SMC 3.9.1 new features and enhancements

Object database

Using objects in groups

Groups can now contain the same object twice, if the object belongs to two separate sub-groups.

Such groups can be used in filter rules and translation rules.

Pagination of objects in groups

In the window where object groups, port groups and region groups are added and edited, the available objects and the objects belonging to the group are now displayed page by page. With this enhancement, objects are displayed instantly, even for large groups.

Managing SNS firewalls

Deleting firewalls in SMC

When a firewall or cluster is deleted in SMC, the operation will now automatically delete the configuration that connects these firewalls to SMC, on firewalls in version 4.8.14 and higher, and version 5.0.2 and higher. As a result, these firewalls will no longer attempt to connect to SMC after they have been deleted from the server. For this condition to apply, the firewalls have to be connected to SMC when they are deleted.

Deleting firewalls from SMC does not affect the firewall's global configuration.


Updating SNS firewalls

As of SNS version 4.8.9, firewalls and clusters on which the TPM is initialized can be updated from SMC.


Environment variables

SMC_IMPORT_RULES_FROM_SNS_TIMEOUT_INT variable

The new environment variable SMC_IMPORT_RULES_FROM_SNS_TIMEOUT_INT makes it possible to set the maximum time allowed for retrieving local and global rules from a firewall that is connected to SMC.

The default timeout is 600 seconds, and the minimum accepted value is 30 seconds.

SMC_BULK_RULES_OPERATIONS_TIMEOUT_INT variable

The new environment variable SMC_BULK_RULES_OPERATIONS_TIMEOUT_INT makes it possible to set the timeout after which copied/pasted or cut/pasted filter and translation rules expire.

The default timeout is 600 seconds, and the minimum accepted value is 30 seconds.

Description of environment variables in the Administration guide

A description, as well as the highest and lowest accepted values where applicable, has been added for each environment variable in the section Details of SMC_XXX environment variables in the SMC Administration guide.

Routing configuration

BIRD dynamic routing

These three new tokens can be used in BIRD v1 and BIRD v2 configurations:

  • rcvbuflen

  • sndbuflen

  • connect

Configuring virtual IPsec interfaces (VTIs)

SMC 3.9 supports the new Destination IPv4 address field on virtual IPsec interfaces. This field is available as of SNS version 5.1.0. The address must belong to the interface's address range.

The API route PUT /papi/v1/firewalls/{uuidOrName}/interfaces also supports this new field. When the field is used with SNS in a version lower than 5.1.0, an error will appear.

A new column, "ipv4_dst_address", can now be found in the .csv file used in the configuration of IPsec interfaces. SMC suggests downloading this file when you create a route-based topology that includes firewalls with network configurations that SMC does not manage. This feature shows an IP address for firewalls in version 5.1.0 and higher. For more information on the use of the file, refer to the section Configuring a route-based mesh topology in the Administration guide.

Refer to the Recommendations section prior to any update.

Configuring routes on firewalls that have never connected

SMC now makes it possible to configure routes in advance on an SNS firewall that has never connected to the server, by using the API route PUT /papi/v1/firewalls/{uuidOrName}/routes.

Routes that are created in this way can be seen in the SMC web administration interface, and are deployed during the firewall's initial connection.

VPN topologies

Optimized VPN tunnel monitoring

Efficiency and resource usage are now optimized during the retrieval and display of IPsec VPN tunnels.

Administrator authentication

Hardened password policy

A minimum entropy value can now be imposed to increase the strength of administration passwords that are set in SMC. The default value is 64 bits.

In addition, after an update to version 3.9, passwords have to meet the following default requirements:

  • Minimum length of 16 characters,

  • At least one alphanumeric character,

  • At least one special character,

  • Entropy of 64 bits.

These values can be configured in the password policy in SMC server > Administrators.

These hardening measures do not apply to passwords that are already in use, which will continue to function.
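The default policy above can be checked before a password is submitted. The following checker is an added example and is not SMC code; the entropy estimate it uses (length times log2 of the character pool present in the password) is an assumption, since the release notes do not state how SMC computes entropy.

```python
import math
import string

# Default SMC 3.9 password policy values stated in the release notes.
MIN_LENGTH = 16
MIN_ENTROPY_BITS = 64.0

# Assumed character classes used to size the pool; SMC's own
# entropy calculation is not documented in the release notes.
_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def estimate_entropy_bits(password: str) -> float:
    """Estimate entropy as length * log2(pool), where the pool is the
    union of the character classes present in the password (assumption).
    Characters outside the four classes (e.g. non-ASCII) each add one."""
    pool = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in password))
    pool += len({ch for ch in password if not any(ch in cls for cls in _CLASSES)})
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str,
                   min_length: int = MIN_LENGTH,
                   min_entropy: float = MIN_ENTROPY_BITS) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(ch.isalnum() for ch in password):
        failures.append("no alphanumeric character")
    if not any(ch in string.punctuation for ch in password):
        failures.append("no special character")
    bits = estimate_entropy_bits(password)
    if bits < min_entropy:
        failures.append(f"estimated entropy {bits:.1f} bits is below {min_entropy:.0f}")
    return failures


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "0123456789012345", "correct-horse-battery-staple!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that a pool-based estimate does not penalise repetition, so a 16-character password built from a single repeated letter still clears 64 bits; the length and character-class rules are what catch such passwords.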


Automatic switching between Radius and LDAP servers

When both LDAP and Radius are enabled for user authentication, SMC will verify accounts in the following order:

  1. Radius server

  2. LDAP server

  3. Local accounts

Prior to SMC version 3.9, whenever the Radius server was unavailable, the account verification would automatically switch to the LDAP server, potentially creating a security vulnerability.

The automatic switch is now disabled by default. A new checkbox in the Radius settings allows the user to enable it.

WARNING
By enabling this option, the security level of your authentication during a switch will be the same level that you have set in your LDAP configuration.

However, during the update to version 3.9, the checkbox will be selected by default if both authentication methods had already been enabled.

Reading logs

Display of the SMC server name in auth.log

The name that is given to the SMC server now appears in the log auth.log. This file logs every operation that was performed to access the SMC server in SSH or console mode. The displayed name makes it easier to use filters in external log aggregators.


System

Optimized usage checks

The feature that checks how various items (objects, certificates, interfaces, etc.) are used has been optimized. The optimization allows SMC to reduce its resource consumption and respond more quickly.

Public SMC API - New routes

New API routes were added to SMC version 3.9. They are listed below. For more information on the public SMC API routes, refer to the online documentation. This documentation is also available from the SMC web administration interface.

Automatic backups of the SMC configuration and SNS firewall configuration

A new API route is available in the public SMC API to download a backup of SMC and firewall configurations.

Route: POST /papi/v1/backup/download

Makes it possible to: Download the latest automatic backup of the SMC server configuration and firewall configuration. The downloaded file latest-backup.tar.gz.enc is protected by a password that must meet the requirements in the SMC user password policy.

Use the following OpenSSL command to decrypt the file:

openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 -in latest-backup.tar.gz.enc -out latest-backup.tar.gz && tar -xzf latest-backup.tar.gz

Managing object groups

Two new routes are available in the public SMC API to granularly manage members of object groups:

Route: POST /papi/v1/objects/groups/{uuidOrName}/members

Makes it possible to: Add one or several objects individually to a group.

Route: DELETE /papi/v1/objects/groups/{uuidOrName}/members

Makes it possible to: Delete one or several objects individually from a group.