Forcepoint NGFW Security Management Center Appliance 6.3.0

NGFW Security Management Center Appliance Release Notes 6.3.0, Revision D
Forcepoint NGFW Security Management Center Appliance 6.3.0 | Release Notes
Contents
• About this release
• Build version
• System requirements on virtualization platforms
• Compatibility
• New features
• Enhancements
• Resolved issues
• Installation instructions
• Known issues
• Find product documentation
About this release
This document contains important information about this software release for the Forcepoint NGFW Security
Management Center Appliance (SMC Appliance).
We strongly recommend that you read the entire document.
The SMC Appliance ships with pre-installed Forcepoint NGFW Security Management Center (SMC) software.
The pre-installed SMC includes a Management Server and a Log Server. You can alternatively install the SMC
Appliance software on a virtualization platform.
Note: The SMC Appliance does not support high-availability for the Management Server or the
Log Server.
Build version
SMC 6.3.0 build version is 10417.
This release contains Dynamic Update package 988.
Product binary checksums
Use the checksums to make sure that the files downloaded correctly.
To install the SMC Appliance software on a virtualization platform, use the .iso installation file. To upgrade the
SMC Appliance, use the .sap file. For more information, see the Forcepoint Next Generation Firewall Installation
Guide.
• smca-6.3.0_10417.x86_64.iso
SHA1SUM: 085c092b087e4557b7ff2471b04667ed59e1c6e5
SHA256SUM: 50d0ae141e5d61f58fd0ca2dd3737cf0ae3153ed5b4ff9b6e029646b93033182
SHA512SUM: c0b273acd4f83d2a89698062e1ea4be2a969828094a872bac4490602ac141b35f33eef87ec18f7fcf82a70f4b352be1f325319ca82f94e6c517427e01f37f6fd
• 6.3.0U001.sap
SHA1SUM: a2d77d2700d7eb9f16eab53c6d02acbf7b09412a
SHA256SUM: e6ed10da7dd74e6171a5bf2953a567689b1797a5bce4727f80607910c9b6c9aa
SHA512SUM: 9ea9ac5a1ed2c3f8a4fd7e67b073515fe043c44cb0d3908e292c31f512b4bbd89722fbbfd184fa1baa2d8bba9ab460abc833a742bf6481c47ad068497dd2ac29
System requirements on virtualization platforms
We strongly recommend using a pre-installed SMC Appliance as the hardware solution. You can alternatively
install the SMC Appliance software on a virtualization platform.
The following requirements apply:
• VMware ESXi version 6.0 or higher as the hypervisor
• 120 GB virtual disk minimum
• 8 GB RAM minimum
• At least one network interface
Note: The .iso installation file that is used to install the SMC Appliance software on a virtualization
platform is available only for major versions of the SMC Appliance. To install the maintenance
version, first install the .iso for the major version, then upgrade to the maintenance version.
Compatibility
SMC 6.3 is compatible with the following component versions.
Note: Some versions of Forcepoint NGFW might have reached end-of-life status. We recommend
that you use a Long-Term Support version that is still supported. For more information about the
Forcepoint NGFW lifecycle policy, see Knowledge Base article 10192.
SMC 6.3 can manage all compatible Forcepoint NGFW engine versions up to and including version 6.3.
• Forcepoint™ Next Generation Firewall (Forcepoint NGFW) 6.2 and 6.3
• Stonesoft® Next Generation Firewall by Forcepoint (Stonesoft NGFW) 6.0 and 6.1
• McAfee® Next Generation Firewall (McAfee NGFW) 5.7, 5.8, 5.9, and 5.10
• Stonesoft Firewall/VPN Express 5.5
• McAfee® ePolicy Orchestrator® (McAfee ePO™) 5.0.1 and 5.1.1
• McAfee® Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only)
New features
This release of the product includes these new features. For more information and configuration instructions, see
the Forcepoint Next Generation Firewall Product Guide and the Forcepoint Next Generation Firewall Installation
Guide.
Support for Forcepoint Endpoint Context Agent
Support for Forcepoint Endpoint Context Agent (ECA) allows you to use endpoint information in the Forcepoint
NGFW policy to control access, identify users, and log their actions. ECA is a Windows client application that
provides endpoint information to the NGFW Engine. ECA is a replacement for McAfee Endpoint Intelligence
Agent (McAfee EIA).
CAUTION: If McAfee Endpoint Intelligence Agent (McAfee EIA) is configured on the NGFW
Engine when you upgrade to version 6.3 or later, the NGFW Engine node is returned to the
initial configuration state and stops processing traffic. You must remove the McAfee Endpoint
Intelligence Agent (McAfee EIA) configuration and refresh the policy before you upgrade to
version 6.3 or later. For more information, see Knowledge Base article 14093.
Multi-Layer Deployment for NGFW Engines in the Firewall/VPN role
Multi-layer deployment is now supported for NGFW Engines in the Firewall/VPN role. In multi-layer deployment,
NGFW Engines in the Firewall/VPN role have both layer 2 physical interfaces and layer 3 physical interfaces. The
same NGFW Engine can now provide the features of the Firewall/VPN role, as well as the inspection features of
the IPS and Layer 2 Firewall roles.
Route-based VPN improvements
The user interface for configuring a route-based VPN has been improved. Instead of configuring a single Route-Based VPN element, you can create individual Route-Based VPN Tunnel elements. The route-based VPN
tunnels can be used in Administrative Domains other than the Shared Domain.
Improvements in Forcepoint Advanced Malware Detection
In addition to the cloud sandbox, Forcepoint Advanced Malware Detection now also supports on-premises local
sandboxes. Other improvements include the following:
• The NGFW Engine can now delay file transfers until the results of the sandbox scan are received.
• The NGFW Engine now separately requests a file reputation for each file in .zip archives.
• The reporting tools in the external portal have been improved, and it is easier to access reports in the external
portal from the Management Client.
NGFW on Azure and Hyper-V
You can now deploy NGFW Engines in the Microsoft Azure cloud to provide VPN connectivity, access control,
and inspection for services in the Microsoft Azure cloud. The Microsoft Hyper-V virtualization platform on
Windows 2012 and 2016 servers is now also supported for NGFW deployment on a virtualization platform in a
private cloud. Only NGFW Engines in the Firewall/VPN role are supported in the Microsoft Azure cloud and on
the Microsoft Hyper-V virtualization platform.
Support for Forcepoint User ID Service
Forcepoint User ID Service collects information about users, groups, and IP addresses from Windows Active
Directory (AD) servers and AD domains. You can use the information from the Forcepoint User ID Service in the
Forcepoint NGFW policy to identify users and control access.
Support for HTTPS in Sidewinder HTTP Proxy
The Sidewinder HTTP Proxy can now provide decryption, inspection, protocol validation, certificate validation,
and certificate revocation checking for the HTTPS protocol.
Enhancements
This release of the product includes these enhancements.
Enhancements in SMC version 6.3.0

New commands for SMC Appliance: The following new subcommands of the smca-system command have been added:
• smca-system serial-number — Shows the hardware serial number for the SMC Appliance.
• smca-system fingerprint — Shows the fingerprint for the CA used by the Management Client.

Second interface on the SMC Appliance: You can now configure a second interface on the SMC Appliance when you install the appliance.

Support for serial console connections on the SMC Appliance: You can now connect to the SMC Appliance using a serial console connection, or make outbound serial console connections from the SMC Appliance to other devices, such as Forcepoint NGFW appliances.
Rate limit per Virtual NGFW Engine for traffic from the Master NGFW Engine: You can now set a rate limit per Virtual NGFW Engine for traffic from the Master NGFW Engine to the Virtual NGFW Engine. When the limit is set, a single Virtual NGFW Engine that is under very heavy load cannot disrupt the operation of the other Virtual NGFW Engines that are hosted by the Master NGFW Engine.

Dedicated control plane operation: You can now dedicate a specified number of CPUs to control plane operations. Even under very heavy loads, you can continue to manage NGFW Engines and refresh policies, and the status of the NGFW Engines remains green in the Home view.

Changes related to certificates: The NGFW Engine can now validate certificates and check the certificate revocation status for features that have certificate validation and certificate revocation checks enabled, such as features that use a TLS Profile in the configuration. Except for VPN certificates, most elements related to certificates are now found in the Administration > Certificates branch of the Configuration view. There is no longer a separate Pending Certificate Request element. Certificate requests are now created as TLS Credentials elements. The state of the TLS Credentials element indicates whether it is a signed certificate or a certificate request.

Limit for half-open TCP connections: As part of the SYN flood protection feature, you can now set a limit for the number of half-open TCP connections. When the limit is reached, SYN flood protection is enabled.

Improvements to SSM architecture: Improvements to SSM integration remove some previous limitations on inspection when Sidewinder Proxies are used. These former limitations include matching traffic based on Network Applications, file filtering, and URL filtering. New Combined Protocol elements allow you to apply a standard Protocol element and a Sidewinder Proxy Protocol element to the same traffic.

New commands for managing NGFW Engines and NGFW appliances: It is now possible to power off an NGFW Engine remotely through the Management Client. In addition, you can now also reset an NGFW appliance to factory settings through the Management Client. To increase security, you can set how many times you want the stored data on the file system of the NGFW appliance to be overwritten.

Task for validating policies: There is a new task for validating policies. The Validate Policy task allows you to validate the policy installed on NGFW Engines or Master NGFW Engines or the Alert Policy installed in an administrative Domain. You can run the Validate Policy task either manually or according to a schedule.

Updated product names: The NGFW product names have been updated. Stonesoft Management Center is now called Forcepoint NGFW Security Management Center (SMC), and Stonesoft Next Generation Firewall (Stonesoft NGFW) is now called Forcepoint Next Generation Firewall (Forcepoint NGFW). The new product names are used in the SMC installer, the SMC installation directory, in the Management Client, and in the list of services in the Windows Control Panel.

Improvements in change approval process: It is now possible to give individual administrators permission to approve changes. Previously, only administrators with unrestricted permissions (superusers) could approve changes. You can also specify whether administrators are allowed to approve their own changes.
Home page improvements in the Management Client: You can now easily customize the home page for components in the Home view. You can use drag-and-drop to re-organize the panes and select new panes from a predefined selection of panes to replace existing panes on the home page. You can now include statistics in home pages. The Management Server and the Log Server now have their own home page in the Home view.
Resolved issues
These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the
Release Notes for the specific release.
SMC-1873: If you drag and drop the dynamic IP address of a physical interface to another interface, then change the IP address to a static IP address on the original interface without saving the configuration, the interface configuration becomes unusable. If the IP address on the original endpoint was used as a VPN endpoint, you can no longer open the VPN Endpoints view in the Engine Editor or any VPN where a gateway with the VPN endpoint in question is used.

SMC-2005: An administrator that has the Administrative Rights option Manage Alerts in the Administrator Role is not able to install an Alert Policy for a domain.

SMC-3782: The SSH key fingerprints for the Sidewinder SSH Proxy are shown in a different format than SSH clients typically display them, which can make it difficult to verify the fingerprint.

SMC-4846: Only one hyphen can be used in the FQDN contact address for a dynamic interface.

SMC-4908: If a policy is installed on multiple NGFW Engines, even if one of the NGFW Engines reports a failure, the policy installation is reported to have completed successfully.

SMC-4980: The "$$ Local Cluster" alias does not cover dynamic IP addresses for Single Firewalls.

SMC-5044: System elements can show in the search results when you search for unused elements. System elements cannot be deleted.

SMC-5053: Even though you can configure status monitoring and log reception for other types of servers, such as Active Directory Servers, you can only add Host and Router elements to the Monitoring tab in the Log Server Properties dialog box.

SMC-5189: It is not possible to use the Enforce TCP MSS option in the action options for an IPv6 Access rule.

SMC-5930: In the initial configuration file for the engine, special characters, such as @, are saved as encoded values. The engine does not interpret the encoding. As a result, PPP settings might not work correctly when you use a saved initial configuration file when you make initial contact with the Management Server.

SMC-6120: When setting the Distinguished Name of a Phase-1 ID for a VPN endpoint, you cannot use special characters, such as @.

SMC-6452: The maximum length for the name in a Domain Name element is 63 characters.

SMC-6539: The Default NAT option for element-based NAT includes all default routes. When there is a default route through both a NetLink and a router, the routing configuration is not generated correctly. Policy installation fails and the following message is shown: "The addresses specified for the Multi-Link Balancing CVI-X, CVI-Y are not included in its netlinks."
SMC-7275: When anti-malware is configured to use an HTTP proxy, the Access rule that allows retrieving anti-malware database updates is not automatically generated.

SMC-7440: If an Access rule references a Zone element and a Group that includes an IP Address list element, the matching does not work correctly.

SMC-7469: Syslog data is not forwarded if the target host has only an IPv6 address defined.

SMC-8382: When you add an IP address to an interface, antispoofing entries that have been manually added are removed from the interface.
Installation instructions
Use these high-level steps to install the SMC Appliance.
For detailed information about installing the SMC Appliance and the NGFW Engines, see the Forcepoint Next
Generation Firewall Installation Guide. All guides are available for download at https://support.forcepoint.com.
Steps
1) Turn on the SMC Appliance.
2) Select the keyboard layout for accessing the SMC Appliance on the command line.
3) Accept the EULA.
4) Enter the account name and password.
   For credential requirements, see the Forcepoint Next Generation Firewall Installation Guide.
5) Make your security selections.
6) Complete the network interface and network setup fields.
7) Enter a host name for the Management Server.
8) Select the time zone.
9) (Optional) Configure NTP settings.
10) After the SMC Appliance has restarted, install the Management Client.
   You can use Java Web Start or install the Management Client from a file to allow remote access to the SMC. Java Web Start is enabled by default on the Management Server that is pre-installed on the SMC Appliance.
11) Import the licenses for all components.
   You can generate licenses at https://stonesoftlicenses.forcepoint.com.
12) Create the NGFW Engine elements, then install and configure the NGFW Engines.
Upgrade the SMC Appliance
Upgrade the SMC Appliance from a previous version to version 6.3.0.
CAUTION: Before upgrading the SMC Appliance from version 6.2.0, install the 6.2.0P001 patch.
For more information, see Knowledge Base article 14168.
Note: The SMC Appliance must be upgraded before the engines are upgraded to the same major
version.
SMC 6.3 requires an updated license.
• If the automatic license update function is in use, the license is updated automatically.
• If the automatic license update function is not in use, request a license upgrade on our website at
https://stonesoftlicenses.forcepoint.com. Activate the new license using the Management Client before
upgrading the software.
Steps
1) Log on to the SMC Appliance.
2) Enter sudo ambr-query, then press Enter to check for available patches.
3) Enter sudo ambr-load <patch>, then press Enter to load the patch on the SMC Appliance.
   To load the patch that upgrades the SMC Appliance to version 6.3.0, enter sudo ambr-load 6.3.0U001, then press Enter.
   Note: If you downloaded the patch and transferred it to the SMC Appliance, append the load command with the -f option and specify the full path to the patch file. For example, sudo ambr-load -f /var/tmp/6.3.0U001.sap.
4) Enter sudo ambr-install <patch>, then press Enter to install the patch on the SMC Appliance.
   To install the 6.3.0U001 SAP, enter sudo ambr-install 6.3.0U001, then press Enter.
   The installation process prompts you to continue.
5) Enter Y.
Result
The installation process restarts the appliance and installs the patch. When the upgrade is finished, the appliance restarts. The appliance is now running SMC Appliance 6.3.0.
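When the patch file is transferred manually and loaded with the -f option in step 3, the file should first be checked against the SHA256SUM published in the Product binary checksums section. The following script is an added example, not part of the Forcepoint SMC Appliance tooling; it assumes the /var/tmp/6.3.0U001.sap path from the note in step 3 and a standard sha256sum or shasum binary on the host.

```shell
#!/bin/sh
# Added example, not part of the Forcepoint SMC Appliance tooling.
# Verifies a manually transferred patch file against its published SHA-256
# before handing it to "sudo ambr-load -f <path>" (upgrade step 3).
# The expected digest is the SHA256SUM listed for 6.3.0U001.sap in the
# "Product binary checksums" section of these release notes.
SAP_EXPECTED_SHA256="e6ed10da7dd74e6171a5bf2953a567689b1797a5bce4727f80607910c9b6c9aa"

# sha256_of FILE: print the hex digest using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sap FILE EXPECTED: return 0 when the digest matches, 1 otherwise.
# A mismatch (truncated transfer, wrong build, tampered file) must stop the
# upgrade before anything is loaded onto the appliance.
verify_sap() {
    sap_file="$1"
    sap_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$sap_file" ]; then
        echo "verify_sap: no such file: $sap_file" >&2
        return 1
    fi
    sap_actual=$(sha256_of "$sap_file")
    if [ "$sap_actual" = "$sap_expected" ]; then
        echo "OK: $sap_file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $sap_file" >&2
    echo "  expected $sap_expected" >&2
    echo "  actual   $sap_actual" >&2
    return 1
}

# load_verified_sap FILE: step 3 with the -f option, gated on verification.
load_verified_sap() {
    verify_sap "$1" "$SAP_EXPECTED_SHA256" || return 1
    sudo ambr-load -f "$1"
}

# Usage (path assumed from the note in step 3):
#   sh verify-sap.sh /var/tmp/6.3.0U001.sap
if [ $# -gt 0 ]; then
    load_verified_sap "$1"
fi
```

Run it on the appliance with the transferred file as the only argument; ambr-load is invoked only when the digest matches, so a failed check leaves the appliance untouched.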
Installing SMC Appliance patches
We recommend checking the availability of SMC Appliance patches regularly, and installing the patches when
they become available.
The SMC Appliance patches can include improvements and enhancements to the SMC software, the operating
system, or the SMC Appliance hardware.
For detailed information about installing SMC Appliance patches, see the Forcepoint Next Generation Firewall
Installation Guide. All guides are available for download at https://support.forcepoint.com.
Known issues
For a list of known issues in this product release, see Knowledge Base article 14117.
Find product documentation
On the Forcepoint support website, you can find information about a released product, including product
documentation, technical articles, and more.
You can get additional information and support for your product on the Forcepoint support website at
https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles,
downloads, cases, and contact information.
Product documentation
Every Forcepoint product has a comprehensive set of documentation.
• Forcepoint Next Generation Firewall Product Guide
• Forcepoint Next Generation Firewall online Help
Note: By default, the online Help is used from the Forcepoint help server. If you want to use
the online Help from a local machine (for example, an intranet server or your own computer),
see Knowledge Base article 10097.
• Forcepoint Next Generation Firewall Installation Guide
Other available documents include:
• Forcepoint Next Generation Firewall Hardware Guide for your model
• Forcepoint NGFW Security Management Center Appliance Hardware Guide
• Forcepoint Next Generation Firewall Quick Start Guide
• Forcepoint NGFW Security Management Center Appliance Quick Start Guide
• Forcepoint NGFW SMC API Reference Guide
• Stonesoft VPN Client User Guide for Windows or Mac
• Stonesoft VPN Client Product Guide
© 2017 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
Raytheon is a registered trademark of Raytheon Company.
All other trademarks used in this document are the property of their respective owners.