SMC certificate expiration on July 04, 2022: update your SMC!
Update is not possible? See the SMC not functionnal after the 4th of July 2022 article on the KB (authentication required).
Information prior to an update of the SMC server
Size of the System disk
After successive updates of the SMC server, free space on the System disk may no longer be sufficient to install new updates.
Use the following command to check the state of the system disk:
df -h /
If the disk is almost full, you need to deploy a new virtual machine using the following procedure:
Update your new SMC server to the new 3.y version.
To update from a 3.1.4 version to a 3.1.6 version:
Back up the 3.1.4 SMC server configuration.
Shut down the server.
Deploy a new 3.1.4 server.
Restore the backed up configuration on the new 3.1.4 server.
Update the new server to version 3.1.6.
Address range of SMC micro-services
If the address range that your SNS firewalls use conflicts with the address range that micro-services on the SMC server use, you can change the address of the SMC server's "docker0" interface (172.17.0.1/16). To do so, follow the steps in the Stormshield Knowledge base article.
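The following script is an added example, not part of the Stormshield documentation: it checks a list of SNS firewall networks for overlap with the docker0 range given above. The function names and the sample networks are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SNS networks that overlap the SMC docker0 range.
# Assumes 64-bit shell arithmetic (bash or dash on a 64-bit system).
DOCKER0_CIDR="172.17.0.1/16"   # default docker0 address given on the page

# Print a dotted-quad IPv4 address as an integer; return 1 if malformed.
ip_to_int() {
    case $1 in *[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" (as integers) for a CIDR block; return 1 if malformed.
cidr_range() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1
    case $len in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=$(ip_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo "$(( n & mask )) $(( (n & mask) | (~mask & 0xFFFFFFFF) ))"
}

# Status 0: blocks share an address. 1: disjoint. 2: invalid input.
cidr_overlaps() {
    a=$(cidr_range "$1") || return 2
    b=$(cidr_range "$2") || return 2
    [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
}

# Print one line per argument that collides with docker0 or cannot be parsed.
find_conflicts() {
    for net in "$@"; do
        rc=0
        cidr_overlaps "$net" "$DOCKER0_CIDR" || rc=$?
        case $rc in
            0) echo "CONFLICT $net" ;;
            2) echo "INVALID $net" ;;
        esac
    done
}

# Constructed sample of SNS firewall networks (not taken from the page).
find_conflicts 10.0.0.0/8 172.17.42.0/24 172.16.0.0/12 192.168.1.0/24
```

A wide block such as 172.16.0.0/12 is reported as a conflict because it contains the whole docker0 range, even though its network address differs.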
Access to the SMC server during updates
When you update your SMC server, we recommend that you prevent other administrators from accessing SMC for the duration of the update. If you do not do so, they will not be informed of updates in progress and any configurations they are working on will not be saved.
Minimum hardware recommendations
To ensure good performance of the SMC server, we recommend installing it on a virtual machine with at least 2 vCPUs and 4 GB of RAM.
Take note of the following information if you wish to associate the SMC server with a pool of SNS firewalls already used in production, and which contain global configuration items.
Whenever SMC deploys a configuration on a firewall, all global configuration items found on this firewall will be deleted and replaced with configuration items defined in the SMC configuration, if any.
- Global objects defined on the firewall,
- Global filter rules defined on the firewall,
- Global VPN tunnels defined on the firewall.
These items are not displayed by default in the SNS web configuration interface. To display them, go to the firewall Preferences, Application settings section and enable the option Display global policies (Filter, NAT, IPsec VPN and Objects).
By attaching an SNS firewall to SMC, you therefore accept that these global items, which could have been set up on this firewall, will be overwritten as soon as SMC deploys the configuration.
However, local objects, rules and VPN tunnels (which you handle by default in the firewalls' web administration interface) will never be modified or deleted when SMC deploys a configuration.
We therefore recommend that you recreate these global items in the form of local items on the firewall or rewrite rules in SMC before attaching the firewall to SMC, in order to avoid losing configuration items and disrupting production.
In most cases, in which the firewall to be connected does not have any global configuration items, no particular precautions need to be taken in attaching the firewall to SMC, and doing so will have no impact on production.
In any case, we advise you to back up your firewall's configuration before connecting it to SMC.