Network Security Platform 8.2.7.5-8.2.3.7 M

8.2.7.5-8.2.3.7 Manager-M-series Release Notes
Network Security Platform 8.2
Revision B
Contents
About this release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Product documentation
About this release
This document contains important information about the current release. We strongly recommend that
you read the entire document.
Network Security Platform follows a new release process starting with the 8.2 release. The changes in
the release process are based on customer requirements, and best practices followed by other McAfee
teams. For details, read KB78795.
This maintenance release of Network Security Platform provides a few features and enhancements for
the Manager and M-series Sensor software.
• Network Security Manager software version: 8.2.7.5
• Signature Set: 8.7.44.13
• M-series Sensor software version: 8.2.3.7
This version of 8.2 Manager software can be used to configure and manage the following hardware:
• 7.1, 7.5, 8.1 and 8.2 M-series and Mxx30-series Sensors
• 8.1 and 8.2 Virtual IPS Sensors
• 7.1, 8.1 and 8.2 NS-series (NS9100, NS9200, NS9300) Sensors
• 7.1, 7.5, 8.1 and 8.2 XC Cluster Appliances
• 7.1, 7.5, 8.1 and 8.2 NTBA Appliance software (Physical and Virtual)
• 7.1 I-series Sensors
Currently port 4167 is used as the UDP source port number for the SNMP command channel
communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound
connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the
same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version
1.7.0_67, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to
bind for IPv6.
Manager 8.2 uses JRE version 1.7.0_67. If you have IPv6 Sensors behind a firewall, you need to
update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to
function between those IPv6 Sensors and the Manager.
With release 8.1 onwards, Network Security Platform no longer supports the Network Access Control
module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only)
Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the
Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you
should not upgrade the Manager or the Sensors to 8.1 for such cases.
Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager
Appliances. McAfee recommends that you use Intel-based Manager Appliances instead.
New features
This release of Network Security Platform includes the following new features.
Advanced botnet detection for DNS traffic
In this release, Network Security Platform can analyze DNS traffic to detect advanced botnets such as
Fast Flux Service Network (FFSN) and Domain Generation Algorithms (DGA) with better accuracy and
confidence. From this release, the Sensor additionally analyzes DNS traffic to detect blacklisted
domains in the callback detectors. This release additionally supports a user-defined list of whitelisted
domains, also referred to as domain name exceptions.
• Inspecting DNS traffic for whitelisted and blacklisted domains: In earlier releases, the
Sensor inspected the TCP 3-way handshake and the subsequent HTTP packets to detect blacklisted
domains, IP addresses, and URLs defined in the callback detectors. So, if the bot used a different
L7 protocol, it might avoid detection.
In this release, the Sensor inspects the DNS response packets to check for any whitelisted and
blacklisted domains. Blocking blacklisted domains in the DNS traffic can preempt a bot from
reaching its C&C domain. Also, this strategy is not limited by the L7 protocol used by the bot.
• Sinkholing botnet traffic: An additional feature in this release is sinkholing of traffic related to
a blacklisted domain. When the Sensor detects a blacklisted domain in the DNS response, the
Sensor drops this DNS packet. The Sensor then forwards a crafted DNS response, which carries
a loopback IP address for the blacklisted domain, and the configured TTL for this record. You
can also configure an IPv4 address instead of the loopback IP address. This forces the bot to
send the callback traffic to the sinkhole. You can use this feature to avoid callback traffic in your
production network. By using proper tools, you can also capture the callback traffic for further
offline analysis.
  • To configure DNS sinkholing and whitelist processing, select Policy | <Admin Domain> | Intrusion
  Prevention | Inspection Option Policies | <Policy> | Inspection Options | Advanced Botnet Detection.
  • To configure the IPv4 address and TTL for sinkholing blacklist traffic, select Devices | <Admin
  Domain> | Devices | <Device Name> | Setup | Advanced | Protocol Settings.
• Domain Name Exceptions: You can import a list of domains to be whitelisted into the
Manager. The Sensor inspects the DNS responses first for the whitelisted domains. By
whitelisting your organization's public and internal domains, you can preserve the Sensor's
resources by not analyzing the known DNS traffic for FFSN or DGA.
When the Sensor detects a whitelisted domain name in the DNS traffic, it exempts that DNS
traffic from any further DNS-based botnet detection. However, the Sensor might inspect the
subsequent L7 traffic to the whitelisted domain for IPS.
McAfee recommends that you add internal domains to the whitelist to reduce impact on the
Sensor.
To import the whitelist domains, select Policy | <Root Admin Domain> | Intrusion Prevention | Exceptions |
Domain Name Exceptions in the root admin domain.
The show botnet-usage debug mode command now displays information related to DNS-based
whitelist/blacklist detection.
• FFSN detection: Generally, an FFSN consists of hundreds of compromised hosts commanded and
controlled by a server (C&C server). The compromised hosts are referred to as flux agents. The
main objective of an FFSN is to ensure high availability of the malicious content on the C&C server
as well as to prevent the C&C server from being identified and subsequently blocked. To achieve
this objective, the FFSN domain resolves to the IP addresses of the flux agents. Therefore, the IP
addresses for the FFSN domain are in flux.
By inspecting DNS responses, the Sensor first identifies the suspected domains. Then, the Sensor
gathers data from the DNS traffic related to these domains. The Sensor does a complex heuristic
analysis of the collected data to accurately identify FFSN domains. The Sensor also identifies other
endpoints communicating with the FFSN domains.
To configure FFSN detection, select Policy | <Admin Domain> | Intrusion Prevention | Inspection Option Policies |
<Policy> | Inspection Options | Advanced Botnet Detection.
• DGA detection: For a botnet to be active, the bots must be able to communicate with the C&C
server. Some hackers use the DGA technique to keep the C&C infrastructure concealed but available to
the bots. Bots use the DGA technique to generate a very high number of such domain names over
a short period of time. The attacker registers one of the random domain names generated by the
DGA technique. So, the bot is now able to access the C&C server. Attackers register DGA domains
for short periods. This makes it difficult for security applications and reputation systems to blacklist
the domain.
By doing a heuristic analysis of the DNS responses, the Sensor exposes the C&C infrastructure of
the DGA-based botnet and also identifies other endpoints communicating with the C&C domain.
The Sensor also monitors any endpoint talking to the C&C server and reports back these activities
as well.
To configure DGA detection, select Policy | <Admin Domain> | Intrusion Prevention | Inspection Option Policies |
<Policy> | Inspection Options | Advanced Botnet Detection.
The following CLI commands are supported for this feature:
• show botnet-alertstats — Displays the count of all the botnet-related alerts raised by the
Sensor. This command shows the count for the new botnet alerts in this release as well as the
botnet alerts from the earlier releases.
• dumpdgastats — [Debug mode] Dumps DGA-related data to a Sensor log. Use this command to
provide diagnostic data to McAfee Technical Support.
For more information, see Network Security Platform IPS Administration Guide.
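As an added illustration of the DNS-side processing described under Sinkholing botnet traffic and Domain Name Exceptions above (example code written for these notes, not Sensor code), the Python below parses a DNS response, checks the whitelist before the blacklist in the documented order, and, for a blacklisted name, crafts the replacement response that carries the sinkhole address and the configured TTL. The whitelist and blacklist entries, the domain names and addresses, and all function names are constructed for the example.

```python
import struct
import ipaddress

# Constructed lists standing in for the callback-detector blacklist and the imported
# Domain Name Exceptions (whitelist). Both are assumptions for this example.
WHITELIST = {"corp.example"}
BLACKLIST = {"evil-bot.example"}


def encode_name(name):
    """Encode a dotted domain name in DNS label format."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_response(txid, qname, ipv4_answers, ttl):
    """Build a minimal standard DNS response with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ipv4_answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ipv4_answers:
        # 0xC00C points back at the question name, which always starts at offset 12
        answers += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                    + ipaddress.IPv4Address(ip).packed)
    return header + question + answers


def parse_response(data):
    """Return (txid, queried name, [(owner, ttl, ipv4), ...]) for the A records."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    offset += 4                                   # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, ttl, str(ipaddress.IPv4Address(rdata))))
    return txid, qname, records


def matches(domain, names):
    """True if domain equals, or is a subdomain of, any entry in names."""
    d = domain.lower().rstrip(".")
    return any(d == n or d.endswith("." + n) for n in names)


def inspect_dns_response(data, sinkhole_ip="127.0.0.1", ttl=60):
    """Apply the order the notes describe: whitelist first, then blacklist.
    Returns (verdict, packet to forward)."""
    txid, qname, _records = parse_response(data)
    if matches(qname, WHITELIST):
        # Exempt from further DNS-based botnet detection (FFSN/DGA heuristics)
        return "whitelisted", data
    if matches(qname, BLACKLIST):
        # Drop the real answer; forward a crafted response pointing at the sinkhole
        return "sinkholed", build_response(txid, qname, [sinkhole_ip], ttl)
    return "analyze", data


if __name__ == "__main__":
    # Constructed sample: a resolver answering a bot's lookup of a blacklisted domain
    original = build_response(0x1234, "evil-bot.example", ["203.0.113.5"], 300)
    verdict, forwarded = inspect_dns_response(original, sinkhole_ip="10.0.0.1", ttl=60)
    print(verdict, parse_response(forwarded))
```

The sample packet is produced by the same encoder the block uses to craft the sinkhole reply, so it runs offline; on the Sensor the equivalent rewrite happens inline on the wire. The `sinkhole_ip` and `ttl` parameters correspond to the IPv4 address and TTL configured under Protocol Settings, and a whitelisted name is returned unchanged before any blacklist lookup, matching the note that such traffic is exempted from further DNS-based botnet detection.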
New capabilities in Advanced Malware Policies
In release 8.2, Network Security Platform provides the following enhancements to the Advanced
Malware Policies:
• Malware detection in Flash files — The Sensor has an in-built Flash engine to inspect Flash
(.swf, .cwf, .zwf) files for potential malware. The Sensor supports detection of malicious Flash files
using heuristic analysis and without signatures. The Sensor detects various Flash exploitation
techniques such as Vector spraying, presence of shell code, and similar exploitation techniques. The
Sensor also scans and detects malicious Flash files embedded within PDF files. You can also opt to
use the Gateway Anti-Malware Engine to scan the malicious Flash files.
• Enhanced malware detection for PDF files — The PDF emulation engine running on the Sensor
has been further enhanced to extract and inspect PDF objects that are encrypted, PDF files in XDP
format, and malicious PDF files embedded within other PDF files. This release also improves the
performance of extraction and inspection of PDF files.
XDP file inspection is not supported for FTP.
• Enhanced malware detection in unknown APK files using McAfee Cloud — The Sensor
computes the APK file's SHA-256 hash and makes the initial request to McAfee Cloud. If the file is
known and reported as clean by McAfee Cloud, the Sensor allows the file to enter the network. For
known malicious APKs, the Sensor raises a malware detected alert. If the file is an unknown
APK, the Sensor sends the file to the Manager and raises a file-submitted alert. The Manager then
uploads the unknown APK file to McAfee Cloud for scanning.
• Malware detection of FTP traffic — In earlier releases, the Sensor extracted files from the HTTP
and SMTP traffic for malware inspection. In release 8.2, the Sensor can extract files from FTP as
well.
Flash file inspection is not supported for FTP.
• Malware detection of files downloaded using HTTP range request — In release 8.2, the
Sensor can extract, scan, and analyze files that were downloaded in multiple segments using
HTTP range requests.
• Malware downselectors in the Sensor — Earlier, all the files extracted by Network Security
Platform were sent to Advanced Threat Defense for dynamic analysis. Dynamic analysis is
time-consuming, so it must be employed selectively to keep the user experience acceptable. In
release 8.2, Network Security Platform submits files to Advanced Threat Defense
for dynamic analysis only if the other enabled engines report back a malware confidence
lower than medium. In earlier releases, Network Security Platform submitted files for analysis to all
enabled engines in tandem. With this release, Network Security Platform performs malware
analysis on files in the following sequence:
  • M-series and Virtual IPS: Blacklist and Whitelist | TIE/GTI File Reputation/McAfee Cloud (for apk files) | PDF/
  Flash Analysis | PDF non-malicious indicators | Trusted certificate check for executables | Advanced Threat Defense or
  NTBA (if Advanced Threat Defense is disabled)
  • NS-series: Blacklist and Whitelist | TIE/GTI File Reputation/McAfee Cloud (for apk files) | PDF/Flash Analysis | PDF
  non-malicious indicators | Trusted certificate check for executables | Advanced Gateway Anti-Malware | Advanced Threat
  Defense
As mentioned above, if any of the engines return a confidence level lower than medium, the files
are submitted to Advanced Threat Defense for dynamic analysis.
You can view these options under Policy | <Admin Domain Name> | Intrusion Prevention | Advanced Malware |
Advanced Malware Policies.
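To make the downselection rule concrete, the following is an added Python sketch (written for these notes, not Network Security Platform code) of the ordered static chain followed by the "submit for dynamic analysis only when every reporting engine stayed below medium" decision. The five-level confidence scale, the hash tables standing in for the blacklist/whitelist and file reputation lookups, the file-type classification and the toy PDF heuristics are all assumptions for the example; the trusted-certificate check and the Gateway Anti-Malware engine from the documented chain are omitted.

```python
import hashlib
from enum import IntEnum


class Confidence(IntEnum):
    """Malware confidence scale assumed for this example; the notes only name 'medium'."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# Constructed lookup tables standing in for the Manager's blacklist/whitelist and the
# TIE/GTI/McAfee Cloud file reputation service, keyed by SHA-256 hex digests.
HASH_BLACKLIST = {hashlib.sha256(b"MZ\x90\x00known-bad-sample").hexdigest()}
HASH_WHITELIST = {hashlib.sha256(b"MZ\x90\x00signed-corporate-tool").hexdigest()}
REPUTATION = {hashlib.sha256(b"PK\x03\x04known-bad.apk").hexdigest(): Confidence.VERY_HIGH}


def file_kind(data):
    """Classify by leading bytes: PDF, Flash (FWS/CWS/ZWS), APK (ZIP), PE executable, other."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "flash"
    if data.startswith(b"PK\x03\x04"):
        return "apk"
    if data.startswith(b"MZ"):
        return "exe"
    return "other"


def reputation_engine(data, kind):
    """File reputation lookup by hash; None when the hash is unknown."""
    return REPUTATION.get(hashlib.sha256(data).hexdigest())


def pdf_flash_engine(data, kind):
    """Toy static heuristic standing in for the PDF/Flash emulators: active content in a
    PDF is reported as a medium-confidence indicator, a PDF without it as very low."""
    if kind == "pdf":
        if b"/JavaScript" in data or b"/Launch" in data:
            return Confidence.MEDIUM
        return Confidence.VERY_LOW
    return None   # not applicable to this file type


def pdf_non_malicious_engine(data, kind):
    """Benign indicator: a PDF with no active content keeps confidence very low."""
    if kind == "pdf" and b"/JavaScript" not in data and b"/Launch" not in data:
        return Confidence.VERY_LOW
    return None


# Documented order after the blacklist/whitelist step (certificate check omitted here)
STATIC_ENGINES = [reputation_engine, pdf_flash_engine, pdf_non_malicious_engine]


def downselect(data, enabled=None):
    """Run the enabled static engines in order and decide whether the file still needs
    dynamic analysis. Returns (decision, highest static confidence or None)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_BLACKLIST:
        return "blacklisted", Confidence.VERY_HIGH
    if digest in HASH_WHITELIST:
        return "whitelisted", None
    kind = file_kind(data)
    verdicts = []
    for engine in (enabled if enabled is not None else STATIC_ENGINES):
        verdict = engine(data, kind)
        if verdict is not None:
            verdicts.append(verdict)
    best = max(verdicts) if verdicts else None
    # Dynamic analysis only when no engine reached medium confidence
    if best is None or best < Confidence.MEDIUM:
        return "submit-to-atd", best
    return "static-verdict", best


if __name__ == "__main__":
    # Constructed samples, not real malware
    for sample in (b"%PDF-1.7 /OpenAction << /S /JavaScript >>",
                   b"%PDF-1.7 stream hello endstream",
                   b"PK\x03\x04known-bad.apk",
                   b"unknown blob"):
        print(file_kind(sample), downselect(sample))
```

The `enabled` argument plays the role of `set malwareEngine <engine> <status>`: passing a shorter list disables engines, and a file that no remaining engine can judge still goes to dynamic analysis, which is the behaviour the downselector is designed to preserve.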
The following new CLI commands have been added for advanced malware policies:
• set malwareEngine <engine> <status> — Use this command to enable or disable any of the
malware engines.
• show malwareEngine status — Displays the status of all the malware engines.
• unknownapktocloud <on|off|status> — Use this command to disable the upload of "unknown
mobile apk" files to the Manager. If disabled, the Sensor does not generate the unknown mobile apk alert.
The following CLI commands have been updated to include information about the Flash engine and
McAfee Cloud engine:
• show malwareenginestats
• show malwarefilestats
• show malwareserverstats
• show malwareclientstats
For more information, see Network Security Platform IPS Administration Guide.
Multi-user support for Advanced Threat Defense integration
With the 8.2 release, the Manager allows different Sensors to have their own analyzer profile as
configured by the respective Sensor users. This means that users can share a single Advanced
Threat Defense device but use a different analyzer profile per IPS device or per interface. Earlier,
only one predefined analyzer profile (nsp) was allowed for all the files submitted by the IPS Sensors
connected to Advanced Threat Defense. Now, users need to log on to the Advanced Threat Defense
web application using the respective Network Security Platform user credentials applicable to the
different Sensors integrated with Advanced Threat Defense and upload a sample file for analysis. By
default, "nsp" is used for file submission, but it can be overridden if users have defined their own
analyzer profiles.
You can view these options under Devices | <Admin Domain Name> | Global | IPS Device Settings | ATD Integration.
For more information, see Network Security Platform Integration Guide.
Prioritization of inline traffic
With release 8.2, the IPS Sensor has the ability to prioritize traffic sent from ports configured as
in-line ports over that sent from SPAN ports. This feature is activated by default and kicks in only
during periods of heavy traffic load in the network.
When you deploy a port in inline mode, the Sensor has a default feature enabled to prioritize such
packets during heavy network load conditions over packets emerging from a SPAN port.
This feature is enabled by default; you can disable it and view its status through the
CLI. The following commands have been added to the debug mode of the CLI:
• show inline traffic prioritization status — Displays the status of this feature.
• set inline traffic prioritization <enable|disable> — Enables or disables this feature.
For more information, see Network Security Platform IPS Administration Guide.
Enhancements
This release of Network Security Platform includes the following enhancements:
Gateway Anti-Malware updates
In 8.1, Sensors sent files with potential malware to the NTBA Appliance for scanning. With 8.2,
NS-series Sensors have an in-built Gateway Anti-Malware Engine that scans files. M-series Sensors will
continue sending files to NTBA for scanning in 8.2 as well.
The IPS Sensor (M-series and NS-series with Sensor software 8.1) sends the file with potential
malware to the NTBA Appliance. The Gateway Anti-Malware Engine running on the NTBA Appliance
scans the file, and NTBA sends back the reported confidence level to the Sensor. The Sensor then
sends the alert to the Manager, and the configured response action takes place.
From the Manager, you can schedule Gateway Anti-Malware updates at:
• Root level: Devices | <Admin Domain Name> | Global | Common Device Settings | GAM Updating
• Device level: Devices | <Admin Domain Name> | Devices | <NTBA Appliance> | Setup | GAM Updating
By default, the Inherit Settings? and Enable Automatic Updating? check boxes are enabled. This applies any
settings made at the root-level node to the child nodes as well.
The show gam engine stats, downloadgamupdate, and show gam scan stats commands have been
updated to support Gateway Anti-Malware updates.
Manager UI redesign to migrate away from Java
Network Security Manager is in the process of moving away from client side Java to use extJS, for
overall performance improvement and better user experience. In release 8.2, the following existing UI
pages have been enhanced to use the extJS framework:
• Attack Set Profiles (formerly, Rule Sets): In 8.2, Rule Sets is renamed to Attack Set Profiles.
The Manager UI has been enhanced for the following page: Policy | <Admin Domain Name> | Intrusion
Prevention | Objects | Attack Set Profiles (earlier the path was Policy | <Admin Domain Name> | Intrusion Prevention
| Advanced | Rule Sets).
The Definitions tab is renamed as the Properties tab. Similarly, the Rules tab is renamed as the Attacks to
Include/Exclude tab.
• IPS Policies: The Manager UI has been enhanced for the following page: Policy | <Admin Domain
Name> | Intrusion Prevention | IPS Policies.
• Merge IPS and Reconnaissance Policies: Earlier, the IPS and reconnaissance policies had to be
assigned separately. As part of simplifying policy management in release 8.2, reconnaissance
policies are deprecated in the Central Manager and the Manager. The IPS policies now include all
reconnaissance attack definitions. Now, you can use a single policy to manage exploit and
reconnaissance attacks. Moreover, you can now apply customized reconnaissance correlation
attacks per interface.
Consider an upgrade scenario where you have customized attack definitions in the reconnaissance
policies in your earlier release and you want to upgrade to release 8.2. McAfee recommends that you merge
the IPS and reconnaissance policies when you are ready to upgrade Sensors to 8.2 (that is, after
you upgrade the Manager to 8.2).
In 8.2, the following new page is added for merging IPS and reconnaissance policies: Policy | <Admin
Domain Name> | Intrusion Prevention | Advanced | Reconnaissance Attack Settings Merge Utility.
If you have pre-8.2 Sensors, you must use the Reconnaissance Policies page to manage reconnaissance
policies and attack customizations. To apply reconnaissance policies to pre-8.2 Sensors, use the
Devices tab of the Policy Manager. The Reconnaissance section in the Devices tab is available only for
pre-8.2 Sensors. So, reconnaissance attacks in the IPS policies apply only to 8.2 Sensors;
reconnaissance attacks in the reconnaissance policies apply only to pre-8.2 Sensors.
When there are no more pre-8.2 Sensors in your setup, the Reconnaissance Policies option is removed
from the Resource Tree. Later, if you add a pre-8.2 Sensor to the Manager, the Reconnaissance Policies
option is available again.
• Ignore Rules (formerly, Exception Objects): In 8.2, Exception Objects is renamed to Ignore Rules.
The Manager UI has been enhanced for the following page: Policy | <Admin Domain Name> | Intrusion
Prevention | Exceptions | Ignore Rules (earlier the path was Policy | <Admin Domain Name> | Exceptions |
Exception Objects).
Ignore Rules is not available currently in the Central Manager. If you have pre-8.2 devices in your
deployment, you can still manage Exception Objects from the Central Manager. If you do not have
any pre-8.2 devices in your setup, then you must use Ignore Rules from the respective Managers.
Even if there are no pre-8.2 Sensors in your deployment, Exception Objects is available in Central
Manager 8.2.
• Policy Manager: Earlier, the policies were assigned to interfaces in Devices | <Admin Domain Name> |
Devices | <Device Name> | IPS Interfaces | <Interface Name> | Protection Profile and assigned to devices in Devices
| <Admin Domain Name> | Devices | <Device Name> | Policy | Protection Profile.
In 8.2, the following new page is added for managing the assignment of policies to devices and
interfaces: Policy | <Admin Domain Name> | Intrusion Prevention | Policy Manager.
Using this page, all Sensors can be managed.
• Inspection Options Policies (formerly, Protection Profile): In 8.2, Protection Options is renamed
to Inspection Options. Earlier, Protection Options were configured in Devices | <Admin Domain Name> | Devices |
<Device Name> | IPS Interfaces | <Interface Name> | Protection Profile.
In 8.2, the following new page is added for managing the protection options policies: Policy | <Admin
Domain Name> | Intrusion Prevention | Inspection Option Policies. The policy assignment must be done at the
interface level.
• Quarantine: Earlier, management of quarantine for endpoints was performed in the Endpoints page in
the Threat Analyzer.
In 8.2, in addition to the Threat Analyzer, endpoints can be quarantined from the following new
page: Analysis | Quarantine.
• Policy Group: In the Policy Groups page, you can create and manage a group of policies. After
creating a policy group, it is assigned to the corresponding Sensor interfaces and sub-interfaces to
manage the inbound and outbound traffic. To access the Policy Groups page, select Policy | <Admin
Domain Name> | Intrusion Prevention | Objects | Policy Groups.
The policy group is optional.
For more information, see Network Security Platform IPS Administration Guide.
Application Visualization enhancement
The current Application Visualization lists statistics that include information about network bandwidth
usage by applications, attacks detected in applications and the number of connections. All these
statistics can be viewed under Analysis | Real-Time Threat Analyzer | Applications and GTI. Earlier the statistics
did not provide information about the port on which the application was detected in case of
non-standard ports.
With release 8.2, Network Security Platform displays the port number on which the application was
detected. This helps in the application analysis to understand what non-standard ports are being used
for the Top N Applications.
For more information, see Network Security Platform Manager Administration Guide.
Custom attacks enhancement
In Network Security Platform, custom signatures can be defined using different comparison options
and conditions. By default, the condition compares the string pattern defined to match the comparator.
In 8.2, the Does NOT Equal option in the Custom Attack Editor allows you to define a condition where the
string pattern defined does not have to match the comparator. This is a matching criterion that is
used to compare with the string pattern defined for matching while creating the condition for
comparison. The Does NOT Equal option is enabled by default. This new field is available only for String
Pattern Match and Packet Grep Protocol comparators.
For more information, see Network Security Platform Custom Attacks Definition Guide.
Persist UI customization across sessions
With this release, the following changes, when made to columns, persist per user account, even after
leaving the page and/or logging out of the Manager:
• Column visibility (columns shown versus hidden)
• Column width
• Column presentation order (left to right)
• Column sort order (up/down)
These options are supported on Analysis and Policy pages.
The Reset GUI Presentation button restores any changes made to the column or panel presentation to its
default setting. To access this button, select Manage | Users and Roles | My Account.
For more information, see Network Security Platform Manager Administration Guide.
Manager navigation path enhancements
The Manager navigation paths are updated for the following sections:
• Alert archiving enhancement: In 8.2, the alert pruning functions under the Manage tab are
enhanced to provide ease of navigation and management of alerts. The following Manager UI
changes are made under the Maintenance tab (8.1 path → 8.2 path):
  • Manage | Maintenance | Alert Data Statistics → Manage | Maintenance | Database Pruning | Alert Statistics
  • Manage | Maintenance | Backups → Manage | Maintenance | Database Backup
  • Manage | Maintenance | Database → Manage | Maintenance | Database Tuning
  • Manage | Maintenance | Pruning → Manage | Maintenance | Database Pruning
  • Manage | Maintenance | Pruning | Automated Pruning → Manage | Maintenance | Database Pruning | File and Database Pruning
  • Manage | Maintenance | Pruning | Disk Usage → Manage | Troubleshooting | Disk Usage
  • Manage | Maintenance | Alerts | Archiving | IPS → Manage | Maintenance | Alert Archiving | IPS
  • Manage | Maintenance | Alerts | Archiving | NTBA → Manage | Maintenance | Alert Archiving | NTBA
The UI changes for Backup, Database and Pruning are applicable to the Central Manager also.
The Application Visualization data that was displayed under Manage | Maintenance | Pruning | Automated
Pruning is removed in release 8.2.
• Quarantine: The following UI enhancements are made to the Quarantine tab under Policy:
  • The Policy | Quarantine | Summary page is removed.
  • Policy | Quarantine | Browser Messages and Remediation Portal is now moved to Devices | <Device Name> |
  Global | IPS Device Settings | Quarantine.
• Policy tab UI enhancements: The following changes have been implemented for the Policy tab
with the 8.2 release (feature: 8.1 path → 8.2 path):
  • Application Identification: Devices | <Admin Domain Name> | Devices | <Device Name> | Policy | Application
  Identification → Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | Application Identification
  • Denial of Service and its sub-tabs: Devices | <Admin Domain Name> | Devices | <Device Name> | Policy | Denial of
  Service → Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Denial of Service
  • Advanced and its sub-tabs: Devices | <Admin Domain Name> | Devices | <Device Name> | Policy | Advanced →
  Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | Advanced
  • TCP Settings: TCP Settings → Protocol Settings
For more information, see Network Security Platform Manager Administration Guide and Network
Security Platform IPS Administration Guide.
Incident Generator
With release 8.2, the Incident Generator in the Threat Analyzer is no longer supported by Network Security
Platform.
Other IPS CLI enhancements
The following new CLI commands are added to the normal mode:
• set flowvolumelimit enable/disable — This feature reports connections with a high volume
of data transfer for both inbound and outbound connections. A threshold for the flow volume is
configured, and connections whose data transfer exceeds the configured threshold are
reported using the alert Flow with high volume has been detected. Use this command to enable or disable the
flow volume limit for both inbound and outbound directions.
• show flowvolumelimit config — This command displays the flow volume limit configuration.
The following new CLI commands are added to the debug mode:
• show feature status — This CLI command displays the enable/disable status for the following
features:
  • HTTP Response Scanning
  • Web Server Protection
  • NTBA
  • Malware Detection
  • Heuristic Web Application
  • IP Reputation
  • L7 Data Collection
  • Device Profiling
  • X-Forwarded-For
  • IPS Simulation
  • Advanced Botnet Detection
  • SSL Decryption
  • Advanced Traffic Detection
  • GTI Server
The following debug commands have been updated in this release:
• datapathstat — The Sensor CLI command datapathstat now includes a new parameter,
rx-frames-distribution. The new parameter enables the datapathstat CLI command to display
the rx-frames distribution ratio across all cores in the Sensor.
• dumpdebuglog — The following new modules are added to the dumpdebuglog CLI command in
addition to the existing modules:
  • cli
  • nacfo
  • logging
  • nacpolicy
  • logNode
  • deviceProfile
  • intfw
  • sofa
  • tsproc
• ping — The Sensor can now be pinged multiple times using this command. Previously, the Sensor
could be pinged only once. With this release, the command pings the Sensor and returns a
response with the following values:
  • icmp_seq
  • packets received
  • ttl
  • packet loss
  • time taken
  • rtt min/avg/max
  • packets transmitted
• sensor-datapath-stat-analysis log and sensor-datapath-stat-analysis show — With this
release, the three global policy attack set profiles (known as rule sets prior to 8.2), namely Default Inline
IPS, All Inclusive with Audit, and All Inclusive without Audit, are pushed to the Sensor, depending on the total
number of attack definitions that need to be configured for the Sensor. Irrespective of the policy
assigned to the interface, the global policy attack set profiles are pushed to the Sensor. The
sensor-datapath-stat-analysis log and sensor-datapath-stat-analysis show commands
now contain a new value, Policy Ruleset on Sensor, to display the global policy attack set
profiles.
This command is applicable in normal mode also.
• show all datapath error-counters — This CLI command contains the following enhancements:
  • Previously, the error count for L3/L4 errors in a SPAN port could not be viewed even when the
  errors sometimes crossed the specified threshold limit. With this release, a new counter,
  getL3L4errorDropCount, is added to the command, which provides the error count for the L3/L4
  errors.
  • This CLI command previously contained two ipProtocolErrorCount counters, which
  could cause miscalculation of the accumulated value. To avoid this, the ipProtocolErrorCount
  counter is replaced with the icmpv6ChkSumErrorDropCount counter.
For more information, see Network Security Platform CLI Guide.
Resolved issues
These issues are resolved in this release of the product. For a list of issues fixed in earlier releases,
see the Release Notes for the specific release.
Resolved Manager software issues
The following table lists the medium-severity Manager software issues:
ID # | SR# | Issue Description
1010078 | NA | While creating a new user, the period "." cannot be typed in the Username field.
957285 | NA | The Protection Profile page stops responding when opened in the Chrome browser and eventually leads to Java crashing.
956340 | NA | The Manager fault for exceeding the 10,000 AD user groups limit is displayed incorrectly in the Manager.
946781 | NA | The Chrome browser crashes when the Manager is opened in Windows 8.0 mode.
Resolved Sensor software issues
The following table lists the medium-severity Sensor software issues:
ID # | SR# | Issue Description
1019138 | NA | The User Defined Report in Traditional Report shows "McAfee NAC" for Alert/Attack Type.
1010765 | 4-6531330130 | The buffer leaks when Advanced Traffic Inspection is enabled.
1008874 | 4-6681349263 | In rare scenarios, the frontend processor is stuck due to a loop in ACL cache processing.
1007014 | 4-6843624841 | When the Sensor experiences an abnormal reboot, or when one Sensor of a failover pair reboots, the front end processor gets stuck in rare scenarios.
1005048 | 4-6799734661 | An SNMP Get/Walk executed on the Sensor returns the SCP file server credentials.
992436 | 4-6427239390 | Firewall policy does not block some HTTPS applications.
982750 | 4-6099619631 | In a rare scenario, there is a traffic delay shortly after a signature or configuration update to the Sensor.
981250 | NA | Filename is missing in the Malware Details section of alert details for GTI and ATD.
979110 | 4-6025808161 | When quarantine is enabled in the connection limiting policy, the first quarantined host is not released after the specified release time.
978286 | 4-6083314232 | ARP packets (matching the MAC flip flop event) are dropped, which leads to a network outage in rare scenarios. This happens when the MAC flip flop attack is disabled and "Heuristic Web Application Server Protection (WASP)" is enabled on any interface of the Sensor.
977449 | 4-6208350339 | After a Sensor name change, the $IV_SENSOR_NAME$ flag is not updated until the Sensor reboots.
973547 | 4-5996807719 | In rare scenarios, when SSL is enabled, CPU utilization is incorrectly reported as High.
973385 | 4-6027606839 | In a rare scenario, the Sensor reboots due to memory corruption in the malware detection process.
970872 | NA | When the PDF emulator engine is configured for malware detection, the Sensor reboots in certain scenarios.
969760 | 4-3254872194 | GTI queries fail during DNS resolution when the Sensor processes a CNAME instead of an A record for the proxy server.
969563 | 4-5926477162 | Layer 7 data is missing for alerts generated by ATD.
968947 | 4-5487957247 | The Sensor throughput value is displayed as 9GB for 1GB ports in the Manager.
966281 | 4-5606846411 | In rare scenarios, routers running EIGRP experience a neighbor adjacency flap while the Sensor processes the EIGRP update packets.
965633 | NA | In rare scenarios, malware detection misses can happen while processing SMTP traffic.
963593 | 4-5105955529 | When the PDF Emulation Engine is enabled in the malware policy, it may cause an out-of-memory condition while processing certain PDF files, resulting in a Sensor reboot.
961617 | 4-5514297706 | [Failover] In rare scenarios, the Sensor reboots during trace upload.
961429 | 4-5622201530 | In a rare scenario, the Sensor reboots with an exception when snort signatures are present.
957346 | 3-2901221972 | Customizing flow packet logging on the Manager causes excessive packet logging from the Sensor to the Manager. This leads to database tuning failure, alert archival failure, etc.
957173 | 4-5488302851 | The Sensor causes RST packets to be sent out of order.
945675 | 4-4910150446 | In an extremely rare scenario, traffic is not forwarded because of internal switch buffer exhaustion.
943598 | 4-4692873853 | In a rare scenario with SSL and malware functionality enabled, SSL attacks are not detected.
913909 | 3-3176294553 | When L7 data collection is enabled, the Sensor raises alerts for the component attack but does not raise the correlated alerts.
907976 | 3-3033672232, 4-5327125501, 4-5734280453 | In a failover pair after upgrade, the Active Fail-Open kit status switches between Inline and Bypass.
882189 | NA | With a high amount of SSL traffic being decrypted, the Sensor throughput could temporarily drop during the signature file update process.
Installation instructions
Manager server/client system requirements
The following table lists the 8.2 Manager server requirements:
Component | Minimum required | Recommended
Operating system | Any of the following: | Windows Server 2012 R2 Standard Edition operating system.
• Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
• Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
• Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system
Only X64 architecture is supported.
Memory | 8 GB | 8 GB or more
CPU | Server model processor such as Intel Xeon | Same
Disk space | 100 GB | 300 GB or more
Network | 100 Mbps card | 1000 Mbps card
Monitor | 32-bit color, 1440 x 900 display setting | 1440 x 900 (or above)
The following are the system requirements for hosting the Central Manager/Manager server on a VMware platform.
Table 5-1 Virtual machine requirements
Component | Minimum | Recommended
Operating system | Any of the following: | Windows Server 2012 R2 Standard Edition operating system.
• Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
• Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
• Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
• Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
• Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system
Only X64 architecture is supported.
Memory | 8 GB | 8 GB or more
Virtual CPUs | 2 | 2 or more
Disk Space | 100 GB | 300 GB or more
Table 5-2 VMware ESX server requirements
Component | Minimum
Virtualization software | ESXi 5.0, ESXi 5.1, or ESXi 5.5
CPU | Intel Xeon® CPU ES 5335 @ 2.00 GHz; Physical Processors – 2; Logical Processors – 8; Processor Speed – 2.00 GHz
Memory | Physical Memory: 16 GB
Internal Disks | 1 TB
The following table lists the 8.2 Manager client requirements when using Windows 7, Windows 8, or Windows 2012:
Component | Minimum | Recommended
Operating system | Windows 7 English or Japanese; Windows 8 English or Japanese; Windows 8.1 English or Japanese
The display language of the Manager client must be the same as that of the Manager server operating system.
RAM | 2 GB | 4 GB
CPU | 1.5 GHz processor | 1.5 GHz or faster
Browser | Internet Explorer 9, 10 or 11; Mozilla Firefox; Google Chrome (App mode in Windows 8 is not supported) | Internet Explorer 11; Mozilla Firefox 20.0 or above; Google Chrome 24.0 or above
Add the Manager web certificate to the trusted certificate list to avoid the certificate mismatch error and security warnings.
For the Manager client, in addition to Windows 7, Windows 8, and Windows 8.1, you can also use the
operating systems mentioned for the Manager server.
The following table lists the 8.2 Central Manager / Manager client requirements when using Mac:
Mac operating system | Browser
Lion; Mountain Lion | Safari 6 or 7
For more information, see McAfee Network Security Platform Installation Guide.
Upgrade recommendations
McAfee regularly releases updated versions of the signature set. Note that the signature set is not upgraded automatically. You need to manually import the latest signature set and apply it to your Sensors.
The following is the upgrade matrix supported for this release:
Component
Minimum Software Version
Manager/Central Manager software
• 7.1 — 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14, 7.1.5.15
• 7.5 — 7.5.3.11, 7.5.5.6, 7.5.5.7, 7.5.5.10
• 8.1 — 8.1.3.4, 8.1.3.6, 8.1.7.5, 8.1.7.12
M-series Sensor software
• 7.1 — 7.1.3.119
• 7.5 — 7.5.3.95, 7.5.3.108
• 8.1 — 8.1.3.5, 8.1.3.43
Known issues
For a list of known issues in this product release, see this McAfee KnowledgeBase article:
Network Security Platform software issues: KB83288
Product documentation
Every McAfee product has a comprehensive set of documentation.
Find product documentation
1. Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
8.2 product documentation list
The following software guides are available for the Network Security Platform 8.2 release:
• Quick Tour
• Installation Guide (includes Upgrade Guide)
• Manager Administration Guide
• Manager API Reference Guide (selective distribution - to be requested via support)
• CLI Guide
• IPS Administration Guide
• Custom Attacks Definition Guide
• XC Cluster Administration Guide
• Integration Guide
• NTBA Administration Guide
• Best Practices Guide
• Troubleshooting Guide
Copyright © 2015 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
0B-00