Network Security Platform 8.1


8.1.3.6-8.1.3.5 M-series Release Notes
Network Security Platform 8.1
Revision A

Contents
- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

This maintenance release of Network Security Platform provides a few fixes for the Manager software.

- Network Security Manager software version: 8.1.3.6
- Signature Set: 8.6.28.4
- M-series Sensor software version: 8.1.3.5

Network Security Platform version 8.1 replaces the 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases or hot-fix releases on version 8.0.

With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you should not upgrade the Manager or the Sensors to 8.1 in such cases.

Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager Appliances.

This version of 8.1 Manager software can be used to configure and manage the following hardware:
- 7.1, 7.5, 8.0, and 8.1 M-series and Mxx30-series Sensors
- 8.0 Virtual IPS Sensors
- 7.1 and 8.0 NS-series Sensors
- 7.1, 7.5, 8.0, and 8.1 XC Cluster Appliances
- 7.1, 7.5, 8.0, and 8.1 NTBA Appliance software (Physical and Virtual)
- 7.1 I-series Sensors

Currently, port 4167 is used as the UDP source port number for the SNMP command channel communication between the Manager and Sensors. This avoids opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. With the latest JRE version 1.7.0_45, this is no longer possible, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules so that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

New features

This release provides a few bug fixes for some of the previously known Manager software issues, and does not include any new features.

Enhancements

This release provides a few bug fixes for some of the previously known Manager software issues, and does not include any enhancements to features.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the high-severity Manager software issues:

962714  Malware archive fault message is misleading.

The following table lists the medium-severity Manager software issues:

960293  Improved protection against cross-site request forgery (CSRF) exploits against the Manager.
951549  The Manager's connection with the XC-240 load balancer is not recovered if the link is down for more than 9 minutes.
949576  An incorrect pop-up message is displayed when the entered SSL flow count is more than the maximum allowed.
949202  Scripts for alert notification do not execute if the attack-severity variable ($ATTACK_SEVERITY$) is used.
947003  Attack ID format is changed when the Manager is upgraded to 8.0.5.11.
945781  When the imported custom attacks are deleted without saving the first time, they do not get saved after a subsequent re-import.

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

831157  Occasionally, the filename is not shown as part of malware alerts.

The following table lists the medium-severity Sensor software issues:

954930  On upgrade of the Sensor software, the customized management MTU value is reset to its default value.
954005  [M-1250, M-1450] The "Total IP no Credit Packets dropped" values are not cleared on port 4B by the "clrstat" command.
949270  The Sensor fails to update the signature set after upgrade due to an IPv6 SNORT rule.
946996  In rare conditions, while disabling the "Application Identification" feature, the Sensor health changes to bad health.
946864  In rare conditions, the Sensor generates the "host ack sweep" attack even though the ACL is configured to drop the traffic from the specific source host.
941194  During a signature set update, the "HTTP: Attempt to read password file" attack may go undetected for a very short time.
940899  When certain firewalls, which validate the DNS transaction field, are added between the Sensor and the DNS server, DNS queries for GTI are dropped.
940652  The Layer7 data collection update alert count is clubbed with the Sensor alert sent count, due to which there is an inconsistency in the alert sent count between the Sensor and the Manager database.
937639  In a rare scenario, the Sensor causes latency due to out-of-context traffic and many ACL rules.
927369  In certain cases, the source IP is not displayed in the Real-Time Threat Analyzer for ARP attacks with a single attack count.
926990  ARP attack doesn't display the VLAN sub-interface name in Threat Analyzer.
923806  The Device DNS server connectivity status fault message, which should be raised only when the configured DNS server is unreachable, is raised even when the user disables DNS.
923295  The Sensor occasionally raises the "HTTP: Web Application Server Attack Detected" alert incorrectly when a user edits or submits information in the internal web application.
919217  When a resetconfig is issued on the Sensor running a non-FIPS image, the admin password and admin-added user accounts (via the adduser command) are also deleted.
916569  Retransmitted SYN-ACK can cause an attack to go undetected in SPAN.
914479  The Sensor reports the error "Sensor reassembly buffer memory exhausted" during a denial-of-service attack.
909032  When alert throttling is enabled, multiple geo-locations are mapped to the same IP address in the syslog messages.
908386  On rare occasions, the Application Visualization feature can cause a database connectivity fault with the "sumbandwidth" error.
897178  In rare conditions of MDR setup, upon reporting an ACTIVE-ACTIVE fault, the Sensor re-sends the status requests to the Managers and attempts to correct the MDR status of the Managers.
895268  [M-3050, M-4050, M-6050, M-8000] In rare load conditions, the Sensor goes to layer 2 mode when the latency monitor is enabled.
881169  In a rare scenario, when AppID and SNORT signatures are configured with regular expressions and while processing specific traffic, the Sensor incorrectly triggers the "SMTP: Missing Important Command" (0x40405a00) alert.
880770  The message "Sensor is unreachable" is displayed in the primary Manager for all the Sensors, when the Manager was replaced for an MDR pair.

The following table lists the low-severity Sensor software issues:

928931  The Threat Analyzer shows the "BOT: Zero Access Traffic Detected" direction incorrectly. This requires fixes in Manager and signature set as well (use Manager version 8.1.3.3 or above, and signature set version 8.6.28.4 or above).
871725  When TLS 1.1 or 1.2 is detected, the "SSL Bad State Transition" alert is raised.

Installation instructions

Manager server/client system requirements

The following table lists the 8.1 Manager server requirements:

Operating system
  Minimum required: any of the following (only X64 architecture is supported):
  - Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), English operating system
  - Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), Japanese operating system
  - Windows Server 2012 Standard Edition (Server with a GUI) English operating system
  - Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
  - Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
  - Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
  - Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
  Recommended: same as the minimum required.
Memory
  Minimum required: 8 GB
  Recommended: 8 GB or more
CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same
Disk space
  Minimum required: 100 GB
  Recommended: 300 GB or more
Network
  Minimum required: 100 Mbps card
  Recommended: 1000 Mbps card
Monitor
  Minimum required: 32-bit color, 1440 x 900 display setting
  Recommended: 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
  Minimum: any of the following (only X64 architecture is supported):
  - Windows Server 2008 R2 Standard or Enterprise Edition with SP1 English operating system
  - Windows Server 2008 R2 Standard or Enterprise Edition with SP1 Japanese operating system
  - Windows Server 2012 Standard Edition (Server with a GUI) English operating system
  - Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
  - Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
  - Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
  - Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
  Recommended: same as minimum required.
Memory
  Minimum: 8 GB
  Recommended: 8 GB or more
Virtual CPUs
  Minimum: 2
  Recommended: 2 or more
Disk Space
  Minimum: 100 GB
  Recommended: 300 GB or more

Table 5-2 VMware ESX server requirements

Virtualization software
  Minimum: ESXi 5.0, ESXi 5.1, ESXi 5.5
CPU
  Minimum: Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory
  Minimum: Physical Memory: 16 GB
Internal Disks
  Minimum: 1 TB

The following table lists the 8.1 Manager client requirements when using Windows 7 or Windows 8:

Operating system
  Minimum:
  - Windows 7 English or Japanese
  - Windows 8 English or Japanese
  - Windows 8.1 English or Japanese
  The display language of the Manager client must be same as that of the Manager server operating system.
RAM
  Minimum: 2 GB
  Recommended: 4 GB
CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster
Browser
  Minimum:
  - Internet Explorer 9, 10 or 11
  - Mozilla Firefox
  - Google Chrome (App mode in Windows 8 is not supported)
  If you are using Google Chrome, add the Manager certificate to the trusted certificate list.
  Recommended:
  - Internet Explorer 11
  - Mozilla Firefox 20.0 or above
  - Google Chrome 24.0 or above

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server.

The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

Mac operating system: Lion, Mountain Lion
Browser: Safari 6 or 7

For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The following is the upgrade matrix supported for this release:

Component: Manager/Central Manager software
  Minimum Software Version:
  7.1: 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14
  7.5: 7.5.3.11, 7.5.5.6, 7.5.5.7
  8.0: 8.0.5.9, 8.0.5.11
  8.1: 8.1.3.4
Component: M-series Sensor software
  Minimum Software Version:
  7.1: 7.1.3.6, 7.1.3.51, 7.1.3.88, 7.1.3.106
  7.5: 7.5.3.16, 7.5.3.30
  8.0: 8.0.3.10, 8.0.3.23
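
As an upgrade pre-check for the firewall note in "About this release" (the SNMP command channel uses Manager UDP port 4167 for IPv4 Sensors and 4166 for IPv6 Sensors), the following added example, which is not McAfee code, audits a rule list for Sensors whose replies to the Manager would be dropped. The rule syntax, first-match evaluation with an implicit deny, the reading of each rule as "UDP from this source network to this Manager port", and all addresses are constructed assumptions.

```python
import ipaddress

# Manager-side UDP ports for the SNMP command channel, per these release
# notes: 4167 for IPv4 Sensors, 4166 for IPv6 Sensors.
COMMAND_CHANNEL_PORT = {4: 4167, 6: 4166}

def parse_rule(line):
    """Parse a constructed rule: '<allow|deny> <proto> <src-cidr> <dst-port|any>'."""
    action, proto, src, port = line.split()
    if proto != "udp":
        return None  # only UDP rules affect the command channel
    return action, ipaddress.ip_network(src, strict=False), port

def first_match(rules, sensor_ip, port):
    """Action of the first rule matching Sensor -> Manager:port, else 'deny'."""
    for action, net, rule_port in rules:
        same_family = net.version == sensor_ip.version
        if same_family and sensor_ip in net and rule_port in ("any", str(port)):
            return action
    return "deny"  # assumption: implicit default deny

def blocked_sensors(rule_lines, sensors):
    """Return (sensor, required_port) pairs the rule list does not allow."""
    rules = [r for r in map(parse_rule, rule_lines) if r]
    blocked = []
    for sensor in sensors:
        ip = ipaddress.ip_address(sensor)
        port = COMMAND_CHANNEL_PORT[ip.version]
        if first_match(rules, ip, port) != "allow":
            blocked.append((sensor, port))
    return blocked

# Constructed sample policy: the IPv6 rule still names 4167, as it would if
# copied from a policy written before the Manager began binding 4166 for IPv6.
SAMPLE_RULES = [
    "allow udp 10.20.0.0/16 4167",
    "allow udp 2001:db8:20::/48 4167",
    "deny udp 0.0.0.0/0 any",
    "deny udp ::/0 any",
]
SAMPLE_SENSORS = ["10.20.1.5", "2001:db8:20::5", "192.0.2.9"]

if __name__ == "__main__":
    for sensor, port in blocked_sensors(SAMPLE_RULES, SAMPLE_SENSORS):
        print(f"{sensor}: UDP {port} to the Manager is not allowed")
```

With the sample policy, the IPv6 Sensor is reported because its rule still permits only 4167, and the IPv4 Sensor outside 10.20.0.0/16 is reported because no allow rule covers it.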

Known issues

For a list of known issues in this product release, see these McAfee KnowledgeBase articles:
- Manager software issues: KB81373
- M-series Sensor software issues: KB81374

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation
1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

Copyright 2014 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.