Revision A McAfee Network Security Platform 9.1 (9.1.7.73-9.1.3.11 Manager-M-series, Mxx30-series, and XC Cluster Release Notes) Contents About the release New features Enhancements Resolved Issues Installation instructions Known issues Product documentation About the release This document contains important information about the current release. We recommend that you read the whole document. Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795. This release of Network Security Platform is to provide enhancements on the Manager, M-series, Mxx30-series, and XC Cluster Sensor software. Release parameters Version Network Security Manager software version 9.1.7.73 Signature Set 9.8.23.5 M-series, Mxx30-series, M-8000XC Sensor software version 9.1.3.11 XC-240 Load Balancer 2.11.7 1
Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the JRE version 1.8.0_172, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 9.1 uses JRE version 1.8.0_172 and MySQL version 5.6.40. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager. Manager software version 9.1 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead. Upgrade support McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager. The following are the upgrade matrices supported for this release: Manager: Current version Upgrade path to 9.1 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13 8.1.7.82 9.1.7.73 8.1.7.33, 8.1.7.52, 8.1.7.82, 8.1.7.91, 8.1.7.96, 8.1.7.100, 8.1.7.105 9.1.7.73 8.3.7.7, 8.3.7.28, 8.3.7.44, 8.3.7.52, 8.3.7.64, 8.3.7.68, 8.3.7.86 9.1.7.73 9.1.7.11, 9.1.7.15, 9.1.7.49, 9.1.7.63 9.1.7.73 All intermediate Manager versions, such as Hotfixes, below 8.1.7.33 must upgrade to 8.1.7.82 before upgrading to the latest 9.1 Manager version. All Manager versions above 8.1.7.33 can directly upgrade to the latest 9.1 Manager version. M-series: (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000, M-3030, M-4030, M-6030, M-8030, M-8000XC) Current version Upgrade path to 9.1 8.1.3.5, 8.1.3.43, 8.1.3.89, 8.1.3.100, 8.1.3.124, 8.1.3.130, 8.1.3.135, 8.1.3.136 9.1.3.11 8.3.3.4, 8.3.3.9, 8.3.3.27, 8.3.3.35, 8.3.3.37, 8.3.3.39 9.1.3.11 9.1.3.4, 9.1.3.6, 9.1.3.9 9.1.3.11 All intermediate Sensor software versions can directly upgrade to the latest 9.1 Sensor software version. Component Minimum Software Version XC-240 2.9.2 2.10.4 2.11.7 2
Heterogeneous support This version of 9.1 Manager software can be used to configure and manage the following devices: Device NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300) NS-series Sensors (NS7150, NS7250, NS7350) 9.1 Version 8.1, 8.3, 9.1 Virtual IPS for ESXi server (IPS-VM100, IPS-VM600) IPS-VM100: 8.1, 8.3, 9.1 Virtual IPS for KVM (IPS-VM100, IPS-VM600) 8.3 Virtual IPS for VMware NSX (IPS-VM100-VSS) 8.1, 8.3, 9.1 Virtual IPS for AWS (IPS-VM100-VSS) 8.3, 9.1 M-series Sensors (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) IPS-VM600: 8.1, 8.3, 9.1 8.1, 8.3, 9.1 Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) 8.1, 8.3, 9.1 M-8000XC Cluster Appliance 8.1, 8.3, 9.1 NTBA Appliances (T-200, T-500, T-600, T-1200) 8.1, 8.3, 9.1 Virtual NTBA Appliances (T-VM, T-100VM, T-200VM) 8.1, 8.3, 9.1 New Sensor image for IPS-VM100 and IPS-VM100-VSS Sensor models are not supported from version 9.1.7.12. Integration support The above mentioned Network Security Platform software versions support integration with the following product versions: Product Version supported McAfee epo 5.9.1, 5.9.0 McAfee Global Threat Intelligence McAfee Endpoint Intelligence Agent 2.6 McAfee Logon Collector 3.0.7 McAfee Threat Intelligence Exchange 2.1.1, 2.0.0 McAfee Data Exchange Layer 3.1.0, 3.0.0 McAfee Advanced Threat Defense 4.2.0.20 McAfee Virtual Advanced Threat Defense 4.2.0.4 McAfee Vulnerability Manager 7.5 McAfee Host Intrusion Prevention 8.0 Compatible with all versions Starting with release 9.1.7.63, integration with McAfee Cloud Threat Defense is no longer supported. New features This release provides fixes for some of the previously known issues, and does not include any new features. 3
Enhancements Trend Analysis Report Generation Enhancement In previous releases only one trend item could be selected while generating a trend analysis report. To view alerts only Select attacks in the past option was available. With this release of 9.1, you can select one or more Trend Item(s) while generating reports. The trend data for the selected trend items can be viewed in the Trend Analysis Report. If you want to remove a Trend Item from the list, select the Trend Item and click on Remove Selection. To select the Trend Reporting Period for attacks, you can choose one of the following time spans: Select attacks for this day It detects all the attacks for a particular date. Select attacks between these dates It detects all the attacks between the dates selected. Select attacks in the past It detects all the attacks for the number of days, weeks, or months selected. For more information on Trend Analysis Report Generation, see McAfee Network Security Platform 9.1 Manager Administration Guide. Resolved Issues The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Resolved Manager software issues The following table lists the medium-severity Manager software issues: ID # Issue Description 1240819 Excessive packet logging on the emsout.log file causes it to roll over in few minutes. 1239636 Vulnerability identified for MySQL version 5.6.39. 1239618 / 1232051 Audit logs from the Secondary Manager should appear without duplicate IPS event syslog. 1238533 Sensor update fails when the number of customized attacks are more than 20,000. 1238275 The manual callback detectors update fails as the update file has.0 suffix. 1237406 During the Sensor software upgrade, the Gateway Anti-Malware update from the Manager to Sensor fails. 1237008 The Manager IP address is populated in the Sensor IP address field for SNMP traps. 1234533 After disabling port setting in a failover pair, the Sensor information is not available through API. 1234127 The Manager has an Apache Tomcat vulnerability which allows an attacker to uncover information about the Apache Tomcat version. 1233834 Configuration of a non-standard port at the device level displays the error Error adding non-standard port. 1233285 Addition of XC Cluster to the Manager fails with the error Error in adding XC Cluster: Internal Error. 1232114 In the Manager under Analysis <Admin Domain Name> Traditional Report Trend Analysis, the report contains duplicate Sensor names. 1232060 After Manager upgrade, syslog contains IPS event messages with no information. 1231963 The Top N Blocked Attacks report includes data for attacks with inconclusive attack results. 4
ID # Issue Description 1231669 In a trend analysis report, once the report is generated in HTML format, there is no option to go back to the report configuration page. 1231333 The customized VPC name is incorrectly displayed for users and groups in the Manager. 1231287 When you click the Back button after generating a Next Generation report, the expiration page appears instead of the Run report < report name> page. 1230161 When a port is disabled in NTBA in the Manager, Link Failure of Port: <port number> fault is generated. 1228772 Packet capture in attack log captures only the attack packet in an alert and not the subsequent packets or the entire flow. 1225510 Managers send events to the Central Manager even when Manager is not configured. 1225503 The date format in Primary and Secondary Central Managers are different in the Last Synchronized Time monitor in the Dashboard page. 1225366 After an upgrade, the logging in ems.log file continues even after reaching the maximum file limit. 1223185 API query does not return data for country. 1217412 Gateway Anti-Malware update fails for few Sensors due to a proxy configuration. The following table lists the low-severity Manager software issues: ID # Issue Description 1236685 The Manager has the following Spring Framework vulnerabilities: CVE-2018-1270 - An attacker can craft a message to the broker to execute a remote code attack. CVE-2018-1271 - An attacker can send a specially crafted URL request which can lead to directory traversal attack. CVE-2018-1272 - Multiple multipart in the server request could lead to part content exposure. CVE-2018-1275 - An attacker can craft a message to the broker to execute a remote code attack. Resolved Sensor software issues The following table lists the medium-severity Sensor software issues: ID # Issue Description 1233320 The datapath processor experiences an exception when guest portal is enabled and the internal resources are incorrectly released causing corruption. 1229448 / 1224241 [M-8000] Files are extracted, but the Blacklist engine cannot block the files as it does not receive it. 1220494 New firewall rules updated in the Sensor for existing UDP protocols traffic do not work without Sensor reboot. 1214019 The Sensor prevents access to the server when outbound SSL flows are incorrectly processed as inbound SSL flows. 1206700 The Manager and Sensor quarantine entries are not synchronized. 1200980 In rare scenarios, SNMP management process experiences an exception due to large number of queries. 1159776 The Sensor is vulnerable to CVE-2008-5161 which has the CBC mode ciphers enabled. Resolved XC-240 software issues There are no resolved issues for XC-240 applicable to this release. 5
Installation instructions Manager server/client system requirements The following table lists the 9.1 Manager server requirements: Operating system Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Only X64 architecture is supported. Recommended Windows Server 2016 Standard Edition operating system Memory 8 GB Supports up to 3 million alerts in Solr. >16 GB Supports up to 10 million alerts in Solr. CPU Server model processor such as Intel Xeon Same Disk space 100 GB 300 GB or more Network 100 Mbps card 1000 Mbps card Monitor 32-bit color, 1440 x 900 display setting 1440 x 900 (or above) The following are the system requirements for hosting Central Manager/Manager server on a VMware platform. 6
Table 5-1 Virtual machine requirements Component Minimum Recommended Operating system Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Standard Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Windows Server 2016 Datacenter Edition (Server with a GUI) Only X64 architecture is supported. Windows Server 2016 Standard Edition operating system Memory 8 GB >16 GB Supports up to 3 million alerts in Solr. Supports up to 10 million alerts in Solr. Virtual CPUs 2 2 or more Disk Space 100 GB 300 GB or more Table 5-2 VMware ESX server requirements Component Minimum Virtualization software ESXi 5.1 Update 2 ESXi 5.5 Update 3 ESXi 6.0 Update 1 ESXi 6.5 Update 1 The following table lists the 9.1 Manager Appliance (Linux) hardware and software specifications Table 5-3 Hardware and Software specifications Component Hardware Regulatory Model Name Specifications R1000 7
Table 5-3 Hardware and Software specifications (continued) Component CPU Hard Drive DVD ROM DIMM Integrated LAN USB ports Video Serial Port Software Specifications Intel Xeon Silver 4114 2.2Ghz10C, Skylake1 per system 2.5" Enterprise HDD2TBSATA III (6Gbps)7200 RPM2 per system None Manager software version 9.1 64GB DDR42133Mhz 2 x 10 Gbe 2 x 3.0 on front and 3 x 3.0 on rear panel DB-15 HD VGA on front & rear panel RJ45 on rear panel McAfee Linux OS (MLOS) version 3.4.0.8756 The following table lists the 9.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10: Operating system Minimum Windows 7, English or Japanese Windows 8, English or Japanese Windows 8.1, English or Japanese Windows 10, English or Japanese The display language of the Manager client must be the same as that of the Manager server operating system. Recommended Windows 10, English or Japanese RAM 2 GB 4 GB CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 10, 11 Mozilla Firefox Google Chrome (App mode in Windows 8 is not supported) To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list. Internet Explorer 11 Mozilla Firefox 20.0 or later Google Chrome 24.0 or later In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default. For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server. The following are Central Manager and Manager client requirements when using Mac: Mac operating system Yosemite El Capitan Browser Safari 8 or 9 8
For more information, see McAfee Network Security Platform Installation Guide. Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: Network Security Platform software issues: KB88813 Product documentation Every McAfee product has a comprehensive set of documentation. Find product documentation Go to McAfee Documentation Portal to find the product documentation for this product. Or 1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. 9.1 product documentation list The following software guides are available for Network Security Platform 9.1 release: Quick Tour Virtual IPS Administration Guide Installation Guide (includes Upgrade Guide) CLI Guide Manager Administration Guide XC Cluster Administration Guide Custom Attack Definitions Guide Integration Guide Manager API Reference Guide Best Practices Guide IPS Administration Guide Troubleshooting Guide NTBA Administration Guide Copyright 2018 McAfee, LLC McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. 0A00