Enterprise Security Manager 9.6.1 Release Notes

Release Notes
McAfee Enterprise Security Manager 9.6.1
Contents
• About this release
• New features
• Known issues
• Upgrade instructions
• Find product documentation
About this release
This document contains important information about the current release. We recommend that you
read the whole document.
New features
Hardware/Software support
• Hardware - Upgrade to ensure support for the next generation of hardware.
• Software - This release adds support for:
  • Microsoft Windows 10
  • Microsoft Windows 10, Windows Management Instrumentation (WMI) data source
  • Microsoft Windows Server 2016
syslog collector
The syslog collector now parses host names that begin with numbers.
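The note above says only that host names beginning with a number are now parsed; it does not say how the collector behaved before. The following added example (written for this page, not McAfee collector code) shows the usual cause of that class of problem in a constructed RFC 3164 parser: a HOSTNAME pattern written to the old RFC 952 rule (first character must be a letter) silently drops events from hosts such as 01-db-prod or 3com-sw1 and from sources that put an IPv4 literal in the HOSTNAME field, while a pattern written to RFC 1123 section 2.1 (leading digit allowed) keeps them. The sample log lines and host names are constructed for the example; that this is the exact defect fixed in 9.6.1 is an assumption.

```python
"""Constructed RFC 3164 parser showing why a leading-digit host name can be dropped.

Added example, not McAfee collector code. The defect modelled here (a host name
pattern that requires a leading letter) is an assumption about the class of bug,
not a statement about what the 9.6.0 collector did.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (no real hosts). Lines 2-4 carry host names that
# start with a digit, which RFC 1123 section 2.1 permits but RFC 952 did not.
SAMPLE_LINES: List[str] = [
    "<34>Jan 12 10:33:00 webserver01 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "<34>Jan 12 10:33:01 01-db-prod sshd[811]: Accepted publickey for dba from 198.51.100.4 port 40022 ssh2",
    "<13>Jan 12 10:33:02 3com-sw1 snmpd: authentication failure from 192.0.2.9",
    "<165>Jan 12 10:33:03 192.0.2.50 kernel: link down on eth1",
]

# <PRI> followed by the fixed-width "Mmm dd hh:mm:ss" timestamp, then a space.
_PRI_TS = r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}) "
# TAG, optional [PID], ": ", then the free-text message.
_TAG_MSG = r" (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"

# Strict: host name must begin with a letter (RFC 952 rule, still common in
# hand-written log parsers). This is the pattern that loses events.
_STRICT = re.compile(_PRI_TS + r"(?P<hostname>[A-Za-z][A-Za-z0-9.\-]*)" + _TAG_MSG)

# Relaxed: first character may be a letter or a digit (RFC 1123 section 2.1),
# which also accepts an IPv4 literal in the HOSTNAME field.
_RELAXED = re.compile(_PRI_TS + r"(?P<hostname>[A-Za-z0-9][A-Za-z0-9.\-]*)" + _TAG_MSG)


def parse_syslog(line: str, strict: bool = False) -> Optional[Dict[str, object]]:
    """Parse one RFC 3164 line into fields, or return None if it does not match.

    PRI encodes facility * 8 + severity; both are split out so a caller can
    confirm the relaxed parser keeps everything the strict one did.
    """
    match = (_STRICT if strict else _RELAXED).match(line)
    if match is None:
        return None
    pri = int(match.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI value
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": match.group("timestamp"),
        "hostname": match.group("hostname"),
        "tag": match.group("tag"),
        "pid": int(match.group("pid")) if match.group("pid") else None,
        "msg": match.group("msg"),
    }


def parse_batch(lines: List[str], strict: bool = False) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse a batch; return (parsed events, raw lines that were dropped).

    A non-empty dropped list is a visibility gap: the events were on the wire
    but never reach correlation or the ELM.
    """
    parsed: List[Dict[str, object]] = []
    dropped: List[str] = []
    for line in lines:
        event = parse_syslog(line, strict=strict)
        if event is None:
            dropped.append(line)
        else:
            parsed.append(event)
    return parsed, dropped


if __name__ == "__main__":
    for mode in (True, False):
        ok, lost = parse_batch(SAMPLE_LINES, strict=mode)
        label = "strict (RFC 952 host name)" if mode else "relaxed (RFC 1123 host name)"
        print(f"{label}: parsed {len(ok)}, dropped {len(lost)}")
        for line in lost:
            print("  dropped:", line)
```

The point a practitioner should take from the dropped list is that a rejected syslog line is a detection gap, not a visible parse error. After upgrading, confirm that data sources whose host names begin with a digit actually show events on the ESM rather than assuming the collector accepted them.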
Known issues
• 10.0.x known issues - see McAfee KnowledgeBase article KB88184.
• 9.6.x known issues - see McAfee KnowledgeBase article KB86880.
Upgrade instructions
To prepare your system for the release, download the upgrade files for:
• McAfee Enterprise Security Manager (McAfee ESM)
• Nitro Intrusion Prevention System (Nitro IPS)
• McAfee Advanced Correlation Engine (ACE)
• McAfee Application Data Monitor (ADM)
• McAfee Database Event Monitor (DEM)
• McAfee Event Receiver
• McAfee Enterprise Log Manager (ELM)
Upgrade them in the order described.
For information about installing the devices, see the McAfee Enterprise Security Manager Installation Guide.
Tasks
• Download the upgrade files
  When the system is ready to upgrade, download the upgrade files to your local system.
• Upgrade the system
  Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.
Preparing to upgrade
You must do several things before you can upgrade your ESM devices.
1 Make sure that the ESM database rebuild from the previous build (9.6.x or later) is complete, and that you can schedule the outage window for this upgrade.
2 Complete a database backup of the ESM. Export or back up the following items so that you can recover if the upgrade renders a rule, event, or other content unusable:
  Alarms: In System Properties, click Alarms, highlight each alarm, then click Export and save the file.
  Watchlists: In System Properties, click Watchlists, highlight each watchlist, then click Export and save the file.
  Custom rules: In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.
    1 In the Rule Types pane, click a rule type.
    2 In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.
    3 Highlight the rules, click File | Export | Rules, then save them in XML format.
  Policies: In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.
Type of information: Details

Device types supported
The ESM, ESM/Event Receiver, or ESM/Log Manager (ENMELM) only communicates with 9.6.x devices. To check the model of your device, run the cat /proc/cpuinfo command. The output includes the CPU number on the model name line.

Save receiver settings
Make sure all Receiver settings are saved before updating from versions 9.x to 9.6.x. If you don't save the settings, a problem occurs that can cause issues on the receiver and other devices. Make sure all settings for every device are saved before updating to any version.

Rebuild time
Table rebuild time varies for ESM, Event Receiver, and ENMELM. To speed up the upgrade of the ESM database, do one of the following:
• Set the collection interval for events, flows, and logs to a longer pull time, allowing more time for the rebuild. On the ESM console, click System Properties | Events, Flows & Logs, then set Auto check interval.
• Turn off collection of events, flows, and logs until the rebuild finishes. Do this only if the number of events and flows sent to the ESM is low. On the ESM console, click System Properties | Events, Flows & Logs, then deselect Auto check interval.

Upgrade paths
You must upgrade prior versions to 9.4.2 or later before you can upgrade to the 9.6.x release.

Upgrade Receiver-HA devices
To upgrade Receiver-HA devices, you must first check the Receiver's high availability status.

Make sure all device settings are saved before updating to any version.
Special upgrade scenarios
In special situations, you must take additional steps before or after upgrading.

Situation: Installing a new McAfee ESM model
Action: Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive upgrades.
To get your permanent user name and password, email Licensing@McAfee.com with the following information:
• McAfee grant number
• Contact name
• Account name
• Contact email address
• Address

Situation: Obtaining offline rule updates
Action:
1 Go to Product Downloads, Free Security Trials, and Tools.
2 Click Download, enter your grant number, type the letters as displayed, then submit.
3 Select McAfee Enterprise Security Manager and click the All Versions tab.
4 Download the rules for your version of McAfee ESM.

Situation: Resolving device communication issues
Action: If you upgraded a McAfee device before upgrading McAfee ESM, or the ESM is in the middle of upgrading, this message might appear: "The device needs to be upgraded before the operation can be performed." Verify that McAfee ESM has the correct version.
1 On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.
2 Click Connection, then click Status.
3 Retry the operation that resulted in the message.

Situation: Upgrading a redundant ESM
Action: Upgrade the primary McAfee ESM first, then upgrade the redundant McAfee ESM.
1 On the primary McAfee ESM, select the ESM on the navigation tree and click the Properties icon.
2 Click Events, Flows & Logs and deselect Auto check interval.
3 After upgrading the redundant McAfee ESM, re-enable the collection of events, flows, and logs on the primary McAfee ESM.

Situation: McAfee ePO with Policy Auditor
Action: If the McAfee ePO device is already on the McAfee ESM, you must refresh it.
1 If you are not on an all-in-one device, upgrade the McAfee Event Receiver where the McAfee ePO device is connected.
2 On the McAfee ESM console, click ePO Properties | Device Management, then click Refresh. You can set up auto-retrieval on the Device Management tab.
3 Click Receiver Properties, then click the Vulnerability Assessment tab.
4 Click Write.
5 Repeat step 2 to get VA data on the McAfee ESM.
6 Log off the McAfee ESM console, then log back on.

Situation: Upgrading high availability (HA) Event Receivers
Action: Before you upgrade, set your preferred primary Event Receiver to No Preference, which allows you to use the Fail-Over option.
Upgrade the secondary Event Receiver, click Fail-Over, then upgrade the new secondary Event Receiver. In this way, a primary Event Receiver collects data throughout the process, ensuring minimal data loss. After you upgrade both Event Receivers, reapply your preferred primary Event Receiver.

Situation: Rebuilding the ELM management database
Action: Indexing your ELM management database can require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete indexing. This background task has minimal impact on performance and, when complete, provides improved querying on your historical data.
To check the status of the rebuild, go to ELM Properties | ELM Information. If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.
If you have Event Receivers logging to the ELM and they are near maximum capacity, contact Support.
Never turn off a device during a rebuild.

Situation: Upgrading a redundant ELM
Action: Upgrade the standby ELM first, then upgrade the active ELM. The upgrade process suspends ELM redundancy; after upgrading both ELMs, you must restart it.
1 Upgrade the standby ELM.
2 Upgrade the active ELM.
3 On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy | Return to Service.
4 Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs should display an OK status.
5 If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK and the redundant ELM resync is 100% complete. You might need to click Refresh several times.
Download the upgrade files
When the system is ready to upgrade, download the upgrade files to your local system.
Task
1 Go to Product Downloads, Free Security Trials, and Tools.
2 Click Download, enter your grant number, type the letters as displayed, then submit.
3 Select McAfee Enterprise Security Manager and click the All Versions tab.
4 Download the release file to your local system, then upgrade your ESM and devices.
Upgrade the system
Upgrade the ESM and its devices in a specific order, based on your FIPS mode. After you upgrade, rewrite the device settings and roll out the policy.
Before you begin
• Read the entire release notes before beginning the upgrade.
• Make sure that your system is running version 9.6 or later.
• If you recently upgraded to 9.6, verify that the database rebuild is complete.
When upgrading, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.
Task
1 Depending on your FIPS mode, upgrade all devices in the following order.
  Non-FIPS mode:
    1 Upgrade standalone ESMs first, then any ESM combo devices you have.
    2 Wait for the database to build.
    3 Upgrade the ELM.
    4 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.
    This process differs from the process to upgrade a redundant ESM.
  FIPS mode:
    1 Upgrade standalone ELMs.
    2 Upgrade the McAfee Event Receiver, ACE, DEM, and ADM.
    3 Upgrade ESM, Event Receiver, or ELM combo devices. You can begin as soon as all the device upgrades have started.
    Failure to upgrade the devices before upgrading McAfee ESM when in FIPS mode can affect ELM log collection.
2 Verify that you have communication with the devices.
3 Download the manual rules update to McAfee ESM.
4 Apply the updated rules.
  a On the system navigation tree, select the system, then click the Properties icon.
  b On the System Information page, click Rules Update, then click Manual Update.
  c Browse to the update file, click Upload, then click OK.
5 Rewrite the device settings for each device, following this process to apply all release settings.
  a On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.
  b Follow these steps for each device type.
    McAfee Event Receiver or ESM/Event Receiver combo:
    • For data sources: Click Data Sources | Write.
    ACE:
    • For risk correlation: Click Risk Correlation Management | Write.
    • For VA sources: Click Vulnerability Assessment | Write.
    • For historical correlation: Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.
    • For rule correlation: Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.
    DEM or ADM:
    • For virtual devices (ADM): Click Virtual Devices | Write.
    • For database servers: Click Database Servers | Write.
6 Roll out the policy to all upgraded devices.
7 To take the selected device out of bypass mode, click Device Configuration | Interfaces.
8 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).
Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
Tasks
• Use ESM Help
  Have questions about how to use ESM? Use the online Help as your context-sensitive information source, where you find conceptual information, reference materials, and step-by-step instructions on how to use ESM.
• Frequently asked questions
  Here are answers to frequently asked questions.
Find localized information
We provide localized (translated) McAfee ESM release notes, Help, product guide, and installation guide for:
• Chinese, Simplified
• Chinese, Traditional
• English
• French
• German
• Japanese
• Korean
• Portuguese, Brazilian
• Spanish
Access localized online Help
Changing the language setting in ESM automatically changes the language used in the online Help.
1 Log on to ESM.
2 On the system navigation pane of the ESM console, select Options.
3 Select a language, then click OK.
4 Click the Help icon in the upper right corner of the ESM window or select the Help menu. The Help displays in the language you selected.
If the Help appears in English only, localized Help is not yet available. A future update installs localized Help.
Find localized product documentation on the Knowledge Center
1 Visit the Knowledge Center.
2 Search for localized product documentation using the following parameters:
  • Search terms — product guide, installation guide, or release notes
  • Product — McAfee Enterprise Security Manager
  • Version — Choose a release version
3 In the search results, click the relevant document title.
4 On the page with the PDF icon, scroll down until you see language links on the right side. Click the relevant language.
5 To open the localized version of the product document, click the PDF link.
Use ESM Help
Have questions about how to use ESM? Use the online Help as your context-sensitive information source, where you find conceptual information, reference materials, and step-by-step instructions on how to use ESM.
Task
1 To open ESM Help, do one of the following:
  • Select the menu option Help | Help Contents.
  • Click the question mark in the upper right of ESM screens to find context-sensitive Help specific to that screen.
2 From the Help window:
  • Use the Search field to find any word in the Help. Results appear below the Search field. Click the relevant link to display the Help topic in the pane on the right.
  • Use the Contents tab (table of contents) to view a sequential list of topics in the Help.
  • Use the Index to find a specific term in the Help. Keywords are organized alphabetically, so you can scroll through the list until you find the keyword you want. Click the keyword to display that Help topic.
  • Print the current Help topic (without scroll bars) by clicking the printer icon in the upper right of the Help topic.
  • Find links to related Help topics by scrolling to the bottom of the Help topic.
Frequently asked questions
Here are answers to frequently asked questions.
Where can I find ESM information in other languages?
We localize the ESM release notes, Help, product guide, and installation guide. See Find localized information.
Where can I learn more about McAfee ESM?
• Use ESM Help
• Visit the Knowledge Center
• Visit the Expert Center
• Watch McAfee ESM videos
Which SIEM devices are supported?
Visit the McAfee ESM website.
How do I configure specific data sources?
Find current data source configuration guides on the Knowledge Center.
How do I learn about changes and additions to data sources, custom types, rules, and content packs?
• Log on to the Knowledge Center and subscribe to the KB75608 article. You will receive notifications when the article is changed.
• For information about content packs, read the KB article on the Knowledge Center.
© 2017 Intel Corporation
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.