McAfee Security Management Center 5.9.0 Release Notes


Release Notes

Revision A

McAfee Security Management Center 5.9.0

McAfee Next Generation Firewall

Contents

About this release

New features

Enhancements

Resolved issues

Installation instructions

Known issues

Find product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

System requirements

Make sure that you meet these basic hardware and software requirements.

Basic management system hardware requirements

You can install Security Management Center (SMC) on standard hardware.

• Intel Core family processor or higher recommended, or equivalent on a non-Intel platform

• A mouse or pointing device (for Management Client only)

• SVGA (1024x768) display or higher (for Management Client only)

• Disk space for Management Server: 6 GB

• Disk space for Log Server: 50 GB


• Memory requirements for 32-bit Linux operating systems:

  • 2 GB RAM for the Management Server, Log Server, or Web Portal Server (3 GB if all servers are installed on the same computer)

  • 1 GB RAM for Management Client

• Memory requirements for 64-bit operating systems:

  • 6 GB RAM for the Management Server, Log Server, or Web Portal Server (8 GB if all servers are installed on the same computer)

  • 2 GB RAM for Management Client

Operating systems

SMC supports the following operating systems and versions.

Only U.S. English language versions have been tested, but other locales might also work.

Supported Windows operating systems:

• Microsoft Windows Server 2012 R2 (64-bit)

• Microsoft Windows Server 2008 R1 SP2 and R2 SP1 (64-bit)

• Microsoft Windows 7 SP1 (64-bit)

Supported Linux operating systems:

• CentOS 6 (for 32-bit and 64-bit x86)

• CentOS 7 (for 64-bit x86)

• Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)

• SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)

• Ubuntu 12.04 LTS (for 64-bit x86)

• Ubuntu 14.04 LTS (for 64-bit x86)

32-bit compatibility libraries lib and libz are needed on all Linux platforms.

Web Start client

In addition to the operating systems listed, SMC can be accessed through Web Start by using Mac OS version 10.9 and JRE version 1.8.0_45.

Build version

SMC 5.9.0 build version is 8926.

This release contains Dynamic Update package 648.

Product binary checksums

Use the checksums to make sure that the installation files downloaded correctly.

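As an added example that is not part of the release notes or of McAfee's tooling: a small Python checker that computes the SHA-1 and SHA-512 of a downloaded installer in one pass and compares them with the published values, normalising digests that were wrapped across several lines. The file name smc_sample.bin and its content (the FIPS 180 "abc" test vector) are constructed for the demo.

```python
"""Verify SMC installer checksums against the values printed in release notes."""
import hashlib
import hmac
from pathlib import Path


def normalise_digest(published: str) -> str:
    """Join a hex digest that was wrapped across lines or spaces; lower-case it."""
    return "".join(published.split()).lower()


def digest_stream(chunks, algorithms=("sha1", "sha512")) -> dict:
    """Hash an iterable of byte chunks with every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _compare(actual: dict, expected: dict) -> dict:
    """Constant-time comparison per algorithm; returns {algorithm: matched}."""
    return {
        name: hmac.compare_digest(actual[name], normalise_digest(value))
        for name, value in expected.items()
    }


def verify_bytes(data: bytes, expected: dict) -> dict:
    """Check in-memory data (handy for tests and small files)."""
    return _compare(digest_stream([data], tuple(expected)), expected)


def verify_file(path: str, expected: dict, chunk_size: int = 1 << 20) -> dict:
    """Stream the file so a multi-GB ISO never has to fit in memory."""
    with open(path, "rb") as f:
        chunks = iter(lambda: f.read(chunk_size), b"")
        actual = digest_stream(chunks, tuple(expected))
    return _compare(actual, expected)


def all_match(results: dict) -> bool:
    """Trust the download only if every published digest matches."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Constructed demo file standing in for an installer download.
    sample = Path("smc_sample.bin")
    sample.write_bytes(b"abc")
    published = {  # known SHA-1 / SHA-512 of b"abc"; SHA-512 wrapped like the notes
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
        "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a\n"
                  "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
    }
    results = verify_file(str(sample), published)
    print("OK" if all_match(results) else f"MISMATCH: {results}")
    sample.unlink()
```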

Compatibility

SMC 5.9.0 has the following requirements for minimum compatibility and native support.


Minimum component versions

SMC version 5.9 is compatible with the following McAfee and Stonesoft component versions.

• McAfee® Next Generation Firewall (McAfee NGFW) 5.7, 5.8, and 5.9

• Stonesoft Security Engine 5.4 and 5.5

• Stonesoft SSL VPN 1.5

• McAfee® ePolicy Orchestrator® (McAfee ePO™) 5.0.1 and 5.1.1

• McAfee® Endpoint Intelligence Agent (McAfee EIA) 2.4

• McAfee® Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only)

In SMC 5.9, only monitoring is supported for the legacy Stonesoft SSL VPN. The SMC 5.9 release is the last version to support Stonesoft SSL VPN.

Native support

To use all features of SMC version 5.9, McAfee NGFW version 5.9 is required.

New features

This release of the product includes these new features.

Integration with McAfee Endpoint Intelligence Agent

McAfee Endpoint Intelligence Agent (McAfee EIA) is an endpoint solution that provides per-connection information to supported network devices, including McAfee NGFW. Whenever network connections are opened from an endpoint that runs McAfee EIA, the McAfee NGFW engine receives information about the user and applications related to that connection. This information can be used to decide which connections are allowed or discarded. The information can also be logged.

Dynamic routing configuration for BGP

Dynamic routing for the Border Gateway Protocol (BGP) can now be configured from the Management Client. Several new dynamic routing elements can be used in the Dynamic Routing and Routing sections of the Engine Editor. In SMC 5.9, only BGP is currently supported; other dynamic routing protocols must still be configured on the command line.

Enhancements

This release of the product includes these enhancements.

Integration with McAfee ESM

SMC API now enables requests for sending blacklist entries. The SMC API request is later used by McAfee® Enterprise Security Manager (McAfee ESM). McAfee ESM is used for security information event management (SIEM), and it is already integrated with the SMC through syslog. The new blacklisting integration enables administrators to create new blacklist entries for McAfee NGFW engines directly from the McAfee ESM user interface.


Integration with McAfee ePolicy Orchestrator

Starting from SMC 5.8.0, the integration with McAfee® ePolicy Orchestrator® (McAfee ePO™) allows administrators to configure an ePO Server element and view information related to the endpoint clients directly in the Management Client. By installing the Certificate Management Extension that is delivered with the SMC 5.9 release, the Inspection CA Certificate can be exported from the SMC and delivered through McAfee ePO version 5.0.1 or later.

New default template for PDF printing

There is a new default template for printing to PDF from the Management Client. The new template automatically generates a front page and a table of contents. When available, additional contextual information about the PDF export is included as side notes in the table of contents.

Digitally signed engine remote upgrades and dynamic update packages

Engine remote upgrade packages and dynamic update packages are now signed with digital signatures. SMC does not import these elements if the digital signature is not valid. Without the digital signature, you cannot use the sg-reconfigure tool to locally upgrade the engine.

HTTP redirection after authenticating with browser-based authentication

You can configure HTTP redirection to allow users to continue to their original destination after authentication. The redirection can be automatic, or you can make the user click a link to continue.

Multiple user accounts on engine

You can configure selected SMC administrator accounts to be replicated as local user accounts to the McAfee NGFW engine. There can now be several administrators that log on to the engine with a personal account user name and password. If allowed in the administrator user profile, the administrators can execute commands with root permissions.

ICS protocol support

New Industrial Control System (ICS) applications can be used in Access rules. This requires a special McAfee NGFW engine version. The supported ICS protocols are OPC UA and Modbus/TCP.

Improved configuration for Allow After action in File Filtering Policies

The dialog box for configuring the Allow After action in a File Filtering Policy has been redesigned to better visualize how you can use the reputation thresholds to define the action in the different file scanning methods. Using the reputation database on the McAfee Global Threat Intelligence cloud to identify and discard known malware files can significantly reduce the load on the traditional Anti-Malware scanner that scans the remaining files directly on the McAfee NGFW engine. As the next layer of security, the user can perform dynamic analysis and sandboxing using the external McAfee Advanced Threat Defense solution.


Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

• Before SMC 5.8, the NAT-T options were checkboxes in the End-Point Properties dialog box. In 5.8, the options are found in a drop-down list with three options: Disabled, Enabled, and Forced.

The Forced NAT-T option is preserved on upgrade to SMC 5.8. However, when editing and saving an endpoint in 5.8, the previously made Forced NAT-T selection reverts to Disabled. (#114666)

• If you use the imported initial configuration file for the initial configuration of a Master Engine that hosts Virtual IPS engines or Virtual Layer 2 Firewalls, the Virtual Security Engine role might be incorrectly defined as Firewall. All Virtual Security Engines hosted by the same Master Engine must have the same role. (#114706)

• Log entries matching a rule can be opened with the Show Related Logs option. For Layer 2 Firewall Policy and File Filtering Policy rules, the Logs view data is incorrectly filtered and matching log entries are not shown. (#114709)

• When you use the Create Rule option to create a rule from a log entry, three action options are available. If you select the Add Rules and Edit the Policy option, creating the rule might fail even if the correct policy opens for editing. Adding the rule to the Access rules fails in policies that have the Automatic Rules Insert Point. (#114954)

• GTI File Reputation checks are enabled on the Add-Ons branch of the Engine Editor and configured in the File Filtering Policy. The Automatic rule for traffic between the McAfee NGFW engine and the McAfee Global Threat Intelligence servers is incorrect and does not allow the necessary connections. (#115432)

• Loopback IP addresses cannot be used for the Identity for Authentication Requests interface option. Since an interface with a dynamic IP address cannot be selected as the Identity for Authentication Requests interface, but the Not Set option is not valid in the Engine Editor, it is not possible to save a Firewall element that only has interfaces with dynamic IP addresses. (#1029981)

• Policy validation shows a warning about a missing route to the Management Server when the engine is not in a directly connected network with the Management Server, or the route to the Management Server is not the default route. The warning can be ignored if the correct route to the Management Server has been configured for the engine in the Routing pane of the Engine Editor. (#1043925)

• In the System Status view, when selecting a VPN gateway that has a VPN endpoint with a loopback IP address, the Connectivity tab does not show the status correctly. Neither the tunnels between the endpoints nor their status are properly shown. (#1046111)

• Active alerts view is aggregated by Situation. When checking details of a specific alert, the view is opened filtered by Situation and by Severity. If the alert situation has no Severity defined, all alerts are displayed in the Details view. (#1046497)

• In rare cases, saving or deleting a Firewall element might fail if a VPN Gateway associated with the Firewall has been deleted, but the VPN Endpoints still exist. The following type of error message is shown: "Element does not exist or is not accessible by the user." (#1048234)

• In an SMC high availability setup, you might want to change a standby Management Server into the active Management Server and upgrade it. Database replication from the active Management Server to standby Management Servers does not include replicating dynamic updates. After upgrading the original standby Management Server, there might be unexpected issues with communication with other SMC components. For example, log data reception from managed Security Engines might fail due to the dynamic update level of the activated and upgraded standby Management Server. (#1048598)

• Unlike in Firewall rules, new NAT rules have Source, Destination, and Service set to ANY by default. (#1049456)

• A Policy Snapshot comparison with the latest saved policy or another snapshot might fail with messages such as "Database problem" and "Failed to construct following objects: <list of objects>." (#1049520)

• When creating a certificate request for the VPN gateway to be signed by an external certificate authority, a public key algorithm can be selected from three options. Different key lengths are valid for different algorithms. If ECDSA algorithm has been selected and then changed to RSA or DSA, the Key Length setting is not adjusted automatically to a valid value.

When a certificate request is saved, the Management Server sends the request for the engine to create the certificate. The engine creates it, but if the values are not correct, the certificate request does not appear in the user interface for the gateway to be exported for signing. (#1050765)

• In an SMC high availability setup, the primary Management Server might appear to be in "Full Synchronization Needed (Isolated)" state. This can happen after an upgrade if the primary Management Server was originally installed before SMC version 5.6 and standby Management Servers were added later. (#1051934)

• In the Interfaces pane in the Engine Editor, you can move a Network element or a VLAN Interface by dragging and dropping it under a different physical interface. The directly connected Network is automatically moved to the new physical interface. After changing the interface configuration, you must manually update the routing configuration in the Routing pane.

On rare occasions, the antispoofing tree view is not automatically updated to reflect changes to routes under Network elements or VLAN Interfaces that were moved in the Routing pane. (#1052658)

• Duplicating certain Application elements can create broken references to sub-applications. The sub-applications are normally not visible in the Management Client. Installing a policy or exporting an element fails due to the broken references. The error message includes the following: "Missing regular expression on...". (#1053841)

• Users belonging to the SMC Authentication Server domain or linked users from external LDAP domains are not able to authenticate if their displayed user names include accented letters. In addition, these users cannot be modified. Upgrading the SMC to version 5.8.3 is not recommended in Authentication Server setups. (#1055352)

• When editing a QoS Policy, you cannot add or edit the values in the DSCP Match and DSCP Mark cells using the drop-down list. (#1064884)


Installation instructions

Use these high-level steps to install SMC and the McAfee NGFW engines.

For detailed information, see the McAfee Next Generation Firewall Installation Guide. All guides are available for download at https://support.mcafee.com.

The sgadmin user is reserved for McAfee use on Linux, so it must not exist before SMC is installed for the first time.

Task

1 Install the Management Server, the Log Servers, and optionally the Web Portal Servers.

2 Import the licenses for all components.

You can generate licenses at https://ngfwlicenses.mcafee.com/managelicense.do.

3 Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Security Engine Configuration view.

4 To generate initial configurations for the engines, right-click each Firewall, IPS, or Layer 2 Firewall element, then select Configuration | Save Initial Configuration.

Make a note of the one-time password.

5 Make the initial connection from the engines to the Management Server, then enter the one-time password.

6 Create and upload a policy on the engines using the Management Client.

Upgrade instructions

Take the following into consideration before upgrading to SMC version 5.9.

McAfee SMC (Management Server, Log Server, and Web Portal Server) must be upgraded before the engines are upgraded to the same major version.

• SMC version 5.9.0 requires an updated license if upgrading from version 5.8 or earlier.

• If the automatic license update function is in use, the license is updated automatically.

• If the automatic license update function is not in use, request a license upgrade on our website at https://ngfwlicenses.mcafee.com/managelicense.do. Activate the new license using the Management Client before upgrading the software.

• To upgrade an earlier version of the SMC to version 5.9, we strongly recommend that you stop all McAfee NGFW services and create a backup before continuing with the upgrade. After creating the backup, run the appropriate setup file, depending on the operating system. The installation program detects the old version and does the upgrade automatically.

• Versions earlier than 5.2.0 require an upgrade to version 5.2.0–5.8.3 before upgrading to version 5.9.

Known issues

For a list of known issues in this product release, see KB84422.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

2 In the Knowledge Base pane, click a content source:

  • Product Documentation to find user documentation

  • Technical Articles to find KnowledgeBase articles

3 Select Do not clear my filters.

4 Enter a product, select a version, then click Search to display a list of documents.

Product documentation

Every McAfee product has a comprehensive set of documentation.

• McAfee Next Generation Firewall Product Guide

• McAfee Next Generation Firewall online Help

  By default, the online Help is used from the McAfee help server. If you want to use the online Help from a local machine (for example, an intranet server or your own computer), see KB84639.

• McAfee Next Generation Firewall Installation Guide

Other available documents include:

• McAfee Next Generation Firewall Quick Start Guide

• McAfee Next Generation Firewall Hardware Guide for your model

• McAfee SMC API Reference Guide

• Stonesoft IPsec VPN Client User's Guide

• Stonesoft IPsec VPN Client Administrator's Guide

Copyright © 2015 McAfee, Inc. www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/ registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.

A00
