Release Notes McAfee Security Management Center 5.8.1

Release Notes
Revision A
McAfee Security Management Center 5.8.1
Contents
 About this release
 Resolved issues
 Installation instructions
 Upgrade instructions
 System requirements
 Build version
 Compatibility
 Known issues
 Find product documentation
About this release
This document contains important information about the current release. We strongly recommend that
you read the entire document.
Resolved issues
These issues have been resolved since SMC version 5.8.0. For a list of issues that have been resolved in
earlier releases, see the Release Notes for the specific release.
Issue
Description
Policy validation may
not detect unreachable
rules with overlapping
Service definitions
(#108881)
Policy validation may not detect unreachable rules with overlapping
Service definitions. Two rules with the same Source and Destination
definitions and overlapping (but not identical) Service destination port
ranges do not trigger a warning about unreachable rules.
Extra characters added
to Logging Profile
header (#109860)
When editing a Logging Profile header, extra characters are added. As a
result, the Logging Profile is unable to parse received syslog packets.
The extra characters are visible in the editor.
Log Filter that matches
any IP address matches
log entries related to
Port Scan detection
(#110258)
When Port Scan detection is enabled for all traffic, the network range
causes it to match a Log Filter that matches any IP address.
Workaround: Use Src and Dst IP Address filters instead, or filter out
entries related to Port Scan detection from the results.
1
Issue
Description
Antispoofing view may
not be updated to show
routing changes
(#110500)
The Antispoofing view might not be updated to reflect changes in the
routing configuration. Some examples:
1. Changing from a default route that uses Router elements to a default
route that uses NetLinks. The change is taken into account, but the Any
Network element is removed from the Antispoofing view.
2. Adding a network-specific route on the wrong interface and then
correcting the configuration. The Antispoofing view does not take the
correction into account. Instead, it shows the network on both
interfaces.
Workaround:
1. Add the Any Network element manually to the Antispoofing view.
2. You cannot delete automatically added networks in the Antispoofing
view. You can, however, disable a network that is associated with the
wrong interface.
Restoring backup with
recent dynamic update
package may cause
policy installation to fail
(#110558)
Restoring a Management Server backup that has a recent dynamic
update package on a fresh SMC installation succeeds without errors or
notifications. Policy installation may still fail after this, especially when
the Inspection rules in the policy include Correlation Situations. This
may happen when the backup has a newer dynamic update package
than the fresh SMC installation.
Workaround: Before you install a policy after restoring a Management
Server backup, activate a dynamic update package that is the same or
newer than the one included in the backup.
Cluster node names
cannot be edited
(#111907)
When upgrading to SMC 5.8.0, the names of nodes in an engine cluster
have the format <clustername> node <n>. It is not possible to edit the
node names in the Engine Editor.
Deleting SSL VPN Portal
element fails
(#112075)
If you try to delete an SSL VPN Portal element in the VPN Configuration
view, the following error is displayed: "Database problem. Failed to
collect references: <portal>".
Workaround: You can select a different SSL VPN Portal element for the
engine in the Engine Editor. When you have changed the selected SSL
VPN Portal element, you can delete the unnecessary SSL VPN Portal
elements after the upgrade.
Geolocation resolving
does not work for IPv4
addresses (#112160)
Geolocation resolving does not work for IPv4 addresses. Geolocation
maps are available in Reports, Statistics, and Overviews, but IPv4
addresses are not resolved on the map.
Workaround: Copy the GeoLiteCity.dat file to the Data folder in the
installation directory: <SG_HOME>/data.
Multi-Link configuration
with CVI address as the
only interface IP
address fails to install
(#112225)
After the upgrade to SMC 5.8.0, a Multi-Link configuration in which at
least one of the NetLink interfaces only has a CVI address fails to install.
The following error message is displayed: "Upload Failure: Operation
failed.Internal error. Details:Failed to build specific configuration for.
Details: Internal error."
Server Pool element
without member
servers causes policy
installation to fail
(#112240)
Installing a policy can fail without any error message if the policy refers
to a Server Pool element that does not have any member servers
defined. This occurs when such a Server Pool element is referred to
within a group or otherwise the Server Pool element itself is not set in
the rule.
Workaround: Remove the references to partially-configured Server Pool
elements.
Security Management
Center response to
CVE-2014-3566
(POODLE SSLv3
vulnerability)
(#112476)
CVE-2014-3566 is a vulnerability in the SSLv3 protocol. By default,
access to specific SMC services via HTTPS is disabled. You can connect
to the Web Portal Server, SMC API, and the Authentication Server
Identity Provider and Web Services by using TLS v1, v1.1, v1.2, and
SSL v3. The client and the server negotiate the used protocol.
2
Issue
Description
Japanese localization
not available
See more details and workaround options from KB83239.
Installation instructions
Note
The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security
Management Center is installed for the first time.
The main installation steps for the McAfee Security Management Center and the Firewall, IPS, or Layer
2 Firewall engines are as follows:
1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s).
2. Import the licenses for all components (you can generate licenses on our website at
https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the
Security Engine Configuration view.
4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2
Firewall element and selecting Save Initial Configuration.
5. Make the initial connection from the engines to the Management Server and enter the one-time
password provided during Step 4.
6. Create and upload a policy on the engines using the Management Client.
The detailed installation instructions can be found in the product-specific installation guides. For a more
thorough explanation of using the McAfee Security Management Center, refer to the Management Client
online Help or the McAfee SMC Administrator’s Guide. For background information on how the system
works, consult the McAfee SMC Reference Guide. All guides are available for download at
https://www.stonesoft.com/en/customer_care/documentation/current/.
Upgrade instructions
Note
McAfee Security Management Center (Management Server, Log Server and Web Portal Server) must be
upgraded before the engines are upgraded to the same major version.
McAfee Security Management Center (SMC) version 5.8.1 requires an updated license if upgrading from
version 5.7 or lower. Unless the automatic license update functionality is in use, request a license
upgrade on our website at https://my.stonesoft.com/managelicense.do and activate the new license
using the Management Client before upgrading the software.
Note
It is not possible to upgrade SMC version 5.7.4, which will be released later, to SMC version 5.8.1.
To upgrade an earlier version of the SMC to McAfee Security Management Center version 5.8.1, we
strongly recommend that you stop all the McAfee NGFW services and take a backup before continuing
with the upgrade. After taking the backup, run the appropriate setup file depending on the operating
system. The installation program detects the old version and does the upgrade automatically.
Versions lower than 5.2.0 requires an upgrade to version 5.2.0 – 5.7.3 before upgrading to version
5.8.1.
3
System requirements
Basic management system hardware requirements
•
Intel Core family processor or higher recommended, or equivalent on a non-Intel platform
•
A mouse or pointing device (for Management Client only)
•
SVGA (1024x768) display or higher (for Management Client only)
•
Disk space for Management Server: 6 GB
•
Disk space for Log Server: 50 GB
•
Memory requirements for 32-bit operating systems:
•
o
2 GB RAM for Server (3 GB minimum if all components are installed on the same
server)
o
1 GB RAM for Management Client
o
6 GB RAM for Server (8 GB minimum if all components are installed on the same
server)
o
2 GB RAM for Management Client
Memory requirements for 64-bit operating systems:
Operating systems
McAfee Security Management Center supports the following operating systems and versions:
•
Microsoft® Windows Server 2012™ R2 (64-bit)*
•
Microsoft® Windows Server 2008™ R1 SP2 and R2 SP1 (64-bit)*
•
Microsoft® Windows 7™ SP1 (64-bit)*
•
CentOS 6 (for 32-bit and 64-bit x86)**
•
Red Hat Enterprise Linux 6 (for 32-bit and 64-bit x86)**
•
SUSE Linux Enterprise 11 SP3 (for 32-bit and 64-bit x86)**
•
Ubuntu 12.04 LTS (for 64-bit x86)**
*) Only the U.S. English language version has been tested, but other locales may work as well.
**) 32-bit compatibility libraries lib and libz are needed on all Linux platforms.
Note
32-bit Windows environments are no longer officially supported in SMC 5.8.
Web Start Clients
In addition to the operating systems listed above, McAfee Security Management Center can be accessed
through Web Start by using the following Mac OS and JRE versions:
•
Mac OS 10.9 with JRE 1.7.0_67
4
Build version
McAfee Security Management Center version 5.8.1 build version is 8817.
This release contains Dynamic Update package 612.
Product Binary Checksums
smc_5.8.1.8817.iso
SHA1SUM 093d1d04aab22133401b276cc42b4ca22eb2fe97
smc_5.8.1.8817.zip
SHA1SUM 97f3502274b94b9102e8ae72390715afe4c90b53
smc_5.8.1.8817_linux.zip
SHA1SUM 88cee29d328f2e8d4e80608f4ab103d865c1fafe
smc_5.8.1.8817_windows.zip
SHA1SUM 4a7e3cb110f455769e3c37afaa01c4d8510f7034
smc_5.8.1.8817_webstart.zip
SHA1SUM a760d21d5364d02114a65be291c21c2c3fc4b032
Compatibility
McAfee Security Management Center version 5.8 is compatible with the following McAfee and Stonesoft
component versions:
•
McAfee NGFW versions 5.7 and 5.8
•
Stonesoft Security Engine versions 5.4 and 5.5
•
Stonesoft Firewall engine version 5.3
•
Stonesoft SSL VPN version 1.5
•
McAfee ePolicy Orchestrator (ePO) 4.6 and 5.0
Note
SMC 5.8 no longer supports legacy Stonesoft IPS Analyzers, Combined Sensor-Analyzers, or Sensor
versions 5.2 or lower.
Native Support
To utilize all the features of McAfee Security Management Center version 5.8, the following McAfee
component versions are required:
•
McAfee NGFW 5.8
Known issues
For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82953.
5
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the online Knowledge Center.
1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
Copyright © 2014 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United
States and other countries. Other names and brands may be claimed as the property of others.
00-A
6
`