Stonesoft Management Center Release Notes 6.1.0 Revision B
Table of contents 1 About this release...3 System requirements... 3 Build version...4 Compatibility... 5 2 New features...6 3 Enhancements... 8 4 Resolved issues...9 5 Installation instructions...11 Upgrade instructions... 11 6 Known issues...13 7 Find product documentation... 14 Product documentation... 14 2
About this release This document contains important information about the current release of Stonesoft Management Center by Forcepoint (SMC; formerly known as McAfee Security Management Center). We strongly recommend that you read the entire document. System requirements Make sure that you meet these basic hardware and software requirements. Basic management system hardware requirements You can install SMC on standard hardware. Intel Core family processor or higher recommended, or equivalent on a non-intel platform A mouse or pointing device (for Management Client only) SVGA (1024x768) display or higher (for Management Client only) Disk space for Management Server: 6 GB Disk space for Log Server: 50 GB Memory requirements for 32-bit Linux operating systems: 2 GB RAM for the Management Server, Log Server, or Web Portal Server (3 GB if all servers are installed on the same computer) 1 GB RAM for Management Client Memory requirements for 64-bit operating systems: 6 GB RAM for the Management Server, Log Server, or Web Portal Server (8 GB if all servers are installed on the same computer) 2 GB RAM for Management Client Operating systems SMC supports the following operating systems and versions. Note: Only U.S. English language versions have been tested, but other locales might also work. Supported Microsoft Windows operating systems: Windows Server 2012 R2 (64-bit) Windows Server 2008 R1 SP2 and R2 SP1 (64-bit) Windows 7 SP1 (64-bit) Windows 10 Supported Linux operating systems: CentOS 6 (for 32-bit and 64-bit x86) CentOS 7 (for 64-bit x86) Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86) Red Hat Enterprise Linux 7 (for 64-bit x86) SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86) About this release 3
SUSE Linux Enterprise 12 SP1 (for 32-bit and 64-bit x86) Ubuntu 12.04 LTS (for 64-bit x86) Ubuntu 14.04 LTS (for 64-bit x86) Ubuntu 16.04 LTS (for 64-bit x86) Web Start client In addition to the operating systems listed, SMC can be accessed through Web Start by using Mac OS 10.9 and JRE 1.8.0_77 or a later critical patch update (CPU) release. Build version SMC 6.1.0 build version is 10218. This release contains Dynamic Update package 810. Product binary checksums Use the checksums to make sure that the installation files downloaded correctly. smc_6.1.0_10218.zip SHA1SUM: ac946a52ca54a1e3b0a1c8c93865401fa222b358 SHA256SUM: 58ba27e80ccd34edf35def0b646286345aa3470554dd0916e7fdc18465051559 SHA512SUM: 00bd8ee10c47e792aae120e395aad2a4 1c65190b9bb762be8aef1912ea21bf38 8fa35044eaeebce56b3dceac019ac419 5851603928e5c1ebde4ab20aaafb3f4a smc_6.1.0_10218_linux.zip SHA1SUM: 5f09e88b0e7252aad582e64fd7fb45ff4d1becd7 SHA256SUM: 74bfd0e8f0e57c2e3e5016d5cf999cb6e8a8d29f3c0238e619bb3663182f378d SHA512SUM: 02d5b7a4bcea4d5824bb99c6c1e51b61 9d149d67b0ea680c5a3838598bb86752 9ee7464b7027f8dacfa6c756c54a72a9 f8a8f94d246d7bd5fd64ef590d325db1 smc_6.1.0_10218_windows.zip SHA1SUM: a285d7156fb320cf71e0c3f0349adcf1e964c396 SHA256SUM: f0e16d20042fecd7d3f0cf2bab8135401c0a4cd9b553e67ab0c73729d315e14a SHA512SUM: 1fe9c15e7619e6dcca44fc6eaf567ee6 9d0e83223a45df0038a831318b439521 c7a9b972aaeb1f7b2b2b8ddb3709e043 1d7a9fb6795db98acca91fad5aa0781e About this release 4
smc_6.1.0_10218_webstart.zip SHA1SUM: a4f6116c1e1a27db2936ef07c380648805cba215 SHA256SUM: b986454f94c0d1adf7afd72fc57deb7238aed37c064a0b39fd9c0b24ad9b2886 SHA512SUM: 86f1334eff27420991298441c5444be5 d4d2b41dd3b3721ce559729d21b9f9bf d5d6478189537f7cc9aa6fe1a89da9b9 bb07d5b259d9482909caf6084af71b6c Compatibility SMC 6.1 has the following requirements for minimum compatibility and native support. Note: SMC 6.1 can manage all compatible Stonesoft NGFW engine versions up to and including version 6.1. Minimum component versions SMC 6.1 is compatible with the following component versions. Stonesoft Next Generation Firewall (Stonesoft NGFW) 6.0 and 6.1. McAfee Next Generation Firewall (McAfee NGFW) 5.7, 5.8, 5.9, and 5.10. Stonesoft Security Engine 5.5 McAfee epolicy Orchestrator (McAfee epo ) 5.0.1 and 5.1.1 McAfee Endpoint Intelligence Agent (McAfee EIA) 2.5 McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only) For more information about the Stonesoft Next Generation Firewall lifecycle policy, see Knowledge Base article 10192. Native support To use all features of SMC 6.1, Stonesoft NGFW 6.1 is required. About this release 5
New features This release of the product includes these new features. For more information and configuration instructions, see the Stonesoft Next Generation Firewall Product Guide and the Stonesoft Next Generation Firewall Installation Guide. Status cards and element home pages in the Home view The Home view now shows the status of monitored components and devices as cards. When you select the status card for a Security Engine, VPN, or VPN Gateway, the element s home page opens. The home page shows information about the configuration status of the element. You can open the properties of the Security Engine, VPN, or VPN Gateway or the Security Engine s policy from the element s home page. If the configuration of a Security Engine has not yet been completed, you can continue the configuration (for example, save the engine s initial configuration or upload a policy to the engine) directly from the Security Engine s home page. The remaining configuration steps are shown on the home page. Other changes in the Home view The Active alerts for a monitored component are shown in the Home view. There are new options for organizing how the Security engines are shown in the System Status tree. You can now organize the Security Engines by appliance model, group, or geolocation. Geo-protection and IP address categorization You can now configure geo-protection to allow or block traffic. There are predefined Country elements that represent IP addresses registered in specific countries. You can use Country elements to filter traffic in Access rules based on the source or destination country, or entire continents. They can also be used in NAT rules, Inspection rules, and File Filtering rules. You can use predefined IP address lists to control access to known good or bad IP addresses. You can either use the predefined IP address lists or create new IP address lists. You can also import IP address lists through the SMC API to the SMC. For more information, see the Stonesoft SMC API Reference Guide. Integration of Sidewinder Proxies On Sidewinder firewalls, proxies provide high assurance protocol validation. On Stonesoft NGFW, Sidewinder Proxies enable some of the proxy features that are available on Sidewinder. In Stonesoft NGFW version 6.1, the following Sidewinder Proxies are supported: HTTP, SSH, TCP, and UDP. You can use Sidewinder Proxies on Stonesoft NGFW to enforce protocol validation and to restrict the allowed parameters for each protocol. Sidewinder Proxies are primarily intended for users in high assurance environments, such as government or financial institutions. In environments that limit access to external networks or access between networks with different security requirements, you can use Sidewinder Proxies for data loss protection. Changes in category-based URL filtering Category-based web filtering now uses URL categories provided by Forcepoint ThreatSeeker Intelligence Cloud. There are new types of elements for configuring URL filtering: URL Category elements are Network Application elements that represent the categories for category-based URL filtering. URL Category Group elements contain several related URL Categories. URL List elements are Network Application elements that allow you to manually define lists of URLs that you want to allow or block. New features 6
The way that category-based URL filtering is applied to traffic has changed. You can now use URL Categories, URL Category Groups, and URL Lists in the Service cell of Access rules to configure URL filtering. It is no longer possible to configure URL filtering using Situation elements in the Inspection Policy. Note: These changes affect all existing users of category-based URL filtering. Legacy URL Situation elements can no longer be used in policies for Stonesoft NGFW version 6.1 or higher. If rules in your policy contain legacy URL Situation elements, you must replace them with URL Category elements. Redirection of web traffic to TRITON AP-WEB Cloud TRITON AP-WEB Cloud is a cloud-based web security proxy service. Stonesoft NGFW can now redirect web traffic to the TRITON AP-WEB Cloud for inspection. Stonesoft NGFW redirects web traffic to the TRITON AP- WEB Cloud using a predefined policy-based VPN. The traffic is inspected in the TRITON AP-WEB Cloud and transparently forwarded to the destination. Note: To use TRITON AP-WEB Cloud to inspect web traffic, you must have a subscription to the TRITON AP-WEB Cloud service. In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of an external VPN gateway. Connecting through a VPN to a dynamic FQDN endpoint allows TRITON AP-WEB Cloud to offer addresses from the geographically closest service point. The TRITON AP-WEB Cloud service requires the endpoint to use a MAC address as a unique identifier. You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value. New features 7
Enhancements This release of the product includes these enhancements. Enhancements in SMC version 6.1.0 Enhancement Simplified service configuration and customization improvements in SSL VPN Portal Fully qualified domain names as contact addresses in VPN gateways VPN-specific exceptions for IKE Phase-1 ID Possibility to modify text size in Configuration view and Policy Editing view Possibility to resolve IP addresses from DNS names New fonts Description You can now allow access to intranet services in the SSL VPN Portal with a freeform URL. It is no longer necessary to configure each SSL VPN Portal service separately. End users can access the services by typing the URL directly in the SSL VPN Portal. You can now also modify the look-and-feel of the SSL VPN Portal and create a custom theme with company colors and logos for the SSL VPN Portal in the Management Client. In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of a VPN gateway. You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value. You can now modify the text size in the Configuration view and in the Policy Editing view. You can now resolve an IP address from a DNS name in the Management Client when defining an IP address for an interface. All fonts have been changed in the Management Client. If you use the Management Client from a remote desktop, the new fonts are rendered better than the previously used fonts. Enhancements 8
Resolved issues These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Description Retrieving routing information through the SMC API can work unreliably, especially with a large number of dynamic routes on Virtual Firewalls. The Active Alerts view might not be updated in real time when the status of a Log Server changes. For example, when a Log Server is restarted immediately after acknowledging alerts, some acknowledged alerts might appear on the Active Alerts view again. Alerts that were received when the Log Server was shut down might not be immediately shown in the Active Alerts view after the Log Server is started again. Searching for IPv6 addresses does not return results when the search criteria includes letters. Changing the interface ID and creating a new interface with the same ID can result in an incorrect automatic routing configuration if all the interface configuration changes are not saved at the same time. In a high-availability Management Server configuration, the status of Management Servers might not be shown correctly if the license of the standby Management Server is lost or its IP address changed. You cannot delete Blacklist entries that have only the source IP address defined through the Blacklist view. When the Resolve Addresses by Elements option is selected in the Logs view, reports might add "%[" to the names of elements that have comments. When you select Dynamic as the Default Contact Address for a static IP address that is used as a VPN endpoint, and you select an option other than IP Address as the Phase-1 ID for the endpoint, saving the changes in the Engine Editor fails with the following error: "Failed to save Single Firewall <name> The Phase-1 ID type of the VPN Gateway Endpoint <IP> on VPN Gateway <name> is IP Address. This is incompatible with an Interface having a dynamic contact address in the Location: Default. A Dynamic Interface requires E-mail, DNS or Distinguished Name types. Please, change the Phase-1 ID type of the Endpoint <IP> or set the Interface with a static contact address instead of a dynamic one." Editing or previewing a route-based VPN is not possible after disabling endpoints referenced in the route-based VPN. In some situations, a full database replication can be done on a standby Management Server, which leads to incorrect status information about the Management Servers. Policy installation fails if a policy refers to a custom TLS Match or Application element in another administrative Domain. The following type of message is shown: "Element does not exist or is not accessible by the user." If policies have been moved between an administrative Domain and the Shared Domain, deleting the administrative Domain might fail because of a reference to a Policy Snapshot. When you print a policy as a PDF file, the titles of the tables and the tables in the PDF are on separate pages. Removing an IP Prefix List element from a Route Map can result in a database error when you save the Route Map. Editing the Route Map rule several times can lead to only the last change being saved. Issue number 116761 123510 126308 127250 127708 129833 130705 131042 131049 132184 132283 133081 133765 134253 Resolved issues 9
Description Snapshot comparison can fail with the error "Database error. Details: Failed to read import exported:data.xml." The problem can occur when a custom VPN profile is in use. Comparing Policy Snapshots can fail and give a "Database Error" message on Master Engines when you have moved networks from one interface to another interface and then deleted the original interface. Selecting elements in the Home view can result in the Management Client running out of memory when there are hundreds of managed elements. A diagram is drawn for each element, which consumes memory. You cannot edit a Single Firewall element after it has been converted to a Firewall Cluster element if the single firewall had browser-based authentication enabled when you gave the Upgrade to Cluster command. A Security Engine element exported in XML format might contain an invalid antispoofing parameter if the IP address of an interface has been changed from dynamic to static. This prevents importing the exported Security Engine element into the SMC. You cannot view or restore a policy snapshot if it contains a Policy-Based VPN with forwarding gateways defined. Issue number 134280 134411 134543 134950 135184 135352 Resolved issues 10
Installation instructions Use these high-level steps to install SMC and the Stonesoft NGFW engines. For detailed information, see the Stonesoft Next Generation Firewall Installation Guide. All guides are available for download at https://support.forcepoint.com. Note: The sgadmin user is reserved for SMC use on Linux, so it must not exist before SMC is installed for the first time. Note: If a Linux system has limited resources, and you are installing only the Management Client, you can install a 32-bit version of the SMC. SMC 6.1 is the last SMC release that has a 32-bit version of the SMC. If you are installing SMC servers, we recommend that you install a 64-bit SMC version. Note: If you are installing a 32-bit version of the SMC on a 64-bit Linux operating system, the compatibility libraries lib and libz are required. 1. Install the Management Server, the Log Servers, and optionally the Web Portal Servers. 2. Import the licenses for all components. You can generate licenses at https://stonesoftlicenses.forcepoint.com. 3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Configuration view. 4. To generate initial configurations for the engines, right-click each Firewall, IPS, or Layer 2 Firewall element, then select Configuration > Save Initial Configuration. Make a note of the one-time password. 5. Make the initial connection from the engines to the Management Server, then enter the one-time password. 6. Create and upload a policy on the engines using the Management Client. Upgrade instructions Take the following into consideration before upgrading to SMC 6.1. Note: SMC (Management Server, Log Server, and Web Portal Server) must be upgraded before the engines are upgraded to the same major version. SMC 6.1 requires an updated license. If the automatic license update function is in use, the license is updated automatically. If the automatic license update function is not in use, request a license upgrade on our website at https:// stonesoftlicenses.forcepoint.com. Activate the new license using the Management Client before upgrading the software. To upgrade an earlier version of the SMC to 6.1, we strongly recommend that you stop all Stonesoft NGFW services and create a backup before continuing with the upgrade. After creating the backup, run the appropriate setup file, depending on the operating system. The installation program detects the old version and does the upgrade automatically. Upgrading is supported from the following SMC versions: 6.0.0 6.0.2 5.10.0 5.10.4 5.6.2 5.9.5 Installation instructions 11
Versions earlier than 5.6.2 require an upgrade to one of the versions above before upgrading to 6.1.0 Installation instructions 12
Known issues For a list of known issues in this product release, see Knowledge Base article 10584. Known issues 13
Find product documentation On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more. You can get additional information and support for your product on the Forcepoint support website at https:// support.forcepoint.com. There, you can access product documentation, Knowledge Base articles, downloads, cases, and contact information. Product documentation Every Forcepoint product has a comprehensive set of documentation. Stonesoft Next Generation Firewall Product Guide Stonesoft Next Generation Firewall online Help Note: By default, the online Help is used from the Forcepoint help server. If you want to use the online Help from a local machine (for example, an intranet server or your own computer), see Knowledge Base article 10097. Stonesoft Next Generation Firewall Installation Guide Other available documents include: Stonesoft Next Generation Firewall Hardware Guide for your model Stonesoft Management Center Appliance Hardware Guide Stonesoft Next Generation Firewall Quick Start Guide Stonesoft SMC API Reference Guide Stonesoft VPN Client User Guide for Windows or Mac Stonesoft VPN Client Product Guide The following document included in appliance deliveries still uses the old product name and brand: McAfee Security Management Center Appliance Quick Start Guide Copyright 1996-2016 Forcepoint LLC Forcepoint is a trademark of Forcepoint LLC. SureView, ThreatSeeker, TRITON, Sidewinder and Stonesoft are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are property of their respective owners. Find product documentation 14