NGFW Security Management Center Appliance Release Notes 6.3.0 Revision D Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes Contents • About this release on page 2 • Build version on page 2 • System requirements on virtualization platforms on page 3 • Compatibility on page 3 • New features on page 4 • Enhancements on page 5 • Resolved issues on page 7 • Installation instructions on page 8 • Known issues on page 10 • Find product documentation on page 10 About this release This document contains important information about this software release for the Forcepoint NGFW Security Management Center Appliance (SMC Appliance). We strongly recommend that you read the entire document. The SMC Appliance ships with pre-installed Forcepoint NGFW Security Management Center (SMC) software. The pre-installed SMC includes a Management Server and a Log Server. You can alternatively install the SMC Appliance software on a virtualization platform. Note: The SMC Appliance does not support high-availability for the Management Server or the Log Server. Build version SMC 6.3.0 build version is 10417. This release contains Dynamic Update package 988. Product binary checksums Use the checksums to make sure that the files downloaded correctly. To install the SMC Appliance software on a virtualization platform, use the .iso installation file. To upgrade the SMC Appliance, use the .sap file. For more information, see the Forcepoint Next Generation Firewall Installation Guide. 2 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes • smca-6.3.0_10417.x86_64.iso SHA1SUM: 085c092b087e4557b7ff2471b04667ed59e1c6e5 SHA256SUM: 50d0ae141e5d61f58fd0ca2dd3737cf0ae3153ed5b4ff9b6e029646b93033182 SHA512SUM: c0b273acd4f83d2a89698062e1ea4be2 a969828094a872bac4490602ac141b35 f33eef87ec18f7fcf82a70f4b352be1f 325319ca82f94e6c517427e01f37f6fd • 6.3.0U001.sap SHA1SUM: a2d77d2700d7eb9f16eab53c6d02acbf7b09412a SHA256SUM: e6ed10da7dd74e6171a5bf2953a567689b1797a5bce4727f80607910c9b6c9aa SHA512SUM: 9ea9ac5a1ed2c3f8a4fd7e67b073515f e043c44cb0d3908e292c31f512b4bbd8 9722fbbfd184fa1baa2d8bba9ab460ab c833a742bf6481c47ad068497dd2ac29 System requirements on virtualization platforms We strongly recommend using a pre-installed SMC Appliance as the hardware solution. You can alternatively install the SMC Appliance software on a virtualization platform. The following requirements apply: • VMware ESXi version 6.0 or higher as the hypervisor • 120 GB virtual disk minimum • 8 GB RAM minimum • At least one network interface Note: The .iso installation file that is used to install the SMC Appliance software on a virtualization platform is available only for major versions of the SMC Appliance. To install the maintenance version, first install the .iso for the major version, then upgrade to the maintenance version. Compatibility SMC 6.3 is compatible with the following component versions. Note: Some versions of Forcepoint NGFW might have reached end-of-life status. We recommend that you use a Long-Term Support version that is still supported. For more information about the Forcepoint NGFW lifecycle policy, see Knowledge Base article 10192. SMC 6.3 can manage all compatible Forcepoint NGFW engine versions up to and including version 6.3. 3 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes • Forcepoint™ Next Generation Firewall (Forcepoint NGFW) 6.2 and 6.3 • Stonesoft® Next Generation Firewall by Forcepoint (Stonesoft NGFW) 6.0 and 6.1 • McAfee® Next Generation Firewall (McAfee NGFW) 5.7, 5.8, 5.9, and 5.10 • Stonesoft Firewall/VPN Express 5.5 • McAfee® ePolicy Orchestrator® (McAfee ePO™) 5.0.1 and 5.1.1 • McAfee® Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only) New features This release of the product includes these new features. For more information and configuration instructions, see the Forcepoint Next Generation Firewall Product Guide and the Forcepoint Next Generation Firewall Installation Guide. Support for Forcepoint Endpoint Context Agent Support for Forcepoint Endpoint Context Agent (ECA) allows you to use endpoint information in the Forcepoint NGFW policy to control access, identify users, and log their actions. ECA is a Windows client application that provides endpoint information to the NGFW Engine. ECA is a replacement for McAfee Endpoint Intelligence Agent (McAfee EIA). CAUTION: If McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the NGFW Engine when you upgrade to version 6.3 or later, the NGFW Engine node is returned to the initial configuration state and stops processing traffic. You must remove the McAfee Endpoint Intelligence Agent (McAfee EIA) configuration and refresh the policy before you upgrade to version 6.3 or later. For more information, see Knowledge Base article 14093. Multi-Layer Deployment for NGFW Engines in the Firewall/ VPN role Multi-layer deployment is now supported for NGFW Engines in the Firewall/VPN role. In multi-layer deployment, NGFW Engines in the Firewall/VPN role have both layer 2 physical interfaces and layer 3 physical interfaces. The same NGFW Engine can now provide the features of the Firewall/VPN role, as well as the inspection features of the IPS and Layer 2 Firewall roles. Route-based VPN improvements The user interface for configuring a route-based VPN has been improved. Instead of configuring a single RouteBased VPN element, you can create individual Route-Based VPN Tunnel elements. The route-based VPN tunnels can be used in Administrative Domains other than the Shared Domain. Improvements in Forcepoint Advanced Malware Detection In addition to the cloud sandbox, Forcepoint Advanced Malware Detection now also supports on-premises local sandboxes. Other improvements include the following: 4 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes • The NGFW Engine can now delay file transfers until the results of the sandbox scan are received. • The NGFW Engine now separately requests a file reputation for each file in .zip archives. • The reporting tools in the external portal have been improved, and it is easier to access reports in the external portal from the Management Client. NGFW on Azure and Hyper-V You can now deploy NGFW Engines in the Microsoft Azure cloud to provide VPN connectivity, access control, and inspection for services in the Microsoft Azure cloud. The Microsoft Hyper-V virtualization platform on Windows 2012 and 2016 servers is now also supported for NGFW deployment on a virtualization platform in a private cloud. Only NGFW Engines in the Firewall/VPN role are supported in the Microsoft Azure cloud and on the Microsoft Hyper-V virtualization platform. Support for Forcepoint User ID Service Forcepoint User ID Service collects information about users, groups, and IP addresses from Windows Active Directory (AD) servers and AD domains. You can use the information from the Forcepoint User ID Service in the Forcepoint NGFW policy to identify users and control access. Support for HTTPS in Sidewinder HTTP Proxy The Sidewinder HTTP Proxy can now provide decryption, inspection, protocol validation, certificate validation, and certificate revocation checking for the HTTPS protocol. Enhancements This release of the product includes these enhancements. Enhancements in SMC version 6.3.0 Enhancement Description New commands for SMC Appliance The following new subcommands of the smca-system command have been added: • smca-system serial-number — Shows the hardware serial number for the SMC Appliance. • smca-system fingerprint — Shows the fingerprint for the CA used by the Management Client. Second interface on the SMC Appliance You can now configure a second interface on the SMC Appliance when you install the appliance. Support for serial console connections on the SMC Appliance You can now connect to the SMC Appliance using a serial console connection, or make outbound serial console connections from the SMC Appliance to other devices, such as Forcepoint NGFW appliances. 5 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes Enhancement Description Rate limit per Virtual NGFW Engine for traffic from the Master NGFW Engine You can now set a rate limit per Virtual NGFW Engine for traffic from the Master NGFW Engine to the Virtual NGFW Engine. When the limit is set, a single Virtual NGFW Engine that is under very heavy load cannot disrupt the operation of the other Virtual NGFW Engines that are hosted by the Master NGFW Engine. Dedicated control plane operation You can now dedicate a specified number of CPUs to control plane operations. Even under very heavy loads, you can continue to manage NGFW Engines and refresh policies, and the status of the NGFW Engines remains green in the Home view. Changes related to certificates The NGFW Engine can now validate certificates and check the certificate revocation status for features that have certificate validation and certificate revocation checks enabled, such as features that use a TLS Profile in the configuration. Except for VPN certificates, most elements related to certificates are now found in the Administration > Certificates branch of the Configuration view. There is no longer a separate Pending Certificate Request element. Certificate requests are now created as TLS Credentials elements. The state of the TLS Credentials element indicates whether is it a signed certificate or a certificate request. Limit for half-open TCP connections As part of the SYN flood protection feature, you can now set a limit for the number of half-open TCP connections. When the limit is reached, SYN flood protection is enabled. Improvements to SSM architecture Improvements to SSM integration remove some previous limitations on inspection when Sidewinder Proxies are used. These former limitations include matching traffic based on Network Applications, file filtering, and URL filtering. New Combined Protocol elements allow you to apply a standard Protocol element and a Sidewinder Proxy Protocol element to the same traffic. New commands for managing NGFW Engines and NGFW appliances It is now possible to power off an NGFW Engine remotely through the Management Client. In addition, you can now also reset an NGFW appliance to factory settings through the Management Client. To increase security, you can set how many times you want the stored data on the file system of the NGFW appliance to be overwritten. Task for validating policies There is a new task for validating policies. The Validate Policy task allows you to validate the policy installed on NGFW Engines or Master NGFW Engines or the Alert Policy installed in an administrative Domain. You can run the Validate Policy task either manually or according to a schedule. Updated product names The NGFW product names have been updated. Stonesoft Management Center is now called Forcepoint NGFW Security Management Center (SMC), and Stonesoft Next Generation Firewall (Stonesoft NGFW) is now called Forcepoint Next Generation Firewall (Forcepoint NGFW). The new product names are used in the SMC installer, the SMC installation directory, in the Management Client, and in the list of services in the Windows Control Panel. Improvements in change approval process It is now possible to give individual administrators permission to approve changes. Previously, only administrators with unrestricted permissions (superusers) could approve changes. You can also specify whether administrators are allowed to approve their own changes. 6 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes Enhancement Description Home page improvements in the Management Client You can now easily customize the home page for components in the Home view. You can use drag-and-drop to re-organize the panes and select new panes from a predefined selection of panes to replace existing panes on the home page. You can now include statistics in home pages. The Management Server and the Log Server now have their own home page in the Home view. Resolved issues These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release. Description Issue number If you drag and drop the dynamic IP address of a physical interface to another interface, then change the IP address to a static IP address on the original interface without saving the configuration, the interface configuration becomes unusable. If the IP address on the original endpoint was used as a VPN endpoint, you can no longer open the VPN Endpoints view in the Engine Editor or any VPN where a gateway with the VPN endpoint in question is used. SMC-1873 An administrator that has the Administrative Rights option Manage Alerts in the Administrator Role is not able to install an Alert Policy for a domain. SMC-2005 The SSH key fingerprints for the Sidewinder SSH Proxy are shown in a different format than SSH clients typically display them, which can make it difficult to verify the fingerprint. SMC-3782 Only one hyphen can be used in the FQDN contact address for a dynamic interface. SMC-4846 If a policy is installed on multiple NGFW Engines, even if one of the NGFW Engines reports a failure, the policy installation is reported to have completed successfully. SMC-4908 The "$$ Local Cluster" alias does not cover dynamic IP addresses for Single Firewalls. SMC-4980 System elements can show in the search results when you search for unused elements. System elements cannot be deleted. SMC-5044 Even though you can configure status monitoring and log reception for other types of servers, such as Active Directory Servers, you can only add Host and Router elements to the Monitoring tab in the Log Server Properties dialog box. SMC-5053 It is not possible to use the Enforce TCP MSS option in the action options for an IPv6 Access rule. SMC-5189 In the initial configuration file for the engine, special characters, such as @, are saved as encoded values. The engine does not interpret the encoding. As a result, PPP settings might not work correctly when you use a saved initial configuration file when you make initial contact with the Management Server. SMC-5930 When setting the Distinguished Name of a Phase-1 ID for a VPN endpoint, you cannot use special characters, such as @. SMC-6120 The maximum length for the name in a Domain Name element is 63 characters. SMC-6452 The Default NAT option for element-based NAT includes all default routes. When there is a default route through both a NetLink and a router, the routing configuration is not generated correctly. Policy installation fails and the following message is shown: "The addresses specified for the Multi-Link Balancing CVI-X, CVI-Y are not included in its netlinks." SMC-6539 7 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes Description Issue number When anti-malware is configured to use an HTTP proxy, the Access rule that allows retrieving anti-malware database updates is not automatically generated. SMC-7275 If an Access rule references a a Zone element and a Group that includes an IP Address list element, the matching does not work correctly. SMC-7440 Syslog data is not forwarded if the target host has only an IPv6 address defined. SMC-7469 When you add an IP address to an interface, antispoofing entries that have been manually added are removed from the interface. SMC-8382 Installation instructions Use these high-level steps to install the SMC Appliance. For detailed information about installing the SMC Appliance and the NGFW Engines, see the Forcepoint Next Generation Firewall Installation Guide. All guides are available for download at https://support.forcepoint.com. Steps 1) Turn on the SMC Appliance. 2) Select the keyboard layout for accessing the SMC Appliance on the command line. 3) Accept the EULA. 4) Enter the account name and password. For credential requirements, see the Forcepoint Next Generation Firewall Installation Guide. 5) Make your security selections. 6) Complete the network interface and network setup fields. 7) Enter a host name for the Management Server. 8) Select the time zone. 9) (Optional) Configure NTP settings. 10) After the SMC Appliance has restarted, install the Management Client. You can use Java Webstart or install the Management Client from a file to allow remote access to the SMC. Java Web Start is enabled by default on the Management Server that is pre-installed on the SMC Appliance. 11) Import the licenses for all components. You can generate licenses at https://stonesoftlicenses.forcepoint.com. 12) Create the NGFW Engines elements, then install and configure the NGFW Engines. 8 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes Upgrade the SMC Appliance Upgrade the SMC Appliance from a previous version to version 6.3.0. CAUTION: Before upgrading the SMC Appliance from version 6.2.0, install the 6.2.0P001 patch. For more information, see Knowledge Base article 14168. Note: The SMC Appliance must be upgraded before the engines are upgraded to the same major version. SMC 6.3 requires an updated license. • If the automatic license update function is in use, the license is updated automatically. • If the automatic license update function is not in use, request a license upgrade on our website at https://stonesoftlicenses.forcepoint.com. Activate the new license using the Management Client before upgrading the software. Steps 1) Log on to the SMC Appliance. 2) Enter sudo ambr-query, then press Enter to check for available patches. 3) Enter sudo ambr-load <patch>, then press Enter to load the patch on the SMC Appliance. To load the patch that upgrades the SMC Appliance to version 6.3.0, enter sudo ambr-load 6.3.0U001, then press Enter. Note: If you downloaded the patch and transferred it to the SMC Appliance, append the load command with the -f option and specify the full path to the patch file. For example, sudo ambr-load –f /var/tmp/6.3.0U001.sap. 4) Enter sudo ambr-install <patch>, then press Enter to install the patch on the SMC Appliance. To install the 6.3.0U001 SAP, enter sudo ambr-install 6.3.0U001, then press Enter. The installation process prompts you to continue. 5) Enter Y. Result The installation process restarts the appliance and installs the patch. When the upgrade is finished, the appliance restarts. The appliance is now running SMC Appliance 6.3.0. Installing SMC Appliance patches We recommend checking the availability of SMC Appliance patches regularly, and installing the patches when they become available. The SMC Appliance patches can include improvements and enhancements to the SMC software, the operating system, or the SMC Appliance hardware. 9 Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes For detailed information about installing SMC Appliance patches, see the Forcepoint Next Generation Firewall Installation Guide. All guides are available for download at https://support.forcepoint.com. Known issues For a list of known issues in this product release, see Knowledge Base article 14117. Find product documentation On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more. You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles, downloads, cases, and contact information. Product documentation Every Forcepoint product has a comprehensive set of documentation. • Forcepoint Next Generation Firewall Product Guide • Forcepoint Next Generation Firewall online Help Note: By default, the online Help is used from the Forcepoint help server. If you want to use the online Help from a local machine (for example, an intranet server or your own computer), see Knowledge Base article 10097. • Forcepoint Next Generation Firewall Installation Guide Other available documents include: • Forcepoint Next Generation Firewall Hardware Guide for your model • Forcepoint NGFW Security Management Center Appliance Hardware Guide • Forcepoint Next Generation Firewall Quick Start Guide • Forcepoint NGFW Security Management Center Appliance Quick Start Guide • Forcepoint NGFW SMC API Reference Guide • Stonesoft VPN Client User Guide for Windows or Mac • Stonesoft VPN Client Product Guide 10 © 2017 Forcepoint Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.