McAfee Web Gateway 7.5.2

Author: Mervyn Cobb
Release Notes Revision A


Contents
• About this release
• New features and enhancements
• Resolved issues
• Installation instructions
• Known issues
• Find product documentation

About this release
This document contains important information about the current release. We strongly recommend that you read the entire document.

McAfee Web Gateway (Web Gateway) 7.5.2 is provided as a controlled release. It is a major version that includes new features and enhancements and resolves issues present in previous versions.

New features and enhancements
This release of the product includes these new features and enhancements. To support the introduction of new features and enhancements in recent product releases, we recommend a memory upgrade on the physical or virtual platform on which a Web Gateway appliance runs. For more information about this upgrade, see the Setting up Web Gateway chapter of the McAfee Web Gateway Installation Guide.


DXL and TIE integration
Web Gateway now supports the use of messages in DXL format to retrieve and send web security information from and to connected McAfee products. DXL messages can, for example, be used to retrieve file reputation scores from a TIE (Threat Intelligence Exchange) server and send them to connected products. The use of these messages is part of the web security architecture provided by McAfee, which is also known as Security Connected. For more information about DXL and TIE integration, see the Proxies chapter of the McAfee Web Gateway Product Guide. For information about an extension for working with a McAfee ePO server, which is required for DXL messaging, see this McAfee Knowledge Center article: KB84824.

Improvements for the application launch pad
In the user interface of Web Gateway, you can specify a name and description for your organization, customize the look of the text, and import images of your organization and product logos. You can also customize the header, footer, and sidebar that frame the launch pad. Before you use this new launch pad feature, we recommend that you import the revised Single Sign On rule set from the rule set library. After importing, you can still access the original Launchpad.html file, which is saved as Launchpad-bak1.html. You must, however, reconfigure the customized values in the Launchpad.html file. These values, such as the name of your organization, are not migrated. The new Single Sign On rule set requires DAT file version 47 or later. As long as SSO updates are enabled, the update server automatically delivers these later versions. Web Gateway also still supports the earlier Single Sign On rule set. For more information about these improvements, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide.

New cloud SSO connectors
58 new connectors for configuring cloud single sign-on (SSO) have been added, bringing the total to 881. You can add connectors to lists that control access to cloud applications and associate end users with these lists in rules. For more information about these connectors, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide and the McAfee Web Gateway SSO Catalog.


Network interface bonding
The interfaces of two or more different NICs on a Web Gateway appliance can be configured for network interface bonding. This feature enables different network interfaces to act as a single channel while increasing bandwidth and providing high availability. If you have implemented a bonding configuration, which was available as an unsupported feature before the release of Web Gateway 7.5.2, remove any settings of this configuration before upgrading to this new version. Otherwise you risk creating an unstable state on the appliance. After the upgrade, you can again implement network interface bonding as described in the documentation. For more information about this feature and how to implement it, see the System configuration chapter of the McAfee Web Gateway Product Guide.

Source-based routing
You can now configure source-based routing on the user interface. Source-based routing allows you to base routing decisions on the source IP address that is submitted with requests for web access. Using this routing method, you can separate management traffic from other traffic. For more information about source-based routing, see the System configuration chapter of the McAfee Web Gateway Product Guide.

Logon message about browser usage
A message on the logon page provides important information for an end user who logs on with a Google Chrome browser. This browser type cannot be used for logon much longer, as it will soon cease to support Java. For more information about this message, see the Setting up Web Gateway chapter of the McAfee Web Gateway Installation Guide.

Configurable logon message
You can configure a message on the logon page for Web Gateway that provides, for example, information about regulatory compliance. For more information about this message, see the System configuration chapter of the McAfee Web Gateway Product Guide.

Additional incident messages
Additional incident messages have been created for reporting the following.
• Next-hop proxy issues
• User logouts
For more information about incident messages, see the Configuration lists chapter of the McAfee Web Gateway Product Guide.


Administrative enhancements
The following enhancements have been added to the user interface to increase the range and ease of administrator activities.
• The number of alert messages displayed on the dashboard has been reduced to avoid information overflow.
• A next-hop proxy is no longer shown as unavailable when an HTTPS request sent to it received no response. If the initial handshake could be performed and the CONNECT header could be sent, the next-hop proxy is shown as available.
• Additional rule sets for configuring web security measures are available in the rule set library. Each rule set is provided in both the simplified and complete rules format.
• Additional telemetry options have been added to extend the range of feedback that you can send to McAfee.

Internal improvements in processing web traffic
The internal process of handling web traffic has been improved as follows.
• Handling of request headers has been improved.
  • Faulty headers received in requests from IFP clients can be interpreted correctly and processed without causing errors.
  • Headers received in folded format can be processed.
• Extraction of information from compressed files has been extended to cover more file types.
  • Compressed security ID files used for Kerberos authentication with a Microsoft Windows 2012 domain controller can be opened.
  • Zipped archive files of the 64-bit type that are larger than 4 GB can be opened.
• Better performance in processing a high number of tunneled connections has been achieved.
• Elliptic curve ciphers received in traffic from a web server can be processed.
• When different SSL certificates are received on different server connections that are submitted for communication on the same client connection, SSL scanning continues by performing an additional CERTVERIFY cycle. Submitting these certificates no longer leads to an inconsistent certificate error, and requests are not blocked.

We recommend that you review your whitelist for bypassing SSL scanning (if you have any) after upgrading to the new version. Due to the improved handling of SSL-secured traffic, which also includes support for ECDHE ciphers, more of this traffic can now be processed and filtered, so many websites no longer need to be whitelisted. Whitelisting websites and using these lists in rules, for example, in a host tunneling rule, might have been required in earlier product versions to prevent blocking due to SSL handshake failures and other issues.


Hardware enhancements
The following enhancements have been added on the hardware platforms for running Web Gateway as a physical appliance.
• A 1 GbE quad-port copper PCI card can be installed as an additional NIC on a physical appliance of the C series model.
• An nShield Solo 6000+ card can be installed as a Hardware Security Module (HSM) card on a physical appliance.
• A command line tool for configuring the Remote Management Module (RMM) on Intel-based appliance models has been implemented.
For more information about the additional cards that can be installed, see the Installing a PCI card chapter of the McAfee Web Gateway Product Guide.

Resolved issues
The following issues are resolved in this release of the product. Bugzilla reference numbers are in parentheses.

Network communication
• Two port forwarding rules could be configured for the same port, although the port must be unique, if the preceding column of the user interface also contained a value. (1035638) The current product version displays a warning if port forwarding rules are configured in this way and allows you to reconfigure them.
• When running as an HTTP proxy, Web Gateway could not resume a web server connection after spoofing the IP address of the server had led to a timeout. The client connection closed after the default timeout had elapsed, disregarding the configured timeout. (1038799)
• When Web Gateway was running in FIPS mode, an attempt to join the appliance to a Microsoft Windows domain controller in a closed environment caused the core process on Web Gateway to fail. (1048669)
• When Web Gateway was running as an FTP proxy, an incorrectly configured path name part triggered an infinite loop in a system program, which let the core process consume all CPU resources. (1049649)
• When a client sent a POST request with an incomplete body, Web Gateway forwarded the request to the web, but when the client sent the remainder, the request was rejected. (1051315)
• When running as an HTTPS proxy, Web Gateway slowed down after the server connection was closed while client connections remained open until the end of the timeout period. (1053817)
• When running as a SOCKS proxy, Web Gateway encountered an event handling problem, which caused the core process to fail with term signal 11. (1056019)
• When running as a SOCKS proxy, Web Gateway forwarded web pages that should have been blocked according to the configured rules. (1056994)
• When Web Gateway was running as a server for ICAP and ICAPS traffic, entering the listener port for ICAPS traffic in the relevant list before the listener port for ICAP traffic prevented the ICAP port from listening. (1058716)


Excessive workload and load balancing
• Performance of a Web Gateway appliance was heavily impacted when its workload increased due to processing additional traffic from subnets that had bypassed the appliance before. (1029534)
• When Web Gateway was running as a SOCKS proxy, the number of connections and CPU usage increased until the appliance could not be accessed anymore. (1034278)
• A load balancer in a next-hop proxy configuration failed to process HTTP traffic received from Web Gateway due to problems with the way Web Gateway handled the CONNECT request. (1039746)

File recognition and handling
• The media type filter did not recognize the media type of an application/x-shockwave-flash file, although the magic bytes inside the file indicated the type. (1037907)
• The file openers failed to detect the name of a file with embedded objects and the media type of these objects, which was due to the use of a particular body-related property in a rule. (1040542)
• When a corrupted application/vnd.ms-powerpoint file was downloaded, it was not recognized as corrupted, so the download caused the core process to fail. (1041126)
• An application/executable file that was embedded in a PDF file could not be detected. (1044672)
• Although blocking criteria were configured that specified an expression in uppercase letters and case sensitivity, a matching Microsoft Excel file in PDF format was not blocked, as the file openers did not preserve uppercase letters when saving the file. (1048298)
• While a file was downloaded, its name was shown on the progress page with an incorrect extension. (1050446)

Authentication and quota management
• The current volume quota was not kept for a user when an appliance was restarted, but the data was deleted if the user had submitted no further request for web access during the remaining session time. (1036969)
• After user authentication had failed in SSL-secured communication, values for user-related authentication properties were not kept during the SSL tunneling process. (1037765)
• In a high availability cluster with two Web Gateway appliances as nodes, user authentication was performed on one node, but when trying to connect to the other node, the user was prompted again for authentication, although the session period had not yet expired. The reason was that different IDs for the user's client system had been calculated on each node. (1039749)
• The daily volume quota was not reset at the first access to the data after midnight local time, but after midnight UTC time. (1041019)
• The monthly time quota was not reset for users who consumed no more time until the end of the month after the time stamp for last web access had been reset during a daily quota reset. These users had to continue with the time remaining from the previous month. (1065257)

Web filtering
• Disabling cloud lookups led to an empty URL category list when the URL.Geolocation property was used in a rule. As the list was empty, no blocking of URLs belonging to bad categories was performed by later rules. (1021852)
• Certificate verification on an SSL-secured connection failed due to a common name mismatch, as common names had been used in an encoded format. (1042021)
• A video file that a user requested for downloading was not scanned by the stream scanner, but in the normal way, which prevented the user from properly viewing the video. (1049974)
• When the List.OfMediaType.EraseList property was processed, not all occurrences of some media types were removed. (1051149)
• The settings for configuring an SSL certificate with certificate authority information could not be accessed, which was caused by using libraries for the Java application on Web Gateway that were not the libraries shipped with the product. (1056725)
• When swapping buffer data received from the OpenSSL library, an error occurred with address handling. The error led to a timeout on the connection between Web Gateway and McAfee Advanced Threat Defense. (1061303)
• When performing a task on a private key for the Hardware Security Module, an overload in request processing and a problem with response handling by the listener thread caused a lack of resources that led to a failure of the HSM Agent. (1063281)

Logging
• After an appliance had joined a Central Management cluster, it did not send logging messages to McAfee Web Reporter, as the configuration file for the log manager had been deleted. (948851)
• Performing log file compression blocked working threads for writing log buffer lines to disk, which slowed down Web Gateway and caused it to fail to respond to synchronization messages from the load balancer. (1030598)
• When an authentication error that prevented a file upload had been corrected, the upload was completed successfully, but the schedules log still recorded an upload failure. (1037841)
• Some log file fields were missing from log entries when a URL had been processed that was sent in invalid UTF-8 code. (1033618)
• When a cron job for log file rotation was performed, an alert about an abnormal exit was written into the messages log, although the job had successfully been completed. (1034403)
• A typo appeared in a log entry within the storage log on Web Gateway. (1050984)

Backup
• Restoring a policy data backup on an appliance failed because no valid license had been imported before. (1042288)
• Restoring a policy data backup on an appliance according to schedule failed when using a backup file that had been retrieved from a different appliance. The failure was caused by using an incorrectly labeled option for restricting the backup to policy data on the user interface. (1043516)
• After a scheduled job had uploaded a backup file, an empty paragraph remained within the backup metadata. (1052503)
• Importing a configuration backup caused a stack overflow due to the use of an outdated SOCKS version, which prevented the daemon from starting. (1034923)

Miscellaneous
• The SNMP subagent failed during an OID query and reported segmentation faults. The faults were reported because a link had not been created that the script for controlling the status of the subagent relied on. This led to an inconsistent state of the Baseboard Management Controller. (1026606)
• When permission to create and delete rule sets had been configured for an administrator role, rule sets could only be created, not deleted, in this role. (1037018)
• When working with the hybrid solution, updates to Web Gateway versions were possible that did not allow synchronization with Web Protection SaaS, as the update script ignored the relevant upgrade protection restrictions. (1039636)
• When an internal data structure of Web Gateway had been corrupted due to a race condition, a write access caused the core process to fail with term signal 11. (1040511)
• Access to the user interface was delayed in the initializing connections phase, as a regular expression for configuring IP address exceptions consumed a large amount of stack resources. (1040733)
• When the License.RemainingDays property was configured in an error handling rule with 90 days for sending an email notification, the notification was in a few cases triggered even with more than 400 days still remaining. (1058578)
• When a node was unavailable within a transit net group in Central Management, access to another node in the same group was delayed. The delay occurred because the initial dashboard tab of the user interface on the other node was not displayed until the timeout for retrieving data from the unavailable node had expired. (1040813)
• An appliance could not be added as a node to a Central Management cluster when a third device was apparently involved in the process. This device slowed down the process and eventually caused it to fail. (1047197)
• References to properties in imported templates for messages to the user were provided as plain text and not as links to a window for property configuration. (1061831)

Installation instructions
The requirements for installing Web Gateway 7.5.2 on an appliance depend on the version you are currently running.
• When running an earlier 7.5.x version, you can immediately upgrade to the new version. See Upgrade from 7.3.x or later.
• When running a 7.4.x or 7.3.x version, you can upgrade to the new version after activating a repository. See Upgrade from 7.3.x or later.
• When running a 7.2.x or any earlier 7.x version:
  • Create a configuration backup. Use the options provided under Troubleshooting | Backup/Restore on the user interface to create the backup.
  • Upgrade to the new version. See Upgrade from 7.2.x or earlier 7.x. The upgrade process includes a major upgrade of the operating system. It takes several steps and more time than usual. If the upgrade process fails or is interrupted, you can re-image the appliance using an image of the new version and install the configuration backup.
  Alternatively, you can:
  • Create a configuration backup.
  • Re-image the appliance using an image of the new version and install the configuration backup.
• When running a 6.8.x or 6.9.x version, you must re-image the appliance using an image of the new version.

Download an image of the new version from the download page of the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/software_mwg7_download.

For more information on re-imaging, see the McAfee Web Gateway Installation Guide.

Upgrade from 7.3.x or later
When running an earlier 7.5.x version, you can immediately upgrade to the new version. With a 7.4.x or 7.3.x version, you must activate a repository before upgrading. You can perform the upgrade on the user interface or from a system console.

Activate the repository
Activate the repository for the new version before upgrading from a 7.4.x or 7.3.x version. You can activate the repository from a local system console, which is directly connected to an appliance, or work remotely using SSH.
Task
1  Log on to the appliance you want to perform the upgrade on.
2  Run the following command:
   mwg-switch-repo 7.5.2
You can now upgrade to the new version on the user interface or from a system console.

Upgrade on the user interface
You can work with the options of the user interface to perform the upgrade.
Task
1  Select Configuration | Appliances.
2  On the appliances tree, select the appliance you want to perform the upgrade on. The appliance toolbar appears on the upper right of the tab.
3  Click Update Appliance Software. The upgrade to the new version is performed. The upgrade process also logs you off from the user interface.
4  When a message informs you that the upgrade has completed, proceed as follows:
   a  Log on to the user interface again.
   b  Select Configuration | Appliances, then select your appliance.
   c  On the appliance toolbar, click Reboot.
When the restart has completed, you can log on to the user interface again and start working with the new version.


Upgrade from a system console
You can upgrade from a local system console, which is directly connected to an appliance, or remotely using SSH.
Task
1  Log on to the appliance you want to perform the upgrade on.
2  Run the following two commands:
   yum upgrade yum
   yum upgrade
   The upgrade to the new version is performed.
3  When a message informs you that the upgrade has completed, run the following command:
   reboot
When the restart has completed, a logon prompt appears. You can now log on to the user interface and start working with the new version.

Upgrade from 7.2.x or earlier 7.x
When running a 7.2.x version or any earlier 7.x version, use a system console to upgrade to the new version. You can use a local system console, which is directly connected to an appliance, or work remotely using SSH.
Task
1  Log on to the appliance you want to perform the upgrade on.
2  Run the following two commands:
   yum upgrade yum yumconf\*
   mwg-dist-upgrade 7.5.2
   The upgrade to the new version is performed in two phases. After each phase, the appliance restarts automatically.
3  Proceed in one of the following ways to complete the installation:
   • If you are using a local system console: When the second restart has completed, a logon prompt appears. You can now log on to the user interface and start working with the new version.
   • If you are using SSH: When the appliance restarts after the first upgrade phase, you are disconnected and the second upgrade phase begins. After this phase has completed, including the automatic restart, you can log on to the user interface and start working with the new version. If you log on before the second upgrade phase has completed, a message states that this phase is still in progress. When the appliance restarts at the end of this phase, you are disconnected again. Then you need to log on again to be able to work with the new version. You can also run the following command to view messages about the upgrade progress:
     tail -F /opt/mwg/log/update/mlos2.upgrade.log
     When you see that the upgrade has completed, press Ctrl+C to stop the monitoring process. You can now log on to the user interface and start working with the new version.
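As an added example (not code from the release notes or from McAfee), the following POSIX shell pre-flight helper turns the version-dependent upgrade rules above into a printed command plan and checks for a leftover bonding configuration, which the Network interface bonding section says must be removed before upgrading. It assumes the installed version is supplied in an MWG_VERSION variable and that bond interfaces appear under /proc/net/bonding; both names are assumptions, not taken from the notes.

```shell
#!/bin/sh
# Added pre-flight helper (not part of the McAfee release notes or product):
# prints the documented command sequence for upgrading to Web Gateway 7.5.2
# from a given installed version and checks for a leftover NIC bonding
# configuration, which the notes say must be removed before upgrading.
# Assumptions: the installed version is supplied as "major.minor.patch" in
# MWG_VERSION (the notes name no command for reading it); bond interfaces are
# detected through the kernel's /proc/net/bonding directory, whose path is a
# parameter so the check can be exercised on a constructed directory.
# The helper never runs yum itself; it only prints the plan (dry run).

# upgrade_plan VERSION: print one command per line for the documented path.
# Returns 1 when the notes document no path from VERSION to 7.5.2.
upgrade_plan() {
    v=$1
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo "upgrade_plan: unrecognised version '$v'" >&2; return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -eq 7 ] && [ "$minor" -eq 5 ]; then
        # Earlier 7.5.x: upgrade directly from a system console.
        printf '%s\n' 'yum upgrade yum' 'yum upgrade' 'reboot'
    elif [ "$major" -eq 7 ] && [ "$minor" -ge 3 ] && [ "$minor" -le 4 ]; then
        # 7.3.x / 7.4.x: activate the 7.5.2 repository first.
        printf '%s\n' 'mwg-switch-repo 7.5.2' 'yum upgrade yum' 'yum upgrade' 'reboot'
    elif [ "$major" -eq 7 ] && [ "$minor" -le 2 ]; then
        # 7.2.x or earlier 7.x: major OS upgrade in two phases with automatic
        # restarts; the notes require a configuration backup beforehand.
        echo "reminder: create a configuration backup (Troubleshooting | Backup/Restore) first" >&2
        printf '%s\n' 'yum upgrade yum yumconf\*' 'mwg-dist-upgrade 7.5.2'
    elif [ "$major" -eq 6 ] && { [ "$minor" -eq 8 ] || [ "$minor" -eq 9 ]; }; then
        # 6.8.x / 6.9.x: no in-place upgrade; re-image with a 7.5.2 image.
        printf '%s\n' 'reimage'
    else
        echo "upgrade_plan: no documented path from $v to 7.5.2" >&2
        return 1
    fi
}

# bonding_check [PROCDIR]: return 0 if no bond interface is configured under
# PROCDIR (default /proc/net/bonding), else warn for each one and return 1.
bonding_check() {
    dir=${1:-/proc/net/bonding}
    [ -d "$dir" ] || return 0           # bonding module not loaded: nothing to remove
    found=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue         # empty directory: the glob did not expand
        echo "WARNING: bond interface $(basename "$f") is configured; remove it before upgrading" >&2
        found=1
    done
    return $found
}

# Dry run when MWG_VERSION is set, e.g.: MWG_VERSION=7.4.2 sh preflight.sh
if [ -n "${MWG_VERSION:-}" ]; then
    bonding_check || exit 1
    upgrade_plan "$MWG_VERSION"
fi
```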

Known issues
For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82983.

Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge Center.
Task
1  Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.
2  In the Knowledge Base pane, click a content source:
   • Product Documentation to find user documentation
   • Technical Articles to find KnowledgeBase articles
3  Select Do not clear my filters.
4  Enter a product, select a version, then click Search to display a list of documents.

Product documentation
Every McAfee product has a comprehensive set of documentation. For Web Gateway, this includes the following:
• McAfee Web Gateway Product Guide — Describes the features and capabilities of Web Gateway, providing an overview of the product, as well as detailed instructions on how to configure and maintain it
• McAfee Web Gateway Installation Guide — Describes how to set up Web Gateway, as well as several devices that can be run with the product
• McAfee Web Gateway Quick Start Guide — Describes high-level steps for setting up a Web Gateway version that is shipped as pre-installed appliance software on a hardware platform. This document is shipped in printed format with the pre-installed software and the hardware. Web Gateway 7.5.2 is not provided as pre-installed software.
• McAfee Web Gateway SSO Catalog — Provides a list of the cloud applications and services that are supported by Web Gateway with preconfigured connectors or connector templates

Copyright © 2015 McAfee, Inc. www.intelsecurity.com Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others. A00