What's new

New features

Integration with MVISION Insights

This release of 10.1 adds a registration workflow that enables Network Security Platform as an additional source of threat information for MVISION Insights.

MVISION Insights is a cloud-based solution that provides predictive analysis using the threat information from your organization. The MVISION ePO web console hosts the MVISION Insights pre-processed data in a feasible graphical format based on geo-location, and widespread data about targeted campaigns and security threats that may impact your organization.

To enable MVISION Insights integration, go to Manager → <Admin Domain Name> → Integration → MVISION.

On integrating with MVISION Insights, the attack information is collected from the GTI server. MVISION Insights identifies the attack data from your network in the GTI server using the Tenant ID and Network Security Manager GUID. The attack information includes the alert data, general setup, and feature usage details from the telemetry data sent from the Manager.

You can view the analyzed data in MVISION Insights, categorized as security posture score, global campaigns trends, campaigns by severity, detections, threats, and devices.

To view the data shared with MVISION Insights, go to Analysis → <Admin Domain Name> → Event Reporting → Next Generation Reports and run the Telemetry (NSP/Insights) report. The Alert Data Details, General Setup, and Feature Usage sections in the Telemetry (NSP/Insights) report list the Network Security Platform data shared with MVISION Insights.

For more information, see Integration with McAfee MVISION Insights in McAfee Network Security Platform 10.1.x Integration Guide and McAfee MVISION Insights for MVISION ePO Product Guide.

Big Movers monitor in Dashboard

Starting with this release of 10.1, the new Big Movers monitor in the Dashboard tab enables you to view the attacks whose frequency has increased during a selected time period. For example, if you select the time period as Last 7 days in the Dashboard tab and the current date is 27, the trend is calculated by comparing attacks in the last 7 days (dates 21 to 27) with attacks in the previous 7 days (dates 14 to 20). Each bar in the monitor represents the percentage increase in the attack count.

For more information, see Dashboard tab in McAfee Network Security Platform 10.1.x Product Guide.
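
The window comparison described for the Big Movers monitor, worked through as an added example (this is not McAfee code). The attack names and the October 2020 dates are constructed, and because this page does not say how attacks with no alerts in the previous window are handled, the sketch reports them separately as an assumption.

```python
from collections import Counter
from datetime import date, timedelta

def big_movers(alerts, today, days=7):
    """Compare the last `days` days (ending on `today`) with the `days` before.

    alerts: iterable of (date, attack_name) pairs.
    Returns (movers, new_attacks): movers is a list of
    (attack_name, percent_increase) sorted from largest increase down.
    """
    cur_start = today - timedelta(days=days - 1)   # e.g. 21 when today is 27
    prev_start = cur_start - timedelta(days=days)  # e.g. 14
    current, previous = Counter(), Counter()
    for day, attack in alerts:
        if cur_start <= day <= today:
            current[attack] += 1
        elif prev_start <= day < cur_start:
            previous[attack] += 1
        # anything older than prev_start is ignored
    movers, new_attacks = [], []
    for attack, now in current.items():
        before = previous[attack]
        if before == 0:
            # Assumption: no baseline, so a percentage is undefined.
            new_attacks.append(attack)
        elif now > before:
            pct = round(100.0 * (now - before) / before, 1)
            movers.append((attack, pct))
    movers.sort(key=lambda m: m[1], reverse=True)
    return movers, sorted(new_attacks)

def make_alerts(name, days_of_month):
    # Constructed sample data: one alert per listed day of October 2020.
    return [(date(2020, 10, d), name) for d in days_of_month]

TODAY = date(2020, 10, 27)
SAMPLE_ALERTS = (
    make_alerts("SSH brute force", [13, 15, 18, 21, 22, 23, 25, 27])
    + make_alerts("Port scan", [14, 16, 19, 20, 21, 21, 24, 26, 27, 27])
    + make_alerts("DNS tunneling", [14, 17, 20, 22])
    + make_alerts("Malware callback", [26, 27])
)

if __name__ == "__main__":
    movers, new_attacks = big_movers(SAMPLE_ALERTS, TODAY)
    for attack, pct in movers:
        print(f"{attack}: +{pct}%")
    print("No baseline in previous window:", new_attacks)
```

An attack whose count fell (here "DNS tunneling", 3 alerts down to 1) does not appear, which matches the monitor's focus on attacks whose frequency has increased.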

Enhancements

This release of Network Security Platform includes the following enhancements:

New counters for dropped packets

Starting with this release, the Devices → <Admin Domain Name> → Devices → <Device Name> → Troubleshooting → Traffic Statistics → Dropped Packets tab displays the following new counters:

  • Backend - Total number of miscellaneous packets dropped at back-end.
  • Backplane - Total number of miscellaneous packets dropped at BMC switch.
  • Frontend - Total number of miscellaneous packets dropped at front-end.
  • Layer 2 Non-Errors - Total number of layer 2 packets dropped due to other reasons.
  • NIC - Total number of miscellaneous packets dropped at NIC.

Additionally, the following counters are renamed:

| Prior to 10.1.7.35 | 10.1.7.35 and above |
|---|---|
| Other Layer 2 Errors | Layer 2 Errors |
| Policy Response Actions - Firewall | Policy Response - Stateful Firewall |
| Policy Response Actions - IPS | Policy Response - IPS Attack |
| Policy Response Actions - IPv4 Quarantine | Policy Response - IPv4 Quarantine |
| Policy Response Actions - IPv6 Quarantine | Policy Response - IPv6 Quarantine |

For more information, see Device performance statistics in McAfee Network Security Platform 10.1.x Product Guide.

Callback detector enhancements

With this release of 10.1, the callback detector files are available in the McAfee Update Server. Going forward, you must download the latest callback detectors from the McAfee Network Security Update Server to the Manager. The Download Callback Detectors page displays the latest 10 versions of the callback detectors.

To view the Download Callback Detectors page, go to Manager → <Admin Domain Name> → Updating → Download Callback Detectors.

For more information on callback detectors, see Download Callback Detectors in McAfee Network Security Platform 10.1.x Product Guide.

Removal of alert processing scripts

After a Manager upgrade, all new alerts are populated in the updated schema tables. The alerts and packet logs available in the Manager prior to the upgrade are still available in the database with a 'tmp_' prefix. Previously, these alerts and packet logs were not accessible and had to be manually converted to the new schema before being added back to the Manager. This was accomplished by running the Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts.

Starting with this release, the Manager installer will automatically merge the older alerts and packet logs to the updated schema. Therefore, manual conversion of the older alerts and packet logs using Alertproc_offline_1.sql and Alertproc_offline_2.sql scripts is no longer required.

McAfee Documentation Portal links in Online Help pages

With this release of 10.1, the Online Help pages in the Manager user interface are now provided with a link to view the latest version of the topic on McAfee Documentation Portal. This provides enhanced user experience where you will be able to access the latest content for the topic directly from the Manager user interface.

Terminology update in UI

This release contains the following terminology update in the UI to keep up with the global standard:

| Navigation Path | Prior to 10.1.7.35 | 10.1.7.35 and later |
|---|---|---|
| Analysis → Threat Explorer | Blacklisted/Whitelisted under the Executable Classification column in the Top Executables table | Blocked/Allowed under the Executable Classification column in the Top Executables table |
| Analysis → Malware Files | Blacklist column under Individual Engine Confidence column | Block column under Individual Engine Confidence column |
| | Manage Whitelist and Blacklist | Manage allow and block lists |
| Analysis → Network Forensics | Under Suspicious Flows Panel → Suspicious activity indicators → Blacklisted executable | Under Suspicious Flows Panel → Suspicious activity indicators → Blocked executable |
| Analysis → Endpoint Executables | Manage Whitelist and Blacklist | Manage allow and block lists |
| | Blacklisted/Whitelisted under the Classification column | Blocked/Allowed under the Classification column |
| | Double-click on an alert and go to EIA Details tab. Local Classification: Blacklisted/Whitelisted. | Double-click on an alert and go to EIA Details tab. Local Classification: Blocked/Allowed. |
| Analysis → Attack Log (Note: Only for alerts with files and domains in them.) | Click Other Actions → Create Exception → Blacklist File Hash: <hash file> or double-click on an alert and go to Details tab. Select Blacklist. | Click Other Actions → Create Exception → Block File Hash: <hash file> or double-click on an alert and go to Details tab. Select Block. |
| | Click Other Actions → Create Exception → Whitelist File Hash: <hash file> or double-click on an alert and go to Details tab. Select Whitelist. | Click Other Actions → Create Exception → Allow File Hash: <hash file> or double-click on an alert and go to Details tab. Select Allow. |
| Policy → Intrusion Prevention → Exceptions → File Hashes | Whitelisted Hashes | Allowed Hashes |
| | Take Action - Move selected hashes to blacklist; Move all hashes to blacklist | Take Action - Move selected hashes to block list; Move all hashes to block list |
| | Import - On selecting, Import Whitelisted Hashes dialog is displayed. | Import - On selecting, Import Allowed Hashes dialog is displayed. |
| | Export Whitelist | Export Allowed |
| | Blacklisted Hashes | Blocked Hashes |
| | Take Action - Move selected hashes to whitelist; Move all hashes to whitelist | Take Action - Move selected hashes to allow list; Move all hashes to allow list |
| | Import - On selecting, Import Blacklisted Hashes is displayed. | Import - On selecting, Import Blocked Hashes is displayed. |
| | Export Blacklist | Export Block List |
| Policy → Intrusion Prevention → Exceptions → Domain Names | Callback Detection Whitelist | Callback Detection Exclusions |
| | Import - On selecting, Import Whitelisted Domains dialog is displayed. | Import - On selecting, Import Allowed Domains dialog is displayed. |
| | IPS Inspection Whitelist | IPS Inspection Exclusions |
| Policy → Intrusion Prevention → Exceptions | SSL Decryption Exceptions | SSL Decryption Exclusions |
| Policy → Intrusion Prevention → Policy Types → Advanced Malware Policies | New or an existing policy - Blacklist and Whitelist column under the Scanning Options section. | New or an existing policy - Allow and Block Lists column under the Scanning Options section. |
| Policy → Intrusion Prevention → Policy Types → Inspection Option Policies | Domain Name Whitelist Processing under tab Inspection Options → Advanced Callback Detection | Domain Name Exclusion List Processing under tab Inspection Options → Advanced Callback Detection |
| | Blacklisted Text under tab Inspection Options → Web Server - Heuristic Analysis | Blocked Text under tab Inspection Options → Web Server - Heuristic Analysis |

For more information on allow and block lists, see McAfee Network Security Platform 10.1.x Product Guide.

Updated platform, environment, or operating system support

This release extends support to the following additional platforms, environments, or operating systems.

MariaDB database upgrade

Previously, the Network Security Manager used MariaDB version 10.3.23 and lower as the database. Starting with this release of 10.1, the Network Security Manager uses MariaDB version 10.3.24 that includes new vulnerability and bug fixes.

Azul Zulu Java upgrade

Previously, the Network Security Manager used Azul Zulu Java version 1.8.0_252 and lower. Starting with this release of 10.1, the Network Security Manager uses Azul Zulu Java version 1.8.0_265, which consists of fixes for previously known issues and security fixes.

Apache Tomcat server upgrade

Starting with this release of 10.1, the Tomcat server used in the Network Security Manager is upgraded. This server update provides a collection of security fixes.