Stonesoft Management Center. Release Notes Revision B


Stonesoft Management Center Release Notes 6.1.1 Revision B

Table of contents

1 About this release
  System requirements
  Build version
  Compatibility
2 New features
3 Enhancements
4 Resolved issues
5 Installation instructions
  Upgrade instructions
6 Known issues
7 Find product documentation
  Product documentation

About this release

This document contains important information about the current release of Stonesoft Management Center by Forcepoint (SMC; formerly known as McAfee Security Management Center). We strongly recommend that you read the entire document.

System requirements

Make sure that you meet these basic hardware and software requirements.

Basic management system hardware requirements

You can install SMC on standard hardware.

- Intel Core family processor or higher recommended, or equivalent on a non-Intel platform
- A mouse or pointing device (for Management Client only)
- SVGA (1024x768) display or higher (for Management Client only)
- Disk space for Management Server: 6 GB
- Disk space for Log Server: 50 GB
- Memory requirements for 32-bit Linux operating systems:
  - 2 GB RAM for the Management Server, Log Server, or Web Portal Server (3 GB if all servers are installed on the same computer)
  - 1 GB RAM for Management Client
- Memory requirements for 64-bit operating systems:
  - 6 GB RAM for the Management Server, Log Server, or Web Portal Server (8 GB if all servers are installed on the same computer)
  - 2 GB RAM for Management Client

Operating systems

SMC supports the following operating systems and versions.

Note: Only U.S. English language versions have been tested, but other locales might also work.

Supported Microsoft Windows operating systems:

- Windows Server 2012 R2 (64-bit)
- Windows Server 2008 R1 SP2 and R2 SP1 (64-bit)
- Windows 7 SP1 (64-bit)
- Windows 10

Supported Linux operating systems:

- CentOS 6 (for 32-bit and 64-bit x86)
- CentOS 7 (for 64-bit x86)
- Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)
- Red Hat Enterprise Linux 7 (for 64-bit x86)
- SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)
- SUSE Linux Enterprise 12 SP1 (for 32-bit and 64-bit x86)
- Ubuntu 12.04 LTS (for 64-bit x86)
- Ubuntu 14.04 LTS (for 64-bit x86)
- Ubuntu 16.04 LTS (for 64-bit x86)

Web Start client

In addition to the operating systems listed, SMC can be accessed through Web Start by using Mac OS 10.9 and JRE 1.8.0_77 or a later critical patch update (CPU) release.

Build version

SMC 6.1.1 build version is 10222. This release contains Dynamic Update package 824.

Product binary checksums

Use the checksums to make sure that the installation files downloaded correctly.

- smc_6.1.1_10222.zip
- smc_6.1.1_10222_linux.zip
- smc_6.1.1_10222_windows.zip
- smc_6.1.1_10222_webstart.zip

Compatibility

SMC 6.1 has the following requirements for minimum compatibility and native support.

Note: SMC 6.1 can manage all compatible Stonesoft NGFW engine versions up to and including version 6.1.

Minimum component versions

SMC 6.1 is compatible with the following component versions.

- Stonesoft Next Generation Firewall (Stonesoft NGFW) 6.0 and 6.1
- McAfee Next Generation Firewall (McAfee NGFW) 5.7, 5.8, 5.9, and 5.10
- Stonesoft Security Engine 5.5
- McAfee ePolicy Orchestrator (McAfee ePO) 5.0.1 and 5.1.1
- McAfee Endpoint Intelligence Agent (McAfee EIA) 2.5
- McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only)

For more information about the Stonesoft Next Generation Firewall lifecycle policy, see Knowledge Base article 10192.

Native support

To use all features of SMC 6.1, Stonesoft NGFW 6.1 is required.
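The check described under "Product binary checksums" can be scripted. The following is an added example, not part of the release notes or of any Forcepoint tooling: it recomputes each published digest type (SHA1SUM, SHA256SUM, SHA512SUM) for a downloaded archive, tolerates whitespace inside a long digest, and refuses to accept a file on SHA-1 alone. The function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Expected hex length for each digest type named in the release notes.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}


def normalise_digest(label, published):
    """Turn a label such as 'SHA512SUM' and a published value into (algo, hex)."""
    algo = label.strip().lower()
    if algo.endswith("sum"):
        algo = algo[:-3]
    if algo not in DIGEST_HEX_LEN:
        raise ValueError(f"unsupported digest type: {label}")
    # Printed documents often break long digests into groups; join them.
    digest = "".join(published.split()).lower()
    if len(digest) != DIGEST_HEX_LEN[algo] or set(digest) - set("0123456789abcdef"):
        raise ValueError(f"malformed {algo} digest")
    return algo, digest


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so large installer archives are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return {algo: matched} for every published digest of one file."""
    results = {}
    for label, value in published.items():
        algo, expected = normalise_digest(label, value)
        results[algo] = hmac.compare_digest(file_digest(path, algo), expected)
    return results


def download_is_trustworthy(path, published):
    """Every published digest must match, and one must be SHA-256 or SHA-512."""
    results = verify_download(path, published)
    has_strong = any(a in results for a in ("sha256", "sha512"))
    return has_strong and all(results.values())


def demo():
    """Run the check on a constructed file: intact, tampered, and SHA-1 only."""
    payload = b"constructed stand-in for an installer archive\n"
    sha512 = hashlib.sha512(payload).hexdigest()
    published = {
        "SHA1SUM": hashlib.sha1(payload).hexdigest(),
        "SHA256SUM": hashlib.sha256(payload).hexdigest(),
        # Mimic a digest printed as four space-separated groups.
        "SHA512SUM": " ".join(sha512[i:i + 32] for i in range(0, 128, 32)),
    }
    with tempfile.NamedTemporaryFile(delete=False, suffix=".zip") as tmp:
        tmp.write(payload)
    try:
        intact = download_is_trustworthy(tmp.name, published)
        sha1_only = download_is_trustworthy(
            tmp.name, {"SHA1SUM": published["SHA1SUM"]})
        with open(tmp.name, "ab") as fh:
            fh.write(b"x")  # simulate a corrupted or altered download
        tampered = download_is_trustworthy(tmp.name, published)
    finally:
        os.unlink(tmp.name)
    return intact, tampered, sha1_only


if __name__ == "__main__":
    print(demo())
```

Checksums taken from the same location as the download only detect transfer corruption; compare against values obtained over a separate trusted channel where possible.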

New features

This release of the product includes these new features. For more information and configuration instructions, see the Stonesoft Next Generation Firewall Product Guide and the Stonesoft Next Generation Firewall Installation Guide.

Status cards and element home pages in the Home view

The Home view now shows the status of monitored components and devices as cards. When you select the status card for a Security Engine, VPN, or VPN Gateway, the element's home page opens. The home page shows information about the configuration status of the element. You can open the properties of the Security Engine, VPN, or VPN Gateway or the Security Engine's policy from the element's home page.

If the configuration of a Security Engine has not yet been completed, you can continue the configuration (for example, save the engine's initial configuration or upload a policy to the engine) directly from the Security Engine's home page. The remaining configuration steps are shown on the home page.

Other changes in the Home view

- The Active alerts for a monitored component are shown in the Home view.
- There are new options for organizing how the Security Engines are shown in the System Status tree. You can now organize the Security Engines by appliance model, group, or geolocation.

Geo-protection and IP address categorization

You can now configure geo-protection to allow or block traffic. There are predefined Country elements that represent IP addresses registered in specific countries. You can use Country elements to filter traffic in Access rules based on the source or destination country, or entire continents. They can also be used in NAT rules, Inspection rules, and File Filtering rules.

You can use predefined IP address lists to control access to known good or bad IP addresses. You can either use the predefined IP address lists or create new IP address lists. You can also import IP address lists through the SMC API to the SMC. For more information, see the Stonesoft SMC API Reference Guide.

Integration of Sidewinder Proxies

On Sidewinder firewalls, proxies provide high assurance protocol validation. On Stonesoft NGFW, Sidewinder Proxies enable some of the proxy features that are available on Sidewinder. In Stonesoft NGFW version 6.1, the following Sidewinder Proxies are supported: HTTP, SSH, TCP, and UDP.

You can use Sidewinder Proxies on Stonesoft NGFW to enforce protocol validation and to restrict the allowed parameters for each protocol. Sidewinder Proxies are primarily intended for users in high assurance environments, such as government or financial institutions. In environments that limit access to external networks or access between networks with different security requirements, you can use Sidewinder Proxies for data loss protection.

Changes in category-based URL filtering

Category-based web filtering now uses URL categories provided by Forcepoint ThreatSeeker Intelligence Cloud. There are new types of elements for configuring URL filtering:

- URL Category elements are Network Application elements that represent the categories for category-based URL filtering.
- URL Category Group elements contain several related URL Categories.
- URL List elements are Network Application elements that allow you to manually define lists of URLs that you want to allow or block.

The way that category-based URL filtering is applied to traffic has changed. You can now use URL Categories, URL Category Groups, and URL Lists in the Service cell of Access rules to configure URL filtering. It is no longer possible to configure URL filtering using Situation elements in the Inspection Policy.

Note: These changes affect all existing users of category-based URL filtering. Legacy URL Situation elements can no longer be used in policies for Stonesoft NGFW version 6.1 or higher. If rules in your policy contain legacy URL Situation elements, you must replace them with URL Category elements.

Redirection of web traffic to TRITON AP-WEB Cloud

TRITON AP-WEB Cloud is a cloud-based web security proxy service. Stonesoft NGFW can now redirect web traffic to the TRITON AP-WEB Cloud for inspection. Stonesoft NGFW redirects web traffic to the TRITON AP-WEB Cloud using a predefined policy-based VPN. The traffic is inspected in the TRITON AP-WEB Cloud and transparently forwarded to the destination.

Note: To use TRITON AP-WEB Cloud to inspect web traffic, you must have a subscription to the TRITON AP-WEB Cloud service.

In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of an external VPN gateway. Connecting through a VPN to a dynamic FQDN endpoint allows TRITON AP-WEB Cloud to offer addresses from the geographically closest service point.

The TRITON AP-WEB Cloud service requires the endpoint to use a MAC address as a unique identifier. You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.

Enhancements

This release of the product includes these enhancements.

Enhancements in SMC version 6.1.0

- Simplified service configuration and customization improvements in SSL VPN Portal: You can now allow access to intranet services in the SSL VPN Portal with a freeform URL. It is no longer necessary to configure each SSL VPN Portal service separately. End users can access the services by typing the URL directly in the SSL VPN Portal. You can now also modify the look-and-feel of the SSL VPN Portal and create a custom theme with company colors and logos for the SSL VPN Portal in the Management Client.
- Fully qualified domain names as contact addresses in external VPN gateways: In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of an external VPN gateway.
- VPN-specific exceptions for IKE Phase-1 ID: You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.
- Possibility to modify text size in Configuration view and Policy Editing view: You can now modify the text size in the Configuration view and in the Policy Editing view.
- Possibility to resolve IP addresses from DNS names: You can now resolve an IP address from a DNS name in the Management Client when defining an IP address for an interface.
- New fonts: All fonts have been changed in the Management Client. If you use the Management Client from a remote desktop, the new fonts are rendered better than the previously used fonts.

Enhancements in SMC version 6.1.1

- New Task scheduling options: New options for scheduling Tasks have been added, and the existing options for scheduling Tasks have been improved to give you more precise control over when tasks are repeated.
- File Filtering Situations can be used in Alert policies: You can now use System Situations for file filtering, such as File_Malware-Blocked, in rules in the Alert Policy.
- Usability enhancements in the Home view: You can now customize the Home view more flexibly, and see more status information in the Home view.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Each entry gives the issue number, then the description.

- 123579: Policy installation fails when a gateway in a Route-Based VPN tunnel does not have a Site defined. The following type of message is shown: "The VPN <id> referenced in rule @N/A has no valid tunnel for <firewall name>".
- 134452: Creating blacklist entries through the SMC API fails with the error "Impossible to add a blacklist entry for all defined engines. Index: 0, Size: 0".
- 134974: The Correlation Situation warning "Correlation Situations cannot Terminate: a match will create an Alert instead" is shown during the Inspection Policy validation and installation. If a Correlation Situation Category action is overridden by a Correlation Situation action, this is not taken into account on validation.
- 135471: If the same matching criteria, for example a Host and a Zone, are used in several Access rules, deleting one of the rules or removing the matching criteria from one of the rules also removes it from other rules that have the same matching criteria defined. As a result, policy installation might fail with the error "Element does not exist or is not accessible by the user. Failed to build specific configuration for <element name>."
- SMC-554: Configuration changes in the Firewall element, such as removing a node from a Firewall Cluster or converting a Firewall to a Master Engine, fail when the DHCP mode is enabled in the VPN Client settings in the Engine Editor.
- SMC-559: When you install a policy, a NAT rule can be ignored if an Alias element within an Alias element has been used as the translation value. The following type of message is shown: "The IPv4 NAT rule @X.X is ignored: in the source translation, the definition for the translated address is empty".
- SMC-599: After you have activated a dynamic update package, status cards for some appliances might not be shown correctly in the System Status view. Policy installation might also fail if the appliance has a wireless interface.
- SMC-893: Routing and antispoofing configurations are not updated when you add a new IPv4 address to an interface, save the changes to the interface, then update the netmask in the IPv4 address, and save the changes again. A Network element with the old netmask and another Network element with the new netmask are shown in the Routing and Antispoofing views.
- SMC-1029: You cannot disable or delete API Client elements.
- SMC-1067: When you open the Routing or Antispoofing pane by right-clicking a Security Engine in the Status tree of the Home view, the Engine Editor opens in edit mode.
- SMC-1126: You cannot browse stored logs with the Management Client if you have defined administrative Domains. You can see new log entries in the Current Events view.
- SMC-1134: Exporting a report as a PDF file might fail if the report includes a section with very short truncated labels.
- SMC-1176: If you select a Comment Rule section in the Policy Editor, you cannot use the Expand All option.
- SMC-1189: Using a Domain Controller password that is longer than 82 characters in the Active Directory Server properties prevents the Management Server from being upgraded.
- SMC-1249: When you change the IP address of an interface from an IPv4 address to an IPv6 address or from IPv6 address to IPv4 address, the antispoofing configuration is not updated correctly. Policy installation might fail. The following error message is shown: "Syntax error in network configuration: No IPv6 connected network available on interface X near line Y".
- SMC-1329: When you use the SMC API, you cannot add a new rule before or after an existing rule. You can only add a new rule as the first rule in the policy.
- SMC-1417: When you delete a VLAN interface from a Master Engine, saving the Master Engine might fail.
- SMC-1447: The Web Start Management Client slows down after running for several days.
- SMC-1483: When you modify a RADIUS or TACACS+ Authentication Server, you cannot remove Authentication Methods on the Authentication Methods tab of the RADIUS Authentication Server Properties or TACACS+ Authentication Server Properties dialog box.
- SMC-1788: External authentication for administrators fails.
- SMC-1857: When you install a policy for a Security Engine that has NGFW version 5.5 installed, the following warning message is incorrectly shown: "Domain Name Search List in DHCP Server settings is ignored: the installed software version 5.5 does not support it. Upgrade the engine software or deactivate this setting. Minimum version required by this feature is 5.9."
- SMC-1883: When you copy and paste or move a large Rule Section in a policy, the order of the rules might change when you save the changes.
- SMC-1912: When you use an Expression element with a negated Country in a rule, the rule is invalid. The following validation message is shown: "The Expression element <not country> in the Source cell of IPv4 Access rule <id> has no value for the target <name>. Missing Definitions".
- SMC-2078: Adding a new IP address that only has a CVI to an existing interface that already has both CVI and NDI addresses might inadvertently change the order of IP addresses of the existing interface. The change might enable IP addresses as VPN endpoints and change the endpoints used in the Route-Based VPN.

Installation instructions

Use these high-level steps to install SMC and the Stonesoft NGFW engines. For detailed information, see the Stonesoft Next Generation Firewall Installation Guide. All guides are available for download at https://support.forcepoint.com.

Note: The sgadmin user is reserved for SMC use on Linux, so it must not exist before SMC is installed for the first time.

Note: If a Linux system has limited resources, and you are installing only the Management Client, you can install a 32-bit version of the SMC. SMC 6.1 is the last SMC release that has a 32-bit version of the SMC. If you are installing SMC servers, we recommend that you install a 64-bit SMC version.

Note: If you are installing a 32-bit version of the SMC on a 64-bit Linux operating system, the compatibility libraries lib and libz are required.

1. Install the Management Server, the Log Servers, and optionally the Web Portal Servers.
2. Import the licenses for all components. You can generate licenses at https://stonesoftlicenses.forcepoint.com.
3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Configuration view.
4. To generate initial configurations for the engines, right-click each Firewall, IPS, or Layer 2 Firewall element, then select Configuration > Save Initial Configuration. Make a note of the one-time password.
5. Make the initial connection from the engines to the Management Server, then enter the one-time password.
6. Create and upload a policy on the engines using the Management Client.

Upgrade instructions

Take the following into consideration before upgrading to SMC 6.1.

Note: SMC (Management Server, Log Server, and Web Portal Server) must be upgraded before the engines are upgraded to the same major version.

SMC 6.1 requires an updated license. If the automatic license update function is in use, the license is updated automatically. If the automatic license update function is not in use, request a license upgrade on our website at https://stonesoftlicenses.forcepoint.com. Activate the new license using the Management Client before upgrading the software.

To upgrade an earlier version of the SMC to 6.1, we strongly recommend that you stop all Stonesoft NGFW services and create a backup before continuing with the upgrade. After creating the backup, run the appropriate setup file, depending on the operating system. The installation program detects the old version and does the upgrade automatically.

Upgrading is supported from the following SMC versions: 6.1.0 6.0.0 6.0.3 5.10.0 5.10.4 5.6.2 5.9.5

Versions earlier than 5.6.2 require an upgrade to one of the versions above before upgrading to 6.1.1.

Known issues

For a list of known issues in this product release, see Knowledge Base article 10584.

Find product documentation

On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more.

You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles, downloads, cases, and contact information.

Product documentation

Every Forcepoint product has a comprehensive set of documentation.

- Stonesoft Next Generation Firewall Product Guide
- Stonesoft Next Generation Firewall online Help
  Note: By default, the online Help is used from the Forcepoint help server. If you want to use the online Help from a local machine (for example, an intranet server or your own computer), see Knowledge Base article 10097.
- Stonesoft Next Generation Firewall Installation Guide

Other available documents include:

- Stonesoft Next Generation Firewall Hardware Guide for your model
- Stonesoft Management Center Appliance Hardware Guide
- Stonesoft Next Generation Firewall Quick Start Guide
- Stonesoft SMC API Reference Guide
- Stonesoft VPN Client User Guide for Windows or Mac
- Stonesoft VPN Client Product Guide

The following document included in appliance deliveries still uses the old product name and brand:

- McAfee Security Management Center Appliance Quick Start Guide

Copyright 1996-2017 Forcepoint LLC. Forcepoint is a trademark of Forcepoint LLC. SureView, ThreatSeeker, TRITON, Sidewinder and Stonesoft are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are property of their respective owners.