4.8 and upwards, several Diffie-Hellman (DH) key exchange methods can now be configured in encryption profiles for IKE and IPsec proposals.

The SMC public API has been updated accordingly in the topology routes: the "proposals" field now contains an additional detail named "dh", and the "pfs" field is now an array so that several values can be returned.

Obsolescence of Diffie-Hellman groups

The following DH groups are now obsolete in SMC and on SNS firewalls. They are shown in encryption profiles with the caption 'obsolete'.

  • DH25 (ECDH with 192-bit NIST ECG)

  • DH26 (ECDH with 224-bit NIST ECG)

  • DH27 (ECDH with 224-bit Brainpool ECG)
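An added audit example, not code from Stormshield or the SMC documentation: it scans a topology payload returned by the public API for the DH groups that 3.6 marks obsolete, reading the new "dh" detail of each proposal and the "pfs" array. The JSON layout (the "encryptionProfile", "ike" and "ipsec" keys, and "pfs" sitting at profile level) is an assumption; only the field names "proposals", "dh" and "pfs" and the group numbers come from the release note.

```python
# Added example (not Stormshield's code): audit an SMC topology payload for the
# DH groups that SMC 3.6 marks obsolete. The JSON layout below is an ASSUMPTION
# built from the release note: "proposals" entries carry a "dh" detail and
# "pfs" is now an array; the other key names are placeholders.
from typing import Any, Dict, List, Tuple

# Groups flagged as obsolete in the 3.6 release note (DH25, DH26, DH27).
OBSOLETE_DH_GROUPS = {25, 26, 27}


def _as_list(value: Any) -> List[int]:
    """Accept either a scalar (pre-3.6 shape) or an array (3.6 shape)."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [int(v) for v in value]
    return [int(value)]


def find_obsolete_dh(topology: Dict[str, Any]) -> List[Tuple[str, str, int]]:
    """Return (topology name, location, group) for every obsolete DH group.

    Scans the "dh" detail of each IKE/IPsec proposal and the "pfs" array."""
    findings = []
    name = topology.get("name", "<unnamed>")
    profile = topology.get("encryptionProfile", {})   # assumed key name
    for phase in ("ike", "ipsec"):                      # assumed key names
        proposals = profile.get(phase, {}).get("proposals", [])
        for i, proposal in enumerate(proposals):
            for group in _as_list(proposal.get("dh")):
                if group in OBSOLETE_DH_GROUPS:
                    findings.append((name, f"{phase}.proposals[{i}].dh", group))
    for group in _as_list(profile.get("pfs")):
        if group in OBSOLETE_DH_GROUPS:
            findings.append((name, "pfs", group))
    return findings


# Constructed sample payload, not captured from a real SMC instance.
SAMPLE_TOPOLOGY = {
    "name": "site-to-site-demo",
    "encryptionProfile": {
        "ike": {"proposals": [{"dh": [14, 25]}, {"dh": 19}]},
        "ipsec": {"proposals": [{"dh": [26]}]},
        "pfs": [14, 27],
    },
}

if __name__ == "__main__":
    for topo, where, group in find_obsolete_dh(SAMPLE_TOPOLOGY):
        print(f"{topo}: obsolete DH{group} at {where}")
```

Run it against the JSON of each topology route response before deploying, so profiles still proposing DH25, DH26 or DH27 are renegotiated rather than silently kept.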

System

Logging

The /var/log/fwadmin-server log files have been removed; their content has been moved to /data/log/fwadmin-server.

SMC documentation

Access to documentation

In the SMC web administration interface, the link to documentation now leads to the Technical documentation website. This will provide you with all documentation on the latest version of the product.

To use SMC in offline mode, you can download PDF and HTML versions of the documents from the website.

SMC public API

New API routes were added to SMC version 3.6. They are listed below. For more information about the SMC public API routes, refer to the online documentation. This documentation is also available from the SMC web administration interface.

Customizing the port of the public API

The default listening port of the SMC public API can now be changed with the environment variable SMC_PUBLIC_API_PORT_INT.

Variables

Six new API routes are available in the public SMC API to manage the global variables and values that have been assigned to them for each firewall:

| Route | Makes it possible to |
| --- | --- |
| GET /papi/v1/variables | Lists all global variables and the values assigned for each firewall. |
| POST /papi/v1/variables | Adds a global variable. |
| GET /papi/v1/variables/{uuidOrName}/uses | Lists the uses of a global variable in objects. |
| DELETE /papi/v1/variables/{uuidOrName} | Deletes a global variable. |
| PUT /papi/v1/variables/{uuidOrName} | Edits a global variable. |
| PUT /papi/v1/variables/{variableUuidOrName}/{firewallUuidOrName} | Assigns or modifies the value of a global variable on a firewall. |
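An added example, not part of SMC or its documentation, showing how the variables routes above combine into a safe deletion: the uses route is queried first, and the DELETE is only sent when no object still references the variable. The base URL, the bearer-token header and the shape of the /uses response (a list that is empty when unused) are assumptions; only the route paths come from the release note.

```python
# Added example, not Stormshield's code: delete a global variable through the
# SMC 3.6 public API only after confirming it is no longer used.
# Auth scheme, base URL and the JSON shape of the /uses response are
# ASSUMPTIONS; only the route paths come from the release note.
import json
import urllib.request
from typing import Any, Callable, Tuple

# transport(method, path, body) -> (status, parsed JSON body); injectable so
# the decision logic can be exercised offline.
Transport = Callable[[str, str, Any], Tuple[int, Any]]


def http_transport(base_url: str, token: str) -> Transport:
    """urllib transport; the bearer-token header is an assumed auth scheme."""
    def call(method: str, path: str, body: Any = None) -> Tuple[int, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return call


def delete_variable_if_unused(transport: Transport, name: str) -> Tuple[bool, str]:
    """Refuse to delete a variable that objects still reference."""
    status, uses = transport("GET", f"/papi/v1/variables/{name}/uses", None)
    if status != 200:
        return False, f"could not list uses of {name} (HTTP {status})"
    if uses:  # assumed: a non-empty list means the variable is still in use
        return False, f"{name} is still used by {len(uses)} object(s)"
    status, _ = transport("DELETE", f"/papi/v1/variables/{name}", None)
    return status in (200, 204), f"DELETE returned HTTP {status}"


def fake_transport(uses_by_name: dict) -> Transport:
    """Offline stand-in with constructed data; no real SMC instance involved."""
    def call(method: str, path: str, body: Any = None) -> Tuple[int, Any]:
        name = path.split("/")[4]          # /papi/v1/variables/<name>[/uses]
        if method == "GET":
            return 200, uses_by_name.get(name, [])
        return 204, None
    return call


if __name__ == "__main__":
    # Replace fake_transport(...) with http_transport(url, token) for real use.
    print(delete_variable_if_unused(fake_transport({"DMZ_NET": [{"object": "h1"}]}), "DMZ_NET"))
```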

Managing certificates

Four new API routes are available in the public SMC API to manage certificates:

| Route | Makes it possible to |
| --- | --- |
| GET /certificates | Lists the certificates imported on all firewalls and their respective properties. |
| GET /certificates/{uuid} | Lists the properties of a certificate imported on a firewall. |
| GET /certificates/authorities | Lists all certification authorities and their respective properties. |
| GET /certificates/authorities/{uuid} | Lists the properties of a certification authority. |

Interfaces

One new API route is available in the public SMC API to list the interfaces of a firewall:

| Route | Makes it possible to |
| --- | --- |
| GET /firewalls/{uuidOrName}/interfaces | Lists all interfaces on a firewall and their respective properties. |

Static routes

One new API route is available in the public SMC API to list routes:

| Route | Makes it possible to |
| --- | --- |
| GET /firewalls/{uuidOrName}/routes | Lists all routes on a firewall and their respective properties. |

QoS

Fifteen new API routes are available in the public SMC API to manage the QoS configuration:

| Route | Makes it possible to |
| --- | --- |
| GET /qos/queues/ | Lists all queues added on SMC and their respective properties. |
| GET /qos/queues/{uuidOrName} | Lists the properties of a queue. |
| POST /qos/queues | Adds a queue. |
| PUT /qos/queues/{uuidOrName} | Edits a queue. |
| DELETE /qos/queues/{uuidOrName} | Deletes a queue. |
| GET /qos/traffic-shapers | Lists all traffic shapers added on SMC and their respective properties. |
| GET /qos/traffic-shapers/{uuidOrName} | Lists the properties of a traffic shaper. |
| POST /qos/traffic-shapers | Adds a traffic shaper. |
| PUT /qos/traffic-shapers/{uuidOrName} | Edits a traffic shaper. |
| DELETE /qos/traffic-shapers/{uuidOrName} | Deletes a traffic shaper. |
| GET /firewalls/{uuidOrName}/interfaces-with-qos | Lists all interfaces on a firewall with which QoS data has been associated. |
| GET /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} | Lists the QoS data associated with a specific interface on a firewall. |
| POST /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} | Associates a traffic shaper and queues with a network interface. |
| PUT /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} | Edits the QoS configuration on a network interface. |
| DELETE /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} | Deletes the QoS configuration on a network interface. |

Filter and NAT rules

Seven new API routes are available in the public SMC API to manage filter and NAT rules individually for firewalls and folders:

| Route | Makes it possible to |
| --- | --- |
| DELETE /rules/{uuid} | Deletes a filter rule, translation rule or separator. |
| POST /firewalls/{uuidOrName}/filter-policy/rules | Adds a filter rule on a firewall at a chosen position. |
| POST /firewalls/{uuidOrName}/nat-policy/rules | Adds a translation rule on a firewall at a chosen position. |
| POST /folders/{uuidOrName}/filter-policy/rules | Adds a filter rule in a folder at a chosen position. |
| POST /folders/{uuidOrName}/nat-policy/rules | Adds a translation rule in a folder at a chosen position. |
| PUT /filter-policy/rules/{uuid} | Edits a filter rule. |
| PUT /nat-policy/rules/{uuid} | Edits a translation rule. |