Security Management Center 5.8.3 Release Notes

Release Notes
Revision A
McAfee Security Management Center 5.8.3
Contents
• About this release
• Resolved issues
• Installation instructions
• Upgrade instructions
• System requirements
• Build version
• Compatibility
• Known issues
• Find product documentation
About this release
This document contains important information about the current release. We strongly recommend that
you read the entire document.
Resolved issues
These issues have been resolved since SMC version 5.8.2. For a list of issues that have been resolved in
earlier releases, see the Release Notes for the specific release.
Issue: Diagram not drawn when selecting elements in the System Status view (#105250)
Description: When you select an element in the System Status view, you might see the error message "Auto generation failed", and the diagram showing connectivity to other elements is not drawn.
Issue: Remote upgrade fails due to low disk space (#105510)
Description: When a remote upgrade is started, a temporary copy of the engine image is made. If there is not enough disk space on the SMC installation partition, the upgrade can fail with the error "rdiff invocation failed, return code [100]:io error".
Workaround: Make sure there is enough disk space.
Issue: After node reboot, the element status may indicate No Policy Installed (#111656)
Description: After rebooting the node, the element status may show "No Policy Installed" and "N/A" as the policy, even though a policy is in use and the element is shown as green. In addition, on the node level the correct policy information is shown. The problem is rare but might occur in some setups.
Workaround: Refresh the policy on the engine.
Issue: Standby Management Server certification can fail during installation (#113604)
Description: Standby Management Server certification can fail during installation.
Workaround:
1. Install the standby server in standalone mode.
2. Certify the server using the command sgCertifyMgtSrv.bat/sh standby.
3. Run sgOnlineReplication.bat/sh to initiate the original replication between the servers. If you see the message "Replication operation successfully completed.", the replication succeeded and possible timeout messages can be ignored.
Issue: Creating encrypted Management Server backup fails (#113786)
Description: Creating an encrypted Management Server backup fails with the following error message: "pad block corrupted." Creating normal Management Server backups works.
Issue: SSL VPN endpoint conflict not detected (#113875)
Description: Policy validation does not detect a conflict if an endpoint is enabled both for the SSL VPN Portal and for an SSL VPN Tunnel and the same port is used for both.
Workaround: Configure different ports for SSL VPN Portal and SSL VPN Tunnel or use separate endpoints for them.
Issue: Alert chain Final Action cannot be changed (#114130)
Description: The Final Action in an Alert Chain cannot be changed. The Final Action reverts to its original value when you save the Alert Chain.
Workaround: Use either of these workarounds:
- Create a new Alert Chain or use the Save As option to save a copy of the Alert Chain. Set the Final Action in the new Alert Chain element. Add the new Alert Chain to the Alert Policy.
- Export the Alert Chain element. Edit the XML file and change the value of the final_action attribute to one of the following options: 0=None, 1=Acknowledge, 2=Redirect, 3=Return. Import the modified XML file.
Issue: Network elements in Antispoofing and Routing panes may display IP address 0.0.0.0/0 (#114179)
Description: Network elements that are used in the Routing and Antispoofing panes of the Engine Editor may display IP address 0.0.0.0/0. Network information is still correct in the routing or antispoofing configuration.
Workaround: Open the properties of the Network element and click OK to save and refresh the element.
Issue: Adding blacklist scope for an Inspection rule with the Terminate action fails (#114200)
Description: Adding a "Block Traffic Between Endpoints" blacklist scope for an Inspection rule with the Terminate action fails when Connection Source and Connection Destination are selected as the Endpoint Address types. Saving the Action Options fails and an error message is shown: "Blacklist Endpoint 1 address mode and Blacklist Endpoint 2 address mode must be identical."
Workaround: Use another type of blacklist scope, when applicable.
Issue: Results in Search Rules view are reset every 15 minutes (#114206)
Description: The search results in the Search Rules view are reset every 15 minutes when the system internally updates elements. Search results are also reset when you save a change to an element during the same Management Client session.
Workaround: Click another tab in the security policy, and then switch back to the original tab to return to the search results.
Issue: Node-Initiated Contact to Management Server option can't be saved (#114270)
Description: "Node-Initiated Contact to Management Server" option cannot be saved in Engine Editor Interface Options.
Workaround:
1. Right-click the Firewall element and select Tools | Export to export the element as an XML file.
2. Open the XML file using a text editor.
3. Change the line reverse_connection="false" to reverse_connection="true" and save the XML file.
4. Create a zip file of the edited XML file.
5. Select File | Import | Import Elements to import the edited XML file.
Issue: Policy Snapshot of Firewall that has interfaces with dynamic IP addresses may be corrupted (#114336)
Description: Policy Snapshot actions, such as View, Compare, or Restore, may result in the following error message: "DTD claims: Required attribute "dynamic_ip" missing from element <dyn_interface_asn_level>." This may happen with Policy Snapshots of Firewall elements that have interfaces with dynamic IP addresses configured. Importing the same Firewall element also fails.
Issue: Rule with negation expression including Alias element does not match traffic (#114420)
Description: After upgrading the SMC to version 5.8.2 and installing a policy, rules with an Expression element that includes negation for an Alias element might not match traffic. A typical problematic expression is the negation of $ Local Protected Sites to represent networks other than local networks.
Workaround:
1. Create an IPv4 network element with the IP address 0.0.0.0 and the netmask 0.0.0.0.
2. Edit the problematic expression, adding at the beginning: ipv4_network intersection (current expression).
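The XML edits in the workarounds for #114130 (final_action) and #114270 (reverse_connection) can be scripted so that an ambiguous change is refused instead of applied. This is an added example, not code from McAfee or from these release notes: the function names, file names and the sample element are assumptions, and the export is assumed to be UTF-8.

```python
import re
import zipfile
from pathlib import Path

# final_action values as listed in the #114130 workaround.
FINAL_ACTION = {"None": "0", "Acknowledge": "1", "Redirect": "2", "Return": "3"}

# Constructed sample; the element name is a placeholder, not the real export schema.
SAMPLE_EXPORT = '<export>\n<element name="fw-1" reverse_connection="false"/>\n</export>\n'


def set_attribute(xml_text, name, new_value, expected_old=None):
    """Rewrite one attribute value, refusing edits that are ambiguous."""
    pattern = re.compile(r'(?<![\w-])' + re.escape(name) + r'="([^"]*)"')
    found = pattern.findall(xml_text)
    if len(found) != 1:
        # An export can hold several elements; do not guess which one to change.
        raise ValueError(f"expected one {name} attribute, found {len(found)}")
    if expected_old is not None and found[0] != expected_old:
        raise ValueError(f"{name} is {found[0]!r}, expected {expected_old!r}")
    return pattern.sub(lambda m: f'{name}="{new_value}"', xml_text)


def patch_export(xml_path, name, new_value, expected_old=None, zip_path=None):
    """Patch an exported XML file in place, keeping a .orig copy for rollback."""
    xml_path = Path(xml_path)
    original = xml_path.read_bytes()  # bytes keep the file's line endings intact
    patched = set_attribute(original.decode("utf-8"), name, new_value, expected_old)
    xml_path.with_name(xml_path.name + ".orig").write_bytes(original)
    xml_path.write_bytes(patched.encode("utf-8"))
    if zip_path is not None:  # #114270 step 4: zip the edited file for import
        with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.write(xml_path, arcname=xml_path.name)
    return patched


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "firewall_export.xml"
        export.write_text(SAMPLE_EXPORT, encoding="utf-8")
        print(patch_export(export, "reverse_connection", "true", "false",
                           Path(tmp) / "firewall_import.zip"))
```

For the Alert Chain case, call set_attribute with "final_action" and one of the FINAL_ACTION values; the release notes do not mention a zip step for that import.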
Installation instructions
Note
The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security
Management Center is installed for the first time.
The main installation steps for the McAfee Security Management Center and the Firewall, IPS, or Layer
2 Firewall engines are as follows:
1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s).
2. Import the licenses for all components (you can generate licenses on our website at
https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the
Security Engine Configuration view.
4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2
Firewall element and selecting Save Initial Configuration.
5. Make the initial connection from the engines to the Management Server and enter the one-time
password provided during Step 4.
6. Create and upload a policy on the engines using the Management Client.
The detailed installation instructions can be found in the product-specific installation guides. For a more
thorough explanation of using the McAfee Security Management Center, refer to the Management Client
online Help or the McAfee SMC Administrator’s Guide. For background information on how the system
works, consult the McAfee SMC Reference Guide. All guides are available for download at
https://www.stonesoft.com/en/customer_care/documentation/current/.
Upgrade instructions
Note
McAfee Security Management Center (Management Server, Log Server and Web Portal Server) must be
upgraded before the engines are upgraded to the same major version.
McAfee Security Management Center (SMC) version 5.8.3 requires an updated license if upgrading from
version 5.7 or lower. Unless the automatic license update functionality is in use, request a license
upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license
using the Management Client before upgrading the software.
To upgrade an earlier version of the SMC to McAfee Security Management Center version 5.8.3, we
strongly recommend that you stop all the McAfee NGFW services and take a backup before continuing
with the upgrade. After taking the backup, run the appropriate setup file depending on the operating
system. The installation program detects the old version and does the upgrade automatically.
Versions lower than 5.2.0 require an upgrade to version 5.2.0 – 5.7.4 before upgrading to version
5.8.3.
System requirements
Basic management system hardware requirements
• Intel Core family processor or higher recommended, or equivalent on a non-Intel platform
• A mouse or pointing device (for Management Client only)
• SVGA (1024x768) display or higher (for Management Client only)
• Disk space for Management Server: 6 GB
• Disk space for Log Server: 50 GB
• Memory requirements for 32-bit operating systems:
  o 2 GB RAM for Server (3 GB minimum if all components are installed on the same server)
  o 1 GB RAM for Management Client
• Memory requirements for 64-bit operating systems:
  o 6 GB RAM for Server (8 GB minimum if all components are installed on the same server)
  o 2 GB RAM for Management Client
Operating systems
McAfee Security Management Center supports the following operating systems and versions:
• Microsoft® Windows Server 2012™ R2 (64-bit)*
• Microsoft® Windows Server 2008™ R1 SP2 and R2 SP1 (64-bit)*
• Microsoft® Windows 7™ SP1 (64-bit)*
• CentOS 6 (for 32-bit and 64-bit x86)**
• Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)**
• SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)**
• Ubuntu 12.04 LTS (for 64-bit x86)**
*) Only the U.S. English language version has been tested, but other locales may work as well.
**) 32-bit compatibility libraries lib and libz are needed on all Linux platforms.
Note
32-bit Windows environments are no longer officially supported in SMC 5.8.
Web Start Clients
In addition to the operating systems listed above, McAfee Security Management Center can be accessed
through Web Start by using the following Mac OS and JRE versions:
• Mac OS 10.9 with JRE 1.7.0_67
Build version
McAfee Security Management Center version 5.8.3 build version is 8824.
This release contains Dynamic Update package 632.
Product Binary Checksums
Compatibility
McAfee Security Management Center version 5.8 is compatible with the following McAfee and NGFW
component versions:
• McAfee Next Generation Firewall (NGFW) 5.7 and 5.8
• Stonesoft Security Engine 5.4 and 5.5
• Stonesoft Firewall engine 5.3
• Stonesoft SSL VPN 1.5
• McAfee ePolicy Orchestrator (McAfee ePO) 4.6 and 5.0
• McAfee Enterprise Security Manager (McAfee ESM) 9.2.0 and later (9.1.0 CEF only)
Note
SMC 5.8 no longer supports legacy Stonesoft IPS Analyzers, Combined Sensor-Analyzers, or Sensor
versions 5.2 or lower.
Native Support
To utilize all the features of McAfee Security Management Center version 5.8, the following McAfee
component versions are required:
• McAfee Next Generation Firewall (NGFW) 5.8
Known issues
For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82953.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the online Knowledge Center.
1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
Copyright © 2015 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United
States and other countries. Other names and brands may be claimed as the property of others.