KB Article | Forcepoint Support

Resolution

Contents

Downloads and Updates: Information on downloading and updating SMC
SMC Licensing: How to access and use the license center
SMC Online Help: How to use the online help
How To: How to perform various tasks and gather information in SMC
Logging: Questions about SMC and NGFW appliance logging
General: General questions about SMC
Upgrading: Information on upgrading your SMC installation
 

Downloading and Updates

Where can I download Security Management Center (and Next Generation Firewall)?
Product software, upgrades and maintenance releases are available from the Downloads site. You must be logged into your Forcepoint Support site account to access downloads.

Important: Issue resolutions in minor and major releases are cumulative; therefore, Forcepoint recommends that you download and install the latest version.
 
What Security Management Center updates can be configured in Global System Properties to automatically download?
You can configure the following updates and upgrades to automatically download:
  • Dynamic updates
  • Remote upgrades for engines
  • Licenses
Note: These updates require the Management Server to have Internet connectivity and allow access by HTTPS. Also, the Management Server must have a valid support entitlement to access these resources. If Internet access is not allowed or automatic downloads are not required, you can import these updates manually using the Management Client.

Where can I manually download dynamic updates?
Dynamic updates can be downloaded manually from the IPS Dynamic Update Download page.

How do I manually install a dynamic update package?
Select Configuration > Administration > Other Elements, then right-click Updates and select Import Update Packages. You can activate the update when it has finished installing.

Note: A policy refresh is required for engines to use the changes in the update package.

How do I download a remote Engine upgrade?
Engine remote upgrades can be manually downloaded from the Product Downloads site and imported through the Management Client. See the appliance software support table in KB9743 to determine which software image to select for your engine. To import an Engine Upgrade, select Configuration, click Administration, click Other Elements and then right-click Engine Upgrades.

Note: Each component requires its own license. A license upgrade is required for each major version.

Where can I download product documentation?
Next Generation Firewall (NGFW) and SMC 5.7 and later support documentation is available from the Documentation page on the Support Portal.

Where can I obtain information on issues with earlier versions of NGFW and SMC?
Resolved issues in earlier versions (released 2014 and before) can be viewed by searching for your issue in the Knowledge Base for older versions.

SMC Licensing

What is the location of the Next Generation Firewall and Security Management Center License Center?
Follow this link to locate the License Center.

What actions can I perform in the License Center?
In the License Center you can:
  • Input proof of license (POL) or proof of serial (POS) to view your current license
  • Register licenses
  • Download license files
  • Upgrade licenses
  • Request license binding change
  • Activate a spare unit
  • Register the appliance for plug and play installation

Note: For full steps to use Installation Cloud for NGFW initial configuration, see KB9662.

SMC Online Help

What is Security Management Center Online Help?
Security Management Center Online Help describes steps to configure and manage the system. Management Client configuration options are also described in Online Help.

How is Security Management Center Online Help accessed?
Online Help is accessible through the Help menu and by clicking the Help button or pressing F1 in any window or dialog of the Management Client and the Web Portal. By default, the Management Client's Online Help is accessed through the Internet. Alternatively, you can configure the Management Client to use a copy of the Online Help from a local machine.

Can I download Online Help?
A zipped file containing Online Help can also be downloaded from the Online Help database.

Can I use Online Help locally?
Yes, you can host the Online Help on a local client such as an intranet server or a local share. This way the Management Client can access Online Help even when there is no Internet connectivity. If you want to use the Online Help locally, Technical Support highly recommends you host it on your intranet server. The Online Help is context-sensitive only if it is used from a server. For full information on hosting Online Help locally, see KB10097.

Can I view Online Help through the Internet?
Online Help can also be used in your web browser. Click here to view Online Help for your SMC version.

How To

How can I locate where each element is used in SMC?
For example, the element Local Network is used in different firewall policies and groups. How can I find which policy, subpolicy and groups use this element? Right-click the element and select Tools, and then click References.

How can I list the unused elements?
To search for unused elements, select Search and click Search Unused elements.

How can I start or stop the Management Server service?
From SMC 6.4 onwards, when SMC installs its services on Linux platforms, the installation uses systemd instead of SysV for the init system and service management. Linux distributions that run systemd can now manage SMC services. There are no changes for Linux distributions that run SysV. Because systemd maintains compatibility with other init systems, the service command continues to work in all environments. The following commands are equivalent and can be used to start or stop the service:
# service sgMgtServer [stop|start|status]
# systemctl [stop|start|status] sgMgtServer.service

In addition, the <SMC install directory>/bin directory contains the following scripts to manually start or stop the server:
# ./sgStartMgtSrv.sh
# ./sgStopMgtSrv.sh

Logging

Does the log server use a database, or are logs saved as simple binary files?
The log server saves logs in a proprietary binary format. It is not a database, but it has some indexing.

What is the maximum period of time appliance logs can be kept?
When connectivity to the log server is working, logs are immediately sent from the appliance to the log server and logs are not kept in the appliance. There is some local disk space available on the appliance, for log spooling and for situations when the log server is not reachable.

After the connection to the log server is restored, spooled logs are sent to the log server. The time period that the local spool can handle logs is not fixed, and depends on the number of logs that are produced in that specific environment and configuration.

General

A certificate is used for encryption between SMC, the Security engine and proofs. Does this electronic certificate correspond to SHA-2 and RSA2048?
There are two modes: the default mode and 256-bit security mode. The mode can be selected when installing SMC.

In default mode, 2048-bit RSA keys are used for authentication; TLS cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA.
In 256-bit security mode, 521-bit ECDSA keys are used for authentication; TLS cipher suite is TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.

Is a distributed SMC deployment that uses different operating systems for its components supported?
For example, the Management Server is installed on Microsoft Windows and the Log Server is installed on Linux. This type of configuration is supported.

Note: For performance reasons, Forcepoint Technical Support recommends running your Log Server on Linux.

Which administrative domain should Log Servers be set to?

There must always be one Log Server defined in the Shared Domain and selected as the Log Server in the Management Server properties to handle server alerts. Forcepoint Technical Support recommends using Log Servers that are specific to each administrative domain. However, a Log Server in the Shared Domain can be used by NGFW engines in several administrative domains.

Management client Reconnect option works only shortly after disconnect

The Management Client has a Reconnect option (click Menu, click File, and click Reconnect) that re-establishes the connection with the Management Server if it has disconnected for some reason. This way, all open tabs remain available. However, this option only works for a short time after disconnection, and the session must still exist on the server end. If the session no longer exists on the server, the server rejects the reconnect request and the client shows the error message "Failed to restart. Connection to server failed. Connection already closed".

SMC servers cannot listen to ports below 1024 in Linux environments
Web Start and Web Portal Servers cannot listen to ports below 1024 in Linux environments. Log Servers are also unable to use ports below 1024 for Log Reception in Linux environments. Only root processes can listen for connections on ports below 1024.

Manual blacklisting not supported with dynamic firewalls
Firewall engines that have a dynamic control IP address do not support manual blacklisting.

Upgrading

Can I install a pair of SMC Management servers in an Active/Active configuration so they share information?

No, SMC currently has High Availability (HA) mode where only one SMC node is active. However, these configured Management Servers will share information in real time. You can have up to four (4) standby Management Servers.

Note: In this configuration, only the Management Server is set up in HA. The Log Server component of SMC approaches HA entirely differently. Each log sending engine can revert to a configured standby log server if failing to communicate with the default server.

Which SMC component must be upgraded first, the Log server or Management server?

The order in which you upgrade your Management and Log Servers does not matter because both must be upgraded before they can communicate. Forcepoint Technical Support recommends you upgrade your Management Server first because, if there happen to be any upgrade issues, they are more likely to be seen during the Management Server upgrade.

I have deployed my SMC server using High Availability; if the active Management Server fails, how soon does the backup SMC Management Server become aware of the failure?

SMC failover is always manual and can be performed regardless of the primary being up or down. It does not matter how and when the backup server notices the primary is down because you must manually activate the other Management Server and failover only happens when the SMC chooses to trigger it.

When the primary Log Server fails, how long does it take the secondary server to detect and pick up the active role?

Log servers are always active. The Engine will detect that it cannot send logs to its primary log destination and switch to the backup. No logs are lost because the Engine will resend the logs it could not successfully send to the primary.

Is the log data automatically replicated across all log servers or do they synchronize? Are some logs only visible on one server, and some other logs are available on the other server?

In this scenario the logs will be stored partially on the Primary Log server and partially on the backup server; however this has no relevance to using them because the Log browser and reporting will query both servers for the relevant logs.
 
Note: If you have more than one backup, all configured backup Log Servers will be queried. Because there is no data replication between log servers, if a Log Server suffers a drive failure or other similar issue, then those logs will be lost, unless you have archived them. Forcepoint Technical Support recommends you create a scheduled task to periodically archive logs, so they can be restored if required.

When upgrading SMC I suffer an upgrade rollback. How can I check when and which version the rollback data was created on and where the sgrollbackfolder is located?

To find the location of the files and the creation date of the rollback data, view the <installation directory>/uninstall/rollback.properties file. For example, on Linux:
  • Type cat <installation directory>/uninstall/rollback.properties and press Enter. You will see output similar to:
ROLLBACK_PREVIOUS_SMC_DESTINATION=/usr/local/stonesoft/management_center/backups/sgrollbackfolder
ROLLBACK_PREVIOUS_SMC_VERSION=5.7.1
ROLLBACK_PREVIOUS_DATE=Tue, 8 Jul 2014

How do I revert to the previous SMC version?
If you selected the option to save rollback data during the upgrade, you can also revert to the previous SMC version manually, even if the upgrade was successful. A revert always returns the configuration to its state at the time of the upgrade, when the rollback data was saved. To revert to the previous version, run:
<installation directory>/uninstall/revert.sh
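
Because a revert discards every configuration change made since the rollback data was saved, it helps to confirm what that data contains before running revert.sh. The following is an added example, not Forcepoint code: the function names rollback_prop and rollback_check are hypothetical, and it assumes rollback.properties holds plain KEY=value lines with the three keys shown in the sample output above.

```shell
#!/bin/sh
# Added example: summarise rollback.properties before deciding to run revert.sh.
# Assumption: plain KEY=value lines, using the key names from the article's sample.

# Print the value of key $2 from properties file $1 (last occurrence wins).
rollback_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print a one-line summary of the saved rollback data.
# Return codes: 0 usable, 1 folder missing or empty, 2 file unreadable, 3 keys missing.
rollback_check() {
    props=$1
    [ -r "$props" ] || { echo "no rollback data: $props not readable"; return 2; }

    dest=$(rollback_prop "$props" ROLLBACK_PREVIOUS_SMC_DESTINATION)
    ver=$(rollback_prop "$props" ROLLBACK_PREVIOUS_SMC_VERSION)
    when=$(rollback_prop "$props" ROLLBACK_PREVIOUS_DATE)

    if [ -z "$dest" ] || [ -z "$ver" ]; then
        echo "incomplete rollback data in $props"
        return 3
    fi

    # The properties file can outlive the data it points to (for example after
    # a backup cleanup), so check that the folder exists and is not empty.
    if [ ! -d "$dest" ] || [ -z "$(ls -A "$dest" 2>/dev/null)" ]; then
        echo "rollback to $ver ($when) recorded, but $dest is missing or empty"
        return 1
    fi

    echo "rollback to $ver ($when) available in $dest"
}

# Usage (path placeholder as written in the article):
#   rollback_check "<installation directory>/uninstall/rollback.properties"
```

A non-zero return code means the recorded rollback data should be investigated before a revert is attempted.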

Can I restore a backup of an SMC Management or Log server taken from a Windows server to a Linux installation and vice versa?
Yes, you can restore a backup taken from SMC installed on Windows to SMC installed on Linux and vice versa. For example, if you decide to switch your installation from Microsoft Windows to Linux, install SMC to your Linux server(s) and restore the Management and Log servers from your Windows SMC installation backup.

Are there any other considerations when restoring these backups?
Yes, when you move the SMC installation to a new server, and restore only the Management Server from a backup, your Log Server will need to be recertified after the Management backup is restored. When you restore the configuration using a management backup, the CA from the old installation is also restored. Because the log server is not restored from backup, it will use a certificate signed by the new installation CA and therefore cannot talk to the restored Management Server.
