McAfee Network Security Platform 9.1


9.1.7.49-9.1.5.20 Manager-NS-series Release Notes
McAfee Network Security Platform 9.1
Revision C

Contents

About the release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Product documentation

About the release

This document contains important information about the current release. We recommend that you read the whole document.

Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795.

This release of Network Security Platform provides new features and enhancements on the Manager and NS-series Sensor software.

Release parameters: Version
Network Security Manager software version: 9.1.7.49
Signature Set: 9.8.11.1
NS-series Sensor software version: 9.1.5.20

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the JRE version 1.8.0_144, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.

Manager 9.1 uses JRE version 1.8.0_144. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules so that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Manager software version 9.1 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.

Upgrade support

McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager.

Consider the following before upgrading to Network Security Manager version 9.1:

- If you are using the Manager version 8.3.7.44 with McAfee Cloud Threat Detection (McAfee CTD) environment only, then you can upgrade to Manager version 9.1. This version supports integration with McAfee CTD.
- Manager version 8.3.7.44 does not support NS-series Sensor version 8.1.5.210.

The following are the upgrade matrices supported for this release:

Manager:
Current version: Upgrade path to 9.1
8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13: 8.1.7.82 > 9.1.7.49
8.1.7.33, 8.1.7.52, 8.1.7.82, 8.1.7.91, 8.1.7.96, 8.1.7.100, 8.1.7.105: 9.1.7.49
8.3.7.7, 8.3.7.28, 8.3.7.44, 8.3.7.52, 8.3.7.64, 8.3.7.68, 8.3.7.86: 9.1.7.49
9.1.7.11, 9.1.7.15: 9.1.7.49

NS-series:
Component: Upgrade path to 9.1
8.1.5.14, 8.1.5.39, 8.1.5.57, 8.1.5.135: 8.1.5.175 > 9.1.5.20
8.1.5.175, 8.1.5.210, 8.1.5.215, 8.1.5.217: 9.1.5.20
8.3.5.6, 8.3.5.11, 8.3.5.32, 8.3.5.47, 8.3.5.48: 9.1.5.20
9.1.5.9: 9.1.5.20

Network Security Manager versions up to 8.1.7.13 use the SHA1 certificate, which employs a 1024-bit encryption based signature. Starting with Manager version 8.1.7.82, the Manager uses the SHA256 certificate, which employs a 2048-bit encryption based signature. Hence, a direct upgrade is not possible due to a certificate mismatch.

Network Security Platform version 8.2 is End-of-Life. If you are currently on version 8.2 and would like to upgrade to 9.1, read the following:

- NS-series Sensor version 8.2 supports the SHA1 signing algorithm, which is not supported by version 9.1.
- NS-series Sensor version 9.1 supports 2048-bit RSA keys with Sha256WithRSAEncryption based signature.

If you wish to upgrade the NS-series Sensor version 8.2 to 9.1, you must first upgrade to NS-series Sensor version 8.3.5.47 and then upgrade to version 9.1.5.9 or later.

Heterogeneous support

This version of 9.1 Manager software can be used to configure and manage the following devices:

Device: Version
NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300): 8.1, 8.3, 9.1
NS-series Sensors (NS7150, NS7250, NS7350): 9.1
Virtual IPS Sensors (IPS-VM100 and IPS-VM600): 8.1, 8.3, 9.1
  Network Security Manager version 9.1 does not support KVM environment.
Virtual Security System (IPS-VM100-VSS): 8.3, 9.1
  Network Security Manager version 9.1 does not support VMware NSX environment.
M-series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000): 8.1, 8.3, 9.1
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030): 8.1, 8.3, 9.1
M-8000XC Cluster Appliance: 8.1, 8.3, 9.1
NTBA Appliances (T-200, T-500, T-600, T-1200): 8.1, 8.3, 9.1
Virtual NTBA Appliances (T-VM, T-100VM, T-200VM): 8.1, 8.3, 9.1

Integration support

The above mentioned Network Security Platform software versions support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

Product: Version supported
McAfee ePO: 5.9.1, 5.9.0, 5.3.3
McAfee Global Threat Intelligence: Compatible with all versions
McAfee Endpoint Intelligence Agent: 2.6
McAfee Logon Collector: 3.0.7
McAfee Threat Intelligence Exchange: 2.1.0, 2.0.1
McAfee Data Exchange Layer: 3.0.1, 3.0.0
McAfee Advanced Threat Defense: 4.2.0.4, 4.0.2.42
McAfee Virtual Advanced Threat Defense: 4.2.0.4, 4.0.2.42
McAfee Cloud Threat Detection: 2.2
McAfee MOVE AntiVirus Agentless: 4.0.0.317
McAfee MOVE AntiVirus Multi-Platform: 4.5.0.211
McAfee Vulnerability Manager: 7.5
McAfee Host Intrusion Prevention: 8.0

New features

This release of Network Security Platform includes the following new features:

Migration from Oracle JRE to Azul Zulu JRE

Starting with this release, the Manager uses Azul Zulu JRE instead of the Oracle JRE.

Enhancements

This release provides fixes for some of the previously known issues, and does not include any enhancements.

Resolved issues

The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

ID #
1220109  After deploying changes to the Sensors, alerts are not generated for the imported Snort rules.
1216184  After adding a custom attack, the Benign Trigger Probability (BTP) value is displayed incorrectly.
1215552  After upgrade, the JAR file for the older version of Struts is not removed from the installation directory.
1214486  After importing or saving a custom attack, the conditions set in the signature change.
1214225  Partial signature is displayed in the Attack tab in the Custom Attack editor.
1213844  The Manager is vulnerable against Apache Tomcat vulnerability (CVE-2017-12617).
1212345  After deploying changes to the Sensors, the Deploy Pending Changes page displays that changes are pending after successful deployment.
1211699  The Benign Trigger Probability (BTP) value changes after saving imported custom attacks.
1211098  Importing the custom attack signatures fails.
1209040  The "Internet Connectivity Required for vNSP Cluster Usage" warning is displayed when the vNSP Cluster is set to Offline mode.
1208081  Attack Log filter for Malware Confidence column when set to Very High fails.
1207705  While deleting a large number of alerts from Attack Log, some alerts are not deleted.
1205856  After a health check, the policies in use are reported as "not in use".
1205683  The Allocated Interfaces page in the Manager <Admin Domain Name> Setup Admin Domains does not display the allocated interface names.
1203747  The Benign Trigger Probability (BTP) value in UDS does not map to correct malware confidence (severity) level.
1202303  Incorrect attack information is sent via Syslog.
1191950  The Manager does not display the severity information after receiving the analysis result from Advanced Threat Defense.
1191664  An attempt to deploy the Sensor configurations fails after a Sensor upgrade.

1188068  The Quarantine page does not display all the hosts that are in quarantine.
1187289  After the Manager is upgraded, ePolicy Orchestrator is unable to retrieve logs from the Manager.
1184808  Snort signatures are not triggered on HTTP response data.
1174800  Smart blocking does not work for TFTP: Get Sensitive file.
1173927  The Manager dashboard does not display the Throughput Usage, Memory Usage, and CPU Usage monitors.

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

ID #
1201115  Due to a deadlock condition in the Management processor, packet forwarding to datapath processors is stopped. This in turn results in auto recovery or reboot.

The following table lists the medium-severity Sensor software issues:

ID #
1217050  checkmangerconnectivity does not include testing of certain port connectivity (8501, 8502, 8503) for SHA256 supported images.
1216899  During an upgrade, certain configurations are not getting upgraded correctly (intfporttype).
1214880  The Sensor will send additional 28 bytes to an ARP packet when the Sensor is in Layer 3 off mode, which could cause traffic outage.
1212425  [NS7x00] The Management port does not have an option to configure duplex setting.
1206771  In a rare scenario, the software within the internal switch experiences an exception when the Sensor reboots.
1206355  The Sensor may reboot in scenarios when the guest portal is enabled and a high volume of guest portal requests per second is consistently seen on the Sensor in a period of 10 to 15 minutes.
1205277  Geo Lookup for Connection Limiting Policies is not working.
1204946  The firewall rules with IP addresses in XFF header are not blocked in some scenarios and alerts are generated with IP addresses in reverse order in other scenarios.
1203842  The Sensor may go to bad health in scenarios where the Callback Detectors: Connection Using High Confidence C&C Server Domain Name Detected attack is disabled and an error scenario is not handled.
1203549  Smart blocked attacks show different results in the syslog notification for IV_RESULT_STATUS.
1201623  For a certain set of attacks, the attack ID logging causes an exception and the Sensor autorecovers.
1200028  The Sensor experiences an exception in the datapath processor when the policy contains flowbits in Snort rules.
1198805  During a fan fault, the fan abnormal event is being cleared.
1196178  The Sensor is not sending files to Advanced Threat Defense because of certain internal resource exhaustion.
1193022  Trust establishment between the Manager and Sensor brings down port R1 for a short period.
1192121  The SNMP agent is unable to get total byte received counter for the interconnect port.
1191836  The NSP Analysis engine incorrectly detects "MALWARE: XOR-Encoded Shellcode" and "MALWARE: Shellcode" files as malicious in scenarios when the Sensor runs out of memory.
1188347  When a "GET" request is split across multiple packets, the Sensor is unable to generate an alert for the HTTP GET request.
1186245  The SSL attacks are not detected because the Sensor runs out of certain resources.

1177466  The Sensor is ignoring flowbits and does not generate alerts.
1133906  Packet captures were not working when the internal resources related to packet capture filtering are not getting initialized during the Sensor bringup.
1133656  The Sensor blocks unsupported and unknown ciphers incorrectly and infrequently.

Installation instructions

Manager server/client system requirements

The following table lists the 9.1 Manager server requirements:

Operating system
  Minimum required: Any of the following:
  - Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
  - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
  - Windows Server 2012 R2 Standard Edition (Server with a GUI)
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
  - Windows Server 2016 Standard Edition (Server with a GUI)
  - Windows Server 2016 Datacenter Edition (Server with a GUI)
  Only X64 architecture is supported.
  Recommended: Windows Server 2016 Standard Edition operating system

Memory
  Minimum required: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.

CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same

Disk space
  Minimum required: 100 GB
  Recommended: 300 GB or more

Network
  Minimum required: 100 Mbps card
  Recommended: 1000 Mbps card

Monitor
  Minimum required: 32-bit color, 1440 x 900 display setting
  Recommended: 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
  Minimum: Any of the following:
  - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
  - Windows Server 2012 R2 Standard Edition (Server with a GUI)
  - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
  - Windows Server 2016 Standard Edition (Server with a GUI)
  - Windows Server 2016 Datacenter Edition (Server with a GUI)
  Only X64 architecture is supported.
  Recommended: Windows Server 2016 Standard Edition operating system

Memory
  Minimum: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.

Virtual CPUs
  Minimum: 2
  Recommended: 2 or more

Disk Space
  Minimum: 100 GB
  Recommended: 300 GB or more

Table 5-2 VMware ESX server requirements

Component: Minimum
Virtualization software:
  - ESXi 5.1 Update 2
  - ESXi 5.5 Update 3
  - ESXi 6.0 Update 1
  - ESXi 6.5

The following table lists the 9.1 Manager Appliance (Linux) hardware and software specifications:

Table 5-3 Hardware and Software specifications

Component: Specifications

Hardware
Regulatory Model Name: R1000
CPU: Intel Xeon Silver 4114, 2.2 GHz, 10C, Skylake, 1 per system
Hard Drive: 2.5" Enterprise HDD, 2 TB, SATA III (6 Gbps), 7200 RPM, 2 per system
DVD ROM: None
DIMM: 64 GB DDR4, 2133 MHz
Integrated LAN: 2 x 10 GbE
USB ports: 2 x 3.0 on front and 3 x 3.0 on rear panel
Video: DB-15 HD VGA on front & rear panel
Serial Port: RJ45 on rear panel

Software
Manager software version: 9.1
McAfee Linux OS (MLOS) version: 3.4.0.8756 or above

The following table lists the 9.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

Operating system
  Minimum:
  - Windows 7, English or Japanese
  - Windows 8, English or Japanese
  - Windows 8.1, English or Japanese
  - Windows 10, English or Japanese
  The display language of the Manager client must be the same as that of the Manager server operating system.
  Recommended: Windows 10, English or Japanese

RAM
  Minimum: 2 GB
  Recommended: 4 GB

CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster

Browser
  Minimum:
  - Internet Explorer 10, 11
  - Mozilla Firefox
  - Google Chrome (App mode in Windows 8 is not supported)
  To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.
  Recommended:
  - Internet Explorer 11
  - Mozilla Firefox 20.0 or later
  - Google Chrome 24.0 or later
  In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default.

For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

Mac operating system:
  - Yosemite
  - El Capitan
Browser: Safari 8 or 9

For more information, see McAfee Network Security Platform Installation Guide.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article:

Network Security Platform software issues: KB88813

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1. Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.

9.1 product documentation list

The following software guides are available for Network Security Platform 9.1 release:

- Quick Tour
- AWS Deployment Guide
- Installation Guide (includes Upgrade Guide)
- CLI Guide
- Manager Administration Guide
- XC Cluster Administration Guide
- Custom Attack Definitions Guide
- Integration Guide
- Manager API Reference Guide
- Best Practices Guide
- IPS Administration Guide
- Troubleshooting Guide
- NTBA Administration Guide

Copyright 2018 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.