8.1.19.23-8.1.15.14 Manager-M-series FIPS Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Known issues Installation instructions Product documentation About this release This document contains important information about the current release. We recommend that you read the whole document. The FIPS-enabled software combination recommended by McAfee to use along with this release of M-series Sensor software are as listed below: Network Security Manager software version: 8.1.19.23 Signature Set: 8.7.53.3 M-series Sensor software version: 8.1.15.14 New features This release is to provide fixes for some of the previously known issues, and does not include any new features. 1
Enhancements Updated certificates with extended validity have been used to digitally sign the Network Security Manager binary files. Resolved issues The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Resolved Manager software issues This release does not contain any resolved issues for the Manager. Resolved Sensor software issues The following table lists the medium-severity Sensor software issues: ID # Issue Description 1106100 The Sensor reboots on its own at times which can cause loss of unsaved data. 1102919 vulnerability in Linux ipc mechanisms (msgq and shm and possibly sem) 1098272 The front-end processor encounters a rare exception causing the Sensor to reboot or enter Layer 2 mode. 1094233 The Sensor goes to bad health due to exception in the malware processing engine. 1072752 Insufficient memory on the Sensor for the latest signature set updates. 1071663 When L7 data collection is disabled, sometimes the maximum percentage of L7 Dcap flows shows incorrect usage statistics in the Sensor CLI show mem-usage. 1063164 Alerts for snort attacks are not generated in the Threat Analyzer. 1058892 Link failure fault, for port pairs of interconnect ports, is incorrectly raised when the port is in "Not used" state in the Physical Ports page in the Manager. 1056146 The Sensor at times fails to block Utorrent/BitTorrent application. 1052324 False positive alerts are raised from the Sensor while signature is pushed to the Sensor. 1015306 Due to incorrect XFF parsing, the non-true client is quarantined. Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: Manager software issues: KB81373 M-series Sensor software issues: KB81374 2
Installation instructions Review the following before you install the Manager software: The following table lists the 8.1 Manager server requirements: Operating system Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation) Windows Server 2012 Standard Edition (Server with a GUI) English operating system Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Only x64 architecture is supported. Recommended Same as the minimum required. Memory 8 GB 8 GB or more CPU Server model processor such as Intel Xeon Same Disk space 100 GB 300 GB or more Network 100 Mbps card 1000 Mbps card Monitor 32-bit color, 1440 x 900 display setting 1440 x 900 (or above) The following are the system requirements for hosting Central Manager/Manager server on a VMware platform. 3
Table 6-1 Virtual machine requirements Component Minimum Recommended Operating system Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation) Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Standard Edition (Server with a GUI) Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Windows Server 2012 R2 Datacenter (Server with a GUI) Only X64 architecture is supported. Same as minimum required. Memory 8 GB 8 GB or more Virtual CPUs 2 2 or more Disk Space 100 GB 300 GB or more Table 6-2 VMware ESX server requirements Component Minimum Virtualization software ESXi 5.0 ESXi 5.1 ESXi 5.5 Update 3 ESXi 6.0 Update 1 CPU Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz Memory Internal Disks Physical Memory: 16 GB 1 TB 4
The following table lists the 8.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10: Operating system Minimum Windows 7 English or Japanese Windows 8 English or Japanese Windows 8.1 English or Japanese Windows 10 English or Japanese The display language of the Manager client must be same as that of the Manager server operating system. Recommended RAM 2 GB 4 GB CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 9, 10 or 11 Mozilla Firefox Google Chrome is not supported since the NPAPI plug-in is disabled by default and will not be supported by Google going forward. This means that Java applet support is also disabled by default. Internet Explorer 11 Mozilla Firefox 41.0.2 or above In Mozilla Firefox version 52 and above the NPAPI plug-in is disabled and will not be supported by Mozilla going forward. This means that pages that uses Java in the Manager will not render properly on Mozilla Firefox version 52 and above. The following table lists the 8.1 Central Manager / Manager client requirements when using Mac: Mac operating system Lion Mountain Lion Browser Safari 6 or 7 For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server. For more information, see McAfee Network Security Platform Installation Guide. McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors. Migrating the Manager This section shows you different scenarios of deployment from which you can migrate to the Manager. 5
Table 6-3 Upgrade scenarios and associated considerations Current Manager version Intended Manager version Scenario-specific considerations 6.1.15.x Applicable if the server and client requirements for Manager 8.1.x are met. The Manager will retain the 6.1 FIPS settings after the upgrade. For more information, see McAfee Network Security Platform 8.1 Upgrade Guide. 7.1.15.x (FIPS Manager in non-fips mode) 7.1.15.x (FIPS Manager in non-fips mode) 7.1.15.x 7.1.15.x 7.1.x.x (Non-FIPS Manager) 7.1.x.x (Non-FIPS Manager) (FIPS Manager in non-fips mode) (FIPS Manager in non-fips mode) (FIPS Manager in non-fips mode) None None 8.1.x.x (Non-FIPS Manager) (FIPS Manager in non-fips mode) Upgrade to and select non-fips mode during installation. 8.1.x.x (Non-FIPS Manager) Adding and non-compliant Sensors You can add both and non- M-series Sensor models to the Manager. The table below shows the upgrade scenarios for different Sensor versions. The software versions listed under the migrated Sensor software in the table, Sensor upgrade scenario below are mandatory to the upgrade path. The user must upgrade to these 8.1 FIPS software versions prior to any future 8.1 FIPS Sensor software. Sensor upgrade path Upgrade to the mandatory 8.1 FIPS Sensor image is supported through the upgrade paths mentioned in this section. Use netboot to convert the M-series Sensor running this mandatory 8.1 FIPS image to any non-fips or an older 6.1/7.1 FIPS image. This M-series Sensor will retain the bootloader that is capable of verifying SHA256 signed images. This is by design. The minimum Sensor software version required, to upgrade to 8.1, is 6.1 or later. 6
Table 6-4 Sensor upgrade scenarios Sensor model Current Sensor software Migrated Sensor software M-series 6.1.15.101 8.1.15.14 M-series 7.1.15.11 M-series 8.1.3.130 Non- 8.1.15.14 8.1.15.14 To upgrade Sensor software to 8.1 FIPS SHA256 compatible image make note of the following points. The 8.1 FIPS Sensor image on M-series may take 7-15 minutes to run all the FIPS power-on and known answer tests before the user can log on to the Sensor. Upgrading M-series to 8.1.15.14 also upgrades their bootloaders to verify the loading of subsequent images signed with SHA256. To check the bootloader version and support for image verification of images signed with SHA256, refer to KB85240. The automatic reset configuration on the Sensor requires a corresponding database delete on the Manager. If not the installation will not be complete. The upgrade of M-8000 to 8.1.15.14 FIPS image requires a synchronization of the symmetric key set using the set fips sharedkey command, algorithm tests and bootloader updates on the M-8000P and M-8000S units. Please contact McAfee Technical Support for assistance. Product documentation Every McAfee product has a comprehensive set of documentation. Find product documentation 1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. 8.1 product documentation list The following software guides are available for Network Security Platform 8.1 release: FIPS Deployment Guide Quick Tour Installation Guide Upgrade Guide Manager Administration Guide Manager API Reference Guide (selective distribution - to be requested via support) CLI Guide IPS Administration Guide 7
Custom Attacks Definition Guide XC Cluster Administration Guide Integration Guide NTBA Administration Guide Best Practices Guide Troubleshooting Guide Copyright 2017 McAfee, LLC McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. 0A-00