McAfee Network Security Platform 9.1


9.1.7.15-9.1.5.9 Manager-NS-series Release Notes
McAfee Network Security Platform 9.1
Revision A

Contents
- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795.

This release of Network Security Platform is to provide new features and enhancements on the Manager and NS-series Sensor software.

Release parameters | Version
Network Security Manager software version | 9.1.7.15
Signature Set | 9.8.1.3
NS-series Sensor software version | 9.1.5.9

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.8.0_131, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.

Manager 9.1 uses JRE version 1.8.0_131. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Manager software version 9.1 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.

Upgrade support

McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager.

Consider the following before upgrading to Network Security Manager version 9.1:
- If you are using the Manager version 8.3.7.44 with McAfee Cloud Threat Detection (McAfee CTD) environment only, then you can upgrade to Manager version 9.1. This version supports integration with McAfee CTD.
- If you are on Manager version 8.3.7.44, note that the Manager version 9.1 does not support the KVM and NSX environments. In this case, McAfee recommends you to continue using the Manager version 8.3.7.44.
- Manager version 8.3.7.44 does not support NS-series Sensor version 8.1.5.210.

The following is the upgrade matrix supported for this release:

Component | Minimum Software Version
Manager/Central Manager software | 8.1: 8.1.7.82, 8.1.7.91
 | 8.3: 8.3.7.28, 8.3.7.44 (only for McAfee CTD), 8.3.7.52
 | 9.1: 9.1.7.11
NS-series Sensor software (NS3x00, NS5x00, NS7x00, NS9x00): NS9x00, NS7x00 | 8.1: 8.1.5.175, 8.1.5.210
 | 8.3: 8.3.5.11, 8.3.5.32
NS-series Sensor software (NS3x00, NS5x00, NS7x00, NS9x00): NS5x00, NS3x00 | 8.1: 8.1.5.175, 8.1.5.210
 | 8.3: 8.3.5.15, 8.3.5.32

Heterogeneous support

This version of 9.1 Manager software can be used to configure and manage the following devices:

Device | Version
NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300) | 8.1, 8.3, 9.1
NS-series Sensors (NS7150, NS7250, NS7350) | 9.1
Virtual IPS Sensors (IPS-VM100 and IPS-VM600) | 8.1, 8.3, 9.1
Virtual Security System (IPS-VM100-VSS) | 8.3, 9.1
M-series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) | 8.1, 8.3, 9.1
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) | 8.1, 8.3, 9.1
M-8000XC Cluster Appliance | 8.1, 8.3, 9.1
NTBA Appliances (T-200, T-500, T-600, T-1200) | 8.1, 8.3, 9.1
Virtual NTBA Appliances (T-VM, T-100VM, T-200VM) | 8.1, 8.3, 9.1

Note for Virtual IPS Sensors: Network Security Manager version 9.1 does not support KVM environment.
Note for Virtual Security System: Network Security Manager version 9.1 does not support VMware NSX environment.

Integration support

The above mentioned Network Security Platform software versions support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

Product | Version supported
McAfee ePO | 5.9.0, 5.3.2
McAfee Global Threat Intelligence | Compatible with all versions
McAfee Endpoint Intelligence Agent | 2.6
McAfee Logon Collector | 3.0.7
McAfee Threat Intelligence Exchange | 2.1.0, 2.0.1
McAfee Data Exchange Layer | 3.0.1, 3.0.0
McAfee Advanced Threat Defense | 4.0.2.42, 3.8.0.29
McAfee Virtual Advanced Threat Defense | 4.0.2.42, 3.10.0.35
McAfee Cloud Threat Detection | 1.1.1
McAfee MOVE AntiVirus Agentless | 4.0.0.317
McAfee MOVE AntiVirus Multi-Platform | 4.5.0.211
McAfee Vulnerability Manager | 7.5.12, 7.5.10
McAfee Host Intrusion Prevention | 8.0

New features

This release provides fixes for some of the previously known issues, and does not include any new features.

Enhancements

Updated certificates with extended validity have been used to digitally sign the Network Security Manager binary files.

Resolved issues

The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

This release does not contain any resolved issues for the Manager.

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

ID # | Issue Description
1176966 | [NS9300] Packets are dropped due to improper distribution of MPLS traffic.

The following table lists the medium-severity Sensor software issues:

ID # | Issue Description
1197096 | The Sensor reads the incorrect input without proper validation and starts establishing trust using SHA2 based signature methods.
1191197 | Log errors such as Port Speed Unknown are raised for 10G and 40G ports.
1190265 | Alerts are generated even after layer 7 DDoS response status is disabled.
1190212 | A Sensor reboot is required to reflect the speed change in the management port.
1189509 | The Sensor logs have a text error in the reboot message.
1189286 | The Sensor does not switch to layer 2 mode when the link to an interconnect port fails.
1186342 | Invalid < and > characters are sent as part of URL information to Advanced Threat Defense.
1184582 | In the Sensor, the Ignore Rule does not work when the same TCP/HTTP based protocol packet in the flow is resent.
1184408 | After an upgrade, the Sensor experiences an exception while processing the signature set that causes it to go to bad health or experience auto recovery. This happens more often when there are Ignore Rules with Any Any or IPv6 Ignore Rules and IPv6 scanning is disabled.
1179570 | The Sensor fails to decrypt SSL traffic due to which attacks are not detected.
1173413 | Configuration update fails after a certain number of times when there are Ignore Rules with Any Any or IPv6 Ignore Rules and IPv6 scanning is disabled. Internal resources fail to free for such configurations.
1170675 | Invalid characters are sent as URL information to Advanced Threat Defense.
1169932 | Out-of-order TCP segments are queued for download, which results in timeout or in exceptionally long delays.
1166917 | Incorrect alert is generated for high layer 2 drop in the Manager.
1167880 | The Sensor cannot extract the file name when SMTP traffic has multiple attachments.
1167372 | After Sensor upgrade, FTP traffic does not flow through the Sensor.
1166353 | For XFF traffic, the Sensor does not send the true client's IP address to the syslog server.
1166244 | [NS9300] For a failover pair, when the Sensor switches from layer 2, the packets loop.
1164826 | Syslog alerts sent from the Sensor display the timestamp incorrectly with a 12-hour difference.
1164047 | Filename and domain in URL path contain duplicate domain name information when submitted to Advanced Threat Defense.
1163689 | Whitelisted entries with more than two labels do not generate an exact match.
1161864 | Sensor reboots or auto recovers when entries to the IP Reputation caches are added even after reaching the maximum table size.
1154129 | The Sensor fails to plot the interface throughput statistics.
1151327 | In a rare condition, the malware processing engine experiences an exception while processing an SMTP attachment file having large encoded content.
1149298 | Internal resource leak in the malware processing modules causes the Sensor to stop sending files to the Advanced Threat Defense appliance.
1149107 | Port throughput utilization is miscalculated for ports with speed greater than 1G.
1147374 | The output for the resolve gti server CLI command displays an incorrect destination.
1144527 | In a rare condition, the Sensor crashes during initialization and triggers auto recovery.
1142858 | [NS9300] DNS packets are duplicated multiple times when connected in a failover mode.
1137245 | Layer 7 DDoS response action configuration does not work correctly.
1137285/1135165 | Sensor fails to trigger a match in a SNORT rule when the pattern is embedded in an HTTP response beyond 256 bytes.
1134703 | [NS7x00, NS5x00, NS3x00] Links are flapping randomly because of incorrect internal ports timeout configuration.
1132187 | The link on the interfaces of the Sensor suddenly switches on and off.
1120248 | FTP file transfer cannot be blocked with advanced malware policy.
1113653 | The Sensor fails to block retransmitted packets for malware attacks configured for blocking.

Installation instructions

Manager server/client system requirements

The following table lists the 9.1 Manager server requirements:

Operating system
Minimum required: any of the following:
- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)
Only X64 architecture is supported.
Recommended: Windows Server 2016 Standard Edition operating system

Component | Minimum required | Recommended
Memory | 8 GB (supports up to 3 million alerts in Solr) | >16 GB (supports up to 10 million alerts in Solr)
CPU | Server model processor such as Intel Xeon | Same
Disk space | 100 GB | 300 GB or more
Network | 100 Mbps card | 1000 Mbps card
Monitor | 32-bit color, 1440 x 900 display setting | 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
Minimum: any of the following:
- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Standard Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Standard Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)
- Windows Server 2016 Datacenter Edition (Server with a GUI)
Only X64 architecture is supported.
Recommended: Windows Server 2016 Standard Edition operating system

Component | Minimum | Recommended
Memory | 8 GB (supports up to 3 million alerts in Solr) | >16 GB (supports up to 10 million alerts in Solr)
Virtual CPUs | 2 | 2 or more
Disk Space | 100 GB | 300 GB or more

Table 5-2 VMware ESX server requirements

Component | Minimum
Virtualization software | ESXi 5.1 Update 2
 | ESXi 5.5 Update 3
 | ESXi 6.0 Update 1
 | ESXi 6.5

The following table lists the 9.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

Operating system
Minimum:
- Windows 7, English or Japanese
- Windows 8, English or Japanese
- Windows 8.1, English or Japanese
- Windows 10, English or Japanese
The display language of the Manager client must be the same as that of the Manager server operating system.
Recommended: Windows 10, English or Japanese

Component | Minimum | Recommended
RAM | 2 GB | 4 GB
CPU | 1.5 GHz processor | 1.5 GHz or faster
Browser | Internet Explorer 10, 11; Mozilla Firefox; Google Chrome (App mode in Windows 8 is not supported) | Internet Explorer 11; Mozilla Firefox 20.0 or later; Google Chrome 24.0 or later

To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.

In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default.

For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

Mac operating system | Browser
Yosemite, El Capitan | Safari 8 or 9

For more information, see McAfee Network Security Platform Installation Guide.

Known issues

For a list of known issues in this product release, see KBxxxx.

Network Security Platform software issues: KB88813

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation
1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

9.1 product documentation list

The following software guides are available for Network Security Platform 9.1 release:
- Quick Tour
- AWS Deployment Guide
- Installation Guide (includes Upgrade Guide)
- CLI Guide
- Manager Administration Guide
- XC Cluster Administration Guide
- Custom Attack Definitions Guide
- Integration Guide
- Manager API Reference Guide
- Best Practices Guide
- IPS Administration Guide
- Troubleshooting Guide
- NTBA Administration Guide

Copyright 2017 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.