SMC 3.6 new features and enhancements

Managing administrators

Restricting administrators' access privileges

The SMC super administrator can now restrict administrators' write access privileges to only certain folders, and therefore to only certain firewalls. With this feature, you can strengthen security on your firewall pool by segmenting its administration. In this way, individual administrators manage their own SNS firewalls, while retaining read-only access to other firewalls connected to SMC.

This restriction can be configured in administrators' profiles.

Find out more

Firewall configuration

Implementing QoS

You can now configure QoS (Quality of Service) on your SNS firewall pool from SMC.

In the new Configuration > Quality of Service menu, you can add queues and traffic shapers. A new QoS tab in the firewall settings then allows you to associate them with network interfaces on firewalls. You can also select queues that were created on SMC in filter rules.

SMC also allows you to retrieve the QoS configuration, if it already exists on your firewalls.

The implementation of QoS in SMC is compatible with SNS firewalls from version 4.3.15 LTSB and 4.5.3 upwards.

Find out more

Dynamic routing with BIRD version 2

SMC 3.6 allows you to configure and deploy dynamic routing that uses version 2 of BIRD on SNS firewalls in version 4.8.1 EA and upwards. Version 1 of BIRD can still be used in SMC.

Do note that dynamic routing can no longer be managed on SNS firewalls in 4.8.1 EA versions and higher from a version of SMC below 3.6. The firewall will reject the deployment of the configuration, and report an error.

We advise you to read the following recommendation on updating SMC to version 3.6, and updating SNS firewalls to version 4.8.1 EA.

Find out more

Firewall network interfaces

Broadcast mode is now available in SMC for aggregate interfaces. This mode is compatible with SNS firewalls in versions 4.3.25, 4.7.5, 4.8.1 and higher.

Please refer to the SNS release notes for more information.

Find out more

Environment variables

SMC_PROXY_RESPONSE_TIMEOUT variable

The default value of the SMC_PROXY_RESPONSE_TIMEOUT variable has been increased from 120 seconds to 300 seconds. As some commands that SMC sends to SNS firewalls require more than 120 seconds to run, the higher value prevents them from failing.

Find out more

VPN topologies

Using Diffie-Hellman groups in encryption profiles

On firewalls in version 4.8 and upwards, several Diffie-Hellman (DH) key exchange methods can now be configured in encryption profiles for IKE and IPsec proposals.

The SMC public API has been updated as a result, through routes on topologies. The "proposals" field now contains an additional detail named "dh". The "pfs" field is now a table, so that several values can be returned.

Obsolescence of Diffie-Hellman groups

The following DH groups are now obsolete in SMC, and on SNS firewalls. They now appear in encryption profiles with the caption 'obsolete'.

  • DH25 (ECDH with 192-bit NIST ECG)

  • DH26 (ECDH with 224-bit NIST ECG)

  • DH27 (ECDH with 224-bit Brainpool ECG)

SMC documentation

Access to documentation

In the SMC web administration interface, the link to documentation now leads to the Technical documentation website. This will provide you with all documentation on the latest version of the product.

To use SMC in offline mode, you can download PDF and HTML versions of documents on the website.

SMC public API

New API routes were added to SMC version 3.6. They are listed below. For more information about the SMC public API routes, refer to the online documentation. This documentation is also available from the SMC web administration interface.

Customizing the port of the public API

Th default listening port on the SMC public API can now be changed by using the environment variable SMC_PUBLIC_API_PORT_INT.

Find out more

Variables

Six new API routes are available in the public SMC API to manage the global variables and values that have been assigned to them for each firewall:

Route Makes it possible to
GET /papi/v1/variables Lists all global variables and values assigned for each firewall.
POST /papi/v1/variables Adds a global variable.
GET /papi/v1/variables/{uuidOrName}/uses Lists the uses of a global variable in objects.
DELETE /papi/v1/variables/{uuidOrName} Deletes a global variable.
PUT /papi/v1/variables/{uuidOrName} Edits a global variable.
PUT /papi/v1/variables/{variableUuidOrName}/{firewallUuidOrName} Assigns or modifies the value of a global variable on a firewall.

Managing certificates

Four new API routes are available in the public SMC API to manage certificates:

Route Makes it possible to
GET /certificates Lists certificates that have been imported on all firewalls and their respective properties.
GET /certificates/{uuid} Lists the properties of a certificate that was imported on a firewall.
GET /certificates/authorities Lists all certification authorities and their respective properties.
GET /certificates/authorities/{uuid} Lists the properties of a certification authority.

Interfaces

One new API route is available in the public SMC API to list the interfaces of a firewall:

Route Makes it possible to
GET /firewalls/{uuidOrName}/interfaces Lists all interfaces on a firewall and their respective properties.

Static

One new API route is available in the public SMC API to list routes:

Route Makes it possible to
GET /firewalls/{uuidOrName}/routes Lists all routes on a firewall and their respective properties.

QoS

15 new API routes are available in the public SMC API to manage the QoS configuration:

Route Makes it possible to
GET /qos/queues/ Lists all queues added on SMC and their respective properties.
GET /qos/queues/{uuidOrName} Lists the properties of a queue.
POST /qos/queues Adds a queue.
PUT /qos/queues/{uuidOrName} Edits a queue.
DELETE /qos/queues/{uuidOrName} Deletes a queue.
GET /qos/traffic-shapers Lists all traffic shapers added on SMC and their respective properties.
GET /qos/traffic-shapers/{uuidOrName} Lists the properties of a traffic shaper.
POST /qos/traffic-shapers Adds a traffic shaper.
PUT /qos/traffic-shapers/{uuidOrName} Edits a traffic shaper.
DELETE /qos/traffic-shapers/{uuidOrName} Deletes a traffic shaper.
GET/firewalls/{uuidOrName}/interfaces-with-qos Lists all the interfaces on a firewall with which QoS data has been associated.
GET/firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} Lists QoS data associated with a specific interface on a firewall.
POST /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} Associates a traffic shaper and queues with a network interface.
PUT /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} Edits the QoS configuration on a network interface.
DELETE /firewalls/{uuidOrName}/interfaces-with-qos/{ifaceUuidOrName} Deletes the QoS configuration on a network interface.

Filter and NAT rules

Seven new API routes are available in the public SMC API to manage filter and NAT rules individually for firewalls and folders:

Route Makes it possible to
DELETE /rules/{uuid} Deletes a filter rule, translation rule or separator.
POST /firewalls/{uuidOrName}/filter-policy/rules Adds a filter rule on a firewall by selecting its position.
POST /firewalls/{uuidOrName}/nat-policy/rules Adds a translation rule on a firewall by selecting its position.
POST /folders/{uuidOrName}/filter-policy/rules Adds a filter rule in a folder by selecting its position.
POST /folders/{uuidOrName}/nat-policy/rules Adds a translation rule in a folder by selecting its position.
PUT /filter-policy/rules/{uuid} Edits a filter rule.
PUT /nat-policy/rules/{uuid} Edits a translation rule.