Stormshield Management Center Administration guide v2.1



STORMSHIELD MANAGEMENT CENTER
ADMINISTRATION GUIDE

Date: 6 April 2017
Version: 2.1
Reference: sns-en-SMC-administration_guide-v2.1

SMC - ADMINISTRATION GUIDE 2.1

Page 2/66

Table of contents

1. Getting started

1.1 Connecting to the SMC server's web interface

1.2 Connecting to the command line interface

1.3 Installing the SMC license

1.3.1 Troubleshooting

2. Warning before connecting SN firewalls to the SMC server

3. Connecting SN firewalls to the SMC server

3.1 Connecting a firewall with a factory configuration to the SMC server

3.1.1 Declaring the firewall in the SMC server web interface

3.1.2 Building the firewall connecting package

3.1.3 Installing the connecting package on the firewall from a USB drive

3.1.4 Installing the connecting package on the firewall from the installation wizard

3.2 Connecting a firewall already in production to the SMC server

3.2.1 Declaring the firewall in the SMC server web interface

3.2.2 Building the firewall connecting package

3.2.3 Installing the connecting package on the firewall

3.3 Connecting a high availability cluster to the SMC server

3.3.1 Declaring the cluster in the SMC server web interface

3.3.2 Building the cluster connecting package

3.3.3 Installing the connecting package on the active node of the cluster

3.4 Troubleshooting with the server's logs

3.4.1 Generating a firewall's connecting package

3.4.2 Installing the connecting package on the SN firewall

3.5 Importing SN firewalls from a CSV file

3.5.1 Creating the CSV file

3.5.2 Importing firewalls

4. Supervising SN firewalls

4.1 Monitoring and organizing firewalls

4.1.1 Getting information about firewalls

4.1.2 Organizing firewalls by folders

4.1.3 Check usage of a firewall in the configuration

4.2 Accessing the logs and activity reports of firewalls

5. Configuring SN firewalls

5.1 Editing firewalls

5.2 Managing objects

5.2.1 Deploying objects on SN firewalls

5.2.2 Creating variable objects

5.2.3 Check usage of an object in the configuration

5.2.4 Importing objects from a CSV file

5.3 Deploying a configuration on firewalls

5.3.1 Deploying a configuration on a firewall

5.3.2 Deploying a configuration on a high availability cluster

5.3.3 Troubleshooting with the server's logs

5.4 Loading and deploying a former configuration

5.5 Accessing the web administration interface of firewalls

5.6 Using the Emergency mode

5.7 Converting a firewall connected to the SMC server into a high availability cluster


sns-en-SMC-administration_guide-v2.1 - Copyright © Stormshield 2017


5.8 Importing a certificate for an SN firewall

5.8.1 Importing a certificate from the server's web interface

5.8.2 Importing a certificate from the command line interface

5.8.3 Importing a certificate on a high availability cluster

5.8.4 Troubleshooting

6. Creating and monitoring VPN tunnels

6.1 Configuring a mesh topology

6.1.1 Importing certificates for SN firewalls

6.1.2 Declaring the certificate authority

6.1.3 Creating objects included in the topology

6.1.4 Creating the VPN topology

6.2 Configuring a star topology

6.2.1 Creating objects included in the topology

6.2.2 Creating the VPN topology

6.3 Editing and deleting a VPN topology

6.4 Monitoring the status of VPN tunnels

6.5 Defining the public IP address of SN firewalls for VPN topologies

7. Creating and organizing filter and NAT rules

7.1 Understanding the order in which rules are read

7.2 Creating filter and NAT rules

7.3 Use case examples


7.3.1 Managing an environment without rule sharing

7.3.2 Managing an environment with shared and specific rules


7.3.3 Managing a multi-site environment with shared and specific rules and delegated filtering

7.4 Managing the migration of a firewall environment in production in SMC

8. Running SNS CLI commands on an environment of firewalls

8.1 Creating the CLI command script

8.2 Using variables

8.2.1 Using variables specific to firewalls

8.2.2 Using global variables

8.2.3 Using a CSV file

8.3 Running the SNS CLI script from the web interface

8.4 Running the SNS CLI script in command line

8.5 Running the SNS CLI script on a high availability cluster

8.6 Attaching files to a script and receiving files generated by script

8.6.1 Command arguments to be used in the script

8.6.2 Attaching files to a script

8.6.3 Receiving files generated by a script

8.7 Troubleshooting

8.7.1 The script file is too large

8.7.2 Certain characters are not supported in the script

8.7.3 The script fails to run on certain firewalls

8.7.4 The Execute script button remains grayed out


9. Backing up the configuration of firewalls and SMC

9.1 Automatic backups of the configuration of the server and firewalls

9.2 Backing up the configuration of firewalls manually

10. Removing SN firewalls from the SMC server



11. Managing and maintaining the SMC server

11.1 Verifying the SMC server version in command line

11.2 Changing the SMC server time zone and date

11.2.1 Changing the time zone

11.2.2 Changing the date manually

11.2.3 Changing the date via NTP

11.2.4 Displaying a comprehensive summary of the SMC server's date/time

11.3 Managing administrators

11.3.1 Managing administrators when connected as the "admin" user

11.3.2 Managing administrators when connected as a user other than the "admin" user

11.4 Consulting and saving the SMC server's logs locally

11.4.1 Viewing server.log logs from the web interface

11.4.2 Saving server logs

11.5 Sending SMC logs to a remote server in Syslog format

11.5.1 Sending logs to a remote server without encryption

11.5.2 Sending logs to a remote server with encryption

11.5.3 Disabling the sending of logs to a remote server

11.5.4 Troubleshooting

11.6 Saving and restoring the SMC server configuration

11.6.1 Saving the server configuration from the web interface

11.6.2 Saving the server configuration from the command line interface

11.6.3 Restoring server configuration from the web interface

11.6.4 Restoring server configuration from the command line interface

11.6.5 Restoring server configuration from the initialization wizard

11.7 Updating the SMC server from the command line interface

11.8 Resetting "root" and administrator passwords

11.8.1 Resetting the "root" administrator password

11.8.2 Resetting the administrator password

11.9 Disabling automatic synchronization of high availability clusters

11.10 Monitoring SMC with SNMP

11.10.1 Using the SNMP service

11.10.2 Using MIBs

Appendix A. Examples of the use of SNS CLI scripts

A.1 Backing up the configuration of firewalls

A.2 Updating firewalls

Appendix B. Details of fwadmin-xxx commands

Appendix C. Compatibility of SMC/SN firewalls


In the documentation, Stormshield Management Center is referred to in its short form: SMC, and Stormshield Network in its short form: SN.

All images in this document are for representational purposes only, actual products may differ.


1. Getting started

To administer or maintain the SMC server, you can either connect to the web interface with a web browser or directly to the command line interface.

If you have forgotten your password, refer to the section Resetting "root" and administrator passwords.

1.1 Connecting to the SMC server's web interface

1. Through your web browser, log on to the IP address of the SMC server preceded by https://.

2. Enter your user name and password or use the default admin user and password.

1.2 Connecting to the command line interface

Connecting to the SMC server in command line is required to perform maintenance or advanced operations on the server. You can connect:

- via the console port from the VMware hypervisor,
- in SSH on port 22.

In both cases, connect with the "root" user and password specified when you initialized the server. For more information, refer to the Stormshield Management Center Installation Guide.

For details on commands that can be used to administer SMC, refer to the Appendix Details of fwadmin-xxx commands.

1.3 Installing the SMC license

Your license determines the maximum number of firewalls that can log on simultaneously to the SMC server.

To install the license:

1. Go to SMC server > License.

2. Select the license file. If a license has already been installed, its information will appear.

3. Click Apply.

1.3.1 Troubleshooting

The SMC server rejects all new firewall connections

- Situation: The SMC server rejects all new firewall connections but keeps ongoing connections.
- Cause: Either you do not have a license or your license has expired; or you may have reached the maximum number of firewalls allowed to connect to the server using your license.
- Solution: Look up the server logs and contact your Stormshield support center in order to obtain a valid license. A tool tip and the Last activity column will also provide an indication.

Your license is no longer valid after the restoration or backup of a configuration

- Situation: You have restored the configuration of the SMC server and your license is no longer valid.
- Cause: During the restoration of the configuration, the license that had been installed at the time of the backup will be restored. So if it had expired in the meantime, you no longer have a valid license.
- Solution: Once you have restored the configuration, install your most recent license again.


2. Warning before connecting SN firewalls to the SMC server

Take note of the following information if you wish to associate the SMC server with an environment of SN firewalls containing global configuration items already used in production.

When SMC deploys a configuration on a firewall, all existing global configuration items on this firewall will be deleted and replaced with configuration items defined in the SMC configuration, if any.

This includes:

- Global objects defined on the firewall,
- Global filter rules defined on the firewall,
- Global VPN tunnels defined on the firewall.

These elements are not displayed by default in the SNS Web configuration interface. To display them, go to the firewall Preferences, section Application settings and enable the option Display global policies (Filter, NAT, IPsec VPN and Objects).

If you connect an SN firewall to SMC, you accept that any global items you may have created on this firewall will be overwritten as soon as the first configuration is deployed by SMC.

However, local objects, rules and VPN tunnels (used by default in the firewall web administration interface) will never be modified or deleted by SMC in a configuration deployment.

We recommend that you recreate these global items in the form of local items on the firewall or rewrite the rules in SMC before connecting the firewall to SMC, in order to avoid losing any configuration items and disrupting production.

In most cases, the firewall does not have any global configuration items, so no special precaution needs to be taken before connecting the firewall to SMC. Production will not be impacted.

In any case, we advise you to perform a backup of your firewall's configuration before connecting it to SMC.


3. Connecting SN firewalls to the SMC server

Connecting an SN firewall to the SMC server allows you to administer the firewall from the SMC server web interface. A connecting package generated by the SMC server must be installed on the SN firewall.

SMC 2.1 is compatible with Stormshield Network Security from version 2.3.0 upwards. Some features such as filter and NAT rules and VPN tunnels require SNS in at least version 3.0. For further detail, refer to the Appendix Compatibility of SMC/SN firewalls.

3.1 Connecting a firewall with a factory configuration to the SMC server

3.1.1 Declaring the firewall in the SMC server web interface

1. In the SMC server web interface, select Monitoring > Firewalls and click Create a firewall.


2. Complete the firewall properties. The Firewall name, Description and Location fields are just filled in for information and do not have any impact on the configuration.

3. For more information on the public IP address, refer to the section Defining the public IP address of SN firewalls for VPN topologies.

4. Select the folder in which you wish to organize the firewall. Folders are created in the Configuration > Firewalls and folders menu on the left. For more information, please refer to the section Monitoring and organizing firewalls.

3.1.2 Building the firewall connecting package

1. In the same window, select Generate the connecting package to generate the package while adding the new firewall. This connecting package will have to be installed on the firewall to connect to the SMC server.

TIP

You can build the package later, by editing the firewall in the Firewalls menu.

2. Click on Create.


3. In the Generating the connecting package panel, click on Next then select The firewall still has a factory configuration.


4. On the next panel, select the version of the firewall and complete the minimum network configuration information for the firewall that would enable access to the SMC server.

5. Verify and edit the information to connect to the SMC server if needed:

- IP address or FQDN to reach: the firewall connects to this address to reach the SMC server. Depending on network topology, it is either the SMC server IP address or an external IP address reachable by the firewall and redirected towards the SMC server through a destination translation.
- Public port number: the firewall connects to this port to reach the SMC server. Depending on network topology, it is either the SMC server port (1754 by default) or an external port reachable by the firewall and redirected towards the SMC server port through a destination translation.

6. Click Generate and download.

7. To install the connecting package on the firewall, select one of the two procedures below.

3.1.3 Installing the connecting package on the firewall from a USB drive

1. Provide the connecting package to the administrator in charge of deploying the new firewall on the remote site.

2. The administrator must copy the connecting package (.pack) and an SNS update file (.maj) to an empty USB drive. The drive must be formatted as FAT32, FAT16 or UFS. SNS version 2.3.0 is the minimum version required.

3. The administrator must plug the USB drive into the new firewall and connect the OUT interface to the network.

4. The administrator must start the firewall. The firewall first installs the SNS update file and reboots. After restarting, the firewall installs the connecting package: the IP addresses of the SMC server and of the OUT interface of the firewall are configured and the firewall connects to the SMC server.


5. In the SMC server web interface, verify that the state of the firewall changes in the Firewalls menu. It must be "On line".

6. To ensure the security of your appliance, log on directly to the firewall's administration interface by clicking on the icon and changing the firewall's administration password. For more information on direct access to the firewall's interface, refer to the section Accessing the web administration interface of firewalls.

TIP

The administrator can see the connection settings to the SMC server on the firewall web administration interface: in the SMC dashboard component and in the menu Configuration > System > Management Center. He/she can also install a new connecting package from the web administration interface.

3.1.4 Installing the connecting package on the firewall from the installation wizard

1. Provide the connecting package to the administrator in charge of deploying the new firewall on the remote site.

2. The administrator must install the package from the firewall installation wizard.

3. In the SMC server web interface, verify that the state of the firewall changes in the Firewalls menu. It must be "On line".


4. To ensure the security of your appliance, log on directly to the firewall's administration interface by clicking on the icon and changing the firewall's administration password. For more information on direct access to the firewall's interface, refer to the section Accessing the web administration interface of firewalls.

TIP

The administrator can see the connection settings to the SMC server on the firewall web administration interface: in the SMC dashboard component and in the menu Configuration > System > Management Center. He/she can also install a new connecting package from the web administration interface.

3.2 Connecting a firewall already in production to the SMC server

3.2.1 Declaring the firewall in the SMC server web interface

1. In the SMC server web interface, select Monitoring > Firewalls and click Create a firewall.

2. Complete the firewall properties. The Firewall name, Description and Location fields are just filled in for information and do not have any impact on the configuration.

3. For more information on the public IP address, refer to the section Defining the public IP address of SN firewalls for VPN topologies.

4. Select the folder in which you wish to organize the firewall. Folders are created in the Configuration > Firewalls and folders menu on the left. For more information, please refer to the section Monitoring and organizing firewalls.

3.2.2 Building the firewall connecting package

1. In the same window, select Generate the connecting package to generate the package while adding the new firewall. This connecting package will have to be installed on the firewall to connect to the SMC server.

TIP

You can build the package later, by editing the firewall in the Firewalls menu.

2. Click on Create.

3. In the Generating the connecting package panel, click on Next then select This firewall is already in production.


4. On the next panel, select the version of the firewall and verify and edit the information to connect to the SMC server if necessary:

- IP address or FQDN to reach: the firewall connects to this address to reach the SMC server. Depending on network topology, it is either the SMC server IP address or an external IP address reachable by the firewall and redirected towards the SMC server through a destination translation.
- Public port number: the firewall connects to this port to reach the SMC server. Depending on network topology, it is either the SMC server port (1754 by default) or an external port reachable by the firewall and redirected towards the SMC server port through a destination translation.

5. Click Generate and download.

3.2.3 Installing the connecting package on the firewall

1. Provide the connecting package to the administrator in charge of administrating the firewall on the remote site.

2. The administrator must connect to the web administration interface of the firewall.

3. In the menu Configuration > System > Management Center of the firewall administration interface, the administrator must select the connecting package. After installing the package, the administrator can see the connection settings to the SMC server in the same menu. They are also displayed in the SMC dashboard component.

4. In the SMC server web interface, verify that the state of the firewall changes in the Firewalls menu. It must be "On line".


3.3 Connecting a high availability cluster to the SMC server

3.3.1 Declaring the cluster in the SMC server web interface

1. In the SMC server web interface, select Monitoring > Firewalls and click Create a firewall. The new firewall stands for the cluster; you do not need to declare both nodes of the cluster.

2. Complete the cluster properties. The Firewall name, Description and Location fields are just filled in for information and do not have any impact on the configuration.

3. For more information on the public IP address, refer to the section Defining the public IP address of SN firewalls for VPN topologies.

4. Select the folder in which you wish to organize the cluster. Folders are created in the Configuration > Firewalls and folders menu on the left. For more information, please refer to the section Monitoring and organizing firewalls.


3.3.2 Building the cluster connecting package

1. In the same window, select Generate the connecting package to generate the package while adding the new firewall. This connecting package will have to be installed on the firewall to connect to the SMC server.

TIP

You can build the package later, by editing the firewall in the Firewalls menu.

2. Click on Create.

3. In the Generating the connecting package panel, click on Next then select This firewall is already in production.


4. On the next panel, select the version of the firewall and verify and edit the information to connect to the SMC server if necessary:

- IP address or FQDN to reach: the firewall connects to this address to reach the SMC server. Depending on network topology, it is either the SMC server IP address or an external IP address reachable by the firewall and redirected towards the SMC server through a destination translation.
- Public port number: the firewall connects to this port to reach the SMC server. Depending on network topology, it is either the SMC server port (1754 by default) or an external port reachable by the firewall and redirected towards the SMC server port through a destination translation.

5. Click Generate and download.

3.3.3 Installing the connecting package on the active node of the cluster

1. Provide the connecting package to the administrator in charge of administrating the cluster on the remote site.

2. The administrator must connect to the web administration interface of the active node of the cluster.


3. In the menu Configuration > System > Management Center of the firewall administration interface, the administrator must select the connecting package. After installing the package, the administrator can see the connection settings to the SMC server in the same menu. They are also displayed in the SMC dashboard component.

4. The administrator must then perform a synchronization of both nodes from the administration interface of the active node. The passive node then retrieves the configuration contained in the firewall connecting package.

5. In the SMC server web interface, verify that the state of the cluster changes in the Firewalls menu. It must be "On line". The mode icon changes as well.

In case of failover, the passive node will become active and will automatically connect to the SMC server.

6. To view different types of information about both nodes of the cluster, edit the cluster in the Firewalls menu and open the High availability tab.

The SMC server regularly synchronizes both nodes in the high availability clusters of SN firewalls that it manages. To disable this automatic synchronization, refer to the section Disabling automatic synchronization of high availability clusters.

3.4 Troubleshooting with the server's logs

If you encounter issues while connecting an SN firewall to the SMC server, start by looking up the following log files.

3.4.1 Generating a firewall's connecting package

Look up the logs on the SMC server, in /var/log/fwadmin-server/server.log

3.4.2 Installing the connecting package on the SN firewall

Look up the logs on the SN firewall, in /log/l_system (and /log/verbose.cad if verbose mode has been enabled).

3.5 Importing SN firewalls from a CSV file

To quickly import a large number of firewalls in SMC and generate their connecting package, you can use a CSV file and import it on the server from the command line interface.

An example of a CSV file "example-firewalls-and-packages.csv" is available on the server, in the folder /var/fwadmin/examples/csv.

3.5.1 Creating the CSV file

The file may contain the following parameters organized in columns and separated by commas. Only the first column #fwname is mandatory:

- #fwname: firewall's name,
- #fwversion: version of the firewall used for determining the version of the generated connecting package. If this field is empty, version 3.1 will be used.
- #fwdesc: firewall's description,
- #fwplace: location of the firewall,
- #fw-public-ip: public IP address of the firewall manually defined in its parameters,
- #pkg-fw-address: public IP address of the firewall detected by SMC,
- #pkg-fw-mask: subnet mask,
- #pkg-fw-gateway: the firewall's default gateway,
- #pkg-smc-address: IP address of the SMC server - this information is needed for the connecting package,
- #pkg-smc-port: port of the SMC server - this information is needed for the connecting package,
- #custom1 to #custom10: customizable fields numbered from 1 to 10, which can be used in variable network objects and in SNS CLI scripts.

The order of parameters must always be the same.
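As an added example (it is not from the guide and not SMC's own tooling), the following Python script builds an import file in the column order listed above and checks it before it is copied to the server: header order, the mandatory #fwname, duplicate names, IPv4 syntax of the package fields, a gateway inside the firewall's subnet, and a valid SMC port (1754 when the field is left empty). The header row naming the columns, the rule that package fields are only checked when at least one of them is filled in, and the two sample firewalls are this example's own assumptions.

```python
import csv
import io
import ipaddress

# Column order from section 3.5.1 of the guide; #fwname is the only mandatory
# column and the ten #custom columns come last. A header row naming the
# columns is this example's own assumption about the file layout.
COLUMNS = [
    "#fwname", "#fwversion", "#fwdesc", "#fwplace", "#fw-public-ip",
    "#pkg-fw-address", "#pkg-fw-mask", "#pkg-fw-gateway",
    "#pkg-smc-address", "#pkg-smc-port",
] + [f"#custom{i}" for i in range(1, 11)]
PKG_COLUMNS = COLUMNS[5:10]      # fields consumed by the connecting package
DEFAULT_SMC_PORT = 1754          # SMC server port when #pkg-smc-port is empty


def build_csv(firewalls):
    """Serialise dicts keyed by column name in the documented column order.
    Missing keys become empty fields so that column positions never shift."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for fw in firewalls:
        writer.writerow([str(fw.get(col, "")) for col in COLUMNS])
    return buf.getvalue()


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_csv(text):
    """Return (line_number, problem) tuples; an empty list means the file
    respects the column order, the mandatory name and the network fields."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != COLUMNS:
        return [(1, "header must list the columns in the documented order")]
    seen = set()
    for n, row in enumerate(rows[1:], start=2):
        if not any(row):                 # blank line, ignore
            continue
        if len(row) != len(COLUMNS):
            problems.append((n, f"expected {len(COLUMNS)} fields, got {len(row)}"))
            continue
        rec = {col: val.strip() for col, val in zip(COLUMNS, row)}
        name = rec["#fwname"]
        if not name:
            problems.append((n, "#fwname is mandatory"))
        elif name in seen:
            problems.append((n, f"duplicate firewall name {name!r}"))
        seen.add(name)
        if rec["#fw-public-ip"] and not _is_ipv4(rec["#fw-public-ip"]):
            problems.append((n, "#fw-public-ip must be an IPv4 address"))
        # Package fields are checked only when at least one of them is filled
        # in (this example's rule; the guide only makes #fwname mandatory).
        if not any(rec[col] for col in PKG_COLUMNS):
            continue
        for col in ("#pkg-fw-address", "#pkg-fw-gateway", "#pkg-smc-address"):
            if not _is_ipv4(rec[col]):
                problems.append((n, f"{col} must be an IPv4 address"))
        if _is_ipv4(rec["#pkg-fw-address"]) and _is_ipv4(rec["#pkg-fw-gateway"]):
            try:
                subnet = ipaddress.IPv4Network(
                    (rec["#pkg-fw-address"], rec["#pkg-fw-mask"]), strict=False)
            except ValueError:
                problems.append((n, "#pkg-fw-mask must be a valid subnet mask"))
            else:
                if ipaddress.IPv4Address(rec["#pkg-fw-gateway"]) not in subnet:
                    problems.append((n, "#pkg-fw-gateway is outside the firewall's subnet"))
        port = rec["#pkg-smc-port"] or str(DEFAULT_SMC_PORT)
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append((n, "#pkg-smc-port must be between 1 and 65535"))
    return problems


# Constructed sample (RFC 5737 addresses): two branch firewalls; the second
# one has a gateway outside its own subnet, which the validator reports.
SAMPLE_FIREWALLS = [
    {"#fwname": "branch-paris", "#fwversion": "3.1", "#fwdesc": "Paris office",
     "#fwplace": "Paris", "#pkg-fw-address": "192.0.2.10",
     "#pkg-fw-mask": "255.255.255.0", "#pkg-fw-gateway": "192.0.2.1",
     "#pkg-smc-address": "198.51.100.5", "#pkg-smc-port": "1754",
     "#custom1": "site-A"},
    {"#fwname": "branch-lyon", "#pkg-fw-address": "192.0.2.20",
     "#pkg-fw-mask": "255.255.255.0", "#pkg-fw-gateway": "203.0.113.1",
     "#pkg-smc-address": "198.51.100.5"},
]


def check_sample():
    """Build the sample file and validate it; returns the list of problems."""
    return validate_csv(build_csv(SAMPLE_FIREWALLS))


if __name__ == "__main__":
    print(build_csv(SAMPLE_FIREWALLS))
    for line, problem in check_sample():
        print(f"line {line}: {problem}")
```

Run the script to print the generated file and any problems found; copy the file to the server (for example into /tmp) only once the list of problems is empty, then import it with fwadmin-firewalls-and-packages as described in the next section.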

3.5.2 Importing firewalls

1. Start by copying the CSV file on the SMC server using the SSH protocol in the /tmp folder for example.

2. Connect to the SMC server via the console port or SSH connection with the "root" user.

3. Enter the command: fwadmin-firewalls-and-packages --csv-file /tmp/filename.csv

Generated connecting packages are available in the folder /tmp/packages.

Whether each firewall has been imported will be indicated, as well as a summary when the import is complete.


You can also:

- Import firewalls without generating connecting packages, using the option --firewall-only: fwadmin-firewalls-and-packages --csv-file /tmp/filename.csv --firewall-only
- Generate only connecting packages, using the option --package-only: fwadmin-firewalls-and-packages --csv-file /tmp/filename.csv --package-only

If an imported firewall already existed in SMC, an error will appear. You may use the --forceupdate option to overwrite the existing firewall with the one indicated in the CSV file.


4. Supervising SN firewalls

Different types of information about each firewall are displayed in Monitoring > Firewalls and allow you to view and supervise firewalls. Direct access to the logs and activity reports of a firewall is also possible.

4.1 Monitoring and organizing firewalls

Look up the status of your environment in real time and organize your firewalls by a hierarchy of folders and sub-folders to which you can apply shared or specific filter and NAT rules.

4.1.1 Getting information about firewalls

From the Monitoring > Firewalls menu, you can see varied information about each firewall such as its connection state, IP address, model, deployment number, maintenance end date, etc. You can also edit the configuration, access the web administration interface, logs and activity reports of a firewall, import a certificate on a firewall, check its usage and remove a firewall from the list.

Three different icons in the first column of the list indicate the connection state of the firewalls:

- the firewall is connected,
- the firewall is disconnected,
- the firewall has never been connected.

The number of firewalls and the connection states are recalled under the firewalls list.

TIP

Click the icons to filter the firewalls list.

For each connected firewall, information about the CPU, the memory used and the disk space used are available. The values displayed about the CPU and memory apply to the latest hour.

Move the mouse over the diagrams to see more details.

Troubleshooting

The firewall does not display a valid maintenance end date

- Situation: In Monitoring view, the column indicating the date on which maintenance of the firewall ends is empty.
- Cause: Either the firewall's license is not valid or its version is lower than 2.5. The SMC server does not manage the maintenance end date for firewalls in versions 2.3 and 2.4.
- Solution: Contact your Stormshield support center in order to obtain a valid license or upgrade the firewall to version 2.5 or higher.

4.1.2 Organizing firewalls by folders

In order to manage firewalls and their configuration, the SMC server relies on hierarchically organized folders to which firewalls are attached.

Since folders are dynamically managed, you can create, move and delete folders at any time.

Folders contain firewalls as well as global filter and NAT rules. A firewall attached to a sub-folder inherits rules configured in its parent folders. For more information on filter and NAT rules, refer to the section Creating and organizing filter and NAT rules.

A firewall can belong to only one folder at a time.

The default root folder MySMC cannot be deleted, but can be renamed. If you do not create any folder trees, all firewalls will be attached to this root folder.

The tree is limited to four levels of sub-folders.

TIP

The Search field in the list of firewalls in Monitoring > Firewalls also applies to folder names.

Creating folders

1. Go to the Firewalls and sub-folders tab in Configuration > Firewalls and sub-folders.

2. Click on Create a sub-folder when you are in the desired parent folder.

Organizing firewalls

There are several ways to do so:

- When you create a new firewall from Monitoring > Firewalls or Configuration > Firewalls and folders, in the Firewalls and sub-folders tab, you can choose its location.
- You can move an existing firewall from the same panels by clicking on Move 1 firewall. Multiple firewalls may be selected.

Removing folders

In the Firewalls and sub-folders tab in Configuration > Firewalls and folders, scroll over the folder name and select the red cross.

If you delete a folder, firewalls and rules in this folder will be moved by default to the parent folder.


4.1.3 Check usage of a firewall in the configuration

In order to check whether a firewall is used:

1. Go to Monitoring > Firewalls or Configuration > Firewalls and folders.

2. Scroll over the name of the firewall and click on the check usage icon. The results are displayed in the column on the left. Double-click a result to view its details.

4.2 Accessing the logs and activity reports of firewalls

From the SMC server, you can directly access the logs and activity reports of connected firewalls.

In Monitoring > Firewalls, move the mouse next to the name of a firewall and click the icon.

Authentication on the firewall is automatic:

- You do not need to set a login on this firewall,

- You do not need to configure any authorized administration host in the web administration interface of the firewall,

- Logging out from the SMC server web interface automatically disconnects the user from the Logs and activity reports interface of the firewall.

For more information about the logs and activity reports interface, refer to the Stormshield Network user configuration manual.


5. Configuring SN firewalls

Configure your firewalls, objects, rules and VPN topologies in the SMC server web interface and deploy the configuration on the firewalls. Direct access to the web administration interface of a firewall is also possible.

Certain configuration operations cannot be performed from the web interface of the SMC server. You can perform them using SNS CLI commands. For more information, please refer to the chapter Running SNS CLI commands on an environment of firewalls.

5.1 Editing firewalls

To edit the settings of a firewall:

1. Go to Monitoring > Firewalls or Configuration > Firewalls and folders.

2. Scroll over the name of the firewall and click the pen icon, or double-click the line on which the firewall is found.

The series of tabs that appears will allow you to:

- Modify the location of the firewall in the folder tree,

- Define the public IP address to be used in VPN topologies,

- Generate a connecting package for the firewall. For more information about this package, refer to Connecting SN firewalls to the SMC server.

- Add customized variables used in SNS CLI scripts or in network objects,

- Add a certificate on the firewall,

- Obtain information about high availability when clusters are used,

- Create and manage filter and NAT rules,

- See the list of objects deployed on the firewall.

The Firewall name, Description and Location fields in the Parameters tab are just filled in for information and do not have any impact on the configuration.

TIP

The Search field in the firewalls list also applies to the Description and Location fields.

5.2 Managing objects

The Network objects menu on the left of the web interface allows creating, editing or removing an object from the configuration deployed on SN firewalls.

All objects created from the SMC server belong to the firewall's global policy. They are available in the firewall web administration interface.

For more information about global objects, refer to the Stormshield Network user configuration manual.


WARNING

Before removing an object from the SMC server, ensure that doing so will not affect the operation of your SN firewalls.

5.2.1 Deploying objects on SN firewalls

By default, objects are deployed only on the firewalls that use them. However, you can force them to be deployed on certain firewalls or on all firewalls:

1. In the window for creating or editing objects, click on Deployment on firewalls to the right.

2. Force deployment on a selection of firewalls or on all firewalls.

3. Deploy the configuration.

In the list of objects in the Network objects menu, distinct icons identify objects that have been forcibly deployed on a selection of firewalls and objects that have been forcibly deployed on all firewalls.

5.2.2 Creating variable objects

Variable objects are Host, Network and IP address range objects whose IPv4 or IPv6 addresses vary according to the firewall on which they have been installed.

1. In the Network objects menu, create a Host, Network or IP address range object.

2. Fill in the IPv4 address or IPv6 address field with the variable %FW_CUSTOMx%, where "x" is a number between 1 and 10. This customized variable is defined in the Customized variables tab of the Edit firewall panel, which opens when you double-click the line of a firewall in the monitoring view.

For example: enter the address 10.1.%FW_CUSTOM1%.0/24. If, for a given firewall, customized variable 1 equals "1", the address becomes 10.1.1.0/24 for this firewall in the filter rule or in the VPN topology.

3. Complete the creation of the object.
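The substitution described above, as an added illustration that is not SMC code: each %FW_CUSTOMx% in an object's address is replaced by the customized variable of the firewall the object is deployed on, and the result is validated as an address or network. The firewall names and variable values are constructed; the check that "x" lies between 1 and 10, that the variable is defined on the firewall, and that the result is a well-formed IPv4/IPv6 value are assumptions about what a deployment should refuse.

```python
"""Resolve SMC variable objects (%FW_CUSTOMx%) per firewall.

Added example, not Stormshield code. Firewall names and the customized
variables below are constructed for the illustration.
"""
import ipaddress
import re

VAR_RE = re.compile(r"%FW_CUSTOM(\d+)%")

# Customized variables 1..10 of each firewall (Customized variables tab).
# Only the variables an object actually references need to be defined.
FIREWALL_VARIABLES = {
    "fw-paris":    {1: "1", 2: "10"},
    "fw-bordeaux": {1: "2", 2: "300"},   # 300 is not a valid octet on purpose
    "fw-madrid":   {},                   # variable 1 left undefined on purpose
}


class UndefinedVariable(ValueError):
    """The object references a variable this firewall does not define."""


def resolve(template, variables):
    """Replace every %FW_CUSTOMx% in template with the firewall's value for x."""
    def substitute(match):
        idx = int(match.group(1))
        if not 1 <= idx <= 10:
            raise ValueError(f"%FW_CUSTOM{idx}%: x must be between 1 and 10")
        if idx not in variables:
            raise UndefinedVariable(f"%FW_CUSTOM{idx}% is not defined on this firewall")
        return variables[idx]
    return VAR_RE.sub(substitute, template)


def resolve_object(template, firewall):
    """Resolve template for one firewall and validate the result.

    A value containing '/' is validated as a network (strict: no host bits
    set); anything else as a single host address. ValueError on failure.
    """
    value = resolve(template, FIREWALL_VARIABLES[firewall])
    if "/" in value:
        return ipaddress.ip_network(value, strict=True)
    return ipaddress.ip_address(value)


def resolve_for_all(template):
    """Resolve one object template on every firewall, recording failures."""
    results = {}
    for firewall in FIREWALL_VARIABLES:
        try:
            results[firewall] = str(resolve_object(template, firewall))
        except ValueError as exc:          # UndefinedVariable is a ValueError too
            results[firewall] = f"ERROR: {exc}"
    return results


if __name__ == "__main__":
    for firewall, result in resolve_for_all("10.1.%FW_CUSTOM1%.0/24").items():
        print(f"{firewall:12s} {result}")
```

Running the resolution for every firewall before deploying is the check worth doing: an undefined variable or an out-of-range octet would otherwise only show up as a deployment error on that one firewall.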

5.2.3 Check usage of an object in the configuration

1. In the Network objects menu, select an object.

2. Click on the icon and select Check usage of <object name>.


5.2.4 Importing objects from a CSV file

To quickly import a large number of existing objects on SN firewalls or to easily create objects, you can use a CSV file and import it on the server from the command line interface.

An example of a CSV file, "example-import-objects.csv", is available on the server in the folder /var/fwadmin/examples/csv.

Creating the CSV file

You can either export existing objects from an SN firewall or create a new CSV file.

To export the CSV file from an SN firewall:

1. On the firewall, go to Objects > Network objects.

2. Click on the Export button.

This file contains all the network objects and groups on your SN firewall.

To create a new CSV file, and to find out details about headers and the parameters to specify according to the object's category, you may:

- Export objects from your SN firewall,

- Look up the example given on the SMC server as indicated above.

Importing objects

1. Start by copying the CSV file on the SMC server using the SSH protocol in the /tmp folder for example.

2. Connect to the SMC server via the console port or SSH connection with the "root" user.

3. To import all object types, enter the command fwadmin-import-objects --csv-file /tmp/fichier.csv.

4. To view imported objects in the SMC web interface, refresh the page or log off and log on again.

Whether each object or group has been imported will be indicated, as well as a summary when the import is complete.


You can also choose the types of objects to import. For example, to import only Host and IP address range objects, enter the command: fwadmin-import-objects --csv-file /tmp/fichier.csv --host --iprange

The options to be entered according to the type of object are:

Object type          Option
Host                 --host
DNS name (FQDN)      --fqdn
Network              --network
IP address range     --iprange
Group                --group
IP protocol          --protocol
Port                 --port
Port group           --servicegroup

Customized variables such as %FW_CUSTOMx% can be used instead of IPv4 or IPv6 address values in Host, Network and IP address range objects. These customized variables are defined in the Customized variables tab in the Edit firewall panel accessible by double clicking on the line of a firewall in monitoring view.

If an imported object already exists in SMC, an error will appear. You may use the --update option to overwrite the existing object with the one indicated in the CSV file.
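A pre-import check for the CSV, as an added example that is not part of the guide or of the fwadmin-import-objects tool. The column layout (type, name, value) is an assumption made for the illustration; the real headers are those of the SN firewall export and of /var/fwadmin/examples/csv/example-import-objects.csv. What it models is the behaviour stated above: selecting object types with the same option names as the command, accepting %FW_CUSTOMx% in place of or inside an address, and treating an object that already exists as an error unless --update is given. The sample CSV is constructed.

```python
"""Check a CSV of network objects before running fwadmin-import-objects.

Added example, not Stormshield code. Columns are assumed (type,name,value);
the sample below is constructed and deliberately contains one bad network.
"""
import csv
import io
import ipaddress
import re

CSV_SAMPLE = """type,name,value
host,srv-dc,192.168.10.5
host,fw-lan,%FW_CUSTOM1%
network,lan-rd,10.1.%FW_CUSTOM2%.0/24
iprange,dhcp-pool,10.1.1.100-10.1.1.200
network,bad-net,10.1.1.0/33
port,https,443/tcp
"""

# Command-line option -> object type, as listed in the guide's table.
FLAG_TO_TYPE = {
    "--host": "host", "--fqdn": "fqdn", "--network": "network",
    "--iprange": "iprange", "--group": "group", "--protocol": "protocol",
    "--port": "port", "--servicegroup": "servicegroup",
}

VAR_RE = re.compile(r"%FW_CUSTOM(?:[1-9]|10)%")


def _check_value(kind, value):
    """Validate an address field; variables are probed with a placeholder octet."""
    if VAR_RE.fullmatch(value):
        return                      # whole address comes from the firewall variable
    probe = VAR_RE.sub("1", value)  # any %FW_CUSTOMx% becomes a number on the firewall
    if kind == "host":
        ipaddress.ip_address(probe)
    elif kind == "network":
        ipaddress.ip_network(probe, strict=True)
    elif kind == "iprange":
        low, high = (ipaddress.ip_address(p) for p in probe.split("-", 1))
        if low > high:
            raise ValueError("range start is above its end")
    # fqdn, group, protocol, port, servicegroup: format not checked here


def plan_import(csv_text, flags=(), existing=frozenset(), update=False):
    """Return (objects_to_import, errors) for the selected object types.

    flags: option names such as "--host"; none means every type.
    existing: names already present in SMC; they fail unless update is True.
    """
    unknown = [f for f in flags if f not in FLAG_TO_TYPE]
    if unknown:
        raise ValueError("unknown option(s): " + ", ".join(unknown))
    wanted = {FLAG_TO_TYPE[f] for f in flags} if flags else set(FLAG_TO_TYPE.values())
    to_import, errors = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, name, value = row["type"], row["name"], row["value"]
        if kind not in wanted:
            continue
        if name in existing and not update:
            errors.append(f"{name}: already exists (use --update to overwrite)")
            continue
        try:
            _check_value(kind, value)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        to_import.append((kind, name, value))
    return to_import, errors


def command_line(csv_path, flags=(), update=False):
    """Build the argv of the import command for the chosen options."""
    argv = ["fwadmin-import-objects", "--csv-file", csv_path, *flags]
    if update:
        argv.append("--update")
    return argv


if __name__ == "__main__":
    selected, problems = plan_import(CSV_SAMPLE)
    print(f"{len(selected)} objects ready, {len(problems)} rejected: {problems}")
    print(" ".join(command_line("/tmp/objects.csv", ["--host", "--iprange"])))
```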

5.3 Deploying a configuration on firewalls

Every time a configuration is created or modified on the SMC server, you will need to deploy the configuration on SN firewalls.

All deployments are saved in the deployment history. Refer to the section Loading and deploying a former configuration.

During a deployment, the following information will be sent to the firewalls:

- Objects used in filter and NAT rules relating to the firewall or its parent folders.

- Objects you have chosen to deploy on all firewalls or for which you have selected the firewalls they will be deployed on. For more information, please refer to the section Managing objects.

- If the firewall is part of a VPN topology: Network, Host and/or Group objects and the certificate authority associated with this topology, as well as information on the certificate selected for this firewall in the topology (the certificate itself has already been installed on the firewall).


5.3.1 Deploying a configuration on a firewall

1. Go to Deployment > Configuration deployment or click on Perform a new deployment in the upper banner of the interface. This button turns orange when changes have been made to the configuration.

2. In the Firewalls selection tab, select firewalls. They are all selected by default.

3. Enter a comment at the bottom of the panel if needed. This comment will be displayed in the deployment history.

4. Click Deploy configuration next to the comment field. The Deployment tab automatically opens. A status bar indicates the progress and the result of the deployment for each firewall.

When a deployment or an SNS CLI script is running, you cannot launch another deployment but preparing another deployment in the Firewalls selection tab is possible.

5. See the deployment summary at the bottom of the panel, showing successes, errors and the deployments postponed.

6. You can also filter the list of firewalls by selecting a status in the drop down list at the top of the list.

If the deployment is successful, the deployment number will be incremented in the Deployment column.

TIP

If a configuration is deployed on disconnected firewalls, the deployment is postponed and firewalls retrieve the configuration the next time they are on line.

7. In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking the icon in the Actions column and refer to the firewall logs.

5.3.2 Deploying a configuration on a high availability cluster

The steps are the same as in the section above.

The configuration is first deployed on the active node of the cluster. The SMC server then performs a synchronization of both nodes of the cluster.

If the passive node is not connected to the active node at the time of deployment, the SMC server will perform a synchronization between both nodes when the passive node connects again to the active node.


5.3.3 Troubleshooting with the server's logs

If you encounter issues while deploying a configuration, start by looking up the following log files.

SMC side

/var/log/fwadmin-server/server.log

SN firewall side

/log/l_system

5.4 Loading and deploying a former configuration

Each configuration deployed on firewalls is saved in the deployment history and can be loaded and deployed again.

To see the deployment history and deploy a configuration again:

1. Go to Deployment > Deployment history.

2. Select a deployment and click the icon to restore the configuration. Ongoing changes in the current configuration will be lost.

3. Repeat the steps described in the section Deploying a configuration on firewalls to deploy the configuration on firewalls.

4. If you load a configuration which is not the latest in the history, a warning message appears at the top of the window. The message remains until you deploy the configuration on firewalls or until you load the latest configuration deployed.

5.5 Accessing the web administration interface of firewalls

The SMC server web interface does not allow configuring all parameters of a firewall. To complete the configuration, you can connect directly to the web administration interface of a firewall, without authenticating again. Because an SMC session therefore gives administrative access to every connected firewall, protect SMC administrator accounts and restrict access to the SMC web interface at least as strictly as access to the firewalls themselves.

1. Go to Monitoring > Firewalls.

2. Scroll over the name of a firewall. The firewall must be on line.

3. Click the icon.

Authentication on the firewall is automatic:

- You do not need to set a login on this firewall,

- You do not need to configure any authorized administration host in the web administration interface of the firewall,

- Logging out from the SMC server web interface automatically disconnects the user from the firewall's web administration interface.

TIP

The indication "Managed by SMC" appears at the top of the firewall administration interface.

For more information about the web administration interface, refer to the Stormshield Network user configuration manual.


5.6 Using the Emergency mode

In case of temporary unavailability of the SMC server, if you need to edit the configuration of a firewall, connect directly to the IP address of the web administration interface of the firewall.

TIP

The indication "Managed by SMC - Emergency mode" appears at the top of the firewall web administration interface.

5.7 Converting a firewall connected to the SMC server into a high availability cluster

A standalone firewall connected to the SMC server can be converted into a high availability cluster:

1. From the SMC server web interface, connect to the web administration interface of the firewall by clicking the icon in the list of firewalls in the Monitoring menu.

2. Refer to the Stormshield Network user configuration manual under High availability to add a passive node. In case of failover, the passive node will become active and will automatically connect to the SMC server.

TIP

The icon in the Mode column is updated in the list of firewalls on the SMC server web interface. To view details about both nodes of the cluster, edit the cluster in the Firewalls menu and open the High availability tab.

5.8 Importing a certificate for an SN firewall

A PKCS#12 or PEM certificate is required for each SN firewall that is part of a VPN topology using X.509 authentication.

The certificate can be installed from the server web interface or from the command line interface.

Several certificates may be imported for a single firewall.

5.8.1 Importing a certificate from the server's web interface

There are three ways to import a certificate for a firewall from the web interface.

1. In the Monitoring > Firewalls menu, double click on a connected SN firewall.

2. In the Certificates tab, select the relevant certificate or click on Import a new certificate.

or

1. In the Monitoring > Firewalls menu, scroll over the name of a connected firewall and click on the icon.

2. In the window that opens, select the relevant certificate.

3. Choose whether to use this certificate as the default certificate used in VPN topologies.

or

1. During the configuration of a VPN topology, when choosing peers, click on the icon on the line of a firewall. For more information, please refer to the section Creating and monitoring VPN tunnels.


5.8.2 Importing a certificate from the command line interface

1. To import a certificate from the command line interface, connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter the command fwadmin-install-certificate with the options below.

TIP

Display help using the option --help.

The following options are mandatory:

- --certificate: path of the certificate (.p12 or .pem) to be installed,

- --firewall: name of the firewall on which the certificate needs to be installed,

- --password: password that protects the certificate, when a .p12 file is used.

The operation will be saved in the log file /var/log/misc/install-certificate.log.

5.8.3 Importing a certificate on a high availability cluster

Import the certificate for the active node of the cluster.

The SMC server will then synchronize both nodes of the cluster.

5.8.4 Troubleshooting

The Import button remains grayed out

- Situation: You have selected the certificate and entered the password but the Import button remains grayed out.

- Cause: While a script is running or a configuration is being deployed, no certificate can be imported on any firewall.

- Solution: Wait for the ongoing execution or deployment to end.


Importing the certificate on a firewall causes an error

- Situation: When you import a certificate on an SN firewall, the SMC server returns the error "Insufficient privileges".

- Cause: You are unable to import a certificate on a firewall on which an administration session has been opened, either directly or via SMC.

- Solution: Log off from the firewall and attempt to import the certificate again.

Other possible causes:

- The file exceeds the maximum size allowed, which is 1 MB.

- The file format is neither .p12 nor .pem. The SMC server only supports .p12 or .pem files.

- You have entered the wrong password.
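A pre-flight check for the causes listed above, as an added example that is not Stormshield code: it rejects a file over 1 MB or with an extension other than .p12/.pem before the import is attempted, and builds the fwadmin-install-certificate command line with the three options documented in section 5.8.2. The content checks (a PEM file must carry a CERTIFICATE block, a .p12 file is DER and so starts with a SEQUENCE tag) are assumptions added for the illustration; a wrong password can only be detected by the import itself, so it is not checked here. File names and bytes are constructed.

```python
"""Pre-flight checks before importing a firewall certificate into SMC.

Added example, not Stormshield code. Limits and formats follow the guide;
the PEM/DER content checks are assumptions for the illustration.
"""
import os

MAX_SIZE = 1024 * 1024            # 1 MB limit stated in the guide
ALLOWED_EXT = {".p12", ".pem"}    # only formats the SMC server accepts


def check_certificate(filename, data, password=None):
    """Return a list of problems; an empty list means the file can be submitted."""
    problems = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        problems.append(f"{ext or 'no extension'}: only .p12 or .pem files are accepted")
    if len(data) > MAX_SIZE:
        problems.append(f"{len(data)} bytes exceeds the 1 MB limit")
    if ext == ".pem" and b"-----BEGIN CERTIFICATE-----" not in data:
        problems.append("PEM file contains no CERTIFICATE block")
    if ext == ".p12":
        if not data.startswith(b"\x30"):   # PKCS#12 is DER: outermost SEQUENCE tag
            problems.append("not DER-encoded: a .p12 file must be binary PKCS#12")
        if not password:
            problems.append("a password is required to open a .p12 file")
    return problems


def install_command(firewall, path, password=None):
    """argv for fwadmin-install-certificate with its mandatory options.

    --password is added only for .p12 files, as the guide describes. Note
    that a password given on the command line is visible to other local
    users in the process list and may land in the shell history.
    """
    argv = ["fwadmin-install-certificate", "--certificate", path, "--firewall", firewall]
    if path.lower().endswith(".p12"):
        if not password:
            raise ValueError("--password is mandatory for a .p12 file")
        argv += ["--password", password]
    return argv


if __name__ == "__main__":
    sample = b"\x30\x82\x01\x00" + b"\x00" * 16   # constructed DER-looking bytes
    print(check_certificate("fw-paris.p12", sample, "secret"))
    print(" ".join(install_command("fw-paris", "/tmp/fw-paris.p12", "secret")))
```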


6. Creating and monitoring VPN tunnels

This feature is available for SN firewalls in version 3.0 upwards.

Stormshield Management Center allows creating and managing VPN tunnels that link networks or sub-networks protected by firewalls. These firewalls or gateways act as entry and exit points for tunnels and may be:

- SN firewalls in version 3 and up, managed by the SMC server,

- External peers, meaning SN firewalls or any other type of VPN gateway not managed by the SMC server.

SMC offers two types of VPN topology: mesh or star.

- Mesh: all remote sites are able to communicate among themselves,

- Star: a central site communicates with several satellite sites. Satellite sites do not communicate with one another. The central site must be an SN firewall managed by the SMC server.

Before configuring your topologies, you need to:

- Create your traffic endpoints beforehand (Network, Host or Group) in the Network objects menu. For more information, please refer to the section Managing objects.

- Create Host objects beforehand for your external peers if your topologies include them.

- If X.509 certificate authentication has been selected, import a certificate beforehand for the SN firewalls managed by SMC included in your topologies, and declare certificate authorities beforehand as well. The corresponding procedures are described in the section Configuring a mesh topology.

SMC 2.1 does not support VPN topologies in IPv6. If a topology includes network objects in IPv6, they will be ignored. If a topology relies on network objects with dual IPv4/IPv6 configuration, only the configuration in IPv4 will be applied and the IPv6 configuration ignored.

In this section, we describe two use case scenarios, a mesh topology and a star topology. For further detail on each menu and option for configuring VPN tunnels, refer to the SN firewall User configuration manual.

6.1 Configuring a mesh topology

Example of a scenario:

A company has its headquarters and two other sites in England and one site abroad. Every site has its own Research and Development department and the four R&D sub-networks need to share information. Every site is protected by an SN firewall managed by the SMC server.

The authentication method selected is X509 certificate authentication.

The certificate authority that issues certificates can be found on one of the SN firewalls, such as the headquarters, for example, or may be an external authority.


To configure VPN tunnels between the four sites, follow the steps below.

6.1.1 Importing certificates for SN firewalls

To import a certificate in PKCS#12 or PEM format from the SMC server web interface, refer to the section Importing a certificate from the server's web interface.

Certificates can also be imported from the command line interface. Refer to the section Importing a certificate from the command line interface.

6.1.2 Declaring the certificate authority

On the SMC server, you need to declare the certificate authorities that SN firewalls managed by SMC will trust.

In a VPN topology, you can add only one certificate authority, meaning that all the certificates of firewalls involved in the topology will need to be signed by the same certificate authority.


1. In Configuration > Certification Authorities, click on Add an authority.


2. Select a certificate file in .pem, .cer, .crt or .der.

3. Once the authority has been declared, you can edit it, check its usage or delete it by scrolling over the name of the authority in order to make the icons appear.

A new authority can also be added during the configuration of the VPN topology, during the selection of the authentication method, by clicking on Add an authority.

6.1.3 Creating objects included in the topology

Go to the Network objects menu on the left.

You need to create as many objects as the number of traffic endpoints or hosts that will be included in your VPN topology, i.e., four objects in our example.

These may be Network, Host or Group objects.

6.1.4 Creating the VPN topology

You now have all the necessary elements for configuring your VPN topology. Before creating a topology, if you wish to modify the public IP address of the firewalls, refer to the section Defining the public IP address of SN firewalls for VPN topologies.

1. In Configuration > Topologies, click on Add a VPN topology at the top of the screen and select Mesh.


2. Enter a name. A description is optional.

3. Select X.509 certificate authentication and select the certification authority that issued the certificates for the firewalls involved in the VPN topology.

4. Select the encryption profile. The SMC server offers three pre-configured profiles. Create your customized profiles in VPN > Encryption profiles. Refer to the SN firewall User configuration manual for more information on encryption profile options.

5. Select your topology peers. You can only select firewalls that are connected or offline, and in version 3 or higher.

6. Select the traffic endpoints associated with each of your peers.

7. Click on Apply.

8. Deploy the configuration on the firewalls involved in the topology. The VPN configuration belongs to the firewall's global policy.

6.2 Configuring a star topology

Example of a scenario:

A company with its head office in Paris has two branches in Bordeaux and Madrid. The

Accounting sub-network at the head office needs to exchange information with the Accounting sub-networks in the branches. The company's three sites are protected by SN firewalls managed by the SMC server.

The company has just acquired a new organization that also has an Accounting department and whose network is protected by a firewall from another vendor.

The administrator needs to know the public IP address of this firewall, which will be declared as an external peer, and the address range of its Accounting sub-network.

The chosen authentication method is by pre-shared key (PSK).


To configure VPN tunnels between the four sites, follow the steps below.

6.2.1 Creating objects included in the topology

Go to the Network objects menu on the left.

You need to create as many objects as the number of traffic endpoints or hosts that will be included in your VPN topology, i.e., four Network objects in our example.

Your topology includes an external peer. You need to create a Host object for this firewall.

These may be Network, Host or Group objects.

6.2.2 Creating the VPN topology

You now have all the necessary elements for configuring your VPN topology. Before creating a topology, if you wish to modify the public IP address of the firewalls, refer to the section Defining the public IP address of SN firewalls for VPN topologies.

1. In Configuration > Topologies, click on Add a VPN topology at the top of the screen and select Star.


2. Enter a name. A description is optional.

3. Select pre-shared key authentication.

4. Generate a random key.

5. The strongest encryption profile is selected by default. The SMC server offers three preconfigured profiles. Create customized profiles in Configuration > Encryption profiles. Refer to the SN firewall User configuration manual for more information on encryption profile options.

6. Choose the center of your topology. It will then show a "star" icon in the list of firewalls below, and the firewall will appear in bold.

7. Select your topology peers. You can only select firewalls that are connected or offline, and in version 3 or higher.

8. Select the traffic endpoints associated with each of your peers.

9. Click on Apply.

10. Deploy the configuration on the firewalls involved in the topology. The VPN configuration belongs to the firewall's global policy.
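The tunnel sets that the mesh procedure (6.1.4) and the star procedure (6.2.2) produce, as an added example that is not SMC code. It applies the constraints stated in this chapter: a mesh links every pair of peers while a star links the center to each satellite only; the center must be an SN firewall managed by SMC; managed peers must run version 3 or higher; with X.509 authentication every managed peer needs an imported certificate; and IPv6 traffic endpoints are ignored in SMC 2.1. Peer names, versions and addresses are constructed, and the version and certificate fields are assumptions about what SMC records for each firewall.

```python
"""Tunnels generated by an SMC mesh or star VPN topology.

Added example, not Stormshield code. The peer inventory is constructed;
"gw-acquired" stands for the external peer (a Host object) of section 6.2.
"""
import ipaddress
from itertools import combinations

PEERS = {
    "fw-paris":    {"managed": True,  "version": "3.0.1", "certificate": "fw-paris.p12",
                    "endpoints": ["10.10.0.0/24", "2001:db8:10::/64"]},
    "fw-bordeaux": {"managed": True,  "version": "3.1.0", "certificate": "fw-bordeaux.p12",
                    "endpoints": ["10.20.0.0/24"]},
    "fw-madrid":   {"managed": True,  "version": "2.7.2", "certificate": None,
                    "endpoints": ["10.30.0.0/24"]},
    "gw-acquired": {"managed": False, "version": None,    "certificate": None,
                    "endpoints": ["10.40.0.0/24"]},
}


def usable_endpoints(peer):
    """Traffic endpoints SMC 2.1 will actually use: IPv4 only, IPv6 is ignored."""
    return [e for e in PEERS[peer]["endpoints"] if ipaddress.ip_network(e).version == 4]


def validate_peer(peer, auth, as_center=False):
    """Raise ValueError when the peer cannot take part in the topology."""
    p = PEERS[peer]
    if p["managed"] and int(p["version"].split(".")[0]) < 3:
        raise ValueError(f"{peer}: SNS {p['version']} is below 3.0; VPN topologies need version 3 or higher")
    if as_center and not p["managed"]:
        raise ValueError(f"{peer}: the center of a star topology must be managed by SMC")
    if auth == "x509" and p["managed"] and not p["certificate"]:
        raise ValueError(f"{peer}: X.509 authentication needs a certificate imported for this firewall")
    if not usable_endpoints(peer):
        raise ValueError(f"{peer}: no IPv4 traffic endpoint left once IPv6 objects are ignored")


def tunnels(kind, peers, auth="psk", center=None):
    """Return the (peer_a, peer_b) tunnels of a 'mesh' or 'star' topology."""
    if auth not in ("psk", "x509"):
        raise ValueError(f"unknown authentication method {auth!r}")
    for p in peers:
        validate_peer(p, auth, as_center=(p == center))
    if kind == "mesh":
        return list(combinations(peers, 2))
    if kind == "star":
        if center not in peers:
            raise ValueError("a star topology needs a center chosen among its peers")
        return [(center, s) for s in peers if s != center]
    raise ValueError(f"unknown topology type {kind!r}")


if __name__ == "__main__":
    print("mesh:", tunnels("mesh", ["fw-paris", "fw-bordeaux"], auth="x509"))
    print("star:", tunnels("star", ["fw-paris", "fw-bordeaux", "gw-acquired"], center="fw-paris"))
```

The number of tunnels is what differs operationally: a mesh of n peers yields n(n-1)/2 tunnels and every firewall must reach every other, whereas a star yields n-1 tunnels all terminating on the center, which is why the center has to be a managed SN firewall.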

6.3 Editing and deleting a VPN topology

Edit or delete a topology from the list of your VPN topologies in the Configuration > VPN topologies menu.

To edit:

- Double-click on the line of a topology, or

- Scroll over a line to make the pen icon appear. The icon appears in each column and directly opens the wizard corresponding to that column.

To delete:

- Scroll over the name of the topology in the list and click on the red cross.

In both cases, redeploy the configuration after these operations.


6.4 Monitoring the status of VPN tunnels

The Monitoring > VPN menu allows looking up the status of each tunnel configured in each topology.

Scroll over the status icon of a tunnel to display a tooltip indicating its status as well as the status of peers.

6.5 Defining the public IP address of SN firewalls for VPN topologies

By default, in a VPN topology, the public IP address of an SN firewall that other peers must reach is the address with which the firewall is identified by the SMC server when it connects for the first time.

To avoid using a private corporate network address over the Internet, it is possible to specify to the peers the IP address they must contact to reach the firewall:

1. In the Monitoring > Firewalls menu, double click on the SN firewall.

2. In the Settings tab, unselect Always use the IP address detected by SMC.

3. Enter an address in the Public IP address field.


7. Creating and organizing filter and NAT rules

This feature is available for SN firewalls in version 3.0 upwards.

SMC allows deploying filter and NAT rules in your environment of firewalls. Rules apply to sets of firewalls (folders and sub-folders) or are specific to certain firewalls, therefore making it possible to configure a rule shared by several sites just once, while continuing to be able to deploy specific rules on a given site.

To organize your firewalls by folders, refer to the section Organizing firewalls by folders. Rules applied to the default root folder MySMC apply to the entire firewall environment.

For further detail on each menu and option for configuring rules, refer to the SN firewall User configuration manual.

Rules can be defined in the Filter rules and NAT rules tabs from the Configuration > Firewalls and folders menu or from a firewall's settings.

7.1 Understanding the order in which rules are read

Filter and NAT rules applied to a given firewall are the combination of two types of rules created in SMC:

- Rules shared by several firewalls, created in the folders (the folder to which the firewall belongs and its parent folders),

- Rules specific to the firewall, created in the firewall's settings. In the firewall monitoring view, the Number of specific rules column indicates the number of specific rules that each firewall has.

These rules are deployed in the SN firewall's global security policy. After these rules, the firewall's local security policy rules, if any, will be applied.

The firewall inherits rules from the folder it belongs to, as well as rules from its parent folders, which are applied in the following order:

- High-priority rules configured in the folders, from the most general to the most specific,

- The firewall's specific rules,

- Low-priority rules configured in the folders, from the most specific to the most general.

For example, a high-priority rule in the MySMC folder cannot be overridden by any other rule. A low-priority rule in the MySMC folder will be overridden by all the other rules defined in the folders or for a specific firewall.
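The ordering described above, together with the folder constraints of section 4.1.2 (a firewall belongs to one folder; at most four levels of sub-folders), as an added example that is not SMC code: it builds the effective global policy of one firewall from its folder chain and its specific rules, then evaluates a flow against it with first-match semantics to show which rule wins. The folder tree, rule names and the match on source/destination names are constructed for the illustration; a real rule has many more criteria.

```python
"""Effective order of SMC filter rules on a firewall, first match wins.

Added example, not Stormshield code. Folders, firewalls and rules are
constructed; each rule is (action, source, destination) with "any" as wildcard.
"""

MAX_DEPTH = 4   # levels of sub-folders allowed below the MySMC root

# Folder tree as child -> parent; the root has no parent.
PARENTS = {"MySMC": None, "clients": "MySMC", "acme": "clients"}

# Folder rules, split by priority as in the SMC tabs.
FOLDER_RULES = {
    "MySMC":   {"high": [("pass", "smc-server", "any")],   "low": [("block", "any", "any")]},
    "clients": {"high": [("pass", "any", "datacenter")],   "low": [("pass", "lan", "internet")]},
    "acme":    {"high": [],                                "low": [("pass", "acme-lan", "acme-dmz")]},
}
FIREWALL_FOLDER = {"fw-acme": "acme", "fw-solo": "MySMC"}   # one folder per firewall
FIREWALL_RULES = {"fw-acme": [("pass", "acme-lan", "printer")]}


def folder_path(folder, parents=PARENTS):
    """Root-to-folder chain, e.g. ['MySMC', 'clients', 'acme'], depth-checked."""
    path = []
    while folder is not None:
        path.insert(0, folder)
        folder = parents[folder]
    if len(path) - 1 > MAX_DEPTH:
        raise ValueError(f"{path[-1]}: more than {MAX_DEPTH} levels of sub-folders below {path[0]}")
    return path


def effective_rules(firewall):
    """Rules in the order SMC deploys them into the firewall's global policy."""
    path = folder_path(FIREWALL_FOLDER[firewall])
    ordered = []
    for folder in path:                 # high priority: general -> specific
        ordered += FOLDER_RULES[folder]["high"]
    ordered += FIREWALL_RULES.get(firewall, [])
    for folder in reversed(path):       # low priority: specific -> general
        ordered += FOLDER_RULES[folder]["low"]
    return ordered


def decide(firewall, src, dst):
    """Action of the first matching global rule, or 'local-policy' if none matches."""
    for action, rule_src, rule_dst in effective_rules(firewall):
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action
    return "local-policy"   # the firewall's own local security policy is evaluated next


if __name__ == "__main__":
    for rule in effective_rules("fw-acme"):
        print(rule)
    print("lan -> internet on fw-acme:", decide("fw-acme", "lan", "internet"))
```

With a low-priority "block any" in MySMC, every folder or firewall rule placed above it still applies, which is the folder-level counterpart of the per-firewall "Block all" rule suggested in the use cases below.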


7.2 Creating filter and NAT rules

1. In Configuration > Firewalls and folders, browse until you reach the folder to which you wish to apply a rule, or the specific firewall. Specific rules can also be reached directly from the firewall's settings in the Monitoring view.

2. Open the Filter rules or NAT rules tab.

3. Click on Add and select either a low- or high-priority rule, taking into account the desired order of application, as explained in the previous section.


4. Configure the rule:

- When Host, Network or IP address range objects are used in the rule, you can use variable objects, whose IP addresses will be the value corresponding to the relevant firewall. For more information, please refer to the section Creating variable objects.

- The following parameters cannot be completed with data returned by firewalls and must therefore be entered manually through text fields:

  - In Source > General > Incoming interface, click on Customized interface,

  - In Destination > Advanced properties > Outgoing interface, click on Customized interface.

- Refer to the SN firewall User configuration manual for more details on menus and options.

5. Once the configuration of rules is complete, deploy the configuration on the firewalls concerned.

In addition to the rules of the current folder or of the firewall, the Filter rules and NAT rules tabs display the rules of parent folders in read-only. You can therefore view all the rules that apply to a firewall on a single screen, in the order in which they are applied.

You can modify the order in which rules are applied using the Up and Down buttons.

7.3 Use case examples

7.3.1 Managing an environment without rule sharing

We shall use the example of a service provider who administers SN firewalls for several clients:

- Each client only has one firewall,
- All firewalls are located in the MySMC root folder, and no sub-folders are used,
- The firewalls do not have any filter rules or NAT rules in common,
- The service provider does not wish to connect to each firewall in real time to define rules.

The service provider must therefore:

- Define specific rules on each firewall in SMC, going to the firewall's Filter rules or NAT rules tab.
- If necessary, define a "Block all" rule as the last rule on each firewall in order to ignore the rules found in the firewalls' local security policy. For more information on how to configure the "Block all" rule, refer to the SN firewall User configuration manual.
- Deploy the configuration on the firewalls. These rules will be deployed in the firewalls' global security policy.

7.3.2 Managing an environment with shared and specific rules

We shall use the example of a service provider who also administers SN firewalls for several clients:

- Each client only has one firewall,
- The firewalls are organized in sub-folders named after clients,
- The firewalls have filter rules or NAT rules in common and specific rules.

The service provider must therefore:

- Define the rules shared by all firewalls in the MySMC folder, for example to provide all firewalls with access to its datacenter. For this purpose, a variable object will be used: a Host object representing a firewall interface. A single rule and a single object will therefore suffice for all firewalls. For more information, please refer to the section Creating variable objects.
- Define specific rules on each firewall from SMC, going to the firewall's Filter rules or NAT rules tab.
- If necessary, define a "Block all" rule as the last low-priority rule in the MySMC folder in order to ignore the rules found in the firewalls' local security policy. For more information on how to configure the "Block all" rule, refer to the SN firewall User configuration manual.
- Deploy the configuration on the firewalls. These rules will be deployed in the firewalls' global security policy.

7.3.3 Managing a multi-site environment with shared and specific rules and delegated filtering

We shall use the example of a trading company that has a warehouse, offices, hypermarkets and supermarkets spread out over several sites:

- The central administrator uses two levels of sub-folders under the root folder to organize its firewalls,
- Filter and NAT rules apply to all firewalls, and other rules apply only to certain folders,
- The administrator wishes to delegate the administration of certain traffic to local administrators in order to give them the possibility of implementing local rules on specific services, protocols, users or networks. A store may, for example, need to communicate with a CCTV service provider.

The central administrator must therefore:

- Define the rules shared by all firewalls in the MySMC folder using variable objects. For more information, please refer to the section Creating variable objects.
- Define rules shared by warehouses/offices/stores in the corresponding folders and sub-folders.
- Define, if necessary, specific rules on certain firewalls from SMC, going to the firewall's Filter rules or NAT rules tab.
- Choose Delegate for the relevant rules in each rule's Action menu and define a "Block All" rule as the last low-priority rule on the MySMC root folder.
- Deploy the configuration on the firewalls. These rules will be deployed in the firewalls' global security policy.


7.4 Managing the migration of a firewall environment in production in SMC

If you do not create a "Block all" rule as the last rule in SMC, local filter and NAT rules, i.e., those created directly on a firewall, will be read after the global rules (originating from SMC).

During the migration of a firewall environment in production to centralized administration in SMC, we recommend that you do not create this "Block all" rule, to avoid disrupting production during the migration process.

When the migration process is complete, we suggest that you rewrite the rules in the firewalls' local policies in SMC and add a "Block all" rule where necessary.


8. Running SNS CLI commands on an environment of firewalls

Stormshield Management Center allows executing SNS CLI scripts on SN firewalls from version 2.4 upwards. This mode enables the configuration of all firewall features. Scripts therefore offer a solution for deploying the configuration of an environment of firewalls for features that are not available in the menus of the SMC server.

SNS CLI scripts can be executed from the web interface of the SMC server and from the command line interface.

To see examples of how scripts are used, please refer to the Appendix Examples of the use of SNS CLI scripts.

8.1 Creating the CLI command script

Create a UTF-8 encoded text file not exceeding 5 MB with the extension .script containing the commands to be run in your environment of SN firewalls.

The available executable commands on the CLI console are listed:

- In the SN firewall web administration interface, in the menu Configuration > System > CLI Console. Refer to the SN Firewall Configuration and administration manual to learn how to use the interface.
- In the CLI Serverd Commands Reference Guide that is available in your private area https://mystormshield.eu, in the Document base section.

To assist you, you may also display CLI commands in the web administration interface of an SN firewall in order to copy the commands used to perform an action that you wish to reproduce in your script:

1. Click on the black arrow at the bottom of an SN firewall's administration interface to expand the events panel.

2. Select the menu Options > Show commands.

3. Perform an action (create an object for example) that you wish to repeat in the script.

4. Copy the commands that were run to produce the action.

5. Paste them in your script.

To adapt commands to each firewall, use variables surrounded with the symbol %. To find out which variables to use, please refer to the section Using variables.


8.2 Using variables

The properties of firewalls indicated in the list of firewalls or in the settings of each firewall (Monitoring > Firewalls menu) are variables that can be used in scripts.

You can use even more variables with the help of a CSV file. Refer to the section Using a CSV file.

Variables are case sensitive.

8.2.1 Using variables specific to firewalls

Insert variables surrounded with the symbol % in the CLI commands of your script.

These variables take on different values according to the firewall on which the script is run:

- FW_ADDRESS: IP address field of the firewall connected to the SMC server,
- FW_DESCRIPTION: firewall's Description field,
- FW_LOCATION: firewall's Location field,
- FW_MODEL: firewall's model,
- FW_NAME: firewall's name,
- FW_SERIAL: firewall's serial number,
- FW_VERSION: firewall's version number,
- HA_PEER_SERIAL: serial number of the passive firewall (without high availability, the value will be empty),
- HA_PEER_FIRMWARE: version number of the passive firewall (without high availability, the value will be empty),
- FW_CUSTOM1 to FW_CUSTOM10: customizable fields 1 to 10.

Ten variables can be customized to your needs (FW_CUSTOM1 to FW_CUSTOM10). Double-click on a firewall in the Monitoring > Firewalls menu and open the Customized variables tab. Fill in the fields with your customized values.

8.2.2 Using global variables

These variables have the same value for all firewalls and refer to the server's date and time:

- NOW: full date in local format (example: "%NOW%" => "20151222-104727"),
- NOW_AS_DATE: date in local format (example: "%NOW_AS_DATE%" => "20151222"),
- NOW_AS_TIME: time in local format (example: "%NOW_AS_TIME%" => "104727").

8.2.3 Using a CSV file

In the event there are not enough customizable variables, and in order to perform operations on a large number of firewalls, or to perform a complex operation on a firewall, we recommend that you use a CSV file.

CSV files can only be used in the command line interface. Variables associated with firewalls will then be read from this file and the script will be duplicated as many times as the number of lines in the CSV file for a given firewall.

To find out how to use CSV files in the command line interface, please refer to the section Examples of the use of scripts in command line with a CSV file.


8.3 Running the SNS CLI script from the web interface

1. In the web interface of the SMC server, select Scripts > SNS CLI scripts.

2. In the Firewalls selection tab, select the script to run.

- The button next to the script allows viewing the raw contents of the script as it is found on your workstation.

3. In the Optional: attachments related to the script menu, select the relevant files to attach to the script. For more information, please refer to the section Attaching files to a script and receiving files generated by script.

4. In the second part of the Firewalls selection tab, select the SN firewalls on which the script will be run. For each firewall:

- An icon indicates, where applicable, that the firewall cannot be selected for the execution of the script. As such, the row will be grayed out. Scroll over the icon with your mouse to find out why:
  - The firewall is not connected.
  - The version of the firewall must be at least 2.4.0.
- Another icon allows viewing the contents of the script, including variables replaced with values associated with the firewall in question. The icon changes if there is an error during the analysis of the script (missing attached file or unknown variable). View the contents of the script to find out which row is causing the issue.

5. Click on Execute script at the bottom of the tab. The Execution tab automatically opens.

6. Track the progress and results of the execution of scripts on each selected firewall.

During the execution of a script or deployment of a configuration, you will not be able to run another script execution but you can prepare it in the Firewalls selection tab.

WARNING

Executing a script automatically takes over the read/write privileges from any administration sessions already open on the firewalls in question.

7. A summary of the execution process can be seen at the bottom of the panel, displaying successful operations, errors and the firewalls on which the script could not be deployed.

8. You can also filter the list of firewalls by selecting a status in the drop down list at the top of the list.

9. In case of error, see the SMC server logs. You can also connect to the logs and activity reports of a firewall by clicking the icon in the Actions column.

8.4 Running the SNS CLI script in command line

In the command line interface of the SMC server, enter the command fwadmin-sns-cli-script followed by the necessary options for attaching the script (and attachments where applicable) and selecting firewalls.

TIP

Display help using the option --help:

fwadmin-sns-cli-script --help

Two of these options are mandatory:

- -s: to be followed by the path to the script file,
- one of the three following options:
  - -l: to be followed by a list of firewall names separated by commas,
  - -a: indicates that the script will be run on all firewalls,
  - -c: to be followed by a path to a CSV file containing the list of firewalls and the associated variables. The command will then list the firewalls specified in this file. For more information, please refer to the section Using a CSV file.

The option -c may be used jointly with the options -l and -a. In this case, both of these options will specify the list of firewalls on which the script will be run.

The following options are not mandatory:

- -f: allows forcing the previous session to shut down, for example in the case of an execution that did not end properly,
- -v: allows displaying logs in further detail,
- --dry-run: allows displaying the contents of the script including the variables associated with each firewall, for the purpose of reference only.

When the deployment of a configuration is in progress, or another script is being run, a new script cannot be run in command line. An error message will appear if the deployment has not fully ended on all connected firewalls or if the script has not finished running. Firewalls on which the deployment of the configuration was conducted in batches will not prevent scripts from running.

To send or receive files attached to a script, please refer to the section Attaching files to a script and receiving files generated by script.

Examples of the use of scripts in command line with a CSV file

The following is an example of how a CSV file can be used with a script. For all firewalls in an environment (two in this example), we wish to create an object that represents the main Active Directory server and an object that represents the secondary AD server, taking into account the following assertions:

- The main AD server has to be an object with static IP address resolution,
- The secondary AD server has to be an object with dynamic IP address resolution,
- The name of each object has to indicate whether it is a main or secondary server,
- The comments of each object must indicate the name of the firewall on which it will be created,
- The IP address of each AD server is different for each firewall.

1. Create the script /var/tmp/ad.script:

# Create a new host
CONFIG OBJECT HOST NEW name=AD-%type% comment="%type% AD server for FW %FW_NAME%" ip="%ip_addr%" resolve=%mode%
CONFIG OBJECT ACTIVATE

2. Create the CSV file /var/tmp/ad.csv for the environment of two firewalls:

firewall;type;ip_addr;mode
sns-paris;Main;1.1.1.1;static
sns-paris;Backup;1.1.2.2;dynamic
sns-lyon;Main;4.4.4.4;static
sns-lyon;Backup;4.4.5.5;dynamic

3. Enter the following command in the command line interface:

fwadmin-sns-cli-script --script /var/tmp/ad.script --csv-file /var/tmp/ad.csv

The following is the expected result for each of the firewalls sns-paris and sns-lyon:

# Create a new host

CONFIG OBJECT HOST NEW name=AD-Main comment="Main AD server for FW sns-paris" ip="1.1.1.1" resolve=static

CONFIG OBJECT ACTIVATE

# Create a new host

CONFIG OBJECT HOST NEW name=AD-Backup comment="Backup AD server for FW sns-paris" ip="1.1.2.2" resolve=dynamic

CONFIG OBJECT ACTIVATE

# Create a new host

CONFIG OBJECT HOST NEW name=AD-Main comment="Main AD server for FW sns-lyon" ip="4.4.4.4" resolve=static

CONFIG OBJECT ACTIVATE

# Create a new host

CONFIG OBJECT HOST NEW name=AD-Backup comment="Backup AD server for FW sns-lyon" ip="4.4.5.5" resolve=dynamic

CONFIG OBJECT ACTIVATE

TIP

In CSV files, fields are often separated by a comma or semi-colon. The fwadmin-sns-cli-script command interprets semi-colons (;) as separators by default. The separator may be different depending on the CSV file. In order to change the separator, put the variable FWADMIN_SNS_CLI_CSV_DELIMITER before the command. For example:

FWADMIN_SNS_CLI_CSV_DELIMITER=, fwadmin-sns-cli-script --csv-file=/var/tmp/myfile.csv --script=/var/tmp/myscript.script
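The Python script below is an added example and is not part of the Stormshield guide or of the SMC server code. It renders an SNS CLI script offline the way the sections on variables (8.2), the analysis error for an unknown variable (8.3) and the CSV expansion above (8.4) describe it, so you can review what would be sent to each firewall before running fwadmin-sns-cli-script. The script and CSV are the ones from the example above; the FW_* property values for sns-paris and sns-lyon are constructed, and treating the "firewall" column as the selector for the target firewall is an assumption drawn from that example.

```python
# Added example, not part of the Stormshield guide or the SMC server code:
# offline rendering of an SNS CLI script with %VARIABLE% substitution and CSV
# expansion, in the spirit of fwadmin-sns-cli-script --dry-run. Firewall
# properties below are constructed; only the script and CSV come from the guide.
import csv
import io
import re
from datetime import datetime

VAR_RE = re.compile(r"%([A-Za-z0-9_]+)%")

# Constructed FW_* properties (section 8.2.1 lists the real variable names)
FIREWALLS = {
    "sns-paris": {"FW_NAME": "sns-paris", "FW_ADDRESS": "198.51.100.11",
                  "FW_MODEL": "MODEL-PLACEHOLDER", "FW_CUSTOM1": "paris-site"},
    "sns-lyon": {"FW_NAME": "sns-lyon", "FW_ADDRESS": "198.51.100.12",
                 "FW_MODEL": "MODEL-PLACEHOLDER", "FW_CUSTOM1": "lyon-site"},
}

SCRIPT = '''# Create a new host
CONFIG OBJECT HOST NEW name=AD-%type% comment="%type% AD server for FW %FW_NAME%" ip="%ip_addr%" resolve=%mode%
CONFIG OBJECT ACTIVATE
'''

CSV_TEXT = """firewall;type;ip_addr;mode
sns-paris;Main;1.1.1.1;static
sns-paris;Backup;1.1.2.2;dynamic
sns-lyon;Main;4.4.4.4;static
sns-lyon;Backup;4.4.5.5;dynamic
"""

SAMPLE_NOW = datetime(2015, 12, 22, 10, 47, 27)   # matches the guide's %NOW% example


def global_variables(now):
    """NOW, NOW_AS_DATE and NOW_AS_TIME, identical for every firewall."""
    stamp = now.strftime("%Y%m%d-%H%M%S")
    return {"NOW": stamp, "NOW_AS_DATE": stamp[:8], "NOW_AS_TIME": stamp[9:]}


def render(script, variables):
    """Substitute every %NAME% (names are case sensitive). An unknown name
    raises, as SMC refuses to run a script that references an unknown variable."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown variable %{name}%")
        return variables[name]
    return VAR_RE.sub(substitute, script)


def expand_with_csv(script, csv_text, firewalls, now, delimiter=";"):
    """One rendered copy of the script per CSV row, grouped by firewall.
    Assumption: the 'firewall' column names the target; every other column
    becomes a variable (a CSV column with the same name as a FW_* property
    wins, a constructed choice)."""
    rendered = {}
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=delimiter):
        target = row.pop("firewall")
        if target not in firewalls:
            raise KeyError(f"unknown firewall {target}")
        variables = {**global_variables(now), **firewalls[target], **row}
        rendered.setdefault(target, []).append(render(script, variables))
    return rendered


def dry_run(script=SCRIPT, csv_text=CSV_TEXT, delimiter=";"):
    """Concatenated per-firewall output, like the guide's expected result."""
    out = expand_with_csv(script, csv_text, FIREWALLS, SAMPLE_NOW, delimiter)
    return {fw: "".join(copies) for fw, copies in out.items()}


if __name__ == "__main__":
    for fw, text in dry_run().items():
        print(f"--- {fw} ---\n{text}")
```

The delimiter parameter plays the role of FWADMIN_SNS_CLI_CSV_DELIMITER: the same CSV with commas instead of semi-colons renders identically when the delimiter is changed, and a lowercase %fw_name% is rejected because variable names are case sensitive.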

8.5 Running the SNS CLI script on a high availability cluster

The steps are the same as in both previous sections.

The script is first run on the active node of the cluster. The SMC server then performs a synchronization of both nodes of the cluster.


If the passive node is not connected to the active node at the time of execution, the SMC server will perform a synchronization between both nodes when the passive node connects again to the active node.

8.6 Attaching files to a script and receiving files generated by script

Running certain script commands requires sending or receiving files to or from SN firewalls. For example:

- Updating SN firewalls,
- Installing licenses,
- Generating backups of SN firewall configurations.

Files can be sent or received from the web interface of the SMC server and from the command line interface.

8.6.1 Command arguments to be used in the script

For a command requiring an input file, use the following command arguments to specify the name of the file to be sent:

- $FROM_DATA_FILE("myFileName.extension") to attach a file without Unicode processing,
- $FROM_TEXT_FILE("myFileName.extension") to attach a file with Unicode processing.

For a command generating an output file, use the following command arguments to specify the name of the file to be received:

- $SAVE_TO_DATA_FILE("myFileName.extension") to back up a file without Unicode processing,
- $SAVE_TO_TEXT_FILE("myFileName.extension") to back up a file with Unicode processing.

To find out the locations of these files, please refer to the sections below Attaching files to a SNS CLI script and Receiving files generated by a SNS CLI script.

The script will not run if:

- No files have been specified in the argument of a command that requires an input file or generates an output file,
- An input or output file has been specified in the argument of a command that does not require one.

Example

The following command allows generating the backup file of a firewall named backup-22-09-2016.zip on the SMC server:

CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-22-09-2016.zip")


TIP

You can use variables in the syntax for sending or receiving files. For example, to create configuration backups for several firewalls, write the following command:

CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-%FW_NAME%.na")

8.6.2 Attaching files to a script

Via the web interface

1. In the web interface of the SMC server, select Scripts > SNS CLI scripts.

2. In the Firewalls selection tab, after having selected a script, expand the Optional: attachments related to the script sub-menu and select one or several attachments.

Via the command line interface

Copy the attachments to the root of the folder /var/tmp/sns-cli/input on the SMC server using SSH.

The script execution engine retrieves the files needed at this location in order to forward them to the firewalls.

TIP

You can change the default folder in the environment variable FWADMIN_SNS_CLI_ATTACHMENTS_DIR located in the file /data/config/fwadmin-env.conf.local. You will then need to restart the server with the command:

nrestart fwadmin-server

8.6.3 Receiving files generated by a script

Via the web interface

In the Execution tab in the SNS CLI scripts menu, retrieve all files and logs generated for each firewall the last time the script was run.

To retrieve files and logs generated in earlier script executions, please refer to the following section Via the command line interface.

Receiving files and logs

Click on Download all generated files at the bottom of the Execution tab to download an archive including all generated files and execution logs for all firewalls at the same time. The archive will contain a folder per firewall.

To retrieve files and logs generated by running a script on a single firewall, click on the icon in the column Generated files.

View execution logs

To simply view execution logs for a given firewall, click on the icon in the column Generated files.

Via the command line interface

All files and logs generated for each firewall after running a script are placed by default in the folder /var/tmp/sns-cli/output on the SMC server. The tree created as such will contain a folder for each script execution.


TIP

You can change the default folder in the environment variable FWADMIN_SNS_CLI_OUTPUT_DIR located in the file /data/config/fwadmin-env.conf.local. You will then need to restart the server with the command:

nrestart fwadmin-server

Example

When this command is run:

CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-%FW_NAME%.na")

the following tree is obtained:

/var/tmp/sns-cli/output/latest -> 00001_20160219-171926
/var/tmp/sns-cli/output/00001_20160219-171926
/var/tmp/sns-cli/output/00001_20160219-171926/sns-1
/var/tmp/sns-cli/output/00001_20160219-171926/sns-1/backup-sns-1.na
/var/tmp/sns-cli/output/00001_20160219-171926/sns-1/output.log
/var/tmp/sns-cli/output/00001_20160219-171926/sns-2
/var/tmp/sns-cli/output/00001_20160219-171926/sns-2/backup-sns-2.na
/var/tmp/sns-cli/output/00001_20160219-171926/sns-2/output.log

The latest folder always points to the last execution.
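The following pre-flight check is an added example and is not part of the Stormshield guide or of the SMC server code. It parses the $FROM_*_FILE and $SAVE_TO_*_FILE arguments of section 8.6.1, reports a missing attachment before the script is sent (the "missing attached file" error of section 8.3), and computes where each generated file will land in the output tree of section 8.6.3. The firewall names and serial numbers are constructed, the run folder reuses the guide's example name, and LICENCE_INSTALL_PLACEHOLDER is a placeholder standing in for a real SNS command that takes an input file, not an actual command. The rejection of path-like attachment names is an added defensive check of my own, motivated by the guide's statement that attachments sit at the root of the input folder.

```python
# Added example, not part of the Stormshield guide or the SMC server code: a
# pre-flight check for the $FROM_*_FILE / $SAVE_TO_*_FILE arguments (section
# 8.6.1) and for where generated files land (section 8.6.3). Firewall
# properties, serial numbers and the placeholder licence command are constructed.
import re

INPUT_DIR = "/var/tmp/sns-cli/input"     # default FWADMIN_SNS_CLI_ATTACHMENTS_DIR
OUTPUT_DIR = "/var/tmp/sns-cli/output"   # default FWADMIN_SNS_CLI_OUTPUT_DIR

VAR_RE = re.compile(r"%([A-Za-z0-9_]+)%")
FILE_ARG_RE = re.compile(
    r'\$(FROM_DATA_FILE|FROM_TEXT_FILE|SAVE_TO_DATA_FILE|SAVE_TO_TEXT_FILE)'
    r'\s*\(\s*"([^"]*)"\s*\)')

# Constructed firewall properties; the run identifier is the guide's example
FIREWALLS = {
    "sns-1": {"FW_NAME": "sns-1", "FW_SERIAL": "SERIAL-PLACEHOLDER-1"},
    "sns-2": {"FW_NAME": "sns-2", "FW_SERIAL": "SERIAL-PLACEHOLDER-2"},
}
RUN_ID = "00001_20160219-171926"

# The CONFIG BACKUP line is the guide's; LICENCE_INSTALL_PLACEHOLDER is not a
# real SNS command, it only stands for a command that takes an input file.
SCRIPT = '''LICENCE_INSTALL_PLACEHOLDER $FROM_DATA_FILE("licence-%FW_SERIAL%.lic")
CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-%FW_NAME%.na")
'''


def substitute(text, variables):
    """Plain %NAME% substitution; unknown names raise KeyError."""
    return VAR_RE.sub(lambda m: variables[m.group(1)], text)


def file_arguments(script):
    """(kind, filename) pairs in script order."""
    return [(m.group(1), m.group(2)) for m in FILE_ARG_RE.finditer(script)]


def safe_name(name):
    """Attachments live at the root of INPUT_DIR, so a plain file name is the
    only legitimate form: reject empty names and anything path-like."""
    return bool(name) and "/" not in name and "\\" not in name and name not in (".", "..")


def preflight(script, firewalls, attachments, run_id):
    """Return (problems, expected_outputs).

    problems: one message per firewall whose $FROM_* file is not among the
    attachments or whose file name is not a plain name.
    expected_outputs: per firewall, where each $SAVE_TO_* file and the
    per-firewall output.log will be written for this run."""
    problems, expected = [], {}
    for fw, variables in firewalls.items():
        rendered = substitute(script, variables)
        outputs = []
        for kind, name in file_arguments(rendered):
            if not safe_name(name):
                problems.append(f"{fw}: invalid file name {name!r}")
            elif kind.startswith("FROM_"):
                if name not in attachments:
                    problems.append(f"{fw}: missing attached file {INPUT_DIR}/{name}")
            else:
                outputs.append(f"{OUTPUT_DIR}/{run_id}/{fw}/{name}")
        outputs.append(f"{OUTPUT_DIR}/{run_id}/{fw}/output.log")
        expected[fw] = outputs
    return problems, expected


def demo():
    """Constructed situation: only sns-1's licence file was copied to INPUT_DIR."""
    return preflight(SCRIPT, FIREWALLS, {"licence-SERIAL-PLACEHOLDER-1.lic"}, RUN_ID)


if __name__ == "__main__":
    problems, expected = demo()
    for line in problems:
        print("PROBLEM", line)
    for fw, paths in expected.items():
        for path in paths:
            print(fw, path)
```

In the constructed run, sns-2 is flagged because its licence file is absent from the input folder, while the expected output paths for both firewalls match the tree shown above (one backup-<FW_NAME>.na and one output.log per firewall under the run folder).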

8.7 Troubleshooting

Refer to this section in order to resolve frequently encountered issues while using SNS CLI scripts.

8.7.1 The script file is too large

- Situation: When a script file is selected, an error message indicates that the script is too large.
- Cause: The size of the file must not exceed 5 MB by default.
- Solution: If necessary, increase the limit by adding the line below to the file /data/config/fwadmin-env.conf.local. Set the limit to 10 MB for example:

FWADMIN_SNS_CLI_SCRIPT_MAX_UPLOAD_SIZE=$((10*1024*1024))

8.7.2 Certain characters are not supported in the script

- Situation: Certain accented or special characters do not display correctly in the script. The script could not be run.
- Cause: The .script file was not encoded in UTF-8.
- Solution: Change the encoding of the script to UTF-8.

8.7.3 The script fails to run on certain firewalls

- Situation: The Execution tab in the SNS CLI scripts menu indicates errors.
- Cause: The script calls up customized variables and/or attachments which are missing. The encoding of the script is wrong. Other problems may be the cause of the script's failure to run.
- Solutions:
  - Look for the cause of the error which appears in the status bar when the script is run for a given firewall.
  - Look up the log file in /var/log/fwadmin-server/server.log for further details.
  - Before running the script, you can view it for a given firewall in the Firewalls selection tab. Certain errors may be indicated.


8.7.4 The Execute script button remains grayed out

- Situation: Firewalls have been selected for the execution of a script but the execution button remains grayed out.
- Cause: During the execution of a script or deployment of a configuration, you will not be able to run another script execution.
- Solution: Wait for the ongoing execution or deployment to end.


9. Backing up the configuration of firewalls and SMC

SMC makes it possible to set up automatic backups of the configuration of SN firewalls as well as the configuration of the SMC server. You can manually perform full backups of your firewall environment as well at any moment.

9.1 Automatic backups of the configuration of the server and firewalls

SMC can automatically and recurrently back up the configuration of SN firewalls and the server itself in order to restore the entire pool when necessary.

To enable automatic backup:

1. Go to the Maintenance > Backup menu on the left.

2. In the Automatic tab, select Enable automatic backup.

An automatic backup will be performed every hour.

The list will show all saved backups, which will be kept for seven days. After seven days, only one backup per day is saved. After one month, only one backup per month is saved. After 12 months, backups are deleted.
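The retention policy just stated, written out as a selection function so its effect on a list of backups can be checked. This is an added example and not part of the Stormshield guide or of the SMC server code; it assumes (as constructed choices) that "one month" means 30 days, "12 months" means 365 days, and that the newest backup in each day or month bucket is the one kept. The sample backup timestamps are constructed.

```python
# Added example, not part of the Stormshield guide or the SMC server code: the
# retention policy of section 9.1 as a selection function. Assumptions
# (constructed): "one month" is 30 days, "12 months" is 365 days, and the
# newest backup in each day or month bucket is the one kept.
from datetime import datetime, timedelta


def retention_plan(backups, now):
    """Split backups (datetimes) into (keep, delete) under the stated policy:
    every backup for 7 days, then one per day up to a month, then one per
    month up to 12 months, nothing older."""
    keep, seen_day, seen_month = [], set(), set()
    for ts in sorted(backups, reverse=True):          # newest first
        age = now - ts
        if age <= timedelta(days=7):
            keep.append(ts)                             # hourly backups, all kept
        elif age <= timedelta(days=30):
            if ts.date() not in seen_day:               # first (newest) of each day
                seen_day.add(ts.date())
                keep.append(ts)
        elif age <= timedelta(days=365):
            if (ts.year, ts.month) not in seen_month:   # first (newest) of each month
                seen_month.add((ts.year, ts.month))
                keep.append(ts)
        # older than 12 months: not kept
    kept = set(keep)
    return sorted(keep), sorted(ts for ts in backups if ts not in kept)


# Constructed sample: hourly backups for the last two days plus older ones
SAMPLE_NOW = datetime(2017, 4, 6, 12, 0)
SAMPLE_BACKUPS = (
    [SAMPLE_NOW - timedelta(hours=h) for h in range(48)]
    + [datetime(2017, 3, 20, 2), datetime(2017, 3, 20, 10), datetime(2017, 3, 20, 18)]  # same day, ~17 days old
    + [datetime(2017, 3, 12, 9)]                                                         # ~25 days old
    + [datetime(2017, 1, 5, 8), datetime(2017, 1, 20, 8)]                                # same month, 2-3 months old
    + [datetime(2016, 11, 3, 8)]                                                         # 5 months old
    + [datetime(2016, 3, 1, 8)]                                                          # older than 12 months
)


def demo():
    """Kept and deleted timestamps for the sample, as ISO strings."""
    keep, delete = retention_plan(SAMPLE_BACKUPS, SAMPLE_NOW)
    return [t.isoformat() for t in keep], [t.isoformat() for t in delete]


if __name__ == "__main__":
    keep, delete = demo()
    print(f"{len(keep)} kept, {len(delete)} deleted")
    for t in delete:
        print("delete", t)
```

For the sample, the 48 recent hourly backups are all kept, the three backups of 20 March collapse to the 18:00 one, the two January backups collapse to the 20 January one, and the March 2016 backup is dropped as older than 12 months.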

To retrieve a backup, click on the icon in the Actions column. The archive contains a metadata file, the backup of the SMC server's configuration and the backups of each firewall's configuration in .na format.

To find out how to restore a backup of the SMC server's configuration, refer to the section Saving and restoring the SMC server configuration.

To find out how to restore a backup of a firewall's configuration, refer to the Stormshield Network user configuration manual.

An icon in the Status column indicates whether the configurations of all firewalls have been backed up, and which firewalls present issues. Scroll over icons with the mouse to display a tool tip.

For more details on a backup, double click on a line or click on the icon in the Actions column.

9.2 Backing up the configuration of firewalls manually

You can also perform a one-off backup of the configuration of some or all of the firewalls in your pool.

1. Go to the Maintenance > Backup menu on the left.

2. In the Manual tab, enter a password if you wish to encrypt backups. The characters #, % and " are prohibited and the password must not exceed 255 characters.

3. Click on Use the firewalls backup script.

4. The SNS CLI scripts panel appears. The script to manually back up the firewall configuration is preloaded.

5. Select the firewalls for which you wish to back up the configuration, then run the script.

For more information on scripts, please refer to the section Running the SNS CLI script from the web interface.


This manual backup does not include the configuration of the SMC server. To back up the configuration of the server, refer to the section Saving and restoring the SMC server configuration or enable automatic backups.


10. Removing SN firewalls from the SMC server

1. To stop administrating a firewall from the SMC server and remove it from the list of firewalls in the web interface, scroll over the name of the firewall in Monitoring > Firewalls and select the red cross.

The firewall will no longer be able to connect to the SMC server.

2. As a second step, connect to the firewall via SSH or the console port and enter the following commands:

nstop cad
setconf /Firewall/ConfigFiles/Cad/cad Server State 0
rm /Firewall/ConfigFiles/Cad/*.pem

The firewall will stop trying to connect to the SMC server.

In the case of a high availability cluster, enter these commands on the active node of the cluster and synchronize both nodes.


11. Managing and maintaining the SMC server

Management and maintenance operations are performed either from the web interface or from the command line interface, or both.

11.1 Verifying the SMC server version in command line

To see the SMC server version:

1. Connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter the command fwadmin-version.

3. The following information displays:

- FWADMIN_VERSION: indicates the version under the form 1.2.3,
- FWADMIN_BUILD_NUMBER: indicates the date of the build of the server and Stormshield hashes which can be provided to the Stormshield Network Security Support in case of issue.

11.2 Changing the SMC server time zone and date

By default the SMC server time zone is GMT+1 (Central European Time).

11.2.1 Changing the time zone

1. Connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter the command fwadmin-date-time --timezone "timezone" to modify the time zone. Replace timezone with the correct time zone.

- To see the available time zones, enter the command ls -l /usr/share/zoneinfo/,
- To find the city in the zone of your choice (Asia for example), enter the command ls /usr/share/zoneinfo/Asia.

3. Restart the server with the command reboot. This step is required in order for the new time zone to be applied to all services.

4. Enter the command fwadmin-date-time to check that the modification has been properly applied.

11.2.2 Changing the date manually

1. Enter the command fwadmin-date-time --date-time "dateandtime" to modify the date. Replace dateandtime with the current date and time, using the format YYYY-MM-DD hh:mm:ss.

2. Enter the command fwadmin-date-time to check that the modification has been properly applied.

11.2.3 Changing the date via NTP

To enable NTP on the SMC server:

1. Enter the command fwadmin-date-time --ntp-servers ntp1.org,ntp2.com,IPaddress separating each NTP server with a comma if there are several. NTP servers may also be identified by their IP addresses or DNS names.

2. Enter the command date to check the modification has been properly applied.

To disable NTP, you need to go back to manual date mode.

11.2.4 Displaying a comprehensive summary of the SMC server's date/time

Enter the command fwadmin-date-time to display all of the server's date/time parameters:

fwadmin-date-time
TIMEZONE=Asia/Dubai
NTPSERVERS=none
LOCALDATE=2016-05-18 09:05:19

11.3 Managing administrators

Go to SMC Server > Administrators to add, edit and remove administrators. The panel displayed depends on whether you are connected to the server as the "admin" user or as another user.

Apart from the right to add, edit or delete administrators, all administrators have the same rights on the SMC server web interface.

11.3.1 Managing administrators when connected as the "admin" user

The "admin" user is the only user allowed to add, edit and remove administrators. Go to the

Administrators panel:

1. To add an administrator, click Add an administrator.

2. To edit an administrator, double click the administrator line or move the mouse over the administrator name and select the pen icon.

3. To remove an administrator, move the mouse over the administrator name and select the red cross icon.

TIP

The admin user cannot be removed.

11.3.2 Managing administrators when connected as a user other than the "admin" user

The other administrators who have been set by the "admin" user account can only edit their own profile:

1. Go to SMC Server > My administrator profile.

2. Edit the properties and apply modifications.

11.4 Consulting and saving the SMC server's logs locally

The SMC server provides two types of log files:

- server.log: lists all actions saved on the SMC server. This file may be read from the server's web interface and from the command line interface using the nlogs command.

- audit.log: lists all actions performed by an administrator on the server. This file may be read from the command line interface using the alogs command.

To find out how to send logs to a remote Syslog server, refer to the section Sending SMC logs to a remote server in Syslog format.

11.4.1 Viewing server.log logs from the web interface

1. Display and hide the logs from the server.log file at any time by clicking the logs button at the top right of the interface or by clicking the black arrow at the bottom of the interface.

2. Select the debug or information log level in the drop-down list.

A maximum of 1000 lines can be displayed. When the limit is reached, old logs are replaced by new ones in the interface.

3. To view the contents of the entire log file, connect to the SMC server via the console port or in SSH with the "root" user account and enter the command nlogs.

11.4.2 Saving server logs

In SMC Server > Maintenance, click Save logs in the Save server logs pane.


An archive containing both log files in .json format will be downloaded. Logs cannot be restored.

11.5 Sending SMC logs to a remote server in Syslog format

SMC supports the Syslog protocol in order to collect all logs from the server and send them to a remote Syslog server, with or without encryption.

To use the Syslog service on SMC:

1. Connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter the command fwadmin-syslog-ng. The service's current configuration will appear.

11.5.1 Sending logs to a remote server without encryption

1. Type the command fwadmin-syslog-ng --wizard to select an operating mode.

2. Select the option Store logs locally and send logs to a syslog-ng server through TCP.

3. Enter the IP address or FQDN of the remote server as well as the port number.

11.5.2 Sending logs to a remote server with encryption

To encrypt communications when forwarding logs to the remote server, you will need three files issued by your PKI (Public Key Infrastructure):

- The client certificate in PEM format, which allows the remote server to identify SMC,

- The client's private key in PEM format, which allows SMC to encrypt data so that only the remote server can decrypt it,

- The certificate of the certificate authority in PEM format, which allows SMC to trust the remote server.


1. Before configuring the Syslog service, copy these three files on SMC, in /tmp for example.

2. Type the command fwadmin-syslog-ng --wizard to select an operating mode.

3. Select the option Store logs locally and send logs to a syslog-ng server through TCP with TLS.

4. Enter the IP address or FQDN of the remote server as well as the port number.

5. Indicate the location of the certificates. The Syslog wizard will copy them into the folder /data/certs/syslog-ng/.

11.5.3 Disabling the sending of logs to a remote server

1. Type the command fwadmin-syslog-ng --wizard to select an operating mode.

2. Select the option Store logs locally in /var/log/messages (default).

11.5.4 Troubleshooting

The remote Syslog server is unreachable

- Situation: You have specified the name of the remote Syslog server using its FQDN but the server remains unreachable.

- Cause: The DNS service was probably not configured properly or is unable to resolve the FQDN.

- Solution: Check the resolution of the DNS server by typing the command nslookup server-syslog.domain.com in the SMC command line interface.

When logs are forwarded with encryption, the remote server does not receive SMC logs

- Situation: You have configured logs to be sent to a remote Syslog server with encryption. You have provided the certificates required, but the Syslog server did not accept the encrypted communication.

- Cause: The remote Syslog server probably did not accept the certificates as they may have expired or been revoked.

- Solution: Check the error message that the remote Syslog server returned by typing the following commands in the SMC command line interface:

MY_SERVER_ADDR=xxx.xxx.xxx.xxx
MY_SERVER_PORT=xxxx
openssl s_client -connect ${MY_SERVER_ADDR}:${MY_SERVER_PORT} -cert /data/certs/syslog-ng/xxxx.pem -key /data/certs/syslog-ng/xxxx.pem -CAfile /data/certs/syslog-ng/xxxx.pem
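Before running the wizard with the three PEM files (section 11.5.2), or when the remote server rejects the TLS connection as in the case above, a local check of the files catches the usual causes: the certificate and private key do not belong together, the client certificate does not chain to the CA, or a certificate is expired or about to expire. The script below is an added example and is not part of the Stormshield guide; it assumes only the openssl binary, and the make_test_pki helper builds a throwaway CA and client certificate in a temporary directory purely to exercise the check.

```shell
#!/bin/sh
# Added example (not from the Stormshield guide): sanity-check the three PEM
# files given to "fwadmin-syslog-ng --wizard" before forwarding logs with TLS.
# Usage: check_syslog_tls_files CLIENT_CERT CLIENT_KEY CA_CERT
# Returns 0 when the files are consistent, 1 otherwise, printing the reason.
check_syslog_tls_files() {
    cert=$1; key=$2; ca=$3
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # 1. The private key must match the public key embedded in the certificate,
    #    otherwise the TLS handshake fails before any log line is sent.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "client certificate and private key do not match"; return 1; }
    # 2. The client certificate must chain to the CA (the remote server is
    #    expected to trust the same CA, and SMC uses it to trust the server).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "client certificate is not signed by the given CA"; return 1; }
    # 3. Neither certificate may be expired or expire within the next hour.
    for f in "$cert" "$ca"; do
        openssl x509 -in "$f" -noout -checkend 3600 >/dev/null ||
            { echo "certificate expired or about to expire: $f"; return 1; }
    done
    echo "OK: $cert, $key and $ca are consistent"
    return 0
}

# Constructed test PKI (sample data only): a self-signed CA and a client
# certificate it signs, written into the directory given as argument.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=smc-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 2 \
        -out "$dir/client.pem" 2>/dev/null
}

# Stand-alone demonstration: "sh check-syslog-tls.sh --demo" builds the
# constructed PKI, checks a consistent trio, then a wrong key (which fails).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    check_syslog_tls_files "$tmp/client.pem" "$tmp/client.key" "$tmp/ca.pem"
    check_syslog_tls_files "$tmp/client.pem" "$tmp/ca.key" "$tmp/ca.pem" || true
    rm -rf "$tmp"
fi
```

On the SMC server itself, point the function at the files copied to /tmp (or at /data/certs/syslog-ng/ after the wizard has run) in place of the constructed ones.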

11.6 Saving and restoring the SMC server configuration

Saving and restoring the SMC server configuration is possible from the server web interface or from the command line interface.

TIP

The following restriction applies to the restoration of a server configuration: the SMC server version must be the same as the version of the server from which the backup file was generated.

Server logs are not contained in the backup file.


11.6.1 Saving the server configuration from the web interface

In SMC Server > Maintenance, click Save configuration in the Save server configuration pane.

The configuration backup file can be restored from:

- The SMC server web interface,

- The command line interface,

- The SMC server initialization wizard.

For more information, refer to sections Restoring server configuration from the web interface, Restoring server configuration from the command line interface and Restoring server configuration from the initialization wizard.

11.6.2 Saving the server configuration from the command line interface

1. To save a server configuration from the command line interface, connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter the command fwadmin-config-backup. The name of the archive is displayed.

3. To save the configuration without the deployment history, enter the command fwadmin-config-backup --no-history.

The configuration backup file can be restored from:

- The SMC server web interface,

- The command line interface,

- The SMC server initialization wizard.

For more information, refer to sections Restoring server configuration from the web interface, Restoring server configuration from the command line interface and Restoring server configuration from the initialization wizard.

11.6.3 Restoring server configuration from the web interface

In SMC Server > Maintenance, select a backup file to restore in the Restore server configuration pane.

To know how to create a server backup, refer to sections Saving the server configuration from the web interface and Saving the server configuration from the command line interface.


11.6.4 Restoring server configuration from the command line interface

1. To restore a server configuration from the command line interface, copy the backup file in /var/tmp on the SMC server using SSH protocol.

2. Connect to the SMC server via the console port or SSH connection with the "root" user.

3. Enter the command fwadmin-config-restore --backup-file /path/to/backup. Replace /path/to/backup with the path and name of the backup file.

4. Reboot.

To know how to create a server backup, refer to sections Saving the server configuration from the web interface and Saving the server configuration from the command line interface.

11.6.5 Restoring server configuration from the initialization wizard

When initializing a new SMC server after the deployment of a new virtual machine, select a backup to restore from the first step of the server initialization wizard.


To know how to create a server backup, refer to sections Saving the server configuration from the web interface and Saving the server configuration from the command line interface.

The integrity of the backup file is verified before it is restored; you then have to log in again.

11.7 Updating the SMC server from the command line interface

An update archive is required to update the SMC server. The archive updates both the web interface and the operating system.

During the update process, firewalls continue to run. Firewalls do not need to be updated.

During each update, the unified configuration file will be migrated to the new version of the server.

This file will be automatically updated on the older system before the migration process begins.

To update the server:

1. Download the update archive on your workstation from your MyStormshield personal area.

2. Copy the archive in /var/tmp on the SMC server using SSH protocol.

3. Connect to the SMC server via the console port or SSH connection with the "root" user.

4. Enter the command fwadmin-update -u /var/tmp/archivename. Replace archivename with the name of your archive.


5. Wait for the completion of the update. During the process, the server remains available within the current version.

6. Enter the command reboot. The updated system restarts.

For any specific information regarding updates between two versions, please refer to the SMC release notes.

11.8 Resetting "root" and administrator passwords

If you forgot the "root" administrator password used to connect to the SMC server via the console port or in SSH, or the administrator password for the server's web interface, follow this procedure.

11.8.1 Resetting the "root" administrator password

WARNING

QWERTY keyboard layout is required to perform these actions.

Changing the server startup mode

1. From the virtual environment, restart the SMC server.

2. When the server restarts and the screen to select the server version is displayed, press the TAB key to enter the startup screen's edit mode.

3. The server startup command line is displayed. At the end of the line, add: rw init=/bin/bash


4. Press Enter to validate and start the server.

Modifying the password

1. The server starts. Enter the command passwd directly.

2. Enter and confirm the new password (QWERTY keyboard layout).


3. Enter the command shutdown -nr now to restart the server.

11.8.2 Resetting the administrator password

1. Connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter the following commands:

- fwadmin-ui-password --password myNewPassword to modify the main "admin" administrator password,

- fwadmin-ui-password --username myOtherUser --password myNewPassword to modify the password of another administrator (myOtherUser in this example).

11.9 Disabling automatic synchronization of high availability clusters

The SMC server regularly synchronizes both nodes in the high availability clusters of SN firewalls that it manages.

If necessary, you can disable automatic synchronization:

1. Connect to the SMC server via the console port or SSH connection with the "root" user.

2. Edit the file /data/config/fwadmin-env.conf.local by adding the following line at the end:

FWADMIN_HASYNC_ON_DESYNCHRO=false

3. Restart the fwadmin-server service with the command nrestart fwadmin-server

11.10 Monitoring SMC with SNMP

SNMP (Simple Network Management Protocol) is a communication protocol that allows network administrators to monitor devices and diagnose network and hardware issues remotely.

SMC offers the SNMP service via the command fwadmin-snmp.

This service is not enabled by default on the SMC server. If you do enable it, you do not need to enable it again after restarting the server, as this setting will be remembered.

11.10.1 Using the SNMP service

1. Connect to the SMC server via the console port or SSH connection with the "root" user.

2. Enter one of the following commands:

Action                          Command
Enable the service              fwadmin-snmp enable
View the status of the service  fwadmin-snmp status
Restart the service             fwadmin-snmp reload
Disable the service             fwadmin-snmp disable

11.10.2 Using MIBs

SMC supports the following MIBs to monitor SMC:

Category   RFC            MIB
system     RFC 1213       .1.3.6.1.2.1.1
ifaces     RFC 1213       .1.3.6.1.2.1.2
           RFC 2863       .1.3.6.1.2.1.31
ips        RFC 1213       .1.3.6.1.2.1.4
tcp        RFC 1213       .1.3.6.1.2.1.6
udp        RFC 1213       .1.3.6.1.2.1.7
snmp       RFC 1213       .1.3.6.1.2.1.11
mem        UCD-SNMP-MIB   .1.3.6.1.4.1.2021.4
disk       UCD-SNMP-MIB   .1.3.6.1.4.1.2021.9
load       UCD-SNMP-MIB   .1.3.6.1.4.1.2021.10
cpu        UCD-SNMP-MIB   .1.3.6.1.4.1.2021.11
sysstats   UCD-SNMP-MIB   .1.3.6.1.4.1.2021.11
perf       RFC 1514       .1.3.6.1.2.1.25.4
                          .1.3.6.1.2.1.25.5


Annexe A. Examples of the use of SNS CLI scripts

This appendix provides four examples of how to use SNS CLI scripts to perform grouped actions on a pool of SN firewalls.

For more information on SNS CLI scripts, please refer to the section Running SNS CLI commands on an environment of firewalls.

A.1 Backing up the configuration of firewalls

The following scripts allow backing up the configuration of SN firewalls in standalone or in HA clusters.

Standalone SN Firewalls

###############################################################
# To save the configuration of a SNS firewall
# You need to execute the following command: CONFIG BACKUP
#
# The "list" option specifies the list of modules to save. The list of modules has to be comma-separated.
# Available modules are the following:
# MailFiltering,UrlFiltering,SslFiltering,UrlGroup,Autoupdate,Services,SecurityInspection,Object,Filter,Vpn,Ldap,Network,Global
# Use list=all in order to save all modules
#
# The $SAVE_TO_DATA_FILE argument indicates the name of the file in which the result of the execution will be saved
###############################################################
CONFIG BACKUP list=all $SAVE_TO_DATA_FILE("backup-%FW_NAME%.na")

HA Cluster

###############################################################
# To save the configuration of each peer of a HA cluster
# You need to execute the following command twice: CONFIG BACKUP
#
# The "list" option specifies the list of modules to save. The list of modules has to be comma-separated.
# Available modules are the following:
# MailFiltering,UrlFiltering,SslFiltering,UrlGroup,Autoupdate,Services,SecurityInspection,Object,Filter,Vpn,Ldap,Network,Global
# Use list=all in order to save all modules
#
# On a HA cluster, use the serial number to refer to the peer to save
# To do this, use the "fwserial" option
#
# The $SAVE_TO_DATA_FILE argument indicates the name of the file in which the result of the execution will be saved
###############################################################
# For the active node
CONFIG BACKUP list=all fwserial=%FW_SERIAL% $SAVE_TO_DATA_FILE("backup-active-node-%FW_NAME%.na")
# For the passive node
CONFIG BACKUP list=all fwserial=%HA_PEER_SERIAL% $SAVE_TO_DATA_FILE("backup-passive-node-%FW_NAME%.na")


A.2 Updating firewalls

The following scripts allow updating SN firewalls in standalone or in HA clusters.

Standalone SN Firewalls

###############################################################
# To update a SNS firewall
# You need to execute the following command: SYSTEM UPDATE UPLOAD
#
# Execute the SYSTEM UPDATE ACTIVATE command after the SYSTEM UPDATE UPLOAD command in order to complete the update
#
# The $FROM_DATA_FILE argument specifies the name of the update archive to be used
###############################################################
SYSTEM UPDATE UPLOAD $FROM_DATA_FILE("fwupd-2.4.0.maj")
SYSTEM UPDATE ACTIVATE

HA Cluster

###############################################################
# To update each peer of a HA cluster
# You need to execute the following command twice: SYSTEM UPDATE UPLOAD
#
# To limit the number of failovers, we recommend applying the update procedure to the passive node first
# Once the passive node has rebooted, apply the update procedure to the active node
# The passive node will become the active one after failover
#
# Execute the SYSTEM UPDATE ACTIVATE command after the SYSTEM UPDATE UPLOAD command in order to complete the update
#
# On a HA cluster, use the serial number to refer to the peer to update
# To do this, use the "fwserial" option
#
# The $FROM_DATA_FILE argument indicates the name of the update archive to use
###############################################################
# For the passive node
SYSTEM UPDATE UPLOAD fwserial=%HA_PEER_SERIAL% $FROM_DATA_FILE("fwupd-2.4.0.maj")
SYSTEM UPDATE ACTIVATE fwserial=%HA_PEER_SERIAL% # The passive node will reboot after this command
# When the passive node is back online
# Follow the same procedure for the active node
SYSTEM UPDATE UPLOAD fwserial=%FW_SERIAL% $FROM_DATA_FILE("fwupd-2.4.0.maj")
SYSTEM UPDATE ACTIVATE fwserial=%FW_SERIAL% # The active node will reboot after this command and the passive node will become the active one


Annexe B. Details of fwadmin-xxx commands

This appendix sets out the list of commands specific to SMC that can be used in the command line interface to manage the server. To find out how to log on to the command line interface, refer to the section Connecting to the command line interface.

There are other fwadmin-xxx commands that have not been mentioned in this list as they are solely intended for the internal operations of the server.

Command: Action

fwadmin-update: Updates the SMC server. See section Updating the SMC server from the command line interface.

fwadmin-version: Displays the version of the SMC server. See section Verifying the SMC server version in command line.

fwadmin-ui-password: Modifies the password of the user on the SMC server's web interface. See section Resetting the administrator password.

fwadmin-syslog-ng: Configures the logging service in Syslog format. See section Sending SMC logs to a remote server in Syslog format.

fwadmin-snmp: Configures the SNMP service. See section Monitoring SMC with SNMP.

fwadmin-sns-cli-script: Runs SNS CLI commands on a pool of firewalls. See section Running SNS CLI commands on an environment of firewalls.

fwadmin-config-backup: Saves the configuration of the SMC server. See section Saving the server configuration from the command line interface.

fwadmin-config-restore: Restores the configuration of the SMC server. See section Restoring server configuration from the command line interface.

fwadmin-date-time: Displays and configures the system's date, time and time zone. See section Changing the SMC server time zone and date.

fwadmin-firewalls-and-packages: Creates firewalls in SMC and their connecting package. See section Importing SN firewalls from a CSV file.

fwadmin-import-objects: Imports network objects originating from an SN firewall export in CSV format. See section Importing objects from a CSV file.

fwadmin-install-certificate: Installs a P12 certificate on an SN firewall. See section Importing a certificate for an SN firewall.

fwadmin-keyboard: Changes the language of the keyboard in the command line interface.

fwadmin-log-backup: Backs up the logs of the SMC server in a tgz archive.

fwadmin-logs: Displays logs of all actions saved on the SMC server. Equivalent to the nlogs command.

fwadmin-monitor: Displays configurations pending deployment.

fwadmin-server: Shuts down/starts/restarts the service that manages the SMC web server by using the commands nstop, nstart and nrestart. Before shutting down the service, the monit service must also be shut down with nstop monit. To restart this service: nstart monit.


Annexe C. Compatibility of SMC/SN firewalls

This table recaps the lowest versions of SN firewalls required in order to be compatible with the following SMC features:

Feature/Object              Lowest version of SN firewall required
SNS CLI Scripts             2.4
Filter/translation rules    3.0
VPN                         3.0
Router and time objects     3.1
