What's new

New features

This release of Network Security Platform does not include any new features.

Enhancements

Enhancements for NS9500

  • Port clustering for proxy-based SSL decryption in NS9500 standalone Sensor: Previously, port clustering was not supported for proxy-based inbound and outbound SSL decryption in NS9500 standalone Sensors. Starting with this release of 10.1, port clustering is supported in inline mode for both symmetric and asymmetric traffic for proxy-based SSL decryption. Multiple monitoring port pairs in inline mode can be grouped to create a port cluster. The same IPS policy applies to traffic arriving on any of the inline pairs in the port cluster.
    Note: Port clustering for proxy-based SSL decryption is supported in NS9500 standalone Sensors only.

    The following are the considerations for using port clusters for proxy-based SSL decryption:

    • Port cluster for proxy-based SSL decryption is supported only for inline port pairs.
    • All paths in the network formed by the inline port pairs must be active paths (should not be blocked by any link-layer protocols) on which packets can be forwarded.
    • Packets on the egress path (from the Sensor towards the client or server) may not follow the same path on which they arrived.
    • SSL sessions will always be reported against the least index port of the port cluster even when the traffic is received on other ports in the port cluster.

    You can create a port cluster under Devices → <Admin Domain Name> → Devices → <Device Name> → Setup → Advanced → Port Cluster.

    For more information, see SSL decryption using proxy method in McAfee Network Security Platform 10.1.x Product Guide.

  • Packet capture in NS9500 Sensors: Previously, you could capture incoming and outgoing packets for NS9500 Sensors only from the Manager under Devices → <Admin Domain Name> → <Sensor Name> → Troubleshooting → Packet Capturing → Capture Now.

    Starting with this release, you can now capture incoming and outgoing packets for NS9500 Sensors (standalone and stack) in the Sensor. The captured packets are saved in the /tftpboot/capture.pcap file on the Sensor. The file is sent to the Manager or a SCP server based on the configuration made in the Manager.

    Note: If the Manager is in the process of capturing packets and at the same time you run this command from the Sensor CLI, the Sensor will display a message that a packet capture process is already running. Similarly, if you have started packet capture from the CLI, the Manager displays the packet capture Status as Running. In the Manager, you cannot stop a packet capture session that is started in the CLI and vice-versa. As a best practice, you should start and stop a packet capture session from the same place; either from the CLI or from the Manager.

    The following new CLI commands are available in the NS9500 Sensor that allow you to capture packets and upload the packet capture file to an SCP server:

    • pktcapture intfport - Captures incoming and outgoing packets on a single monitoring port.
    • pktcapture intfport-pair - Captures incoming and outgoing packets on two different monitoring ports.
    • pktcapture stack-node - Captures packets of Sensors configured in stack mode. You can capture packets on a single monitoring port or on a port-pair.
    • pktcapturefile - Uploads packet capture file to the SCP server or deletes a packet capture file in the Sensor.

    The show pktcapture status CLI command will now display the following additional counters in debug mode:

    • l7ae Egress matched pkt sent cnt
    • l7ae Egress pkt clone err cnt
    • l7ae Egress pkt chain err cnt
    • l7ae Egress pkt capture enable cnt
    • l7ae Egress pkt capture disable cnt
    • Frontend Ingress Matched Pkt Sent Cnt
    • Frontend Egress Matched Pkt Sent Cnt
    • Frontend Packet Capture Mbuf Clone Error Cnt
    • Frontend Packet Capture Mbuf Chain Error Cnt
    • Frontend Packet Capture Enable Count
    • Frontend Packet Capture Disable Count

    For more information, see the CLI commands section in McAfee Network Security Platform 10.1.x Product Guide.

  • Decryption of VLAN tagged packets in NS9500 standalone Sensor: Previously, decryption of VLAN tagged packets was not supported with proxy-based inbound and outbound SSL features. Starting with this release of 10.1, decryption of VLAN tagged packets is supported for proxy-based inbound and outbound SSL decryption in NS9500 standalone Sensors.
    Note: SSL decryption of VLAN tagged packets is supported in NS9500 standalone Sensor only.
    Note: Decryption of double VLAN tagged packets is not supported in SSL decryption.

    For more information, see Inspection of SSL traffic in McAfee Network Security Platform 10.1.x Product Guide.

  • Multiprotocol Label Switching (MPLS) traffic load balancing in NS9500 Sensors: The NS9500 (standalone and stack) Sensor software is enhanced to perform switch hardware hashing for Multiprotocol Label Switching (MPLS) Wide Area Network (WAN) traffic. With this enhancement, the NS9500 Sensors are capable of balancing high MPLS traffic load which increases the performance. This feature is enabled in the Sensor software by default and cannot be disabled manually.
  • Reports enhancement for NS9500 Sensor stack: In earlier releases, the NS9500 stack information was not included in the Traditional, Configuration, and Next Generation reports available in the Manager. Starting with the 10.1 release, the Traditional, Configuration, and Next Generation reports generated from the Manager include information about the NS9500 Sensor stack.
    Note: The NS9500 Sensors in a stack are listed individually in the Default - Telemetry (NSP) report under the General Setup section.

    For more information, see Report Generation in McAfee Network Security Platform 10.1.x Product Guide.

Gateway Anti-Malware enhancements

  • Gateway Anti-Malware for airgap network: Previously, the Gateway Anti-Malware software initialization in the Sensors required an active connection to a public or private GTI server. Hence, the Gateway Anti-Malware engine could not be updated in airgap network. Starting with this release of 10.1, the Sensor software is enhanced to initialize the Gateway Anti-Malware updates in an airgap network without an active connection to the GTI server.

    You can enable Gateway Anti-Malware update in an airgap network by executing the set gam-airgap-network enable command in the Sensor CLI and reboot the Sensor for the changes to take effect.

    Note: The Gateway Anti-Malware update for an airgap network must be enabled before pushing Gateway Anti-Malware updates from the Manager to the Sensor.

    To view the status of the Gateway Anti-Malware update in an airgap network, execute the show gam-airgap-network status command in the Sensor CLI.

    You can view the Gateway Anti-Malware version in the Manager under Devices → <Admin Domain Name> → Devices → <Device Name> → Setup → GAM Updating.

    For more information about Gateway Anti-Malware for airgap network, see Malware engine updates in McAfee Network Security Platform 10.1.x Product Guide.

  • Gateway Anti-Malware version 2019: With this release of 10.1, Gateway Anti-Malware version 2019 is supported for both automatic and manual import. Gateway Anti-Malware version 2019 version 0 is supported on Manager version 10.1.7.7 or later and Sensor version 10.1.5.41 or later.

    You can view the Gateway Anti-Malware version in the Manager under Devices → <Admin Domain Name> → Devices → <Device Name> → Setup → GAM Updating.

    For more information, see Gateway Anti-Malware update in McAfee Network Security Platform 10.1.x Product Guide.

  • Proxy server for Gateway Anti-Malware Engine: Currently, if the proxy settings are configured in your network, the Gateway Anti-Malware engine cannot query the GTI server through the proxy server.

    With this release of 10.1, if the proxy settings are configured in your network, the Gateway Anti-Malware engine is able to query the GTI server through the proxy server. To configure proxy settings in the Manager, go to Manager → <Admin Domain Name> → Setup → Proxy Server.

    For more information, see Specify a proxy server for Internet connectivity in McAfee Network Security Platform 10.1.x Product Guide.

Port Clustering for an NS9300 Sensor in Tap Mode

In earlier releases, for an NS9300 Sensor connected in tap mode, due to the existing design of traffic distribution, some attacks were not detected. The TCP handshake may come out of order due to which the complete flow is not created for parsing in the Sensor.

With this release of 10.1, to improve attack detection, the traffic distribution between the monitoring ports is redesigned. The monitoring ports are paired such that the traffic from the odd port pairs is directed to the local front end of the Sensor, and the traffic from the even port pairs is directed to the remote front end of the Sensor.

For more information about port cluster configuration for an NS9300 Sensor in tap mode, see McAfee Network Security Platform NS9x00 Sensor Product Guide and McAfee Network Security Platform 10.1.x Installation Guide.

Log enhancements

  • Consolidated log files in the Manager: Previously, there were multiple log files (ems.log, emsout.log, dbtuing.log, and so on) available in the App folder of the Manager.

    With this release of 10.1, a separate folder, logs is created in the App folder where all the logs are consolidated in a single folder. When you do a fresh install of the Manager or upgrade the Manager from 9.1 or 9.2 to 10.1, all the log files will be available in the logs folder. The navigation path for the logs folder in a Linux based Manager and Windows based Manager are as follows:

    • Linux machine: /opt/NetworkSecurityManager/App/logs
    • Windows machine: C:\Program Files\McAfee\Network Security Manager\App\logs

    For more information about log files, see System Log Files in McAfee Network Security Platform 10.1.x Product Guide.

  • Performance log for signature set deployment: Starting with this release of 10.1, sigperf.log is introduced in the system log files. The sigperf.log file contains logs related to the signature set deployment and compilation duration.

    You can view the sigperf.log in the System Files tab under Manager → <Admin Domain Name> → Troubleshooting → Logs.

    For more information about sigperf.log, see System Log Files in McAfee Network Security Platform 10.1.x Product Guide.

  • Enhanced information in log files for troubleshooting: Previously, the initdb.log and initdbSolr.log files contained minimum information for database initialization for troubleshooting.

    With this release of 10.1, information regarding the timestamp and log level are available in the initdb.log and initdbSolr.log files. This helps in troubleshooting by providing information about the time when the database initialization failure occurred and the log level at which it occurred.

    To view the initdb.log and initdbSolr.log, go to Manager → <Admin Domain Name> → Troubleshooting → Logs. Under the System Files tab, select initdb.log or initdbSolr.log from the file drop-down list.

    For more information about log files, see System Log Files in McAfee Network Security Platform 10.1.x Product Guide.

  • Grouping options for logs based on specific fields: Previously, on selecting the Group by this field option from the drop-down for a column in any tab of the Logs page, the logs were automatically categorized based on the fields available for that particular column.

    With this release of 10.1, on selecting the Group by this field option from the drop-down for a column, a new window, Group by this field, is displayed with specific filter options for all the fields present in that particular column. You can select a specific field, and all the logs related to that field are filtered. You can further sort the logs in the Group By <field name> window by sorting the columns in ascending or descending order. To group the logs based on a specific field, go to Manager → <Admin Domain Name> → Troubleshooting → Logs.

    For more information about grouping the logs, see View grouped logs in McAfee Network Security Platform 10.1.x Product Guide.

Fault enhancements

  • Recommended actions for faults: The Faults tab in the Logs page displays messages that are generated for system faults experienced by McAfee Network Security Platform. At times, troubleshooting is tiresome due to insufficient knowledge about the fault. Starting with this release of 10.1, the Recommended Actions column is introduced in the Faults tab to overcome the difficulties in troubleshooting. This column displays the action to be performed on the fault to remediate it.

    You can view the Recommended Actions column in the Faults tab under Manager → <Admin Domain Name> → Troubleshooting → Logs.

    For more information about recommended actions for faults, see Faults in McAfee Network Security Platform 10.1.x Product Guide.

  • System fault messages for Sensor process crash: You can now configure the Manager to log system fault messages for process crashes in Sensors. You can view the system faults in the Manager under Manager → <Admin Domain Name> → Troubleshooting → Logs → Faults.

    To enable logging of fault messages for process crash, set the iv.core.device.processFailure property to true in the ems.properties file and restart the Manager. For example:

    iv.core.device.processFailure=true
    Note: By default, the iv.core.device.processFailure property is not present in the ems.properties file. You have to enable it manually only if you want to view the fault messages for Sensor process crash.

    The following types of process crash are logged:

    • Datapath process failure
    • Device software error
    • Front end process failure
    • Gateway Anti-Malware engine process failure
    • GTI malware file reputation lookup process failure
    • Malware server process failure

    For more information, see Sensor error faults in McAfee Network Security Platform 10.1.x Product Guide.

  • Acknowledging faults in Secondary Manager/Central Manager: Previously, in an MDR setup, the option to acknowledge and unacknowledge faults was available only in the Primary Manager/Central Manager.

    With this release of 10.1, in the Secondary Manager/Central Manager, under Manager → <Admin Domain Name> → Troubleshooting → Logs → Faults, the following action buttons are available:

    • Acknowledge - Marks the fault as acknowledged/read. Acknowledging a fault means that you are aware of its existence and plan to take appropriate action.
    • Unacknowledge - Marks the fault as unrecognized. By default, all faults are unacknowledged. You can unacknowledge an acknowledged fault.
    • Delete - Deletes the selected faults from the Manager.

    For more information, see Faults in McAfee Network Security Platform 10.1.x Product Guide.

  • Device details for faults in Central Manager: Previously, the Device column in the Central Manager under Manager → <Admin Domain Name> → Troubleshooting → Logs → Faults displayed only the name of the device that generated the alert.

    Starting with this release of 10.1, the Device column now displays two additional columns:

    • Generated By - Specifies the device that generated the fault. The device can be the Central Manager or a Manager.
    • Forwarded By - Provides more information about the device that generated the fault. For example, if a Manager generates the fault, this column specifies whether the device is a primary Manager, a secondary Manager, or a Sensor attached to the Manager.

    For more information, see Faults in McAfee Network Security Platform 10.1.x Product Guide.

Exclusion of internal IP address for IP reputation lookup

Previously, the Sensor requested reputation scores for hosts having internal IP addresses.

Starting with this release of 10.1, the Sensor does not request reputation scores for hosts that have internal IP addresses. The following private IP address blocks are considered as internal IP addresses by the Sensor:

  • 0.0.0.0/8
  • 10.0.0.0/8
  • 100.64.0.0/10
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.0.2.0/24
  • 192.168.0.0/16
  • 192.88.99.0/24
  • 198.18.0.0/15
  • 198.51.100.0/24
  • 203.0.113.0/24
  • 224.0.0.0/3
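The block list above can be checked with a few lines of standard-library Python. The following is an added example, not product code from the release or from McAfee: it encodes the thirteen blocks exactly as listed and classifies hosts the way the notes describe (internal hosts are skipped, everything else is a reputation-lookup candidate). The helper names (`is_internal`, `matching_block`, `split_for_lookup`) and the sample addresses are constructed for illustration; the handling of IPv6 addresses is an assumption, since the page lists only IPv4 blocks.

```python
import ipaddress

# The private and reserved IPv4 blocks the Sensor treats as "internal"
# (taken verbatim from the list above). Note that 224.0.0.0/3 spans
# 224.0.0.0 through 255.255.255.255, so multicast and the reserved
# 240/4 space are covered by the single last entry.
INTERNAL_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
        "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
        "224.0.0.0/3",
    )
]


def matching_block(ip: str):
    """Return the CIDR string of the first listed block containing ip,
    or None when the address is outside every block."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # Assumption: the page lists IPv4 blocks only, so an IPv6 address
        # never matches here and is left to the caller to decide on.
        return None
    for block in INTERNAL_BLOCKS:
        if addr in block:
            return str(block)
    return None


def is_internal(ip: str) -> bool:
    """True when the Sensor would skip the GTI reputation lookup for ip."""
    return matching_block(ip) is not None


def split_for_lookup(ips):
    """Partition hosts into (lookup, skipped), mirroring the behaviour
    described in the notes. Constructed helper, not a product API."""
    lookup, skipped = [], []
    for ip in ips:
        (skipped if is_internal(ip) else lookup).append(ip)
    return lookup, skipped


if __name__ == "__main__":
    # Constructed sample hosts: a mix of RFC 1918, shared address space,
    # documentation ranges, multicast, and ordinary public addresses.
    sample = ["10.1.2.3", "172.31.255.255", "172.32.0.1", "100.64.0.1",
              "198.19.0.7", "239.1.1.1", "8.8.8.8", "203.0.114.1"]
    lookup, skipped = split_for_lookup(sample)
    for ip in skipped:
        print(f"skip   {ip:16} (in {matching_block(ip)})")
    for ip in lookup:
        print(f"lookup {ip}")
```

The edge cases worth noticing are the boundaries: 172.31.255.255 is inside 172.16.0.0/12 but 172.32.0.1 is not, 198.19.0.7 falls inside the 198.18.0.0/15 benchmarking range, and 203.0.114.1 sits just outside the 203.0.113.0/24 documentation block and is therefore looked up.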

For more information, see How Network Security Platform-GTI integration for IP Reputation works in McAfee Network Security Platform 10.1.x Integration Guide.

Password control enhancements

With this release of 10.1, the minimum value for the following fields of password control are updated for enhanced security of the Manager:

Field | Current | Enhancement
Number of Characters that must be Changed | While setting a new password, a minimum of 3 characters should be changed from the old password. | A minimum of 1 character should be changed from the old password to set the new password.
Duration of Lock Out | The lock out duration could be set to a minimum of 30 minutes when a wrong password was entered. | The lock out duration can be set to a minimum of 1 minute when a wrong password is entered.
Time to Wait Before New Passwords Can Be Changed | You could set the minimum number of hours to wait before a new password could be changed to 24 hours. | There is no minimum time to wait to change the new password.
Passwords Expire After | You could set the minimum number of days for the password to expire after 45 days. | You can set the minimum number of days for the password to expire after 1 day.

To configure password control settings, go to Manager → <Admin Domain Name> → Setup → GUI Access → Password Control.

For more information, see Configure password complexity settings in McAfee Network Security Platform 10.1.x Product Guide.

Advanced malware analysis counters enhancement

With this release, the Traffic Statistics for Advanced Malware Analysis is enhanced to include the following new counters:

  • Files Ignored by Engine - Number of malware files ignored by the specific malware engine.
  • Files Processed by Engine - Number of malware files processed by the specific malware engine.
  • ATD Files Drop Under Load - Number of malware files dropped by the Advanced Threat Defense engine due to excessive load.
  • ATD Static Analysis - Number of malware files processed by the Advanced Threat Defense engine based on static analysis using Blacklist and Whitelist, GTI File Reputation, and Gateway Anti-Malware (GAM).
  • ATD Dynamic Analysis - Number of malware files processed by the Advanced Threat Defense engine based on dynamic analysis using Sandbox and Machine Learning
  • ATD Cache References - Number of malware results obtained from the Advanced Threat Defense cache.

You can view the traffic statistics for Advanced Malware Analysis under Devices → <Admin Domain Name> → Devices → <Device Name> → Traffic Statistics.

For more information, see Device performance statistics in McAfee Network Security Platform 10.1.x Product Guide.

Encryption of malware communication channel between Network Security Platform and Advanced Threat Defense

Starting with Advanced Threat Defense version 4.10.0 and Sensor software version 10.1.5.41, the SSL malware communication channel between Advanced Threat Defense and the Sensor is encrypted by default. If the SSL malware communication channel is not encrypted, Advanced Threat Defense and the Sensor cannot communicate with each other after the upgrade.

For more information on upgrade notes for Advanced Threat Defense and Sensor communication, see Encryption of malware communication channel between Network Security Platform and Advanced Threat Defense in McAfee Network Security Platform 10.1.x Installation Guide.

Information icon in Dashboard monitors

Starting with this release, a new information icon is displayed for each of the monitors in the Dashboard. Hovering over the icon displays more information about the monitor.

For more information, see McAfee Network Security Platform 10.1.x Product Guide.

Integration with Data Exchange Layer and McAfee Agent

With this release of 10.1, Network Security Platform supports integration with Data Exchange Layer client version 5.0.2.130 and McAfee Agent version 5.6.2.209.

For more information, see McAfee Network Security Platform 10.1.x Integration Guide.

IPS CLI enhancements

The following new Sensor CLI commands are available:

Normal Mode

  • pktcapturefile - This command uploads the packet capture file to an SCP server or deletes a packet capture file from the Sensor.
  • pktcapture intfport - This command captures both incoming and outgoing packets of a monitoring port that match the specified criteria. If you have configured the Sensor to receive and send traffic on a single port, you can use this command to capture packets.
  • pktcapture intfport-pair - This command captures incoming and outgoing packets on different monitoring ports that match the specified criteria. If you have configured the Sensor to receive and send traffic on different ports, you can use this command to capture packets.
  • pktcapture stack-node - This command captures packets of an NS9500 Sensor configured in stack mode. Based on the Sensor configuration, you can capture packets on a single port or on a port pair.
  • set gam-airgap-network - This command allows configuring Gateway Anti-Malware update initialization in the Sensor within an airgap network. After executing this command, a Sensor reboot is required for the changes to take effect.
  • show gam-airgap-network status - Displays the availability of Gateway Anti-Malware update initialization for the Sensor in an airgap network.

Debug Mode

  • reset-gam-update - This command deletes the Gateway Anti-Malware engine related data in the Sensors.

The following Sensor CLI commands are updated:

Normal Mode

  • show malwareenginestats - This command now displays the malware engine statistics for the NSP Analysis (office) Engine. The output format of the command is updated.

Debug Mode

  • show pktcapture status - This command now displays additional counters related to the packet capturing process.

The following Sensor CLI command is not available:

Debug Mode

  • set amchannelencryption

For more information, see CLI commands in McAfee Network Security Platform 10.1.x Product Guide.

Updated platform, environment, or operating system support

This release extends support to the following additional platforms, environments, or operating systems.

MariaDB database upgrade

Previously, the Network Security Manager used MariaDB version 10.3.20 or lower as the database. Starting with this release of 10.1, the Network Security Manager uses MariaDB version 10.3.23 with a collection of vulnerability fixes and bug fixes.

Azul Zulu Java upgrade

Previously, the Network Security Manager used Azul Zulu Java version 1.8.0_202 or lower. Starting with this release of 10.1, the Network Security Manager uses Azul Zulu Java version 1.8.0_252, which includes fixes for previously known issues and security fixes.

Apache Tomcat server upgrade

Starting with this release of 10.1, the Tomcat server used in the Network Security Manager is upgraded. This server update provides a collection of security fixes.