Network Security Platform 8.1

8.1.7.33-8.1.3.89-2.11.9 Manager-XC-Cluster Release Notes
Network Security Platform 8.1
Revision C

Contents
  About this release
  New features
  Enhancements
  Resolved issues
  Installation instructions
  Known issues
  Product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Network Security Manager software version: 8.1.7.33
Signature Set: 8.7.61.4
M-8000XC Sensor software version: 8.1.3.89
XC-240 Load Balancer software version: 2.11.9

Network Security Platform version 8.1 replaces 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases and hot-fix releases on version 8.0.

With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you should not upgrade the Manager or the Sensors to 8.1 for such cases.

Manager software version 7.5 and above are not supported on McAfee-built Dell based Manager Appliances.

This version of 8.1 Manager software can be used to configure and manage the following hardware:
  7.1 and 8.1 NS9x00-series Sensors
  8.1 NS7x00-series Sensors
  8.1 Virtual IPS Sensors
  7.1 and 8.1 M series and Mxx30-series Sensors
  7.1 and 8.1 XC Cluster Appliances
  7.1 and 8.1 NTBA Appliance software (Physical and Virtual)
  7.1 I-series Sensors

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.7.0_45, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

New features

This release of Network Security Platform does not include any new features.

Enhancements

This release of Network Security Platform includes the following enhancements:
  Support for RSA 2048-bit keys (and fall-back RSA 1024-bit keys).
  Support for file transfers using SCP and TFTP.
  In this release, the Sensor is upgraded to:
    OpenSSL v1.0.1o.
    OpenSSH v6.4p1, which only supports:
      Ciphers: aes256-cbc, aes128-cbc.
      MACs: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512.
      KexAlgorithms: diffie-hellman-group14-sha1.
  3rd-party SNMPv3 users are required to migrate to AES128-SHA from DES-MD5 for SNMP user association.
  For the secondary Manager in the MDR, manual or automatic database tuning is enabled. For more information, see McAfee Network Security Platform Manager Administration Guide.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

ID #
1084912  Configuration update fails with error SIGUPDT: ERROR in the signature file.
1082814  Alert signature is triggered even when Observed Value is much less than the Threshold Value configured in the Customized Host Threshold in an NTBA.
1082804  The proxy settings cannot be updated in the Manager and also for the devices at the global level in all browsers.
1082433  The Manager fails the security scan as the Tomcat version is vulnerable to CVE-2014-0230 and CVE-2014-7810.
1081189  Upon restarting the Manager or during switch over in an MDR scenario, the alert channel connection faults are generated.
1080654  The Next Generation reports do not display any performance data for the NTBA appliance.
1078394  Importing MCAFEE-SENSOR-CONF-MIB to some SNMP Managers generates an error.
1074977  Memory leak in the Manager results in an MDR failover.
1074124  Firewall rules created for a combination of any TCP service with a Deny response action fail.
1073096  An email is generated for faults created and cleared for scheduled botnet and signature set download.
1071158  The Executive Summary Report in the Manager does not get generated for the report for the last full calendar month, beginning from the 1st of the month till the last date of the month.
1070791  The IPS Sensor Configuration report displays the output for jumbo frame parsing as Enabled even when the jumbo parsing feature is disabled in the IP Settings page.
1070486  The events ivsensorstringcontentevent and ivsensorinlayer2switchmodeevent in the EMS-TRAP-MIB file display the same description.
1070468  The Scheduled backup failed fault is not generated even when automated archival or backups fail in the Automated Archival page.
1070132  The layer 7 data is not captured for NETBIOS attacks even when NETBIOS-SS is enabled in layer 7 data capture settings.
1067206  Rules deleted from the Custom Attack Editor are not deleted in the rule set.
1059780  The Manager service is causing high CPU usage of 99% twice a week.
1047182  The details for High-Risk Endpoints are not displayed in the Threat Explorer upon navigating from the dashboard.
1040886  An error is generated when you attempt to run Next Generation report (Top 10 Attack Source Countries).
1015030/904402  During a manual import of certain Snort rules, the Manager displays the "ERROR during compiling - 63-30 - error: Pattern is too large" message.
955631  8.1 does not support McAfee NAC integration; therefore, the Host type column for quarantined hosts must be removed.
908697  Policy synchronization with a 7.5 Manager fails with Snort rules imported.

The following table lists the low-severity Manager software issues:

ID #
1073173  The Analyze Packets option in Alert Details window is disabled for reconnaissance attacks.

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

ID #
1094233  The Sensor goes to bad health due to an exception in the malware processing engine.
1081872  During file extraction, an error response received from the malware processing engine on the management processor was not handled correctly by the datapath processor. This results in the datapath processor experiencing an exception, due to which the Sensor auto-recovers.
1074706  Layer 7 data is not displayed in the Threat Analyzer because the Sensor attempts to send information before it is available.
1072752  Insufficient memory on the Sensor for the latest signature set updates.
1071663  When L7 data collection is disabled, sometimes the maximum percentage of L7 Dcap flows shows incorrect usage statistics in the Sensor CLI show mem-usage.
1065968  When OS Fingerprinting and Layer 7 Data Collection are enabled, the Sensor might auto-recover or reboot depending on the configuration.
1063967  If TCP flow violation is set to stateless inspection and packets are received out of order, the Sensor reboots due to internal resource exhaustion.
1063164  Alerts for snort attacks are not generated in the Threat Analyzer.
1058892  Link failure fault for port pairs of interconnect ports is incorrectly raised when the port is in Not used status in the Physical Ports page in the Manager.
1058120  The Sensor could reboot after a long run due to exhaustion of system resources.
1056402  The Sensor forwards some inline packets ahead of others, causing certain applications to send TCP RST responses for packets that arrive out of order.
1056146  The Sensor at times fails to block the Utorrent/BitTorrent application.
1053934  The fault notification for a PSU event on the Sensor does not clearly identify the PSU.
1052324  False positive alerts are raised from the Sensor while a signature is pushed to the Sensor.
1052299  Alert exception rules do not work for callback detector alerts when server-originated alerts are detected in the client packet.
1050950  When SSL is enabled, the Sensor may reboot or auto-recover occasionally.
1050442  When Sensor resources are exhausted, GTI queries made by the Sensor can fail.
1049096  Invalid memory access in the protocol parsing engine could sometimes result in a Sensor reboot.
1048758  The Sensor is vulnerable to [CVE-2015-0204] FREAK Vulnerability.
1048389  During simultaneous logging of various log files, the Sensor may reboot.
1046769  The show eventlog command displays an incomplete error message for fan removal.
1044100  The EIGRP update packets with large route information that are part of fragments are dropped by the Sensor.
1043396  The Sensor output displays several errors for GTI File Reputation query failures and attack ID is not supported for syslog forwarding.
1042629  The Sensor is vulnerable to [CVE-2015-0235] Ghost Vulnerability, which is a heap-based buffer overflow that allows execution of arbitrary code.
1042563  The Sensor load shows 0% when there is very low traffic flowing through the Sensor.
1041835  Internal SNMP communication error causes an exception resulting in Sensor auto-recovery.
1040530  Unable to log into the Sensor using TACACS credentials due to unintentional removal of access to certain files.
1034108  When Port Throughput Utilization in Performance Monitoring is enabled, disabling monitoring ports from the Manager is not possible.
1027922  The Sensor is not able to send the event logs to the syslog server on a custom UDP port. By default, it sends the logs on port 514.
1027794  Inactive user account gets locked unexpectedly.
1026581  Due to temporary unavailability of control buffer resources in the datapath processor, the Sensor sometimes switches to layer 2 or reboots.
1025927  The show gti statistics file CLI command is deprecated.
1024701  The Sensor may reboot after a long run due to exhaustion of system resources.
1024681  The Sensor detects HTTP: Web application server attack detected as a false positive alert. This issue is addressed in the signature set versions later than 8.7.45.5.
1024477  The Advanced Threat Defense dashboard sometimes displays the hash value instead of the file name.
1024262  The response port disable option cannot be configured.
1021595  In an ACL summary alert, the country name is missing for the source and destination IP addresses.
1019138  The User Defined Report in Traditional Report shows "McAfee NAC" for Alert/Attack Type.
1018047  The GTI alert connection from high risk internal IP is incorrectly triggered even when it is not present in the signature set.
1015866  The SENSOR: PREVDATA-NODES Exhausted alert appears intermittently.
1015306  Due to incorrect XFF parsing, the non-true client is quarantined.
1012305  The Sensor sometimes reboots, which causes some loss of data due to the sudden reboot.
1012154  The Sensor can sometimes go to layer 2 or reboot when new configuration updates are deployed to the Sensor.
1010765  Under certain error conditions in the HTML decoder (under Advanced Traffic Inspection), the control packet buffers are not released.
1010345  The exception objects are not taking effect for some reconnaissance attacks. As a result, the alerts are still displayed in the Threat Analyzer.
1010209  The Sensor connectivity status with GTI server fault is not automatically cleared in the System Faults page.
1009744  The deployment of Botnet update to the Sensor fails, due to which the Internal configuration error critical fault is generated.
1006999  When the Sensor configuration update fails, the Sensor is in uninitialized state. The Sensor then rejects the configuration update as the maximum number of supported CIDR interfaces is incorrectly calculated by the Sensor software for the inline port.
980149  Attacks configured to be blocked by the Sensor could sometimes pass through.
975938/973536  The reconnaissance alerts are not filtered correctly when the alert filter contains rules as Any internal IP or Any external IP.
965115  The IPv4: TCP Session Hijacking Attempt alert is sometimes falsely reported on ports configured in SPAN/Tap mode.
964385  Signature set download to the Sensor fails because of the Invalid File Name or File not Found error.
958957  The L3/L4 error count in SPAN port cannot be viewed even after it crosses the threshold limit.

The following table lists the low-severity Sensor software issues:

ID #
980117  The Sensor management port is affected by the shellshock vulnerability.

Resolved XC-240 software issues

There are no resolved issues for XC-240 applicable to this release.
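The OpenSSH algorithm list given under Enhancements decides whether an administrator's SSH client can negotiate a session with the Sensor. The following is an added example, not part of these release notes or of any McAfee tooling: it applies ssh_config-style directives to a client proposal and reports what would be negotiated against the Sensor's list. The client default lists and the host name sensor.example are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Algorithms the 8.1 Sensor's OpenSSH v6.4p1 supports, as listed in these release notes.
SENSOR = {
    "Ciphers": ["aes256-cbc", "aes128-cbc"],
    "MACs": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512"],
    "KexAlgorithms": ["diffie-hellman-group14-sha1"],
}

# Constructed sample of a client's default proposal (an assumption, not taken
# from any particular OpenSSH version); replace with your client's real lists.
CLIENT_DEFAULTS = {
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "MACs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    "KexAlgorithms": ["curve25519-sha256", "ecdh-sha2-nistp256",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"],
}


def effective(defaults, directive):
    """Apply one ssh_config algorithm directive to the client's default list.

    Per ssh_config(5): '+' appends to the defaults, '-' removes matches
    (wildcards allowed), '^' moves names to the head, a bare list replaces.
    """
    if not directive:
        return list(defaults)
    names = directive.lstrip("+-^").split(",")
    if directive[0] == "+":
        return list(defaults) + [n for n in names if n not in defaults]
    if directive[0] == "-":
        return [d for d in defaults if not any(fnmatchcase(d, p) for p in names)]
    if directive[0] == "^":
        return names + [d for d in defaults if d not in names]
    return names


def negotiate(client, server):
    """First name on the client's list that the server also offers, else None.

    This is the RFC 4253 rule for ciphers and MACs; key exchange is simplified
    to the same rule here, and host key algorithms are not checked because the
    release notes do not list them.
    """
    return next((alg for alg in client if alg in server), None)


def audit(client_defaults, host_config):
    """Return {directive: negotiated algorithm or None} against the Sensor."""
    return {
        key: negotiate(effective(client_defaults[key], host_config.get(key)), SENSOR[key])
        for key in SENSOR
    }


def per_host_stanza(host, client_defaults, host_config=None):
    """Build a Host block that re-enables only what the Sensor needs."""
    result = audit(client_defaults, host_config or {})
    lines = [f"    {key} +{SENSOR[key][0]}" for key, alg in result.items() if alg is None]
    return "\n".join([f"Host {host}"] + lines) if lines else ""


if __name__ == "__main__":
    print(audit(CLIENT_DEFAULTS, {}))
    print(per_host_stanza("sensor.example", CLIENT_DEFAULTS))
```

Scoping the `+` directives to a Host block keeps the older algorithms disabled for every other destination the client connects to.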

Installation instructions

Manager server/client system requirements

The following table lists the 8.1 Manager server requirements:

Operating system
  Minimum required: Any of the following:
    Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2012 Standard Edition (Server with a GUI) English operating system
    Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
    Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
    Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system
    Only x64 architecture is supported.
  Recommended: Same as the minimum required.
Memory
  Minimum required: 8 GB
  Recommended: 8 GB or more
CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same
Disk space
  Minimum required: 100 GB
  Recommended: 300 GB or more
Network
  Minimum required: 100 Mbps card
  Recommended: 1000 Mbps card
Monitor
  Minimum required: 32-bit color, 1440 x 900 display setting
  Recommended: 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
  Minimum: Any of the following:
    Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2012 Standard Edition (Server with a GUI) English operating system
    Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
    Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
    Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
    Only x64 architecture is supported.
  Recommended: Same as minimum required.
Memory
  Minimum: 8 GB
  Recommended: 8 GB or more
Virtual CPUs
  Minimum: 2
  Recommended: 2 or more
Disk Space
  Minimum: 100 GB
  Recommended: 300 GB or more

Table 5-2 VMware ESX server requirements

Virtualization software
  Minimum: ESXi 5.0, ESXi 5.1, ESXi 5.5
CPU
  Minimum: Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory
  Minimum: Physical Memory: 16 GB
Internal Disks
  Minimum: 1 TB

The following table lists the 8.1 Manager client requirements when using Windows 7 or Windows 8:

Operating system
  Minimum:
    Windows 7 English or Japanese
    Windows 8 English or Japanese
    Windows 8.1 English or Japanese
    The display language of the Manager client must be the same as that of the Manager server operating system.
RAM
  Minimum: 2 GB
  Recommended: 4 GB
CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster
Browser
  Minimum:
    Internet Explorer 9, 10 or 11
    Mozilla Firefox
    Google Chrome is not supported since the NPAPI plug-in is disabled by default and will not be supported by Google going forward. This means that Java applet support is also disabled by default.
  Recommended:
    Internet Explorer 11
    Mozilla Firefox 20.0 or above

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server.

The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

Mac operating system
  Lion
  Mountain Lion
Browser
  Safari 6 or 7

For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The following is the upgrade matrix supported for this release:

Component and Minimum Software Version
Manager/Central Manager software
  7.1: 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14, 7.1.5.15
  8.1: 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13
M-8000XC Sensor software
  7.1: 7.1.3.6, 7.1.3.51, 7.1.3.88, 7.1.3.106, 7.1.3.119
  8.1: 8.1.3.5, 8.1.3.43
XC-240
  2.9.2
  2.9.4
  2.11.7

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article:
  Manager software issues: KB81373
  XC-Cluster Sensor software issues: KB81377

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation
  1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
  2 Enter a product name, select a version, then click Search to display a list of documents.

8.1 product documentation list

The following software guides are available for Network Security Platform 8.1 release:
  Quick Tour
  Installation Guide
  Upgrade Guide
  Manager Administration Guide
  Manager API Reference Guide (selective distribution - to be requested via support)
  CLI Guide
  IPS Administration Guide
  Custom Attacks Definition Guide
  XC Cluster Administration Guide
  Integration Guide
  NTBA Administration Guide
  Best Practices Guide
  Troubleshooting Guide

Copyright 2016 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.