Software vendor Stormshield has released the latest update for Management Center, version 3.2.1. The new version improves SD-WAN technology, which allows specific SLA rules to be defined for each application or service. The vendor has also made it possible to configure routing based on the IPv4 protocol, and from version 3.2.1 the tab responsible for interfaces has been extended: all possible types of interfaces are now listed there. The new version also fixes problems affecting HA clusters and VPN technology. For more interesting details, read on.
New features:
Network configuration
SD-WAN – Selecting the best link
In SMC, specific criteria can be centrally managed to determine whether a WAN link meets the quality level adapted to its type of traffic (VoIP, video, etc.).
To do so, for each traffic type, you can set an SLA (Service Level Agreement) commitment based on one or several thresholds out of the criteria below:
- Latency,
- Jitter,
- Packet loss,
- Unavailability.
As soon as any threshold is not being met, the firewall will select another WAN link with a suitable SLA status for the traffic in question.
This SLA commitment is set through a new SLA object that you can use in several router objects.
Router objects now also include monitoring options that are the same for all gateways specified in the object.
Regardless of the type of traffic, you can also set up a more general configuration to ensure that all communications will automatically be redirected to a backup link when an Internet connection is down.
In the new Routers monitoring panel, the status of all gateways and the quality of connections can be looked up in real time, therefore saving time in the event of a failure. If a router issue is detected on a firewall, a probe will warn the user.
This monitoring data can be exported in .csv format.
SD-WAN can be managed from SMC on SMC firewalls in at least version 4.3.3.
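To make the SLA logic described above concrete, here is an added example that models a per-traffic-type SLA (latency, jitter, packet loss, unavailability) and picks the WAN link that meets it. This is illustration code written for this post, not SMC's or SNS's own implementation: the SLA and LinkStatus types, the "zero means not set" convention and the fallback to the least-breaching link when no link complies are all assumptions, and the measurements are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// SLA is the per-traffic-type commitment described above. A threshold left at
// zero is treated as "not set" in this illustration (an assumption, not SMC behaviour).
type SLA struct {
	MaxLatencyMs   float64
	MaxJitterMs    float64
	MaxLossPercent float64
	MaxUnavailPct  float64 // unavailability over the monitoring window, in percent
}

// LinkStatus holds the monitored values for one WAN gateway (constructed sample data).
type LinkStatus struct {
	Name        string
	LatencyMs   float64
	JitterMs    float64
	LossPercent float64
	UnavailPct  float64
	Up          bool
}

// Breaches lists the SLA criteria the link currently fails; an empty result means compliant.
func (l LinkStatus) Breaches(sla SLA) []string {
	var b []string
	if !l.Up {
		b = append(b, "down")
	}
	if sla.MaxLatencyMs > 0 && l.LatencyMs > sla.MaxLatencyMs {
		b = append(b, "latency")
	}
	if sla.MaxJitterMs > 0 && l.JitterMs > sla.MaxJitterMs {
		b = append(b, "jitter")
	}
	if sla.MaxLossPercent > 0 && l.LossPercent > sla.MaxLossPercent {
		b = append(b, "packet loss")
	}
	if sla.MaxUnavailPct > 0 && l.UnavailPct > sla.MaxUnavailPct {
		b = append(b, "unavailability")
	}
	return b
}

// SelectLink returns the name of the link to carry this traffic type and whether
// that link fully meets the SLA. Compliant links are preferred and the lowest
// latency wins among equals; if no link complies, the one with the fewest breaches
// is used so traffic still flows (fallback policy chosen for this example).
func SelectLink(links []LinkStatus, sla SLA) (string, bool) {
	if len(links) == 0 {
		return "", false
	}
	ranked := make([]LinkStatus, len(links))
	copy(ranked, links)
	sort.SliceStable(ranked, func(i, j int) bool {
		bi, bj := len(ranked[i].Breaches(sla)), len(ranked[j].Breaches(sla))
		if bi != bj {
			return bi < bj
		}
		return ranked[i].LatencyMs < ranked[j].LatencyMs
	})
	best := ranked[0]
	return best.Name, len(best.Breaches(sla)) == 0
}

func main() {
	voip := SLA{MaxLatencyMs: 150, MaxJitterMs: 30, MaxLossPercent: 1}
	links := []LinkStatus{ // constructed measurements
		{Name: "mpls", LatencyMs: 40, JitterMs: 5, LossPercent: 0.1, Up: true},
		{Name: "fiber", LatencyMs: 20, JitterMs: 45, LossPercent: 0.2, Up: true},
		{Name: "lte", LatencyMs: 90, JitterMs: 20, LossPercent: 3, Up: true},
	}
	for _, l := range links {
		fmt.Printf("%-6s breaches: %v\n", l.Name, l.Breaches(voip))
	}
	name, ok := SelectLink(links, voip)
	fmt.Printf("VoIP traffic -> %s (SLA met: %v)\n", name, ok)
}
```

Run with `go run .`; the point to notice is that the fastest link (fiber) is not chosen for VoIP because it breaches the jitter threshold, which is exactly why an SLA per traffic type is more useful than a single "best link" metric.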
Configuring routing from SMC
Routing can now be configured in SMC. It can be accessed in read/write mode on SNS firewalls in at least version 4.2.4, and in read-only mode on firewalls in version 3.7 and upwards. Only IPv4 is supported.
In SMC, in the new Routing tab of each firewall’s settings, configure and deploy:
- static routes,
- return routes,
- a default route,
- dynamic routing settings.
Routing configurations already found on SNS firewalls can now also be looked up in the Routing tab.
This new feature therefore makes it possible to look up routing configuration and prepare changes even when firewalls are offline.
For example, in the static route configuration in SMC, dedicated routes to Virtual IPsec interfaces (VTIs) can be created in route-based VPN topologies. Below is the feature allowing you to view all types of interfaces in SMC.
There are new consistency checks that allow you to check the compatibility of the routing configuration and guarantee the validity of the deployment.
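The release notes do not say which consistency checks SMC performs, so the following added example shows the kind of checks a routing configuration like the one described (static routes, interface routes to VTIs, a default route) would typically need before deployment. It is written for this post and is not SMC's code: the RoutingConfig model, the three checks (duplicate destinations, gateways not on a directly connected network, routes pointing at non-existent interfaces) and all addresses are assumptions built from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
)

// Interface is a firewall interface with its directly connected network
// (constructed model; a VTI is represented with its point-to-point /30).
type Interface struct {
	Name    string
	Network string // CIDR, e.g. "192.0.2.0/24"
}

// StaticRoute is either a gateway route (Gateway set) or an interface route
// (Iface set), the latter being how a route over a VTI is expressed here.
type StaticRoute struct {
	Destination string
	Gateway     string
	Iface       string
}

// RoutingConfig is the per-firewall routing configuration being checked.
type RoutingConfig struct {
	Interfaces     []Interface
	StaticRoutes   []StaticRoute
	DefaultGateway string
}

// CheckRouting returns a list of problems; an empty list means the
// configuration passed every check.
func CheckRouting(cfg RoutingConfig) []string {
	var problems []string
	ifaceNets := map[string]*net.IPNet{}
	for _, i := range cfg.Interfaces {
		_, n, err := net.ParseCIDR(i.Network)
		if err != nil {
			problems = append(problems, fmt.Sprintf("interface %s: invalid network %q", i.Name, i.Network))
			continue
		}
		ifaceNets[i.Name] = n
	}
	// A gateway must sit on a directly connected network, otherwise the
	// firewall has no way to ARP for it and the route is dead on arrival.
	reachable := func(gw string) bool {
		ip := net.ParseIP(gw)
		if ip == nil {
			return false
		}
		for _, n := range ifaceNets {
			if n.Contains(ip) {
				return true
			}
		}
		return false
	}
	seen := map[string]bool{}
	for _, r := range cfg.StaticRoutes {
		_, dst, err := net.ParseCIDR(r.Destination)
		if err != nil {
			problems = append(problems, fmt.Sprintf("route: invalid destination %q", r.Destination))
			continue
		}
		key := dst.String() // normalised, so 10.10.1.0/16 and 10.10.0.0/16 collide
		if seen[key] {
			problems = append(problems, "duplicate route to "+key)
		}
		seen[key] = true
		switch {
		case r.Gateway != "":
			if !reachable(r.Gateway) {
				problems = append(problems, fmt.Sprintf("route %s: gateway %s is not on any directly connected network", key, r.Gateway))
			}
		case r.Iface != "":
			if _, ok := ifaceNets[r.Iface]; !ok {
				problems = append(problems, fmt.Sprintf("route %s: interface %s does not exist", key, r.Iface))
			}
		default:
			problems = append(problems, "route "+key+": neither gateway nor interface given")
		}
	}
	if cfg.DefaultGateway != "" && !reachable(cfg.DefaultGateway) {
		problems = append(problems, "default gateway "+cfg.DefaultGateway+" is not on any directly connected network")
	}
	return problems
}

func main() {
	cfg := RoutingConfig{ // constructed sample configuration
		Interfaces: []Interface{
			{Name: "out", Network: "203.0.113.0/29"},
			{Name: "in", Network: "192.0.2.0/24"},
			{Name: "ipsec_vti1", Network: "10.255.0.0/30"},
		},
		StaticRoutes: []StaticRoute{
			{Destination: "198.51.100.0/24", Iface: "ipsec_vti1"},    // remote site via the VTI
			{Destination: "10.10.0.0/16", Gateway: "192.0.2.254"},    // internal router
			{Destination: "10.10.0.0/16", Gateway: "172.16.0.1"},     // duplicate, unreachable gateway
		},
		DefaultGateway: "203.0.113.1",
	}
	for _, p := range CheckRouting(cfg) {
		fmt.Println("PROBLEM:", p)
	}
}
```

Running this flags two problems for the sample: the duplicate 10.10.0.0/16 route and the gateway 172.16.0.1 that no interface can reach. Catching both before deployment is the value of a consistency check when firewalls are offline and the mistake would otherwise only show up as lost traffic.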
Viewing all types of network interfaces
In SMC, some interface types could already be viewed, added and modified in the Interfaces tab of each firewall’s settings. It is now possible to retrieve all existing types of interfaces on SMC firewalls in SMC. Wi-Fi, dialup, IPsec, Loopback, GRETUN, GRETAP and USB/Ethernet interfaces are shown in read-only mode as “Other interface” in the Interfaces tab.
All of these interface types can be used in the SMC routing configuration.
Managing administrators
“root” account password
You can now set the “root” account password, which will allow you to access the SMC server in command line, when you manually initialize the server from the virtual environment. Previously, this password was set in the SMC initialization wizard, which can be accessed from your web browser.
Customizing the querying of LDAP authentication servers
You can now change the LDAP attributes used by default in SMC to query authentication servers, by using three new environment variables.
Filter and NAT rules
Naming copied rules
When a rule with a customized name is copied and then pasted in the same context (firewall, folder or rule set), the “_copy” suffix is now added to the end of the name. This makes it possible to keep track of the relationship with the original rule and makes it easier to create rules with similar properties and names.
If the rule is pasted in a different context and a rule with the same name does not yet exist, the name will remain the same.
When a rule with a name generated by default by the system is copied and pasted, a new default name will be assigned to it.
Resolved issues:
SMC update
| Support reference | Description |
|---|---|
| 84277 | During the SMC update process, errors that were not serious and did not affect the update process would appear in command line mode. The server now only shows relevant errors. |
Managing administrators
| Support reference | Description |
|---|---|
| 84152 | In the LDAP authentication settings of the Administrators menu, the ID field of the connection account was renamed Administrator DN for OpenLDAP servers. The expected ID format for this field is a DN (without the base DN), such as “cn=administrator”. |
Configuration of SNS firewalls
| Support reference | Description |
|---|---|
| 84452 | The error message and audit log generated during an attempt to create a firewall with the same name as an object found in the database have been improved to indicate that a firewall or an object with the same name already exists. |
Configuration deployment
| Support reference | Description |
|---|---|
| 84333 | When the automatic synchronization of an HA cluster was disabled through the environment variable FWADMIN_HASYNC_ON_DESYNCHRO, deploying the configuration on a cluster would automatically desynchronize nodes. This issue has been fixed. |
VPN topologies
| Support reference | Description |
|---|---|
| 84230 | When an IKEv2 VPN topology is deployed from SMC, changing a peer’s settings directly on an SNS firewall no longer causes any serverd errors. |
| 84490 | The negotiation of a tunnel fails whenever a peer’s certificate contains the firewall’s contact IP address in the certificate’s Subject Alternative Name field. This is because the firewall will use this address as the peer’s Local ID. To prevent this from happening, the use of the certificate’s Subject field as the peer’s Local ID can be forced by setting the FWADMIN_CERT_SUBJECT_AS_PEER_LOCALID variable to “True”. This variable is set to “False” by default. |
Reading logs
| Support reference | Description |
|---|---|
| 84279 | Logs regarding anonymous users were generated in audit logs. As such information is not relevant, these logs are no longer generated. |
Vendor release notes: SMC 3.2.1
Best regards,
The B&B team
Security in business