Configuring routing
From the SMC server, you can manage and configure the static, dynamic, return and default routes of your firewalls in version 4.2.3 and upwards.
To perform these operations, you need to hold write access privileges on the folders in question in the SMC web interface. For more information, refer to the section Restricting folder administrators' access privileges.
WARNING
As of SNS version 4.8.1 EA, you will need at least version 3.6 to manage dynamic routing from SMC. You will not be able to deploy configurations with dynamic routing from SMC in a version lower than 3.6 on SNS firewalls in 4.8.1 EA versions and higher.
Go to the System > Configuration tab of the firewall in question and select Configure the network for this firewall in SMC.
The first time you select this option, SMC automatically retrieves the firewall's routes into the Routing tab, provided the firewall is connected. SMC also retrieves the objects used in the routes.
In the Routing tab, you will be able to configure the following from a central point:
- static routes,
- return routes,
- default route,
- dynamic routing.
| Route type | How to configure |
| --- | --- |
| Static and return routes | To create new static and return routes, click on Add at the top of the grid. |
| Dynamic routing | Double-click on the line where dynamic routing appears in the grid. Select the BIRD version to use (v1 or v2). You can change the routing configuration to the format of the selected BIRD version, and select advanced options. For more information, refer to the Dynamic routing section in the SNS User guide. |
| Default route | Double-click on the line in the grid and select a gateway. |
When the configuration is deployed, the network configuration deployed from SMC takes priority over the firewall’s local configuration and overwrites it.
For more information on route configuration, refer to the Routing section in SNS User Manual.
If the Configure the network for this firewall in SMC checkbox is not selected, the firewall's Routing tab is in read-only mode: SMC retrieves the firewall's routes every time the tab is opened, but the objects contained in read-only routes are not retrieved on SMC. This refresh on every opening does not happen when routing and network configuration is managed by SMC.
In the firewall's settings, you can then force the retrieval of the interface and routing configuration:
- Go to the firewall's settings,
- In the System > Configuration tab, select Configure the network for this firewall in SMC if it has not already been selected,
- Expand Firewall information and configuration retrieval (advanced) and click on Retrieve configuration of interfaces and routing.
Routes can be manually imported and exported in command line.
Exporting routes
The smc-export-routes command makes it possible to generate a CSV file that includes the static routes, return routes and default routes of firewalls in at least version 4.2.4 and for which the network configuration is managed in SMC.
The command generates the CSV file in the /tmp folder by default.
To export a firewall's routes:
- Log in to the SMC server via the console of your hypervisor or in SSH.
- Enter the command smc-export-routes. To change the default name of the output file (smc_routes_date.time.csv), add an argument to the command. For example: smc-export-routes /data/tmp/my_routes.csv.
Importing routes
The smc-import-routes command makes it possible to import from a CSV file to SMC the routes of firewalls in at least version 4.2.4 and for which the network configuration is managed in SMC. Running the command overwrites the routes that are already visible in SMC.
EXAMPLE
The structure of an import file containing routes is as follows:
#firewall,#type,#status,#destination,#gateway,#interface,#comment
SNS1,default,Enabled,any,gateway,auto,
SNS2,reverse,Enabled,,update1-sns.stormshieldcs.eu,out,
...
To import routes:
- To create the CSV file, you can export routes as shown above and use the generated file as a base,
- Copy the CSV file to the SMC server using the SSH protocol, in the /tmp folder for example,
- Log in to the SMC server via the console of your hypervisor or in SSH.
- Enter the command smc-import-routes followed by the path to the CSV file as the argument.
If the routes reference items from your SNS configuration that are not already in the SMC configuration (objects/interfaces), you must import them beforehand on the server.
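Because smc-import-routes overwrites the routes already visible in SMC, it is worth checking the CSV before running it. The following validator is an added example (not part of SMC or of this guide) built on the column layout shown above; it assumes the type value "static" and the status value "Disabled", which the page does not show, and flags gateways given as raw IP addresses, since SMC expects the gateway to be an object, and any IPv6 values, which are not supported.

```python
# Pre-import sanity check for an smc-import-routes CSV (added example, not SMC code).
import csv
import io
import ipaddress

EXPECTED_HEADER = ["#firewall", "#type", "#status", "#destination",
                   "#gateway", "#interface", "#comment"]
ROUTE_TYPES = {"default", "reverse", "static"}   # "static" is an assumption
STATUSES = {"Enabled", "Disabled"}               # "Disabled" is an assumption


def is_ip_literal(value):
    """True if the field is a raw IP address rather than an object name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_ipv6(value):
    """True if the field parses as an IPv6 address or network."""
    try:
        return ipaddress.ip_network(value, strict=False).version == 6
    except ValueError:
        return False


def validate_routes_csv(text):
    """Return the problems found; an empty list means the file looks importable."""
    problems = []
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows or rows[0] != EXPECTED_HEADER:
        return ["line 1: header must be " + ",".join(EXPECTED_HEADER)]
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"line {n}: expected {len(EXPECTED_HEADER)} fields, got {len(row)}")
            continue
        firewall, rtype, status, dest, gateway, iface, _comment = row
        if not firewall:
            problems.append(f"line {n}: empty firewall name")
        if rtype not in ROUTE_TYPES:
            problems.append(f"line {n}: unknown route type {rtype!r}")
        if status not in STATUSES:
            problems.append(f"line {n}: unknown status {status!r}")
        if not gateway:
            problems.append(f"line {n}: gateway is required")
        elif is_ip_literal(gateway):   # gateway must be an object, not an address
            problems.append(f"line {n}: gateway {gateway!r} is an IP literal, use an object")
        if is_ipv6(dest) or is_ipv6(gateway):   # IPv6 configuration is not supported
            problems.append(f"line {n}: IPv6 values are not supported")
        if rtype == "reverse" and not iface:
            problems.append(f"line {n}: return route needs an interface")
    return problems
```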
- Currently, configuration in IPv6 is not supported.
- SMC can retrieve the routes of an SNS firewall and the associated objects by enabling the network configuration management or by forcing the retrieval of the routes. If a retrieved object already exists on SMC (same type and name), the values of the object existing on SMC are then the values used in the configuration.
- If the default gateway set on an SNS firewall does not match any object in the firewall's object database, route retrieval will not be supported. An error log will be generated in the server's logs, explaining that the IP address must be represented by an object.
- Objects containing only IPv6 and/or MAC addresses cannot be used.
- Router objects can be used as gateways to a static route on SNS firewalls in at least version 4.3.0.
- In SMC, "firewall_" objects are used in routes in exactly the same way they are used on SNS firewalls. So during a deployment, if the firewall detects such objects being used wrongly, the deployment will fail.
- Dynamic routing - The deployment of configurations with dynamic routing on SNS firewalls in 4.8.1 versions and higher from SMC in versions below 3.6 is not supported.
- Dynamic routing - SMC does not support the following parameters. If necessary, configure them directly from the SNS firewall. They will not be overwritten by the routing configuration originating from SMC:
  - the "[BGPAuth]" section,
  - the exclusion of IP address ranges in routes. For more information, refer to the Stormshield Knowledge base.