Security Management Center 5.8.3 Release Notes
Transcription
Security Management Center 5.8.3 Release Notes
Release Notes Revision A McAfee Security Management Center 5.8.3 Contents About this release Resolved issues Installation instructions Upgrade instructions System requirements Build version Compatibility Known issues Find product documentation About this release This document contains important information about the current release. We strongly recommend that you read the entire document. Resolved issues These issues have been resolved since SMC version 5.8.2. For a list of issues that have been resolved in earlier releases, see the Release Notes for the specific release. Issue Description Diagram not drawn when selecting elements in the System Status view (#105250) When you select an element in the System Status view, you might see the error message "Auto generation failed", and the diagram showing connectivity to other elements is not drawn. Remote upgrade fails due to low disk space (#105510) When a remote upgrade is started, a temporary copy of the engine image is made. If there is not enough disk space on the SMC installation partition, the upgrade can fail with the error "rdiff invocation failed, return code [100]:io error". Workaround: Make sure there is enough disk space. After node reboot, the element status may indicate No Policy Installed (#111656) After rebooting the node, the element status may show "No Policy Installed" and "N/A" as the policy, even though a policy is in use and the element is shown as green. In addition, on the node level the correct policy information is shown. The problem is rare but might occur in some setups. Workaround: Refresh the policy on the engine. 1 Issue Description Standby Management Server certification can fail during installation (#113604) Standby Management Server certification can fail during installation. Creating encrypted Management Server backup fails (#113786) Creating an encrypted Management Server backup fails with the following error message: "pad block corrupted." Creating normal Management Server backups works. SSL VPN endpoint conflict not detected (#113875) Policy validation does not detect a conflict if an endpoint is enabled both for the SSL VPN Portal and for an SSL VPN Tunnel and the same port is used for both. Workaround: 1. Install the standby server in standalone mode. 2. Certify the server using the command sgCertifyMgtSrv.bat/sh standby. 3. Run sgOnlineReplication.bat/sh to initiate the original replication between the servers. If you see the message "Replication operation successfully completed.", the replication succeeded and possible timeout messages can be ignored. Workaround: Configure different ports for SSL VPN Portal and SSL VPN Tunnel or use separate endpoints for them. Alert chain Final Action cannot be changed (#114130) The Final Action in an Alert Chain cannot be changed. The Final Action reverts to its original value when you save the Alert Chain. Network elements in Antispoofing and Routing panes may display IP address 0.0.0.0/0 (#114179) Network elements that are used in the Routing and Antispoofing panes of the Engine Editor may display IP address 0.0.0.0/0. Network information is still correct in the routing or antispoofing configuration. Adding blacklist scope for an Inspection rule with the Terminate action fails (#114200) Adding a "Block Traffic Between Endpoints" blacklist scope for an Inspection rule with the Terminate action fails when Connection Source and Connection Destination are selected as the Endpoint Address types. Saving the Action Options fails and an error message is shown: "Blacklist Endpoint 1 address mode and Blacklist Endpoint 2 address mode must be identical." Workaround: Use either of these workarounds: - Create a new Alert Chain or use the Save As option to save a copy of the Alert Chain. Set the Final Action in the new Alert Chain element. Add the new Alert Chain to the Alert Policy. - Export the Alert Chain element. Edit the XML file and change the value of the final_action attribute to one of the following options: 0=None, 1=Acknowledge, 2=Redirect 3=Return. Import the modified XML file. Workaround: Open the properties of the Network element and click OK to save and refresh the element. Workaround: Use another type of blacklist scope, when applicable. Results in Search Rules view are reset every 15 minutes (#114206) The search results in the Search Rules view are reset every 15 minutes when the system internally updates elements. Search results are also reset when you save a change to an element during the same Management Client session. Workaround: Click another tab in the security policy, and then switch back to the original tab to return to the search results. 2 Issue Description Node-Initiated Contact to Management Server option can't be saved (#114270) "Node-Initiated Contact to Management Server" option cannot be saved in Engine Editor Interface Options. Policy Snapshot of Firewall that has interfaces with dynamic IP addresses may be corrupted (#114336) Policy Snapshot actions, such as View, Compare, or Restore, may result in the following error message: "DTD claims: Required attribute "dynamic_ip" missing from element <dyn_interface_asn_level>." This may happen with Policy Snapshots of Firewall elements that have interfaces with dynamic IP addresses configured. Importing the same Firewall element also fails. Rule with negation expression including Alias element do not match traffic (#114420) After upgrading the SMC to version 5.8.2 and installing a policy, rules with an Expression element that includes negation for an Alias element might not match traffic. A typical problematic expression is the negation of $ Local Protected Sites to represent networks other than local networks. Workaround: 1. Right-click the Firewall element and select Tools | Export to export the element as an XML file. 2. Open the XML file using a text editor. 3. Change the line reverse_connection="false" to reverse_connection="true" and save the XML file. 4. Create a zip file of the edited XML file. 5. Select File | Import | Import Elements to import the edited XML file. Workaround: 1. Create an IPv4 network element with the IP address 0.0.0.0 and the netmask 0.0.0.0. 2. Edit the problematic expression, adding at the beginning: ipv4_network intersection (current expression). Installation instructions Note The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security Management Center is installed for the first time. The main installation steps for the McAfee Security Management Center and the Firewall, IPS, or Layer 2 Firewall engines are as follows: 1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s). 2. Import the licenses for all components (you can generate licenses on our website at https://my.stonesoft.com/managelicense.do). 3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Security Engine Configuration view. 4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2 Firewall element and selecting Save Initial Configuration. 5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4. 6. Create and upload a policy on the engines using the Management Client. The detailed installation instructions can be found in the product-specific installation guides. For a more thorough explanation of using the McAfee Security Management Center, refer to the Management Client online Help or the McAfee SMC Administrator’s Guide. For background information on how the system works, consult the McAfee SMC Reference Guide. All guides are available for download at https://www.stonesoft.com/en/customer_care/documentation/current/. 3 Upgrade instructions Note McAfee Security Management Center (Management Server, Log Server and Web Portal Server) must be upgraded before the engines are upgraded to the same major version. McAfee Security Management Center (SMC) version 5.8.3 requires an updated license if upgrading from version 5.7 or lower. Unless the automatic license update functionality is in use, request a license upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license using the Management Client before upgrading the software. To upgrade an earlier version of the SMC to McAfee Security Management Center version 5.8.3, we strongly recommend that you stop all the McAfee NGFW services and take a backup before continuing with the upgrade. After taking the backup, run the appropriate setup file depending on the operating system. The installation program detects the old version and does the upgrade automatically. Versions lower than 5.2.0 require an upgrade to version 5.2.0 – 5.7.4 before upgrading to version 5.8.3. System requirements Basic management system hardware requirements • Intel Core family processor or higher recommended, or equivalent on a non-Intel platform • A mouse or pointing device (for Management Client only) • SVGA (1024x768) display or higher (for Management Client only) • Disk space for Management Server: 6 GB • Disk space for Log Server: 50 GB • Memory requirements for 32-bit operating systems: • o 2 GB RAM for Server (3 GB minimum if all components are installed on the same server) o 1 GB RAM for Management Client Memory requirements for 64-bit operating systems: o 6 GB RAM for Server (8 GB minimum if all components are installed on the same server) o 2 GB RAM for Management Client Operating systems McAfee Security Management Center supports the following operating systems and versions: • Microsoft® Windows Server 2012™ R2 (64-bit)* • Microsoft® Windows Server 2008™ R1 SP2 and R2 SP1 (64-bit)* • Microsoft® Windows 7™ SP1 (64-bit)* • CentOS 6 (for 32-bit and 64-bit x86)** • Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)** • SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)** • Ubuntu 12.04 LTS (for 64-bit x86)** *) Only the U.S. English language version has been tested, but other locales may work as well. **) 32-bit compatibility libraries lib and libz are needed on all Linux platforms. Note 32-bit Windows environments are no longer officially supported in SMC 5.8. 4 Web Start Clients In addition to the operating systems listed above, McAfee Security Management Center can be accessed through Web Start by using the following Mac OS and JRE versions: • Mac OS 10.9 with JRE 1.7.0_67 Build version McAfee Security Management Center version 5.8.3 build version is 8824. This release contains Dynamic Update package 632. Product Binary Checksums • smc_5.8.3.8824.iso SHA1SUM: 8ea1b06e9e36471c832d0ae37cb52d09dc27bc62 SHA512SUM: 9f7f2fbfbdf75a8a777dc3e4190b6629730fef0d21347259fa99577b62326362611b285617f5f5c58 4ed43246b1d688bfc24f5fada80ba7461c72e031e01bf3d • smc_5.8.3.8824.zip SHA1SUM: 888b44159472adf65bb4c763df578aa4af7b78bd SHA512SUM: ffd5bb6c0295b6b3c622d1a87d6a28c7de9efe7c0b27729d7756730763e7dffecf9fc3acaab98b4dd 6f82351e73707d2f02e1ddf89d3c0a813e89aee9508daf8 • smc_5.8.3.8824_linux.zip SHA1SUM: 4e9dae2dcbf6eea443218853773bfceb440f1e1d SHA512SUM: a1dfed20ebcb39f0c7ba7b9e61ce444f89b43fe94aa391dc5c9d9b96ed2c9fc06fa7f5d77178c7aa6e d5abe7ac2913d5ca43768f41b7484abdc8f021726804d3 • smc_5.8.3.8824_webstart.zip SHA1SUM: e8bf5bfe080127d227a2c110ced02214ae6bd539 SHA512SUM: d3c0b767d0d4f72be79849da033fd0d2ea5b5a36a431a053169a9fa680e680577e3d69c0246d059 55ddf3d5bbd136531815b66a6787d6fe8a6cb03385e89910f • smc_5.8.3.8824_windows.zip SHA1SUM: 94bfb3d2c52e3e61cd0223771ae444d0b3a4207d SHA512SUM: 31c1aaed5f809242a70ff5df0873edf459d33684cb294bcad5ef76ecf6f6a6966e594989d6e260582 1e3abeb89ba96830dd56ed15a0d83107bed961b11869590 5 Compatibility McAfee Security Management Center version 5.8 is compatible with the following McAfee and NGFW component versions: • McAfee Next Generation Firewall (NGFW) 5.7 and 5.8 • Stonesoft Security Engine 5.4 and 5.5 • Stonesoft Firewall engine 5.3 • Stonesoft SSL VPN 1.5 • McAfee ePolicy Orchestrator (McAfee ePO) 4.6 and 5.0 • McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only) Note SMC 5.8 no longer supports legacy Stonesoft IPS Analyzers, Combined Sensor-Analyzers, or Sensor versions 5.2 or lower. Native Support To utilize all the features of McAfee Security Management Center version 5.8, the following McAfee component versions are required: • McAfee Next Generation Firewall (NGFW) 5.8 Known issues For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82953. Find product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the online Knowledge Center. 1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center. 2. Enter a product name, select a version, then click Search to display a list of documents. Copyright © 2015 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. 00-A 6