
8.1.7.5-8.1.5.14 NS-series Release Notes
Network Security Platform 8.1
Revision A

Contents
About this release
New features
Enhancements
Resolved issues
Installation instructions
Known issues
Product documentation

About this release


This document contains important information about the current release. We strongly recommend that
you read the entire document.
This maintenance release of Network Security Platform provides minor enhancements and a few
fixes to the Sensor and Manager software.

Network Security Manager software version: 8.1.7.5

Signature Set: 8.6.33.7

NS-series Sensor software version: 8.1.5.14


Network Security Platform version 8.1 replaces the 8.0 release. If you are using version 8.0 and require
any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance
releases or hot-fix releases on version 8.0.
With release 8.1, Network Security Platform no longer supports the Network Access Control module and
N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee
recommends that you continue to use version 7.1.3.6. If you are using the Network Access Control
module in M-series Sensors, continue to use version 7.5.3.30. That is, you should not upgrade the
Manager or the Sensors to 8.1 in such cases.
Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager
Appliances.

This version of 8.1 Manager software can be used to configure and manage the following hardware:

7.1, 7.5, 8.0, and 8.1 M-series and Mxx30-series Sensors

8.0 Virtual IPS Sensors

7.1, 8.0 and 8.1 NS-series Sensors

7.1, 7.5, 8.0, and 8.1 XC Cluster Appliances

7.1, 7.5, 8.0, and 8.1 NTBA Appliance software (Physical and Virtual)

7.1 I-series Sensors

Currently port 4167 is used as the UDP source port number for the SNMP command channel
communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound
connectivity from SNMP ports on the sensor. Older JRE versions allowed the Manager to bind to the
same source port 4167 for both IPv4 and IPv6 communication. But with the latest JRE version
1.7.0_45, it is no longer possible to do so, and the Manager uses port 4166 as the UDP source port to
bind for IPv6.
Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to
update your firewall rules accordingly such that port 4166 is open for the SNMP command channel to
function between those IPv6 Sensors and the Manager.

New features
This release of Network Security Platform includes the following new feature.

Inspection of GTP tunneled traffic


McAfee Network Security Platform provides comprehensive protection against various malware attacks
targeting mobile networks. The GTP (GPRS Tunneling Protocol) parsing provided in the Sensors scans
network traffic and, when attacks are detected, raises alerts in the Manager. Based on the attack
detected on the mobile network and on the policies configured for that particular type of attack, the
Sensor initiates the necessary actions. GTP is supported in either inline or TAP/SPAN mode for parsing
tunneled traffic.
Parsing of GTP tunneled traffic works on NS-series Sensors only.

You can enable or disable the GTP feature on the Sensor using the following CLI command:
set parsetunneledtraffic enable/disable
For more details, see IPS Administration Guide.

Enhancements
This release of Network Security Platform includes the following enhancements.

Direct syslog forwarding for IPS attack events


So far, syslog forwarding had been restricted to Sensors sending attack information to the Manager,
which contains more security context. The Manager then collated this attack information and
forwarded it to the configured syslog server.
This meant that attack information sent to the syslog server was a collection of attack details polled
from all Sensors belonging to that Manager. Release 8.1 enables you to configure syslog forwarding for
each Sensor. You can either configure these settings by domain and have all Sensors inherit settings,
or drill down into each Sensor and set up a specific syslog server for that Sensor.
To configure syslog forwarding for all Sensors in a network, go to Devices | <Admin Domain Name> | Global |
Default Device Settings | IPS Devices | IPS Event Logging.

To configure syslog forwarding for an individual Sensor, go to Devices | <Admin Domain Name> | Devices |
<Device Name> | Setup | IPS Event Logging.
In addition, you can configure each domain or Sensor to forward attack details for specific attacks
only. You can set up the filters to send attacks depending on:

Attack severity: you can specify the minimum attack severity for which attack details must be
sent.

Attack definition: you can instruct the Sensor to forward attack details only for selected attacks. If
you adopt this approach, make sure that you enable syslog forwarding in the attack definition.

You can also define a template for these notifications for each Sensor. The template enables you to
include details such as Sensor name, attack name, severity, source and destination IP addresses, etc.,
depending on your organization's requirements.
A new CLI command is supported to view the Sensor syslog-related details:
show syslog statistics: Displays the number of alerts detected by the Sensor or received from
Sensor analysis, the number of alerts sent by the Sensor to the syslog server, and the number of
alerts not sent by the Sensor to the syslog server (that is, suppressed alerts).
For more details, see IPS Administration Guide.

2048-bit certificates for encryption


The Manager and Sensor have so far established trust using 1024-bit certificates. With the growing
need for enhanced security, this connection is being upgraded to be encrypted using 2048-bit
certificates. Network Security Platform 8.1 supports heterogeneous environments, which
accommodate both 1024-bit and 2048-bit encryption. That is, the Manager is both 1024 and 2048-bit
capable, and can be used to manage Sensors running on 2048-bit capable and/or 1024-bit capable
software versions.
Trust establishment after upgrade is discussed below for each instance:
1024-bit encryption
When a Sensor with software that does not support 2048-bit encryption is loaded and the Manager is
upgraded to a version that supports 2048-bit encryption, the Sensor can establish trust with the
Manager using 1024-bit certificates.
2048-bit encryption
Both the 8.1 Manager and Sensor software support trust establishment using 2048-bit encryption
keys. During upgrade, once you have upgraded the Manager software to 8.1, the 7.x Sensors can
continue to connect to the Manager by establishing trust using 1024-bit encryption. After the Sensor
upgrade to 8.1 version is also complete, the Sensor will connect to the ports opened for 2048-bit
encryption. Once the certificates are updated, the Sensor and Manager establish communication using
2048-bit certificates.
The ports necessary for 2048-bit encryption are:
Port   Description
8506   Install channel (TCP)
8507   Alert channel (TCP)
8508   Packet log channel (TCP)

The upgrade from 1024-bit to 2048-bit encryption is done automatically with no user intervention
necessary. Once done, use the status command to view the encryption type, and the show command to
view the ports used for 2048-bit encryption.
For more information, see Upgrade Guide.

XFF enhancements
Earlier, the Sensor parsed only the X-Forwarded-For (XFF) HTTP header to obtain the original source
IP address, which it displayed in the Threat Analyzer. However, if your Sensor is deployed on the proxy
side of the network, the Sensor can only obtain the external IP address of the source or destination
server. The original IP address of the host is not available in the Threat Analyzer, and any action has to
be taken on the external IP address. To overcome this, Network Security Platform 8.1 supports the
extraction of the True-Client-IP HTTP header (set by Akamai, for example) to obtain the original source
IP.
The original source IP can be used for the following features:

ACL search: when executing ACL Reject, Deny, Scan, or Ignore, the Sensor uses the original source
IP.

IPS quarantine: any quarantine resulting from an attack quarantines the original source IP,
and not the IP from the IP header.

For more details, see IPS Administration Guide.
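As an added illustration of the header handling this section describes (example code written for these notes, not the Sensor's own logic), the function below prefers True-Client-IP, falls back to X-Forwarded-For, and honours either header only when the packet's source is a proxy the operator has declared trusted. That last check is the point a practitioner cares about: both headers are plain text supplied by whoever sent the request, so if the Sensor acts on them for ACL or quarantine decisions without knowing a trusted proxy set them, the request's author chooses which address gets denied or quarantined. The trusted-proxy list, the right-to-left walk of the XFF chain and the sample addresses are assumptions of the example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Header names from the release notes; True-Client-IP is the header Akamai sets.
TRUE_CLIENT_IP = "true-client-ip"
X_FORWARDED_FOR = "x-forwarded-for"


def parse_ip(value: str) -> Optional[IPAddress]:
    """Return an address object, or None for entries that are not IP literals
    (proxies sometimes insert tokens such as 'unknown' into X-Forwarded-For)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def original_source_ip(headers: Mapping[str, str], packet_src: str,
                       trusted_proxies: Iterable[str]) -> str:
    """Return the address that ACL and quarantine actions should apply to.

    headers         -- HTTP request headers (any letter case)
    packet_src      -- source address from the IP header of the request
    trusted_proxies -- proxies the operator controls (an assumption of this example)
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    src = ipaddress.ip_address(packet_src)

    # Only a proxy we control can vouch for these headers. From any other peer the
    # values are whatever the sender chose, so fall back to the IP header address.
    if src not in trusted:
        return str(src)

    norm = {name.lower(): value for name, value in headers.items()}

    # True-Client-IP carries a single address and takes precedence when present.
    client = parse_ip(norm.get(TRUE_CLIENT_IP, ""))
    if client is not None:
        return str(client)

    # X-Forwarded-For grows left to right as each proxy appends the peer it saw.
    # Walk it right to left, discarding our own proxies; the first remaining
    # valid address is the original client.
    hops = [parse_ip(h) for h in norm.get(X_FORWARDED_FOR, "").split(",")]
    for hop in reversed(hops):
        if hop is not None and hop not in trusted:
            return str(hop)
    return str(src)


if __name__ == "__main__":
    # Constructed sample: the request arrives from trusted proxy 198.51.100.1 after
    # passing through a second trusted proxy; the original client is 203.0.113.7.
    print(original_source_ip({"X-Forwarded-For": "203.0.113.7, 198.51.100.2"},
                             "198.51.100.1", ["198.51.100.1", "198.51.100.2"]))
```

The right-to-left walk is deliberate: the leftmost XFF entry is the easiest for a client to forge by sending its own X-Forwarded-For header, whereas the rightmost entries were appended by proxies you control, so stripping known proxies from the right end yields the first address an untrusted party actually connected from.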

Logon Collector integration enhancements


The number of admin domain user groups that can be managed by the Sensor has been increased from
2,000 to 10,000. The number of user names that can be managed by the Sensor remains the same.
For more details, see IPS Administration Guide, Integration Guide.

Manager UI redesign to migrate away from Java [migration to extJS]


Network Security Manager is in the process of moving away from client side Java to use extJS, for
overall performance improvement and better user experience. In release 8.1, the following existing UI
pages have been enhanced to use the extJS framework:

Devices | <Admin Domain> | Devices | <Device_Name> | Device List | Device_Name mode | Physical Ports

For more details, see XC Cluster Administration Guide.

Utility tool to decrypt malware files enhancement


McAfee Network Security Platform allows downloading of malware files. These archived malware files
are encrypted and stored on the Manager server. A utility tool is now available that decrypts these
encrypted archived malware files. The utility tool is available in <app/diag/Malware Util>. The
decrypted malware files can be viewed in tftpin/malware/temp/.
For more details, see Manager Administration Guide.

Java 8 support for Manager client


Java version 8 is now supported for the Manager client. This version of Java is supported but not
bundled with the Manager. Hence any update for this version has to be downloaded externally and then
applied to the Manager.
For more details, see Manager Administration Guide and Installation Guide.

Manager reboot during upgrade


Previously, the system rebooted for every update during Manager upgrade irrespective of the
criticality. With this release, the system reboot is required only for critical updates. A pop-up appears
for every reboot, which provides the user an option to cancel the reboot if required.
For more details, see Upgrade Guide.

IPS CLI enhancements


This release of 8.1 supports the following new CLI command in the normal and debug modes:

show syslog statistics: Displays the number of alerts detected by the Sensor or received from
Sensor analysis, the number of alerts sent by the Sensor to the syslog server, and the number of
alerts not sent by the Sensor to the syslog server (that is, suppressed alerts).

In 8.1, the following additional information is displayed after executing the show mem-usage
command in debug mode:

Attack IDs received from the Signature Set

Maximum size of PRPT configuration block

Maximum number of attacks

Size of the Signature file

Used PRPT configuration block size

The following additional information is displayed after executing the show malwareserverstats
command in debug mode:

Manager Protocol Statistics

Status of Primary Manager communication

Status of Manager Disaster Recovery (MDR) Manager Communication

With this release, the ARP spoofing CLI command will be disabled by default. The command will be
automatically disabled when you reset configuration settings or restore factory defaults or add a new
Sensor to the Manager.
For more details, see CLI Guide.

Resolved issues
These issues are resolved in this release of the product. For a list of issues fixed in earlier releases,
see the Release Notes for the specific release.

Resolved Manager software issues


The following table lists the medium-severity Manager software issues:
ID #     Issue Description
964765 The Manager using Apache Struts is vulnerable to CVE-2014-0094.
964715 The Botnet DAT update fails on multiple Sensors.
962218 The effective time for Firewall and QoS policies is based on the local time zone of the
corresponding Sensor.
960959 The SNMP server setting configuration is not displayed after saving due to incorrect
redirection.


960656 SNMP alert notification fails sometimes due to incorrect calculation of the Manager uptime.
959996 The Manager sends the wrong port speed value to the Sensor while configuring a monitoring
port with SFP+.
959807 Alert filter in the Real-Time Threat Analyzer shows alerts from unknown country, irrespective
of the source and destination countries selected.
959410 The Manager raises an "INFO" alert for malicious files before the files are sent to ATD for
analysis, and "HIGH" alert after the files are confirmed to be malicious by ATD. Both alerts
are generated with an "Acknowledged" flag. The "Acknowledged" flag remains the same
irrespective of the severity of the alert which makes it difficult to differentiate the alerts
generated.
959221 The Real-Time Threat Analyzer shows an error for multicast host IPv4 addresses while
creating a new exception object.
957285 The Protection Profile page stops responding when opened in Chrome browser and
eventually leads to Java crashing.
956340 The Manager fault for exceeding the 10,000 AD user groups limit is displayed incorrectly in
the Manager.
954516 The scheduled configuration backup cannot be restored completely due to inclusion of all the
tables during backup.
953875 The password control settings display the wrong error message "minimum number of
Characters should be between 1 and 20".
952088 The Real-Time Threat Analyzer triggers attack by the host even after creating an exception
object.
951549 The Manager's connection with XC-240 load balancer is not recovered if the link is down for
more than 9 minutes.
950005 When "Layer 7" data is selected to be included in the Next Generation report for alert data,
the report is generated for dates not included in the report schedule.
949576 Incorrect pop-up message is displayed when the SSL flow count entered is more than the
maximum allowed limit.
949202 Scripts for alert notification do not execute if the attack-severity variable
($ATTACK_SEVERITY$) is used.
947428 The Fault Log report generates events for template Sensors of XC Cluster but no other
Cluster members.
946781 The Chrome browser crashes when the Manager is opened in Windows 8.0 mode.
The following table lists the low-severity Manager software issues:
ID #     Issue Description
962714 Malware archive fault message is misleading.

Resolved Sensor software issues


The following table lists the high-severity Sensor software issues:
ID #     Issue Description
895578 When the TCP flow violation setting is configured to Stateless Inspection, the connection
tables on the Sensor are corrupted in some rare scenarios, due to which attack detection
stops.
967324 In a fail-open scenario, when you attempt to restore inline traffic on a secondary Sensor
after unplugging and re-connecting the Ethernet cable, the restore fails.


973267 When Sensor-Manager connectivity is lost for an extended duration because the Manager is
down or because of network issues, attack packet logs are not saved to file but continue to
remain in memory. Alerts continue to be saved to file as usual.
972849 PDF-JS engine does not detect malware after a hitless reboot.
972327 On rare occasions, GTI IP Reputation process may restart after a hitless reboot.
971404 When IPv6 Snort rule is configured on the Manager followed by a configuration push, this
may cause an exception on the Sensor.
971043 Invalid packet seen when IP reassembly forward is triggered with jumbo fragmented traffic.
The following table lists the medium-severity Sensor software issues:
ID #     Issue Description

969760 The GTI queries fail since DNS resolution could not be configured.
967228 Sensor upgrade fails when upgraded after a trace upload.
965633 In rare scenarios, malware detection misses can happen while processing SMTP traffic.
965539 The Sensor failover pair generates GTI error messages and causes traffic outage.
964740 The power supply status changes constantly while being monitored with the SNMP server.
963593 When PDF Emulation Engine is enabled in the malware policy, it may cause an
out-of-memory condition while processing certain PDF files, resulting in a Sensor reboot.
961617 [Failover] In rare scenarios, the Sensor reboots during trace upload.
961429 In a rare scenario, the Sensor reboots with an exception when Snort signatures are present.
957346 Customizing flow packet logging on Manager causes excessive packet logging from the
Sensor to Manager. This leads to database tuning failure, alert archival failure etc.
957155 In rare scenarios, the recon alerts show few reversed IP addresses.
955633 In a rare case scenario, the Manager is unable to create a Sensor failover pair.
954930 On upgrade of the Sensor software, the customized management MTU value is reset to its
default value.
954005 [M-1250, M-1450] The "Total IP no Credit Packets dropped" values are not cleared on port
4B by the "clrstat" command.
953253 The Sensor sends threshold alerts with incorrect information for observed values in the
alerts.
949270 The Sensor fails to update the signature set after upgrade due to IPv6 SNORT rule.
946864 In rare conditions, the Sensor generates "host ack sweep" attack even though the ACL is
configured to drop the traffic from the specific source host.
941194 During signature set update, the HTTP: Attempt to read password file attack may go
undetected for a very short time.
940899 When certain firewalls, which validate the DNS transaction field, are added between the
Sensor and the DNS server, DNS queries for GTI are dropped.
940652 The Layer7 data collection update alert count is clubbed with the Sensor alert sent count,
due to which there is an inconsistency in the alert sent count between the Sensor and the
Manager database.
939311 The NTBA exporter is configured and cannot be reached due to which the Sensor gets into a
deadlock in some rare cases. During the deadlock the Sensor stops processing packets
thereby causing an outage.
934250 In a rare scenario, the Sensor raises false temperature alerts.
927369 In certain cases, the source IP is not displayed in the Real-Time Threat Analyzer for ARP
attacks with a single attack count.


927314 The failover Sensors experience stalled sibyte issue due to a memory leak.
926990 ARP attack doesn't display the VLAN sub-interface name in Threat Analyzer.
925881 The source IP address octets are reversed for ARP spoofing alerts. Also, the source IP
address is replaced with all 0's in the Evidence Report.
924389 Under certain conditions and on certain attacks, when aid log is enabled, the Sensor goes to
layer 2 mode.
923806 The Device DNS server connectivity status fault message, which should be raised only
when the configured DNS server is unreachable, is raised even when the user disables DNS.
923295 The Sensor incorrectly raises the "HTTP: Web Application Server Attack Detected" alert
occasionally, when a user edits or submits information in the internal web application.
918002 The hosts quarantined due to the "BOT CC" attack remain quarantined forever.
916569 Retransmitted SYN-ACK can cause attack to go undetected in SPAN.
914479 The Sensor reports an error "Sensor reassembly buffer memory exhausted" during a
denial-of-service attack.
913909 The Sensor raises component attacks but does not raise the correlated alerts.
909032 When alert throttling is enabled, multiple geo-locations are mapped to the same IP address
in the syslog messages.
908386 On rare occasions, the Application Visualization feature can cause database connectivity
fault with the "sumBandwidth" error.
905630 The password change in the Sensor is prompted after 45 days even if the age for the
password is set at 99 days.
901263 The quarantined host entries are not released from the Threat Analyzer, for component
alerts that have suppression failure set to True.
897178 In rare conditions of MDR setup, upon reporting an ACTIVE-ACTIVE fault, the Sensor
re-sends the status requests to the Managers and attempts to correct the MDR status of the
Managers.
881169 In a rare scenario, when AppID and SNORT signatures are configured with regular
expression and while processing a specific traffic, the Sensor incorrectly triggers the "SMTP:
Missing Important Command" (0x40405a00) alert.
880770 The message "Sensor is unreachable" is displayed in the primary Manager for all the
Sensors, when the Manager was replaced for an MDR pair.
The following table lists the low-severity Sensor software issues:
ID #     Issue Description

928931 The Threat Analyzer shows the "BOT: Zero Access Traffic Detected" direction incorrectly. This
requires fixes in Manager and signature set as well (use Manager version 8.1.3.3 or above,
and signature set version 8.6.28.4 or above).

Installation instructions
Manager server/client system requirements
The following table lists the 8.1 Manager server requirements:

Operating system
    Minimum required: any of the following (only x64 architecture is supported):
        Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), English operating system
        Windows Server 2008 R2 Standard or Enterprise Edition, SP1 (Full Installation), Japanese operating system
        Windows Server 2012 Standard Edition (Server with a GUI), English operating system
        Windows Server 2012 Standard Edition (Server with a GUI), Japanese operating system
        Windows Server 2012 R2 Standard Edition (Server with a GUI), English operating system
        Windows Server 2012 R2 Standard Edition (Server with a GUI), Japanese operating system
        Windows Server 2012 R2 Datacenter Edition (Server with a GUI), English operating system
        Windows Server 2012 R2 Datacenter (Server with a GUI), Japanese operating system
    Recommended: same as the minimum required.

Component     Minimum required                              Recommended
Memory        8 GB                                          8 GB or more
CPU           Server model processor such as Intel Xeon     Same
Disk space    100 GB                                        300 GB or more
Network       100 Mbps card                                 1000 Mbps card
Monitor       32-bit color, 1440 x 900 display setting      1440 x 900 (or above)

The following are the system requirements for hosting a Central Manager/Manager server on a VMware
platform.

Table 5-1 Virtual machine requirements

Operating system
    Minimum: any of the following (only x64 architecture is supported):
        Windows Server 2008 R2 Standard or Enterprise Edition with SP1, English operating system
        Windows Server 2008 R2 Standard or Enterprise Edition with SP1, Japanese operating system
        Windows Server 2012 Standard Edition (Server with a GUI), English operating system
        Windows Server 2012 Standard Edition (Server with a GUI), Japanese operating system
        Windows Server 2012 R2 Standard Edition (Server with a GUI), English operating system
        Windows Server 2012 R2 Standard Edition (Server with a GUI), Japanese operating system
        Windows Server 2012 R2 Datacenter Edition (Server with a GUI), English operating system
        Windows Server 2012 R2 Datacenter (Server with a GUI), Japanese operating system
    Recommended: same as the minimum required.

Component      Minimum       Recommended
Memory         8 GB          8 GB or more
Virtual CPUs   2 or more
Disk Space     100 GB        300 GB or more

Table 5-2 VMware ESX server requirements

Component                Minimum
Virtualization software  ESXi 5.0, ESXi 5.1, or ESXi 5.5
CPU                      Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory                   Physical Memory: 16 GB
Internal Disks           1 TB

The following table lists the 8.1 Manager client requirements when using Windows 7 or Windows 8:

Operating system
    Minimum: Windows 7 English or Japanese; Windows 8 English or Japanese; Windows 8.1 English or Japanese.
    The display language of the Manager client must be the same as that of the Manager server
    operating system.

Component   Minimum                                                  Recommended
RAM         2 GB                                                     4 GB
CPU         1.5 GHz processor                                        1.5 GHz or faster
Browser     Internet Explorer 9, 10 or 11                            Internet Explorer 11
            Mozilla Firefox                                          Mozilla Firefox 20.0 or above
            Google Chrome (App mode in Windows 8 is not supported)   Google Chrome 24.0 or above
            If you are using Google Chrome, add the Manager certificate to the trusted certificate list.

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating
systems mentioned for the Manager server.
The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

Mac operating system   Browser
Lion                   Safari 6 or 7
Mountain Lion
For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations
McAfee regularly releases updated versions of the signature set. Note that automatic signature set
upgrade does not happen. You need to manually import the latest signature set and apply it to your
Sensors.
The following is the upgrade matrix supported for this release:

Component                          Minimum Software Version
Manager/Central Manager software   7.1: 7.1.3.5, 7.1.5.7, 7.1.5.10, 7.1.5.14
                                   7.5: 7.5.3.11, 7.5.5.6, 7.5.5.7
                                   8.0: 8.0.5.9, 8.0.5.11
                                   8.1: 8.1.3.4, 8.1.3.6
NS-series Sensor software          NS9100, NS9200
                                   7.1: 7.1.5.11, 7.1.5.23, 7.1.5.40, 7.1.5.72, 7.1.5.91
                                   8.0: 8.0.5.8
                                   NS9300
                                   7.1: 7.1.5.33, 7.1.5.40, 7.1.5.72, 7.1.5.91
                                   8.0: 8.0.5.8


Known issues
For a list of known issues in this product release, see this McAfee KnowledgeBase article:

Manager software issues: KB81373

NS-series Sensor software issues: KB82173

Product documentation
Every McAfee product has a comprehensive set of documentation.

Find product documentation


1 Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.

Copyright 2014 McAfee, Inc. Do not copy without permission.


McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
0A-00
