SMC 3.8 new features and enhancements
Managing SNS firewalls
Versions of managed firewalls
Firewalls in version 5 can now be managed from SMC version 3.8.
To know the highest versions that can be managed from a given version of SMC, refer to the Product life cycle guide.
Updating firewalls from SMC
Firewalls can now be updated directly from the SMC administration interface, and from the public API. Previously, updates could only be applied via SNS CLI script. Go to the new firewall update panel through the Deployment menu.
If a firewall is not connected when the update is launched, it will be postponed and launched the next time the firewall connects again.
Firewalls that use TPMs cannot be updated from this panel.
SNS firewall configuration
Firewall configuration consistency check
If you permanently disable the consistency check using the SMC_CFGCHECK_ENABLED environment variable, a new Run verification button manually launches a configuration verification from the consistency checker only when requested.
Furthermore, when the consistency checker is disabled, automatic checks are still conducted every time a configuration is deployed.
The new SMC_CFGCHECK_BEFORE_DEPLOY_ENABLED environment variable can be used to disable these automatic checks.
New consistency checks
New consistency checks make it possible to ensure the proper use of KEM (Key Encapsulation Mechanism) encryption algorithms in SMC.
Disabling Diffusion Restreinte (DR) mode
From version 3.8 upwards:
- When DR mode is disabled on SMC, configurations are no longer deployed, and DR mode will be disabled on firewalls that are connected to SMC.
- Firewalls in DR mode can be connected to an SMC server on which DR mode is not enabled.
VPN topologies
New encryption profiles
Two new encryption profiles are now available in the configuration of VPN topologies:
- PQCEncryption
- PQCTransition
They contain new key exchange algorithms that provide protection from "store now, decrypt later" attacks (Quantum-safe Key Encapsulation Mechanism (KEM)).
Post-quantum pre-shared keys
Post-quantum pre-shared keys (PPK) can now be configured in the settings of VPN topologies that use X.509 certificate authentication.
Discontinuation of support for 3DES in encryption profiles
VPN topologies associated with an encryption profile that uses 3DES can no longer be deployed when a peer in the topology is in SNS version 5 and higher.
In addition, 3DES can no longer be selected in new encryption profiles.
Object database
Creating host and group objects from router objects
In the window to create and edit router objects, the following items can now be directly created:
- Host objects from the Host column in the Gateways and Backup gateways tab.
- Host or Group objects from the Device(s) for testing availability column in the Gateways and Backup gateways tab.
Using the @ character
The @ character can now be used in object comments.
Network configuration
Support for 50 and 100 Gbps full duplex media
In the advanced configuration of interfaces that support it, 50 and 100 Gbps full duplex media can now be selected for compatible firewall models.
System
Server diagnostics report
In the diagnostics report, a new section lists, for example, the serial numbers of firewalls that attempted to connect with a connecting package already in use by another firewall that is connected.
Environment variables
SMC_MONITOR_ROUTE_POLLING_PERIOD_INT variable
With the new SMC_MONITOR_ROUTE_POLLING_PERIOD_INT environment variable, you can adjust how often a firewall is queried to monitor configured routes. The default value of the variable is 60000 milliseconds, which is also the lowest value allowed. To disable route polling and stop querying, set the value to 0.
SMC public API
New API routes were added to SMC version 3.8. They are listed below. For more information about the SMC public API routes, refer to the online documentation. This documentation is also available from the SMC web administration interface.
Updating SNS firewalls
Five new API routes are available in the SMC public API to update SNS firewalls.
Route | Makes it possible to |
---|---|
POST /papi/v1/sns-update/attachments | Attach one or several firewall update files. |
POST /papi/v1/sns-update | Indicate the URL of an HTTPS server on which SMC can download the update files. |
POST /papi/v1/sns-update/execute | Run an update on one or several firewalls that are connected to SMC. Firewalls that use TPMs cannot be updated via SMC. |
GET /papi/v1/sns-update/progress | Track the progress of an ongoing update on one or several firewalls. |
POST /papi/sns-update/cancel | Cancel a pending update. |
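The attach, execute, poll and cancel routes above form one workflow. The following is an added example, not code from Stormshield or the SMC documentation: it wraps the five routes as listed (the cancel route is used verbatim, without a /v1 segment) and drives an update end to end. The request and response field names (firewalls, status, name) and the bearer-token header are assumptions to be checked against the online API documentation; the transport is injected so the flow can be exercised without an SMC server.

```python
import time
from typing import Any, Callable, Dict, List

# (method, path, json body or None, multipart files or None) -> decoded JSON response.
# Injecting the transport keeps the orchestration testable without an SMC server.
Transport = Callable[[str, str, Any, Any], Dict[str, Any]]

def requests_transport(base_url: str, api_key: str) -> Transport:
    """Real HTTP transport on the 'requests' library (imported lazily).
    ASSUMPTION: bearer-token auth; confirm against the SMC public API docs."""
    def call(method: str, path: str, body: Any, files: Any) -> Dict[str, Any]:
        import requests
        r = requests.request(method, base_url.rstrip("/") + path, json=body, files=files,
                             headers={"Authorization": f"Bearer {api_key}"}, timeout=60)
        r.raise_for_status()
        return r.json() if r.content else {}
    return call

class SnsUpdateClient:
    """Wraps the five sns-update routes listed in the release notes.
    ASSUMPTION: the 'firewalls'/'status'/'name' fields are illustrative, not documented here."""
    def __init__(self, transport: Transport) -> None:
        self.transport = transport
    def attach(self, filename: str, data: bytes) -> Dict[str, Any]:
        return self.transport("POST", "/papi/v1/sns-update/attachments", None, {"file": (filename, data)})
    def execute(self, firewalls: List[str]) -> Dict[str, Any]:
        return self.transport("POST", "/papi/v1/sns-update/execute", {"firewalls": firewalls}, None)
    def progress(self) -> Dict[str, Any]:
        return self.transport("GET", "/papi/v1/sns-update/progress", None, None)
    def cancel(self) -> Dict[str, Any]:
        return self.transport("POST", "/papi/sns-update/cancel", None, None)  # path as listed, no /v1

def run_update(client: SnsUpdateClient, filename: str, data: bytes, firewalls: List[str],
               timeout_s: float = 3600, poll_s: float = 30,
               sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Attach the file, launch the update, poll until nothing is pending or running.
    An offline firewall stays pending (SMC postpones it), so on timeout we cancel it."""
    client.attach(filename, data)
    client.execute(firewalls)
    deadline = time.monotonic() + timeout_s
    while True:
        prog = client.progress()
        unfinished = [fw for fw in prog.get("firewalls", [])
                      if fw.get("status") in ("pending", "running")]
        if not unfinished:
            return prog
        if time.monotonic() >= deadline:
            client.cancel()  # do not leave a postponed update to fire unattended
            raise TimeoutError("unfinished: " + ", ".join(fw["name"] for fw in unfinished))
        sleep(poll_s)
```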
Topologies and VPN tunnels
Two new API routes are available in the SMC public API to manage VPN topologies and tunnels:
Route | Makes it possible to |
---|---|
POST /papi/v1/vpn/topologies | Add a VPN topology. |
DELETE /papi/v1/vpn/topologies/{uuidOrName} | Delete a VPN topology. |
Firewalls
Two new API routes are available in the SMC public API to manage firewalls:
Route | Makes it possible to |
---|---|
PUT /papi/v1/firewalls/{uuidOrName} | Change a firewall's information. |
DELETE /papi/v1/firewalls/{uuidOrName} | Remove a firewall from the SMC server. |