Network Security Platform 7.1

Author: Harold Chapman
I‑series Release Notes

Network Security Platform 7.1 Revision C

Contents
• About this document
• New features
• Resolved issues
• Known issues
• Installation instructions
• Product documentation

About this document

This document contains important information about the current release. We strongly recommend that you read the entire document.

These release notes announce the availability of a maintenance release for McAfee I‑series Sensor software version 7.1. The release provides fixes for some of the I‑series Sensor software issues.

This release was developed for use with:
• Network Security Manager image version: 7.1.5.7
• Signature set: 7.5.32.9
• Network Security Sensor I‑series image version: 7.1.1.8

This version of 7.1 Manager software can be used to configure and manage the following hardware: I‑series Sensors, M‑series Sensors, N‑series Sensors, XC Cluster, and NTBA Appliances.

New features

This release of the product includes this new feature.

CLI command to capture hardware errors in log

The following command has been included in the debug mode:

log datapath errors : Dumps hardware errors in the Sensor log file.

Sensor model      Datapath number
I‑1200, I‑1400    1
I‑2600, I‑2700    2
I‑3000            4
I‑4000, I‑4010    8

Resolved issues

Resolved Sensor software issues

The following table lists the high‑severity Sensor software issues:

ID #    Issue Description
838173  [I‑3000, I‑4010] The Sensor remains in the uninitialized state when SSL is enabled but IPv6 is disabled.
796871  Negated Snort IP address rules may result in a Sensor reboot.
786995  The Sensor when rebooted with FO kit controller cable removed causes the Sensor ports to show incorrect port state.
740525  In certain cases, the Sensor can cause out‑of‑order packets that result in certain servers requiring to reassemble packets.

The following table lists the medium‑severity Sensor software issues:

ID #    Issue Description
822746  The "show flows" command takes a long time to execute.
822316  For certain unsupported SSL certificates, the Sensor may reboot while updating the certificate from the Manager.
821844  A rare Linux kernel race condition was observed when the driver attempts to send TCP packet after the peer connection is reset. This may cause the Sensor to reboot.
810394  After ports go to bypass mode, when the FO kit is connected, the Sensor port state changes are not reflected correctly on the Manager interface.
797961  When packet logs are generated at a very high rate (as during Forensic Packet Logging), there is a rare chance of a race condition to occur. This can result in an internal deadlock causing the configuration update from the Manager to fail.
784007  In a very rare scenario when the Sensor is processing excessive alerts and packet log data, it may reboot.
781204  Fix the rare kernel hang in Sensor due to NTP leap indicator message. This bug is applicable only if NTP is enabled on the Sensor during the time when leap second is added.
781065  A rare race condition between snort engine initialization and configuration update can cause the Sensor to reboot.
773568  The shell marker resource statistics is incorrectly showing high percentage in the CLI.
759048  When SYN‑ACK is received before SYN, ACL groups may not work on SPAN ports.
754858  Enhance the latency monitoring feature to ensure the Sensor does not cause high latency under DoS attacks.
737227  SSH Login Brut Force Detected is not detected if the attack filter has IP address ranges configured.
727475  On SPAN port, the alert raised for the sub‑interface shows the incorrect interface.

Resolved Manager software issues

The following table lists the high‑severity Manager software issues:

ID #    Issue Description
816769  Evidence reports are not getting exported.
814217  Proxy server option not available in Central Manager.
812792  Central Manager ‑ Manager communication problem in MDR.
804199  7.x Manager imposed a new limit on rule objects at 10. This is not feasible for NAC implementations.
794387  Layer 7 data forward to Syslog is not available.
793083  Automated import of Vulnerability data to Manager failed.
769535  Javascript errors when adding an address to a CIDR sub‑interface.
736305  Alert Data Pruning fails on the Secondary Manager.
734882  Nessus report failed to import in Manager.
788994  Java process reaches 100% of the CPU utilization due to issue in Sensor CLI audit log feature.
787714  Error when running alert table offline update scripts after Manager upgrade.
776788  Compilation error occurs when deploying signature set/UDS to Sensors.
761812  Unable to quarantine hosts.
676022  Problem with trustedsource checks when using a proxy server.

The following table lists the medium‑severity Manager software issues:

ID #    Issue Description
835447  Wrong error message when selecting higher number of flows to SSL decryption.
834588  Bulk Edit for Multiple policies does not take effect if attacks are selected using a filter based on signature set version.
831023  Unable to configure SNMP access to multiple M‑8000XC Sensors.
830514  Customized Policies Granularity settings changes automatically.
826007  Tomcat CVE vulnerabilities.
824780  Configuration update status is not written on the "iv_audit" table correctly.
824721  Blocked simulated results are not sent correctly via syslog.
823167  Default set whois server "www.internic.net" rejects Port:43 access from the Manager.
819319  No way to know if it is AM or PM for the displayed time in Version Control.
817486  Some of the Edit Attack Detail options that are unavailable are not grayed out.
816318  Alert Unavailable in Real‑Time Threat Analyzer if the report language is set to Chinese.
815741  The custom monitor is not displaying the port name.
815137  Error message when a host is successfully released from Quarantine.
814526  Unable to quarantine an attacker VM via vCenter.
814397  Error while saving Protection Profile settings.
813825  Unable to push update configuration to the Sensor.
812125  For Reconnaissance Attacks, the Custom Attack Editor does not display "Selected Attacks" and "Threshold" after saving the UDS.
811754  Central Manager to Manager synchronization fails on inclusion of a Snort rule.
811548  Unable to generate the Default ‑Top 10 Application Categories by Bandwidth Usage report correctly.
809640  For Reconnaissance Attacks, the signature set compilation fails when the UDS is added on to the Manager.
809595  BTP value of alert detail on Real‑Time Threat Analyzer is incorrect.
809240  Unable to change the following notification filter settings in the Syslog settings for Network Threat Behavior Analysis.
808244  The Network Security Platform extension caused high utilization on the ePO server during an ePO Server upgrade.
808241  The Real‑Time Threat Analyzer freezes.
807549  Sensor shows update required after Manager service restart even when there is no change on the Manager.
807529  XC Cluster's port status does not reflect actual port status.
807275  Syslog sends to facility mailog, when configured to send to facility local0.
807003  Two entries of "Not applicable" countries are shown in the Source Country report.
806687  Special characters are not allowed in proxy settings.
805003  Threat Analyzer Watch List not highlighting attacks for specific IP addresses.
803638  Relevancy is not working even after importing data from the MVM database to the Manager via Scheduled Import.
803467  Java high CPU utilization (95%+) after Manager upgrade.
803113  Not able to find "GenVulReportFlat.dtd" to import the third‑party report.
801944  Ports speed and duplex are shown incorrectly in the TAP mode.
799772  The "Automated Downloading" Save button logs out user from the Manager console when using Firefox 15.0.1.
798736  Customer is unable to add, remove, and delete scheduled reports.
798733  Host name and session start are not correct for the ePO host entries in the Real‑Time Threat Analyzer.
797931  Attack Filter is not getting applied on policy for LOIC Reconnaissance attacks from Threat Analyzer.
797126  In Threat Analyzer, user is unable to close the Manage Attack Filter window if the Filter Assignment window is closed first.
796702  The Manager sends a wrong syslog facility to the Syslog server.
796623  The Customized Community field value is overwritten by the Community String field value when they have different values.
795738  The "Device re‑discovery failure" alert occurs when a Sensor is rebooted.
795496  The Attack Destination Reputation Summary dashboard shows incorrect Source Reputation data.
795323  Java process reaches 100% of the CPU utilization and was unable to connect because of applications query in firewall module.
795260  The Hourly Data Mining and the Daily Data Mining fields are not displayed under the correct section on the Manager user interface.
795116  Fields in Next‑generation report generated for bot are blank.
793262  Child user can see data in reports for all Sensors.
791266  Dashboard is not showing the port throughput.
791131  The MDR dump also contains the APP_VIZ tables leading to a big file size.
791130  The Configuration Tables backup does not exclude all the tables it should.
791128  Keycertgen utility is not replacing the certification files.
790821  The Destination Country filter in the Threat Analyzer does not populate any values.
789080  Manager can create more ACL rules than compared to the Sensor limit.
788916  Attack Encyclopedia not available for some of the attacks after Manager upgrade.
787786  Backup type in Automation setting does not save the provided value.
787719  Unable to read imported MVM 7.0 xml reports Host_Data.xml or Risk_Data.xml in Manager.
785128  Should not display the earlier UDS attacks on importing new signature set.
783834  The Show Diff on the policy settings displays incorrect information for Syslog and SNMP notification.
781083  The threatanalyzer log increases in size after session time out.
778826  Auto Update / Auto Deployment updates even Sensor is configured to offline updates.
778176  The Disable Blocking option is not working for 5.1 Sensors after changing the signature set.
773103  NSLookup through Real‑Time Threat Analyzer for most IP addresses does not return results.
769560  Unable to save the Archive scheduler configuration.
768564  Java process reaches 100% of the CPU utilization because of issue in the Sensor CLI audit log feature.
767827  Signature software image‑signature file combo download signature push failure after Sensor upgrade.
766993  Unable to save changes in the Maintenance tab.
766619  [Central Manager] Not able to save a display filter if you use the Sensor name in the display filter.
764986  SMTP address field of NTBA alert notification is limited to 24 characters.
763608  VLAN scanning exception for a port cluster only displays one of the port pairs.
760406  Unable to select policy of child domain in Traditional report.
757998  Unable to add fixed field value comparison based custom signatures.
757982  SNMP trap showing wrong interface information.
756261  The Port Utilization graph does not show data when zoomed back into 5 minutes' view.
755788  Alerts displayed must be in the local time of the NTBA Appliance.
755442  Newly added CIDR blocks are not displayed in the Manager.
755207  Numerous Java Null Pointer exceptions causing Real‑Time Threat Analyzer performance issues.
752900  Logger names (SyslogAlertForwarder, SyslogFaultForwarder etc.) are missing in the Syslog header messages.
751933  [Threat Analyzer] The Sensor sometimes sends "duration" as non‑zero for individual alerts but on the Threat Analyzer, the source and destination port are shown as '0'.
751559  The Sensor compilation fails if the Sensor has any Interface group created with a SPAN port inside it.
751478  The columns in report are not aligned properly.
743522  "An internal application error occurred" message is displayed when generating report.
741806  Deprecated signature still appears in the Signature description.
738499  The Update server Automation weekly schedule option goes back to SUNDAY.
737369  Manager fails to retrieve some data in failover.
731653  Performance Monitoring Alerts are not being sent to the trap receiver system.
724762  The Network Access Zone and the Monitoring Port are not available after restarting the Threat Analyzer.
707841  Timestamp format exception when running an archive restore.
703025  Out of memory error during compilation due to bug in readFully JAVA API.
688926  Incident Generator is not working.

Known issues

I‑series Sensor software issues: KB75581
Manager software issues: KB76517

Installation instructions

Review the following before you install the Manager software:

The following table lists the 7.1 Manager server requirements:

OS
  Minimum required: Any of the following:
    • Windows Server 2008 R2 Standard or Enterprise Edition, English OS, SP1 (64 bit) (Full Installation)
    • Windows Server 2008 R2 Standard or Enterprise Edition, Japanese OS, SP1 (64 bit) (Full Installation)
    Only X64 architecture is supported.
  Recommended: Same as the minimum required.

Memory
  Minimum required: 4GB
  Recommended: 8GB

CPU
  Minimum required: Server model processor such as Intel Xeon
  Recommended: Same

Disk space
  Minimum required: 40GB
  Recommended: 80GB disk with 8MB memory cache

Network
  Minimum required: 100Mbps card
  Recommended: 1000Mbps card

Monitor
  Minimum required: 32‑bit color, 1024 x 768 display setting
  Recommended: 1280 x 1024

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

OS
  Minimum: Any of the following:
    • Windows Server 2008 R2 – Standard or Enterprise Edition with SP1 (English) (64 bit)
    • Windows Server 2008 R2 – Standard or Enterprise Edition with SP1 (Japanese) (64 bit)
    Only X64 architecture is supported.
  Recommended: Same as minimum required.

Memory
  Minimum: 4 GB
  Recommended: 8 GB

Virtual CPUs
  Minimum: 2
  Recommended: 2 or more

Disk Space
  Minimum: 40GB
  Recommended: 80GB

Component               Minimum
Virtualization software • VMWare ESX Server version 4.0 update 1 and version 4.1
                        • ESXi 5.0
CPU                     Intel Xeon ® CPU ES 5335 @ 2.00GHz; Physical Processors – 2; Logical Processors – 8; Processor Speed – 2.00GHz.
Memory                  Physical Memory: 16GB
Internal Disks          1 TB

The following table lists the 7.1 Manager client requirements when using Windows 7:

OS
  Windows 7

RAM
  Minimum: 2 GB
  Recommended: 4 GB

CPU
  Minimum: 1.5 GHz processor
  Recommended: 1.5 GHz or faster

Browser
  Minimum:
    • Internet Explorer 8.0 or 9.0
    • Mozilla Firefox 4.0 and above
  Recommended: Internet Explorer 9.0

The following table lists the 7.1 Manager client requirements when using Windows XP SP3:

OS
  Windows XP SP3

RAM
  Minimum: 1 GB
  Recommended: 2 GB

Browser
  Minimum:
    • Internet Explorer 7.0 or 8.0
    • Mozilla Firefox 4.0 and above
  Recommended: Internet Explorer 8.0

For the Manager client, in addition to Windows 7 and Windows XP, you can also use the operating systems mentioned for the Manager server.

For more information, see McAfee Network Security Platform Installation Guide.

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The minimum required software versions to upgrade to this release of 7.1 are listed below:

Software Component        Minimum Version for Upgrade
Manager/Central Manager   6.1.1.7 and above
I‑series                  6.1.1.7 and above

For more information, see McAfee Network Security Platform Upgrade Guide.

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1 Go to the McAfee Technical Support Service Portal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access...          Do this...

User documentation
  1 Click Product Documentation.
  2 Select a product, then select a version.
  3 Select a product document.

KnowledgeBase
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.

Copyright © 2013 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. 0C-00