Next Generation Firewall 5.8.1 Release Notes
Revision A
McAfee Next Generation Firewall 5.8.1
Contents
About this release
New features
Enhancements
Changes
Known limitations
Resolved issues
System requirements
Installation instructions
Upgrade instructions
Build version
Compatibility
Known issues
Find product documentation
About this release
This document contains important information about the current release. We strongly recommend that
you read the entire document.
The Security Engine product name has changed in this release. The Security Engine is now known as
the “McAfee Next Generation Firewall” or “NGFW”. NGFW engines are still represented by Security
Engine elements in the Management Client.
New features
This release of the product includes these new features that have been added since NGFW 5.7.
New features introduced in NGFW 5.8
New SSL VPN
The 5.8 version provides a new SSL VPN feature that is built into the Next Generation Firewall
(NGFW). The same Firewall can host multiple SSL VPN Portals, each with its own SSL VPN Portal Policy.
Outlook Web Access (OWA) and intranet browsing are the expected key use cases for the portal. The SSL
VPN Portal Services can be based either on URL rewrites or DNS mapping capabilities.
The new SSL VPN will eventually replace the separate Stonesoft legacy SSL VPN appliance.
File Filtering Policy (including McAfee ATD and McAfee GTI integration)
A new policy type has been introduced for File Filtering. Currently this policy type is selected on the
Inspection tab of the main policy that you upload on the NGFW engine. The matching criteria for the
File Type Policy rule include the source and destination of the file stream and the File Type. The NGFW
can be configured to allow or discard the traffic that matches the File Type Policy rule directly or allow it
only after additional checks have been performed. These checks include the File Reputation (McAfee
GTI) check, the McAfee Anti-Virus check, and the McAfee Advanced Threat Defense (ATD) check.
Enhancements
This release of the product includes these enhancements added since NGFW 5.7.
Enhancements introduced in NGFW 5.8.1
SIP protocol handling improved
SIP protocol handling has been improved.
Botnet detection improved
Botnet detection coverage has been expanded.
SNMP support for Virtual Engines
The SNMP agent on the Master Engine now also shows Virtual Engine interfaces.
HTTPS based Application Identification improved
HTTPS based Application Identification has been improved.
glibc library upgrade for CVE-2015-0235
This release updates the NGFW engine to use a glibc library that is not vulnerable to the GHOST
vulnerability (CVE-2015-0235).
Note: The only hostnames that the NGFW engine looks up are those supplied by the administrator as
part of the configuration, so no one other than the NGFW administrator has an attack vector.
Enhancements introduced in NGFW 5.8
TCP inspection
The internal TCP inspection engine has been improved for performance and functionality. The
functionality enhancements include:
• Anti-virus support in a Virtual Context
• Anti-virus and anti-spam support on Inline Interfaces and Capture Interfaces on IPS and Layer 2
  Firewalls
• URL filtering support on Capture Interfaces
• Enhanced NAT support with Anti-virus and Anti-spam
• User Response support in Layer 2 Firewall role
• TLS inspection for server protection on Capture Interfaces in IPS and Layer 2 Firewall roles
McAfee Logon Collector (MLC) will replace the Stonesoft User Agent
McAfee Logon Collector (MLC) is a software component that is very similar to the Stonesoft User Agent.
Eventually, support for the legacy Stonesoft User Agent will end and MLC will replace it. In NGFW 5.8,
you can use either MLC or the Stonesoft User Agent to provide user information for Access rules, logs,
and reporting.
MLC introduces some benefits and new features that do not exist in the Stonesoft User Agent. It
supports High Availability, multiple Domains, and multiple AD forests. It can also monitor MS Exchange
Servers (in addition to Domain Controllers) for login information, which means that it provides better
coverage for user identification.
Interface link aggregation
Interface link aggregation has been enhanced to support up to 8 interfaces in load balancing mode.
Feature stability has been enhanced and Link Status test for aggregated interfaces is improved.
Changes
Strict TCP Mode for Deep Inspection
The Strict TCP Mode for Deep Inspection option in engine properties is now only for backward
compatibility. The new engine switches automatically between active stream processing and
transparent packet forwarding, depending on the configured features and received packets.
Anti-virus option moved under File Filtering Policy
The Anti-virus option, which was previously part of the Access rule Allow Action Options, has been
moved to the new File Filtering Policy.
TCP Situations available for logging only
TCP Situation elements that previously contained options for controlling TCP inspection can now be
used only for logging. The TCP Situations now have no configurable options.
Anti-virus logging
The Anti-Virus_Virus-Found Situation has been replaced by the File_Malware-Blocked Situation.
Packet validity checking
McAfee NGFW in all roles checks the validity of packets to protect the engine from processing invalid
packets, which can be harmful to the McAfee NGFW. Depending on the action in the Inspection Policy,
McAfee NGFW in the IPS and Layer 2 Firewall roles can either terminate invalid packets or bypass the
traffic without processing the invalid packets. For self-protection reasons, McAfee NGFW in the
Firewall/VPN role always terminates invalid packets without establishing a connection.
Invalid Packet Situation logging
Configuring logging options for the “Invalid Packet” Situation Type in the Inspection Policy now enables
logging for all McAfee NGFW roles. Logging for the Firewall/VPN role could previously only be enabled
by selecting the Packet Filter diagnostic mode in the Firewall/VPN diagnostics for the engine. More
detailed information is now available in the Firewall logs when invalid packets are detected and
terminated.
Note! Invalid Packet Situations are always log rate limited.
Known limitations
Inspection in asymmetrically routed networks
In asymmetrically routed networks, using the stream modifying features (TLS Inspection, URL filtering,
and file filtering) may make connections stall. Even if these features are not configured, the engine may
report false positive out-of-window situations and drop those packets after a while.
SSL/TLS inspection in capture (IDS) mode
Due to SSL/TLS protocol security features, SSL/TLS decryption in capture (IDS) mode can only be
applied in a server protection scenario when RSA key exchange negotiation is used between the client
and the server.
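The limitation above follows from the key exchange: a passive sensor that holds the server's private key can recover the session secret only when the client encrypted the premaster secret to that key (RSA key exchange); with DHE, ECDHE and TLS 1.3 suites the secret is never sent on the wire. The following Python script, added here as an example and not part of these release notes or the product, parses a TLS ServerHello record and reports whether the negotiated suite can be decrypted passively; the cipher-suite table is a subset of the IANA registry and the ServerHello bytes are constructed for the demonstration.

```python
import struct

# Cipher suite code -> (name, key exchange). A subset of the IANA registry,
# enough for the common cases; anything else is reported as unknown.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}

HANDSHAKE = 22      # TLS record content type
SERVER_HELLO = 2    # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a ServerHello.

    Returns the negotiated protocol version and cipher suite. Raises
    ValueError for anything that is not a complete, well-formed ServerHello,
    so a caller never classifies garbage as "decryptable".
    """
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("handshake record truncated")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("ServerHello body truncated")
    # ServerHello layout: version(2) random(32) session_id<0..32>
    #                     cipher_suite(2) compression(1) [extensions]
    if len(hs) < 35:
        raise ValueError("ServerHello too short")
    version = struct.unpack("!H", hs[:2])[0]
    sid_len = hs[34]
    if sid_len > 32:
        raise ValueError("session id length out of range")
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("ServerHello ends before cipher suite")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {"version": version, "cipher_suite": suite}


def passive_decryptable(record: bytes) -> tuple:
    """Classify a ServerHello: (decryptable_by_passive_sensor, suite_name, reason)."""
    info = parse_server_hello(record)
    code = info["cipher_suite"]
    name, kx = CIPHER_SUITES.get(code, ("unknown_suite_0x%04x" % code, "unknown"))
    if kx == "RSA":
        return (True, name, "RSA key exchange: the premaster secret is encrypted to the "
                            "server's RSA key, so a sensor holding that key can recover it")
    if kx in ("DHE", "ECDHE", "TLS1.3"):
        return (False, name, "ephemeral key exchange: the session key derives from values "
                             "never sent on the wire, so a passive sensor cannot decrypt")
    return (False, name, "cipher suite not in table, cannot classify")


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Constructed ServerHello record for the demonstration; not a real capture."""
    random_bytes = bytes(range(32))  # fixed filler, not a real server random
    hs_body = (struct.pack("!H", version) + random_bytes
               + bytes([len(session_id)]) + session_id
               + struct.pack("!H", suite) + b"\x00")
    hs = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


if __name__ == "__main__":
    for label, rec in [
        ("RSA suite", build_server_hello(0x0303, 0x009C, b"\x01" * 8)),
        ("ECDHE suite", build_server_hello(0x0303, 0xC02F)),
    ]:
        ok, name, why = passive_decryptable(rec)
        print(f"{label}: {name}: {'decryptable' if ok else 'NOT decryptable'} ({why})")
```

Run against the ServerHello of a real capture, the same function tells you whether a server-protection decryption policy in capture mode can work for that server at all.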
Inline Interface disconnect mode in the IPS role
The “disconnect mode” for Inline Interfaces is not supported on IPS Virtual Appliances, IPS software
installations, IPS appliance models other than IPS-6xxx, or modular appliance models that have bypass
interface modules.
Resolved issues
These issues have been resolved since version NGFW 5.8.0. For a list of issues that have been fixed in
earlier releases, see the Release Notes for the specific release.
IPv6 ICMP Packet Too Big messages not allowed by default (#87542)
Role: FW
Description: ICMPv6 Packet Too Big messages generated for VPN path MTU discovery originate from
cluster CVI addresses instead of NDI addresses. By default, these messages are not allowed from
cluster CVI addresses.
Workaround: Add a rule to allow ICMPv6 Packet Too Big messages from the cluster CVI addresses.

Inspection process might restart (#90139)
Role: FW, L2FW, IPS
Description: The inspection process might restart when some types of HTTP traffic are inspected.

Policy installation might pause traffic flow through engine (#98892)
Role: FW, L2FW, IPS
Description: The handling of policy installations on engines is not optimal. This leads to
unnecessarily long pauses in traffic flow during the installation process.

HTTP redirection in Access rules does not work if Access rules earlier have used URL category match
(#101363)
Role: FW, L2FW, IPS
Description: HTTP redirection in Access rules does not work if Access rules earlier have used URL
category match.
Workaround: Use URL category matches in the Inspection Policy instead of Access rules.

Link Status test fails after configuring new interface for new Virtual Resource (#101522)
Role: FW, L2FW, IPS
Description: After adding an interface to a new Virtual Resource and installing the policy, the Link
Status test fails and one of the nodes in the Master Engine Cluster goes offline. If the Virtual
Resource is not associated with a Virtual Security Engine, the interface is not up. However, the Link
Status test is active if the Link Status test is set to run on all interfaces.
Workaround: Install the policy only after adding the new Virtual Resource and Virtual Security Engine
to the configuration.

Application reporting might not be detailed enough (#105725)
Role: FW, L2FW, IPS
Description: Detected applications might not be reported in enough detail. For example, an
application like Facebook could be shown as HTTP.

User Responses configured in Access rules might not work (#108158)
Role: FW, L2FW, IPS
Description: User Responses do not work in all configurations if they are configured using the
Discard action in Access rules. The issue affects configurations where the Access rules also contain
rules for application detection or URL filtering.

Using anti-virus and TLS inspection might cause inspection process to restart (#108533)
Role: FW
Description: Using anti-virus and TLS inspection at the same time might cause the inspection process
to restart.

ICMP application not identified (#109041)
Role: FW, L2FW, IPS
Description: The ICMP application is not identified correctly.

Application detection cannot be used together with SIP protocol agent (#109058)
Role: FW, L2FW, IPS
Description: If application detection is enabled for traffic that also uses the SIP protocol agent,
related connections may not be recognized correctly by the protocol agent.

DHCP packets might not be correctly balanced in a cluster (#109421)
Role: FW
Description: DHCP packets might not be correctly balanced in a load-balanced cluster immediately
after a cluster node has been rebooted.
Workaround: Refresh the policy on the cluster after rebooting a node.

UDP Service protocol identification may cause sg-inspection process to restart (#109477)
Role: FW, L2FW, IPS
Description: A configuration that uses a custom UDP Service might cause the sg-inspection process to
restart. This happens in cases where Protocol Identification is selected as the Protocol for some UDP
ports in the properties of the custom UDP Service.

Issues with asymmetric routing configurations (#109920)
Role: FW, L2FW, IPS
Description: Asymmetric routing configurations with deep inspection enabled might no longer work
correctly after upgrading to McAfee NGFW version 5.8.0, due to the updated traffic stream handling
logic. This applies to inspected traffic that potentially needs to be modified, for example, if file
filtering or user responses are configured. Inspection configurations that do not attempt to modify
traffic work normally.

Static route configuration might fail with large number of Tunnel Interfaces (#110024)
Role: FW
Description: When the Firewall engine configuration contains a large number of Tunnel Interfaces,
some static routes through these interfaces might not be configured when the policy is uploaded.

Policy installation may fail on engines that have interfaces with dynamic IP addresses (#110165)
Role: FW
Description: Policy installation may fail on Single Firewall engines that have interfaces with dynamic
IP addresses.

SSL VPN tunnels only work with RSA-based gateway certificates (#110543)
Role: FW
Description: SSL VPN tunnels for VPN Clients only work with RSA-based gateway certificates.

Hardware monitoring might stop working (#110990)
Role: FW, L2FW, IPS
Description: In rare cases, hardware monitoring might stop working. This causes operations that
depend on hardware monitoring, such as sgInfo collection, to stop.

Communication between User Agent and NGFW might not work (#111018)
Role: FW, L2FW, IPS
Description: The User Agent might stop forwarding user information to the engine if the connectivity
between the User Agent and the engine is not working reliably.

Virtual IP address (DHCP) restrictions with VPN Clients (#111146)
Role: FW
Description: If you only use the VPN Client with IPsec tunnels, DHCP works the same way as in
previous releases. If you only use the VPN Client with SSL VPN tunnels, DHCP requests are sent as
relay messages, even when the DHCP server is in a directly connected network. McAfee NGFW cannot act
as a DHCP relay or as a server when the VPN Client is used with SSL VPN tunnels. If you use both IPsec
and SSL VPN tunnels with the VPN Client, the DHCP server must be located in a directly connected
network, and direct DHCP mode must be used.
Workaround: Use a directly connected DHCP server and the direct DHCP mode when using the VPN Client
with SSL VPN tunnels.

Engine might stop sending ICMP messages (#111747)
Role: FW
Description: The engine might stop sending ICMP messages after an arbitrary length of time.
Workaround: Reboot the engine.

Traffic that matches Ethernet rules using MAC addresses is not inspected (#111836)
Role: L2FW, IPS
Description: If traffic matches an Ethernet rule that specifies MAC addresses, the traffic might not
be sent for deep inspection, even if deep inspection is enabled in the policy.
Workaround: Edit the Ethernet rule so that MAC addresses are not used for matching.

Inspected connections might fail when dynamic source NAT is applied (#111873)
Role: FW
Description: Inspected connections might fail when dynamic source NAT is applied.

Engine might drop SYN packets (#111876)
Role: FW, L2FW, IPS
Description: The engine might prevent a new connection from being established if the connection uses
the same IP address and port pairs as a previous connection.

User information missing from SSL VPN Portal logs (#111981)
Role: FW
Description: When a user opens a connection through the SSL VPN Portal, the generated log entries do
not include User information.

Route-Based VPN packets might be dropped on Firewall Clusters (#112070)
Role: FW
Description: Route-Based VPN packets might be dropped as spoofed on Firewall Clusters.

SunRPC connections might fail (#112105)
Role: FW
Description: SunRPC connections through the engine might fail.

IPv6 traffic over IPsec VPN with IPv4 endpoints does not work (#112164)
Role: FW
Description: IPv6 traffic over an IPsec VPN with IPv4 endpoints does not work. The IPsec tunnel is
negotiated but traffic is not sent into the tunnel.

Processing NATed ICMPv6 packets can cause engine to restart (#112266)
Role: FW
Description: Processing NATed ICMPv6 packets can cause the engine to restart.

Inspecting compressed files can lead to inspection process restarting (#112280)
Role: FW, L2FW, IPS
Description: Inspecting compressed files can cause the inspection process to restart.

Virtual Engines might not send NAT-T keepalive packets correctly (#112294)
Role: FW
Description: Virtual Security Engines might not send NAT-T keepalive packets correctly when Virtual
Security Engines are in use. Instead, the NAT-T keepalive packets are sent from the Master Engine.

RPC connections can cause engine to restart (#112312)
Role: FW
Description: If RPC connections originated from a node are allowed in a rule using the RPC protocol
agent, the engine might restart.
Workaround: Allow connections with a rule that uses a service element without the protocol agent.

VPN process might restart in certain circumstances (#112344)
Role: FW
Description: In rare cases, the VPN process might restart. This causes established VPN connections to
fail.

Engine sends more log messages using Syslog facility than intended (#112357)
Role: FW, L2FW, IPS
Description: The engine sends more log messages using the Syslog facility than intended.

Inspecting tunneled traffic can lead to a memory leak (#112397)
Role: L2FW, IPS
Description: Inspecting tunneled traffic can cause a memory leak.

LACP Actor System ID might change on Firewall Clusters (#112408)
Role: FW
Description: On Firewall Clusters with aggregated links in load-balancing mode, the LACP Actor System
ID might change when the packet dispatcher role between cluster nodes changes. This can cause
connectivity issues with some switches.

Engine might use wrong certificate fingerprint in SMC connection verification (#112422)
Role: FW, L2FW, IPS
Description: If the management CA is changed from RSA to ECDSA or from ECDSA to RSA, and the
Management Server certificate fingerprint has been defined in the engine, the engine tries to verify
the management connection using the previous fingerprint.

Logs related to inspected GRE traffic might be missing information (#112463)
Role: L2FW, IPS
Description: Some information might be missing from logs related to inspected GRE tunneled traffic.

Decryption of POP3S or IMAPS traffic might not work (#112480)
Role: FW, L2FW, IPS
Description: Decryption of POP3S or IMAPS traffic might not work.

Engine might reboot when refreshing the policy (#112481)
Role: FW
Description: Using dynamic routing can cause the engine to reboot when refreshing the policy.

Inspection accuracy issues in NGFW 5.8.0 (#112525)
Role: IPS
Description: NGFW version 5.8.0 has inspection accuracy issues related to protocol normalization. The
issues were not present in earlier versions.

VPN-related information missing from logs with applications (#112526)
Role: FW
Description: Application logs might not contain all VPN-related information.

Discarded connections might not be logged (#112584)
Role: FW, L2FW, IPS
Description: Connections that match Access Rules with the Discard action might not be logged if a
previous rule with the Discard action applies URL filtering or Application detection.

GTI can consume excessive CPU resources (#112600)
Role: FW, L2FW, IPS
Description: Using Global Threat Intelligence (GTI) for file filtering can consume excessive CPU
resources in high-traffic environments.

Master Engine might restart when deleting a Virtual Security Engine (#112783)
Role: FW, L2FW, IPS
Description: The Master Engine might restart when you delete a Virtual Security Engine that still has
a Virtual Resource attached to it.
Workaround: Delete the Virtual Resource first in the Virtual Engine Properties and then the Virtual
Security Engine element itself.

SNMP agent does not work when engine has Aggregated Link Interfaces (#112821)
Role: FW
Description: If an engine has Aggregated Link Interfaces, the SNMP agent on the engine might stop
working.

Dynamic routing can stop working if all nodes rebooted at the same time (#112879)
Role: FW
Description: Dynamic routing can stop working if all nodes within a cluster are rebooted at the same
time.

Inspected TCP connections might be delayed or might stop (#112988)
Role: FW, L2FW, IPS
Description: Due to TCP window handling issues, inspected TCP connections might be delayed, or might
stop.

Policy installation can take a long time when many new interfaces configured (#112996)
Role: FW, L2FW, IPS
Description: Policy installation can take a long time on a Virtual Security Engine when many new
interfaces have been configured.

Master Engine might reboot (#113059)
Role: FW
Description: The Master Engine might reboot when it is processing connections that use the H323,
Oracle, or RSH Protocol Agents, and NAT is applied to the connections.

Engine might not answer SNMP queries sent to Interfaces with dynamic IP addresses (#113074)
Role: FW
Description: The engine might not answer SNMP queries that are sent to interfaces that have dynamic IP
addresses.

PPTP might not work if Tunnel Rematching is in use (#113079)
Role: L2FW, IPS
Description: The Security Engine may not handle PPTP connections correctly if Tunneled Traffic
Rematching is in use.

Master Engine's Control Interface can stop working (#113193)
Role: L2FW, IPS
Description: The Master Engine's Control Interface can stop working if it has been configured on a
VLAN interface.

Master Engine may not handle traffic correctly when MAC addresses are used for CVIs (#113281)
Role: FW, L2FW, IPS
Description: Master Engines may not handle traffic correctly when MAC addresses are used for CVIs on
the Virtual Firewalls.
Workaround: Do not configure MAC addresses for CVIs in the Master Engine interface properties. This
way the MAC addresses of the Physical Interfaces will be used instead.

Policy installation can fail when browser-based authentication is in use (#113287)
Role: FW
Description: Policy installation can fail when browser-based authentication is in use.

Engine can become unresponsive when NAT is used together with loose connection tracking (#113302)
Role: FW
Description: In rare situations where there is static source and destination NAT for the same IP
addresses, and the same connections use loose connection tracking, the engine can become unresponsive.

Backslash cannot be used in user names with RADIUS authentication (#113372)
Role: FW
Description: The engine prevents using the backslash character in user names when querying a RADIUS
server. As a result, authentication using a user name that contains the "\" character fails when
using RADIUS authentication. The log message is: "Login is not valid (test\user)".

Applications identified by SNI might be misidentified (#113419)
Role: FW, L2FW, IPS
Description: If a client uses a spoofed Server Name Indication (SNI) in a TLS connection, the
Application might not be correctly detected.

Extensive use of blacklisting might reduce engine performance (#113428)
Role: FW, L2FW, IPS
Description: Extensive use of blacklisting can significantly reduce the performance of the engine.
The issue is only likely to occur in engines with multi-core CPUs, when there is a very high number of
blacklist actions from the Inspection rules and a large amount of traffic. The following type of
message is shown on the local console of the engine: "BUG: soft lockup".

Policy installation can fail on engine with dynamic interfaces (#113459)
Role: FW
Description: Policy installation can fail on an engine if it has dynamic interfaces configured and
destination NAT configured on those interfaces.

Engine can hang (#113568)
Role: FW, L2FW, IPS
Description: In some circumstances, the engine can hang with console messages such as: "BUG: soft
lockup - CPU#0 stuck for 23s!". The issue can affect engine versions 5.7.6 and 5.8.0.

Engine can take a long time to recover from ADSL network issues (#113614)
Role: FW
Description: The engine can take a long time to start processing traffic in situations where the ADSL
interface has recovered from a network problem.

Authentication process can restart (#113661)
Role: FW
Description: The authentication process can restart, causing authentication to fail on the engine.
System requirements
McAfee NGFW appliances
Appliance model: Supported roles
FW-315: Firewall/VPN
320X (MIL-320): Firewall/VPN
FW-1030: Firewall/VPN
FW-1060: Firewall/VPN
FW-5000: Firewall/VPN
IPS-1030: IPS and Layer 2 Firewall
IPS-1060: IPS and Layer 2 Firewall
IPS-1205: IPS and Layer 2 Firewall
321: Firewall/VPN, IPS, and Layer 2 Firewall
325: Firewall/VPN, IPS, and Layer 2 Firewall
1035: Firewall/VPN, IPS, and Layer 2 Firewall
1065: Firewall/VPN, IPS, and Layer 2 Firewall
1301: Firewall/VPN, IPS, and Layer 2 Firewall
1302: Firewall/VPN, IPS, and Layer 2 Firewall
1401: Firewall/VPN, IPS, and Layer 2 Firewall
1402: Firewall/VPN, IPS, and Layer 2 Firewall
3201: Firewall/VPN, IPS, and Layer 2 Firewall
3202: Firewall/VPN, IPS, and Layer 2 Firewall
3205: Firewall/VPN, IPS, and Layer 2 Firewall
3206: Firewall/VPN, IPS, and Layer 2 Firewall
5201: Firewall/VPN, IPS, and Layer 2 Firewall
5205: Firewall/VPN, IPS, and Layer 2 Firewall
5206: Firewall/VPN, IPS, and Layer 2 Firewall
Some features in this release are not available for all appliance models. See
http://www.mcafee.com/us/support/support-eol-next-gen-firewall.aspx and
https://kc.mcafee.com/corporate/index?page=content&id=KB78906 for up-to-date appliance-specific
software compatibility information. McAfee appliances support only the software architecture version
(32-bit or 64-bit) that they are shipped with.
Certified Intel platforms
McAfee has certified specific Intel-based platforms for the Next Generation Firewall. The tested
platforms can be found in the McAfee Support Knowledge Center
(https://support.mcafee.com/ServicePortal/faces/knowledgecenter) under the Next Generation Firewall
product.
We strongly recommend using certified hardware or a pre-installed McAfee appliance as the hardware
solution for new McAfee NGFW installations. If it is not possible to use a certified platform, the NGFW
can also run on standard Intel-based hardware that fulfills the hardware requirements.
Basic NGFW hardware requirements
• Intel® Core™2 / Intel® Xeon® based hardware
• IDE hard disk (IDE RAID controllers are not supported) and CD-ROM drive
• Memory:
  • 2 GB RAM minimum for 32-bit (i386) installation
  • 8 GB RAM minimum for 64-bit (x86-64) installation
• VGA-compatible display and keyboard
• One or more certified network interfaces for the Firewall/VPN role
• 2 or more certified network interfaces for IPS with IDS configuration
• 3 or more certified network interfaces for Inline IPS or Layer 2 Firewall
For more information on certified network interfaces, see
https://kc.mcafee.com/corporate/index?page=content&id=KB78844.
Requirements for Master Engines
• Each Master Engine must run on a separate physical NGFW device. For more details, please read the
  hardware requirements document at http://www.stonesoft.com/en/customer_care/kb/.
• All the Virtual Security Engines hosted by a Master Engine or Master Engine cluster must have the
  same role and the same Failure Mode (“fail-open” or “fail-close”).
• Master Engines can allocate VLANs or interfaces to Virtual Security Engines. If the Failure Mode of
  the Virtual IPS engines or Virtual Layer 2 Firewalls is “Normal” (fail-close) and you want to
  allocate VLANs to several engines, you must use the Master Engine cluster in standby mode.
• Cabling requirements for Master Engine clusters that host Virtual IPS engines or Layer 2 Firewalls:
  • Failure Mode “Bypass” (fail-open) requires IPS serial cluster cabling.
  • Failure Mode “Normal” (fail-close) requires Layer 2 Firewall cluster cabling.
For more information on cabling, see the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall
Roles.
Requirements for Virtual Appliance Nodes
• Intel® Core™2 / Intel® Xeon®-based hardware
• One of the following hypervisors:
  • VMware ESXi versions 5.1 and 5.5
  • KVM (KVM is tested as shipped with Red Hat Enterprise Linux Server release 7.0)
    • Only 64-bit NGFW guest is supported on KVM
• 8 GB virtual disk
• 2 GB RAM minimum, 4 GB recommended if inspection is used
• A minimum of one virtual network interface for the Firewall/VPN role, three for IPS or Layer 2
  Firewall roles
The following limitations apply when a McAfee NGFW is run as a virtual appliance node in the
Firewall/VPN role:
• Only Packet Dispatching CVI mode is supported.
• Only Standby clustering mode is supported.
• Heartbeat requires a dedicated non-VLAN-tagged interface.
The following limitations apply when a McAfee NGFW is run as a virtual appliance node in the IPS or
Layer 2 Firewall role:
• Clustering is not supported.
Installation instructions
Note
The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security
Management Center is installed for the first time.
The main installation steps for the McAfee Security Management Center (SMC) and the NGFW engines
are as follows:
1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s) and
the Authentication Server(s).
2. Import the licenses for all components (you can generate licenses at
https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the
Security Engine Configuration view.
4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2
Firewall element and selecting Save Initial Configuration.
5. Make the initial connection from the engines to the Management Server and enter the one-time
password provided during Step 4.
6. Create and upload a policy on the engines using the Management Client.
The detailed installation instructions can be found in the product-specific installation guides. For a more
thorough explanation of using the McAfee Security Management Center, refer to the Management Client
Online Help or the McAfee SMC Administrator’s Guide. For background information on how the system
works, consult the McAfee SMC Reference Guide. All guides are available for download at
https://www.stonesoft.com/en/customer_care/documentation/current/.
Upgrade instructions
McAfee NGFW version 5.8.1 requires an updated license if upgrading from version 5.7.x or lower. The
license upgrade can be requested at https://my.stonesoft.com/managelicense.do. Install the new
license using the Management Client before upgrading the software. The license is updated
automatically by the SMC if communication with McAfee servers is enabled and the maintenance
contract is valid.
To upgrade the engine, use the remote upgrade feature or reboot from the installation CD and follow
the instructions. Detailed instructions can be found in the McAfee NGFW Installation Guide for
Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles.
Note
McAfee NGFW appliances support only the software architecture version that they are pre-installed with.
32-bit versions (i386) can only be upgraded to another 32-bit version and 64-bit versions (x86-64) can
only be upgraded to another 64-bit version. Clusters can only have online nodes that use the same
software architecture version. State synchronization between 32-bit and 64-bit versions is not supported.
Changing architecture for third-party server machines using software licenses requires full re-installation
using a CD.
Upgrading to any 5.8.x version is only supported from 5.7.x version. If you are running a lower version,
upgrade first to the highest 5.7.x version following the instructions in the release notes for that version.
Build version
McAfee Next Generation Firewall version 5.8.1 build version is 12053.
Product Binary Checksums
Compatibility
McAfee NGFW version 5.8.1 is compatible with the following component versions:
• McAfee Security Management Center 5.8.0 or higher
• Dynamic Update 594 or higher
• Stonesoft IPsec VPN Client 5.3.0 or higher
• Server Pool Monitoring Agent 4.0.0 or higher
• Stonesoft User Agent 1.1.0 or higher
• McAfee Logon Collector (MLC) 2.1 and 2.2
• McAfee Advanced Threat Defense (ATD) 3.0
Known issues
For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82975.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the online Knowledge Center.
1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.
Copyright © 2015 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United
States and other countries. Other names and brands may be claimed as the property of others.