McAfee Security Management Center Release Notes

Release Notes
Revision A
McAfee Security Management Center 5.8.2
Contents
 About this release
 Enhancements
 Resolved issues
 Installation instructions
 Upgrade instructions
 System requirements
 Build version
 Compatibility
 Known issues
 Find product documentation
About this release
This document contains important information about the current release. We strongly recommend that
you read the entire document.
Enhancements
This release of the product includes these enhancements, which have been added since SMC version
5.8.1.
Integration with McAfee ESM
The SMC API now accepts requests that send blacklist entries. This SMC API request is used by
McAfee® Enterprise Security Manager (McAfee ESM). McAfee ESM is used for security information event
management (SIEM), and it is already integrated with the SMC through syslog. The new blacklisting
integration enables administrators to create new blacklist entries for McAfee NGFW engines directly
from the McAfee ESM user interface.
Improved Log Server performance
The receiving performance of the Log Server has significantly increased. When used for receiving and
storing logs only, the performance will scale up linearly up to 10 CPU cores.
SMC API enhancements
The SMC API now fully supports create, read, update, and delete operations on Expression network
elements, and supports using all System Aliases when retrieving group content and rule content.
Resolved issues
These issues have been resolved since SMC version 5.8.1. For a list of issues that have been resolved in
earlier releases, see the Release Notes for the specific release.
Issue
Description

The Log Server on a Windows 64-bit platform may stop log reception (#92645)
The Log Server on a Windows 64-bit platform may stop receiving logs.
This can happen if the Log Server is configured to monitor a third-party
element using the "Ping" Probing Profile. When the problem occurs, the
Log Server does not listen on port 3020.
Workaround: Restart the Log Server to restart log reception. To prevent
the problem from happening again, use a different Probing Profile.

Engine Editor always prompts to save changes when closed (#107151)
The Engine Editor always prompts to save changes when it is closed,
even if there have not been any changes made.

Management Server backup size increases (#107796)
The Management Server backup size increases due to Snapshots not
being deleted. By default, the Management Server stores 100
Snapshots per managed element (The MAX_NB_SNAPSHOTS parameter
in the <SGHOME>/data/SGConfiguration.txt file defines the limit).
However, Snapshots that exceed the set limit are not deleted.
Workaround: Contact Technical Support for a workaround.

Policy installation can fail if policy is not based on default Template Policy (#109416)
Policy installation can fail if the policy is not based on the default
Template Policy. The error may refer to a "Syntax error" and state that
"creating sg_inspection configuration failed."
This error occurs when the default Template Policy is not used and the
installed policy does not have any IPv6 Access rules defined.
Workaround: Add an IPv6 Access rule to the policy. If the Template
Policy that is used does not have the IPv6 rule insert point, you must
first add the insert point to the Template Policy.

Creating rules from log events fails (#111491)
It is currently not possible to use log entry details to create rules. The
problem applies to all policy types.

Changing Physical Interface properties on Master Engine can clear Virtual Resource allocation (#111537)
In configurations where Virtual Resources have been allocated to VLAN
Interfaces on a Master Engine, the Virtual Resources might be cleared
after making changes to Physical Interface properties on the Master
Engine.
Workaround: Allocate the Virtual Resources again after making changes
to the Physical Interface properties.

Not possible to create or edit elements using Mac OS X (#111953)
If you run the Management Client using Web Start and the operating
system on your client computer is Mac OS X, you might not be able to
create elements or edit existing elements. When trying to create or edit
an element, you might see a Class Cast exception error message.
Workaround: Locate the SgClientConfiguration.txt file in the .stonegate
folder on your client computer. Add this line to the file:
NIMBUS_LF=true
This line fixes the issue and also improves the rendering in Mac OS X.

Policy installation error when Forward action used for VPNs (#112121)
Policy installation fails in a VPN setup where the Forward action is used
to forward traffic from the client VPN to another VPN tunnel. The error
message has the following content: "Failed to generate the tunnels of
the <name of VPN> VPN referenced in the rule...".
Workaround: Select the "Restrict Virtual Address Ranges" option for VPN
endpoint firewalls. To locate the option, open the Firewall for editing
and, in the Engine Editor, go to VPN > VPN Client.

NGF-321-C2 front panel image not shown in System Status view (#112200)
The NGF-321-C2 appliance front panel image is not shown correctly in
the System Status view.

Opening External Gateway Site properties fails (#112308)
Opening the properties of an External Gateway Site element fails with
the following error message: "Failed to display." This happens both in
the Route-Based VPN view and in the Gateways view.
Workaround: Open the External Gateway Site element properties from
the Sites branch of the External Gateway properties.

Default columns in Blacklist Monitoring view are for old engine versions (#112328)
The columns that are shown by default in the Blacklist Monitoring view
are meant for old engine versions. Because of this, sorting entries by
source IP address, for example, does not work as expected.
Workaround: Click Columns in the top panel of the Blacklist Monitoring
view and select Column Selection. In the Column Selection dialog, select
columns starting with the "BL " string instead of ports and addresses.
You can add the following columns to the view: BL Dst Addr, BL Dst
Port, BL Protocol, BL Src Addr, and BL Src Port.

Duplicating some Application elements creates broken references (#112385)
Duplicating some Application elements creates broken references to
sub-applications. These sub-applications are normally not visible in the
Management Client. Installing a policy or exporting an element fails due
to the broken references. The error message that is shown includes the
following: "Missing regular expression on..."
Workaround: Delete the duplicate Application element. The sub-applications cannot be edited.

Using elements without IP addresses as Access rule matching criteria may create a rule that never matches (#112405)
Using several elements that have no IP address as matching criteria in
the Source or Destination cell of an Access rule may create a rule that
never matches. Using User, Domain Name, or Zone elements in the
format ( <first_element> and <second_element> ) can cause this.

Moving Firewall policy from one template to another can cause Access rules to disappear (#112479)
Moving a Firewall policy under a custom template to a Firewall Template
or vice versa may cause Access rules to disappear. The rules reappear
when the policy is moved back to the original template.
Workaround: In a custom template, add a second insert point, select all
the rules in the policy, then drag and drop them to the new insert point.
After that, move the policy to a different template.

Snapshot comparison to most recently saved policy fails (#112504)
A policy Snapshot comparison with the option "Compare Snapshot to
Most Recently Saved Policy" fails. The error message can vary,
depending on the configuration.

Default name used for VPN Gateways causes new virtual security engine creation to fail (#112616)
When adding a second virtual security engine for a Master Engine,
saving it fails with the message: "Failed to save Virtual Firewall XXX Element name - Primary is already used".
The internal Gateway element is created automatically when the Firewall
element is created. The default name for the VPN Gateway is the same
for all virtual security engine VPN gateways on the Master Engine.
Workaround: In the Engine Editor, expand the VPN branch, and on the
Client page, set the Gateway Display Name to be unique for each VPN
Gateway.

SMC replication in high-availability setup may fail in timeout after upgrade to SMC 5.7.3 (#112830)
The automatic replication of SMC configuration data in a high-availability
setup may fail in timeout after upgrading to SMC 5.7.3. Automatic
replication is considered failed when it takes more than 10 minutes. This
is more likely to occur when the primary Management Server runs on
Windows and the backup is of a significant size.
Workaround: Reducing the number of stored snapshots may help speed
up the replication enough for automatic replication to succeed.

Policy installation fails for certain appliance models with initial license (#112841)
Policy installation fails for certain newly installed appliance models that
use the initial license. This affects, for example, models FWL-321-C1,
FWL-325-C1, and FW-315.
Workaround: Install a permanent license for the appliance. A permanent
license can be registered and downloaded from
https://my.stonesoft.com/managelicense.do. Log in using the appliance
POS code that is shown on a sticker on the appliance.

Policy installation might fail when same gateway element is referenced by site-to-site VPN and mobile VPN (#112866)
Installing a policy on a Firewall might fail with the following error: "The
IPsec Client Gateway and the <gateway> are involved in the following
client-to-gateway VPNs: <VPN name>, <VPN name>. In the rule
tagged <rule tag>, the action section must reference a specific VPN.
Failed to build specific configuration for <gateway>."
This might happen when the same VPN Gateway element is referenced
by one or more site-to-site VPNs and one or more mobile VPNs.
See workaround options in KB83790.

sgInfo task for generating engine sgInfos automatically fails (#113045)
Creating a new sgInfo task for generating engine sgInfos automatically
fails. The following error is shown: "Unexpected parameter index.
Declared size= 5. processing table size= 6. Type= 1". Existing sgInfo
tasks also fail to run.
Workaround: You can use the Get sgInfo command in the Management
Client to generate engine sginfos.

Incorrect warning about Anti-Virus settings (#113063)
If the Anti-Virus feature is enabled on engines lower than version 5.8 in
Access rule Action options and File Filtering is also enabled, an incorrect
warning message is displayed when you install the policy: "Anti-Virus
settings in IPv4 Access rule @<rule tag> are ignored: the installed
software version <version build> does not support Anti-Virus on Master,
IPS or Layer engines." File Filtering must be enabled in the policy to
turn on Anti-Virus scanning.

Snapshot-related actions may fail after activating dynamic update 614 or newer (#113077)
Restoring a snapshot, comparing snapshots, previewing a snapshot, and
other actions related to snapshots may fail if you have activated
dynamic update 614 or newer. A problem related to System report
updates was introduced in dynamic update 614.
The error message that is shown typically includes the following, but the
content of the first line varies depending on the action: "Database
problem. Details: Parse error in file System Snapshot
(6XX)exported_data.xml at line XXXX: DTD claims: Element <report>
has no attribute "style_template_key"

Automatic rules for IPv6 traffic do not work (#113092)
IPv6 traffic does not match Automatic rules that should redirect IPv6
traffic to IPv6 Access rules.
Workaround: Automatic rules for IPv6 traffic can be removed by editing
the Template Policy.

Engine state synchronization traffic might fail if target IP address is changed (#113210)
In the default configuration, the target IP address for state
synchronization traffic is the same for both the primary and the backup
state synchronization interfaces. If the engine configuration is changed
so that the IP addresses are no longer identical, the generated policy
only allows traffic from the backup state synchronization interface. The
primary state synchronization channel is shown as failed.
Workaround: Configure the same target IP address for both the primary
and the backup state synchronization traffic.

Warning of user database replication when SSL VPN Portal set up on Virtual Firewall (#113216)
If an SSL VPN Portal is enabled on a Virtual Firewall interface, when the
policy is installed, the message "requires user authentication but user
account replication to the Virtual Firewall is disabled" is shown. User
database replication cannot be enabled for the Virtual Firewall. Instead,
it needs to be enabled on the Master Engine. The warning is present,
even when user database replication is correctly enabled on the Master
Engine.

Automatic policy refresh may fail after dynamic update package has been activated (#113345)
Automatic policy refresh may fail after a dynamic update package has
been activated. You can configure automatic downloads for dynamic
update packages on the Updates tab of the Global System Properties
dialog box.
Workaround: Go to File > System Tools > Global System Properties. On
the Updates tab, select "Notify When Updates Have Been Activated."
Manually refresh the policy after the dynamic update package has been
activated.

SMC upgrade may fail on Linux if revert has been done in the past (#113351)
Upgrading the SMC to version 5.7.4, 5.8.0, or 5.8.1 on the Linux
operating system may fail if you have performed a rollback in the past
using the <install dir>/uninstall/revert.sh script.
Workaround: Make sure that the <install dir>/backups folder has no
folder name starting with sgrollbackfolder...

Empty log files may interfere with engine status monitoring (#113486)
When engine nodes generate a large amount of log data in real time,
some log entries may be sent as re-ordered by the engine, which forces
the Log Server to create several .arch files for the same engine (the log
entries are time-ordered). The Log Server reassembles some of these
log files to reduce the number of generated .arch files. If a file that does
not exist anymore is accessed, an empty log file may be generated.
When the empty log file is found, it is moved to a corrupted folder and
the following Alert is generated: "The file PathReference: <path>.arch is
corrupted." Having many empty log files reduces Log Server
performance and results in a large number of Alerts. Empty log files are
detected when they are accessed in the Logs view or in Reports.
Reduced Log Server performance may be indicated by monitored engine
nodes briefly blinking red and then returning to green status.
This behavior is more likely to occur when deep inspection is enabled
and extensive logging is configured, and other resource-intensive tasks
like Overviews or Reports are also used.
Workaround for Windows operating systems: If Alerts about corrupted
log files are continuously generated, see KB83773 for a workaround for
deleting empty log files before the SMC detects them.

Removing node from cluster fails (#113631)
The Remove Node option on cluster element fails to save the change.
The following error message is displayed: "Failed to save Firewall
Cluster. Database problem. Write Interfaces for <name> failed".

File Filtering policy Action option not supported by current engine versions (#113688)
File filtering policy rules have an action option "Decompress Archives
and Rematch Content". By default, this option is enabled. However,
current engine versions do not support this option.

Link-Local IPv6 Unicast Addresses Network element cannot be added to Routing tree (#113839)
A Link-Local IPv6 Unicast Addresses Network element cannot be added
to the Routing tree. If there is an existing Link-Local IPv6 Unicast
Addresses Network, the correct firewall configuration is generated.

VLAN interface IDs are not updated in Routing and Antispoofing panes (#113998)
VLAN interface IDs are not updated in the Routing and Antispoofing
panes if the interface ID of a physical interface is changed. The
Interfaces pane and the generated configuration are correctly updated.

Web Start Management Clients fail to open Statistics arrangement of Logs view with Java JRE 8u31 (#114070)
Management Clients launched using Web Start fail to open the Statistics
arrangement of the Logs view when Java Runtime Environment (JRE)
version 8u31 is installed on the client computer. The following error is
shown: "Cannot open the Statistics view. 25196".
Workaround: Install the Management Client locally on your computer or
downgrade the JRE to an older version, such as JRE 8u25.
Installation instructions
Note
The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security
Management Center is installed for the first time.
The main installation steps for the McAfee Security Management Center and the Firewall, IPS, or Layer
2 Firewall engines are as follows:
1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s).
2. Import the licenses for all components (you can generate licenses on our website at
https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the
Security Engine Configuration view.
4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2
Firewall element and selecting Save Initial Configuration.
5. Make the initial connection from the engines to the Management Server and enter the one-time
password provided during Step 4.
6. Create and upload a policy on the engines using the Management Client.
The detailed installation instructions can be found in the product-specific installation guides. For a more
thorough explanation of using the McAfee Security Management Center, refer to the Management Client
online Help or the McAfee SMC Administrator’s Guide. For background information on how the system
works, consult the McAfee SMC Reference Guide. All guides are available for download at
https://www.stonesoft.com/en/customer_care/documentation/current/.
Upgrade instructions
Note
McAfee Security Management Center (Management Server, Log Server and Web Portal Server) must be
upgraded before the engines are upgraded to the same major version.
McAfee Security Management Center (SMC) version 5.8.2 requires an updated license if upgrading from
version 5.7 or lower. Unless the automatic license update functionality is in use, request a license
upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license
using the Management Client before upgrading the software.
To upgrade an earlier version of the SMC to McAfee Security Management Center version 5.8.1, we
strongly recommend that you stop all the McAfee NGFW services and take a backup before continuing
with the upgrade. After taking the backup, run the appropriate setup file depending on the operating
system. The installation program detects the old version and does the upgrade automatically.
Versions lower than 5.2.0 require an upgrade to version 5.2.0 – 5.7.4 before upgrading to version
5.8.2.
System requirements
Basic management system hardware requirements
• Intel Core family processor or higher recommended, or equivalent on a non-Intel platform
• A mouse or pointing device (for Management Client only)
• SVGA (1024x768) display or higher (for Management Client only)
• Disk space for Management Server: 6 GB
• Disk space for Log Server: 50 GB
• Memory requirements for 32-bit operating systems:
  o 2 GB RAM for Server (3 GB minimum if all components are installed on the same server)
  o 1 GB RAM for Management Client
• Memory requirements for 64-bit operating systems:
  o 6 GB RAM for Server (8 GB minimum if all components are installed on the same server)
  o 2 GB RAM for Management Client
Operating systems
McAfee Security Management Center supports the following operating systems and versions:
• Microsoft® Windows Server 2012™ R2 (64-bit)*
• Microsoft® Windows Server 2008™ R1 SP2 and R2 SP1 (64-bit)*
• Microsoft® Windows 7™ SP1 (64-bit)*
• CentOS 6 (for 32-bit and 64-bit x86)**
• Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)**
• SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)**
• Ubuntu 12.04 LTS (for 64-bit x86)**
*) Only the U.S. English language version has been tested, but other locales may work as well.
**) 32-bit compatibility libraries lib and libz are needed on all Linux platforms.
Note
32-bit Windows environments are no longer officially supported in SMC 5.8.
Web Start Clients
In addition to the operating systems listed above, McAfee Security Management Center can be accessed
through Web Start by using the following Mac OS and JRE versions:
• Mac OS 10.9 with JRE 1.7.0_67
Build version
McAfee Security Management Center version 5.8.2 build version is 8821.
This release contains Dynamic Update package 626.
Product Binary Checksums
smc_5.8.2.8821.iso            SHA1SUM a8f3424706420de554244a3a99739e254d0a3269
smc_5.8.2.8821.zip            SHA1SUM 0d40f01cee498de1392f706c67b65ff755ce269d
smc_5.8.2.8821_linux.zip      SHA1SUM 4aac22e1cf87d344b90c1292d239566c9437af1c
smc_5.8.2.8821_windows.zip    SHA1SUM 8e29ce588e2160b276a1d7152323a981f6d0d90a
smc_5.8.2.8821_webstart.zip   SHA1SUM 734d17333f01b13aca78256c7328f026ff8e988b
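Before running the setup program, confirm that the package you downloaded matches the checksum published above; a mismatch means a corrupted or substituted download and the package must not be installed. The following POSIX shell script is an added example written for these notes, not a McAfee tool. It assumes the packages sit in the current directory and uses sha1sum, shasum or openssl, whichever is installed. The expected values are taken from the list above, so obtain these release notes from the vendor rather than alongside the download.

```shell
#!/bin/sh
# Added example (not McAfee's script): verify that downloaded SMC 5.8.2
# packages match the SHA-1 checksums published in these release notes.

# Print the SHA-1 digest of a file, using whichever tool is available.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_sha1 FILE EXPECTED_SHA1
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
# The comparison is case-insensitive because tools differ in hex case.
verify_sha1() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 2; }
    actual=$(sha1_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (expected $expected, got $actual)" >&2
    return 1
}

# Check every SMC 5.8.2 build 8821 package present in the current
# directory against its published checksum. Returns non-zero if any
# package is missing or does not match.
verify_smc_582_packages() {
    status=0
    while read -r name sum; do
        verify_sha1 "$name" "$sum" || status=1
    done <<EOF
smc_5.8.2.8821.iso a8f3424706420de554244a3a99739e254d0a3269
smc_5.8.2.8821.zip 0d40f01cee498de1392f706c67b65ff755ce269d
smc_5.8.2.8821_linux.zip 4aac22e1cf87d344b90c1292d239566c9437af1c
smc_5.8.2.8821_windows.zip 8e29ce588e2160b276a1d7152323a981f6d0d90a
smc_5.8.2.8821_webstart.zip 734d17333f01b13aca78256c7328f026ff8e988b
EOF
    return $status
}

# Usage: sh verify_smc.sh --check   (run from the download directory)
if [ "${1:-}" = "--check" ]; then
    verify_smc_582_packages
fi
```

Only the packages you actually downloaded need to pass; the others are reported as MISSING and can be ignored. Anything reported as MISMATCH should be downloaded again from the vendor before the installation or upgrade steps above are started.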
Compatibility
McAfee Security Management Center version 5.8 is compatible with the following McAfee and NGFW
component versions:
• McAfee Next Generation Firewall (NGFW) 5.7 and 5.8
• Stonesoft Security Engine 5.4 and 5.5
• Stonesoft Firewall engine 5.3
• Stonesoft SSL VPN 1.5
• McAfee ePolicy Orchestrator (McAfee ePO) 4.6 and 5.0
• McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only)
Note
SMC 5.8 no longer supports legacy Stonesoft IPS Analyzers, Combined Sensor-Analyzers, or Sensor
versions 5.2 or lower.
Native Support
To utilize all the features of McAfee Security Management Center version 5.8, the following McAfee
component versions are required:
• McAfee Next Generation Firewall (NGFW) 5.8
Known issues
For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82953.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the online Knowledge Center.
1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
Copyright © 2015 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United
States and other countries. Other names and brands may be claimed as the property of others.
00-A