McAfee Network Security Platform 8.3


8.3.7.64-8.3.3.35 Manager-M-series Release Notes
McAfee Network Security Platform 8.3
Revision A

Contents
  About this release
  New features
  Enhancements
  Resolved issues
  Installation instructions
  Known issues
  Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795.

This release of Network Security Platform provides a few features and enhancements on the Manager and M-series Sensor software.

Release parameters                          Version
Network Security Manager software version   8.3.7.64
Signature Set                               8.7.109.5
M-series Sensor software version            8.3.3.35

Currently, port 4167 is used as the UDP source port number for the SNMP command channel communication between the Manager and Sensors. This prevents opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. With the latest JRE version 1.8.0_92, this is no longer possible, and the Manager uses port 4166 as the UDP source port to bind for IPv6.

Manager 8.3 uses JRE version 1.8.0_92 and MySQL version 5.6.30.

If you have IPv6 Sensors behind a firewall, you need to update your firewall rules so that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Manager software version 8.3 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager.

The following is the upgrade matrix supported for this release:

Component: Manager/Central Manager software
Minimum Software Version:
  8.1: 8.1.7.33, 8.1.7.82
       Upgrade from Manager versions 8.1.7.91 and 8.1.7.96 is not supported.
  8.3: 8.3.7.28, 8.3.7.44 (only for McAfee CTD), 8.3.7.52

Component: M-series Sensor software
Minimum Software Version:
  8.1: 8.1.3.124, 8.1.3.130
  8.3: 8.3.3.9, 8.3.3.27

Heterogeneous support

This version of 8.3 Manager software can be used to configure and manage the following hardware:

Hardware                                                                                                   Version
NS9x00-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300)     8.1, 8.3
Virtual IPS Sensors (IPS-VM100 and IPS-VM600)                                                              8.1, 8.3
Virtual Security System Sensors (IPS-VM100-VSS)                                                            8.1, 8.3
M series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000)                  8.1, 8.3
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030)                                                      8.1, 8.3
M-8000XC Cluster Appliance                                                                                 8.1, 8.3
NTBA Appliances (T-200, T-500, T-600, T-1200)                                                              8.1, 8.3
Virtual NTBA Appliances (T-VM, T-100VM, T-200VM)                                                           8.1, 8.3

NS3x00-series and NS5x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known Issues for more information.

Integration support

The above-mentioned Network Security Platform software versions support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

Product                                  Version supported
McAfee ePO                               5.9.1, 5.9.0
McAfee Global Threat Intelligence        Compatible with all versions
McAfee Endpoint Intelligence Agent       2.6
McAfee Logon Collector                   3.0.7
McAfee Threat Intelligence Exchange      2.0.1
McAfee Data Exchange Layer               3.0.1
McAfee Advanced Threat Defense           4.0.4.23
McAfee Virtual Advanced Threat Defense   3.10.0.35
McAfee Cloud Threat Detection            2.2
McAfee MOVE AntiVirus Agentless          4.0.0.317
McAfee MOVE AntiVirus Multi-Platform     4.5.0.211
McAfee Vulnerability Manager             7.5.10
McAfee Host Intrusion Prevention         8.0
Intel Security Controller                2.5

New features

This release provides fixes for some of the previously known issues, and does not include any new features.

Enhancements

This release provides fixes for some of the previously known issues, and does not include any enhancements.

Resolved issues

The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the high-severity Manager software issues:

ID #
1203559  The Sensor upgrade from the Manager fails for one of the Sensors in a failover pair.
1200406  The Report Format option for PDF in Executive Summary IPS reports does not generate a report; the Report Format output options for PDF are not working as expected.
1187413  In the Snort Variables window under Custom Attack Editor, when you delete and add another Snort variable, the Please enter macro name error is displayed.
1182267  When you use the custom attack editor to modify the Supported Device Type setting via bulk editing, the snort rule remains at 0% processing.
1173256  The Manager does not load all the pages in the Internet Explorer browser.

The following table lists the medium-severity Manager software issues:

ID #
1213844  The Manager is vulnerable to CVE-2017-12617 Apache Tomcat vulnerability.
1211699  Imported signature set displays incorrect BTP value after saving.
1211559  When you import alerts in .csv format, alerts greater than 100,000 are not imported from the attack log.
1208081  Attack log filter for Malware Confidence column for Very High fails.
1207143  Automatic update enabled for an NTBA Appliance generates the fault Key Value not found in the properties file once a day.
1205693  After a new monitor is added to the Dashboard tab, the page takes too long to refresh and load the information.
1205683  Admin Domains allocation screen does not load correctly.
1205317  The Device Summary Report of a particular child domain includes Sensor information of other domains.
1204401  The ems.log files are filled with "Alert Synchronization successful" entries.
1201957  The alert for failure to connect to the update server is incorrectly generated.
1201692  A quarantined host IP address cannot be released due to SNMP error.
1201574  Available devices and interfaces are not shown in the Scope page under Policy | <Admin Domain Name> | Intrusion Prevention | Exceptions | Ignore Rules.
1199474  Tables and rows in the Application Visualization module are not purged, which leads to stale data being present in the Manager database.
1195755  Multiple attacks are smart blocked without configuring the policy.
1195746  The Central Manager does not synchronize changes to Block Settings without changing part of another attack set profile.
1195244  The Details tab for the ICMP_ECHO Anomaly alert in the Attack Log page does not show any information after details of another attack are viewed.
1195127  An attempt to quarantine an endpoint fails due to a communication error between the Manager and the selected device.
1194707  The Automatically-Generated Reports option in Manager | <Admin Domain Name> | Reporting | Report Automation is not displayed in the Manager.
1191523  The XC Load Balancer faults are not sent to the Manager.
1189283  The Manager quarantine API locks up after roughly two weeks of usage.
1188358  Data retrieved from an NTBA Appliance does not appear in the Dashboard tab.
1188271  The Manager displays the cannot invoke on IPv6 error message during quarantine of an IPv6 host.
1188068  The quarantine window does not display all the hosts that are in quarantine.
1187598  The Sensor automatically deploys updates every one hour without configuration changes.
1187415  When you use the custom attack editor, you are unable to use one or more snort variables.
1187341  The Executive Summary report generation fails after a Manager upgrade.
1187289 / 1182351  The ePolicy Orchestrator is unable to pull logs from the Manager after the Manager is upgraded.
1185999  High-risk endpoints are not displayed in the Manager.
1185264  Creating any signature with source or destination fixed IP tests causes compilation failure.
1185116  The daily report for Top N Attacks displays the option Select Alerts to Display, which is applicable only to weekly reports.
1184403  Log messages are repeated and incorrectly printed.
1183929  The Summary page for a failover pair displays two different names.
1183405  The Manager fails to establish communication with its database.
1183383  OpenSSL vulnerabilities:
           Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
           BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
           Truncated packet could crash via OOB read (CVE-2017-3731)
           Bad (EC) DHE parameters cause a client crash (CVE-2017-3730)
           Montgomery multiplication may produce incorrect results (CVE-2016-7055)
1182546  After editing Custom Attacks and saving the changes, the IPS Policy editor cannot be modified unless you log out from the client and log in again.
1182531  After Manager upgrade to version 8.3, all alerts are not synchronized to the Secondary Manager database in an MDR pair.
1182409  The Manager attempts to connect to msas.mcafee.com without using the proxy.
1182238  Unable to view the source user information in Attack Log.
1181775  SNMP notification sends incorrect values for the ivsensoripaddress field.
1180895  The RADIUS Server page does not appear when selected.
1180405  The Manager fails to save the advanced configuration option to Restrict SSH Access to CLI, in the Advanced Device Settings page under Devices | <Admin Domain Name> | Global | IPS Device Settings.
1175740  When you save a UDS with an IPv4 address, the process sticks at 0%.
1175719  The Manager health check fails due to database login in the Health Check page under Manager | <Admin Domain Name> | Troubleshooting.
1174422  The Active Directory server over SSL does not work when a custom certificate is used for the Active Directory server.
1173927  The Manager dashboard does not display the Throughput Usage, Memory Usage, and CPU Usage monitors.
1172820  When you use a web proxy with XFF headers, the IP on the X-Forwarded-For field does not correspond with the reported Attacker IP.
1172736  LDAP over SSL does not work after a Manager upgrade.
1168696  The performance charts display no data for the Minutes filter under Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Performance Charts.
1166814  The Faults Report does not display the alert Successful scheduled Botnet detectors download even though callback detectors are successfully updated.
1149111  Quarantined IP addresses are not displayed in the Manager.

The following table lists the low-severity Manager software issues:

ID #
1192416  Unable to add Additional Text information in the Syslog and E-mail fault notification.

Resolved Sensor software issues

The following table lists the high-severity Sensor software issues:

ID #
1201115  Due to a deadlock condition in the Management processor, packet forwarding to datapath processors is stopped. This in turn results in auto recovery or reboot.

The following table lists the medium-severity Sensor software issues:

ID #
1206355  The Sensor may reboot in scenarios when guest portal is enabled and hundred thousand guest portal requests per second are consistently seen on the Sensor in a period of 10 to 15 minutes.
1203842  The Sensor may go to bad health in scenarios where the attack Callback Detectors: Connection Using High Confidence C&C Server Domain Name Detected is disabled and an error scenario is not handled.
1203549  Smart blocked attacks show different results in the syslog notification for IV_RESULT_STATUS.
1201623  For a certain set of attacks, the attack ID logging causes an exception and the Sensor autorecovers.
1198805  During a fan hardware issue, a "Fan normal" event is falsely seen even though the fan is not restored to normal state.
1193438  The Sensor reboots suddenly due to a datapath exception raised while sending netflows to NTBA.
1193022  Trust establishment between Manager and Sensor is down on port R1 for a short period.
1191197  Log errors such as "Port Speed Unknown" are generated for 10G and 40G ports.
1190201  The modified management port speed setting is not saved after reboot.
1189509  The Sensor logs have a typo in the reboot message.
1186342  Invalid "<" and ">" characters are sent as part of URL information to Advanced Threat Defense.
1184582  In the Sensor, the Ignore rule does not work when the same TCP/HTTP-based protocol packet in the flow is resent.
1181109  The Sensor observes latency due to improper distribution of MPLS traffic.
1180807  The Sensor reboots continuously due to an issue in the datapath processor when SSL decryption and malware are enabled.
1178512  TCP packets are dropped by the Sensor if you attempt a configuration update simultaneously while traffic is run by a test generator.
1176466  The Sensor reboots when stale TCP connections between the Sensor and NTBA Appliance containing large data are not closed.
1173413  Configuration push fails after a certain number of times when there are Alert Exceptions with "Any Any" or when there are IPv6 Alert Exceptions and no IPv6 Scanning is enabled. Internal resources fail to get freed for such configurations.
1170675  The Sensor forwards malformed packets to Advanced Threat Defense, which results in packet drop.
1164047  Filename and domain in URL path contain duplicate domain name information when submitted to Advanced Threat Defense.
1159576  Out-of-order TCP segments are queued for download, which results in timeout or in exceptionally long delays.
1156996  McAfee Logon Collector configuration update fails in the Sensor due to running out of internal resources. Allocated internal resources are not freed when not in use.
1133656  The Sensor infrequently and incorrectly blocks unsupported and unknown ciphers.
1113653  The Sensor fails to block retransmitted packets for malware attacks configured for blocking.

Installation instructions

Manager server/client system requirements

The following table lists the 8.3 Manager server requirements:

Operating system
  Minimum required: Any of the following:
    Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
    Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system
    Only X64 architecture is supported.
  Recommended: Windows Server 2012 R2 Standard Edition operating system.
Memory
  Minimum required: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.
CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same
Disk space
  Minimum required: 100 GB
  Recommended: 300 GB or more
Network
  Minimum required: 100 Mbps card
  Recommended: 1000 Mbps card
Monitor
  Minimum required: 32-bit color, 1440 x 900 display setting
  Recommended: 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
  Minimum: Any of the following:
    Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
    Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
    Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
    Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
    Only X64 architecture is supported.
  Recommended: Windows Server 2012 R2 Standard Edition operating system.
Memory
  Minimum: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.
Virtual CPUs
  Minimum: 2
  Recommended: 2 or more
Disk Space
  Minimum: 100 GB
  Recommended: 300 GB or more

Table 5-2 VMware ESX server requirements

Component                 Minimum
Virtualization software   ESXi 5.5 Update 3
                          ESXi 6.0 Update 1
CPU                       Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory                    Physical Memory: 16 GB
Internal Disks            1 TB

The following table lists the 8.3 Manager client requirements when using Windows 7, Windows 8, or Windows 2012:

Operating system
  Minimum:
    Windows 7, English or Japanese
    Windows 8, English or Japanese
    Windows 8.1, English or Japanese
    Windows 10, English or Japanese
    The display language of the Manager client must be the same as that of the Manager server operating system.
  Recommended: Windows 10, English or Japanese
RAM
  Minimum: 2 GB
  Recommended: 4 GB
CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster
Browser
  Minimum:
    Internet Explorer 10, 11, or Microsoft Edge
    Mozilla Firefox
    Google Chrome (App mode in Windows 8 is not supported.)
    To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.
  Recommended:
    Internet Explorer 11
    Mozilla Firefox 20.0 or later
    Google Chrome 24.0 or later
    In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default.

For the Manager client, in addition to Windows 7, Windows 8, and Windows 8.1, you can also use the operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

Mac operating system   Browser
Yosemite               Safari 8 or 9
El Capitan

For more information, see McAfee Network Security Platform Installation Guide.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article:
  Network Security Platform software issues: KB86387

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation
1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

8.3 product documentation list

The following software guides are available for Network Security Platform 8.3 release:
  Quick Tour
  Custom Attacks Definition Guide
  Installation Guide (includes Upgrade Guide)
  XC Cluster Administration Guide
  Manager Administration Guide
  Integration Guide
  Manager API Reference Guide
  NTBA Administration Guide
  CLI Guide
  Best Practices Guide
  IPS Administration Guide
  Troubleshooting Guide
  Virtual IPS Administration Guide

Copyright 2017 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.