Stonesoft Management Center. Release Notes Revision A


Stonesoft Management Center Release Notes 6.1.3 Revision A

Contents

- About this release
- System requirements
- Build version
- Compatibility
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Find product documentation

About this release

This document contains important information about the current release of Stonesoft Management Center by Forcepoint (SMC; formerly known as McAfee Security Management Center). We strongly recommend that you read the entire document.

System requirements

Make sure that you meet these basic hardware and software requirements.

Basic management system hardware requirements

You can install SMC on standard hardware.

- Intel Core family processor or higher recommended, or equivalent on a non-Intel platform
- A mouse or pointing device (for Management Client only)
- SVGA (1024x768) display or higher (for Management Client only)
- Disk space for Management Server: 6 GB
- Disk space for Log Server: 50 GB
- Memory requirements for 32-bit Linux operating systems:
  - 2 GB RAM for the Management Server, Log Server, or Web Portal Server (3 GB if all servers are installed on the same computer)
  - 1 GB RAM for Management Client

- Memory requirements for 64-bit operating systems:
  - 6 GB RAM for the Management Server, Log Server, or Web Portal Server (8 GB if all servers are installed on the same computer)
  - 2 GB RAM for Management Client

Operating systems

SMC supports the following operating systems and versions.

Note: Only U.S. English language versions have been tested, but other locales might also work.

Supported Microsoft Windows operating systems:

- Windows Server 2012 R2 (64-bit)
- Windows Server 2008 R1 SP2 and R2 SP1 (64-bit)
- Windows 7 SP1 (64-bit)
- Windows 10

Supported Linux operating systems:

- CentOS 6 (for 32-bit and 64-bit x86)
- CentOS 7 (for 64-bit x86)
- Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)
- Red Hat Enterprise Linux 7 (for 64-bit x86)
- SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)
- SUSE Linux Enterprise 12 SP1 (for 32-bit and 64-bit x86)
- Ubuntu 12.04 LTS (for 64-bit x86)
- Ubuntu 14.04 LTS (for 64-bit x86)
- Ubuntu 16.04 LTS (for 64-bit x86)

Web Start client

In addition to the operating systems listed, SMC can be accessed through Web Start by using Mac OS 10.9 and JRE 1.8.0_77 or a later critical patch update (CPU) release.

Build version

SMC 6.1.3 build version is 10226. This release contains Dynamic Update package 911.

Product binary checksums

Use the checksums to make sure that the installation files downloaded correctly.

Compatibility

SMC 6.1 has the following requirements for compatibility and native support.

Note: SMC 6.1 can manage all compatible NGFW engine versions up to and including version 6.1.

Compatible component versions

SMC 6.1 is compatible with the following component versions.

- Stonesoft Next Generation Firewall by Forcepoint (Stonesoft NGFW) 6.0 and 6.1
- McAfee Next Generation Firewall (McAfee NGFW) 5.7, 5.8, 5.9, and 5.10
- Stonesoft Security Engine 5.5
- McAfee ePolicy Orchestrator (McAfee ePO) 5.0.1 and 5.1.1
- McAfee Endpoint Intelligence Agent (McAfee EIA) 2.5
- McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only)

For more information about the Stonesoft Next Generation Firewall lifecycle policy, see Knowledge Base article 10192.

Native support

To use all features of SMC 6.1, Forcepoint NGFW 6.1 is required.

New features

This release of the product includes these new features. For more information and configuration instructions, see the Stonesoft Next Generation Firewall Product Guide and the Stonesoft Next Generation Firewall Installation Guide.

Status cards and element home pages in the Home view

The Home view now shows the status of monitored components and devices as cards. When you select the status card for a Security Engine, VPN, or VPN Gateway, the element's home page opens. The home page shows information about the configuration status of the element. You can open the properties of the Security Engine, VPN, or VPN Gateway or the Security Engine's policy from the element's home page.

If the configuration of a Security Engine has not yet been completed, you can continue the configuration (for example, save the engine's initial configuration or upload a policy to the engine) directly from the Security Engine's home page. The remaining configuration steps are shown on the home page.

Other changes in the Home view

- The Active alerts for a monitored component are shown in the Home view.
- There are new options for organizing how the Security Engines are shown in the System Status tree. You can now organize the Security Engines by appliance model, group, or geolocation.

Geo-protection and IP address categorization

You can now configure geo-protection to allow or block traffic. There are predefined Country elements that represent IP addresses registered in specific countries. You can use Country elements to filter traffic in Access rules based on the source or destination country, or entire continents. They can also be used in NAT rules, Inspection rules, and File Filtering rules.

You can use predefined IP address lists to control access to known good or bad IP addresses. You can either use the predefined IP address lists or create new IP address lists. You can also import IP address lists through the SMC API to the SMC. For more information, see the Stonesoft SMC API Reference Guide.

Integration of Sidewinder Proxies

On Sidewinder firewalls, proxies provide high assurance protocol validation. On Forcepoint NGFW, Sidewinder Proxies enable some of the proxy features that are available on Sidewinder. In Forcepoint NGFW version 6.1, the following Sidewinder Proxies are supported: HTTP, SSH, TCP, and UDP.

You can use Sidewinder Proxies on Forcepoint NGFW to enforce protocol validation and to restrict the allowed parameters for each protocol. Sidewinder Proxies are primarily intended for users in high assurance environments, such as government or financial institutions. In environments that limit access to external networks or access between networks with different security requirements, you can use Sidewinder Proxies for data loss protection.

Changes in category-based URL filtering

Category-based web filtering now uses URL categories provided by Forcepoint ThreatSeeker Intelligence Cloud. There are new types of elements for configuring URL filtering:

- URL Category elements are Network Application elements that represent the categories for category-based URL filtering.
- URL Category Group elements contain several related URL Categories.
- URL List elements are Network Application elements that allow you to manually define lists of URLs that you want to allow or block.

The way that category-based URL filtering is applied to traffic has changed. You can now use URL Categories, URL Category Groups, and URL Lists in the Service cell of Access rules to configure URL filtering. It is no longer possible to configure URL filtering using Situation elements in the Inspection Policy.

Note: These changes affect all existing users of category-based URL filtering. Legacy URL Situation elements can no longer be used in policies for Forcepoint NGFW version 6.1 or higher. If rules in your policy contain legacy URL Situation elements, you must replace them with URL Category elements.

Redirection of web traffic to TRITON AP-WEB Cloud

TRITON AP-WEB Cloud is a cloud-based web security proxy service. Forcepoint NGFW can now redirect web traffic to the TRITON AP-WEB Cloud for inspection. Forcepoint NGFW redirects web traffic to the TRITON AP-WEB Cloud using a predefined policy-based VPN. The traffic is inspected in the TRITON AP-WEB Cloud and transparently forwarded to the destination.

Note: To use TRITON AP-WEB Cloud to inspect web traffic, you must have a subscription to the TRITON AP-WEB Cloud service.

In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of an external VPN gateway. Connecting through a VPN to a dynamic FQDN endpoint allows TRITON AP-WEB Cloud to offer addresses from the geographically closest service point.

The TRITON AP-WEB Cloud service requires the endpoint to use a MAC address as a unique identifier. You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.

Enhancements

This release of the product includes these enhancements.

Enhancements in SMC version 6.1.0

Simplified service configuration and customization improvements in SSL VPN Portal
  You can now allow access to intranet services in the SSL VPN Portal with a freeform URL. It is no longer necessary to configure each SSL VPN Portal service separately. End users can access the services by typing the URL directly in the SSL VPN Portal. You can now also modify the look-and-feel of the SSL VPN Portal and create a custom theme with company colors and logos for the SSL VPN Portal in the Management Client.

Fully qualified domain names as contact addresses in external VPN gateways
  In addition to an IPv4 or IPv6 address, you can now use a fully qualified domain name (FQDN) as a dynamic contact address of an external VPN gateway.

VPN-specific exceptions for IKE Phase-1 ID
  You can now define VPN-specific exceptions to the IKE Phase-1 ID for endpoints on VPN Gateways. Exceptions are useful in cases where an external VPN gateway requires specific information in the IKE phase-1 value.

Possibility to modify text size in Configuration view and Policy Editing view
  You can now modify the text size in the Configuration view and in the Policy Editing view.

Possibility to resolve IP addresses from DNS names
  You can now resolve an IP address from a DNS name in the Management Client when defining an IP address for an interface.

New fonts
  All fonts have been changed in the Management Client. If you use the Management Client from a remote desktop, the new fonts are rendered better than the previously used fonts.

Enhancements in SMC version 6.1.1

New Task scheduling options
  New options for scheduling Tasks have been added, and the existing options for scheduling Tasks have been improved to give you more precise control over when tasks are repeated.

File Filtering Situations can be used in Alert policies
  You can now use System Situations for file filtering, such as File_Malware-Blocked, in rules in the Alert Policy.

Usability enhancements in the Home view
  You can now customize the Home view more flexibly, and see more status information in the Home view.

Enhancements in SMC version 6.1.3

Longer maximum tracking period in Overviews
  You can now view Overview statistics over a longer period of time. The maximum tracking period is now one month.

Custom timeout for status surveillance alerts
  When the Management Server is unable to contact an engine, it sends an alert after the timeout is reached. By default, the length of the timeout is 15 minutes. You can now change the length of the timeout. To change the timeout, add the following parameter to the <installation directory>/data/sgconfiguration.txt file on the Management Server:

  STATE_SURVEILLANCE_FREQUENCY=<time in milliseconds>

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

- SMC-1260: When an Exception rule in the Inspection policy that blacklists traffic uses Attacker or Victim as the address of an endpoint, the scope of the blacklist entry might be too wide. Some Situations, especially Correlation Situations, might not include Attacker or Victim information. When this information is missing, the blacklist entry uses Any as the address of the endpoint.
- SMC-1739: You cannot add Users from domains other than the Default LDAP Domain to a rule using the Edit Source or Edit Destination right-click options.
- SMC-1812: The following validation warning is shown even if anti-malware is not enabled in the engine properties and there are no Access rules that enable file filtering: "Anti-Malware is enabled in rule @260036.0, but no Anti-Malware Add-Ons are enabled in the properties of Firewall Cluster <name>. General Checks Anti-Malware Scan is enabled in rule @260036.0, but the GTI usage has not been authorized in the Global System Properties. Anti-Malware cannot be used." For more information, see Knowledge Base article 10202.
- SMC-3020: When you use administrative Domains, it might not be possible to create a user in the InternalDomain LDAP domain in any Domain other than the Shared Domain. The following type of message is shown: "Invalid Parameter: DB key missing".
- SMC-3031: The Show Fingerprint option in the Start menu and the sgshowfingerprint command do not provide output.

- SMC-3161: In rare cases in environments with multiple Management Servers, an active Management Server might be shown in the Isolated state in the Control Management Servers dialog box. Automatic replication fails for the Management Server in the Isolated state, but manual replication is successful.
- SMC-3209: When you save the initial configuration for an engine, there is the option to select the security policy to be installed automatically once the engine makes initial contact with the Management Server. If you select this option, and do not soon make initial contact, the Management Server might run out of memory.
- SMC-3693: Setting the channel to Automatic on a Wireless Interface is only supported on engine versions 6.0 or higher. Policy validation does not prevent this configuration on older engine versions, but policy installation fails because the configuration is not supported.
- SMC-3698: When you add an interface to a Single Firewall, validation in the Engine Editor does not prevent adding static IPv4 address to interfaces that have dynamic IPv4 addresses or that are configured to use PPP. You cannot use dynamic IPv4 addresses and static IPv4 addresses on the same interface.
- SMC-3772: You can add only one IP address to each SSID Interface of a Wireless Interface.
- SMC-4058: If you import a new license or close the License Properties dialog box by clicking OK, the Management Server tries to contact Forcepoint servers even when the Enable Sending Proof-of-License Codes to FORCEPOINT Servers option is not selected in the Global System Properties dialog box. The following message might be shown: "Update server not available - can't get url: https://update.stonesoft.com/index.rss. Server could not save appliance initial configuration. Appliance Initial Configuration upload failed: appliance Proof-of-Serial is missing." It is also not possible to add the Proof-of-Serial code for a Single Firewall element after you have saved the element for the first time.
- SMC-4107: When you select an NGFW Engine element in the Home view, a list of active alerts is shown. When you click an alert, the alert might not open. The following message might be shown: "Cannot open the Active Alerts view".
- SMC-4155: Creating new Virtual NGFW Engines using the SMC API fails.
- SMC-4185: Importing MIBs fails.
- SMC-4218: The sgrestoremgtbackup command does not list the available backup files in a logical order. The files are not ordered alphabetically or chronologically.
- SMC-4293: When you delete an Incident Case element, the files attached to it are not deleted. The files are still stored in the <installation directory>/data/incidents/<ic_id> directory on the Management Server.
- SMC-4494: In the Home view, the appliance diagram does not show the status of Aggregated Link interfaces on Master Engines that are assigned to Virtual Security Engines.
- SMC-4905: When you select a third-party element in the Home view, the Third Party Diagram might take a long time to appear. When there is large number of monitored third-party elements, drawing diagrams might use too much memory.
- SMC-4943: When you use administrative Domains, it is not possible to create new elements using the + in the Home view for a specific Domain.
- SMC-5007: If you remove an IP address from an interface and add the same IP address to another interface without saving the intermediate changes, the IP address is configured on both interfaces.

- SMC-5041: If an Overview Template element does not include information about the date when it was created and the administrator who created it, you cannot delete the Overview Template.
- SMC-5073: It is not possible to save changes to SMC API Client elements unless you change the authentication key.
- SMC-5231: When you add a contact address to a Tunnel Interface or change the IP address of a Tunnel Interface, routing for the Tunnel Interface might become invalid.

Installation instructions

Use these high-level steps to install SMC and the Forcepoint NGFW engines. For detailed information, see the Stonesoft Next Generation Firewall Installation Guide. All guides are available for download at https://support.forcepoint.com.

Note: The sgadmin user is reserved for SMC use on Linux, so it must not exist before SMC is installed for the first time.

Note: If a Linux system has limited resources, and you are installing only the Management Client, you can install a 32-bit version of the SMC. SMC 6.1 is the last SMC release that has a 32-bit version of the SMC. If you are installing SMC servers, we recommend that you install a 64-bit SMC version.

Note: If you are installing a 32-bit version of the SMC on a 64-bit Linux operating system, the compatibility libraries lib and libz are required.

Steps

1) Install the Management Server, the Log Servers, and optionally the Web Portal Servers.
2) Import the licenses for all components. You can generate licenses at https://stonesoftlicenses.forcepoint.com.
3) Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Configuration view.
4) To generate initial configurations for the engines, right-click each Firewall, IPS, or Layer 2 Firewall element, then select Configuration > Save Initial Configuration. Make a note of the one-time password.
5) Make the initial connection from the engines to the Management Server, then enter the one-time password.
6) Create and upload a policy on the engines using the Management Client.
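One way to apply the custom timeout for status surveillance alerts described under "Enhancements in SMC version 6.1.3", as an added example that is not part of the release notes or Forcepoint's own tooling. It assumes sgconfiguration.txt holds one KEY=VALUE setting per line; the function names, the minutes argument, the six-digit sanity limit, and the FOO and BAR keys in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not Forcepoint code): set STATE_SURVEILLANCE_FREQUENCY in
# <installation directory>/data/sgconfiguration.txt on the Management Server.
# Assumption: the file holds one KEY=VALUE setting per line.

KEY=STATE_SURVEILLANCE_FREQUENCY

# Convert whole minutes to the milliseconds the parameter expects.
# Rejects empty input, non-digits, zero and leading zeros (the shell would
# read "015" as octal), and values of six or more digits (this example's own
# sanity limit, not a product limit).
minutes_to_ms() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*)
            echo "timeout must be 1-99999 whole minutes: '$1'" >&2
            return 1 ;;
    esac
    echo $(( $1 * 60 * 1000 ))
}

# Print the value currently in effect (the last occurrence), or nothing.
get_surveillance_timeout_ms() {
    sed -n "s/^[[:space:]]*${KEY}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_surveillance_timeout CONFIG_FILE MINUTES
set_surveillance_timeout() {
    cfg=$1
    ms=$(minutes_to_ms "$2") || return 1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1          # keep a rollback copy
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    # Copy every other setting unchanged, dropping earlier values of the key
    # so the file never holds two. grep exits 1 when nothing is left, which
    # is fine; any higher status is a real error.
    grep -v "^[[:space:]]*${KEY}[[:space:]]*=" "$cfg.bak" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$KEY" "$ms" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Demo on a constructed file (FOO and BAR are made-up keys): sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    printf 'FOO=1\nSTATE_SURVEILLANCE_FREQUENCY=900000\nBAR=2\n' > "$dir/sgconfiguration.txt"
    set_surveillance_timeout "$dir/sgconfiguration.txt" 30
    cat "$dir/sgconfiguration.txt"
    rm -rf "$dir"
fi
```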

Upgrade instructions

Take the following into consideration before upgrading to SMC 6.1.

Note: SMC (Management Server, Log Server, and Web Portal Server) must be upgraded before the engines are upgraded to the same major version.

- SMC 6.1 requires an updated license. If the automatic license update function is in use, the license is updated automatically. If the automatic license update function is not in use, request a license upgrade on our website at https://stonesoftlicenses.forcepoint.com. Activate the new license using the Management Client before upgrading the software.
- To upgrade an earlier version of the SMC to 6.1, we strongly recommend that you stop all Stonesoft NGFW services and create a backup before continuing with the upgrade. After creating the backup, run the appropriate setup file, depending on the operating system. The installation program detects the old version and does the upgrade automatically.
- Upgrading is supported from SMC versions 5.6.2 - 6.1.2. Versions earlier than 5.6.2 require an upgrade to one of these versions before upgrading to 6.1.3.

Known issues

For a list of known issues in this product release, see Knowledge Base article 10584.

Find product documentation

On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more.

You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles, downloads, cases, and contact information.

Product documentation

Every Forcepoint product has a comprehensive set of documentation.

- Stonesoft Next Generation Firewall Product Guide
- Stonesoft Next Generation Firewall online Help

  Note: By default, the online Help is used from the Forcepoint help server. If you want to use the online Help from a local machine (for example, an intranet server or your own computer), see Knowledge Base article 10097.

- Stonesoft Next Generation Firewall Installation Guide

Other available documents include:

- Stonesoft Next Generation Firewall Hardware Guide for your model
- Stonesoft Next Generation Firewall Quick Start Guide
- Stonesoft SMC API Reference Guide
- Stonesoft VPN Client User Guide for Windows or Mac
- Stonesoft VPN Client Product Guide

© 2017 Forcepoint

Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.