McAfee Security Management Center Release Notes
Release Notes Revision A McAfee Security Management Center 5.8.2 Contents About this release Enhancements Resolved issues Installation instructions Upgrade instructions System requirements Build version Compatibility Known issues Find product documentation About this release This document contains important information about the current release. We strongly recommend that you read the entire document. Enhancements This release of the product includes these enhancements, which have been added since version SMC 5.8.1. Integration with McAfee ESM SMC API now enables requests for sending blacklist entries. The SMC API request is later used by McAfee® Enterprise Security Manager (McAfee ESM). McAfee ESM is used for security information event management (SIEM), and it is already integrated with the SMC through syslog. The new blacklisting integration enables administrators to create new blacklist entries for McAfee NGFW engines directly from the McAfee ESM user interface. Improved Log Server performance The receiving performance of the Log Server has significantly increased. When used for receiving and storing logs only, the performance will scale up linearly up to 10 CPU cores. SMC API enhancements Full support for create, read, update, and delete operations on Expression network elements. Support for using all System Aliases for retrieving group content and rule content. 1 Resolved issues These issues have been resolved since SMC version 5.8.1. For a list of issues that have been resolved in earlier releases, see the Release Notes for the specific release. Issue Description The Log Server on a Windows 64-bit platform may stop log reception (#92645) The Log Server on a Windows 64-bit platform may stop receiving logs. This can happen if the Log Server is configured to monitor a third-party element using the "Ping" Probing Profile. When the problem occurs, the Log Server does not listen on port 3020. Workaround: Restart the Log Server to restart log reception. To prevent the problem from happening again, use a different Probing Profile. Engine Editor always prompts to save changes when closed (#107151) The Engine Editor always prompts to save changes when it is closed, even if there have not been any changes made. Management Server backup size increases (#107796) The Management Server backup size increases due to Snapshots not being deleted. By default, the Management Server stores 100 Snapshots per managed element (The MAX_NB_SNAPSHOTS parameter in the <SGHOME>/data/SGConfiguration.txt file defines the limit). However, Snapshots that exceed the set limit are not deleted. Workaround: Contact Technical Support for a workaround. Policy installation can fail if policy is not based on default Template Policy (#109416) Policy installation can fail if the policy is not based on the default Template Policy. The error may refer to a "Syntax error" and state that "creating sg_inspection configuration failed." This error occurs when the default Template Policy is not used and the installed policy does not have any IPv6 Access rules defined. Workaround: Add an IPv6 Access rule to the policy. If the Template Policy that is used does not have the IPv6 rule insert point, you must first add the insert point to the Template Policy. Creating rules from log events fails (#111491) It is currently not possible to use log entry details to create rules. The problem applies to all policy types. Changing Physical Interface properties on Master Engine can clear Virtual Resource allocation (#111537) In configurations where Virtual Resources have been allocated to VLAN Interfaces on a Master Engine, the Virtual Resources might be cleared after making changes to Physical Interface properties on the Master Engine. Workaround: Allocate the Virtual Resources again after making changes to the Physical Interface properties. Not possible to create or edit elements using Mac OS X (#111953) If you use the Management Client using Web Start and the operating system on your client computer is Mac OS X, you might not be able to create elements or edit existing elements. When trying to create or edit an element, you might see a Class Cast exception error message. Workaround: Locate the SgClientConfiguration.txt file in the .stonegate folder on your client computer. Add this line to the file: NIMBUS_LF=true This line fixes the issue and also improves the rendering in Mac OS X. Policy installation error when Forward action used for VPNs (#112121) Policy installation fails in a VPN setup where the Forward action is used to forward traffic from the client VPN to another VPN tunnel. The error message has the following content: "Failed to generate the tunnels of the <name of VPN> VPN referenced in the rule...". Workaround: Select the "Restrict Virtual Address Ranges" option for VPN endpoint firewalls. To locate the option, open the Firewall for editing and, in the Engine Editor, go to VPN > VPN Client. 2 Issue Description NGF-321-C2 front panel image not shown in System Status view (#112200) The NGF-321-C2 appliance front panel image is not shown correctly in the System Status view. Opening External Gateway Site properties fails (#112308) Opening the properties of an External Gateway Site element fails with the following error message: "Failed to display." This happens both in the Route-Based VPN view and in the Gateways view. Workaround: Open the External Gateway Site element properties from the Sites branch of the External Gateway properties. Default columns in Blacklist Monitoring view are for old engine versions (#112328) The columns that are shown by default in the Blacklist Monitoring view are meant for old engine versions. Because of this, sorting entries by source IP address, for example, does not work as expected. Workaround: Click Columns in the top panel of the Blacklist Monitoring view and select Column Selection. In the Column Selection dialog, select columns starting with the "BL " string instead of ports and addresses. You can add the following columns to the view: BL Dst Addr, BL Dst Port, BL Protocol, BL Src Addr, and BL Src Port. Duplicating some Application elements creates broken references (#112385) Duplicating some Application elements creates broken references to sub-applications. These sub-applications are normally not visible in the Management Client. Installing a policy or exporting an element fails due to the broken references. The error message that is shown includes the following: "Missing regular expression on..." Workaround: Delete the duplicate Application element. The subapplications cannot be edited. Using elements without IP addresses as Access rule matching criteria may create a rule that never matches (#112405) Using several elements that have no IP address as matching criteria in the Source or Destination cell of an Access rule may create a rule that never matches. Using User, Domain Name, or Zone elements in the format ( <first_element> and <second_element> ) can cause this. Moving Firewall policy from one template to another can cause Access rules to disappear (#112479) Moving a Firewall policy under a custom template to a Firewall Template or vice versa may cause Access rules to disappear. The rules reappear when the policy is moved back to the original template. Snapshot comparison to most recently saved policy fails (#112504) A policy Snapshot comparison with the option "Compare Snapshot to Most Recently Saved Policy" fails. The error message can vary, depending on the configuration. Default name used for VPN Gateways causes new virtual security engine creation to fail (#112616) When adding a second virtual security engine for a Master Engine, saving it fails with the message: "Failed to save Virtual Firewall XXX Element name - Primary is already used". Workaround: In a custom template, add a second insert point, select all the rules in the policy, then drag and drop them to the new insert point. After that, move the policy to a different template. The internal Gateway element is created automatically when the Firewall element is created. The default name for the VPN Gateway is the same for all virtual security engine VPN gateways on the Master engine. Workaround: In the Engine Editor, expand the VPN branch, and on the Client page, set the Gateway Display Name to be unique for each VPN Gateway. 3 Issue Description SMC replication in highavailability setup may fail in timeout after upgrade to SMC 5.7.3 (#112830) The automatic replication of SMC configuration data in a high-available setup may fail in timeout after upgrading to SMC 5.7.3. Automatic replication is considered failed when it takes more than 10 minutes. This is more likely to occur when the primary Management Server runs on Windows and the backup is of a significant size. Workaround: Reducing the number of stored snapshots may help speed up the replication enough for automatic replication to succeed. Policy installation fails for certain appliance models with initial license (# 112841) Policy installation fails for certain newly installed appliance models that use the initial license. This affects, for example, models FWL-321-C1, FWL-325-C1, and FW-315. Workaround: Install a permanent license for the appliance. A permanent license can be registered and downloaded from https://my.stonesoft.com/managelicense.do. Log in using the appliance POS code that is shown on a sticker on the appliance. Policy installation might fail when same gateway element is referenced by site-to-site VPN and mobile VPN (#112866) Installing a policy on a Firewall might fail with the following error: "The IPsec Client Gateway and the <gateway> are involved in the following client-to-gateway VPNs: <VPN name>, <VPN name>. In the rule tagged <rule tag>, the action section must reference a specific VPN. Failed to build specific configuration for <gateway>." This might happen when the same VPN Gateway element is referenced by one or more site-to-site VPNs and one or more mobile VPNs. See workaround options in KB83790. sgInfo task for generating engine sgInfos automatically fails (#113045) Creating a new sgInfo task for generating engine sgInfos automatically fails. The following error is shown: "Unexpected parameter index. Declared size= 5. processing table size= 6. Type= 1". Existing sgInfo tasks also fail to run. Workaround: You can use the Get sgInfo command in the Management Client to generate engine sginfos. Incorrect warning about Anti-Virus settings (#113063) If the Anti-Virus feature is enabled on engines lower than version 5.8 in Access rule Action options and File Filtering is also enabled, an incorrect warning message is displayed when you install the policy: "Anti-Virus settings in IPv4 Access rule @<rule tag> are ignored: the installed software version <version build> does not support Anti-Virus on Master, IPS or Layer engines." File Filtering must be enabled in the policy to turn on Anti-Virus scanning. Snapshot-related actions may fail after activating dynamic update 614 or newer (#113077) Restoring a snapshot, comparing snapshots, previewing a snapshot, and other actions related to snapshots may fail if you have activated dynamic update 614 or newer. A problem related to System report updates was introduced in dynamic update 614. The error message that is shown typically includes the following, but the content of the first line varies depending on the action: "Database problem. Details: Parse error in file System Snapshot (6XX)exported_data.xml at line XXXX: DTD claims: Element <report> has no attribute "style_template_key" Automatic rules for IPv6 traffic do not work (#113092) IPv6 traffic does not match Automatic rules that should redirect IPv6 traffic to IPv6 Access rules. Workaround: Automatic rules for IPv6 traffic can be removed by editing the Template Policy. 4 Issue Description Engine state synchronization traffic might fail if target IP address is changed (#113210) In the default configuration, the target IP address for state synchronization traffic is the same for both the primary and the backup state synchronization interfaces. If the engine configuration is changed so that the IP addresses are no longer identical, the generated policy only allows traffic from the backup state synchronization interface. The primary state synchronization channel is shown as failed. Workaround: Configure the same target IP address for both the primary and the backup state synchronization traffic. Warning of user database replication when SSL VPN Portal set up on Virtual Firewall (#113216) If an SSL VPN Portal is enabled on a Virtual Firewall interface, when the policy is installed, the message "requires user authentication but user account replication to the Virtual Firewall is disabled" is shown. User database replication cannot be enabled for the Virtual Firewall. Instead, it needs to be enabled on the Master Engine. The warning is present, even when user database replication is correctly enabled on the Master Engine. Automatic policy refresh may fail after dynamic update package has been activated (#113345) Automatic policy refresh may fail after a dynamic update package has been activated. You can configure automatic downloads for dynamic update packages on the Updates tab of the Global System Properties dialog box. Workaround: Go to File > System Tools > Global System Properties. On the Updates tab, select "Notify When Updates Have Been Activated." Manually refresh the policy after the dynamic update package has been activated. SMC upgrade may fail on Linux if revert has been done in the past (#113351) Upgrading the SMC to version 5.7.4, 5.8.0, or 5.8.1 on the Linux operating system may fail if you have performed a rollback in the past using the <install dir>/uninstall/revert.sh script. Workaround: Make sure that the <install dir>/backups folder has no folder name starting with sgrollbackfolder... Empty log files may interfere with engine status monitoring (#113486) When engine nodes generate a large amount of log data in real time, some log entries may be sent as re-ordered by the engine, which forces the Log Server to create several .arch files for the same engine (the log entries are time-ordered). The Log Server reassembles some of these log files to reduce the number of generated .arch files. If a file that does not exist anymore is accessed, an empty log file may be generated. When the empty log file is found, it is moved to a corrupted folder and the following Alert is generated: "The file PathReference: <path>.arch is corrupted." Having many empty log files reduces Log Server performance and results in a large number of Alerts. Empty log files are detected when they are accessed in the Logs view or in Reports. Reduced Log Server performance may be indicated by monitored engine nodes briefly blinking red and then returning to green status. This behavior is more likely to occur when deep inspection is enabled and extensive logging is configured, and other resource-intensive tasks like Overviews or Reports are also used. Workaround for Windows operating systems: If Alerts about corrupted log files are continuously generated, see KB83773 for a workaround for deleting empty log files before the SMC detects them. Removing node from cluster fails (#113631) The Remove Node option on cluster element fails to save the change. The following error message is displayed: "Failed to save Firewall Cluster. Database problem. Write Interfaces for <name> failed". File Filtering policy Action option not supported by current engine versions (#113688) File filtering policy rules have an action option "Decompress Archives and Rematch Content". By default, this option is enabled. However, current engine versions do not support this option. 5 Issue Description Link-Local IPv6 Unicast Addresses Network element cannot be added to Routing tree (#113839) A Link-Local IPv6 Unicast Addresses Network element cannot be added to the Routing tree. If there is an existing Link-Local IPv6 Unicast Addresses Network, the correct firewall configuration is generated. VLAN interface IDs are not updated in Routing and Antispoofing panes (#113998) VLAN interface IDs are not updated in the Routing and Antispoofing panes if the interface ID of a physical interface is changed. The Interfaces pane and the generated configuration are correctly updated. Web Start Management Clients fail to open Statistics arrangement of Logs view with Java JRE 8u31 (#114070) Management Clients launched using Web Start fail to open the Statistics arrangement of the Logs view when Java Runtime Environment (JRE) version 8u31 is installed on the client computer. The following error is shown: "Cannot open the Statistics view. 25196". Workaround: Install the Management Client locally on your computer or downgrade the JRE to an older version, such as JRE 8u25. Installation instructions Note The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security Management Center is installed for the first time. The main installation steps for the McAfee Security Management Center and the Firewall, IPS, or Layer 2 Firewall engines are as follows: 1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s). 2. Import the licenses for all components (you can generate licenses on our website at https://my.stonesoft.com/managelicense.do). 3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Security Engine Configuration view. 4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2 Firewall element and selecting Save Initial Configuration. 5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4. 6. Create and upload a policy on the engines using the Management Client. The detailed installation instructions can be found in the product-specific installation guides. For a more thorough explanation of using the McAfee Security Management Center, refer to the Management Client online Help or the McAfee SMC Administrator’s Guide. For background information on how the system works, consult the McAfee SMC Reference Guide. All guides are available for download at https://www.stonesoft.com/en/customer_care/documentation/current/. Upgrade instructions Note McAfee Security Management Center (Management Server, Log Server and Web Portal Server) must be upgraded before the engines are upgraded to the same major version. McAfee Security Management Center (SMC) version 5.8.2 requires an updated license if upgrading from version 5.7 or lower. Unless the automatic license update functionality is in use, request a license upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license using the Management Client before upgrading the software. To upgrade an earlier version of the SMC to McAfee Security Management Center version 5.8.1, we strongly recommend that you stop all the McAfee NGFW services and take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically. Versions lower than 5.2.0 requires an upgrade to version 5.2.0 – 5.7.4 before upgrading to version 5.8.2. 6 System requirements Basic management system hardware requirements • Intel Core family processor or higher recommended, or equivalent on a non-Intel platform • A mouse or pointing device (for Management Client only) • SVGA (1024x768) display or higher (for Management Client only) • Disk space for Management Server: 6 GB • Disk space for Log Server: 50 GB • Memory requirements for 32-bit operating systems: • o 2 GB RAM for Server (3 GB minimum if all components are installed on the same server) o 1 GB RAM for Management Client o 6 GB RAM for Server (8 GB minimum if all components are installed on the same server) o 2 GB RAM for Management Client Memory requirements for 64-bit operating systems: Operating systems McAfee Security Management Center supports the following operating systems and versions: • Microsoft® Windows Server 2012™ R2 (64-bit)* • Microsoft® Windows Server 2008™ R1 SP2 and R2 SP1 (64-bit)* • Microsoft® Windows 7™ SP1 (64-bit)* • CentOS 6 (for 32-bit and 64-bit x86)** • Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)** • SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)** • Ubuntu 12.04 LTS (for 64-bit x86)** *) Only the U.S. English language version has been tested, but other locales may work as well. **) 32-bit compatibility libraries lib and libz are needed on all Linux platforms. Note 32-bit Windows environments are no longer officially supported in SMC 5.8. Web Start Clients In addition to the operating systems listed above, McAfee Security Management Center can be accessed through Web Start by using the following Mac OS and JRE versions: • Mac OS 10.9 with JRE 1.7.0_67 7 Build version McAfee Security Management Center version 5.8.2 build version is 8821. This release contains Dynamic Update package 626. Product Binary Checksums smc_5.8.2.8821.iso SHA1SUM a8f3424706420de554244a3a99739e254d0a3269 smc_5.8.2.8821.zip SHA1SUM 0d40f01cee498de1392f706c67b65ff755ce269d smc_5.8.2.8821_linux.zip SHA1SUM 4aac22e1cf87d344b90c1292d239566c9437af1c smc_5.8.2.8821_windows.zip SHA1SUM 8e29ce588e2160b276a1d7152323a981f6d0d90a smc_5.8.2.8821_webstart.zip SHA1SUM 734d17333f01b13aca78256c7328f026ff8e988b Compatibility McAfee Security Management Center version 5.8 is compatible with the following McAfee and NGFW component versions: • McAfee Next Generation Firewall (NGFW) 5.7 and 5.8 • Stonesoft Security Engine 5.4 and 5.5 • Stonesoft Firewall engine 5.3 • Stonesoft SSL VPN 1.5 • McAfee ePolicy Orchestrator (McAfee ePO) 4.6 and 5.0 • McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only) Note SMC 5.8 no longer supports legacy Stonesoft IPS Analyzers, Combined Sensor-Analyzers, or Sensor versions 5.2 or lower. Native Support To utilize all the features of McAfee Security Management Center version 5.8, the following McAfee component versions are required: • McAfee Next Generation Firewall (NGFW) 5.8 Known issues For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82953. 8 Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the online Knowledge Center. 1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center. 2. Enter a product name, select a version, then click Search to display a list of documents. Copyright © 2015 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. 00-A 9
© Copyright 2024