McAfee Firewall Enterprise Release Notes, version 8.2.0
This document provides information about McAfee Firewall Enterprise version 8.2.0, including download and installation instructions.
You can find additional information by using the resources listed in the following table.
Table 1 Product resources

Resource: Online Help
Location: Online Help is built into Firewall Enterprise. Click Help on the toolbar or from a specific window.

Resource: McAfee Technical Support ServicePortal
Location: Visit mysupport.mcafee.com to find product updates, product installation files, product documentation, the KnowledgeBase, product announcements, and technical support.

Resource: Product updates
Location: Visit go.mcafee.com/goto/updates to download the latest Firewall Enterprise patches.
1 In a web browser, navigate to www.mcafee.com/us/downloads.
2 Provide your grant number, then navigate to the appropriate product and version.

In this document:
About this release
Requirements
New features
Enhancements
Resolved issues
Known issues
Upgrade a firewall to version 8.2.0
Perform a new installation
Note: This release does not support McAfee Firewall Enterprise on Crossbeam X-Series Platform. However, McAfee intends to support this platform in the future.
Installation options
The following installation options are available for version 8.2.0:
Upgrade: Upgrade a firewall from version 8.1.2 to version 8.2.0. For upgrade instructions, see Upgrade a firewall to version 8.2.0 in this document.
New installation: Re-image a firewall using version 8.2.0 installation media.
For more information, see the following resources:
To find the latest information on McAfee firewall products and versions that Firewall Enterprise supports, refer to KnowledgeBase article KB67462.
To learn about these products and how they interoperate with Firewall Enterprise, refer to the Using McAfee Firewall Enterprise with Other McAfee Products application note.
Requirements
Before you install version 8.2.0, make sure the Admin Console and Firewall Enterprise requirements are met.
Note: Firewall Enterprise on Riverbed Services Platform is installed in 32-bit mode by default.
New features
The following new features are included in this release.
IPv6 support
This release introduces IPv6 support for the following configurations:
Failover High Availability (HA): Supports IPv6 in peer-to-peer and primary/standby HA cluster configurations
Domain name system (DNS): Supports split DNS with IPv6 configurations
Border Gateway Protocol (BGP): Allows exchange of IPv4 and IPv6 routes
Note: IPv6 is enabled by default in 8.2.0.
The following restrictions apply:
For each shared IPv6 address, cluster firewalls must be assigned an individual IPv6 address in the same scope.
Load sharing HA does not support IPv6.
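The two restrictions above are easy to violate when an IPv6 cluster is built by hand, and the firewall only reports the problem at policy activation. The following pre-activation check is an added example, not McAfee code and not part of the original release notes. It assumes a cluster description as a plain Python dict of "address/prefixlen" strings, and it reads "same scope" as the same scope class (link-local, unique-local or global) on the same on-link prefix as the shared address; both are assumptions made for the example.

```python
# Added example (not McAfee code): pre-activation check for the IPv6 HA
# restrictions in Firewall Enterprise 8.2.0.  The cluster layout below and the
# reading of "same scope" (same scope class AND same on-link prefix) are
# assumptions made for this example.
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def scope_of(addr: ipaddress.IPv6Address) -> str:
    """Classify an address into the scope class used by the check."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def check_ipv6_ha(ha_mode, shared, nodes):
    """Return a list of problems; an empty list means the layout is acceptable.

    ha_mode : "peer-to-peer", "primary-standby" or "load-sharing"
    shared  : shared (cluster) IPv6 addresses as "addr/prefixlen" strings
    nodes   : {node_name: ["addr/prefixlen", ...]} individual addresses
    """
    problems = []
    # Restriction 2: load sharing HA has no IPv6 support at all in 8.2.0.
    if ha_mode == "load-sharing" and shared:
        problems.append("load sharing HA does not support IPv6 shared addresses")
        return problems
    # Restriction 1: every node needs its own address in the scope of each
    # shared address, and the shared address itself must not double as one.
    for s in shared:
        s_if = ipaddress.IPv6Interface(s)
        for name, addrs in nodes.items():
            candidates = [ipaddress.IPv6Interface(a) for a in addrs]
            if any(c.ip == s_if.ip for c in candidates):
                problems.append(
                    f"{name}: shared address {s_if.ip} is also configured "
                    f"as an individual address")
            match = [c for c in candidates
                     if c.network == s_if.network
                     and scope_of(c.ip) == scope_of(s_if.ip)
                     and c.ip != s_if.ip]
            if not match:
                problems.append(
                    f"{name}: no individual address in {s_if.network} "
                    f"({scope_of(s_if.ip)}) for shared address {s_if.ip}")
    return problems


# Constructed sample cluster (documentation prefix, not a real deployment).
CLUSTER = {
    "fw-a": ["2001:db8:10::11/64", "fe80::a/64"],
    "fw-b": ["2001:db8:10::12/64", "fe80::b/64"],
}
SHARED = ["2001:db8:10::1/64", "fe80::1/64"]

if __name__ == "__main__":
    for line in check_ipv6_ha("primary-standby", SHARED, CLUSTER) or ["ok"]:
        print(line)
```

Run the check against the intended configuration before activating it on either node; any non-empty result corresponds to a restriction the release notes say the cluster will not accept.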
Enhancements
The following enhancements are included in this release.
Common Criteria
A McAfee Firewall Enterprise network environment can be configured to comply with Common Criteria evaluation standards.
Usability improvements
This release includes the following usability enhancements.
Admin Console: From the Access Control Rules window, select the Application Defense groups and McAfee Global Threat Intelligence reputation options while defining access control rules.
Documentation: The product guide has been streamlined to clarify topics and optimize Admin Console option definitions.
Resolved issues
This release resolves the following issues.
Admin Console
Improves the stability of the graphical user interface BGP editor
Improves the performance of the dashboard when viewing data from a firewall with a significant number of blackholed IP addresses
Improves parsing of DNS configuration files during DNS interface modification
Enhances Application Defense usability
Allows choosing user_name as a column in the graphical user interface Audit Viewer
Allows use of 0 as a netmask in VPN security associations
Resolves the "failed to connect to SSL" issue when the Audit Viewer is launched in a new application window
Resolves an issue with managing DNS configurations when non-resolvable NS or MX records are present
Supports policies that use deprecated applications on the Rule Interactions tab
Makes the Rule Interactions tab consistent with McAfee Firewall Enterprise Control Center
Fixes the port display for the Deny All rule on the Rule Interactions tab
Fixes an issue on the Rule Interactions tab with unsaved data on the Access Control Rules window
Fixes the save issue for the Auto-recover on Reconnect checkbox on the High Availability window
Fixes a dashboard timeout issue on the primary firewall
Addresses issues with handling of SmartFilter custom sites
Crypto
Resolves incorrect UNIX permissions on fetched Certificate Revocation List (CRL) files
Fixes NAT-T support for password-based dynamic VPNs
Updates Trusted Internet CAs with the new list from Mozilla
Removes DigiNotar from the list of Trusted Internet CAs (after upgrading, confirm that no rule or VPN definition still trusts a DigiNotar-issued certificate)
High Availability
Improves failover processing when an interface failure occurs
Resolves a startup issue that occurs during simultaneous booting of nodes in a peer-to-peer cluster
Resolves an issue with a down interface on a load sharing primary
Shares last application cache with secondary nodes
Policy
Allows UDP proxy rules that pass IPv4 and IPv6 with redirection to pass both address families
Improves memory use during activation of large, complex rule sets
Improves validation of IPv4 addresses in the configuration
Improves validation of the upstream proxy setting in the HTTP Application Defense
Improves error checking when including a generic Application Defense in an Application Defense group
Improves usability with changes to policy validation and compilation
Improves usability with better defaults for SSL rules
Ensures that traffic is proxied if the policy requests it
Resolves an issue with netgroups containing too many host objects
Resolves a validation issue when using an application with multiple capabilities in a policy
Resolves a traceback issue when using time periods with IPv6 enabled
Fixes a timing issue in acld that causes a "Bad file descriptor" traceback in audit
Fixes an issue with netmaps when handling IPv6 traffic
Fixes an error when using Geo-Location objects as endpoints in SSL rules
Fixes a validation issue when adding a zone with an index of 63
Cleans up the posting of listens so that proxies listen only on the interfaces specified in the policy
Proxies
Resolves the broken SmartFilter logo in block pages when Remote SmartFilter Administration Console is enabled
Resolves an issue with truncation of group names when passing user information from Passport to SmartFilter
Resolves an interface issue with DHCP Relay
Resolves an issue with authenticated redirections
Fixes handling of pings on a secondary node in a load sharing HA cluster to clean up attack audits
Fixes a problem with the SmartFilter URL when using a non-default port
Fixes Passport authentication handling when using Web login with active session mode
Addresses a UDP session hang on secondary nodes in a load sharing HA cluster
Citrix
Improves error handling in the UDP Citrix proxy
FTP
Adds support for the QUOTE command in the FTP proxy
HTTP
Resolves an issue with IPS scanning of URLs in the HTTP proxy
Corrects logging of HTTPS sites in SF.log when using the remote SmartFilter console
Prevents accidental HTTP protocol enforcement for non-HTTP protocols
Provides stability fixes for the HTTP proxy
Resolves an issue with denied headers in the HTTP proxy and blocked headers in the SMTP proxy
Resolves a session hang in the HTTP proxy when using SmartFilter
Re-enables in-band authentication for non-transparent HTTPS
Restores special-case handling of in-band Passport authentication for non-transparent HTTP
Adds attack detection and mitigation for slow header attacks against the HTTP protocol
Allows non-transparent HTTP to use minimal inspection
Allows invalid DNS responses to time out so that the proxy re-queries
H.323
Addresses H.323 handling of unregistration request messages without call signal addresses
SMTP
Improves the SMTP proxy debugging audits
Resolves a hang in the SMTP proxy during configuration changes under some circumstances
Allows use of the BDAT verb in the SMTP proxy
SNMP
Improves the stability of the SNMP proxy
SSH
Relaxes validation of the X11 forwarding originator address field in the SSH proxy
Sun RPC
Improves error handling when passing Sun RPC through a proxy
System
Improves debugging support on large memory systems
Improves handling of DHCP addresses when modifying interfaces
Improves error handling when processing audit files with corrupted data
Allows passing of multicast traffic through the firewall when using a transparent bridged interface and link aggregation (LAGG)
Supports the configuration of more than two interfaces on a bridge
Adds AAAA records to BIND's root cache for the D and I root servers
Rejoins multicast groups for IP filter rules when interfaces change
Resolves a problem that dropped routing tables when zone modes are changed on a transparent firewall
Resolves a problem that restarts a device when installing multiple packages before all packages are completely installed
Resolves an issue with hostd performance
Resolves a Type Enforcement error when exiting from emergency maintenance mode
Fixes a Type Enforcement error when reconfigure mail is run while mail messages are queued in /var/spool/mqueue.c
Fixes kernel stability issues
Corrects data returned by the UCD-SNMP-MIB::ssCpuIdle.0 and HOST-RESOURCES-MIB::hrProcessorLoad SNMP OIDs
Cleans up extraneous debug audits from hostd
Security updates
Resolves CVE-2011-1910 and CVE-2011-2464 for BIND
Resolves CVE-2010-1674 and CVE-2010-1675 for Quagga BGP
All four are remotely triggerable denial-of-service issues (named crashes on crafted DNS responses or UPDATE requests; bgpd crashes on malformed attributes in BGP UPDATE messages). Firewalls that serve DNS or peer BGP with parties outside their own administrative control should treat this upgrade as a priority.
Known issues
For information about known issues for Firewall Enterprise version 8.2.0:
1 Visit mysupport.mcafee.com.
2 Log on with your user ID and password. The ServicePortal homepage appears with a welcome message at the top.
If you do not have an account but have received a grant number: In the User Login section, click New User. Complete the information and follow the prompts to set up your account.
If you do not have an account or grant number, contact Customer Service.
3 In the Self Service section, click Search the KnowledgeBase. The KnowledgeBase welcome page appears.
4 In the Ask a Question section, type KB72785, then click Ask. The KnowledgeBase article appears with
Note: To upgrade a High Availability cluster, upgrade the secondary/standby firewall first, then upgrade the primary firewall.
A successfully loaded message appears, and the package status changes to Loaded.
Manually load the package
If your firewall is not connected to the Internet, use a web browser to download the package, then manually load the package on the firewall.
1 Use a web browser to download the 8.2.0 package.
a Go to go.mcafee.com/goto/updates.
b Scroll down to the McAfee Firewall Enterprise Upgrades and Patches entry for version 8.2.0, then click Download.
c
d Click Download Patch for version 8.2.0.
2 Place the 8.2.0 file where the firewall can access it. Choose one of these options:
Local FTP site: Place the package on an FTP site that the firewall has access to.
HTTPS website: Place the package on an HTTPS website that the firewall has access to.
CD: Place the package in a /packages directory on a CD, then insert the CD into the firewall CD-ROM drive.
Directory on the firewall: Use SCP to copy the package to the /home directory of your firewall administrator account.
Note: To transfer files to the firewall using SCP, SSH access must be enabled on the firewall.
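Whichever of the four locations you choose, the package travels from the download portal to the firewall through at least one intermediate host, so it is worth checking its integrity before the firewall loads it. The script below is an added example, not McAfee code and not part of the original release notes: it hashes the downloaded file, compares the digest with a value you recorded from the download portal out of band (an assumption; the page itself does not publish digests), confirms that the firewall accepts SSH connections as the note above requires, and only then runs scp into the administrator's home directory. The package filename, administrator account and firewall hostname are placeholders.

```python
# Added example (not McAfee code): verify the 8.2.0 package before copying it
# to the firewall with SCP.  The expected SHA-256 value is assumed to have been
# recorded from the download portal out of band; filename, account and host
# names are placeholders.
import hashlib
import socket
import subprocess
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large package need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_sha256: str) -> bool:
    """True only if the file's digest matches the recorded value."""
    return sha256_file(path) == expected_sha256.strip().lower()


def ssh_reachable(host: str, port: int = 22, timeout: float = 3.0) -> bool:
    """SCP needs SSH access enabled on the firewall; probe the port first."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def push_package(path, expected_sha256: str, admin: str, firewall: str) -> None:
    """Copy the package to the administrator's home directory on the firewall,
    but only after the integrity check passes and SSH is reachable."""
    if not verify_package(path, expected_sha256):
        raise ValueError(f"{path}: SHA-256 mismatch, refusing to transfer")
    if not ssh_reachable(firewall):
        raise ConnectionError(
            f"{firewall}:22 unreachable; enable SSH access on the firewall first")
    # scp with no remote path lands the file in the account's home directory.
    subprocess.run(["scp", str(path), f"{admin}@{firewall}:"], check=True)


def selftest() -> bool:
    """Round trip on a constructed file (not a real package)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "8.2.0.tar"
        p.write_bytes(b"constructed sample, not a real package\n" * 1000)
        good = sha256_hex(p.read_bytes())
        return verify_package(p, good.upper()) and not verify_package(p, "0" * 64)


if __name__ == "__main__":
    # Placeholders: replace with the real file, recorded digest, account and host.
    push_package("8.2.0.tar", "<sha256 recorded from the download portal>",
                 "admin", "firewall.example.com")
```

If the digest does not match, re-download rather than loading the package: the Admin Console load step in this document reports only that the package loaded, not that it is the package you meant to load.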
3 In the Admin Console, go to Maintenance | Software Management, then click the Download
FTP: Select if you placed the package on a local FTP site
HTTPS: Select if you placed the package on an HTTPS website
CDROM: Select if you created a CD that contains the package
File: Select if you copied the package to your home directory on the firewall
b In the Packages field, type 8.2.0.
c
d Click OK. A confirmation message appears.
6 Click Yes. The firewall loads the package from the specified location. When the operation is complete, a message appears.
7 Click OK.
8 Verify that 8.2.0 is loaded on your firewall.
a Click the Manage Packages tab.
b Verify that the Status of the 8.2.0 package is Loaded on <date>.
A warning appears stating that the firewall will restart after the patch is installed.
5 Click Yes.
The package is installed, then an Error message appears stating that the connection to the server has been lost.
6 Click OK.
The Admin Console update downloads, then a message appears asking if you want to install the package now.
3 Click Yes.
The Admin Console closes and the InstallShield Wizard window appears.
4 Click Next.
A progress bar appears while the Admin Console update installs. When the installation completes, the Update Complete window appears.
5 Click Finish. The Admin Console opens.
If the patch status is still Loaded, call technical support. You can also click View Package Details or View Log to see information about the installation. The patch is now installed.
Patch rollback
If the installed patch does not work to your satisfaction, you can use the Rollback feature to restore the firewall to a previous state.
Caution: If you use the Rollback feature, any configuration changes made after the patch was installed are lost. Therefore, rolling back is a recommended recovery option for only a short time after a patch installation.
Note: A rollback always requires a restart.
Management Tools: Download the McAfee Firewall Enterprise Admin Console executable (.exe) file or CD image (.iso) file.
Tip: Select the CD image file if you want to create a CD for use in installing the Management Tools.
Version 8.2.0 image: Download the installation CD image (.iso) file or USB image (.zip) file.
Tip: Select the USB image file if your appliance does not have a CD-ROM drive.
4 Create physical installation media using the downloaded installation files.
If you downloaded the USB image file, write the image to a USB drive. Refer to KnowledgeBase article KB69115 for instructions.
If you downloaded the executable (.exe) file, locate the file on your computer, then double-click it.
If you downloaded the CD image (.iso) file and used it to create a CD, insert the CD into the appropriate drive.
The welcome window appears.
2 Follow the on-screen instructions to complete the setup program.
Note: McAfee recommends using the default settings.
Tip: Consider installing an SSH client on your computer. Use the SSH client to provide secure command line access to the firewall.
Installation USB drive: If the firewall is on, insert the USB drive and restart. If the firewall is off, insert the USB drive and turn on the firewall.
Installation CD: If the firewall is on, insert the CD and restart. If the firewall is off, turn it on and quickly insert the CD.
The firewall starts and displays standard boot-up information.
2 When the firewall starts, configure it to boot from the inserted installation media.
Models without a CD-ROM drive: Enter the boot menu, then select the installation USB drive.
Models with a CD-ROM drive: By default, the boot order is set to check the CD drive first. If the boot order has been altered and does not check the CD drive first, restart and enter the BIOS to adjust the boot order accordingly.
The firewall boots from the installation media.
3 At the McAfee Inc. menu, accept the default, which is the Operational System. The welcome menu appears.
4 At the Welcome to McAfee Firewall Enterprise menu, select a Firewall Enterprise boot option.
If you are using a locally attached terminal, press Enter to accept the default. If you intend to use a serial console, type 4 and press Enter.
5 When the installation complete message appears, remove the installation media from the firewall.
6 Press R to restart the firewall, then press Enter. The firewall restarts and displays standard restart
d Perform initial firewall configuration. 2 Install the Management Tools on a Windows-based computer.
Configure the RSP data flow to direct network traffic through the firewall.
d Perform initial firewall configuration. 2 Install the Management Tools on a Windows-based computer.
For support information, visit mysupport.mcafee.com. Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. 700-3493A00