Network Security Manager image for Windows Server 2003/MySQL: 5.1.7.7
Signature set: 5.1.16.22
Network Security Sensor M-6050/M-8000 image: 5.1.7.33
Network Security Sensor M-3050/M-4050 image: 5.1.7.31
Network Security Sensor M-2750 image: 5.1.7.43
This 5.1 maintenance release is for addressing Sensor software issues in M-series Sensor models: M-1250, M-1450, and M-2750.
The 5.1.7.7 Manager image includes a critical fix related to signature set push failure to I-series Sensors [version 5.1.1.16 and 5.1.5.6] with certain combinations of policies, UDSes, and alert filters.
This version of 5.1 Manager software can be used to configure and manage I-series, M-series, and N-series Sensors.
700-2013-00
Release Notes
Contents
1 What's new in this release
2 Issues resolved in this release
2.1 Resolved Sensor software issues
2.2 Resolved Manager software issues
3 Known outstanding issues
3.1 Known Sensor software issues
3.2 Known Manager software issues
4 Installation and upgrade notes
5 Technical assistance and problem reporting
6 More Information
The following table contains issues resolved in this release of Network Security Platform 5.1.
2.1
Issue
When the ACL Rule action is set to Permit for TCP-based protocols, network delay/packet drops are seen on connections matching the ACL Permit rule.
Sensor performance can drop during policy push from the Manager to the Sensor.
After a Sensor reboot, the ports are enabled before the Sensor is ready to process traffic.
Some enhancements made to the SSH protocol (first released in signature sets 4.1.46.13/5.1.16.12) exposed an error condition in the Sensor software that could cause performance/latency issues on the Sensors when parsing certain types of SSH traffic.
The Sensor occasionally reboots to recover from an internal error.
The alert process in the Sensor crashes after the Sensor has been up for a long period of time.
473739 466116
Issue
SYN Cookie, Host Quarantine and Guest Access redirection do not work.
Issue
IP Spoofing outbound drop counter does not work.
Issue
The signature set push fails to an I-series Sensor (with version 5.1.1.16 or 5.1.5.6) when the Sensor is configured with certain combinations of policies, UDSes, and alert filters.
The signature set push fails when trying to add M-6050 Sensors on a Manager upgraded from 4.1 to 5.1.
During an upgrade from 5.1.1.5 to 5.1.5.6, scheduled reports are lost.
Database purging fails for performance metrics data.
If the report generation is canceled while generating a PDF report in Japanese, an error occurs.
Issue
"Sensor configuration download failure" and "Signature set download failure" fault messages show up after completing an upgrade from 3.1 > 4.1 > 5.1.
Unable to open the View/Edit Attack response page in the Threat Analyzer.
The Manager does not display the creation date for newly created incidents; the date is displayed after a restart of the Manager.
Incorrect data is displayed in the Incident Viewer after acknowledging an alert.
In the Big Movers report, the values displayed under 'Previous Attack Count Value' and 'Recent Attack Count Value' are interchanged.
Syslog forwarding does not work for sending attack counts on custom strings.
After upgrading to 5.1.5.6, a Local Manager connected to the Central Manager is unable to display data from an LDAP Server that was explicitly defined in a Local Manager before the upgrade.
Unable to generate User Defined Reports.
On a Japanese OS, the zip and html file names of scheduled reports appear as garbled text in the File Download window. This fix ensures that the File Download window renders the file name in Japanese font properly, and that the zip file name, including its extension, is correct. There is no JDK support for rendering the .html file name in Japanese font (see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4244499). Currently, the winRAR tool can be used to open this zip file, but it will not render the .html file name in Japanese font properly.
471624 471756
The Threat Analyzer "Group By Interface" does not show the expected result when more than one Sensor reports an attack on the same port number.
A database connectivity issue occurs with the secondary Manager of MDR and, as a result, several email alerts are generated.
3.1
Issue: [NAC] When multiple interfaces are active on a host simultaneously, and a single Sensor sees traffic from the same host, NAC can be done only on traffic from one of the interfaces.
Workaround: Ensure that your NAC configuration is enabled for only one interface on the Sensor.

Issue: [McAfee NAC] The OS information for MAC hosts is displayed as Unknown instead of Unmanageable.
Workaround: None.

Issue: Fragmented packets within tunneled traffic are dropped when both inner and outer headers are fragmented.
Workaround: Disable tunneling using "set parsetunneledtraffic disable".

Issue: ACLs do not work when applied to tunneled traffic.
Workaround: None.

Issue: Attack detection does not work for tunneled flows containing MPLS or double VLAN tagged packets.
Workaround: None.

Issue: When TACACS+ is used with a 64 character encryption key, remote authentication fails.
Workaround: Use a key of 63 characters or less.
432067 422502
Issue: Only in the case of copper SFPs set to 1Gbps w/auto-negotiation, ports can come up at 100Mbps or 10Mbps depending on the behavior of the peer device. All other configurations (fiber SFPs and 10Mbps or 100Mbps copper set to auto-negotiation) result in behavior that matches the documentation. If the peer device supports the configured speed the link comes up, otherwise it does not.
Workaround: Reconfigure using ISM to match peer port setting.

Issue: Some stats displayed by the sensor CLI command show inlinepktdropstats are not cleared when the clrstats command is entered at the CLI.
Workaround: None.
366047
3.2
Issue
After upgrading from 4.1.11.4 to 5.1.7.5, the scheduled reports generation fails.
Workaround
After upgrade, edit and save all scheduled reports once without any change. This will provide the information required for the report format. Following this, you can generate the upgraded scheduled reports. Newly created reports will work
241789
Workaround
Restart the Threat Analyzer.
475864 432613
Manually change the setting for IPv4 Fragment Reassembly after import. None
432259 374833
None None
Issue: The Resource Tree does not refresh after changing from span to inline mode.
Workaround: Perform a manual refresh after changing the mode.

Issue: In Alert Manager, description for Entercept alerts is blank.
Workaround: None.

Issue: The long running processes status page does not display status for online backup and reading from the database operations.
Workaround: None.

Issue: Bulk editing a very large number of attacks causes 100% CPU utilization.
Workaround: None.

Issue: In some instances, the faultlog table may not get updated (for example, a fault persists after acknowledgement).
Workaround: None.

Issue: Archive files larger than 4GB become corrupted due to .ZIP file format limitations.
Workaround: Any time you create an archive, validate the archive on a separate machine before deleting alerts and packet logs that have been archived. An archive file larger than 4GB is very likely corrupted.
454399
"Synchronization Required" (Manager List -> Policy Synchronization tab) status is not becoming true when Alert filters / Rule Sets are created in the Central Manager after upgrade. Reason column also remains blank.
None
Issue: NAZ Assigned by Admin is not updated in the NAC Dashboard.
Workaround: None.

Issue: The Threat Analyzer displays the session time as "Not Available" for quarantined hosts after a sensor reboot.
Workaround: None.

Issue: SNMP Traps are not including all details for UDS attacks.
Workaround: None.
Manager image
5.1.1.5 or above 4.1.11.5 or above
Upgrade from the 4.1 version of the Sensor software is not applicable for the following models: M-1250, M-1450, M-2750, M-3050, M-4050.
If you have 4.1 M-6050/M-8000 Sensors in your setup, and are planning to upgrade to 5.1, note that features such as VLAN bridging and parsing of GRE tunneled traffic are not supported on M-series Sensors in 5.1.
5.1.1
On-line
Contact McAfee Technical Support at http://mysupport.mcafee.com. Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.
5.1.2
Via Phone
Technical Support is available 7:00am to 5:00pm PST Monday-Friday. 24x7 Technical Support is available for customers with PrimeSupport Priority or Enterprise service contracts.
Phone: 1-800-338-8754 (US Toll Free) or +1.972.963.8000 (Outside US)
Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a username and password for the online case submission.
6 More Information
To view the complete Network Security Platform 5.1 Documentation,
1. Go to http://mysupport.mcafee.com/Eservice/
2. Click Read Product Documentation.
3. To view sensor related information, under Product categories, select:
   Network Security Sensor Hardware - select the sensor model number followed by version as 5.1
   Network Security Sensor Software - select the version as 5.1
4. Similarly, to view Manager related information, under Product categories, select:
   Network Security Manager Software
Refer the table below if you are looking for more information on Network Security Platform 5.1:
Information regarding
Information on the immediate previous 5.1 releases:
5.1.7.7 - 5.1.7.4/5.1.7.2 [M-6050,M-8000/M-3050,M4050]
5.1.5.9 - 5.1.7.4/5.1.7.2 [M-6050,M-8000/M-3050,M4050]
5.1.5.9 - 5.1.3.12 [M-3050,M-4050]
5.1.5.7 - 5.1.3.5 [N-450]
5.1.5.6 - 5.1.5.6 [I-series]
Features introduced in the previous 5.1 releases
Resolved/known issues in previous versions of 5.1
Refer the Release Notes for the corresponding version. Refer the Release Notes for the corresponding version.
Sensor/Manager/Signature Set requirements
Sensor requirements: Refer the corresponding Sensor Product Guide for the sensor model that you have purchased.
Compatibility with 3rd-Party tools: Manager Installation Guide
Database requirements: Manager Installation Guide
Manager system and client requirements: Manager Installation Guide
Additional server requirements: Manager Installation Guide
License requirements: Manager Installation Guide
Upgrade instructions: 4.1 to 5.1 Upgrade Guide
Sensor CLI commands: Sensor CLI Guide
Supported protocols list: Go to http://mysupport.mcafee.com/Eservice/ > Search the KnowledgeBase > KB61036.
Providing a diagnostics trace for a sensor: Troubleshooting Guide