SMC 3.8 new features and enhancements

Managing SNS firewalls

Versions of managed firewalls

Firewalls in version 5 can now be managed from SMC version 3.8.

To find out the highest versions that can be managed from a given version of SMC, refer to the Product life cycle guide.

Updating firewalls from SMC

Firewalls can now be updated directly from the SMC administration interface, and from the public API. Previously, updates could only be applied via an SNS CLI script. Go to the new firewall update panel through the Deployment menu.

If a firewall is not connected when the update is launched, the update is postponed and launched the next time the firewall connects.

Firewalls that use TPMs cannot be updated from this panel.

SNS firewall configuration

Firewall configuration consistency check

If you permanently disable the consistency check using the SMC_CFGCHECK_ENABLED environment variable, a new Run verification button lets you manually launch a configuration verification from the consistency checker, only when requested.

Furthermore, when the consistency checker is disabled, automatic checks are still conducted every time a configuration is deployed. The new SMC_CFGCHECK_BEFORE_DEPLOY_ENABLED environment variable can be used to disable these automatic checks.

New consistency checks

New consistency checks make it possible to ensure the proper use of KEM (Key Encapsulation Mechanism) encryption algorithms in SMC.

Disabling Diffusion Restreinte (DR) mode

From version 3.8 upwards:

  • When DR mode is disabled on SMC, configurations are no longer deployed, and DR mode will be disabled on firewalls that are connected to SMC.

  • Firewalls in DR mode can be connected to an SMC server on which DR mode is not enabled.

VPN topologies

New encryption profiles

Two new encryption profiles are now available in the configuration of VPN topologies:

  • PQCEncryption

  • PQCTransition

They contain new key exchange algorithms, quantum-safe Key Encapsulation Mechanisms (KEM), that provide protection from "store now, decrypt later" attacks.

Post-quantum pre-shared keys

Post-quantum pre-shared keys (PPK) can now be configured in the settings of VPN topologies that use X.509 certificate authentication.

Discontinuation of support for 3DES in encryption profiles

VPN topologies associated with an encryption profile that uses 3DES can no longer be deployed when a peer in the topology runs SNS version 5 or higher.

In addition, 3DES can no longer be selected in new encryption profiles.

Object database

Creating host and group objects from router objects

In the window to create and edit router objects, the following items can now be directly created:

  • Host objects from the Host column in the Gateways and Backup gateways tab.

  • Host or Group objects from the Device(s) for testing availability column in the Gateways and Backup gateways tab.

Using the @ character

The @ character can now be used in object comments.

Network configuration

Support for 50 and 100 Gbps full duplex media

In the advanced configuration of interfaces that support it, 50 and 100 Gbps full duplex media can now be selected for compatible firewall models.

System

Server diagnostics report

In the diagnostics report, a new section shows the serial numbers of firewalls that attempt to connect in place of another firewall, for example when another firewall is already connected with the same connecting package.

Environment variables

SMC_MONITOR_ROUTE_POLLING_PERIOD_INT variable

With the new SMC_MONITOR_ROUTE_POLLING_PERIOD_INT environment variable, you can adjust how often a firewall is queried to monitor configured routes. The default value of the variable is 60000 milliseconds, which is also the lowest value. To disable the variable and stop querying, set the value to 0.

SMC public API

New API routes were added to SMC version 3.8. They are listed below. For more information about the SMC public API routes, refer to the online documentation. This documentation is also available from the SMC web administration interface.

Updating SNS firewalls

Five new API routes are available in the SMC public API to update SNS firewalls.

| Route | Makes it possible to |
| --- | --- |
| POST /papi/v1/sns-update/attachments | Attach one or several firewall update files. |
| POST /papi/v1/sns-update | Indicate the URL of an HTTPS server on which SMC can download the update files. |
| POST /papi/v1/sns-update/execute | Run an update on one or several firewalls that are connected to SMC. Firewalls that use TPMs cannot be updated via SMC. |
| GET /papi/v1/sns-update/progress | Track the progress of an ongoing update on one or several firewalls. |
| POST /papi/sns-update/cancel | Cancel a pending update. |

Topologies and VPN tunnels

Two new API routes are available in the SMC public API to manage VPN topologies and tunnels:

| Route | Makes it possible to |
| --- | --- |
| POST /papi/v1/vpn/topologies | Add a VPN topology. |
| DELETE /papi/v1/vpn/topologies/{uuidOrName} | Delete a VPN topology. |

Firewalls

Two new API routes are available in the SMC public API to manage firewalls:

| Route | Makes it possible to |
| --- | --- |
| PUT /papi/v1/firewalls/{uuidOrName} | Change a firewall's information. |
| DELETE /papi/v1/firewalls/{uuidOrName} | Remove a firewall from the SMC server. |