Revision B McAfee Network Security Platform 9.1 (9.1.7.75-9.1.3.13 Manager-M-series, Mxx30-series, and XC Cluster Release Notes) Contents About the release New features Enhancements Resolved Issues Installation instructions Known issues Product documentation About the release This document contains important information about the current release. We recommend that you read the whole document. Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795. This release of Network Security Platform is to provide new features and enhancements on the Manager, M-series, Mxx30-series, and XC Cluster Sensor software. Release parameters Version Network Security Manager software version 9.1.7.75 Signature Set 9.8.35.7 M-series, Mxx30-series, M-8000XC Sensor software version 9.1.3.13 XC-240 Load Balancer 2.11.7 1
Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the JRE version 1.8.0_181, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 9.1 uses JRE version 1.8.0_181 and MySQL version 5.6.41. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager. Manager software version 9.1 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead. Upgrade support McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager. The following are upgrade matrices supported for this release: Manager Upgrade path for Manager installed on Windows: Current version Upgrade path to 9.1 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13 8.1.7.82 9.1.7.75 8.1.7.33, 8.1.7.52, 8.1.7.82, 8.1.7.91, 8.1.7.96, 8.1.7.100, 8.1.7.105 9.1.7.75 8.3.7.7, 8.3.7.28, 8.3.7.44, 8.3.7.52, 8.3.7.64, 8.3.7.68, 8.3.7.86 9.1.7.75 9.1.7.11, 9.1.7.15, 9.1.7.49, 9.1.7.63, 9.1.7.73 9.1.7.75 Upgrade path for Manager installed on Linux Manager Appliance: Current version Upgrade path to 9.1 9.1.7.49, 9.1.7.63, 9.1.7.73 9.1.7.75 All intermediate Manager versions, such as Hotfixes, below 8.1.7.33 must upgrade to 8.1.7.82 before upgrading to the latest 9.1 Manager version. All Manager versions above 8.1.7.33 can directly upgrade to the latest 9.1 Manager version. M-series: (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000, M-3030, M-4030, M-6030, M-8030, M-8000XC) Current version Upgrade path to 9.1 8.1.3.5, 8.1.3.43, 8.1.3.89, 8.1.3.100, 8.1.3.124, 8.1.3.130, 8.1.3.135, 8.1.3.136 9.1.3.13 8.3.3.4, 8.3.3.9, 8.3.3.27, 8.3.3.35, 8.3.3.37, 8.3.3.39 9.1.3.13 9.1.3.4, 9.1.3.6, 9.1.3.9, 9.1.3.11 9.1.3.13 All intermediate Sensor software versions can directly upgrade to the latest 9.1 Sensor software version. 2
Component Minimum Software Version XC-240 2.9.2 2.10.4 2.11.7 Heterogeneous support This version of 9.1 Manager software can be used to configure and manage the following devices: New Sensor image for IPS-VM100 and IPS-VM100-VSS Sensor models are not supported from Sensor software version 9.1.7.12. Virtual IPS Sensor model IPS-VM100-VSS for VMware NSX environment is no longer supported. Device NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300) NS-series Sensors (NS7150, NS7250, NS7350) 9.1 Version 8.1, 8.3, 9.1 Virtual IPS for ESXi server (IPS-VM100, IPS-VM600) IPS-VM100: 8.1, 8.3, 9.1 Virtual IPS for KVM (IPS-VM100, IPS-VM600) 8.3 IPS-VM600: 8.1, 8.3, 9.1 Virtual IPS for AWS (IPS-VM100-VSS, IPS-VM600-VSS) IPS-VM100-VSS: 8.3, 9.1 M-series Sensors (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) IPS-VM600-VSS: 9.1 8.1, 8.3, 9.1 Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) 8.1, 8.3, 9.1 M-8000XC Cluster Appliance 8.1, 8.3, 9.1 NTBA Appliances (T-200, T-500, T-600, T-1200) 8.1, 8.3, 9.1 Virtual NTBA Appliances (T-VM, T-100VM, T-200VM) 8.1, 8.3, 9.1 Integration support The above mentioned Network Security Platform software versions support integration with the following product versions: Starting with Manager release 9.1.7.63, integration with McAfee Cloud Threat Defense is no longer supported. Product Version supported McAfee epo 5.10.0, 5.9.1 McAfee Global Threat Intelligence Compatible with all versions McAfee Endpoint Intelligence Agent 3.0.0, 2.6.3 McAfee Logon Collector 3.0.8 McAfee Threat Intelligence Exchange 2.0.0 McAfee Data Exchange Layer 3.1.0 McAfee Advanced Threat Defense 4.6.0 3
Product Version supported McAfee Virtual Advanced Threat Defense 4.6.0 McAfee Vulnerability Manager 7.5 McAfee Host Intrusion Prevention 8.0 New features This release of Network Security Platform includes the following new features: New features for Linux based Manager Linux based Central Manager support on Appliance The Linux based Central Manager support on Appliance is introduced for the first time with this release. The Central Manager Appliance runs the McAfee Linux Operating System (MLOS). The operating system is hardened and comes pre-loaded on the appliance with Network Security Central Manager software. The Central Manager is used to manage the Linux based Managers in a single system. Similar to Central Manager running on Windows operating system, it can be used to perform centralized actions like, policy or signature set updates across the Mangers at a time. The Linux based Central Manager can manage the Linux based Managers only. For more information about Linux based Central Manager support on Appliance, see McAfee Network Security Platform Manager Appliance (Linux) Installation Guide. Linux based Manager/Central Manager as a virtual machine With this release, you can deploy the Linux based Manager/Central Manager as virtual machines in your ESX servers. This Manager can manage all Sensor models. The Central Manager can be used to manage the Linux based Managers for updating policies, signature sets in the Managers. The virtual Manager/Central Manager is an OVA image that deploys a virtual instance of the Network Security Manager/Central Manager running on Linux machine. For more information about Linux based Manager/Central Manager as a virtual machine, see McAfee Network Security Platform 9.1 Installation Guide. Manager shell commands for Linux based Manager For simplicity of usage and security, with this release, Manager shell commands are introduced in the Linux based Manager/Central Manager. The shell commands allows you to configure and view Manager configuration and network information. For more information on Manager shell commands, see McAfee Network Security Platform Manager Appliance (Linux) Installation Guide. Upgrade for Linux based Manager The upgrade patch for upgrading the McAfee Linux Operating System and Manager software version is bundled as an upgrade file (setup.bin) and available in the Download Server. On executing the Linux based Manager upgrade file, the McAfee Linux Operating System and the Linux based Manager software are upgraded simultaneously. For more information about upgrading the Linux based Manager, see McAfee Network Security Platform Manager Appliance (Linux) Installation Guide. 4
Compilation of signature set based on core and non-core attributes With this release, the Manager dynamically compiles signature set based on the core and non-core attributes and pushes signatures to the Sensor based memory capacity of the model. This helps optimize Sensor resources in the latest M-series 9.1.3.13 Sensor version. It also allows improved attack coverage on NS-series 9.1.5.56 Sensor version and Virtual IPS 9.1.7.18 Sensor version leveraging improved memory capability for signature processing. To view the signature set pushed to a Sensor, go to Policy <Admin Domain Name> Intrusion Prevention Policy Types IPS Policies. Double-click on any policy, the Attack Definition tab opens. The Core column displays the availability of any attack definition in the signature set pushed to a Sensor. The display in Core column is Yes for attack definitions applicable for all Sensor models, whereas No for attack definitions applicable only to NS-series and Virtual IPS Sensors running on latest versions. For more information on signature set, see McAfee Network Security Platform 9.1 Manager Administration Guide. epolicy Orchestrator integration with Network Security Platform With this release, Network Security Platform supports integration with epolicy Orchestrator version 5.10.0. For more information about epolicy Orchestrator integration, see McAfee Network Security Platform 9.1 Integration Guide. Enhancements This release of Network Security Platform includes the following enhancements: Test compilation of custom attacks Previously, test compilation was carried out only for custom attacks in the custom attack editor resulting in deployment failures due to some custom attacks incompatibility with signature set. With this release, test compilation is carried out for all attacks in the system indicating the compilation status of each attack with accurate results. This helps the user identify each custom attack that fails compilation and to fix them accordingly, making sure there are no compatibility issues and deployment failures at Sensors. With the compilation status of attacks updated efficiently in the system, only attacks that pass compilation are published to the Sensors. To run test compile, go to Policy <Admin Domain Name> Intrusion Prevention Policy Types IPS Policies Custom Attacks, select the custom attacks that you want to run the test compile on and click Other Actions, select Test Compile. For more information on test compilation of custom attacks, see McAfee Network Security Platform 9.1 Custom Attack Definitions Guide. Unique Authoritative Engine ID for SNMP trap enhancement Previously, the Primary and Secondary Manager in an MDR pair used same authoritative engine ID for SNMP server. With this release, you can configure unique authoritative engine ID for Primary and Secondary Managers in an MDR pair when using SNMP server. The architecture for authoritative engine ID for SNMP server complies RFC3411 guidelines. The engine IDs can be configured for Secondary Manager only after successful creation of an MDR pair. The authoritative engine IDs remain specific to the Manager irrespective of the switchover. Post termination of the MDR pair, the authoritative engine IDs assigned are retained by the respective Managers. The SNMP server can be configured for alerts, faults, and audit notifications. 5
The unique authoritative engine ID in SNMP forwarder can be configured in the following pages: Go to Manager <Admin Domain Name> Setup Notification IPS Events SNMP. Go to Manager <Admin Domain Name> Setup Notification Faults SNMP. Go to Manager <Admin Domain Name> Setup Notification User Activity. The authoritative engine ID configuration is available in SNMP version 3 only. For more information about Unique Authoritative Engine ID for SNMP trap, see McAfee Network Security Platform 9.1 Manager Administration Guide. Manager log enhancements Previously for the Manager logs, module-specific logs were being logged into ems.log and emsout.log log files. With this release of 9.1, log files are enhanced. For easy access of log files, the critical module-specific log files are now available. The following logs are added: scheduler.log: Logs related to schedulers running in the Manager. malware.log: Logs related to all malware activities. reportgen.log: Logs related to report generation. sigfile.log: Logs related to signature file deploy/compilation activity. sigset.log: Logs related to signature set download from update server/local system. To view the new logs files, go to Manager <Admin Domain Name> Troubleshooting System Log, select the log file name from the drop-down list. You can access log files at <Network Security Manager install directory>/app/<all log files>. For more information about System Log files, see McAfee Network Security Platform 9.1 Troubleshooting Guide. Memory capacity optimized for handling signature sets on Sensor The memory allocated for signature set capacity threshold is frozen based on memory availability on M-series hardware. Further, individual segment sizes are optimized for improved signature set processing capacity in the Sensor. IPS CLI enhancements Following new Sensor CLI command is available: Table 3-1 Normal Mode CLI Command Description show datapath-memory-usage stats Displays the statistics of the datapath memory usage details of the device. Following Sensor CLI command is updated: Table 3-2 Debug Mode CLI Command Description show mem-usage Earlier, it displayed just the system memory usage details. This command now displays the system memory usage details and the statistics of the datapath memory usage details of the device. For more information about CLI commands, see McAfee Network Security Platform 9.1 CLI Guide. 6
Resolved Issues The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Resolved Manager software issues The following table lists the high-severity Manager software issues: ID # Issue Description 1260915 Alerts are not visible in the attack log and around 30% of the attacks available in signature set are not getting stored in the Manager database. 1218424 When reinstalling the Manager after an uninstallation, it causes the configuration push to fail with a database error. The following table lists the medium-severity Manager software issues: ID # Issue Description 1257965 Unable to save changes in the Manager to database tuning schedule for Network Threat Behavior Analysis. 1257826, 1257546, 1256494, 1255531, 1256470, 1252855, 1251825 The Manager's UI response slows down as its process led to high CPU usage, memory consumption and sometimes crashing. 1256911 The Manager fails to update data to the epo server task in the Central Manager when the credentials are updated in the local Manager. 1255950 The Effective Rules page for an interface in the Policy Manager does not display the geolocation rule details. 1255758 MySQL process lists the username and password as part of the command in clear text in the Manager Disaster Recovery server task. 1255714 Attack severity information in REST API is not updated when attack severity is updated in Default IPS Attack Policy. 1255209 Manager does not send the request to the Sensor due to which quarantined IP addresses cannot be released manually. 1253543 Updating to 9.8.28.4 signature set in the Manager fails with the following error message Process Failed!!!. Please see the log files to know about the error. 1253245 Post-Attack setting for Sensor Actions is enabled which cannot be changed as the option is disabled. 1251910 The error, A mix of IPv4 and IPv6 objects has been detected in this rule pops up while setting a rule in details about the firewall policies to IPv6 network. 1251126 Unable to see the summary of policies in the Policy Manager page. 1251059, 1239239 The quarantined IP address is still listed in the quarantined list even after releasing it. 1251004 Unable to deploy pending changes automatically to the Sensor. 1250712 When a filter is applied on certain columns for IPS policies and then editing the same fields in the attack details panel changes the Attack ID to 0. 7
ID # 1250398, 1248740 Issue Description The error Unable to get Ignore Rules. Failed to get Sensor for subscriber "0" pops up when trying to access ignore rules. 1249295 Clicking the Analysis tab immediately after clicking Policy tab displays the Policy menu on Analysis tab and vice versa. 1249293 When you edit a firewall policy and then click Cancel, only the Firewall policy that is selected to edit is displayed in the Firewall Policies page. 1249290 The Sensor information added to a Manager cannot be edited before it is connected. 1249103 Downloading two M-series Sensor software in a row immediately logs out the user from the Manager UI. 1248902 The Navigation between pages in Attack Log page jumps to a random page number without the alerts changing when sorted by the IP addresses in the Attack Log page of the Manager. 1248375 Running database pruning through dbadmin.bat crashes due to shortage of memory space. 1247382 Linux-based Manager console takes 25 30 minutes to load. 1244945 Automatic signature set update is not synchronized between am MDR Central Manager pair. 1244227 Unable to deploy configuration changes to the Sensor after policy update. 1243518 Instead of producing reports just at the beginning of the month, reports are being produced twice per month that is, first week and last week of the month. 1243118 Refreshing or deleting a Manager system faults in Central Manager displays the error An Unexpected error occurred during the processing of your request. Check the log file for possible errors!. 1241997 An unexpected error occurred during the processing of your request error. Check the log file for possible errors! error is displayed in Deploy Pending Changes page. 1241005 Diagnostic trace upload fails with error Reason #4:No response from server as the trace is sent from the Sensor to the secondary Manager. 1236581 Manual import of Gateway Anti-Malware update to a Sensor fails when the Manager does not have Internet connection. 1236007 Ignore rules cannot be created for Host: Outbound UDP Packet volume too high alert for Network Threat Behavior Analysis as it is not displayed in the Manager. 1233005 Import of Snort Custom Attacks from the Central Manager to the Secondary Manager fails in an MDR pair. 1232731 When you create a rule object with Host DNS Name type using as windows.net or windows.com, an error message pops up with the error Invalid Hostname. 1232051 Audit logs from the Secondary Manager appear with duplicate IPS event syslog. 1231121 System memory of 70% is shown as high in the Memory Usage monitor in the Dashboard page. 1226041 SNMP faults are sent from the standby Manager of the MDR pair. 1225834 Callback Detector uses the wrong port for health check. 1224598 The user is logged out of the Manager immediately after double-clicking on top-attack SNMP: Cisco IOS Undocumented Community String. 1223879 Application Visualization module tables are not part of database pruning scheduler. 1223870 Test Compilation fails during signature file push to the Sensor due to incorrect UDS format. 1209671 After installation of the Manager in the Linux based Manager Appliance, the Manager services do not start. 1199664 Upon searching HTTP: Microsoft Excel Document Parsing Heap Overflow Vulnerability in the Attack Log page, the user is logged out of the Manager. The following table lists the low-severity Manager software issues: 8
ID # Issue Description 1245543 Secondary Manager generates epo connection faults even when epo integration is disabled as the epo cache is not updated with MDR state. 1241612 Unable to deploy configuration changes to the Sensor after importing a user-defined signature file. 1219537 Primary and Secondary Managers are using the same engine ID while sending SNMPv3 traps. Resolved Sensor software issues The following table lists the medium-severity Sensor software issues: ID # Issue Description 1249458 The Sensor is unable to inspect SSL traffic. 1246234 The Sensor incorrectly generates a fault for secondary power supply unit after a reboot. 1228862 FTP attacks incorrectly show username as part of layer7 data. The following table lists the low-severity Sensor software issues: ID # Issue Description 1252893 The command output of checkmanagerconnectivity does not show and test information for 2048-bit encryption. 1245206 Unwanted message is added after the port number for $IV_AUDIT_MESSAGE$ when syslog notification message in User Activity page. 9
Installation instructions Manager Windows server system requirements The following table lists the 9.1 Manager/Central Manager windows server requirements: Operating system Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 Datacenter Edition (Server with a GUI) Windows Server 2012 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Only X64 architecture is supported. Recommended Windows Server 2016 Standard Edition operating system Memory 8 GB Supports up to 3 million alerts in Solr. >16 GB Supports up to 10 million alerts in Solr. CPU Server model processor such as Intel Xeon Same Disk space 100 GB 300 GB or more 10
Minimum required Recommended Network 100 Mbps card 1000 Mbps card Monitor 32-bit color, 1440 x 900 display setting 1440 x 900 (or above) The following are the system requirements for hosting Central Manager/Manager windows server on a VMware platform. Table 5-1 Virtual machine requirements Component Minimum Recommended Operating system Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 Datacenter Edition (Server with a GUI) Windows Server 2012 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Only X64 architecture is supported. Windows Server 2016 Standard Edition operating system Memory 8 GB >16 GB Supports up to 3 million alerts in Solr. Supports up to 10 million alerts in Solr. Virtual CPUs 2 2 or more Disk Space 100 GB 300 GB or more 11
Table 5-2 VMware ESX server requirements for Windows Operating System Component Minimum Virtualization software ESXi 5.5 Update 3 ESXi 6.0 Update 1 ESXi 6.5 Update 1 Manager Linux server system requirements The following table lists the 9.1 Manager/Central Manager Appliance (Linux) hardware and software specifications: Table 5-3 Hardware specifications Component Hardware Regulatory Model Name CPU Hard Drive DVD ROM DIMM Integrated LAN USB ports Video Serial Port Specifications R1000 Intel Xeon Silver 4114 2.2Ghz10C, Skylake1 per system 2.5" Enterprise HDD 2TB SATA III (6Gbps) 7200 RPM 2 per system None 64GB DDR4 2133Mhz 2 x 10 Gbe 2 x 3.0 on front and 3 x 3.0 on rear panel DB-15 HD VGA on front & rear panel RJ45 on rear panel Table 5-4 Software specifications Minimum requirements Recommended Manager version 9.1.7.75 and later 9.1.7.75 and later McAfee Linux Operating system 3.5.0.9545 3.5.0.9545 Logical CPU cores 6 8 Memory 16 GB 24 GB Disk space 150 GB 300 GB NIC 1 1 The following are the system requirements for hosting Manager/ Central Manager Linux server on a VMware platform. Table 5-5 VMware ESX server requirements for McAfee Linux Operating System Component Minimum Virtualization software ESXi 5.5 ESXi 6.0 ESXi 6.5 Hyperthreading should be available. 12
Manager client system requirements The following table lists the 9.1 Manager/Central Manager client requirements when using Windows 8, Windows 8.1, or Windows 10: Operating system Minimum Windows 8, English or Japanese Windows 8.1, English or Japanese Windows 10, English or Japanese The display language of the Manager client must be the same as that of the Manager server operating system. Recommended Windows 10, English or Japanese RAM 2 GB 4 GB CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 11 Mozilla Firefox Google Chrome (App mode in Windows 8 is not supported) To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list. Internet Explorer 11 Mozilla Firefox 20.0 or later Google Chrome 24.0 or later In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default. For the Manager/Central Manager client, in addition to Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server. The following are Central Manager and Manager client requirements when using Mac: Mac operating system Yosemite El Capitan Browser Safari 8 or 9 For more information, see McAfee Network Security Platform Installation Guide. Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: Network Security Platform software issues: KB88813 Product documentation Every McAfee product has a comprehensive set of documentation. Find product documentation Go to McAfee Documentation Portal to find the product documentation for this product. 13
Or 1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. 9.1 product documentation list The following software guides are available for Network Security Platform 9.1 release: Quick Tour Virtual IPS Administration Guide Installation Guide (includes Upgrade Guide) CLI Guide Manager Administration Guide XC Cluster Administration Guide Custom Attack Definitions Guide Integration Guide Manager API Reference Guide Best Practices Guide IPS Administration Guide Troubleshooting Guide NTBA Administration Guide Copyright 2019 McAfee, LLC McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. 0B00