McAfee Network Security Platform 9.2


McAfee Network Security Platform 9.2
(9.2.7.22-9.2.7.20 Manager-Virtual IPS Release Notes)

Contents
- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795.

This release of Network Security Platform is to provide new features and enhancements on the Manager and Virtual IPS Sensor software.

Release parameters                                  Version
Network Security Manager software                   9.2.7.22
Signature Set                                       9.8.28.4
Virtual IPS Sensor software (ESXi)                  9.2.7.20
Virtual IPS Sensor software (VMware NSX)            9.2.7.17
Virtual IPS Sensor software (AWS)                   9.2.7.20
Virtual IPS Sensor software (Azure)                 9.2.7.132
Virtual Network Security Platform Controller        3.6.1 (022618a)
Virtual Network Security Platform Probe             3.6.1-11

If your Sensor has run out of memory and does not accept signature set updates, see the section Lite Signature Set in McAfee Network Security Platform Manager Administration Guide to overcome the problem.

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.8.0_181, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.

Manager 9.2 uses JRE version 1.8.0_181 and MySQL version 5.6.41.

If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Manager software version 9.2 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.

Upgrade support

McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager.

Consider the following before upgrading to Network Security Platform version 9.2:
- This release is for ESXi, VMware NSX, AWS, and Azure environments only.
- You have to follow the specified sequence while upgrading the components deployed in an AWS environment. For the upgrade sequence in an AWS deployment, see the section Upgrade AWS components in McAfee Network Security Platform 9.2 Installation Guide.

Upgrade paths for Manager software versions

Current version: 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13
Upgrade path to 9.2: 8.1.7.82, then 9.2.7.22

Current version: 8.1.7.33, 8.1.7.52, 8.1.7.82, 8.1.7.91, 8.1.7.96, 8.1.7.100, 8.1.7.105
Upgrade path to 9.2: 9.2.7.22

Current version: 8.3.7.7, 8.3.7.28, 8.3.7.44, 8.3.7.52, 8.3.7.64, 8.3.7.68, 8.3.7.86
Upgrade path to 9.2: 9.2.7.22

Current version: 9.1.7.11, 9.1.7.15, 9.1.7.49, 9.1.7.63, 9.1.7.73
Upgrade path to 9.2: 9.2.7.22

Current version: 9.2.7.9
Upgrade path to 9.2: 9.2.7.22

All intermediate Manager versions, such as Hotfixes, below 8.1.7.33 must upgrade to 8.1.7.82 before upgrading to the latest 9.2 Manager version. All Manager versions above 8.1.7.33 can directly upgrade to the latest 9.2 Manager version.

Upgrade paths for Sensor software versions

Upgrade for IPS-VM600 from Sensor software versions 8.1, 8.3, or 9.1 to Sensor software version 9.2 is not supported due to increased Sensor image size. For more information, see the section Upgrade consideration for Virtual Sensors deployed in ESX in the McAfee Network Security Platform 9.2 Installation Guide.

Virtual IPS Sensor software ESXi (IPS-VM600):

Current version     Upgrade path to 9.2
9.2.7.10            9.2.7.20
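
The Manager upgrade rule given earlier in this section can be checked mechanically before a maintenance window. The sketch below is an added example, not McAfee code: the names `plan_upgrade`, `parse` and `Plan` are hypothetical, and it assumes the 8.1.7.33 boundary is inclusive because the table lists 8.1.7.33 as a direct upgrade. It compares build numbers numerically, since a plain string comparison would sort 8.1.7.100 below 8.1.7.33.

```python
from typing import List, NamedTuple, Tuple

TARGET = "9.2.7.22"          # Manager version delivered by this release
STEPPING_STONE = "8.1.7.82"  # mandatory intermediate hop for older 8.1 builds
DIRECT_FLOOR = "8.1.7.33"    # lowest build the table lists as a direct upgrade

# Manager builds named in the upgrade-path table of these release notes.
LISTED = set("""
    8.1.3.4 8.1.3.6 8.1.7.5 8.1.7.12 8.1.7.13
    8.1.7.33 8.1.7.52 8.1.7.82 8.1.7.91 8.1.7.96 8.1.7.100 8.1.7.105
    8.3.7.7 8.3.7.28 8.3.7.44 8.3.7.52 8.3.7.64 8.3.7.68 8.3.7.86
    9.1.7.11 9.1.7.15 9.1.7.49 9.1.7.63 9.1.7.73
    9.2.7.9
""".split())
TRAINS = {(8, 1), (8, 3), (9, 1), (9, 2)}  # release trains the table covers


class Plan(NamedTuple):
    hops: List[str]  # versions to install, in order
    listed: bool     # False: build is not named in the table (e.g. a hotfix)


def parse(version: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into integers so 8.1.7.100 sorts above 8.1.7.33."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {version!r}")
    return tuple(int(p) for p in parts)


def plan_upgrade(current: str) -> Plan:
    """Return the hops from `current` to TARGET under the rule in these notes."""
    cur, target = parse(current), parse(TARGET)
    if cur[:2] not in TRAINS:
        raise ValueError(f"{current}: release train not covered by these notes")
    if cur > target:
        raise ValueError(f"{current} is newer than {TARGET}")
    if cur == target:
        return Plan([], True)  # already on the target build
    listed = ".".join(map(str, cur)) in LISTED
    if cur < parse(DIRECT_FLOOR):
        # Builds below 8.1.7.33 must pass through 8.1.7.82 first.
        return Plan([STEPPING_STONE, TARGET], listed)
    return Plan([TARGET], listed)


if __name__ == "__main__":
    for build in ("8.1.7.13", "8.1.7.20", "8.1.7.33", "8.1.7.100", "9.1.7.63"):
        plan = plan_upgrade(build)
        note = "" if plan.listed else "  (build not named in the table)"
        print(f"{build:>10} -> {' -> '.join(plan.hops)}{note}")
```
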

Virtual IPS Sensor software VMware NSX (IPS-VM600-VSS):

Current version     Upgrade path to 9.2
9.2.7.12            9.2.7.17

Virtual IPS Sensor software AWS (IPS-VM600-VSS):

Current version     Upgrade path to 9.2
9.2.7.10            9.2.7.20

Upgrade to Azure Virtual IPS Sensor software version 9.2.7.132 is not supported for IPS-VM600-VSS. This version of 9.2 supports only a fresh installation of the Virtual IPS Sensor.

Heterogeneous support

This version of 9.2 Manager software can be used to configure and manage the following devices:

Sensor images for IPS-VM100 and IPS-VM100-VSS Sensor models are not available in version 9.2.

Device: NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300)
Version: 8.1, 8.3, 9.1, 9.2

Device: NS-series Sensors (NS7150, NS7250, NS7350)
Version: 9.1, 9.2

Device: Virtual IPS for ESXi server (IPS-VM100, IPS-VM600)
Version: IPS-VM100: 8.1, 8.3, 9.1; IPS-VM600: 8.1, 8.3, 9.1, 9.2

Device: Virtual IPS for KVM (IPS-VM100, IPS-VM600)
Version: 8.3

Device: Virtual IPS for VMware NSX (IPS-VM100-VSS, IPS-VM600-VSS)
Version: IPS-VM100-VSS: 8.1, 8.3, 9.1; IPS-VM600-VSS: 9.2

Device: Virtual IPS for AWS (IPS-VM100-VSS, IPS-VM600-VSS)
Version: IPS-VM100-VSS: 8.3, 9.1; IPS-VM600-VSS: 9.2

Device: Virtual IPS for Azure (IPS-VM600-VSS)
Version: 9.2

Device: M-series Sensors (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000)
Version: 8.1, 8.3, 9.1

Device: Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030)
Version: 8.1, 8.3, 9.1

Device: M-8000XC Cluster Appliance
Version: 8.1, 8.3, 9.1

Device: NTBA Appliances (T-200, T-500, T-600, T-1200)
Version: 8.1, 8.3, 9.1

Device: Virtual NTBA Appliances (T-VM, T-100VM, T-200VM)
Version: 8.1, 8.3, 9.1

Integration support

The above mentioned Network Security Platform software versions support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

Product                                     Version supported
McAfee ePO                                  5.9.1
McAfee Global Threat Intelligence           Compatible with all versions

Table 1-1 Network Security Platform compatibility matrix (continued)

Product                                     Version supported
McAfee Endpoint Intelligence Agent          2.6.3
McAfee Logon Collector                      3.0.7
McAfee Threat Intelligence Exchange         2.0.0
McAfee Data Exchange Layer                  3.1.0
McAfee Advanced Threat Defense              4.2.0
McAfee Virtual Advanced Threat Defense      4.2.0
McAfee Vulnerability Manager                7.5
McAfee Host Intrusion Prevention            8.0
Intel Security Controller                   2.6

New features

This release of Network Security Platform includes the following new features:

Multi-tenancy for VMware NSX deployment

With this release of 9.2, a single Virtual IPS Sensor deployed to inspect traffic from various virtual machines can generate alerts based on the tenant. Each child admin domain has a policy group to which the Sensor interfaces are assigned. The child admin domain is then associated to a tenant through the security group. When an attack is detected on a virtual machine, an alert is generated in the attack log of the child admin domain in which the virtual machine is present.

For more information on multi-tenant deployment, see McAfee Network Security Platform 9.2 Virtual IPS Administration Guide.

Enhancements

Deployment of Network Security Manager with user data in AWS

Previously, after the deployment of the Network Security Manager instance, the Manager had to be installed manually.

With this release of Network Security Platform, inclusion of user data while launching the Network Security Manager instance in AWS is supported. The Manager installation file runs automatically and installs the Manager. In the Configure Instance Details page of the AWS interface, under the Advanced Section, you can enter the user data, which deploys the Manager instance and installs the Manager automatically.

For more information on deploying the Network Security Manager, see Install the Network Security Manager in McAfee NSP 9.2 Virtual IPS Administration Guide.

Installation of Network Security Manager in Azure using custom data

In the previous release of 9.2, Network Security Manager had to be installed manually once the Manager virtual machine was deployed.

With this release of 9.2, you can deploy an Azure VHD, which installs the Network Security Manager virtual machine in the Azure cloud with the Manager installed automatically. The Manager instance is launched with the user data details from CLI commands in Azure. The user data details contain the user name, user password, and database password used for logging into the Manager.

For more information on deploying the Network Security Manager in Azure cloud using CLI commands, see McAfee Network Security Platform 9.2 Virtual IPS Administration Guide.

CPU enhancement for Virtual IPS Sensors in Azure

Previously, the Virtual IPS Sensor instances were using 5 logical CPU cores. With this enhancement, the Sensor instances use 4 logical CPU cores without any performance impact. That is, the Virtual IPS Sensor throughput will continue to support 1 Gbps.

With this release of 9.2, the Virtual IPS Sensor instances in Azure are launched with 4 logical CPU cores. During the deployment, the size of the virtual machine should be selected as Standard_F4s.

For more information on Virtual IPS Sensor CPU cores in Azure, see McAfee Network Security Platform 9.2 Virtual IPS Administration Guide.

Layer 7 protocols supported in snort rules

With this release of Network Security Platform, the layer 7 protocols that are supported in snort rules are as follows:
- TCP
- FTP
- UDP
- TLS
- ICMP
- SMB
- IP
- DNS
- HTTP

For more information on snort rules, see McAfee Network Security Platform 9.2 Custom Attack Definitions Guide.

Increase in memory size for handling signature sets

With a growing number of threats, the frequency of signature set updates and the number of attacks in each update constantly increase. As a means to accommodate a larger signature set size in the future, the memory size allocated to signature sets on the Sensor has been increased.

Resolved issues

The current release of the product resolves these issues.
For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the high-severity Manager software issues:

ID #       Issue Description
1237763    Unable to modify Advanced Threat Defense User Profile for File Submission under the ATD Integration page in Network Security Manager.
1236702    Login to Manager when deployed manually in AWS environment fails.

The following table lists the medium-severity Manager software issues:

ID #       Issue Description
1249254    In the Device Manager page, the Sensors are not displayed after upgrading the Manager.
1245935    Manager is unable to deploy new user-defined signatures to Sensors, leading to a compilation error.
1245601    The Manager allows the user to save a string greater than 64 bytes within the Description field under Firewall Policies, causing the configuration deployment to the Sensors to fail.
1244227    Unable to deploy configuration changes to the Sensor after policy update.
1242947    In the Dashboard page, US flag is displayed for private IP addresses in the Top Attackers and Top Targets monitors.
1242839    A user assigned with a custom role is abruptly signed out of the Manager on clicking the attack name.
1242514    Bulk edit of IPS policies does not display the Save option.
1240298    The Version Control page for an IPS policy does not display information for Active Revision.
1239142    Packet capture in attack log captures only the attack packet in an alert and not the subsequent packets or the entire flow.
1239128    Policy cannot be assigned to a Virtual IPS Sensor in a vNSP Cluster in the Manager.
1238502    The performance charts display the recent performance data for custom time range.
1236581    Manual import of Gateway Anti Malware update to a Sensor fails when the Manager does not have internet connection.

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

ID #       Issue Description
1244643    Upgrade from Sensor software version 8.3.5.48 to 9.2.5.6 generates Sensor internal configuration: unsupported configuration upgrades critical fault.

The following table lists the medium-severity Sensor software issues:

ID #       Issue Description
1231255    The operational status of the monitoring ports state for Virtual IPS Sensors in AWS is always returned as "2" to SNMP client.
1228862    Special FTP alerts in layer 7 data fields are not analyzed correctly.
1221119    Small percentage of fragmented packets in the Sensor are not forwarded to the correct destination, which results in packet drops.
1205502    HTTPS protocol connections for users based on McAfee Logon Collector database are incorrectly blocked.

Installation instructions

Manager server/client system requirements

The following table lists the 9.2 Manager server requirements:

Operating system
  Minimum required: Any of the following:
  - Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
  - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
  - Windows Server 2012 R2 Standard Edition (Server with a GUI)
  - Windows Server 2012 R2 Standard Edition (Server with a GUI)
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
  - Windows Server 2016 Standard Edition (Server with a GUI)
  - Windows Server 2016 Standard Edition (Server with a GUI)
  - Windows Server 2016 Datacenter Edition (Server with a GUI)
  - Windows Server 2016 Datacenter Edition (Server with a GUI)
  Only X64 architecture is supported.
  Recommended: Windows Server 2016 Standard Edition operating system

Memory
  Minimum required: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.

CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same

Disk space
  Minimum required: 100 GB
  Recommended: 300 GB or more

Network
  Minimum required: 100 Mbps card
  Recommended: 1000 Mbps card

Monitor
  Minimum required: 32-bit color, 1440 x 900 display setting
  Recommended: 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
  Minimum: Any of the following:
  - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
  - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
  - Windows Server 2012 R2 Standard Edition (Server with a GUI)
  - Windows Server 2012 R2 Standard Edition (Server with a GUI)
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
  - Windows Server 2016 Standard Edition (Server with a GUI)
  - Windows Server 2016 Standard Edition (Server with a GUI)
  - Windows Server 2016 Datacenter Edition (Server with a GUI)
  - Windows Server 2016 Datacenter Edition (Server with a GUI)
  Only X64 architecture is supported.
  Recommended: Windows Server 2016 Standard Edition operating system

Memory
  Minimum: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.

Virtual CPUs
  Minimum: 2
  Recommended: 2 or more

Disk Space
  Minimum: 100 GB
  Recommended: 300 GB or more

Table 5-2 VMware ESX server requirements

Virtualization software
  Minimum:
  - ESXi 5.5 Update 3
  - ESXi 6.0 Update 1
  - ESXi 6.5 Update 1

The following table lists the 9.2 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

Operating system
  Minimum:
  - Windows 7, English or Japanese
  - Windows 8, English or Japanese
  - Windows 8.1, English or Japanese
  - Windows 10, English or Japanese
  The display language of the Manager client must be same as that of the Manager server operating system.
  Recommended: Windows 10, English or Japanese

RAM
  Minimum: 2 GB
  Recommended: 4 GB

CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster

Browser
  Minimum:
  - Internet Explorer 10, 11
  - Mozilla Firefox
  - Google Chrome (App mode in Windows 8 is not supported)
  Recommended:
  - Internet Explorer 11
  - Mozilla Firefox 20.0 or later
  - Google Chrome 24.0 or later
  To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.

For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

Mac operating system
  - Yosemite
  - El Capitan

Browser
  Safari 8 or 9

For more information, see McAfee Network Security Platform Installation Guide.

Known issues

For a list of known issues in this product release, see Network Security Platform software issues: KB90337

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

Go to docs.mcafee.com to find the product documentation for this product.

Or

1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

9.2 product documentation list

The following software guides are available for Network Security Platform 9.2 release:
- Quick Tour
- Virtual IPS Administration Guide
- Installation Guide (includes Upgrade Guide)
- CLI Guide
- Manager Administration Guide
- Integration Guide
- Custom Attack Definitions Guide
- Best Practices Guide
- Manager API Reference Guide
- Troubleshooting Guide
- IPS Administration Guide

Copyright 2018 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.