Network Security Platform 8.1


8.1.7.33-8.1.5.135 Manager-NS-series Release Notes
Network Security Platform 8.1
Revision D

Contents
- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

- Network Security Manager software version: 8.1.7.33
- Signature Set: 8.7.61.4
- NS-series Sensor software version: 8.1.5.135

Network Security Platform version 8.1 replaces the 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases or hot-fix releases on version 8.0.

With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you should not upgrade the Manager or the Sensors to 8.1 for such cases.

Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager Appliances.

This version of 8.1 Manager software can be used to configure and manage the following hardware:

- 7.1 and 8.1 NS9x00-series Sensors
- 8.1 NS7x00-series Sensors
- 8.1 Virtual IPS Sensors
- 7.1 and 8.1 M series and Mxx30-series Sensors
- 7.1 and 8.1 XC Cluster Appliances
- 7.1 and 8.1 NTBA Appliance software (Physical and Virtual)
- 7.1 I-series Sensors

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.7.0_45, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

New features

This release of Network Security Platform supports the following interface modules:

- 4-port 10/1 Gig SM 8.5 micron with internal fail-open interface module
- 4-port 10/1 Gig MM 50 micron with internal fail-open interface module
- 4-port 10/1 Gig MM 62.5 micron with internal fail-open interface module

Enhancements

This release of Network Security Platform includes the following enhancements:

- Support for RSA 2048-bit keys (and fall-back RSA 1024-bit keys).
- Support for file transfers using SCP and TFTP.
- In this release, the Sensor is upgraded to:
  - OpenSSL v1.0.1o.
  - OpenSSH v6.4p1 which only supports:
    - Ciphers: aes256-cbc, aes128-cbc.
    - MACs: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512.
    - KexAlgorithms: diffie-hellman-group14-sha1.

- 3rd-party SNMPv3 users are required to migrate to AES128-SHA from DES-MD5 for SNMP user association.
- For the secondary Manager in the MDR, manual or automatic database tuning is enabled. For more information see McAfee Network Security Platform Manager Administration Guide.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

ID #  Issue
1084912  Configuration update fails with error SIGUPDT: ERROR in the signature file.
1082814  Alert signature is triggered even when Observed Value is much less than the Threshold Value configured in the Customized Host Threshold in an NTBA.
1082804  The proxy settings cannot be updated in the Manager and also for the devices at the global level in all browsers.
1082433  The Manager fails the security scan as the Tomcat version is vulnerable to CVE-2014-0230 and CVE-2014-7810.
1081189  Upon restarting the Manager or during switch over in an MDR scenario, the alert channel connection faults are generated.
1080654  The Next Generation reports do not display any performance data for NTBA appliance.
1078394  Importing MCAFEE-SENSOR-CONF-MIB to some SNMP Managers generates an error.
1074977  Memory leak in the Manager results in an MDR failover.
1074124  Firewall rules created for a combination of any TCP service with a Deny response action fail.
1073096  An email is generated for faults created and cleared for scheduled botnet and signature set download.
1071158  The Executive Summary Report in the Manager does not get generated for the report for the last full calendar month beginning from the 1st of the month till the last date of the month.
1070791  The IPS Sensor Configuration report displays the output for jumbo frame parsing as Enabled even when the jumbo parsing feature is disabled in the IP Settings page.
1070486  The events ivsensorstringcontentevent and ivsensorinlayer2switchmodeevent in the EMS-TRAP-MIB file display the same description.
1070468  The Scheduled backup failed fault is not generated even when automated archival or backups fail in the Automated Archival page.
1070132  The layer 7 data is not captured for NETBIOS attacks even when NETBIOS-SS is enabled in layer 7 data capture settings.
1067206  Rules deleted from the Custom Attack Editor are not deleted in the rule set.
1059780  The Manager service is causing high CPU usage of 99% twice a week.
1047182  The details for High-Risk Endpoints are not displayed in the Threat Explorer upon navigating from the dashboard.
1040886  An error is generated when you attempt to run Next Generation report (Top 10 Attack Source Countries).

1015030/904402  During a manual import of certain Snort rules, the Manager displays the ERROR during compiling - 63-30 - error: Pattern is too large message.
955631  8.1 does not support McAfee NAC integration; therefore, the Host type column for quarantined hosts must be removed.
908697  Policy synchronization with a 7.5 Manager fails with Snort rules imported.

The following table lists the low-severity Manager software issues:

ID #  Issue
1073173  The Analyze Packets option in Alert Details window is disabled for reconnaissance attacks.

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

ID #  Issue
1031977  The Sensor sometimes reboots incorrectly because of an incorrect low buffer available error.
1030994  In rare scenarios, all fiber ports on pluggable modules go down suddenly.
939736  In a failover pair, changes made for inline fail-open or inline fail-close mode are applied even to the peer Sensor.

The following table lists the medium-severity Sensor software issues:

ID #  Issue
1094233  Sensor goes to bad health due to exception in the malware processing engine.
1082660  A large number of small UDP packets, which triggers the UDP fast-forward threshold, causes the firewall rules to stop functioning.
1081872  During file extraction, an error response received from the malware processing engine on the management processor was not handled correctly by the datapath processor. This results in the datapath processor experiencing an exception due to which the Sensor auto-recovers.
1081836  Sensor packet capture feature truncates captured packets to 980 bytes.
1080383  The alert SENSOR: Host Entries for Connection Limiting Feature Exhausted is continuously displayed in the Threat Analyzer when Protection for Web Servers is enabled.
1078695  When operating in standalone mode, the Sensor sometimes drops LACP (Link Aggregation Control Protocol) traffic.
1074102  The Sensor can occasionally go to layer 2 due to link flap observed on datapath cross connect port.
1071663  When L7 data collection is disabled, sometimes the maximum percentage of L7 Dcap flows shows incorrect usage statistics in the Sensor CLI show mem-usage.
1071248  During certain situations, the Sensor might reboot because it falsely detects a hung process.
1070475  The SNMP query for temperature and fan OID at times returns an incorrect status.
1065968  When OS Fingerprinting and Layer 7 Data Collection are enabled, the Sensor might auto-recover or reboot depending on the configuration.
1064944  At times the ports might remain down after the Sensor upgrade.
1064000  The Sensor sometimes reports incorrect status for the fan or the power supply.
1061185/1060880  The built-in fail-open ports on the Sensors do not pass traffic during reboot or power cycle.

1059913  MTU changes on management port are not persisted across reboot.
1058999  Sensor may reboot during auto-recovery because of delay in crypto processor initialization causing data path processes to fail initialization.
1058054  The built-in RJ45 ports leak traffic from span ports after auto-recovery.
1056474  The Sensor sometimes reboots as the monitoring mechanism does not synchronize with the Sensor hardware watchdog within the configured timeout.
1056402  The Sensor forwards some inline packets ahead of others, causing certain applications to send TCP RST responses for packets that arrive out of order.
1056146  The Sensor at times fails to block the Utorrent/BitTorrent application.
1054989  Unable to add IP address ending with .127 to the quarantine list.
1053934  [NS9300] The PSU failure message does not indicate the failed Sensor (Primary or Secondary).
1052704  The Sensor triggers alerts for IP addresses configured in the firewall policies to be ignored.
1052324  False positive alerts are raised from the Sensor while signature is pushed to the Sensor.
1052299  Alert exception rules do not work for callback detector alerts when server-originated alerts are detected in the client packet.
1051959  The show powersupply command displays incorrect power supply status.
1050950  When SSL is enabled the Sensor may reboot or auto recover occasionally.
1050794  [NS9300] QSFP modules connected with 40G ports on the Sensor do not loop back traffic in layer 2 mode, and instead cause traffic issues when the Sensor is in layer 2 mode.
1050443  [NS9300] Traffic disruptions might be seen on the Sensors that are configured in high availability mode.
1050442  When Sensor resources are exhausted, GTI queries made by the Sensor can fail.
1049947  The Sensor introduces network latency in certain scenarios when the TCP flow violation is set to stateless inspection.
1049096  Invalid memory access in the protocol parsing engine could sometimes result in a Sensor reboot.
1048758  The Sensor is vulnerable to [CVE-2015-0204] FREAK Vulnerability.
1048738  Sensor packet capture feature truncates captured packets to 980 bytes.
1048389  During simultaneous logging of various log files, the Sensor may reboot.
1046769  The show eventlog command displays an incomplete error message for fan removal.
1044100  The EIGRP update packets with large route information that are part of fragments are dropped by the Sensor.
1043396  Several errors for GTI File Reputation query failures are displayed in the Sensor output and attack ID is not supported for syslog forwarding.
1042629  The Sensor is vulnerable to [CVE-2015-0235] Ghost Vulnerability, which is a heap-based buffer overflow that allows execution of arbitrary code.
1042563  Sensor-load value is incorrectly displayed as 0% in the Sensor when there is very low traffic load.
1041835  Internal SNMP communication error causes an exception resulting in Sensor auto-recovery.
1040530  Unable to log into the Sensor using TACACS credentials due to unintentional removal of access to certain files.
1039861  The Sensor raises false fan error events.

1036365  If a Sensor reboots, the Sensor Power Up fault is not seen.
1035121  The Sensor could reboot when the watchdog gets triggered due to certain critical CPU processes not being able to execute.
1034108  When Port Throughput Utilization in Performance Monitoring is enabled, disabling monitoring ports from the Manager is not possible.
1032799  When a pluggable network interface module is added to a Sensor, the ports are not displayed on the Manager under Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | Physical Ports | Monitoring Ports.
1031501  Traffic is forwarded to SPAN ports after hitless reboot/auto-recovery.
1031253  The Sensor reboots randomly due to enabling of unsupported NAC feature.
1027922  The Sensor is not able to send the event logs to the syslog server on a custom UDP port. By default, it sends the logs on port 514.
1027794  Inactive user account gets locked unexpectedly.
1025927  The show gti stats file CLI command is deprecated. Information previously shown in the output of this command is now available in show GTI IP reputation statistics.
1024701  The Sensor may reboot after a long run due to exhaustion of system resources.
1024681  The Sensor detects HTTP: Web application server attack detected as a false positive alert. This issue is addressed in the signature set versions later than 8.7.45.5.
1024477  The Advanced Threat Defense dashboard sometimes displays hash value instead of the file name.
1021595  In an ACL summary alert, country name is missing for the source and destination IP addresses.
1021386  In rare occasions, the Sensor goes into a lockout condition which results in a hung state or reboot.
1018458  An internal hardware event log buffer is not getting cleared in some scenarios.
1015306  Due to incorrect XFF parsing, the non-true client gets quarantined.
1012922  SSL Decryption fails with Internet Explorer 11 on Windows 8 and with TLS enabled.
1012154  The Sensor can sometimes go to layer 2 or reboot when new configuration updates are deployed to the Sensor.
1011827  The Sensor at times generates incorrect fan faults.
1010209  The Sensor connectivity status with GTI server fault is not automatically cleared in the System Faults page.
1006274  Under heavy load, the Sensor can stop transmitting traffic.
1005234  After rebooting a Sensor, the interconnecting port comes up as 1 Gigabit instead of 40 Gigabit.
974849  File save option does not work when IPv6 is used for Sensor-Manager connectivity.
974810  Malware blacklist/whitelist feature does not work after hitless reboot due to a race condition.
973547  When SSL is enabled, CPU utilization is incorrectly reported as High. When L7 data capture is enabled, some delay is seen in the alert response from the Manager.

Installation instructions

Manager server/client system requirements

The following table lists the 8.1 Manager server requirements:

Operating system (minimum required), any of the following:
- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2012 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system
Only x64 architecture is supported.

Operating system (recommended): Same as the minimum required.

Component   Minimum required                           Recommended
Memory      8 GB                                       8 GB or more
CPU         Server model processor such as Intel Xeon  Same
Disk space  100 GB                                     300 GB or more
Network     100 Mbps card                              1000 Mbps card
Monitor     32-bit color, 1440 x 900 display setting   1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system (minimum), any of the following:
- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2012 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
Only X64 architecture is supported.

Operating system (recommended): Same as minimum required.

Component     Minimum  Recommended
Memory        8 GB     8 GB or more
Virtual CPUs  2        2 or more
Disk Space    100 GB   300 GB or more

Table 5-2 VMware ESX server requirements

Component                Minimum
Virtualization software  ESXi 5.0, ESXi 5.1, ESXi 5.5
CPU                      Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory                   Physical Memory: 16 GB
Internal Disks           1 TB

The following table lists the 8.1 Manager client requirements when using Windows 7 or Windows 8:

Operating system (minimum):
- Windows 7 English or Japanese
- Windows 8 English or Japanese
- Windows 8.1 English or Japanese
The display language of the Manager client must be same as that of the Manager server operating system.

Component  Minimum  Recommended
RAM        2 GB     4 GB

Component  Minimum            Recommended
CPU        1.5 GHz processor  1.5 GHz or faster

Browser (minimum):
- Internet Explorer 9, 10 or 11
- Mozilla Firefox
Google Chrome is not supported since the NPAPI plug-in is disabled by default and will not be supported by Google going forward. This means that Java applet support is also disabled by default.

Browser (recommended):
- Internet Explorer 11
- Mozilla Firefox 20.0 or above

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server.

The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

Mac operating system  Browser
Lion, Mountain Lion   Safari 6 or 7

For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The following is the upgrade matrix supported for this release (Component: Minimum Software Version):

Manager/Central Manager software
- 7.1: 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14, 7.1.5.15
- 8.1: 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13

NS-series Sensor software
- NS9300
  - 7.1: 7.1.5.33, 7.1.5.40, 7.1.5.72, 7.1.5.91
  - 8.1: 8.1.5.14, 8.1.5.71
- NS9200, NS9100
  - 7.1: 7.1.5.11, 7.1.5.23, 7.1.5.40, 7.1.5.72, 7.1.5.91
  - 8.1: 8.1.5.14, 8.1.5.71
- NS7300, NS7200, NS7100
  - 8.1: 8.1.5.39, 8.1.5.57, 8.1.5.75

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article:

- Manager software issues: KB81373
- NS-series Sensor software issues: KB82173

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

8.1 product documentation list

The following software guides are available for Network Security Platform 8.1 release:

- Quick Tour
- Installation Guide
- Upgrade Guide
- Manager Administration Guide
- Manager API Reference Guide (selective distribution - to be requested via support)
- CLI Guide
- IPS Administration Guide
- Custom Attacks Definition Guide
- XC Cluster Administration Guide
- Integration Guide
- NTBA Administration Guide
- Best Practices Guide
- Troubleshooting Guide

© 2016 Intel Corporation. Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.