Next Generation Firewall 5.8.1 Release Notes
Release Notes Revision A
McAfee Next Generation Firewall 5.8.1

Contents
About this release
New features
Enhancements
Changes
Known limitations
Resolved issues
System requirements
Installation instructions
Upgrade instructions
Build version
Compatibility
Known issues
Find product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

The Security Engine product name has changed in this release. The Security Engine is now known as the "McAfee Next Generation Firewall" or "NGFW". NGFW engines are still represented by Security Engine elements in the Management Client.

New features

This release of the product includes these new features that have been added since NGFW 5.7.

New features introduced in NGFW 5.8

New SSL VPN
Version 5.8 provides a new SSL VPN feature that is built into the Next Generation Firewall (NGFW). The same Firewall can host multiple SSL VPN Portals, each with its own SSL VPN Portal Policy. Outlook Web Access (OWA) and intranet browsing are among the key use cases the portal is intended to support. SSL VPN Portal Services can be based either on URL rewriting or on DNS mapping. The new SSL VPN will eventually replace the separate Stonesoft legacy SSL VPN appliance.

File Filtering Policy (including McAfee ATD and McAfee GTI integration)
A new policy type has been introduced for File Filtering. Currently this policy type is selected on the Inspection tab of the main policy that you upload to the NGFW engine. The matching criteria of a File Type Policy rule include the source and destination of the file stream and the File Type. The NGFW can be configured to allow or discard the traffic that matches the File Type Policy rule directly, or to allow it only after additional checks have been performed. These checks include the File Reputation (McAfee GTI) check, the McAfee Anti-Virus check, and the McAfee Advanced Threat Defense (ATD) check.

Enhancements

This release of the product includes these enhancements added since NGFW 5.7.

Enhancements introduced in NGFW 5.8.1

SIP protocol handling improved
SIP protocol handling has been improved.

Botnet detection improved
Botnet detection coverage has been expanded.

SNMP support for Virtual Engines
The SNMP agent on the Master Engine now also shows Virtual Engine interfaces.

HTTPS-based Application Identification improved
HTTPS-based Application Identification has been improved.

glibc library upgrade regarding CVE-2015-0235
This release updates the NGFW engine to use a glibc library that is not vulnerable to the GHOST vulnerability (CVE-2015-0235, a buffer overflow in glibc's gethostbyname() family of functions that a crafted hostname can trigger). Note: The only hostnames the NGFW engine may look up come as part of the configuration from the administrator, so no attack vector exists for entities other than the NGFW administrator.

Enhancements introduced in NGFW 5.8

TCP inspection
The internal TCP inspection engine has been improved for performance and functionality. The functionality enhancements include:
• Anti-virus support in a Virtual Context
• Anti-virus and anti-spam support on Inline Interfaces and Capture Interfaces on IPS and Layer 2 Firewalls
• URL filtering support on Capture Interfaces
• Enhanced NAT support with Anti-virus and Anti-spam
• User Response support in the Layer 2 Firewall role
• TLS inspection for server protection on Capture Interfaces in the IPS and Layer 2 Firewall roles

McAfee Logon Collector (MLC) will replace the Stonesoft User Agent
McAfee Logon Collector (MLC) is a software component that is very similar to the Stonesoft User Agent. Eventually, support for the legacy Stonesoft User Agent will end and MLC will replace it. In NGFW 5.8, you can use either MLC or the Stonesoft User Agent to provide user information for Access rules, logs, and reporting.
MLC introduces some benefits and new features that do not exist in the Stonesoft User Agent. It supports High Availability, multiple Domains, and multiple AD forests. It can also monitor MS Exchange Servers (in addition to Domain Controllers) for logon information, which gives better coverage for user identification.

Interface link aggregation
Interface link aggregation has been enhanced to support up to 8 interfaces in load-balancing mode. Feature stability has been enhanced and the Link Status test for aggregated interfaces has been improved.

Changes

Strict TCP Mode for Deep Inspection
The Strict TCP Mode for Deep Inspection option in the engine properties is now only for backward compatibility. The new engine switches automatically between active stream processing and transparent packet forwarding, depending on the configured features and the received packets.

Anti-virus option moved under File Filtering Policy
The Anti-virus option, which was previously part of the Allow action options of Access rules, has been moved to the new File Filtering Policy.

TCP Situations available for logging only
TCP Situation elements that previously contained options for controlling TCP inspection can now be used only for logging. The TCP Situations now have no configurable options.

Anti-virus logging
The Anti-Virus_Virus-Found Situation has been replaced by the File_Malware-Blocked Situation.

Packet validity checking
McAfee NGFW in all roles checks the validity of packets to protect the engine from processing invalid packets, which can be harmful to the McAfee NGFW. Depending on the action in the Inspection Policy, McAfee NGFW in the IPS and Layer 2 Firewall roles can either terminate invalid packets or bypass the traffic without processing the invalid packets. For self-protection reasons, McAfee NGFW in the Firewall/VPN role always terminates invalid packets without establishing a connection.
Invalid Packet Situation logging
Configuring logging options for the "Invalid Packet" Situation Type in the Inspection Policy now enables logging for all McAfee NGFW roles. Logging for the Firewall/VPN role could previously only be enabled by selecting the Packet Filter diagnostic mode in the Firewall/VPN diagnostics for the engine. More detailed information is now available in the Firewall logs when invalid packets are detected and terminated. Note: Invalid Packet Situations are always log rate limited, so the number of log entries is not a count of the packets that were terminated.

Known limitations

Inspection in asymmetrically routed networks
In asymmetrically routed networks, using the stream-modifying features (TLS Inspection, URL filtering, and file filtering) may make connections stall. Even if these features are not configured, the engine may report false-positive out-of-window situations and drop those packets after a while.

SSL/TLS inspection in capture (IDS) mode
Due to SSL/TLS protocol security features, SSL/TLS decryption in capture (IDS) mode can only be applied in a server protection scenario when RSA key exchange is negotiated between the client and the server. This is inherent to passive decryption: a sensor that only sees the traffic can recover the session keys only by decrypting the RSA-encrypted premaster secret with the protected server's private key, whereas with (EC)DHE key exchange the session keys are derived from ephemeral values that the server's private key does not reveal (forward secrecy), so such sessions cannot be decrypted out of line.

Inline Interface disconnect mode in the IPS role
The "disconnect mode" for Inline Interfaces is not supported on IPS Virtual Appliances, IPS software installations, IPS appliance models other than IPS-6xxx, or modular appliance models that have bypass interface modules.

Resolved issues

These issues have been resolved since version NGFW 5.8.0. For a list of issues that have been fixed in earlier releases, see the Release Notes for the specific release. Each entry lists the affected roles (FW = Firewall/VPN, L2FW = Layer 2 Firewall, IPS = IPS).

IPv6 ICMP Packet Too Big messages not allowed by default (#87542)
Role: FW
ICMPv6 Packet Too Big messages generated for VPN path MTU discovery originate from cluster CVI addresses instead of NDI addresses. By default, these messages are not allowed from cluster CVI addresses.
Workaround: Add a rule to allow ICMPv6 Packet Too Big messages from the cluster CVI addresses.
Inspection process might restart (#90139)
Role: FW, L2FW, IPS
The inspection process might restart when some types of HTTP traffic are inspected.

Policy installation might pause traffic flow through the engine (#98892)
Role: FW, L2FW, IPS
The handling of policy installations on engines is not optimal. This leads to unnecessarily long pauses in traffic flow during the installation process.

HTTP redirection in Access rules does not work if earlier Access rules have used a URL category match (#101363)
Role: FW, L2FW, IPS
HTTP redirection in Access rules does not work if earlier Access rules have used a URL category match.
Workaround: Use URL category matches in the Inspection Policy instead of Access rules.

Link Status test fails after configuring a new interface for a new Virtual Resource (#101522)
Role: FW, L2FW, IPS
After adding an interface to a new Virtual Resource and installing the policy, the Link Status test fails and one of the nodes in the Master Engine Cluster goes offline. If the Virtual Resource is not associated with a Virtual Security Engine, the interface is not up. However, the Link Status test is active if it is set to run on all interfaces.
Workaround: Install the policy only after adding both the new Virtual Resource and the Virtual Security Engine to the configuration.

Application reporting might not be detailed enough (#105725)
Role: FW, L2FW, IPS
Detected applications might not be reported in enough detail. For example, an application like Facebook could be shown as HTTP.

User Responses configured in Access rules might not work (#108158)
Role: FW, L2FW, IPS
User Responses do not work in all configurations if they are configured using the Discard action in Access rules. The issue affects configurations where the Access rules also contain rules for application detection or URL filtering.

Using anti-virus and TLS inspection might cause the inspection process to restart (#108533)
Role: FW
Using anti-virus and TLS inspection at the same time might cause the inspection process to restart.

ICMP application not identified (#109041)
Role: FW, L2FW, IPS
The ICMP application is not identified correctly.

Application detection cannot be used together with the SIP protocol agent (#109058)
Role: FW, L2FW, IPS
If application detection is enabled for traffic that also uses the SIP protocol agent, related connections may not be recognized correctly by the protocol agent.

DHCP packets might not be correctly balanced in a cluster (#109421)
Role: FW
DHCP packets might not be correctly balanced in a load-balanced cluster immediately after a cluster node has been rebooted.
Workaround: Refresh the policy on the cluster after rebooting a node.

UDP Service protocol identification may cause the sg-inspection process to restart (#109477)
Role: FW, L2FW, IPS
A configuration that uses a custom UDP Service might cause the sg-inspection process to restart. This happens when Protocol Identification is selected as the Protocol for some UDP ports in the properties of the custom UDP Service.

Issues with asymmetric routing configurations (#109920)
Role: FW, L2FW, IPS
Asymmetric routing configurations with deep inspection enabled might no longer work correctly after upgrading to McAfee NGFW version 5.8.0, due to the updated traffic stream handling logic. This applies to inspected traffic that potentially needs to be modified, for example, if file filtering or user responses are configured. Inspection configurations that do not attempt to modify traffic work normally.

Static route configuration might fail with a large number of Tunnel Interfaces (#110024)
Role: FW
When the Firewall engine configuration contains a large number of Tunnel Interfaces, some static routes through these interfaces might not be configured when the policy is uploaded.

Policy installation may fail on engines that have interfaces with dynamic IP addresses (#110165)
Role: FW
Policy installation may fail on Single Firewall engines that have interfaces with dynamic IP addresses.

SSL VPN tunnels only work with RSA-based gateway certificates (#110543)
Role: FW
SSL VPN tunnels for VPN Clients only work with RSA-based gateway certificates.

Hardware monitoring might stop working (#110990)
Role: FW, L2FW, IPS
In rare cases, hardware monitoring might stop working. This causes operations that depend on hardware monitoring, such as sgInfo collection, to stop.

Communication between User Agent and NGFW might not work (#111018)
Role: FW, L2FW, IPS
The User Agent might stop forwarding user information to the engine if the connectivity between the User Agent and the engine is not working reliably.

Virtual IP address (DHCP) restrictions with VPN Clients (#111146)
Role: FW
If you only use the VPN Client with IPsec tunnels, DHCP works the same way as in previous releases. If you only use the VPN Client with SSL VPN tunnels, DHCP requests are sent as relay messages, even when the DHCP server is in a directly connected network. McAfee NGFW cannot act as a DHCP relay or as a DHCP server when the VPN Client is used with SSL VPN tunnels. If you use both IPsec and SSL VPN tunnels with the VPN Client, the DHCP server must be located in a directly connected network, and direct DHCP mode must be used.
Workaround: Use a directly connected DHCP server and the direct DHCP mode when using the VPN Client with SSL VPN tunnels.

Engine might stop sending ICMP messages (#111747)
Role: FW
The engine might stop sending ICMP messages after an arbitrary length of time.
Workaround: Reboot the engine.

Traffic that matches Ethernet rules using MAC addresses is not inspected (#111836)
Role: L2FW, IPS
If traffic matches an Ethernet rule that specifies MAC addresses, the traffic might not be sent for deep inspection, even if deep inspection is enabled in the policy.
Workaround: Edit the Ethernet rule so that MAC addresses are not used for matching.

Inspected connections might fail when dynamic source NAT is applied (#111873)
Role: FW
Inspected connections might fail when dynamic source NAT is applied.

Engine might drop SYN packets (#111876)
Role: FW, L2FW, IPS
The engine might prevent a new connection from being established if the connection uses the same IP address and port pairs as a previous connection.

User information missing from SSL VPN Portal logs (#111981)
Role: FW
When a user opens a connection through the SSL VPN Portal, the generated log entries do not include User information.

Route-Based VPN packets might be dropped on Firewall Clusters (#112070)
Role: FW
Route-Based VPN packets might be dropped as spoofed on Firewall Clusters.

SunRPC connections might fail (#112105)
Role: FW
SunRPC connections through the engine might fail.

IPv6 traffic over IPsec VPN with IPv4 endpoints does not work (#112164)
Role: FW
IPv6 traffic over an IPsec VPN with IPv4 endpoints does not work. The IPsec tunnel is negotiated, but traffic is not sent into the tunnel.

Processing NATed ICMPv6 packets can cause the engine to restart (#112266)
Role: FW
Processing NATed ICMPv6 packets can cause the engine to restart.

Inspecting compressed files can lead to the inspection process restarting (#112280)
Role: FW, L2FW, IPS
Inspecting compressed files can cause the inspection process to restart.

Virtual Engines might not send NAT-T keepalive packets correctly (#112294)
Role: FW
Virtual Security Engines might not send NAT-T keepalive packets correctly. Instead, the NAT-T keepalive packets are sent from the Master Engine.

RPC connections can cause the engine to restart (#112312)
Role: FW
If RPC connections originating from a node are allowed in a rule using the RPC protocol agent, the engine might restart.
Workaround: Allow the connections with a rule that uses a service element without the protocol agent.

VPN process might restart in certain circumstances (#112344)
Role: FW
In rare cases, the VPN process might restart. This causes established VPN connections to fail.

Engine sends more log messages using the Syslog facility than intended (#112357)
Role: FW, L2FW, IPS
The engine sends more log messages using the Syslog facility than intended.

Inspecting tunneled traffic can lead to a memory leak (#112397)
Role: L2FW, IPS
Inspecting tunneled traffic can cause a memory leak.

LACP Actor System ID might change on Firewall Clusters (#112408)
Role: FW
On Firewall Clusters with aggregated links in load-balancing mode, the LACP Actor System ID might change when the packet dispatcher role moves between cluster nodes. This can cause connectivity issues with some switches.

Engine might use the wrong certificate fingerprint in SMC connection verification (#112422)
Role: FW, L2FW, IPS
If the management CA is changed from RSA to ECDSA or from ECDSA to RSA, and the Management Server certificate fingerprint has been defined in the engine, the engine tries to verify the management connection using the previous fingerprint.

Logs related to inspected GRE traffic might be missing information (#112463)
Role: L2FW, IPS
Some information might be missing from logs related to inspected GRE tunneled traffic.

Decryption of POP3S or IMAPS traffic might not work (#112480)
Role: FW, L2FW, IPS
Decryption of POP3S or IMAPS traffic might not work.

Engine might reboot when refreshing the policy (#112481)
Role: FW
Using dynamic routing can cause the engine to reboot when refreshing the policy.

Inspection accuracy issues in NGFW 5.8.0 (#112525)
Role: IPS
NGFW version 5.8.0 has inspection accuracy issues related to protocol normalization. The issues were not present in earlier versions.

VPN-related information missing from logs with applications (#112526)
Role: FW
Application logs might not contain all VPN-related information.

Discarded connections might not be logged (#112584)
Role: FW, L2FW, IPS
Connections that match Access rules with the Discard action might not be logged if a previous rule with the Discard action applies URL filtering or application detection.

GTI can consume excessive CPU resources (#112600)
Role: FW, L2FW, IPS
Using Global Threat Intelligence (GTI) for file filtering can consume excessive CPU resources in high-traffic environments.

Master Engine might restart when deleting a Virtual Security Engine (#112783)
Role: FW, L2FW, IPS
The Master Engine might restart when you delete a Virtual Security Engine that still has a Virtual Resource attached to it.
Workaround: Delete the Virtual Resource first in the Virtual Engine Properties and then the Virtual Security Engine element itself.

SNMP agent does not work when the engine has Aggregated Link Interfaces (#112821)
Role: FW
If an engine has Aggregated Link Interfaces, the SNMP agent on the engine might stop working.

Dynamic routing can stop working if all nodes are rebooted at the same time (#112879)
Role: FW
Dynamic routing can stop working if all nodes within a cluster are rebooted at the same time.

Inspected TCP connections might be delayed or might stop (#112988)
Role: FW, L2FW, IPS
Due to TCP window handling issues, inspected TCP connections might be delayed or might stop.

Policy installation can take a long time when many new interfaces are configured (#112996)
Role: FW, L2FW, IPS
Policy installation can take a long time on a Virtual Security Engine when many new interfaces have been configured.

Master Engine might reboot (#113059)
Role: FW
The Master Engine might reboot when it is processing connections that use the H323, Oracle, or RSH Protocol Agents and NAT is applied to the connections.

Engine might not answer SNMP queries sent to interfaces with dynamic IP addresses (#113074)
Role: FW
The engine might not answer SNMP queries that are sent to interfaces that have dynamic IP addresses.

PPTP might not work if Tunneled Traffic Rematching is in use (#113079)
Role: L2FW, IPS
The engine may not handle PPTP connections correctly if Tunneled Traffic Rematching is in use.

Master Engine's Control Interface can stop working (#113193)
Role: L2FW, IPS
The Master Engine's Control Interface can stop working if it has been configured on a VLAN interface.

Master Engine may not handle traffic correctly when MAC addresses are used for CVIs (#113281)
Role: FW, L2FW, IPS
Master Engines may not handle traffic correctly when MAC addresses are used for CVIs on the Virtual Firewalls.
Workaround: Do not configure MAC addresses for CVIs in the Master Engine interface properties. The MAC addresses of the Physical Interfaces are then used instead.

Policy installation can fail when browser-based authentication is in use (#113287)
Role: FW
Policy installation can fail when browser-based authentication is in use.

Engine can become unresponsive when NAT is used together with loose connection tracking (#113302)
Role: FW
In rare situations where there is static source and destination NAT for the same IP addresses, and the same connections use loose connection tracking, the engine can become unresponsive.

Backslash cannot be used in user names with RADIUS authentication (#113372)
Role: FW
The engine prevents using the backslash character in user names when querying a RADIUS server. As a result, authentication using a user name that contains the "\" character fails when using RADIUS authentication. The log message is: "Login is not valid (test\user)".

Applications identified by SNI might be misidentified (#113419)
Role: FW, L2FW, IPS
If a client uses a spoofed Server Name Indication (SNI) in a TLS connection, the application might not be correctly detected.

Extensive use of blacklisting might reduce engine performance (#113428)
Role: FW, L2FW, IPS
Extensive use of blacklisting can significantly reduce the performance of the engine. The issue is only likely to occur on engines with multi-core CPUs, when there is a very high number of blacklist actions from the Inspection rules and a large amount of traffic. The following types of messages are shown on the local console of the engine: "BUG: soft lockup".

Policy installation can fail on an engine with dynamic interfaces (#113459)
Role: FW
Policy installation can fail on an engine if it has dynamic interfaces configured and destination NAT configured on those interfaces.

Engine can hang (#113568)
Role: FW, L2FW, IPS
In some circumstances, the engine can hang with console messages such as: "BUG: soft lockup - CPU#0 stuck for 23s!". The issue can affect engine versions 5.7.6 and 5.8.0.

Engine can take a long time to recover from ADSL network issues (#113614)
Role: FW
The engine can take a long time to start processing traffic in situations where the ADSL interface has recovered from a network problem.

Authentication process can restart (#113661)
Role: FW
The authentication process can restart, causing authentication to fail on the engine.

System requirements

McAfee NGFW appliances

Appliance model    Supported roles
FW-315             Firewall/VPN
320X (MIL-320)     Firewall/VPN
FW-1030            Firewall/VPN
FW-1060            Firewall/VPN
FW-5000            Firewall/VPN
IPS-1030           IPS and Layer 2 Firewall
IPS-1060           IPS and Layer 2 Firewall
IPS-1205           IPS and Layer 2 Firewall
321                Firewall/VPN, IPS, and Layer 2 Firewall
325                Firewall/VPN, IPS, and Layer 2 Firewall
1035               Firewall/VPN, IPS, and Layer 2 Firewall
1065               Firewall/VPN, IPS, and Layer 2 Firewall
1301               Firewall/VPN, IPS, and Layer 2 Firewall
1302               Firewall/VPN, IPS, and Layer 2 Firewall
1401               Firewall/VPN, IPS, and Layer 2 Firewall
1402               Firewall/VPN, IPS, and Layer 2 Firewall
3201               Firewall/VPN, IPS, and Layer 2 Firewall
3202               Firewall/VPN, IPS, and Layer 2 Firewall
3205               Firewall/VPN, IPS, and Layer 2 Firewall
3206               Firewall/VPN, IPS, and Layer 2 Firewall
5201               Firewall/VPN, IPS, and Layer 2 Firewall
5205               Firewall/VPN, IPS, and Layer 2 Firewall
5206               Firewall/VPN, IPS, and Layer 2 Firewall

Some features in this release are not available for all appliance models.
See http://www.mcafee.com/us/support/support-eol-next-gen-firewall.aspx and https://kc.mcafee.com/corporate/index?page=content&id=KB78906 for up-to-date appliance-specific software compatibility information.

McAfee appliances support only the software architecture version (32-bit or 64-bit) that they are shipped with.

Certified Intel platforms
McAfee has certified specific Intel-based platforms for the Next Generation Firewall. The tested platforms can be found in the McAfee Support Knowledge Center (https://support.mcafee.com/ServicePortal/faces/knowledgecenter) under the Next Generation Firewall product. We strongly recommend using certified hardware or a pre-installed McAfee appliance as the hardware solution for new McAfee NGFW installations. If it is not possible to use a certified platform, the NGFW can also run on standard Intel-based hardware that fulfills the hardware requirements.

Basic NGFW hardware requirements
• Intel® Core™2 / Intel® Xeon® based hardware
• IDE hard disk (IDE RAID controllers are not supported) and CD-ROM drive
• Memory:
  • 2 GB RAM minimum for 32-bit (i386) installation
  • 8 GB RAM minimum for 64-bit (x86-64) installation
• VGA-compatible display and keyboard
• One or more certified network interfaces for the Firewall/VPN role
• 2 or more certified network interfaces for IPS with IDS configuration
• 3 or more certified network interfaces for Inline IPS or Layer 2 Firewall

For more information on certified network interfaces, see https://kc.mcafee.com/corporate/index?page=content&id=KB78844.

Requirements for Master Engines
• Each Master Engine must run on a separate physical NGFW device. For more details, read the hardware requirements document at http://www.stonesoft.com/en/customer_care/kb/.
• All the Virtual Security Engines hosted by a Master Engine or Master Engine cluster must have the same role and the same Failure Mode ("fail-open" or "fail-close").
• Master Engines can allocate VLANs or interfaces to Virtual Security Engines. If the Failure Mode of the Virtual IPS engines or Virtual Layer 2 Firewalls is "Normal" (fail-close) and you want to allocate VLANs to several engines, you must use the Master Engine cluster in standby mode.
• Cabling requirements for Master Engine clusters that host Virtual IPS engines or Layer 2 Firewalls:
  • Failure Mode "Bypass" (fail-open) requires IPS serial cluster cabling.
  • Failure Mode "Normal" (fail-close) requires Layer 2 Firewall cluster cabling.

For more information on cabling, see the McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles.

Requirements for Virtual Appliance Nodes
• Intel® Core™2 / Intel® Xeon®-based hardware
• One of the following hypervisors:
  • VMware ESXi versions 5.1 and 5.5
  • KVM (tested as shipped with Red Hat Enterprise Linux Server release 7.0); only a 64-bit NGFW guest is supported on KVM
• 8 GB virtual disk
• 2 GB RAM minimum, 4 GB recommended if inspection is used
• A minimum of one virtual network interface for the Firewall/VPN role, three for the IPS or Layer 2 Firewall roles

The following limitations apply when a McAfee NGFW is run as a virtual appliance node in the Firewall/VPN role:
• Only Packet Dispatching CVI mode is supported.
• Only Standby clustering mode is supported.
• Heartbeat requires a dedicated non-VLAN-tagged interface.

The following limitation applies when a McAfee NGFW is run as a virtual appliance node in the IPS or Layer 2 Firewall role:
• Clustering is not supported.

Installation instructions

Note: The sgadmin user is reserved for McAfee use on Linux, so it must not exist before the McAfee Security Management Center is installed for the first time.

The main installation steps for the McAfee Security Management Center (SMC) and the NGFW engines are as follows:
1. Install the Management Server, the Log Server(s), and optionally the Web Portal Server(s) and the Authentication Server(s).
2. Import the licenses for all components (you can generate licenses at https://my.stonesoft.com/managelicense.do).
3. Configure the Firewall, IPS, or Layer 2 Firewall elements with the Management Client using the Security Engine Configuration view.
4. Generate initial configurations for the engines by right-clicking each Firewall, IPS, or Layer 2 Firewall element and selecting Save Initial Configuration.
5. Make the initial connection from the engines to the Management Server and enter the one-time password provided during Step 4.
6. Create and upload a policy on the engines using the Management Client.

The detailed installation instructions can be found in the product-specific installation guides. For a more thorough explanation of using the McAfee Security Management Center, refer to the Management Client Online Help or the McAfee SMC Administrator's Guide. For background information on how the system works, consult the McAfee SMC Reference Guide. All guides are available for download at https://www.stonesoft.com/en/customer_care/documentation/current/.

Upgrade instructions

McAfee NGFW version 5.8.1 requires an updated license if upgrading from version 5.7.x or lower. The license upgrade can be requested at https://my.stonesoft.com/managelicense.do. Install the new license using the Management Client before upgrading the software. The license is updated automatically by the SMC if communication with McAfee servers is enabled and the maintenance contract is valid.

To upgrade the engine, use the remote upgrade feature or reboot from the installation CD and follow the instructions. Detailed instructions can be found in the McAfee NGFW Installation Guide for Firewall/VPN Role and the McAfee NGFW Installation Guide for IPS and Layer 2 Firewall Roles.

Note: McAfee NGFW appliances support only the software architecture version that they are pre-installed with.
32-bit versions (i386) can only be upgraded to another 32-bit version, and 64-bit versions (x86-64) can only be upgraded to another 64-bit version. Clusters can only have online nodes that use the same software architecture version. State synchronization between 32-bit and 64-bit versions is not supported. Changing the architecture of third-party server machines that use software licenses requires a full re-installation from CD.

Upgrading to any 5.8.x version is only supported from a 5.7.x version. If you are running a lower version, first upgrade to the highest 5.7.x version following the instructions in the release notes for that version.

Build version

McAfee Next Generation Firewall version 5.8.1 build version is 12053.

Product binary checksums. When verifying a download, compare the SHA-512 value; SHA-1 is no longer considered collision resistant.

sg_engine_5.8.1.12053_i386.iso
SHA1SUM: 481109df8db318a3ddc0c2cffbf23a8b680d3a18
SHA512SUM: 83890a2d6a71dfba56cb4c2f7596eba2ecec5f8a1232ce456565d4fa7fd7eb96ee783f4529b0e2526d07a5145f0e660aea0524bf3f002634a42a5e13162ad802

sg_engine_5.8.1.12053_i386.zip
SHA1SUM: 79e1021ed6e07a049d97b0026ad6b065b642d7b3
SHA512SUM: 27d23867e6bda78dffdac3b4d2e17fbeb94f21f1b0aceb876cafd59415bf6a4f4d6f2f1198a210d01cfab19cf7e981c17d6ed1533c121144b29f9fd3667fbeb1

sg_engine_5.8.1.12053_x86-64.iso
SHA1SUM: 1f8969fb6abdeab5c89d49624df21c5f9444f7a9
SHA512SUM: f49c8679adc51ede74ad9da8595b0769adf40b2292f81190ac0e15e6b1576357a8cd37768d11e5772fe4c29355eaa7532605106ff31f34f8c9f559a56ef93317

sg_engine_5.8.1.12053_x86-64.zip
SHA1SUM: ccf5bfea089cd2e409d14acc37f9869ceace41c7
SHA512SUM: 28e8c7e696e942abebfbafaa3dc577cef3782d02d3f152b72a3bb42086b4ffd36392dc85d22661f5a75db94feb53f8bce5f5a4c0196158968ee1f5f1ec4c36b8

sg_engine_5.8.1.12053_x86-64-small.iso
SHA1SUM: 147173530e1f394735b444355fff6dc2b6bd733e
SHA512SUM: 5ec503c7496022442edb33184cf2ecdbcf895b1bf23107a3055b2af305d334d154652ed983703be2416c4d558d58c5db7ecac061fdfe5120306213563aacc17d

sg_engine_5.8.1.12053_x86-64-small.zip
SHA1SUM: f1e11d4795db056fd7746b1308ccb2a1984f366e
SHA512SUM: 2be59b082a1e0961f5ba832a982a4566ff3609ebf19e501b2c62ab503492242e3dbd5bd9168729b4b93cf07d289ab736fbee2c62364873194ad1f75c2f833ab2

Compatibility

McAfee NGFW version 5.8.1 is compatible with the following minimum component versions:
• McAfee Security Management Center 5.8.0 or higher
• Dynamic Update 594 or higher
• Stonesoft IPsec VPN Client 5.3.0 or higher
• Server Pool Monitoring Agent 4.0.0 or higher
• Stonesoft User Agent 1.1.0 or higher
• McAfee Logon Collector (MLC) 2.1 and 2.2
• McAfee Advanced Threat Defense (ATD) 3.0

Known issues

For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82975.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the online Knowledge Center.
1. Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.

Copyright © 2015 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
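To check downloaded engine images against the checksums listed under Build version, the following script (an added example for these notes, not McAfee or Stonesoft tooling) streams each file through SHA-1 and SHA-512 and compares both digests with the published values for build 12053. It assumes the images are passed as command-line paths and that their file names are unchanged from the download, since the published values are keyed by file name; the checksum table inside the script is copied from the Build version section.

```python
"""Verify downloaded NGFW 5.8.1 engine images against the published checksums.

Added example; not part of the release notes or the product. The values in
PUBLISHED are copied from the Build version section for build 12053.
"""
import hashlib
import sys
from pathlib import Path

# Published digests, keyed by the file name as listed under Build version.
PUBLISHED = {
    "sg_engine_5.8.1.12053_i386.iso": {
        "sha1": "481109df8db318a3ddc0c2cffbf23a8b680d3a18",
        "sha512": "83890a2d6a71dfba56cb4c2f7596eba2ecec5f8a1232ce456565d4fa7fd7eb96ee783f4529b0e2526d07a5145f0e660aea0524bf3f002634a42a5e13162ad802",
    },
    "sg_engine_5.8.1.12053_i386.zip": {
        "sha1": "79e1021ed6e07a049d97b0026ad6b065b642d7b3",
        "sha512": "27d23867e6bda78dffdac3b4d2e17fbeb94f21f1b0aceb876cafd59415bf6a4f4d6f2f1198a210d01cfab19cf7e981c17d6ed1533c121144b29f9fd3667fbeb1",
    },
    "sg_engine_5.8.1.12053_x86-64.iso": {
        "sha1": "1f8969fb6abdeab5c89d49624df21c5f9444f7a9",
        "sha512": "f49c8679adc51ede74ad9da8595b0769adf40b2292f81190ac0e15e6b1576357a8cd37768d11e5772fe4c29355eaa7532605106ff31f34f8c9f559a56ef93317",
    },
    "sg_engine_5.8.1.12053_x86-64.zip": {
        "sha1": "ccf5bfea089cd2e409d14acc37f9869ceace41c7",
        "sha512": "28e8c7e696e942abebfbafaa3dc577cef3782d02d3f152b72a3bb42086b4ffd36392dc85d22661f5a75db94feb53f8bce5f5a4c0196158968ee1f5f1ec4c36b8",
    },
    "sg_engine_5.8.1.12053_x86-64-small.iso": {
        "sha1": "147173530e1f394735b444355fff6dc2b6bd733e",
        "sha512": "5ec503c7496022442edb33184cf2ecdbcf895b1bf23107a3055b2af305d334d154652ed983703be2416c4d558d58c5db7ecac061fdfe5120306213563aacc17d",
    },
    "sg_engine_5.8.1.12053_x86-64-small.zip": {
        "sha1": "f1e11d4795db056fd7746b1308ccb2a1984f366e",
        "sha512": "2be59b082a1e0961f5ba832a982a4566ff3609ebf19e501b2c62ab503492242e3dbd5bd9168729b4b93cf07d289ab736fbee2c62364873194ad1f75c2f833ab2",
    },
}


def hashes_of_bytes(data: bytes) -> dict:
    """SHA-1 and SHA-512 hex digests of an in-memory byte string."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def hashes_of_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Stream a large image through both digests without reading it into memory at once."""
    sha1, sha512 = hashlib.sha1(), hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha512.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha512": sha512.hexdigest()}


def verify(name: str, actual: dict, published: dict = PUBLISHED) -> dict:
    """Compare computed digests with the published ones, per algorithm.

    Both are reported, but SHA-512 is the value to trust: SHA-1 is no longer
    collision resistant, so a matching SHA-1 alone is weak evidence.
    """
    if name not in published:
        raise KeyError(f"no published checksums for {name!r}")
    expected = published[name]
    return {alg: actual[alg].lower() == expected[alg].lower() for alg in ("sha1", "sha512")}


def main(argv: list) -> int:
    """Usage: verify_ngfw_images.py <image> [<image> ...]; exit status 1 on any mismatch."""
    all_ok = True
    for arg in argv:
        path = Path(arg)
        result = verify(path.name, hashes_of_file(path))
        ok = all(result.values())
        all_ok = all_ok and ok
        print(f"{'OK' if ok else 'MISMATCH':8} {path.name}  "
              f"sha1={result['sha1']}  sha512={result['sha512']}")
    return 0 if all_ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A non-zero exit status on any mismatch makes the check usable from a download script; treat a file whose SHA-512 does not match as corrupt or tampered with even if its SHA-1 matches.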