McAfee Enterprise Security Manager 9.5.0

Transcription

1 Release Notes McAfee Enterprise Security Manager Contents About this release New features for Resolved issues Known issues Upgrade instructions Find product documentation About this release This document contains important information about the current release. We strongly recommend that you read the entire document. We do not support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, contact the McAfee Beta Team at beta7@mcafee.com for the upgrade process. New features for McAfee Enterprise Security Manager (McAfee ESM) from Intel Security offers a broad range of updated capabilities supporting the security connected vision, integrated big security data, and best in class SIEM features. Amazon cloud If you have access, you can now start the ESM in Amazon Web Services/Elastic Compute Cloud (AWS/ EC2). This feature was released with version See the Release Notes for more information. 1

2 Application Data Monitor (ADM) improvements The ADM now supports: Protocols: BitTorrent, Apple Filing Protocol (AFP), Bitcoin, Git, Server Message Block 2 (SMB2), and Microsoft Endpoint Manager (EPM) File types: Iso9660, Applefile, and ICal Bandwidth management on sent data Your organization's bandwidth restrictions might limit the amount of data your devices can send out. You can now define a maximum data output value for your Receiver, Advanced Correlation Engine (ACE), Enterprise Log Manager (ELM), ADM, Database Event Monitor (DEM), and Nitro Intrusion Prevention System (IPS). Output values include kilobytes (KB), megabytes (MB), and gigabytes (GB) per second. You can also schedule a daily time range to limit when the ESM pulls data from each device and when devices send data to the ELM. This feature was released with version For more information, see the following topics in the online Help or product guide: Set up network traffic control on a device Limit collection time for data Set up network traffic control on the ESM Case improvements You can now search for cases (with source events) using any event field, source IP address, destination IP address, or host device. You can also create your own views with case queries using a table component or bar, pie, or list chart. For more information, see the following topic in the online Help or product guide: Filtering views Client data sources You can now add more than one client data source with the same IP address and use the port number to differentiate them. You can then segregate data types by different ports. This feature was released with version For more information, see the following topics in the online Help or product guide: Client data sources Add a client data source Configuration files You can now back up and restore SSH keys, network configuration, SNMP, and other configuration files for each device. 2

3 This feature was released with version For more information, see the following topics in the online Help or product guide: Backing up and restoring system settings Restore backed up configuration files Content packs When a specific threat situation occurs, respond immediately by importing and installing the relevant content pack from the rules server. Content packs contain use-case driven correlation rules, alarms, views, reports, variables, and watchlists to address specific malware or threat activity. Content packs enable you to respond to threats without wasting time creating tools from scratch. For details about content packs, see this McAfee KnowledgeBase: KB8373. You can also now export and import alarms, reports, and watchlists. For more information, see the following topics in the online Help or product guide: Working with content packs Import content packs Cyber threat management ESM allows you to retrieve indicators of compromise (IOC) from remote sources and quickly access related IOC activity in your environment. Cyber threat management enables you to set up automatic feeds that generate watchlists, alarms, and reports, giving you visibility to actionable data. For example, you can set up a feed that automatically adds suspicious IP addresses to watchlists to monitor future traffic. That feed can generate and send reports, indicating past activity. Use the Event Workflow Views Cyber Threat Indicators view to drill down quickly to specific IOC events and activity in your environment. For more information, see the following topics in the online Help or product guide: Set up cyber threat management View cyber threat feed results Data enrichment Source types now include Apache Hadoop Hive, Apache Hadoop Pig, and HTTP/HTTPS. You can also leverage Microsoft Active Directory to populate Microsoft Windows events with the full user display names. For more information, see the following topics in the online Help or product guide: Add Hadoop Pig data enrichment source Create an Internet data enrichment source Add Active Directory data enrichment for user names 3

4 Data sources improvements As a result of several possible settings, the time on a data source can get out of sync with the ESM. When an out-of-sync data source generates an event, a red flag appears next to the Receiver on the system navigation tree. You can now set up an alarm to notify you when this event occurs. Then manage the data sources that are out of sync from the Time Delta page. Data source rules have a defined default action. The Receiver assigns this action to the event subtype associated with the rule. You can now change this action. Instead of only using the value inherited from the parsing rule, set the value of the event subtype per data source rule. Then, you can set rule actions for dashboards, reports, parsing rules, or alarms with different values with this event subtype. These features were released with version For more information, see the following topics in the online Help or product guide: Manage out-of-sync data sources Set data source rule actions Device statistics You can now view device-specific CPU, memory, queue, and other device-specific details for ESM devices. You can also view Receiver usage statistics, which include the incoming (collector) and outgoing (parser) data source rates for the last 10 minutes, the last hour, and the last 24 hours. For more information, see the following topics in the online Help or product guide: View device statistics View Receiver throughput statistics Devices and what they do Dynamic Host Configuration Protocol (DHCP) IP networks use DHCP to distribute network configuration parameters, such as IP addresses for interfaces and services. Setting up ESM to deploy in the cloud environment automatically enables DHCP and assigns an IP address. When not in the cloud environment, you can enable and disable DHCP services on the VLANs, ESM, non-high Availability (HA) Receiver, ACE, and ELM. This feature was released with version For more information, see the following topics in the online Help or product guide: Set up DHCP on VLAN Set up DHCP 4

5 Enterprise Log Manager (ELM) improvements Database management: ELM performance has been enhanced. You can also increase the size of the ELM management database. Health monitor flags warn you when the database is low on space. ELM searching speed: A new log indexing method now provides enhanced searching speed and replaces the full-text indexing (FTI) functionality. The space previously used by FTI is automatically reclaimed. Since the new method might require additional space, you can now increase the size of the management database. ELM redundancy: This feature was released with version For more information, see the following topics in the online Help or product guide: Select database location page View a system or device log ELM redundancy Set up ELM redundancy Export views and reports When exporting a page for a chart, distribution, or table component, the exported data now matches what you see on the page. If you export multiple pages, the query reruns as it exports the data. So, exported output for multiple pages might differ from what you see on the component. This feature was released with version For more information, see the following topic in the online Help or product guide: Export a component Filters You can now set the execution order for ASP or Filter rules. For ASP rules, you can also set multiple custom time formats to increase the likelihood that the time format for the ASP log matches. When you first log on to the ESM, default filters now include the source user, destination user, source IP address, and destination IP address filter fields. You can add and delete filter fields, save filter sets, change the default set, manage all filters, and start the string normalization manager. You can also now filter cases by event details. If you have User Administration permissions, you can now limit filter sets for other groups. For more information, see the following topics in the online Help or product guide: Set order for ASP and Filter rules Add time format to ASP rules Filtering views HA Receivers You can now choose a preferred primary Receiver when setting up HA Receivers in a primary and secondary mode. In this setup, one Receiver acts as the primary or lead active device. The secondary Receiver monitors the primary continuously. 5

6 When the secondary determines that the primary has failed, it stops operations on the primary and takes its function. Once the primary is repaired, it becomes the secondary or it becomes the primary once again, depending on the preferred primary option you select. Before you upgrade, set your preferred primary Receiver to No Preference, which allows you to use the Fail-Over option. After you upgrade both Receivers, you can then reapply your preferred primary Receiver. For more information, see the following topics in the online Help or product guide: High Availability Receivers Reset HA devices Set up Receiver-HA Devices Switch Receiver-HA roles Reinitialize the secondary device Upgrade HA Receivers IP address details If you have a McAfee Global Threat Intelligence (McAfee GTI) license and look up IP address details, you can now access details about an IP address, including risk severity and geolocation data. This feature was released with version For more information, see the following topics in the online Help or product guide: View the IP address details of an event Perform a WHOIS or ASN lookup McAfee Threat Intelligence Services (MTIS) McAfee Threat Intelligence Services (MTIS) and your system's vulnerability assessment sources generate a list of known threats. ESM uses the severity of these threats and the criticality of each asset to calculate the risk level these threats represent to your organization. Asset Manager: When you add an asset to the Asset Manager, you can assign a criticality level to represent how critical that asset is to your organization. For example, if a single computer without backup manages your enterprise setup, that computer's criticality is high. But, if multiple computers (each with their own backup) manage your setup, the criticality level for each computer is considerably lower. Threat Management: The Threat Management tab on the Asset Manager lists known threats, their severity, the vendor of the affected product, and whether it is set to use when calculating risk. You can enable or disable specific threats to calculate risk. For each threat listed, you can view recommendations for dealing with the threat, as well as countermeasures to consider. Predefined views: Three new predefined views summarize and display asset, threat, and risk data: Asset threat summary Breaks down top assets by risk score and threat levels, and threat levels by risk. Recent threat summary Breaks down recent threats by vendor, risk, asset, and available protection products. Vulnerability summary Breaks down vulnerabilities by threats and assets. If you create a view that includes Total Number of Vulnerabilities Count or Dial component, you might see an inflated count of vulnerabilities. The MTIS feed adds threats based on the original vulnerability that the VA source reported. 6

7 For more information, see the following topics in the online Help or product guide: Asset, threat, and risk assessment Manage known threats Manage assets Working with ESM views Power or hardware failures Power and hardware failures can shut down your system without warning. To alert you of an impending failure, you can now set up alarms to trigger when an ESM's power fails. You can also set up SNMP traps to notify you of general hardware failures and DAS power failures. This feature was released with version For more information, see the following topics in the online Help or product guide: Add a power failure notification alarm Set up SNMP trap for power failure notification Severity and action maps The severity and action maps now contain the following new action types: 25 = alert-reject 33 = infected 26 = alert-drop 34 = move 27 = alert-sdrop 35 = move-fail 28 = restart 36 = quarantine 29 = block 37 = quarantine-fail 30 = clean 38 = remove-fail 31 = clean-fail 39 = denied 32 = continue McAfee Threat Intelligence Exchange (TIE) integration The TIE feature was released with version For more information, see the following topics in the online Help or product guide: Threat Intelligence Exchange integration View TIE execution history and set up actions Triggering events When an alarm triggers, you can now view the event that triggered that alarm. You can also customize the triggered alarms and cases to include the field match and internal event in their summary. This feature was released with version For more information, see the following topics in the online Help or product guide: View and manage triggered alarms Customize summary for triggered alarms and cases 7

8 Watchlists You can create a watchlist from sources on the Internet that can be refreshed periodically and that pull threat feeds automatically into the watchlist. On this watchlist, you can preview the data to be retrieved through the HTTP request, as well as add regular expressions to filter this data. You must have an Internet connection to download McAfee Global Threat Intelligence (McAfee GTI) watchlists. They can't be downloaded off line. For more information, see the following topic in the online Help or product guide: Create a watchlist of Internet sources Product documentation updates Federal Information Processing Standard (FIPS) mode: FIPS information in the product documentation has been updated. The Health monitor signature IDs topic now identifies the type, device, and severity for each ID. Installation Guide: Wiring diagrams for network ports have been updated. Online Help/product guide: The table of contents has been reorganized to help you find information quickly. Resolved issues These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Real-time alarms on parent ESM cause performance issues Creating a real-time alarm on a parent ESM now triggers that alarm only on the parent Receiver without triggering alarms on the corresponding distributed Receivers. ELM device log displays lock conflicts When you add storage pools to the ELM, the devices log no longer displays lock conflicts. HTML report title alignment HTML reports that you create (ESM Properties Reports) now correctly apply whatever title alignment you set (left, right, or center). Character limit on data source names The character limit for data source names has been increased to 100 characters. Incorrect character displayed when exporting reports in japanese When exporting reports with the Japanese language selected, the date now correctly displays a range as 1 / 2, instead of 1?? 2. No baseline for stacking components If you select a stacking option to group fields on the event distribution, the baseline now displays correctly. 8

9 Syncing issues with redundant ESM devices Redundant ESM devices now sync correctly. Known host entries removed for High Availability Known host entries for High Availability Receivers are now retained permanently. Data CSV export never finishes ESM now successfully completes data exports to CSV files. Redundant ESM syncing process You can no longer interrupt a sync of redundant ESMs once it begins. CSV change data sources doesn't remove all information ESM now correctly uses CSV files to remove data sources. Editing Auto Learn data sources ESM now correctly applies your changes to your Auto Learn data source types. Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB Upgrade instructions To prepare your system for the software release, download the upgrade files for the ESM, Nitro IPS, ACE, ADM, Database Event Monitor (DEM), Receiver, ELMERC, ELM, and ESM/Receiver combo. Then upgrade them in the order described. For information about installing the devices, see McAfee Enterprise Security Manager Installation Guide. Tasks Download the upgrade files on page 14 When the system is ready to upgrade, download the upgrade files to your local system. Upgrade the system on page 15 You must upgrade the ESM and its devices, in a specific order, based on your mode. After you upgrade, rewrite the device settings and roll out the policy. Upgrade ESM, ESMREC, or ENMELM on page 16 Once your system is ready, you can upgrade your ESM, ESMREC, or ENMELM to Upgrade devices on page 17 If you aren't in FIPS mode, upgrade the IPS, Event Receiver, ELM, ELM/Event Receiver, ACE, ADM, and DEM after the ESM is upgraded. If you are in FIPS mode, upgrade the devices before upgrading the ESM. 9

10 Preparing to upgrade There are several things you must do before you can upgrade. Review the ESM checklist to make sure that the ESM and devices are in a good state before starting the upgrade. Make sure that the ESM database rebuild from a previous build (9.3.2 or later) is complete, and that you can schedule the appropriate outage window for this upgrade. Complete a database backup of the ESM before beginning the upgrade. Make sure that the soft raid subsystem is running with two active drives. If you are running ESM 4245R, 5205R, 5510R, or 5750R; ESMREC 4245R, 5205R, or 5510R; ESMLM 4245R, 5205R, or 5510R, issue the cat /proc/mdstat command in one of these ways: On the ESM console, click System Properties ESM Management Terminal, then click Write and type the command. SSH into the ESM. Connect a monitor and keyboard to the device. If the output looks like the following example, the raid is functioning properly and you can proceed with the upgrade: Personalities : [raid1] md_d127 : active raid1 sda[0](w) sdb[1](w) blocks [2/2][UU] Unused devices: <none> The [UU] code identifies active drives. If it shows [_U] or [U_], a drive is not part of the raid. You must contact McAfee Support before upgrading. 10

11 Type of information Device types supported Device removal Details The ESM, ESM/Event Receiver (ESMREC), or ESM/Log Manager (ENMELM) only communicate with device models. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line. The CPU must be one of the following: Before upgrading the ESM, ESMREC, or ENMELM, all device models specified and virtual IP addresses for the specified Nitro IPS models must be removed. If this isn't done, a message appears on the Login page and the message log stating that this problem occurred, and that the upgrade fails. ESM also fails to upgrade and notations are placed in the device message log. To remove a virtual IPS, select the device in the system navigation tree and click the Properties icon. Select Device Configuration Virtual Devices, then select the existing virtual devices and click Remove. Click Write to write the settings to the IPS. You must roll out policy from the ESM, ESMREC, or ENMELM to the IPS device or the IPS remains in bypass mode and no traffic is inspected. Rebuild time Upgrade paths Upgrade Receiver-HA devices Table rebuild time varies based on the ESM, ESMREC, or ENMELM. To speed up the upgrade of the ESM database: Set collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties Events, Flows & Logs, then set Auto check interval. Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties Events, Flows & Logs, then deselect Auto check interval. The rebuild time for devices is around 45 minutes. You can upgrade to directly from or later. You must upgrade versions before following this path: 7.x.x > 8.2.x > 8.3.x > > > > > or later > To upgrade Receiver-HA devices, you must first check the Receiver's High Availability status. See Check Receiver high availability status in the ESM online Help. 11

12 Special upgrade situations There are a few situations where you might need to take additional steps before or after upgrading. Situation Installing a new McAfee ESM model Obtaining offline rule updates Action When installing a new McAfee ESM model, register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you cannot receive upgrades. To get your permanent user name and password, Licensing@McAfee.com with the following information: McAfee grant number, account name, address, contact name, and contact address. 1 Go to 2 In the upper right corner, click Download My Products and click Go. 3 Enter your grant number, type the letters displayed, then click Submit. 4 Click MFE Enterprise Security Manager, then click MFE Nitro Rules Downloads. 5 Read the license agreement, then click I Agree. The available update files appear by ESM version. 6 Download the rules for the version of your ESM. Resolving device communication issues If you upgraded a McAfee device (not ESM), the message The device needs to be upgraded to before the operation can be performed might appear. Verify that the ESM has the correct version. 1 On the ESM console, select the device in the system navigation tree, then select the Properties icon. 2 Click Connection, then click Status. The version updates. 3 Retry the operation that resulted in the message. 12

13 Situation Upgrading a redundant ESM Action You must upgrade the primary ESM first, then upgrade the redundant ESM exactly as described. 1 On the system navigation tree, select the primary ESM and click the Properties icon. 2 Click Events, Flows & Logs and deselect the Auto check interval option. 3 On the primary ESM, use an SSH-secure connection to confirm that alerts files are not being processed by running the following command: ll /usr/local/ess/dbredund/ 4 If no alerts files exist in the folder, upgrade the primary ESM. 5 On the redundant ESM, use an SSH-secure connection to confirm that alerts files are not being processed by running the following command: ll /usr/local/ess/dbredundprimarytransfer/ 6 If no alerts files exist in the folder, upgrade the redundant ESM. 7 After upgrading the redundant ESM, re-enable the collection of events, flows, and logs on the primary ESM. Another way to verify that the redundant ESM is done processing alerts is to use an SSH-secure connection to run the top command. Verify that no event insert processes are running (see items in bold) root m 4.5g 9700 S :37.20 cp Job31 idle root m 4.5g 9700 S :51.55 cp Job32 idle root m 4.5g 9700 S :37.59 cp Job33 idle root m 4.5g 9700 S :39.24 cp Job34 idle root m 4.5g 9700 S :32.00 cp Backup root m 4.5g 9700 S :00.72 cp RedundantInsert McAfee epo with Policy Auditor If the McAfee epo device is already on the ESM, you must refresh it. 1 If you are not on an all-in-one device, upgrade the Receiver to which the McAfee epo device is connected. 2 On the ESM console, click epo Properties Device Management, then click Refresh. You can set up auto retrieval on the Device Management tab 3 On the ESM console, click Receiver Properties, then click the Vulnerability Assessment (VA) tab. 4 Click Write. 5 Repeat step 2 to get VA data on the ESM. Refreshing registers Policy Auditor as a VA source, which in turn allows Policy Auditor to be written to vathirdparty.conf. 6 Log out of the ESM console, then log back in. Upgrading High Availability (HA) Receivers Before you upgrade, set your preferred primary Receiver to No Preference, which allows you to use the Fail-Over option. The upgrade process upgrades both Receivers sequentially, starting with the secondary Receiver first. After you upgrade both Receivers, you can then reapply your preferred primary Receiver. 13

14 Situation Rebuilding the ELM management database Action Indexing your ELM management database might require additional time, depending on your ELM model. For example, the number of pools you have, the amount of data sent from logging devices, and your network bandwidth if using remote storage can increase the time it takes to complete the indexing. However, this background task minimally impacts your performance and, when complete, provides improved querying on your historical data. To check the status of the rebuild, go to ELM Properties ELM Information. If the message Database is rebuilding appears in the Active Status field, DO NOT stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM. If you have Receivers logging to the ELM and they are near maximum capacity, contact Support. Upgrading a redundant ELM You must upgrade the standby ELM first, then upgrade the active ELM. The upgrade process suspends the ELM redundancy. After upgrading both ELMs, you must restart the ELM redundancy. 1 Upgrade the standby ELM. 2 Then upgrade the active ELM. 3 On the system navigation tree, select the standby ELM and go to ELM Properties ELM Redundancy. Click Return to Service. 4 Go to ELM Properties ELM Information and click Refresh. Both the active and standby ELMs should display an OK status. If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status should change to OK, redundant ELM rsync is 100% complete. You might need to click Refresh several times. Download the upgrade files When the system is ready to upgrade, download the upgrade files to your local system. Task 1 On the McAfee Product Downloads website at enter your customer grant number in the Download My Products field, then click Search. 2 Select the device you want to upgrade. 3 Select the correct link (MFE <device name> v9.5.0), read the McAfee EULA, then click I Agree. 4 Download these files to your local system: For the McAfee Enterprise Security Manager (ESM or ETM) device: ESS_Update_9.5.0.tgz. For the McAfee Enterprise Security Manager and Log Manager (ENMELM or ESMREC) device: ESSREC_Update_9.5.0.tgz. For the McAfee Nitro Intrusion Prevention System (Nitro IPS or NTP) device: IPS_Update_9.5.0.tgz. For the McAfee Event Receiver (ERC or ELMERC) device: RECEIVER_Update_9.5.0.tgz. For the McAfee Database Event Monitor (DEM) device: DBM_Update_9.5.0.tgz. 14

15 For the McAfee Advanced Correlation Engine (ACE) device: RECEIVER_Update_9.5.0.tgz. For the McAfee Enterprise Log Manager (ELM) device: RECEIVER_Update_9.5.0.tgz. For the McAfee Application Data Monitor (ADM) device: APM_Update_9.5.0.tgz. These files are now ready to be used to upgrade your ESM and devices. Upgrade the system You must upgrade the ESM and its devices, in a specific order, based on your mode. After you upgrade, rewrite the device settings and roll out the policy. Before you begin Review Preparing to upgrade and Special upgrade situations. Make sure that your system is running version or later. If you recently upgraded to 9.3.2, verify that the database rebuild is complete. Task 1 Upgrade the devices in this order. For details about upgrading the ESM and devices, see Upgrade ESM, ESMREC, or ENMELM and Upgrade devices. Mode Order Non-FIPS 1 Upgrade the ESM, ESMREC, or ENMELM. 2 Wait for the database to build. 3 Upgrade the ELM or ELMERC. 4 Upgrade Nitro IPS, Event Receiver, ACE, DEM, and ADM. If you are upgrading a redundant ESM, see Upgrading a redundant ESM in Special upgrade situations. FIPS 1 Upgrade the ELM or ELMERC. 2 Upgrade Nitro IPS, Event Receiver, ACE, DEM, and ADM. 3 Upgrade the ESM, ESMREC, or ENMELM. You can begin when all device upgrades start. Failure to upgrade the devices before upgrading the ESM when in FIPS mode could have an impact on ELM log collection. 2 Verify that you have communication with the devices. 3 Download the manual rules update to the ESM (see Obtaining offline rule updates in the Special upgrade situations section of this document). 4 Apply the updated rules. a On the system navigation tree, select the system, then click the Properties icon. b c On the System Information page, click Rules Update, then click Manual Update. Browse to the update file, click Upload, then click OK. 15

16 5 Follow this process to rewrite device settings for each device to make sure that all settings are applied. a On the ESM console, select the device in the system navigation tree, then click the Properties icon. b Follow these steps for each device. Device type Event Receiver or ESM/Event Receiver combo ACE Nitro IPS, DEM, or ADM Process For data sources: Click Data Sources Write. For VA sources: Click Vulnerability Assessment Write. For risk correlation: Click Risk Correlation Management Write. For historical correlation: Click Historical Enable Historical Correlation Apply. If it's already selected, deselect it, select it again, then click Apply. For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply. For virtual devices (IPS and ADM): Click Virtual Devices Write. For database servers: Click Database Servers Write. 6 Roll out the policy to all upgraded devices. After rolling it out to a Nitro IPS device, make sure to take the device out of bypass mode on Device Configuration Interfaces. 7 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties Device Configuration Sync ELM). Upgrade ESM, ESMREC, or ENMELM Once your system is ready, you can upgrade your ESM, ESMREC, or ENMELM to Before you begin Read through this document completely, and make sure that all devices attached to the ESM are supported in (see Device types supported in Preparing to upgrade). Task For option definitions, click? in the interface. 1 On the ESM console, select the ESM device, then click the Properties icon. 2 Select ESM Management, then click Update ESM. 3 On the Select Software Update File page, browse to one of these files. Device type Standalone Enterprise Security Manager (ESM) Enterprise Security Manager with a built-in Receiver (ESMREC) Enterprise Security Manager with a built-in Receiver and Enterprise Log Manager (ENMELM), also known as a Combination Box File ESS_Update_9.5.0.tgz ESSREC_Update_9.5.0.tgz ESSREC_Update_9.5.0.tgz 16

17 4 Select the file, then click Upload. You are informed that the ESM restarts and there is a loss of connection for all users. 5 Click Yes to continue, and when asked to close the browser, click OK. The upgrade, which can take several hours, takes place. 6 Once the upgrade is complete, log back on to the console through a new browser session. Upgrade devices If you aren't in FIPS mode, upgrade the IPS, Event Receiver, ELM, ELM/Event Receiver, ACE, ADM, and DEM after the ESM is upgraded. If you are in FIPS mode, upgrade the devices before upgrading the ESM. Before you begin Read through this document completely, and make sure that all devices are supported in (see Device types supported in Preparing to upgrade). Task For option definitions, click? in the interface. 1 On the ESM console, select the device you want to upgrade, then click the Properties icon. 2 Click the Management option for the device, then click Update Device. 3 On the Select Software Update File page, browse to one of these files: Device type IPS Event Receiver ELM ELM/Event Receiver combo ACE DEM ADM ESS VM File IPS_Update_9.5.0.tgz Receiver_Update_9.5.0.tgz DBM_Update_9.5.0.tgz APM_Update_9.5.0.tgz Upgrades for this device are no longer available. Contact McAfee Sales to purchase a new ESM VM model. 4 Select the file, then click Upload. 5 On the Update Device Software page, click Yes to continue. The file uploads and the device restarts. 6 Once the communication is restarted, verify the version of the device. 17

18 Find product documentation After a product is released, information about the product is entered into the McAfee online Knowledge Center. Task 1 Go to the Knowledge Center tab of the McAfee ServicePortal at 2 In the Knowledge Base pane, click a content source: Product Documentation to find user documentation Technical Articles to find KnowledgeBase articles 3 Select Do not clear my filters. 4 Enter a product, select a version, then click Search to display a list of documents. Product documentation Every McAfee product has a comprehensive set of documentation. You can access localized McAfee ESM product documentation from within the ESM online Help or from the Knowledge Center. Accessing localized online Help When you log on to ESM, you can change the language setting, which also changes the language used in the online Help. 1 Log on to ESM. 2 On the system navigation pane of the ESM console, click Options. 3 Select a language from the Language drop-down list, then click OK. 4 To access help, click the help icon in the upper right corner of ESM windows or click the Help menu on the ESM console. The online Help displays in the language you selected. If the help appears in English only, localized help is not yet available. A future update will install localized help. Accessing localized guides in the Knowledge Center 1 Locate your grant ID and log on to the MFE Enterprise Security Manager Product Downloads page. 2 Click the ESM Product Documentation v9.5.0 link. 3 Select a language from the Language drop-down box. 4 Click the appropriate link to open the localized Product Guide (pg), Installation Guide (ig), or Release Notes (rn). 18

19 Copyright 2015 McAfee, Inc. Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/ registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.