SMC 3.5.3 new features and enhancements
System
SMC server redundancy
IMPORTANT
This is an early-access feature.
Refer to the Administration guide before enabling this feature.
You can now set up a redundancy system between two SMC servers, which makes it possible to guarantee service continuity. When the main node fails, SNS firewalls automatically connect to the backup node. The configuration on both nodes is synchronized every hour.
Changes to system folders
Files saved in the folder /var/tmp have been moved to /data/tmp.
The folder /var/fwadmin has been deleted and its files have been moved to /data/fwadmin.
The symbolic link between the folders /var/tmp and /data/tmp has been deleted. Files saved in /var/tmp will no longer be kept from one update to another.
SMC server diagnostics report
The server's diagnostics report contains a new section that provides statistics on the size of your configurations in SMC: number of firewalls managed, number of rules, routes, interfaces, etc. With these statistics, performance issues can be more easily diagnosed.
Logging
The log files /var/log/fwadmin-server/cfg2ini.log and /var/log/fwadmin-server/connections.log have been deleted and their content has been moved to the file /var/log/fwadmin-server/server.log.
MAC-then-Encrypt mechanisms
For security reasons, MAC-then-Encrypt mechanisms have been removed from the SMC server.
Configuring SNS firewalls
Warning when firewall configuration is modified
IMPORTANT
This is an early-access feature.
Refer to the list of limitations in the Administration guide before enabling this feature.
This new feature is disabled by default. When it is enabled, a warning now appears when the configuration is deployed on SNS firewalls, if other administrators have made changes to the configuration since the last deployment. The administrator can then choose whether to continue with the deployment or cancel it.
Network configuration
Blackhole keyword
From SNS firewalls in these versions onwards:
- 4.3.21 LTSB and higher 4.3 LTSB versions,
- 4.7 and upwards,
you can now select the blackhole keyword as the gateway of the default route or of a static route that aims to destroy a specific traffic stream.
Among other uses, this mechanism is useful in a configuration that contains IPsec tunnels: when a tunnel is down, packets that were meant for it are destroyed instead of being redirected to the firewall's default gateway.
Microsoft Windows compatibility
Windows Server 2022 support
SMC is now compatible with Microsoft Hyper-V for Windows Server 2022 hypervisors with regard to installation. It is also compatible with LDAP and Radius servers on Windows Server 2022 with regard to user authentication.
Authentication
Protection from brute force attacks
When administrators connect to the SMC command line interface via their SSH accounts or the SSH root account, the connection will now be suspended for 15 minutes after five consecutive authentication errors.
Configuring a Radius server
Support reference 85187
The values of the attributes NAS-IP-Address and NAS-IP-Identifier, used in Radius requests, can now be configured with the environment variables:
- SMC_RADIUS_NAS_IP_ADDRESS
- SMC_RADIUS_NAS_IDENTIFIER
SMC public API
Topologies and VPN tunnels
Three new API routes are available in the public SMC API to manage VPN topologies and tunnels:
Route | Makes it possible to |
---|---|
GET /papi/v1/vpn/topologies | List all the VPN topologies configured in SMC, regardless of whether they are deployed. The route indicates all configuration components, such as the name of the topology, authentication method, the name and content of the encryption profile, peers, etc. With the route, topologies can also be filtered by name or IKE version used. The "name" field enables partial case-insensitive searches. |
GET /papi/v1/vpn/topologies/{uuid} | List all the configuration components of a specific VPN topology configured in SMC, regardless of whether it is deployed. |
GET /papi/v1/vpn/tunnels | List all the VPN tunnels deployed in SMC. The route indicates all the monitoring properties of a VPN tunnel, such as the name of the topology, the status of the tunnel, traffic endpoints, etc. With the route, tunnels can also be filtered by topology name, type, form or status. The "topologyName" field enables partial case-insensitive searches. |
Configuration deployment
Two new API routes are available in the public SMC API to manage configurations deployed:
Route | Makes it possible to |
---|---|
POST /papi/v1/deployment | Deploy the configuration on the firewalls. |
GET /papi/v1/deployment | Find out the status of the current deployment or last deployment. |
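As an added example (not code from Stormshield or from these release notes), the small client below uses the VPN tunnel route and the two deployment routes described above: it builds filtered tunnel queries and runs a deploy-then-poll loop. The bearer-token authentication, the use of query parameters for filters and the JSON fields of the deployment status response are assumptions; the transport is injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request


class SmcPublicApi:
    """Thin client for the SMC public API routes listed in these notes."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        # transport(method, url, body) -> dict. Injectable so the client can
        # be exercised offline; the default speaks HTTPS through urllib.
        self.transport = transport or self._http

    def _http(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        # Assumption: a bearer token is accepted; the notes do not describe
        # the authentication scheme of the public API.
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Accept", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def url(self, route, **params):
        # Unset filters are dropped so only requested ones hit the query string.
        query = {k: v for k, v in params.items() if v is not None}
        qs = "?" + urllib.parse.urlencode(query) if query else ""
        return f"{self.base_url}{route}{qs}"

    def vpn_tunnels(self, topology_name=None, status=None):
        # "topologyName" is the partial, case-insensitive match field named
        # in the notes; sending filters as query parameters is an assumption.
        return self.transport("GET", self.url("/papi/v1/vpn/tunnels",
                                              topologyName=topology_name,
                                              status=status))

    def deploy_and_wait(self, is_done, max_polls=30, delay=2.0, sleep=time.sleep):
        # POST /papi/v1/deployment starts a deployment; GET on the same route
        # reports the current or last deployment. is_done(state) decides when
        # the returned JSON (schema assumed) means the deployment finished.
        self.transport("POST", self.url("/papi/v1/deployment"), {})
        for _ in range(max_polls):
            state = self.transport("GET", self.url("/papi/v1/deployment"))
            if is_done(state):
                return state
            sleep(delay)
        raise TimeoutError("deployment did not finish within max_polls")
```

A caller passes its own is_done predicate because the status values are not documented here; bound the loop with max_polls so an automation job never waits forever on a stuck deployment.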
Filter and NAT rules
Eight new API routes are available in the public SMC API to manage the filter and NAT rules that are specific to a firewall or shared by several firewalls:
Route | Makes it possible to |
---|---|
GET /papi/v1/folders/{uuidOrName}/filter-policy | List all the filter rules found in a folder. Only rules contained in the folder are indicated, not rules in the parent folder or in sub-folders. Rules are sorted by priority (high or low). |
GET /papi/v1/folders/{uuidOrName}/nat-policy | List all the NAT rules found in a folder. Only rules contained in the folder are indicated, not rules in the parent folder or in sub-folders. Rules are sorted by priority (high or low). |
PUT /papi/v1/folders/{uuidOrName}/filter-policy | Edit the filter rules found in a folder. |
PUT /papi/v1/folders/{uuidOrName}/nat-policy | Edit NAT rules found in a folder. |
PUT /papi/v1/firewalls/{uuidOrName}/filter-policy | Define filter rules for a specific firewall. |
PUT /papi/v1/firewalls/{uuidOrName}/nat-policy | Define NAT rules for a specific firewall. |
GET /papi/v1/firewalls/{uuidOrName}/filter-policy | List filter rules for a specific firewall. Only the rules that are specific to the firewall are listed, not rules found in the folder to which the firewall belongs. |
GET /papi/v1/firewalls/{uuidOrName}/nat-policy | List NAT rules for a specific firewall. Only the rules that are specific to the firewall are listed, not rules found in the folder to which the firewall belongs. |
Folders
One new API route is available in the public SMC API to manage folders:
Route | Makes it possible to |
---|---|
GET /papi/v1/folders | List all folders found in SMC, and for each folder, its name, UUID and the firewalls that it contains. |
Object database
27 new API routes are available in the public SMC API to manage the object database:
Route | Makes it possible to |
---|---|
GET /papi/v1/objects | List all objects found in the SMC object database. |
POST /papi/v1/objects/[object type] | Add host, group, network, port, DNS name, time, router, SLA, IP protocol, address range, port group and geolocation objects. For example: POST /papi/v1/objects/hosts |
PUT /papi/v1/objects/[object type]/{uuidOrName} | Edit host, group, network, port, DNS name, time, router, SLA, IP protocol, address range, port group and geolocation objects. For example: PUT /papi/v1/objects/hosts/{uuidOrName} |
DELETE /papi/v1/objects/{type}/{name} or DELETE /papi/v1/objects/{uuid} | Delete objects from the SMC object database based on their names or UUID. |