9.1.7.11-9.1.7.4 Manager-Virtual IPS Release Notes McAfee Network Security Platform 9.1 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation About this release This document contains important information about the current release. We recommend that you read the whole document. Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795. This release of Network Security Platform is to provide new features and enhancements on the Manager and Virtual IPS Sensor software. Release parameters Version Network Security Manager software version 9.1.7.11 Signature Set 9.8.1.3 Virtual IPS Sensor software version 9.1.7.4 Virtual Network Security Platform Controller 3.6.1 Virtual Network Security Platform Probe 3.6.1 1
Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.8.0_131, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 9.1 uses JRE version 1.8.0_131. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager. Manager software version 9.1 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead. Upgrade support McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager. Consider the following before upgrading to Network Security Manager version 9.1: If you are using the Manager version 8.3.7.44 with McAfee Cloud Threat Detection (McAfee CTD) environment only, then you can upgrade to Manager version 9.1. This version supports integration with McAfee CTD. If you are on Manager version 8.3.7.44, note that the Manager version 9.1 does not support the KVM and NSX environments. In this case, McAfee recommends you to continue using the Manager version 8.3.7.44. Manager versions 8.3.7.44 and 8.4.7.101 does not support Virtual IPS Sensor version 8.1.7.44 deployed in ESX environment. You have to follow the specified sequence while upgrading the components deployed in an AWS environment. For the upgrade sequence in an AWS deployment, see the section AWS sequence for upgrade in McAfee Network Security Platform 9.1 AWS Deployment Guide. With this release, upgrade for Virtual IPS Sensors deployed in an AWS environment is not supported. You have to replace the old AMI of the Virtual IPS Sensor with the new AMI. For steps on how to replace the Virtual IPS Sensor AMI, see the section Upgrade Virtual IPS Sensor in McAfee Network Security Platform 9.1 AWS Deployment Guide. After upgrading a vnsp Controller, you should stop the Controller instance, update the user data according to the new format, and then restart the Controller instance. For more information on vnsp Controller upgrade, see the section Upgrade a vnsp Controller in McAfee Network Security Platform 9.1 AWS Deployment Guide. The following is the upgrade matrix supported for this release: Component Manager/Central Manager software Virtual IPS Sensor (IPS-VM100 and IPS-VM600) Minimum Software Version 8.1: 8.1.7.82, 8.1.7.91 8.3: 8.3.7.28, 8.3.7.44 (only for McAfee CTD), 8.3.7.52 8.4: 8.4.7.101 (only for AWS) 8.1: 8.1.7.34, 8.1.7.44 8.3: 8.3.7.6, 8.3.7.14 (only for KVM, VMware NSX, and McAfee CTD environments), 8.3.7.18 (only for AWS), 8.3.7.48 2
Heterogeneous support This version of 9.1 Manager software can be used to configure and manage the following devices: Device NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300) Virtual IPS Sensors (IPS-VM100 and IPS-VM600) Version 8.1, 8.3, 9.1 8.1, 8.3, 9.1 Network Security Manager version 9.1 does not support KVM environment. Virtual Security System (IPS-VM100-VSS) 8.3, 9.1 Network Security Manager version 9.1 does not support VMware NSX environment. M-series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) 8.1, 8.3, 9.1 Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) 8.1, 8.3, 9.1 M-8000XC Cluster Appliance 8.1, 8.3, 9.1 NTBA Appliances (T-200, T-500, T-600, T-1200) 8.1, 8.3, 9.1 Virtual NTBA Appliances (T-VM, T-100VM, T-200VM) 8.1, 8.3, 9.1 Integration support The above mentioned Network Security Platform software versions support integration with the following product versions: Table 1-1 Network Security Platform compatibility matrix Product Version supported McAfee epo 5.9.0, 5.3.2 McAfee Global Threat Intelligence McAfee Endpoint Intelligence Agent 2.6 McAfee Logon Collector 3.0.7 McAfee Threat Intelligence Exchange 2.1.0, 2.0.1 McAfee Data Exchange Layer 3.0.1, 3.0.0 Compatible with all versions McAfee Advanced Threat Defense 4.0.2.42, 3.8.0.29 McAfee Virtual Advanced Threat Defense 4.0.2.42, 3.10.0.35 McAfee Cloud Threat Detection 1.1.1 McAfee MOVE AntiVirus Agentless 4.0.0.317 McAfee MOVE AntiVirus Multi-Platform 4.5.0.211 McAfee Vulnerability Manager 7.5.12, 7.5.10 McAfee Host Intrusion Prevention 8.0 New features This release of Network Security Platform includes the following new features: 3
Migration from SHA1 to SHA256 signing algorithm With this release, the Network Security Platform announces the deprecation of SHA1 certificates to sign Sensor-Manager communication and replaces this with SHA256 certificates for this signature. This results in more secure communication between the Sensor and the Manager. Previous Releases In Network Security Platform early 8.1 deployments, both the Sensor and Manager certificates used 1024-bit RSA keys and were signed with Sha1WithRSAEncryption based signature. The Manager ports 8501, 8502, and 8503 serve the TLS channels from the Sensor. The cipher used by the Sensor and Manager was TLS1.0-RSA-AES128-SHA1. Starting with release 8.1.7.5-8.1.7.14 upto but does not include 8.1.7.91-8.1.7.44, and 8.3.7.7-8.3.7.3, the Virtual IPS Sensor certificate used 2048-bit RSA keys and Sha256WithRSAEncryption based signature. The Manager certificate used 2048-bit RSA keys but retained Sha1WithRSAEncryption based signature. The Manager ports 8506, 8507, and 8508 served the TLS channels from the Sensor. The cipher used by the Sensor was TLS1.0-RSA-AES128-SHA1. Current Release From release 9.1.7.11-9.1.7.4, the Manager supports 2048-bit RSA keys with Sha256WithRSAEncryption based signature. This release of the Manager reuses ports 8501, 8502, and 8503 to support this new posture that was previously allocated to certificates using 1024-bit RSA keys. The cipher used by the Sensor is TLS1.2-RSA-AES128-GCM-SHA256. Hence, after upgrading the Manager, Sensors deployed on these ports using 1024-bit RSA keys and weaker signatures will not be supported. The Manager and Sensor supports 2048-bit RSA keys with Sha256WithRSAEncryption based signature in release 8.1.7.91-8.1.7.44. If you are upgrading from versions 8.2 (EOL) or 8.3, you must activate ports 8501, 8502, and 8503 for Sensor-Manager communication. For more information, refer to the section Migration from SHA1 to SHA256 signing algorithm in the McAfee Network Security Platform 9.1 Installation Guide. The following table captures the migration of certificates. Table 2-1 Ports used based on encryption keys, certificates, and cipher suites Manager Port Channel Description Sensor software with 2048-bit RSA keys, 2048-bit RSA keys, 1024-bit RSA keys, SHA256 certificate, and SHA1 certificate, and SHA1 certificate, and TLS1.2-RSA-AES128- TLS1.0-RSA- TLS1.0-RSA- GCM-SHA256 AES128-SHA1 AES128-SHA1 8501 Install Sensor Applicable --- Applicable 8502 Alert/Event Applicable --- Applicable 8503 Packet Log Applicable --- Applicable 8506 Install Sensor --- Applicable --- 8507 Alert/Event --- Applicable --- 8508 Packet Log --- Applicable --- 8504 File transfer Proprietary (file transfer channel) Proprietary (file transfer channel) Proprietary (file transfer channel) 8509 File transfer 2048-bit RSA Encryption 2048-bit RSA Encryption 1024-bit RSA Encryption 8510 File transfer 2048-bit RSA Encryption 2048-bit RSA Encryption 1024-bit RSA Encryption 4
For more information, see McAfee Network Security Platform 9.1 Installation Guide. On-premise Network Security Manager managing Sensors in an AWS environment McAfee Network Security Manager that is installed on-premises within your network can be used to manage Virtual IPS Sensors deployed in the AWS environment provided that the Manager is connected to AWS through a VPN. This Manager can also be used to manage physical Sensors. For more information, see McAfee Network Security Platform 9.1 AWS Deployment Guide. vnsp solution high availability With this release, the Virtual Network Security Platform provides high availability of the complete solution with the Manager Disaster Recovery (MDR), Controller High Availability (HA), and the Virtual IPS Sensor auto scaling feature. This enables the vnsp solution to work seamlessly without any interruption. Controller High Availability (HA) The Controller High Availability (HA) provides a failover mechanism where one of the Controllers is always active and reachable. In a Controller HA pair, one Controller is in Active mode and the other Controller is in Standby mode. The Controller that completes deployment first registers with the Network Security Manager and becomes Active. The second Controller after registration with the Network Security Manager will be in Standby mode. The Controller HA pair uses elastic IP addresses to establish trust with the Network Security Manager. To configure a Controller HA pair, go to Devices <Admin Domain Name> Global vnsp Controllers. For more information on Controller high availability, see McAfee Network Security Platform 9.1 AWS Deployment Guide. Manager Disaster Recovery (MDR) in an AWS environment With this release, the Network Security Manager supports Manager Disaster Recovery (MDR) for the cloud environment. An MDR pair consists of a Primary Manager and a Secondary Manager. Usually the Primary Manager is in Active state and the Secondary in Standby state. When one of the Managers is not reachable, the other Manager becomes active which allows the Sensor to parse the traffic without any disruption. The functionality of an MDR pair in an AWS environment is similar to an on-premise MDR pair which manages the hardware appliances. You can use the on-premise MDR pair to manage the Virtual IPS Sensors deployed in AWS. MDR for Virtual Sensors uses the same concept as an MDR which manages the hardware appliances. The Virtual IPS Sensor sends alerts to both the Managers. Hence when the Secondary Manager becomes active, all the alerts are available. Policies, clusters, and protected groups configured in the Primary Manager are replicated in the Secondary Manager. Once the Primary Manager becomes active again, data from the Secondary Manager are updated in the Primary Manager. To create an MDR pair, go to Manager <Admin Domain Name> Setup MDR. For more information on MDR, see McAfee Network Security Platform 9.1 AWS Deployment Guide. Auto scaling of Virtual IPS Sensors Failover mechanism for Virtual IPS Sensors is provided by AWS auto scaling feature. This feature also provides increased traffic throughput as many Sensors can be used to load balance the traffic. Alarms are configured for the auto scaling group which launches new Sensor instances when the traffic reaches the threshold limit. Parameters like CPU utilization is configured for a certain threshold limit beyond which the auto scaling group launches an extra instance of the Sensor to load balance the excess traffic. Thus, the traffic to be inspected is redirected to the new Sensor instance with no downtime. As there are multiple Sensor instances within an auto scaling group, the traffic is distributed among the Sensors thus reducing latency in the network during inspection. 5
To create an auto scaling group, in the AWS console, go to Services EC2 Compute AUTO SCALING. For more information on the auto scaling feature for Sensor, see McAfee Network Security Platform 9.1 AWS Deployment Guide. IDS deployment This release of Network Security Platform supports deployment of Virtual IPS Sensors in detection mode (IDS). Previously, the Virtual IPS Sensors in an AWS environment, could be deployed only in prevention mode (IPS). In IDS mode, a copy of the packet is sent to the Virtual IPS Sensor for inspection. The Virtual IPS Sensor does not prevent or block the attack. Once an attack is detected, the Virtual IPS Sensor resets the TCP channel to prevent further attacks. To change the inspection mode for a protected group, go to Devices <Admin Domain Name> Global vnsp Clusters. For more information on IDS load balancer, see McAfee Network Security Platform 9.1 AWS Deployment Guide. Product integration With this release, Network Security Platform supports integration with following products release versions: McAfee epolicy Orchestrator version 5.9.0 McAfee Advanced Threat Defense and Virtual Advanced Threat Defense version 4.0.2.42 Threat Intelligence Exchange version 2.1.0 McAfee Cloud Threat Detection version 1.1.1 For more information on the product integration, see McAfee Network Security Platform 9.1 Integration Guide. Enhancements This release of Network Security Platform includes the following enhancements: Jumbo frame parsing In the earlier release, you configured jumbo frame parsing using this command: set jumboframeparsing <enable disable> From this release you can enable jumbo frame parsing in the Manager. To enable jumbo frame parsing perform the following steps: 1 Select Devices <Admin Domain Name> Devices <vnsp_cluster_name> Setup Advanced IP Settings. 2 In the Common IP Parameters section, select Enabled from the Jumbo Frame Parsing drop-down list and click Update to update the Sensor of the configuration change. If the Virtual IPS Sensors are pre-9.1 software, reboot the Sensors to update it. Jumbo frame parsing is not supported for Virtual IPS Sensors deployed on KVM even though the option is available in the Manager. For more information on the status dashboard, see McAfee Network Security Platform 9.1 AWS Deployment Guide. 6
Shared secret key enhancements In the earlier release, you could set the shared secret key using two methods: 1 Log in to the Sensor and set the Shared secret key using the CLI command set cloud-cluster sharedsecretkey. 2 While configuring the instance details in AWS, scroll down to Advanced Details, and provide the User data in the format shown below. {"Sensor Shared Key":"Sensor_Sharet_Key"} With this release, you can also store the Sensor and Controller shared secret keys in Amazon S3 Bucket and pass the URL in the User Data in the Advanced area while launching the Sensor or Controller instance. For Sensor: {"Primary NSM IP":" 10.x.x.x", "Cluster Name": "Cluster_Name", "Cloud Data URL":"URL_for_S3_bucket"} For Controller: {"Primary NSM IP":" 10.x.x.x", "Controller Name": "Controller_Name", "Cloud Data URL":"URL_for_S3_bucket"} For more information on the status dashboard, see McAfee Network Security Platform 9.1 AWS Deployment Guide. VM (agent) Status Dashboard for AWS Each vnsp Controller maintains its own list of managed endpoints, and because the Manager can manage multiple vnsp Controllers, this list contains the managed endpoints across all vnsp Controllers. The earlier release of Network Security Platform, provided the option to check status of the managed endpoints by entering an IP address in the Devices <Admin Domain Name> Global vnsp Clusters Endpoint Actions Check Endpoint Status page. In release 9.1, to provide a per-cluster view of managed endpoints, the Check Endpoint Status option has been enhanced to View Managed Endpoints option. To view the managed endpoints per-cluster, go to Devices <Admin Domain Name> Global vnsp Clusters Endpoint Actions View Managed Endpoints. For more information on the status dashboard, see McAfee Network Security Platform 9.1 AWS Deployment Guide. Licensing and telemetry Licensing With release 9.1, you are able to use a Virtual IPS Sensor license to add vnsp Clusters. Each license supports a pre-defined number of Virtual IPS Sensors and this number is specific to the license file you have procured. The Manager periodically compares the number of Virtual IPS Sensors supported by your licenses with the installed number of Virtual IPS Sensors, and provides a compliance report. The Virtual IPS Sensor Compliance Report provides you the information whether if you are compliant with the maximum number of Virtual IPS Sensors allowed by your licenses. The report also lists the licenses added to the Manager and the Virtual IPS Sensors currently managed by it. Telemetry In the previous release of Network Security Platform, telemetry was used to ascertain proper functioning of Virtual IPS Sensors and Virtual Probes. 7
In 9.1 release, telemetry is supported for vnsp clusters. Telemetry for vnsp clusters is used to ascertain proper functioning of Virtual IPS Sensors and Virtual Probes. This information is sent to the McAfee GTI Server. Telemetry is automatically enabled when the first vnsp Cluster is defined in the Manager. For more information on licensing and telemetry, see McAfee Network Security Platform 9.1 AWS Deployment Guide. Network Security Manager benchmarking for vnsp Clusters The Virtual Network Security Manager components optimum limits in an AWS environment are listed below: Component Limits Virtual IPS Sensors 100 per Cluster vnsp Clusters 100 per Controller vnsp Controllers 30 Central Manager UI redesign to migrate away from Java In release 9.1, the following existing UI pages have been enhanced to use the extjs framework: Attack Log With release 9.1, the alerts that were previously displayed in the Alerts tab in the Real-Time Threat Analyzer in the Central Manager are now displayed in Attack Log. The following actions can be performed in the Central Manager Attack Log. Update Policy Delete Alerts Create exceptions Save Attack Log Perform GTI Forensics Acknowledge alerts Assignment of alert Unacknowledge alerts To view the alerts, go to Analysis <Admin Domain Name> Attack Log. To view Endpoint information, go to the Analysis <Admin Domain Name> Quarantine in the corresponding Manager. For more information, see McAfee Network Security Platform 9.1 Manager Administration Guide. Grouping alerts in the Attack Log page The Attack Log page, depending on the traffic passing through your network, might display several alerts that run into multiple pages. It becomes inefficient to search for specific groups of alerts. Version 9.1 enables you to filter the display of alerts based on specific criteria. The Group by this field option has been made available to group and view a consolidated list of alerts in the Attack Log page. Alerts can be grouped by any of the categories in the Attack Log page, except the following: Time, Attack Count, and Alert ID under the Event column NSP ID under the Attack column Packet Capture Layer 7 Data In a Central Manager setup, you can additionally group the alerts based on the version of the Manager. For more information, see McAfee Network Security Platform 9.1 Manager Administration Guide. 8
Configuration option changes for custom attack signatures While configuring user-defined signatures (UDS) for M-series Sensors from the Custom Attack Editor (under Policy <Root Admin Domain> Intrusion Prevention Policy Types IPS Policies), you only had the option to apply the UDS with a combination of both M-series and NS-series Sensors and not specific to either. In release 9.1, you have the following options to apply UDS specific to each Sensor: M-series only NS-series only Virtual IPS Sensors only In release 9.1, in addition to the options available to apply UDS for specific Sensor models, you have options to apply UDS in the following new combinations: Any M-series and NS-series Sensors only M-series and Virtual IPS Sensors only NS-series and Virtual IPS Sensors only For more information, see McAfee Network Security Platform 9.1 Custom Attack Definitions Guide. Resolved issues The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Resolved Manager software issues The following table lists the high-severity Manager software issues: ID # Issue Description 1191757 Attack detection occurs even after the protected group is removed or the subnet is removed from a protected group. 1187949 Virtual Probe status is displayed as inactive when active and vice versa. 1187413 In the Snort Variables window under Custom Attack Editor, after deleting and then adding a Snort variable displays the error, Please enter macro name. 1184643 Creation of new UDS fails with the error Number of Characters > 255 even when the number of characters are less than 255. 1180538 Characters specified within the specified range generates the error Number of Characters > 255. 1173256 The Manager user interface fails to load in Internet Explorer version 11. 1169061 The device integrated with the NTBA appliance is not displayed in the device list under Devices <Admin Domain Name> Devices. 1118316 Incorrect description is displayed in the alert details panel in Attack Log for Endpoint Executables and Malware Files. 1114679 The Attack Log does not display data for EIA executables. 1074542 Incorrect quarantined IP address is displayed for MAID alerts. The following table lists the medium-severity Manager software issues: 9
ID # Issue Description 1195755 Traffic is blocked using SmartBlocking even when SmartBlocking is disabled. 1194681 Custom attacks are not saved. 1194519 In the Quarantine page, the quarantined IP with the option Until explicitly released is not displayed. 1188068 The Quarantine page in the Manager does not display the list of all quarantined hosts. 1187415 In the Custom Attack Editor, Snort variable created to replace all variables fails with errors. 1187341 The Executive Summary report generation fails after a Manager upgrade. 1185999 High-risk endpoints are not displayed in the Manager. 1185264 Creating custom signature with fixed source or destination IP addresses causes test compilation failure. 1184847 Sensor settings cannot be saved under Devices <Admin Domain Name> Global IPS Device Settings Advanced Device Settings. 1184808 Snort signatures are not triggered for HTTP response data. 1184425 The Manager displays the error SensorConfigurationException: Agent Not Supported when an IP address is removed from the quarantined list in the Quarantine page. 1183929 Summary page of the failover peer displays two different names. 1182409 The Manager attempts to connect to msas.mcafee.com without using a proxy. 1182351 The epo Dashboard Data retriever user role does not allow epo integration with the Manager under Manager <Admin Domain Name> Users and Roles Roles. 1182238 Unable to view the source user information in Attack Log. 1180895 The RADIUS servers page under Manager <Admin Domain Name> Setup External Authentication RADIUS Servers displays the error An unexpected error occurred during the processing of your request. Check the log file for possible errors. 1180405 The Manager fails to enable the option Restrict SSH Access to CLI under Devices <Admin Domain Name> Devices <Device Name> Setup Advanced Advanced Device Settings. 1179146 The attempt to add a username that includes an apostrophe in the Add a User page fails. 1175719 The Manager health check fails due to database login under Manager <Admin Domain Name> Troubleshooting Health Check. 1173949 Snort rule for UDP packets does not generate alerts and drops the packets on port 53. 1173927 The Manager Dashboard page does not display the Throughput Usage, Memory Usage, and CPU Usage monitors. 1172736 LDAP over SSL does not work after a Manager upgrade. 1168696 The performance charts does not display data for Minutes filter under Devices <Admin Domain Name> Devices <Device Name> Troubleshooting Performance Charts. 1166814 The Faults report displays Scheduled botnet detectors download is in progress even after the callback detectors are successfully updated. 1165342 Quarantined hosts generates alerts in the Threat Analyzer. 1164024 Sensor performance alert causes alert channel to go down. 1156285 Running a health check fails when the Manager is connected through proxy settings. 1153987 A difference exists between severity of detected alerts and configured severity. 1153466 An error is displayed while exporting packet captures of an alert from the Attack Log page. 1153107 The Manager uses SHA128 bit encryption algorithm instead of SHA256. 1152473 In the Attack Log page, filtering attacks for Attack SmartBlocked are not displayed in the Results column. 1152295 When adding an Ignore Rule from the Attack Log page, the action to create a new rule object fails in the Add Ignore Rule window. 10
ID # Issue Description 1151225 The malware confidence (severity) for the same alert displays inconsistent value in the Manager (Attack Log, Alert Details, and Malware Files) and Syslog Message. 1150853 The configuration options are disabled for alert relevance in Manager <Admin Domain Name> Integration Vulnerability Assessment MVM Alert Relevance. 1150753 The Manager incorrectly considers a Sensor to be part of a failover pair. 1149195 Login for epo Dashboard Data Retriever user role displays an error. 1149111 Manually quarantined IP address from the Attack Log page is not displayed in the Manager quarantine list. 1149099 The Manager sends additional messages in the syslog notification for some alerts. 1148771 The Manager is vulnerable to CVE-2016-5385. 1148663 The actions performed to enable or disable the monitoring ports in the Sensor are displayed incorrectly in the User Activity Log page. For example, if the port action is from Enabled to Disabled, it is displayed as Disabled to Enabled in the Manager. 1148454 In the Manager, the list to select the child domain is disabled. 1147762 Expired SSL certificate can be imported to the Manager which is displayed as Valid. 1147619 Alert count mismatch exists between the Primary and Secondary Manager. 1146980 The Devices tab does not display the tab options. 1146835 When an attack is blocked using the Recommended for Smart Blocking (RfSB) feature, its attack result in the SNMP trap displays [777] instead of Smart Blocked. 1145115 The data truncation error description is very long. 1143918 The Result column does not display attacks for smartblocked attacks in the Attack Log after Manager upgrade. 1143558 E-mail notifications are incorrectly sent for alerts that are not configured to send notifications. 1143464 Direct link to view the Sensor status on the System Health monitor of the Dashboard page is disabled. 1143395 The An internal application error occurred message is displayed when trying to access the Global Threat Intelligence from the Manager. 1142684 Error is displayed in the Manager when the number of quarantined IP addresses exceeds 1000. 1142079 Attacks names are displayed as --- after a signature set upgrade under Policy <Admin Domain Name> Intrusion Prevention Policy Types IPS Policies. 1142047 The Manager automatically deploys the signature sets even when automatic deployment is disabled. 1141070 The performance charts for Device Throughput Usage, Port Throughput, and CPU Usage under Devices <Admin Domain Name> Devices <Device Name> Troubleshooting Performance Charts does not display weekly data. 1140604 When deploying updates to the Sensor, the Running Tasks and User Activity Log pages displays the device name as null. 1139033 Importing user-defined signatures in the Manager causes error. 1138655 In an MDR scenario, both the Primary and Secondary Managers send fault notification for port link failures. 1138335 Communication between the Manager and the Sensor is disconnected after restarting the Manager service. 1136975 The trend analysis report scheduled for weekly or monthly time period does not display the data for the last day. 1135691 The fault for Gateway Anti-Malware file update is displayed in the Manager even when it successfully updated in the Sensor. 1132046 File pruning option does not delete old signature files. 11
ID # Issue Description 1131532 The syslog fault notifications for a high-availability Sensor cluster from the Manager contains the cluster name instead of the node name. 1128407 Executive Summary report shows several Address Not Resolved results in the Hostname columns in the Top N Source IP and Top N Destination IP sections. 1127589 The Policy <Admin Domain Name> Intrusion Prevention Policy Types Inspection Options Policies page freezes when you enable endpoint reputation analysis and disable name resolution/global Threat Intelligence. 1127429 The Manager update date is not displayed in the Manager <Admin Domain Name> Troubleshooting Health Check page. 1126704 The Manager command channel should request for TLS1.2 connection with NTBA. 1126609 In the Attack Log page, the policy update fails when selecting a policy under Update Policy options from the Other Actions list. 1125670 SNMP trap displays incorrect port name. 1118293 The Traffic Statistics page displays an error when clicked. 1112616 Unable to export custom attacks in the Policy <Admin Domain Name> Intrusion Prevention Policy Types IPS Policies Custom Attacks Snort Format Other Actions Export page. 1109643 The clean files count for the Blacklist engine should be changed to NA instead of 0 in the Devices <Admin Domain Name> Devices <Device Name> Troubleshooting Traffic Statistics page. The following table lists the low-severity Manager software issues: ID # Issue Description 1140630 The syslog notifications for performance faults does not include the value that triggered the fault or the threshold. Resolved Sensor software issues The following table lists the high-severity Manager software issues: ID # Issue Description 1189343 Request to Controller to create policy fails if Cluster name is greater than 9 characters. 1188997 Controller registration fails if special characters are used in the shared secret key. The following table lists the medium-severity Sensor software issues: ID # Issue Description 1197096 The Sensor reads the incorrect input without proper validation and starts establishing trust using SHA2 based signature methods. 1189509 The Sensor logs have text error in the reboot message. 1184408 After an upgrade, the Sensor experiences exception while processing signature set causing it to go to bad health or experience auto recovery. This happens more often when there are Ignore Rule with Any Any or IPv6 Ignore Rule and IPv6 scanning is disabled. 1179570 The Sensor fails to decrypt SSL traffic due to which attacks are not detected. 1173413 Configuration update fails after a certain number of times when there are Ignore Rule with Any Any or IPv6 Ignore Rule and IPv6 scanning is disabled. Internal resources fail to free for such configurations. 1170675 Invalid characters are sent as URL information to Advanced Threat Defense. 1166917 Incorrect alert is generated for high layer 2 drop in the Manager. 1167880 The Sensor cannot extract the file name when SMTP traffic has multiple attachments. 1167372 After Sensor upgrade, FTP traffic does not flow through the Sensor. 12
ID # Issue Description 1166353 For XFF traffic, the Sensor does not send true client IP address to the syslog server. 1164826 Syslog alerts sent from the Sensor displays the timestamp incorrectly with a 12-hour difference. 1164156 Auto configuration template does not work. 1164047 Filename and domain in URL path contains duplicate domain name information when submitted to Advanced Threat Defense. 1163689 Whitelisted entries with more than two labels does not generate an exact match. 1161864 Sensor reboots or auto recovers when entries to the IP Reputation caches are added even after reaching the maximum table size. 1151327 In a rare condition, the malware processing engine experiences an exception while processing an SMTP attachment file having large encoded content. 1149298 Internal resource leak in the malware processing modules causes the Sensor to stop sending files to the Advanced Threat Defense appliance. 1147374 The output for resolve gti server CLI command displays incorrect destination. 1137285/ 1135165 Sensor fails to trigger a match in a SNORT rule when the pattern is embedded in a HTTP response beyond 256 bytes. 1137245 Layer 7 DDOS response action configuration does not work correctly. 1120248 FTP file transfer cannot be blocked with advanced malware policy. 1113653 The Sensor fails to block retransmitted packets for malware attacks configured for blocking. 13
Installation instructions Manager server/client system requirements The following table lists the 9.1 Manager server requirements: Operating system Minimum required Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation) Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system Windows Server 2016 Standard Edition (Server with a GUI) English operating system Windows Server 2016 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2016 Datacenter Edition (Server with a GUI) English operating system Windows Server 2016 Datacenter Edition (Server with a GUI) Japanese operating system Only X64 architecture is supported. Recommended Windows Server 2016 Standard Edition operating system Memory 8 GB Supports up to 3 million alerts in Solr. >16 GB Supports up to 10 million alerts in Solr. CPU Server model processor such as Intel Xeon Same Disk space 100 GB 300 GB or more Network 100 Mbps card 1000 Mbps card Monitor 32-bit color, 1440 x 900 display setting 1440 x 900 (or above) The following are the system requirements for hosting Central Manager/Manager server on a VMware platform. 14
Table 5-1 Virtual machine requirements Component Minimum Recommended Operating system Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation) Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation) Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system Windows Server 2016 Standard Edition (Server with a GUI) English operating system Windows Server 2016 Standard Edition (Server with a GUI) Japanese operating system Windows Server 2016 Datacenter Edition (Server with a GUI) English operating system Windows Server 2016 Datacenter Edition (Server with a GUI) Japanese operating system Only X64 architecture is supported. Windows Server 2016 Standard Edition operating system Memory 8 GB >16 GB Supports up to 3 million alerts in Solr. Supports up to 10 million alerts in Solr. Virtual CPUs 2 2 or more Disk Space 100 GB 300 GB or more Table 5-2 VMware ESX server requirements Component Minimum Virtualization software ESXi 5.1 Update 2 ESXi 5.5 Update 3 ESXi 6.0 Update 1 ESXi 6.5 15
The following table lists the 9.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10: Operating system Minimum Windows 7, English or Japanese Windows 8, English or Japanese Windows 8.1, English or Japanese Windows 10, English or Japanese The display language of the Manager client must be the same as that of the Manager server operating system. Recommended RAM 2 GB 4 GB CPU 1.5 GHz processor 1.5 GHz or faster Browser Internet Explorer 10, 11 Mozilla Firefox Google Chrome (App mode in Windows 8 is not supported) To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list. Internet Explorer 11 Mozilla Firefox 20.0 or later Google Chrome 24.0 or later In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default. For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server. The following are Central Manager and Manager client requirements when using Mac: Mac operating system Yosemite El Capitan Browser Safari 8 or 9 For more information, see McAfee Network Security Platform Installation Guide. Known issues For a list of known issues in this product release, see this McAfee KnowledgeBase article: Network Security Platform software issues: KB88813 Product documentation Every McAfee product has a comprehensive set of documentation. Find product documentation 1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. 16
9.1 product documentation list The following software guides are available for Network Security Platform 9.1 release: Quick Tour AWS Deployment Guide Installation Guide (includes Upgrade Guide) CLI Guide Manager Administration Guide XC Cluster Administration Guide Custom Attack Definitions Guide Integration Guide Manager API Reference Guide Best Practices Guide IPS Administration Guide Troubleshooting Guide Copyright 2017 McAfee, LLC McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. 0C-00