Contents
About this release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Product documentation
This release of Network Security Platform provides a few features and enhancements for the
Manager and M-series Sensor software.
This version of 8.3 Manager software can be used to configure and manage the following hardware:
Hardware | Version
NS9x00-series Sensors (NS9100, NS9200, NS9300) | 8.1, 8.2, 8.3
NS7x00-series Sensors (NS7100, NS7200, NS7300) | 8.1, 8.2, 8.3
NS5x00-series Sensors (NS5100, NS5200) | 8.1, 8.3
M-series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) | 8.1, 8.2, 8.3
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) | 8.1, 8.2, 8.3
XC Cluster Appliances (XC-240) | 8.1, 8.2, 8.3
NTBA Appliance software (T-200, T-500, T-600, T-1200, T-VM, T-100VM, T-200VM) | 8.1, 8.2, 8.3
NS5x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known
Issues for more information. Sensor software version 8.2 is currently not available for
NS5x00-series.
NS3x00-series Sensors are not compatible with Manager version 8.3.7.28. See Known
Issues for more information. Sensor software version 8.2 is currently not available for
NS3x00-series.
Sensor software versions 8.2 and 8.3 are currently not available for IPS-VM100-VSS.
The above mentioned Network Security Platform software versions support integration with the
following product versions:
Currently port 4167 is used as the UDP source port number for the SNMP command channel
communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound
connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the
same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version
1.8.0_92, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to
bind for IPv6.
Manager 8.3 uses JRE version 1.8.0_92 and MySQL version 5.6.30. If you have IPv6 Sensors behind a
firewall, you need to update your firewall rules accordingly such that port 4166 is open for the SNMP
command channel to function between those IPv6 Sensors and the Manager.
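A way to check exported firewall rules for the port change described above, as an added example that is not part of the release notes or of McAfee's tooling. It assumes the firewall is Linux netfilter and the rules are in iptables-save / ip6tables-save syntax; the sample rule sets and addresses are constructed, and because the release notes do not say which side of the firewall the rule sits on, the check accepts the port as either source or destination.

```python
import shlex

# From the release notes: the Manager's UDP source port for the SNMP
# command channel is 4167 over IPv4 and 4166 over IPv6 (JRE 1.8.0_92).
IPV4_PORT, IPV6_PORT = 4167, 4166

def _covers(spec, port):
    """True if an iptables port spec ('4166' or '4160:4170') includes port."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo) == port
    return int(lo or 0) <= port <= int(hi or 65535)

def accepts_udp_port(rules_text, port):
    """True if some UDP ACCEPT rule names port as --sport or --dport.
    Assumption: negated matches ('!') are not used in the rule set."""
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok or tok[0] != "-A":
            continue  # skip table names, chain policies, COMMIT
        opts = dict(zip(tok, tok[1:]))  # each token -> the token after it
        specs = [opts[k] for k in ("--sport", "--dport") if k in opts]
        if (opts.get("-p") == "udp" and opts.get("-j") == "ACCEPT"
                and any(_covers(s, port) for s in specs)):
            return True
    return False

def audit(v4_rules, v6_rules):
    """Return findings for the SNMP command channel in both rule sets."""
    findings = []
    if not accepts_udp_port(v4_rules, IPV4_PORT):
        findings.append(f"ipv4: no UDP ACCEPT rule for port {IPV4_PORT}")
    if not accepts_udp_port(v6_rules, IPV6_PORT):
        msg = f"ipv6: no UDP ACCEPT rule for port {IPV6_PORT}"
        if accepts_udp_port(v6_rules, IPV4_PORT):
            msg += f" (a rule still names {IPV4_PORT}, the IPv4 port)"
        findings.append(msg)
    return findings

# Constructed samples; addresses are from documentation ranges.
V4 = ":INPUT DROP [0:0]\n-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 4167 -j ACCEPT\nCOMMIT"
V6_STALE = ":INPUT DROP [0:0]\n-A INPUT -s 2001:db8:10::/64 -p udp -m udp --dport 4167 -j ACCEPT\nCOMMIT"
V6_FIXED = V6_STALE.replace("4167", "4166")

if __name__ == "__main__":
    print(audit(V4, V6_STALE), audit(V4, V6_FIXED))
```

The stale IPv6 rule set is the case to look for after the upgrade: an IPv4 rule copied to the IPv6 firewall with port 4167 left unchanged.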
Manager software version 8.3 is not supported on McAfee-built Dell-based Manager Appliances. McAfee
recommends that you use Intel-based Manager Appliances instead.
New features
This release provides fixes for some of the previously known issues, and does not include any new
features.
Enhancements
This release of Network Security Platform includes the following enhancements:
In version 8.3, an enhancement is made to reduce generation of excessive special alerts by delaying
the alert generation either by a maximum of 5 seconds, or until the layer 7 session is terminated.
Resolved issues
The current release of the product resolved these issues. For a list of issues fixed in earlier releases,
see the Release Notes for the specific release.
ID # Issue Description
1169061 The device integrated with the NTBA appliance is not displayed in the device list under
Devices | <Admin Domain Name> | Devices.
1118316 Incorrect description is displayed for alert details panel in Attack Log for Endpoint
Executable and Malware Files.
1114679 The Attack Log does not display data for EIA executables.
ID # Issue Description
1175740 Upon trying to save a customized signature after adding an IPv4 address, the process
sticks at 0%.
1166876 The Manager fails to generate automatic IPS configuration report daily.
1166084 The Attack logs saved in CSV format display the Attacker Host Name and Target Host Name
inappropriately.
1165036 The signatures of the newly added attacks are not displayed in the policy editor.
1164536 Creating an Ignore Rule in the Manager displays error Unable to get Resources for Admin Domain.
failed to get sensor for subscriber "0".
1164024 In high availability mode, there is failure in alert channel after the secondary Sensor
reboots.
1163187 In the Attack Log page, the log files generated in CSV or PDF format for unacknowledged alerts
are incorrectly displayed as acknowledged alerts.
1162321 Custom roles created with View Only role are incorrectly applied as Edit roles.
1161236 Manager fails to perform configuration update on the Sensor due to compilation error.
1161090 / 1159384 Snort rules that use Snort IP headers as filters work incorrectly as the Sensor triggers
alerts even when the parameters do not match with the header options.
1150853 The configuration options are disabled for alert relevance in Manager | <Admin Domain Name> |
Integration | Vulnerability Assessment | MVM | Alert Relevance.
1149111 The IP address that is manually quarantined from the Attack Log page is not displayed in
the Manager's quarantine list.
1149099 The Manager sends additional messages in the syslog notification for some alerts.
1148663 The actions performed to enable or disable the monitoring ports in the Sensor are
displayed incorrectly in the User Activity Log page in the Manager. For example, if the port
action is from Enabled to Disabled, it is displayed as Disabled to Enabled in the Manager.
1148454 In the Manager, the list to select the child domain is disabled.
1147762 Expired SSL certificate can be imported to the Manager which is displayed as Valid.
1147619 Alert count mismatch exists between the Primary and Secondary Manager.
1145115 The data truncation error description is very long.
1143918 The Result column does not display attacks for smartblocked attacks in the Attack Log
after Manager upgrade.
1143558 E-mail notifications are incorrectly sent for alerts that are not configured to send
notifications.
1142684 Error is displayed in the Manager when the number of quarantined IP addresses exceeds
1000.
1142079 Attack names are displayed as --- after a signature set upgrade under Policy | <Admin
Domain Name> | Intrusion Prevention | Policy Types | IPS Policies.
1142047 The Manager automatically deploys the signature sets even when automatic deployment
is disabled.
1141070 The performance charts for Device Throughput Usage, Port Throughput, and CPU Usage under
Devices | <Admin Domain Name> | Devices | <Device Name> | Troubleshooting | Performance Charts do
not display weekly data.
1140604 When deploying updates to the Sensor, the Running Tasks and User Activity Log pages display
the device name as null.
1139033 Importing user-defined signatures in the Manager causes error.
1138655 In an MDR scenario, both the Primary and Secondary Manager send fault notifications for
port link failures.
1138335 Communication between the Manager and the Sensor is disconnected after restarting the
Manager service.
1136975 The trend analysis report scheduled for weekly or monthly time period does not display
the data for the last day.
1135691 The fault for Gateway Anti-Malware file update is displayed in the Manager even when it
successfully updated in the Sensor.
1131532 The syslog fault notifications from the Manager for a high-availability Sensor cluster
contain the cluster name instead of the node name.
1128407 Executive Summary report shows several Address Not Resolved results in the Hostname
columns in the Top N Source IP and Top N Destination IP sections.
1126609 In the Attack Log page, the policy update fails when selecting a policy under Update Policy
options from the Other Actions list.
1125670 Link failure SNMP trap shows incorrect port name.
1118293 The Traffic Statistics page displays an error when clicked.
ID # Issue Description
1140630 The syslog notifications for performance faults do not include the value that triggered
the fault or the threshold.
Resolved Sensor software issues
The following table lists the medium-severity Sensor software issues:
ID # Issue Description
1184408 After an upgrade, the Sensor experiences an exception while processing the signature set, causing
it to go to bad health or experience auto recovery. This happens more often when there
are Ignore Rules with Any Any or IPv6 Ignore Rules and IPv6 scanning is disabled.
1166353 For XFF traffic, the Sensor does not send true client IP address to the syslog server.
1164826 Syslog alerts sent from the Sensor display the timestamp incorrectly with a 12 hour
difference.
1164047 Filename and domain in URI path contain duplicate domain name information when
submitted to Advanced Threat Defense.
1163993 The show feature status command displays incorrect status of the configured features in
the Sensor since the operation fails.
1163689 Whitelisted entries with more than two labels do not generate an exact match like they
should.
1159776 The vulnerability scanner reports the following Sensor vulnerabilities:
SSH weak algorithms supported
SSH server CBC Mode Ciphers Enabled (CVE-2008-5161)
SSH weak MAC Algorithm Enabled
1159229 The Sensor fails to send packet log information when the packet log resources are not
initialized.
1156118 [M-2950] The Sensor switches to layer 2 bypass mode.
1152648 The management process incorrectly invalidates a valid memory which causes the Sensor
to go to bad health.
1152472 The Sensor is vulnerable to the following vulnerabilities:
CVE-2016-4953 CVE-2016-4956
CVE-2016-4954 CVE-2016-4957
CVE-2016-4955
1151327 In a rare condition, the malware processing engine experiences an exception while
processing an SMTP attachment file having large encoded content.
1150815 The events.log does not persist after Sensor reboot.
1149298 An internal resource leak in the malware processing modules causes the Sensor to stop
sending files to the Advanced Threat Defense appliance.
1149107 Port throughput utilization is wrongly calculated for ports with speed greater than 1G.
1147328 The Sensor is vulnerable to CVE-2016-4448.
1146928 The TCP: Microsoft Windows TCP IP Driver Denial of Service alert is generated due to incorrect packet
length.
1146409 The Sensor may go to bad health, auto-recover, or reboot due to incorrect validation
during allocation or freeing of data buffers.
1145843 In a rare condition when multiple connection attempts between the Sensor and the Advanced
Threat Defense appliance or NTBA appliance fail in a short span of time, the Sensor
reboots.
1144514 Default IP address is sometimes not available after you run the factory defaults command.
1143386 The alerts are not displayed in the malware dashboard due to internal resource exhaustion.
1140389 Unable to quarantine IP address 172.30.6.100.
1139962 The ICMP Nachi Attack alert is incorrectly raised.
1139454 Sensor generates a false positive alert for the IGMP: Fragmented IGMP Packet Attack alert.
1138571 The Connection Count for TCP/UDP on Next Generation report always shows 0.
1137501 The Sensor is vulnerable to the following Improper Input Validation vulnerabilities:
CVE-2015-7704 CVE-2016-2516
CVE-2015-8138 CVE-2015-7975
CVE-2015-7705 CVE-2016-2517
CVE-2016-1550 CVE-2015-7976
CVE-2015-7974
1137245 Layer 7 DDOS response action configuration does not work correctly.
1136618 ISAKMP traffic is not dropped by the Sensor when the application Firewall policy is
configured to drop.
1133662 Deploying changes related to rate limiting policies every third time results in Sensor going
to bad health.
1133656 SSL connections for unsupported ciphers are not consistently detected and blocked.
1132694 In a rare scenario, VoIP calls get disconnected due to processing delays of VoIP traffic in
the Sensor.
1131649 In rare scenarios, malware engine does not come up, impacting the processing of files.
1129065 Manual signature set push causes Sensor to reboot.
1126206 Alerts have incorrect information when parsing XFF flows with persistent HTTP connection.
1117263 The Sensor raises SSL: Connections Exhausted message or the Sensor goes to bad health
because of incorrect software corruption.
1114845 During a configuration update, few UDP packets are dropped.
1097502 The Manager user interface incorrectly shows pending entries for Advanced Threat Defense
even when submitted files are not processed due to an overload or any other error
scenario.
1051747 The Next Generation report, Default - Top 10 Application Categories by Bandwidth Usage, displays traffic
volume in bytes instead of bits.
Installation instructions
Manager server/client system requirements
The following table lists the 8.3 Manager server requirements:
Memory 8 GB >16 GB
The following are the system requirements for hosting Central Manager/Manager server on a VMware
platform.
Table 5-1 Virtual machine requirements
Component | Minimum | Recommended
Operating system | Any of the following: Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation); Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation); Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system; Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system; Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system; Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system | Windows Server 2012 R2 Standard Edition operating system
Memory | 8 GB | >16 GB
CPU | Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory | Physical Memory: 16 GB
Internal Disks | 1 TB
The following table lists the 8.3 Manager client requirements when using Windows 7, Windows 8, or
Windows 2012:
Component | Minimum | Recommended
Operating system | Windows 7, English or Japanese; Windows 8, English or Japanese; Windows 8.1, English or Japanese; Windows 10, English or Japanese |
RAM | 2 GB | 4 GB
CPU | 1.5 GHz processor | 1.5 GHz or faster
Browser | Internet Explorer 10, 11, or Microsoft Edge; Mozilla Firefox; Google Chrome (App mode in Windows 8 is not supported.) | Internet Explorer 11; Mozilla Firefox 20.0 or later; Google Chrome 24.0 or later
To avoid the certificate mismatch error and security
warning, add the Manager web certificate to the
trusted certificate list.
If you are using Google Chrome 42 or later, the NPAPI plug-in is disabled by default, which means that
Java applet support is disabled by default. Perform the following steps to enable NPAPI plug-in:
3 Click Relaunch Now at the bottom of the page to restart Google Chrome for the changes to take
effect.
For the Manager client, in addition to Windows 7, Windows 8, and Windows 8.1, you can also use the
operating systems mentioned for the Manager server.
The following are Central Manager and Manager client requirements when using Mac:
El Capitan
For more information, see McAfee Network Security Platform Installation Guide.
Upgrade recommendations
McAfee regularly releases updated versions of the signature set. Note that automatic signature set
upgrade does not happen. You need to manually import the latest signature set and apply it to your
Sensors.
The following is the upgrade matrix supported for this release:
Known issues
For a list of known issues in this product release, see this McAfee KnowledgeBase article:
Network Security Platform software issues: KB86387
Product documentation
Every McAfee product has a comprehensive set of documentation.
2 Enter a product name, select a version, then click Search to display a list of documents.
Quick Tour
CLI Guide
Integration Guide
Best Practices Guide
Troubleshooting Guide