Resolved issues

The current release of the product resolves these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

For a list of current known issues, see Network Security Platform 9.1 Known Issues (KB88813).

Reference # Resolution
1272036 The signature set push fails in older Sensor models and Sensor models running older software versions.

Starting with this release, the Manager dynamically compiles signature set based on priority attribute. The signatures are pushed based on the signature set attack priorities configured for the Sensor model. The attack definitions in a signature set are categorized as high, medium, and low using the priority attribute. This can be used to exclude the attack definitions from the signature set for Sensors that do not have enough resources to support all attack definitions.

To configure the signature set attack priority for the Sensors, go to Devices<Admin Domain Name> Devices<Device Name>SetupAttack Compilation. On selecting Signature Set Attack, the Signature Set Attack Priorities option appears where you can configure the signature set to be pushed to the Sensors.

Note: Previously, the Attack Compilation page was available at Devices <Admin Domain Name> Devices<Device Name>TroubleshootingAttack Compilation. Starting from this release, the Attack Compilation page is available under Devices<Admin Domain Name> Devices<Device Name>SetupAttack Compilation.

The signature set attack priorities are as follows:

  • All: Includes the full set of signatures, which comprises of high, medium, and low priority signature set attacks.
    Note: The All signature set attack priority is available only for the latest NS-series and Virtual IPS Sensor software versions.
  • High and Medium only: Includes the partial signature set, which comprises of high and medium priority signature set attacks only. This is the default signature set attack priority selected for M-series Sensors and provides partial attack coverage.
  • High only: Includes a smaller signature set which comprises of high priority signature set attacks only. You can use this option to optimize Sensor resources on M-series Sensors or Sensor models running older Sensor software versions to support the latest signatures against most critical attacks.

To view the priority of an attack definition in the signature set, go to Policy<Admin Domain Name>Intrusion PreventionPolicy TypesIPS Policies. Double-click on a policy, the Attack Definition tab opens. The Priority column displays the predefined priority of an attack definition in the signature set.

Note: If you are running older software versions of NS-series or Virtual IPS, McAfee recommends you to upgrade to the latest NS-series or Virtual IPS Sensor software versions.
Note: To accommodate complete attack coverage using All signature set attack priority, McAfee recommends you to migrate your M-series Sensors to the latest NS-series or Virtual IPS Sensors.


The Manager shell in Linux based Manager restricts the users from accessing the complete Manager directory when compared to Windows based Manager.

Starting with this release, the following commands have been included to the Manager shell to overcome the above restriction:

  • cat: Displays content of a text file.
  • df: Displays disk space summary.
  • du: Displays disk usage of files and directories.
  • delete temp files: Deletes files in the temp directory.
  • edit: Allows user to edit a file in vi editor.
  • env: Displays environment information of the Linux based Manager.
  • fdisk: Helps in disk partitioning operations in the Linux based Manager.
  • free: Gives information about memory and swap memory usage.
  • head: Displays first ten lines of a text file.
  • iptables: Performs iptables operations.
  • journalctl: Displays informational logs related to systemd service in the Linux based Manager.
  • kill: Forcefully kills a process.
  • last: Displays a list of users logged into the system from the time of it's creation.
  • lvextend: Helps in extending the logical volume of directories in the Linux based Manager.
  • ps: Displays process status.
  • resize2fs: Resizes the Linux based Manager file system.
  • show editables: Enlists all editable files in the Linux based Manager.
  • show tmpFiles: Displays temporary files in the Linux based Manager.
  • ssh: Performs Secure Shell operations.
  • tail: Displays last ten lines of a text file.
  • top: Displays processor activity.
  • unzip: Allows user to unzip a file.
  • vgextend: Extends volume group of the Linux based Manager.
1271968 Database backup cannot be performed from the Manager shell in a Linux based Manager.
1271967 Non-root user permission issue crashes the Linux based Manager.
1271965 Logs cannot be collected using the InfoCollector utility in a Linux based Manager.

The run command in the Manager shell can be used to run InfoCollector utility. The diag scripts listed under show executables command can be executed using run to perform various operations in the Linux based Manager.

1271964 Logging into database was not available in the Linux based Manager.
1269367 Incorrect active Gateway Anti-Malware DAT version is displayed under Devices<Admin Domain Name>DevicesSetupGAM Updating.
1268244 The source IP address and destination IP address are displayed with a country for suppressed alerts in the alert details panel in the Attack Log page.
1267624 A user with Dashboard and Analysis - View Only access is able to edit the monitors in the Dashboard tab.
1266336 SSL certificate import fails in the Manager.


Deployment pending appears in the Deploy Pending Changes page for the Gateway Anti-Malware engine even after deploying the update to the Sensor.


In the Global Threat Intelligence page, Lookup under Test GTI Lookup window fails with Invalid IP Address error.
1265432 The alert generation in the Manager is delayed after upgrade.
1265376 The child domains fail to inherit the Gateway Anti-Malware settings from the parent domain for new Sensors added in the Manager.
1265290 In the Attack Log page, the C&C Domain column under Callback Activity does not display any information.


In the Linux based Manager, the Manager service crashes for various reasons.



After upgrading the Manager, the Next button in Default Port Settings page does not work under Manager<Admin Domain Name>IPS Device SettingsQuarantine Default Port Settings.





In the Attack Log page, Group by this field option for Attacker and Target column displays NSP ID instead of the IP address.
1262044 The SDK-API does not function properly.
1261382 The watchdog stop command in the Manager shell fails to stop the Linux based Manager Watchdog service.
1261346 The Manager shell accepts invalid IP addresses while configuring the network parameters for the Linux based Manager using set network configuration command.
1261122 The user can run tcpdump utility by executing tcpdump command in the Manager shell.
1260914 The Manager shell displays a warning message instead of the actual output on executing collect logs command.
1260195 The Custom Attacks health check displays incorrect number of custom attacks.
1260194 Health checks cannot be performed on the Secondary Manager.
1259380 The drop-down list for tagged endpoints is not displayed in the Threat Explorer page.
1259362 Manual removal of quarantined IP addresses does not remove the IP address from the quarantine list.
1255919 The XFF proxy IP address is not available as part of the syslog alert notification.
1244542 The health check for Database Initialization and Signature Set Update Server Connectivity fails under Manager<Admin Domain Name>TroubleshootingHealth Check.
1236504 By default, the parameters for layer 7 data collection detected for an attack by the Sensor are not completely displayed in the Manager.
1170840 The attack details panel for Callback Detectors in the Attack Log page does not display the Consulted DNS server IP and Resolved C&C Domain IPs as part of the layer 7 data.

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

Reference # Resolution


The Sensor interface link goes down suddenly.
1263349 An internal buffer overflow abruptly causes exception to GTI file reputation process triggering auto-recovery or Sensor reboot.
1262456 The Sensor fails to return values for the SNMP query.
1260586 The packet log size for Virtual IPS Sensors is enhanced from 6 MB to 128 MB.
1260475 Post datapath exception, when the Sensor attempts autorecovery, the UDS or Snort rules processing can cause another process exception.