McAfee Network Security Platform 9.1


Revision A

McAfee Network Security Platform 9.1
(9.1.7.63-9.1.7.12 Manager-Virtual IPS Release Notes)

Contents
- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

Network Security Platform follows a release process that is based on customer requirements and best practices followed by other McAfee teams. For details, read KB78795.

This release of Network Security Platform is to provide enhancements on the Manager and Virtual IPS Sensor software for ESX alone. This release of Virtual IPS is not supported for VMware NSX, KVM, and AWS.

Release parameters: Version
Network Security Manager software version: 9.1.7.63
Signature Set: 9.8.18.7
Virtual IPS Sensor software version: 9.1.7.12

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version 1.8.0_153, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to bind for IPv6.

Manager 9.1 uses JRE version 1.8.0_153 and MySQL version 5.6.39.

If you have IPv6 Sensors behind a firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Manager software version 9.1 is not supported on McAfee-built Dell-based Manager Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.

Upgrade support

McAfee regularly releases updated versions of the signature set. You can choose to automatically download and deploy the signature set in the Manager.

Manager:

Current version: 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12, 8.1.7.13
Upgrade path to 9.1: 8.1.7.82, then 9.1.7.63

Current version: 8.1.7.33, 8.1.7.52, 8.1.7.82, 8.1.7.91, 8.1.7.96, 8.1.7.100, 8.1.7.105
Upgrade path to 9.1: 9.1.7.63

Current version: 8.3.7.7, 8.3.7.28, 8.3.7.44, 8.3.7.52, 8.3.7.64, 8.3.7.68, 8.3.7.86
Upgrade path to 9.1: 9.1.7.63

Current version: 9.1.7.11, 9.1.7.15, 9.1.7.49
Upgrade path to 9.1: 9.1.7.63

All intermediate Manager versions, such as Hotfixes, below 8.1.7.33 must upgrade to 8.1.7.82 before upgrading to the latest 9.1 Manager version. All Manager versions above 8.1.7.33 can directly upgrade to the latest 9.1 Manager version.

Virtual IPS: (IPS-VM600)

Component: 8.0.7.9, 8.1.7.14, 8.1.7.32, 8.1.7.34, 8.1.7.44, 8.1.7.47
Upgrade path to 9.1: 9.1.7.12

Component: 8.3.7.3, 8.3.7.6, 8.3.7.14, 8.3.7.47, 8.3.7.55, 8.3.7.56
Upgrade path to 9.1: 9.1.7.12

Component: 9.1.7.4
Upgrade path to 9.1: 9.1.7.12

All intermediate Sensor software versions for Virtual IPS, such as Hotfixes, can directly upgrade to the latest 9.1 Sensor software version.

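The upgrade rules above, as an added example that is not part of the release notes or of any McAfee tooling: a planner that compares build numbers numerically (plain string comparison would sort 8.1.7.5 above 8.1.7.33) and reports whether a build is named in the tables. Function and constant names are hypothetical, and 8.1.7.33 itself is treated as a direct upgrade because the table lists it that way.

```python
# Added example: plan an upgrade using the version rules in these release notes.
# All names here are hypothetical; version numbers are copied from the tables.
TARGETS = {"manager": "9.1.7.63", "sensor": "9.1.7.12"}
MANAGER_HOP = "8.1.7.82"           # required stop for builds below the floor
MANAGER_DIRECT_FLOOR = "8.1.7.33"  # assumption: inclusive, as the table lists it

LISTED = {
    "manager": set(
        "8.1.3.4 8.1.3.6 8.1.7.5 8.1.7.12 8.1.7.13 8.1.7.33 8.1.7.52 8.1.7.82 "
        "8.1.7.91 8.1.7.96 8.1.7.100 8.1.7.105 8.3.7.7 8.3.7.28 8.3.7.44 "
        "8.3.7.52 8.3.7.64 8.3.7.68 8.3.7.86 9.1.7.11 9.1.7.15 9.1.7.49".split()
    ),
    "sensor": set(  # Virtual IPS (IPS-VM600)
        "8.0.7.9 8.1.7.14 8.1.7.32 8.1.7.34 8.1.7.44 8.1.7.47 8.3.7.3 8.3.7.6 "
        "8.3.7.14 8.3.7.47 8.3.7.55 8.3.7.56 9.1.7.4".split()
    ),
}


def parse(version):
    """Turn 'a.b.c.d' into a tuple of ints so builds compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {version!r}")
    return tuple(int(p) for p in parts)


def plan(component, current):
    """Return (upgrade_steps, listed_in_table) for a Manager or Virtual IPS build."""
    target = TARGETS[component]
    cur = parse(current)
    if cur > parse(target):
        raise ValueError(f"{current} is newer than {target}")
    listed = current.strip() in LISTED[component]
    if cur == parse(target):
        return [], listed
    # Only the Manager has a mandatory intermediate hop; hotfix builds that the
    # table does not name follow the same rule and come back with listed=False.
    if component == "manager" and cur < parse(MANAGER_DIRECT_FLOOR):
        return [MANAGER_HOP, target], listed
    return [target], listed


if __name__ == "__main__":
    for comp, ver in [("manager", "8.1.7.5"), ("manager", "8.1.7.33"),
                      ("manager", "8.1.7.20"), ("sensor", "8.0.7.9")]:
        steps, listed = plan(comp, ver)
        note = "" if listed else " (build not named in the table; rule applied)"
        print(f"{comp} {ver}: {' -> '.join(steps) or 'already current'}{note}")
```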
Heterogeneous support

This version of 9.1 Manager software can be used to configure and manage the following devices:

Device: Version
NS-series Sensors (NS3100, NS3200, NS5100, NS5200, NS7100, NS7200, NS7300, NS9100, NS9200, NS9300): 8.1, 8.3, 9.1
NS-series Sensors (NS7150, NS7250, NS7350): 9.1
Virtual IPS for ESXi server (IPS-VM100, IPS-VM600): IPS-VM100: 8.1, 8.3, 9.1; IPS-VM600: 8.1, 8.3, 9.1
Virtual IPS for KVM (IPS-VM100, IPS-VM600): 8.3
Virtual IPS for VMware NSX (IPS-VM100-VSS): 8.1, 8.3, 9.1
Virtual IPS for AWS (IPS-VM100-VSS): 8.3, 9.1
M-series Sensors (M-1250, M-1450, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000): 8.1, 8.3, 9.1
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030): 8.1, 8.3, 9.1

M-8000XC Cluster Appliance: 8.1, 8.3, 9.1
NTBA Appliances (T-200, T-500, T-600, T-1200): 8.1, 8.3, 9.1
Virtual NTBA Appliances (T-VM, T-100VM, T-200VM): 8.1, 8.3, 9.1

New Sensor image for IPS-VM100 and IPS-VM100-VSS Sensor models are not supported from this release of 9.1.

Integration support

The above mentioned Network Security Platform software versions support integration with the following product versions:

Product: Version supported
McAfee ePO: 5.9.1, 5.9.0
McAfee Global Threat Intelligence: Compatible with all versions
McAfee Endpoint Intelligence Agent: 2.6
McAfee Logon Collector: 3.0.7
McAfee Threat Intelligence Exchange: 2.1.1, 2.0.0
McAfee Data Exchange Layer: 3.1.0, 3.0.0
McAfee Advanced Threat Defense: 4.2.0.20
McAfee Virtual Advanced Threat Defense: 4.2.0.4
McAfee Vulnerability Manager: 7.5
McAfee Host Intrusion Prevention: 8.0

From this release of 9.1, integration with McAfee Cloud Threat Defense is no longer supported.

New features

This release provides fixes for some of the previously known issues, and does not include any new features.

Enhancements

This release provides fixes for some of the previously known issues, and does not include any enhancements.

Resolved issues

The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the high-severity Manager software issues:

1233517: Upgrade from Manager version 8.x to 9.1.x retains the older signature set version bundled with the Manager version.
1225603: [AWS] Manager fails to connect to AWS due to certificate update.

The following table lists the medium-severity Manager software issues:

1231606: Attack Log does not always display geo-location.
1229884: [AWS] The offline status icon for the virtual probe status in the Devices <Admin Domain Name> Devices <vnsp Cluster> Summary is not visible.
1229301: Unable to save the custom attacks when http-req-method and dns-qr options are not configured.
1229268: After device software deployment, the Sensor reboot option is checked for Sensors that are not selected for upgrade.
1228724: Unauthorized Manager roles can capture packets in the attack log.
1227695: While generating an automated monthly report, the previous 2 months' data is also included in the report.
1227689: Policy update fails in Attack Log and Threat Explorer.
1226390: While editing the policy for a Manager located in a different geographical location, warning warning.undefined.undefined is displayed.
1225368: After an upgrade, Device Summary and Version Summary reports fail.
1224465: The Alert Time Range field for the Executive Summary report displays duplicate values.
1224460/1198908: The Manager cannot be logged in using the RADIUS user credentials with the EAP-MD5 authentication method.
1224266: Unable to generate Next Generation reports when the Executable Classification field is selected.
1224017: Flow allocation changes are not updated in the Sensor.
1223948: Under the local Manager <Admin Domain Name> Reporting User Activity Log drop-down window, users created in the Central Manager Domain are missing.
1223816: Child domains in a Manager are not updated as the system health status is not refreshed.
1223378/1221186: Solr import fails with error message Input redirection is not supported, exiting the process immediately.
1223273: SSL keys cannot be deployed to Sensors when the Manager is installed in the offline mode.
1221478: User defined signatures that are re-exported cannot be imported to other Managers.
1221232: After an upgrade, snort rules are not saved as the Protection Category field is mandatory.
1220665: Device Summary and System Health information are missing in the dashboard after configuring ems.properties.
1220109: After deploying changes to the Sensors, alerts are not generated for the imported Snort rules.
1219891: Inconsistency in the Auto-Acknowledge Alert field between the attack definition grid view and the attack definitions view.
1219199: The System Administrator and NOC Operator roles log out when viewing descriptions.
1218745: When deploying Intel Security Controller from the Manager, the signature files cannot be downloaded automatically.
1218577: In Trend Analysis reports, the Attack Count is incorrect.
1218045: After an upgrade to Manager version 9.1.7.11, deploying custom attacks fails with error message CompilationError Compilation Failed.

1217952: Top applications show TCP 0 as the first indicator.
1216753: Syslog messages contain irrelevant characters.
1215894: After an upgrade to Manager version 9.1.7.11, older alerts are missing and attacks are unknown.
1215503: NTBA monitors do not display any information when Custom Time Period is selected in the Manager.
1215445: Descriptions are missing for signature sets that are downloaded automatically.
1214225: Partial signature is displayed in the Attack tab in the Custom Attack editor.
1213914: The REST API request using the parameter page=next does not work.
1213272: Configuration update fails in the Sensor as there is no limit set for rule objects and QoS policies.
1212345: After deploying changes to the Sensors, the Deploy Pending Changes page displays that changes are pending even after a successful deployment.
1209620: Excessive packet logging leads to packet log tables occupying high memory in large installations.
1207311: Unrelated lines of text are displayed in the ems.log.
1204420: The SNORT rule configured to ignore "X-Forwarded-for Header" is not working. This Manager fix will work only with signature set 8.7.116.2 or later.
1202303: Incorrect attack information is sent via Syslog.
1198866: Failed to create Protected VM Group for required subnets.
1111432: TOR traffic through a proxy server is not detected.

The following table lists the low-severity Manager software issues:

1230885: The following Apache vulnerabilities are addressed:
  CVE-2018-1304 - The URL pattern of an empty string maps to the context root when used as part of a security constraint definition. The constraint is ignored, which allows unauthorised users to gain access to web application resources.
  CVE-2018-1305 - Security constraints defined by annotations of Servlets are applied only when Servlet is loaded. As the constraints are not applied, it allows unauthorised users to access exposed resources.
1210987: Limitation error message appears in the Text-to-Match field while creating a Regex.

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

1224971: The SENSOR: Attack Marker Resources Exhausted alerts are generated.
1220164: The Sensor switches to Layer 2 mode when Callback Detectors and Heuristic Callback Discovery are enabled.
1219329: Configuration updates to a Sensor fail on the KVM hypervisor.
1217082: The connections are dropped incorrectly as the Layer 7 DoS response action is ignored.
1214529: Power supply status is incorrectly reported in the SNMP responses.
1211242: Alert Suppression displays incorrect values when a set pattern of n number of attacks are given.

1195319: Packet log is not available in the Manager for the attack TFTP: TFTP Server Error Packet Handling Buffer Overflow.
1149374: The Sensor health goes to a bad state due to an error from the datapath processor after a configuration update.

Installation instructions

Manager server/client system requirements

The following table lists the 9.1 Manager server requirements:

Operating system
  Minimum required: Any of the following:
    - Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
    - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
    - Windows Server 2012 R2 Standard Edition (Server with a GUI)
    - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
    - Windows Server 2016 Standard Edition (Server with a GUI)
    - Windows Server 2016 Datacenter Edition (Server with a GUI)
    Only X64 architecture is supported.
  Recommended: Windows Server 2016 Standard Edition operating system

Memory
  Minimum required: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.

CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same

Disk space
  Minimum required: 100 GB
  Recommended: 300 GB or more

Network
  Minimum required: 100 Mbps card
  Recommended: 1000 Mbps card

Monitor
  Minimum required: 32-bit color, 1440 x 900 display setting
  Recommended: 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system
  Minimum: Any of the following:
    - Windows Server 2008 R2 Standard or Enterprise Edition,, SP1 (64-bit) (Full Installation)
    - Windows Server 2012 R2 Standard Edition (Server with a GUI)
    - Windows Server 2012 R2 Datacenter Edition (Server with a GUI)
    - Windows Server 2016 Standard Edition (Server with a GUI)
    - Windows Server 2016 Datacenter Edition (Server with a GUI)
    Only X64 architecture is supported.
  Recommended: Windows Server 2016 Standard Edition operating system

Memory
  Minimum: 8 GB. Supports up to 3 million alerts in Solr.
  Recommended: >16 GB. Supports up to 10 million alerts in Solr.

Virtual CPUs
  Minimum: 2
  Recommended: 2 or more

Disk Space
  Minimum: 100 GB
  Recommended: 300 GB or more

Table 5-2 VMware ESX server requirements

Virtualization software
  Minimum:
    - ESXi 5.1 Update 2
    - ESXi 5.5 Update 3
    - ESXi 6.0 Update 1
    - ESXi 6.5 Update 1

The following table lists the 9.1 Manager Appliance (Linux) hardware and software specifications:

Table 5-3 Hardware and Software specifications

Hardware
  Regulatory Model Name: R1000
  CPU: Intel Xeon Silver 4114 2.2 GHz 10C, Skylake, 1 per system
  Hard Drive: 2.5" Enterprise HDD 2TB SATA III (6Gbps) 7200 RPM, 2 per system
  DVD ROM: None
  DIMM: 64GB DDR4 2133 MHz
  Integrated LAN: 2 x 10 GbE
  USB ports: 2 x 3.0 on front and 3 x 3.0 on rear panel
  Video: DB-15 HD VGA on front & rear panel
  Serial Port: RJ45 on rear panel

Software
  Manager software version 9.1
  McAfee Linux OS (MLOS) version 3.4.0.8756

The following table lists the 9.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

Operating system
  Minimum:
    - Windows 7, English or Japanese
    - Windows 8, English or Japanese
    - Windows 8.1, English or Japanese
    - Windows 10, English or Japanese
    The display language of the Manager client must be the same as that of the Manager server operating system.
  Recommended: Windows 10, English or Japanese

RAM
  Minimum: 2 GB
  Recommended: 4 GB

CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster

Browser
  Minimum:
    - Internet Explorer 10, 11
    - Mozilla Firefox
    - Google Chrome (App mode in Windows 8 is not supported)
    To avoid the certificate mismatch error and security warning, add the Manager web certificate to the trusted certificate list.
  Recommended:
    - Internet Explorer 11
    - Mozilla Firefox 20.0 or later
    - Google Chrome 24.0 or later
    In Mozilla Firefox version 52 or Google Chrome version 42 and above, the NPAPI plug-in is disabled by default.

For the Manager client, in addition to Windows 7, Windows 8, Windows 8.1 and Windows 10, you can also use the operating systems mentioned for the Manager server.

The following are Central Manager and Manager client requirements when using Mac:

Mac operating system: Yosemite, El Capitan
Browser: Safari 8 or 9

For more information, see McAfee Network Security Platform Installation Guide.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article:

Network Security Platform software issues: KB88813

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

Go to McAfee Documentation Portal to find the product documentation for this product.

Or

1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

9.1 product documentation list

The following software guides are available for Network Security Platform 9.1 release:

- Quick Tour
- Virtual IPS Administration Guide
- Installation Guide (includes Upgrade Guide)
- CLI Guide
- Manager Administration Guide
- XC Cluster Administration Guide
- Custom Attack Definitions Guide
- Integration Guide
- Manager API Reference Guide
- Best Practices Guide
- IPS Administration Guide
- Troubleshooting Guide
- NTBA Administration Guide

Copyright 2018 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.