McAfee Network Security Platform 9.2


Revision B

McAfee Network Security Platform 9.2
(9.2.7.22-9.2.5.27 Manager-NS-series Release Notes)

Contents

- About this release
- New features
- Enhancements
- Resolved Issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795.

This release of Network Security Platform is to provide new features and enhancements on the Manager and NS-series Sensor software.

| Release parameters | Version |
|---|---|
| Network Security Manager software | 9.2.7.22 |
| Signature Set | 9.8.28.4 |
| NS-series Sensor software | 9.2.5.27 |
| McAfee SSL Agent (For inbound SSL decryption using DHE/ECDHE ciphers) | 1.0 |
| Suricata Snort Engine | 3.2.3 |

If your Sensor has run out of memory and does not accept signature set updates, see the section Lite Signature Set in McAfee Network Security Platform Manager Administration Guide to overcome the problem.

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.8.0_181, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.

Manager 9.2 uses JRE version 1.8.0_181 and MySQL version 5.6.41. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Manager software version 9.2 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.

Upgrade support

McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager.

Upgrade paths for Manager software versions

| Current version | Upgrade path to 9.2 |
|---|---|
| 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13 | 8.1.7.82 > 9.2.7.22 |
| 8.1.7.33, 8.1.7.52, 8.1.7.82, 8.1.7.91, 8.1.7.96, 8.1.7.100, 8.1.7.105 | 9.2.7.22 |
| 8.3.7.7, 8.3.7.28, 8.3.7.44, 8.3.7.52, 8.3.7.64, 8.3.7.68, 8.3.7.86 | 9.2.7.22 |
| 9.1.7.11, 9.1.7.15, 9.1.7.49, 9.1.7.63, 9.1.7.73 | 9.2.7.22 |
| 9.2.7.9 | 9.2.7.22 |

All intermediate Manager versions, such as Hotfixes, below 8.1.7.33 must upgrade to 8.1.7.82 before upgrading to the latest 9.2 Manager version. All Manager versions above 8.1.7.33 can directly upgrade to the latest 9.2 Manager version.

Upgrade paths for Sensor software versions

NS-series (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300):

| Component | Upgrade path to 9.2 |
|---|---|
| 8.1.5.14, 8.1.5.39, 8.1.5.57, 8.1.5.135 | 8.1.5.175 > 9.2.5.6 > 9.2.5.27 |
| 8.1.5.175, 8.1.5.210, 8.1.5.215, 8.1.5.217, 8.1.5.219 | 9.2.5.6 > 9.2.5.27 |
| 8.3.5.6, 8.3.5.11, 8.3.5.32, 8.3.5.47, 8.3.5.48, 8.3.5.53 | 9.2.5.6 > 9.2.5.27 |
| 9.1.5.9, 9.1.5.20, 9.1.5.23, 9.1.5.40 | 9.2.5.6 > 9.2.5.27 |
| 9.2.5.6 (without outbound SSL decryption) | 9.2.5.27 |
| 9.2.5.25 (with outbound SSL decryption) | 9.2.5.27 |

You must first purchase a license to enable outbound SSL decryption feature. To obtain a license for outbound SSL decryption, contact MB Licensing.

All intermediate Sensor software versions, such as Hotfixes, below 8.1.5.175 must upgrade to 8.1.5.175 before upgrading to the latest 9.2 Sensor software version. All Sensor software versions above 8.1.7.175 can directly upgrade to the latest 9.2 Sensor software version.

NS-series (NS7150, NS7250, NS7350):

| Component | Upgrade path to 9.2 |
|---|---|
| 9.1.5.15, 9.1.5.20, 9.1.5.23 | 9.1.5.40 > 9.2.5.27 |
| 9.1.5.40 | 9.2.5.27 |

Heterogeneous support

This version of 9.2 Manager software can be used to configure and manage the following devices:

Sensor images for IPS-VM100 and IPS-VM100-VSS Sensor models are not available in version 9.2.

| Device | Version |
|---|---|
| NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300) | 8.1, 8.3, 9.1, 9.2 |
| NS-series Sensors (NS7150, NS7250, NS7350) | 9.1, 9.2 |
| Virtual IPS for ESXi server (IPS-VM100, IPS-VM600) | IPS-VM100: 8.1, 8.3, 9.1; IPS-VM600: 8.1, 8.3, 9.1, 9.2 |
| Virtual IPS for KVM (IPS-VM100, IPS-VM600) | 8.3 |
| Virtual IPS for VMware NSX (IPS-VM100-VSS, IPS-VM600-VSS) | IPS-VM100-VSS: 8.1, 8.3, 9.1; IPS-VM600-VSS: 9.2 |
| Virtual IPS for AWS (IPS-VM100-VSS, IPS-VM600-VSS) | IPS-VM100-VSS: 8.3, 9.1; IPS-VM600-VSS: 9.2 |
| Virtual IPS for Azure (IPS-VM600-VSS) | 9.2 |
| M-series Sensors (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) | 8.1, 8.3, 9.1 |
| Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) | 8.1, 8.3, 9.1 |
| M-8000XC Cluster Appliance | 8.1, 8.3, 9.1 |
| NTBA Appliances (T-200, T-500, T-600, T-1200) | 8.1, 8.3, 9.1 |
| Virtual NTBA Appliances (T-VM, T-100VM, T-200VM) | 8.1, 8.3, 9.1 |

Integration support

The above mentioned Network Security Platform software versions support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

| Product | Version supported |
|---|---|
| McAfee ePO | 5.9.1 |
| McAfee Global Threat Intelligence | Compatible with all versions |
| McAfee Endpoint Intelligence Agent | 2.6.3 |
| McAfee Logon Collector | 3.0.7 |
| McAfee Threat Intelligence Exchange | 2.0.0 |
| McAfee Data Exchange Layer | 3.1.0 |
| McAfee Advanced Threat Defense | 4.2.0 |
| McAfee Virtual Advanced Threat Defense | 4.2.0 |
| McAfee Vulnerability Manager | 7.5 |
| McAfee Host Intrusion Prevention | 8.0 |
| Intel Security Controller | 2.6 |

New features

This release of Network Security Platform includes the following new features:

Introducing Network Security Sensors: NS7150, NS7250, and NS7350

With this release, McAfee's next generation Network Security Platform NS7x50 Sensor models are supported in version 9.2. The NS7350, NS7250, and NS7150 Sensor models are a mid-range offering that provide 5 Gbps, 3 Gbps, and 1.5 Gbps throughput respectively.

The NS-series Sensors are flexible enough to adapt to the security needs of any enterprise environment. When deployed at key network access points, they provide real-time monitoring on high traffic loads to detect malicious activity and respond to the malicious activity as configured by the administrator.

The NS7x50 Sensors are 1RU units equipped with the following components:

- Two slots for pluggable and hot swappable I/O modules
  - 8-port SFP/SFP+ 1/10 Gigabit interface module
  - 6-port RJ-45 10/100/1000 Mbps with internal fail-open interface module
  - 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps with internal fail-open interface module
  - 4-port 10/1 GigE SM 8.5 micron with internal fail-open interface module
  - 4-port 10/1 GigE MM 50 micron with internal fail-open interface module
  - 4-port 10/1 GigE MM 62.5 micron with internal fail-open interface module
- Pluggable SFP transceiver modules are supported on the NS7x50 Sensors.
  - McAfee's IAC-SFTSR-FOT 10 Gbs enhanced 850nm SFP+ transceivers are designed for use in 10 Gigabit Ethernet links over multimode fiber
  - McAfee's IAC-SFTLR-FOT 10 Gbs enhanced 1310nm SFP+ transceivers are designed for use in 10 Gigabit Ethernet links up to 10 km over single mode
- Two fixed SFP+ 10/1 Gigabit Ethernet ports
- Eight RJ-45 10/100/1000 Mbps Ethernet Monitoring ports
- One Console port
- Up to 10 Gbps support on Management and Response ports
  - One RJ-45 10 Gbps/1 Gbps Management port
  - One RJ-45 10 Gbps/1 Gbps Response port
- External USB ports for Storage/Rescue application (USB 3.0 is not supported.)
- DB9/Serial Console Baud Rate = 115200
- RJ-11 port for fail-open control of two built-in SFP+ ports in slot G0
- The front and rear panel LEDs provide status information for the health of the Sensor and the activity on its ports
- Diagnostics for field replacement

The 1 Gbps Copper External Passive Fail-Open Kit and the 1 and 10G Fiber External Passive Fail-Open Kits are supported on the NS7x50 Sensors.

For detailed information, refer to the McAfee Network Security Platform NS7x50 Sensor Product Guide.

Enhancements

This release of Network Security Platform includes the following enhancement:

Gateway Anti-Malware Enhancement

With this release of 9.2, Manager version 9.2.7.22 or later and Sensor version 9.2.5.27 or later supports manual update for Gateway Anti-Malware version 2017. With Manager version 9.2.7.22 and above, depending on the 9.2 Sensor software version, the Gateway Anti-Malware Update Server downloads the appropriate Gateway Anti-Malware version.

The following table describes the Gateway Anti-Malware versions downloaded for manual import:

| Manager | Sensor | Gateway Anti-Malware version |
|---|---|---|
| 9.2.7.9 (or any 9.2 Manager hotfix before 9.2.7.22) | 9.2.5.6 till 9.2.5.27 but does not include 9.2.5.27 | Manual import is not supported. |
| 9.2.7.22 or later | 9.2.5.6 till 9.2.5.27 but does not include 9.2.5.27 | Downloads Gateway Anti-Malware version 2017 version 1. |
| 9.2.7.22 or later | 9.2.5.27 or later | Downloads Gateway Anti-Malware version 2017 version 3. |
| 9.2.7.22 or later | 9.1.5.40 or later | Downloads Gateway Anti-Malware version 2017 version 1. |
| 9.2.7.22 or later | 9.1.5.9 till 9.1.5.40 but does not include 9.1.5.40 | Downloads Gateway Anti-Malware version 2014. |
| 9.2.7.22 or later | 8.3.5.x | Downloads Gateway Anti-Malware version 2014. |

For more information on Gateway Anti-Malware, see McAfee Network Security Platform 9.2 IPS Administration Guide.
Layer 7 protocols supported in snort rules

With this release of 9.2, the following layer 7 protocols are supported in snort rules:

- TCP
- FTP
- UDP
- TLS
- ICMP
- SMB
- IP
- DNS
- HTTP

For more information on snort rules, see McAfee Network Security Platform 9.2 Custom Attack Definitions Guide.

Increase in memory size for handling signature sets

With a growing number of threats, the frequency of signature set updates and the number of attacks in each update constantly increase. As a means to accommodate a larger signature set size in the future, the memory size allocated to signature sets on the Sensor has been increased.

Resolved Issues

The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the high-severity Manager software issues:

| ID # | Issue Description |
|---|---|
| 1237763 | Unable to modify Advanced Threat Defense User Profile for File Submission under the ATD Integration page in Network Security Manager. |
| 1236702 | Login to Manager when deployed manually in AWS environment fails. |

The following table lists the medium-severity Manager software issues:

| ID # | Issue Description |
|---|---|
| 1249254 | In the Device Manager page, the Sensors are not displayed after upgrading the Manager. |
| 1245935 | Manager is unable to deploy a new user defined signatures to Sensors leading to compilation error. |
| 1245601 | The Manager allows the user to save a string greater than 64 bytes within the Description field under Firewall Policies causing the configuration deployment to the Sensors to fail. |
| 1244227 | Unable to deploy configuration changes to the Sensor after policy update. |
| 1242947 | In the Dashboard page, US flag is displayed for private IP addresses in the Top Attackers and Top Targets monitors. |
| 1242839 | A user assigned with a custom role is abruptly signed out of the Manager on clicking the attack name. |
| 1242514 | Bulk edit of IPS policies does not display the Save option. |
| 1240298 | The Version Control page for an IPS policy does not display information for Active Revision. |
| 1239142 | Packet capture in attack log captures only the attack packet in an alert and not the subsequent packets or the entire flow. |
| 1239128 | Policy cannot be assigned to a Virtual IPS Sensor in a vNSP Cluster in the Manager. |
| 1238502 | The performance charts display the recent performance data for the custom time range. |
| 1236581 | Manual import of Gateway Anti Malware update to a Sensor fails when the Manager does not have internet connection. |

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

| ID # | Issue Description |
|---|---|
| 1244643 | Upgrade from Sensor software version 8.3.5.48 to 9.2.5.6 generates Sensor internal configuration: unsupported configuration upgrades critical fault. |
| 1221039 | In rare scenarios, the Sensor's datapath processor crashes while processing SMTP traffic. |
| 1218590 | The Sensor unexpectedly reboots or becomes unresponsive if the Sensor is up for 497 days. |
| 1217998 | The management process experiences an exception due to resource exhaustion. |

The following table lists the medium-severity Sensor software issues:

| ID # | Issue Description |
|---|---|
| 1245053 | Few flash exploits are not detected by the internal flash engine. |
| 1241157 | [NS3x00] The Sensor incorrectly generates a fault for secondary power supply unit. |
| 1240052 | [NS3x00] The TCP reset packet is not sent through response port R1. |
| 1238992 | In Gateway Anti-Malware engines, instances are incorrectly shutdown during the update process which causes update failure. |
| 1238788 | [NS5100] The Sensor failover pair floods the logs with CHECKSUM ERROR IN FAILOVER MSG; ignoring error error message. |
| 1237777 | The Sensor switches to layer 2, auto recover, or reboot when layer 7 process crashes. |
| 1236810 | The X-Forwarded-For Header (XFF) does not display the correct source IP address. |
| 1235441 | [NS5x00, NS3x00] Sensor software version cannot be downgraded from 9.1 to 8.3. |
| 1234673 | Upgrade from Sensor version to 9.1.5.20 causes Sensor to reboot if 10G I/O modules are present. |
| 1234498 | New fan units in the Sensor run at very high rpm and emit loud noise. |
| 1233320 | The datapath processor experiences an exception when guest portal is enabled and the internal resources are incorrectly released causing corruption. |
| 1231255 | The operational status of the monitoring ports state for Virtual IPS Sensors in AWS is always returned as "2" to SNMP client. |
| 1230865 | Sensor experiences an exception causing it to go to layer 2 mode or reboot when NSP Analysis Engine is enabled. |
| 1230284 | Management process in Global Threat Intelligence IP reputation experiences an exception when cache entries exceed the supported limit. |
| 1229550 | Sensor sends values greater than 100% flows to the Manager. |
| 1228862 | Special FTP alerts in layer 7 data fields are not analyzed correctly. |
| 1225322 | The output for set manager secondary ip CLI command displays % Ambiguous command. |
| 1224971 | The SENSOR: Attack Marker Resources Exhausted alerts are generated due to exhaustion of resources. |
| 1224468 | Malware management process experiences an exception while extracting URI information to be exported to external engines such as Network Threat Behavior Analysis and Advance Threat Defense. |
| 1222361 | Firewall rules for McAfee Logon Collector are incorrectly matched with non McAfee Logon Collector firewall rules. |
| 1221119 | Small percentage of fragmented packets in the Sensor are not forwarded to the correct destination that results in packet drops. |
| 1220494 | New firewall policies updated in the Sensor does not work without Sensor reboot. |
| 1220164 | In rare scenarios, the datapath processor experiences an exception when Callback Detectors and Heuristic Callback Discovery are enabled. |
| 1214529 | The power supply status is incorrectly reported in SNMP responses. |
| 1211263 | Auto negotiation feature disabled in port setting is updated in the Sensor after a Sensor reboot. |
| 1211242 | Alert suppression displays incorrect values when a set pattern of n number of attacks is given. |
| 1208841 | [NS9x00, NS7x00] Auto MDI/MDI-X remains enabled even though the auto-negotiation option is disabled. |
| 1206700 | The Manager and Sensor quarantine query are not synchronized. |
| 1205502 | HTTPS protocol connections for users based on McAfee Logon Collector database are incorrectly blocked. |
| 1200980 | In rare scenarios, SNMP management process experiences an exception due to large number of queries. |

Installation instructions

Manager server/client system requirements

The following table lists the 9.2 Manager server requirements:

Operating system, minimum required. Any of the following:

- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)

Only X64 architecture is supported.

Operating system, recommended: Windows Server 2016 Standard Edition operating system

| Component | Minimum required | Recommended |
|---|---|---|
| Memory | 8 GB. Supports up to 3 million alerts in Solr. | >16 GB. Supports up to 10 million alerts in Solr. |
| CPU | Server model processor such as Intel Xeon | Same |
| Disk space | 100 GB | 300 GB or more |
| Network | 100 Mbps card | 1000 Mbps card |
| Monitor | 32-bit color, 1440 x 900 display setting | 1440 x 900 (or above) |

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system, minimum. Any of the following:

- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)

Only X64 architecture is supported.

Operating system, recommended: Windows Server 2016 Standard Edition operating system

| Component | Minimum | Recommended |
|---|---|---|
| Memory | 8 GB. Supports up to 3 million alerts in Solr. | >16 GB. Supports up to 10 million alerts in Solr. |
| Virtual CPUs | 2 | 2 or more |
| Disk Space | 100 GB | 300 GB or more |

Table 5-2 VMware ESX server requirements

| Component | Minimum |
|---|---|
| Virtualization software | ESXi 5.5 Update 3; ESXi 6.0 Update 1; ESXi 6.5 Update 1 |

The following table lists the 9.2 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

| Component | Minimum | Recommended |
|---|---|---|
| Operating system | Windows 7, English or Japanese; Windows 8, English or Japanese; Windows 8.1, English or Japanese; Windows 10, English or Japanese | Windows 10, English or Japanese |
| RAM | 2 GB | 4 GB |
| CPU | 1.5 GHz processor | 1.5 GHz or faster |
| Browser | Internet Explorer 10, 11; Mozilla Firefox; Google Chrome (App mode in Windows 8 is not supported) | Internet Explorer 11; Mozilla Firefox 20.0 or later; Google Chrome 24.0 or later |

The display language of the Manager client must be same as that of the Manager server operating system.

To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.

For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

| Mac operating system | Browser |
|---|---|
| Yosemite; El Capitan | Safari 8 or 9 |

For more information, see McAfee Network Security Platform Installation Guide.

Known issues

For a list of known issues in this product release, see Network Security Platform software issues: KB90337

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

Go to docs.mcafee.com to find the product documentation for this product.

Or

1. Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.

9.2 product documentation list

The following software guides are available for Network Security Platform 9.2 release:

- Quick Tour
- Virtual IPS Administration Guide
- Installation Guide (includes Upgrade Guide)
- CLI Guide
- Manager Administration Guide
- Integration Guide
- Custom Attack Definitions Guide
- Best Practices Guide
- Manager API Reference Guide
- Troubleshooting Guide
- IPS Administration Guide

Copyright 2018 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.