Recommendations

Before upgrading to version 2.1.0 or upwards

Network interfaces of the SMC server

In your hypervisor, you can define several interfaces on various networks for the SMC server. However, you cannot define an IP address within the 172.17.0.0/16 range, because this range is reserved for internal use only.
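
As an added example (not part of the Stormshield documentation), the following Python sketch checks planned SMC interface addresses against the reserved range before they are set in the hypervisor. The interface names and addresses are constructed sample values, and the "review" verdict for a subnet that merely covers the reserved range is an assumption that goes beyond what the documentation states.

```python
import ipaddress

# Range reserved for internal use on the SMC server (stated in the text above).
RESERVED = ipaddress.ip_network("172.17.0.0/16")

# Constructed sample plan: interface name -> address/prefix (not real values).
PLANNED = {
    "eth0": "192.168.10.5/24",   # unrelated network
    "eth1": "172.17.4.20/24",    # address inside the reserved range
    "eth2": "172.16.5.1/12",     # address outside, but the /12 covers 172.17.0.0/16
    "eth3": "172.18.0.1/16",     # adjacent range, no overlap
    "eth4": "172.17.0.300/16",   # malformed address
}

def check_interfaces(planned):
    """Return a verdict per interface: reject, review, ok or invalid.

    reject  - the address itself lies in 172.17.0.0/16 (forbidden by the docs)
    review  - assumption: the interface subnet overlaps the reserved range,
              so the addressing plan deserves a second look
    ok      - no overlap with the reserved range
    invalid - the string is not a valid address/prefix
    """
    results = {}
    for name, cidr in planned.items():
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError:
            results[name] = "invalid"
            continue
        if iface.ip in RESERVED:
            results[name] = "reject"
        elif iface.network.overlaps(RESERVED):
            results[name] = "review"
        else:
            results[name] = "ok"
    return results

if __name__ == "__main__":
    for name, verdict in check_interfaces(PLANNED).items():
        print(f"{name:5} {PLANNED[name]:18} {verdict}")
```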


Syslog server

If you use a remote server in Syslog format to collect SMC logs, you need to configure the remote server again after updating the SMC server, using the smc-syslog-ng command. This operation is no longer required from version 2.6 of SMC.


SMC server operating system

From version 2.1.0 of the SMC server, changes have been made to the operating system so that a larger amount of data can be managed, especially by the new feature that automatically backs up the configuration of the server and of SN firewalls.

We recommend that you deploy a new .OVA, .VHD or .qcow2 to get the best results from the following modifications:

  • more efficient virtual interface,
  • increased disk space to support the automatic backup feature.

We also advise you to enable the automatic backup feature only after a new machine has been deployed.

Follow the procedure below to deploy a new .OVA, .VHD or .qcow2:

  1. Start by upgrading your machine to version 2.1.0 or upwards from an upgrade archive.
  2. Back up the configuration of the server, as well as any logs you wish to keep.
  3. Deploy a new .OVA, .VHD or .qcow2 in version 2.1.0 or upwards.
  4. Through the SMC initialization wizard, restore the backed up configuration on the new machine.

To get help or more information on these procedures, please refer to the SMC Administration guide or contact the Technical Assistance Center.

You can also consult the SNS knowledge base in your MyStormshield area. The knowledge base explains how to manually increase disk size and modify the virtual interface.

Warning before connecting SN firewalls to the SMC server

Take note of the following information if you wish to associate the SMC server with a pool of SN firewalls already used in production, and which contain global configuration items.

Whenever SMC deploys a configuration on a firewall, all global configuration items found on this firewall will be deleted and replaced with configuration items defined in the SMC configuration, if any.

This includes:

  • Global objects defined on the firewall,
  • Global filter rules defined on the firewall,
  • Global VPN tunnels defined on the firewall.

These elements are not displayed by default in the SNS Web configuration interface. To display them, go to the firewall's Preferences, open the Application settings section and enable the option Display global policies (Filter, NAT, IPsec VPN and Objects).

By attaching an SN firewall to SMC, you therefore accept that these global items, which could have been set up on this firewall, will be overwritten as soon as SMC deploys the configuration.

However, local objects, rules and VPN tunnels (which you handle by default in the firewalls' web administration interface) will never be modified or deleted when SMC deploys a configuration.

We therefore recommend that you recreate these global items in the form of local items on the firewall or rewrite rules in SMC before attaching the firewall to SMC, in order to avoid losing configuration items and disrupting production.

In most cases, where the firewall to be attached does not have any global configuration items, no particular precautions need to be taken when attaching the firewall to SMC, and doing so will have no impact on production.

In any case, we recommend that you back up your firewall's configuration before attaching it to SMC.