
Release Notes

Network Security Platform v5.1

Page 1

McAfee Network Security Platform


[formerly McAfee IntruShield]

Release Version 5.1


(Document was revised on 07/09/09)

Software versions in this release


This document applies only to the following software versions.

Network Security Manager Image for Windows Server 2003/MySQL: 5.1.7.7
Signature set: 5.1.16.22
Network Security Sensor M-6050/M-8000 image: 5.1.7.33
Network Security Sensor M-3050/M-4050 image: 5.1.7.31
Network Security Sensor M-2750 image: 5.1.7.43
Network Security Sensor M-1250/M-1450 image: 5.1.7.44

This 5.1 maintenance release is for addressing Sensor software issues in M-series Sensor models: M-1250, M-1450, and M-2750.

The 5.1.7.7 Manager image includes a critical fix related to signature set push failure to I-series Sensors [version 5.1.1.16 and 5.1.5.6] with certain combinations of policies, UDSes, and alert filters.

This version of 5.1 Manager software can be used to configure and manage I-series, M-series, and N-series Sensors.

700-2013-00


Contents
1 What's new in this release
2 Issues resolved in this release
2.1 Resolved Sensor software issues
2.2 Resolved Manager software issues
3 Known outstanding issues
3.1 Known Sensor software issues
3.2 Known Manager software issues
4 Installation and upgrade notes
5 Technical assistance and problem reporting
6 More Information


1 What's new in this release

This section details the additions and/or enhancements delivered with the 5.1 Release.

Infrastructure upgrade for Manager

With this release of 5.1, the Manager software runs on Apache httpd version 2.2.11 (bundled with OpenSSL version 0.9.8j).

2 Issues resolved in this release

The following table contains issues resolved in this release of Network Security Platform 5.1.

2.1 Resolved Sensor software issues

High severity Sensor software issues (ID #: Issue)

496162: When the ACL Rule action is set to Permit for TCP-based protocols, network delay/packet drops are seen on connections matching the ACL Permit rule.

494437: Sensor performance can drop during policy push from the Manager to the Sensor.

485480: After a Sensor reboot, the ports are enabled before the Sensor is ready to process traffic.

483130: Some enhancements done to the SSH protocol (first released in signature sets 4.1.46.13/5.1.16.12) exposed an error condition in the Sensor software that could cause performance/latency issues on the Sensors when parsing certain types of SSH traffic.

473739: Sensor occasionally reboots to recover from an internal error.

466116: Alert process in the Sensor crashes after the Sensor is up for a long period of time.

Medium severity Sensor software issues (ID #: Issue)

476538: SYN Cookie, Host Quarantine and Guest Access redirection do not work.

Low severity Sensor software issues (ID #: Issue)

466141: IP Spoofing outbound drop counter does not work.

2.2 Resolved Manager software issues

High severity Manager software issues (ID #: Issue)

473839: The signature set push fails to an I-series Sensor (with version 5.1.1.16 or 5.1.5.6) when the Sensor is configured with certain combinations of policies, UDSes, and alert filters.

469523: The signature set push fails when trying to add M-6050 Sensors on a Manager upgraded from 4.1 to 5.1.

462552: During an upgrade from 5.1.1.5 to 5.1.5.6, scheduled reports are lost.

451630: Database purging fails for performance metrics data.

451380: If the report generation is canceled while generating a PDF report in Japanese, an error occurs.

Medium severity Manager software issues (ID #: Issue)

474260: "Sensor configuration download failure" and "Signature set download failure" fault messages show up after completing an upgrade from 3.1 > 4.1 > 5.1.

466520: Unable to open the View/Edit Attack response page in the Threat Analyzer.

465002: The Manager does not display the creation date for newly created incidents; the date is displayed after a restart of the Manager.

465731: Incorrect data is displayed in the Incident Viewer after acknowledging an alert.

466339: In the Big Movers report, the values displayed under 'Previous Attack Count Value' and 'Recent Attack Count Value' are interchanged.

467085: Syslog forwarding does not work for sending attack counts on custom strings.

467357: After upgrading to 5.1.5.6, a Local Manager connected to the Central Manager is unable to display data from an LDAP Server that was explicitly defined in a Local Manager before the upgrade.

467358: Unable to generate User Defined Reports.

471191: In Japanese OS, the scheduled reports zip and html file names in the File Download window appear as garbled text. This fix ensures that the File Download window renders the file name in Japanese font properly, and that the zip file name is also correct along with the extension. For rendering the .html file name in Japanese font, there is no JDK support for this issue (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4244499). Currently, the winRAR tool can be used for opening this zip file, but it will not render the .html file name in Japanese font properly.

471624: The Threat Analyzer "Group By Interface" does not show the expected result when more than one Sensor reports an attack on the same port number.

471756: Database connectivity issue with the secondary Manager of MDR; as a result, several email alerts are generated.


3 Known outstanding issues


The following tables contain the known, outstanding issues for this release of Network Security Platform 5.1.

3.1 Known Sensor software issues

Medium severity Sensor issues (ID #, Issue, Workaround)

432648
Issue: [NAC] When multiple interfaces are active on a host simultaneously, and a single Sensor sees traffic from the same host, NAC can be done only on traffic from one of the interfaces.
Workaround: Ensure that your NAC configuration is enabled for only one interface on the Sensor.

432067
Issue: [McAfee NAC] The OS information for MAC hosts is displayed as Unknown instead of Unmanageable.
Workaround: None.

422502
Issue: Fragmented packets within tunneled traffic are dropped when both inner and outer headers are fragmented.
Workaround: Disable tunneling using "set parsetunneledtraffic disable".

426038
Issue: ACLs do not work when applied to tunneled traffic.
Workaround: None.

423144
Issue: Attack detection does not work for tunneled flows containing MPLS or double VLAN tagged packets.
Workaround: None.

394083
Issue: When TACACS+ is used with a 64 character encryption key, remote authentication fails.
Workaround: Use a key of 63 characters or less.

391706
Issue: Only in the case of copper SFPs set to 1Gbps w/auto-negotiation, ports can come up at 100Mbps or 10Mbps depending on the behavior of the peer device. All other configurations (fiber SFPs and 10Mbps or 100Mbps copper set to auto-negotiation) result in behavior that matches the documentation. If the peer device supports the configured speed the link comes up, otherwise it does not.
Workaround: Reconfigure using ISM to match peer port setting.

366047
Issue: Some stats displayed by the sensor CLI command show inlinepktdropstats are not cleared when the clrstats command is entered at the CLI.
Workaround: None.

3.2 Known Manager software issues

High severity Manager issues (ID #, Issue, Workaround)

474838
Issue: After upgrading from 4.1.11.4 to 5.1.7.5, the scheduled reports generation fails.
Workaround: After upgrade, edit and save all scheduled reports once without any change. This will provide the information required for the report format. Following this, you can generate the upgraded scheduled reports. Newly created reports will work without any issue.

454395
Issue: After upgrading from 4.1 to 5.1, the configurations for alert filters and rule sets created in the Central Manager [before upgrade] are not pushed to the Manager automatically.
Workaround: The rule sets and alert filters created before upgrade can be pushed to the Manager by forcibly doing Full Synchronization through Central Manager.

241789
Issue: (Client on Windows 2003 and IE 6.0) Any Export/Import functionality closes the Configuration Tool window.
Workaround: This functionality is currently unavailable when using the ISM client on a Windows 2003 system. Use Windows XP instead. If you wish to use Windows 2003, use IE 7.0 as your browser.

Medium severity Manager issues (ID, Summary, Workaround)

475945
Summary: On changing the NAZ policy on the Threat Analyzer for a VPN Host, the new NAZ policy name is not dynamically updated on the Threat Analyzer, but gets correctly updated on the Sensor.
Workaround: Restart the Threat Analyzer.

475864
Summary: On importing the sensor configuration into the Manager, the IPv4 Fragment Reassembly field is not correctly updated.
Workaround: Manually change the setting for IPv4 Fragment Reassembly after import.

432613
Summary: [IBAC] The backup AD for a domain in the user identity store is not used for role derivation lookup if the primary AD for the same domain is down.
Workaround: None.

432259
Summary: OS information for unmanageable hosts is not displayed in the Threat Analyzer Hosts page.
Workaround: None.

374833
Summary: When users with system security roles access the Manager using the Central Manager and attempt to add/modify configurations, a blank page is displayed.
Workaround: None.

344861
Summary: Received the anomSnmpGetNextTimedDosEndTime exception while accessing the Manage DoS Filters page.
Workaround: None.

341718
Summary: In Alert Manager preferences, when the Max row limit value is increased, it requires a restart for the changes to take effect.
Workaround: Restart the Alert Manager.

315951
Summary: The Resource Tree does not refresh after changing from span to inline mode.
Workaround: Perform a manual refresh after changing the mode.

307619
Summary: In Alert Manager, description for Entercept alerts is blank.
Workaround: None.

280073
Summary: The long running processes status page does not display status for online backup and reading from the database operations.
Workaround: None.

244712
Summary: Bulk editing a very large number of attacks causes 100% CPU utilization.
Workaround: None.

231216
Summary: In some instances, the faultlog table may not get updated (for example, a fault persists after acknowledgement).
Workaround: None.

231052
Summary: Archive files larger than 4GB become corrupted due to .ZIP file format limitations.
Workaround: Any time you create an archive, validate the archive on a separate machine before deleting alerts and packet logs that have been archived. An archive file larger than 4GB is very likely corrupted.

454399
Summary: "Synchronization Required" (Manager List -> Policy Synchronization tab) status is not becoming true when Alert filters / Rule Sets are created in the Central Manager after upgrade. Reason column also remains blank.
Workaround: None.

Low severity Manager issues (ID #, Issue, Workaround)

449608
Issue: NAZ Assigned by Admin is not updated in the NAC Dashboard.
Workaround: None.

431480
Issue: The Threat Analyzer displays the session time as "Not Available" for quarantined hosts after a sensor reboot.
Workaround: None.

233770
Issue: SNMP Traps are not including all details for UDS attacks.
Workaround: None.

4 Installation and upgrade notes


The following table provides the Network Security Platform components versions supported for upgrading to this release of 5.1 Sensor and Manager software:

Manager image: 5.1.1.5 or above; 4.1.11.5 or above
M-6050, M-8000 Sensor Image: 5.1.7.4; 4.1.11.10; 4.1.7.27
M-3050, M-4050 Sensor Image: 5.1.7.2; 5.1.3.12
M-2750 Sensor Image: 5.1.7.4
M-1250/M-1450 Sensor Image: 5.1.7.11

Upgrade from the 4.1 version of the Sensor software is not applicable for the following models: M-1250, M-1450, M-2750, M-3050, M-4050.

If you have 4.1 M-6050/M-8000 Sensors in your setup, and are planning to upgrade to 5.1, note that features such as VLAN bridging and parsing of GRE tunneled traffic are not supported on M-series Sensors in 5.1.


5 Technical assistance and problem reporting


Technical support may request certain information from you to assist you in troubleshooting. A description of this information is provided in the Troubleshooting Guide.

5.1.1 On-line

Contact McAfee Technical Support at http://mysupport.mcafee.com

Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

5.1.2 Via Phone

Technical Support is available 7:00am to 5:00pm PST Monday-Friday. 24x7 Technical Support is available for customers with PrimeSupport Priority or Enterprise service contracts.

Phone: 1-800-338-8754 (US Toll Free) or +1.972.963.8000 (Outside US)

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a username and password for the online case submission.

6 More Information
To view the complete Network Security Platform 5.1 Documentation:

1. Go to http://mysupport.mcafee.com/Eservice/
2. Click Read Product Documentation.
3. To view sensor related information, under Product categories, select:
   Network Security Sensor Hardware - select the sensor model number followed by version as 5.1
   Network Security Sensor Software - select the version as 5.1
4. Similarly, to view Manager related information, under Product categories, select: Network Security Manager Software

Refer to the table below if you are looking for more information on Network Security Platform 5.1:

Information regarding: Information on the immediate previous 5.1 releases:
   5.1.7.7 - 5.1.7.4/5.1.7.2 [M-6050,M-8000/M-3050,M-4050]
   5.1.5.9 - 5.1.7.4/5.1.7.2 [M-6050,M-8000/M-3050,M-4050]
   5.1.5.9 - 5.1.3.12 [M-3050,M-4050]
   5.1.5.7 - 5.1.3.5 [N-450]
   5.1.5.6 - 5.1.5.6 [I-series]
Where can I find?: Go to http://mysupport.mcafee.com/Eservice/ > Read Product Documentation > Network Security Sensor Software / Network Security Manager Software. Look for Release Notes marked with the released Sensor and Manager software versions in the title.

Information regarding: Features introduced in the previous 5.1 releases
Where can I find?: Refer to the Release Notes for the corresponding version.

Information regarding: Resolved/known issues in previous versions of 5.1
Where can I find?: Refer to the Release Notes for the corresponding version.

Information regarding: Sensor/Manager/Signature Set requirements
Where can I find?: Manager Installation Guide

Information regarding: Sensor requirements
Where can I find?: Refer to the corresponding Sensor Product Guide for the sensor model that you have purchased.

Information regarding: Compatibility with 3rd-Party tools
Where can I find?: Manager Installation Guide

Information regarding: Database requirements
Where can I find?: Manager Installation Guide

Information regarding: Manager system and client requirements
Where can I find?: Manager Installation Guide

Information regarding: Additional server requirements
Where can I find?: Manager Installation Guide

Information regarding: License requirements
Where can I find?: Manager Installation Guide

Information regarding: Upgrade instructions
Where can I find?: 4.1 to 5.1 Upgrade Guide

Information regarding: Sensor CLI commands
Where can I find?: Sensor CLI Guide

Information regarding: Supported protocols list
Where can I find?: Go to http://mysupport.mcafee.com/Eservice/ > Search the KnowledgeBase > KB61036.

Information regarding: Providing a diagnostics trace for a sensor
Where can I find?: Troubleshooting Guide
