Release Notes
McAfee Enterprise Security Manager 9.6.1

Contents
About this release
New features
Known issues
Upgrade instructions
Find product documentation

About this release
This document contains important information about the current release. We recommend that you read the whole document.

New features

Hardware/Software support
• Hardware - Upgrade to ensure support for the next generation of hardware.
• Software - This release includes support for:
  • Microsoft Windows 10
  • Microsoft Windows 10, Windows Management Instrumentation (WMI) data source
  • Microsoft Windows Server 2016

Syslog collector
The syslog collector now parses host names that begin with numbers.

Known issues
• 10.0.x known issues - see McAfee KnowledgeBase article KB88184.
• 9.6.x known issues - see McAfee KnowledgeBase article KB86880.

Upgrade instructions
To prepare your system for the release, download the upgrade files for:
• McAfee Enterprise Security Manager (McAfee ESM)
• Nitro Intrusion Prevention System (Nitro IPS)
• McAfee Advanced Correlation Engine (ACE)
• McAfee Application Data Monitor (ADM)
• McAfee Database Event Monitor (DEM)
• McAfee Event Receiver
• McAfee Enterprise Log Manager (ELM)
Upgrade them in the order described. For information about installing the devices, see the McAfee Enterprise Security Manager Installation Guide.

Tasks
• Download the upgrade files: When the system is ready to upgrade, download the upgrade files to your local system.
• Upgrade the system: Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.

Preparing to upgrade
You must do several things before you can upgrade your ESM devices.
1 Make sure that the ESM database rebuild from a previous build (9.6.x or later) is complete, and that you can schedule the outage window for this upgrade.
2 Complete a database backup of the ESM.
Export or back up the following items to ensure ease of recovery if an upgrade renders a rule, event, or other content unusable:
• Alarms: In System Properties, click Alarms, highlight each alarm, then click Export and save the file.
• Watchlists: In System Properties, click Watchlists, highlight each watchlist, then click Export and save the file.
• Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.
  1 In the Rule Types pane, click a rule type.
  2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.
  3 Highlight the rules, click File | Export | Rules, then save them in XML format.
• Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.

Type of information: Device types supported
Details: The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with 9.6.x devices. To check the model of your device, issue the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.

Type of information: Save receiver settings
Details: Make sure all Receiver settings are saved before updating from versions 9.x to 9.6.x. If you don't save the settings, a problem occurs that can cause issues on the Receiver and other devices. Make sure all settings for every device are saved before updating to any version.

Type of information: Rebuild time
Details: Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the upgrade of the ESM database:
• Set the collection duration of events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.
• Turn off collection of events, flows, and logs until the rebuild finishes. Complete this step only if the number of events and flows sent to the ESM is low.
  On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.

Upgrade paths
You must upgrade prior versions to 9.4.2 or later before you can upgrade to the 9.6.x release.

Upgrade Receiver-HA devices
To upgrade Receiver-HA devices, you must first check the Receiver's high availability status. Make sure all device settings are saved before updating to any version.

Special upgrade scenarios
In special situations, you must take additional steps before or after upgrading.

Situation: Installing a new McAfee ESM model
Action: Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades. To get your permanent user name and password, email Licensing@McAfee.com with the following information:
• McAfee grant number
• Contact name
• Account name
• Contact email address
• Address

Situation: Obtaining offline rule updates
Action:
1 Go to Product Downloads, Free Security Trials, and Tools.
2 Click Download, enter your grant number, type the letters as displayed, then submit.
3 Select McAfee Enterprise Security Manager and click the All Versions tab.
4 Download the rules for your version of McAfee ESM.

Situation: Resolving device communication issues
Action: If you upgraded a McAfee device before upgrading McAfee ESM, or the ESM is in the middle of upgrading, this message might appear: "The device needs to be upgraded before the operation can be performed." Verify that McAfee ESM has the correct version.
1 On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.
2 Click Connection, then click Status.
3 Retry the operation that resulted in the message.

Situation: Upgrading a redundant ESM
Action: Upgrade the primary McAfee ESM first, then upgrade the redundant McAfee ESM.
1 On the primary McAfee ESM, select the ESM on the navigation tree and click the Properties icon.
2 Click Events, Flows & Logs and deselect Auto check interval.
3 After upgrading the redundant McAfee ESM, re-enable the collection of events, flows, and logs on the primary McAfee ESM.

Situation: McAfee ePO with Policy Auditor
Action: If the McAfee ePO device is already on the McAfee ESM, you must refresh it.
1 If you are not on an all-in-one device, upgrade the McAfee Event Receiver where the McAfee ePO device is connected.
2 On the McAfee ESM console, click ePO Properties | Device Management, then click Refresh. You can set up auto-retrieval on the Device Management tab.
3 Click Receiver Properties, then click the Vulnerability Assessment tab.
4 Click Write.
5 Repeat step 2 to get VA data on the McAfee ESM.
6 Log off the McAfee ESM console, then log back on.

Situation: Upgrading high availability (HA) Event Receivers
Action: Before you upgrade, set your preferred primary Event Receiver to No Preference, which allows you to use the Fail-Over option. Upgrade the secondary Event Receiver, click Fail-Over, then upgrade the new secondary Event Receiver. In this way, a primary Event Receiver collects data throughout the process, ensuring minimal data loss. After you upgrade both Event Receivers, reapply your preferred primary Event Receiver.

Situation: Rebuilding the ELM management database
Action: Indexing your ELM management database can require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete indexing. This background task has minimal impact on performance and, when complete, provides improved querying on your historical data. To check the status of the rebuild, go to ELM Properties | ELM Information. If the message "Database is rebuilding" appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM. If you have Event Receivers logging to the ELM and they are near maximum capacity, contact Support. Never turn off a device during a rebuild.

Situation: Upgrading a redundant ELM
Action: Upgrade the standby ELM first, then upgrade the active ELM. The upgrade process suspends ELM redundancy. After upgrading both ELMs, you must restart ELM redundancy.
1 Upgrade the standby ELM.
2 Upgrade the active ELM.
3 On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy | Return to Service.
4 Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.
5 If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK and the redundant ELM resync is 100% complete. You might need to click Refresh several times.

Download the upgrade files
When the system is ready to upgrade, download the upgrade files to your local system.
Task
1 Go to Product Downloads, Free Security Trials, and Tools.
2 Click Download, enter your grant number, type the letters as displayed, then submit.
3 Select McAfee Enterprise Security Manager and click the All Versions tab.
4 Download the release file to your local system, then upgrade your ESM and devices.

Upgrade the system
Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.
Before you begin
• Read the entire release notes before beginning the upgrade.
• Make sure that your system is running version 9.6 or later.
• If you recently upgraded to 9.6, verify that the database rebuild is complete.
When upgrading, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.
Task
1 Depending on your FIPS mode, upgrade all devices in the following order.
Mode: Non-FIPS
Order:
1 Upgrade standalone ESMs first, then any ESM combo devices you have.
2 Wait for the database to build.
3 Upgrade the ELM.
4 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.
This process differs from the process to upgrade a redundant ESM.
Mode: FIPS
Order:
1 Upgrade standalone ELMs.
2 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.
3 Upgrade ESM, Event Receiver, or ELM combo devices. You can begin when all device upgrades start.
Failure to upgrade the devices before upgrading McAfee ESM when in FIPS mode can affect ELM log collection.
2 Verify that you have communication with the devices.
3 Download the manual rules update to McAfee ESM.
4 Apply the updated rules.
  a On the system navigation tree, select the system, then click the Properties icon.
  b On the System Information page, click Rules Update, then click Manual Update.
  c Browse to the update file, click Upload, then click OK.
5 To rewrite device settings for each device, follow this process to apply all release settings.
  a On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.
  b Follow these steps for each device type.
  Device type: McAfee Event Receiver or ESM/Event Receiver combo
  Process:
  • For data sources: Click Data Sources | Write.
  • For VA sources: Click Vulnerability Assessment | Write.
  Device type: ACE
  Process:
  • For risk correlation: Click Risk Correlation Management | Write.
  • For historical correlation: Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.
  • For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.
  Device type: DEM or ADM
  Process:
  • For virtual devices (ADM): Click Virtual Devices | Write.
  • For database servers (DEM): Click Database Servers | Write.
6 Roll out the policy to all upgraded devices.
7 To take the selected device out of bypass mode, click Device Configuration | Interfaces.
8 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
Tasks
• Use ESM Help: Have questions about how to use ESM? Use the online Help as your context-sensitive information source, where you find conceptual information, reference materials, and step-by-step instructions on how to use ESM.
• Frequently asked questions: Here are answers to frequently asked questions.

Find localized information
We provide localized (translated) McAfee ESM release notes, Help, product guide, and installation guide for:
• Chinese, Simplified
• Chinese, Traditional
• English
• French
• German
• Japanese
• Korean
• Portuguese, Brazilian
• Spanish

Access localized online Help
Changing the language setting in ESM automatically changes the language used in the online Help.
1 Log on to ESM.
2 On the system navigation pane of the ESM console, select Options.
3 Select a language, then click OK.
4 Click the Help icon in the upper right corner of the ESM windows or select the Help menu. The Help displays in the language you selected. If the Help appears in English only, localized Help is not yet available. A future update installs localized Help.

Find localized product documentation on the Knowledge Center
1 Visit the Knowledge Center.
2 Search for localized product documentation using the following parameters:
  • Search terms: product guide, installation guide, or release notes
  • Product: McAfee Enterprise Security Manager
  • Version: Choose a release version
3 In the search results, click the relevant document title.
4 On the page with the PDF icon, scroll down until you see language links on the right side. Click the relevant language.
5 To open the localized version of the product document, click the PDF link.

Use ESM Help
Have questions about how to use ESM? Use the online Help as your context-sensitive information source, where you find conceptual information, reference materials, and step-by-step instructions on how to use ESM.
Task
1 To open ESM Help, do one of the following:
  • Select the menu option Help | Help Contents.
  • Click the question mark in the upper right of ESM screens to find context-sensitive Help specific to that screen.
2 From the Help window:
  • Use the Search field to find any word in the Help. Results appear below the Search field. Click the relevant link to display the Help topic in the pane on the right.
  • Use the Contents tab (table of contents) to view a sequential list of topics in the Help.
  • Use the Index to find a specific term in the Help. Keywords are organized alphabetically so you can scroll through the list until you find the keyword you want. Click the keyword to display that Help topic.
  • Print the current Help topic (without scroll bars) by clicking the printer icon in the upper right of the Help topic.
  • Find links to related Help topics by scrolling to the bottom of the Help topic.

Frequently asked questions
Here are answers to frequently asked questions.

Where can I find ESM information in other languages?
We localize the ESM release notes, Help, product guide, and installation guide. See Find localized information.

Where can I learn more about McAfee ESM?
• Use ESM Help
• Visit the Knowledge Center
• Visit the Expert Center
• Watch McAfee ESM videos

Which SIEM devices are supported?
Visit the McAfee ESM website.

How do I configure specific data sources?
Find current data source configuration guides on the Knowledge Center.

How do I learn about changes and additions to data sources, custom types, rules, and content packs?
• Log on to the Knowledge Center and subscribe to the KB75608 article. You will receive notifications when the article is changed.
• For information about content packs, read the KB article on the Knowledge Center.

© 2017 Intel Corporation. Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
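The syslog collector change listed under New features (host names that begin with numbers) is easy to get wrong in any parser that sits in front of a Receiver, for example a relay or pre-filter you run yourself; a host token such as 10web01 or an IP literal is then rejected or mis-attributed, and the events never reach correlation or asset mapping. The following Python script is an added example and is not McAfee code: it parses RFC 3164 headers, validates the HOSTNAME token as an RFC 1123 host name or IP literal (both may begin with a digit), and contrasts that with an assumed rule that only accepts host names beginning with a letter. That contrasting rule is an illustration, not a description of the collector's earlier behaviour, and the sample lines are constructed.

```python
"""Added example (not McAfee code): RFC 3164 syslog header parsing with
host names that begin with digits. Sample lines are constructed."""
import ipaddress
import re

# Constructed sample lines, not captured from any real device.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 10web01 sshd[4711]: Failed password for root from 198.51.100.7 port 22 ssh2",
    "<13>Oct 11 22:14:16 192.0.2.5 cron[512]: (root) CMD (run-parts /etc/cron.hourly)",
    "<86>Oct  3 09:01:02 db-primary su: pam_unix(su:session): session opened for user root",
    "not a syslog line",
]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG ; TIMESTAMP is "Mmm dd hh:mm:ss", day may be space-padded.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# RFC 1123 label: 1-63 chars of letters, digits and hyphen, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host):
    """Accept an RFC 1123 host name (labels may begin with a digit) or an IP literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def legacy_hostname_ok(host):
    """Assumed pre-fix rule, used only for contrast: the host must start with a letter.
    This is an illustration, not the collector's actual previous logic."""
    return host[:1].isalpha() and is_valid_hostname(host)


def parse_syslog(line, hostname_ok=is_valid_hostname):
    """Parse one RFC 3164 line into fields; return None if the header does not
    parse, PRI is out of range, or the HOSTNAME token fails the supplied rule."""
    m = _HEADER.match(line)
    if not m or not hostname_ok(m.group("host")):
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def parsed_hosts(lines, hostname_ok=is_valid_hostname):
    """Host names of the lines that parse under the given host rule; a rule that
    rejects digit-leading hosts silently drops those events."""
    hosts = []
    for line in lines:
        event = parse_syslog(line, hostname_ok)
        if event is not None:
            hosts.append(event["host"])
    return hosts


if __name__ == "__main__":
    print("letter-first rule keeps:", parsed_hosts(SAMPLE_LINES, legacy_hostname_ok))
    print("RFC 1123 rule keeps:    ", parsed_hosts(SAMPLE_LINES))
```

Run as a script, the letter-first rule keeps only db-primary, while the RFC 1123 rule keeps all three hosts. The useful check after an upgrade is the same idea at the Receiver: send a test event from a host whose name starts with a digit and confirm it appears under that host name rather than being dropped or filed under a partial token.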