Recommendations

Information prior to an update of the SMC server

Update from version 2.x

To update an SMC server to version 3.5.4, intermediate updates may be required depending on its original version:

From a 2.X version: update to version 3.1.6.

For more information, refer to the Stormshield Knowledge base.

Managing the configuration of SNS firewall network interfaces during an update from a version earlier than 3.4 to a version higher than 3.4

After an update to a version higher than 3.4, the SMC server needs to retrieve the interface and routing configuration of SNS firewalls again.

As such, please take note of the following points:

  1. Before updating SMC, make sure you deploy the current changes to the firewall network configuration. Otherwise, changes will be lost.

  2. Interface and route configuration remains read-only on SMC as long as the SNS firewall does not reconnect to SMC after the update.


After updating to a version higher than 3.4, if you manage a pool of over 200 firewalls, synchronizing the network configuration of SNS firewalls can cause the system to slow down. If this occurs, we recommend that you temporarily disable the consistency checker before updating SMC, and enable it again afterwards. To do so:

  1. Log in to the SMC server via the console of your hypervisor or via SSH.
  2. In the file /data/config/fwadmin-env.conf.local, add the environment variable: FWADMIN_ENABLED_CFGCHECK=false (replaced by the variable SMC_CFGCHECK_ENABLED from version 3.4 onwards).
  3. Restart the server with the command nrestart fwadmin-server.
  4. After the update, once all the firewalls are connected back, delete the line in the file and restart the server.

Interfaces with network or broadcast addresses

So that interfaces defined in SMC correspond to those on SNS firewalls, SMC no longer allows interfaces with network or broadcast addresses to be created.

Before updating SMC, ensure that you do not have such interfaces in your configuration. Otherwise, the SMC administration interface will become unusable, and you will need to restore a snapshot or shadow copy of your virtual machine.
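One way to run this check before the update is to audit an inventory of interface addresses offline. The following is an added example, not Stormshield code: the inventory rows are constructed sample data (not an SMC export format), and treating /31 and /32 prefixes as having no network or broadcast address is an assumption.

```python
import ipaddress

# Constructed sample inventory: (firewall, interface, address/prefix).
# Names and layout are hypothetical, not an SMC export format.
SAMPLE_INTERFACES = [
    ("fw-paris", "out", "192.0.2.1/24"),
    ("fw-paris", "in", "10.1.0.0/16"),      # network address of 10.1.0.0/16
    ("fw-lyon", "dmz1", "10.2.3.255/24"),   # broadcast address of 10.2.3.0/24
    ("fw-lyon", "in", "10.2.3.255/16"),     # ordinary host inside a /16
    ("fw-nice", "p2p", "198.51.100.0/31"),  # point-to-point link
    ("fw-nice", "lo", "203.0.113.7/32"),
    ("fw-nice", "bad", "10.9.9.9/33"),      # malformed prefix length
]


def classify(cidr):
    """Return 'network', 'broadcast', 'ok' or 'invalid' for an IPv4 address/prefix."""
    try:
        iface = ipaddress.IPv4Interface(cidr)
    except ValueError:
        return "invalid"
    net = iface.network
    # Assumption: /31 and /32 have no distinct network or broadcast address.
    if net.prefixlen >= 31:
        return "ok"
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "ok"


def audit(interfaces):
    """Return (firewall, interface, cidr, verdict) for every entry that is not 'ok'."""
    findings = []
    for fw, name, cidr in interfaces:
        verdict = classify(cidr)
        if verdict != "ok":
            findings.append((fw, name, cidr, verdict))
    return findings


if __name__ == "__main__":
    for fw, name, cidr, verdict in audit(SAMPLE_INTERFACES):
        print(f"{fw} {name} {cidr}: {verdict}")
```

The same host part can be valid or not depending on the prefix: 10.2.3.255 is a broadcast address in a /24 but an ordinary host in a /16, so the check must use the mask configured on each interface.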


Size of the System disk

After successive updates of the SMC server, free space on the System disk may no longer be sufficient to install new updates:

  1. Use the following command to check the state of the system disk:

    df -h /


  2. If the disk is almost full, you need to deploy a new virtual machine using the following procedure:

    1. Back up the 3.x SMC server configuration.

    2. Shut down the SMC server.

    3. Deploy a new SMC server in the same 3.x version.

    4. Restore the configuration from your backup on the new virtual machine.

  3. Update your new SMC server to the new 3.y version.

EXAMPLE
To update from a 3.1.4 version to a 3.1.6 version:

  1. Back up the 3.1.4 SMC server configuration.

  2. Shut down the server.

  3. Deploy a new 3.1.4 server.

  4. Restore the backed up configuration on the new 3.1.4 server.

  5. Update the new server to version 3.1.6.

To get help or more information on these procedures, please refer to the SMC Administration guide or contact the Technical Assistance Center.


Address range of SMC micro-services

If the address range that your SNS firewalls use conflicts with the address range that micro-services on the SMC server use, you can change the address of the SMC server's "docker0" interface (172.17.0.1/16). To do so, follow the steps in the Stormshield Knowledge base article.
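To find out whether such a conflict exists, the networks used behind your firewalls can be compared with the docker0 range quoted above. The following is an added example, not Stormshield code; the network list and its names are constructed sample data.

```python
import ipaddress

# docker0 address quoted on this page; its enclosing network is 172.17.0.0/16.
DOCKER0 = ipaddress.ip_interface("172.17.0.1/16").network

# Constructed sample: networks and routes in use on managed firewalls
# (hypothetical names, not an SMC export format).
SAMPLE_NETWORKS = {
    "fw-paris/in": "172.16.0.0/16",
    "fw-lyon/dmz1": "172.17.40.0/24",
    "fw-lyon/route-hq": "172.16.0.0/12",
    "fw-nice/in": "172.18.0.1/24",
    "fw-nice/out": "192.0.2.0/24",
}


def conflict(cidr, reserved=DOCKER0):
    """Describe how cidr relates to the reserved range, or return None if disjoint."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits being set
    if net.version != reserved.version or not net.overlaps(reserved):
        return None
    if net == reserved:
        return "identical"
    if net.subnet_of(reserved):
        return "inside"
    # Overlapping CIDR blocks always nest, so the remaining case is a supernet.
    return "contains"


def find_conflicts(networks):
    """Map each conflicting entry name to the kind of overlap found."""
    result = {}
    for name, cidr in sorted(networks.items()):
        kind = conflict(cidr)
        if kind is not None:
            result[name] = kind
    return result


if __name__ == "__main__":
    for name, kind in find_conflicts(SAMPLE_NETWORKS).items():
        print(f"{name}: {kind} {DOCKER0}")
```

Note the supernet case: a route to 172.16.0.0/12 covers 172.17.0.0/16 even though its network address looks unrelated, while the neighbouring 172.16.0.0/16 and 172.18.0.0/24 do not conflict.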


Access to the SMC server during updates

When you update your SMC server, we recommend that you prevent other administrators from accessing SMC for the duration of the update. If you do not do so, they will not be informed of updates in progress and any configurations they are working on will not be saved.

Minimum hardware recommendations

To ensure good performance of the SMC server, we recommend installing it on a virtual machine with at least 2 vCPUs and 4 GB of RAM.

Warning before connecting SNS firewalls to the SMC server

Take note of the following information if you wish to associate the SMC server with an environment of SNS firewalls containing global configuration items already used in production.

Whenever SMC deploys a configuration on a firewall, all global configuration items found on this firewall will be deleted and replaced with configuration items defined in the SMC configuration, if any.

This includes:

  • Global objects defined on the firewall,
  • Global filter rules defined on the firewall,
  • Global VPN tunnels defined on the firewall.

These elements are not displayed by default in the SNS Web configuration interface. To display them, go to the firewall Preferences, section Application settings and enable the option Display global policies (Filter, NAT, IPsec VPN and Objects).

By connecting an SNS firewall to SMC, you therefore accept that these global items, which could have been set up on this firewall, will be overwritten as soon as SMC deploys the configuration.

However, local objects, rules and VPN tunnels (which you handle by default in the firewalls' web administration interface) will never be modified or deleted when SMC deploys a configuration.

We therefore recommend that you recreate these global items in the form of local items on the firewall or rewrite rules in SMC before connecting the firewall to SMC, in order to avoid losing configuration items and disrupting production.

In most cases, in which the firewall to be connected does not have any global configuration items, no particular precautions need to be taken in connecting the firewall to SMC, and doing so will have no impact on production.

In any case, we advise you to perform a backup of your firewall's configuration before connecting it to SMC.