McAfee Firewall Enterprise, Release Notes, version 8.0.0


McAfee Firewall Enterprise version 8.0.0

This document provides information about McAfee® Firewall Enterprise (hereinafter Firewall Enterprise) version 8.0.0, including download and installation instructions.

You can find additional information by using the resources listed in the following table.

Table 1 Product resources (Resource: Location)

• Online Help: Online Help is built into Firewall Enterprise. Click Help on the toolbar or from a specific window.
• McAfee Technical Support ServicePortal: Visit mysupport.mcafee.com to find:
  • Product documentation
  • KnowledgeBase
  • Product announcements
  • Technical support
• Product updates: Visit go.mcafee.com/goto/updates to download the latest Firewall Enterprise patches.
• Product installation files:
  1 Visit www.mcafee.com/us/downloads.
  2 Provide your grant number, then navigate to the appropriate product and version.

In this document ...
• About this release
• New features
• Enhancements
• Known issues
• Installation

McAfee Firewall Enterprise 8.0.0 Release Notes


About this release

McAfee is pleased to announce the next-generation release of Firewall Enterprise version 8.0.0. Firewall Enterprise includes many new features and enhancements, which are described further in this document and the McAfee Firewall Enterprise Product Guide.

Firewall Enterprise version 8.0.0 will be supported for one year after the next feature release, version 8.0.1.

Supported firewall types

Firewall Enterprise version 8.0.0 supports the following:
• McAfee® Firewall Enterprise appliances
• McAfee® Firewall Enterprise, Virtual Appliance
• McAfee® Firewall Enterprise on Riverbed Services Platform

Compatible McAfee products

Firewall Enterprise version 8.0.0 is compatible with the following:
• McAfee® Firewall Enterprise ePolicy Orchestrator® Extension
• McAfee® Firewall Enterprise Control Center
• McAfee® Firewall Profiler
• McAfee® Logon Collector
• McAfee® Firewall Reporter

For more information, see the following resources:
• To find the latest information on the McAfee firewall products and versions that Firewall Enterprise supports, refer to KnowledgeBase article KB67462.
• To learn about these products and how they interoperate with Firewall Enterprise, refer to the Using McAfee Firewall Enterprise with Other McAfee Products application note.


New features

The following new features are included in this release.

Application discovery and control

McAfee has an extensive list of applications that classify network flows based on function. You can use access control rules to specify which network applications are allowed or denied. Applications contain signatures and other properties, and they can provide:
• Control — Application control identifies who in the organization is allowed to access certain applications. An access control rule matches a connection based on the specified applications, placing the burden of identifying application protocols and ports on the firewall instead of the administrator.
• Discovery — The firewall can audit all observed applications from a given zone for later analysis using McAfee Firewall Profiler or McAfee Firewall Reporter.

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0)
• Policy in Action chapter
• Access Control Rules chapter

User-based policy

User-based policy allows you to tailor access rights to individual users and groups. Users and groups can be stored on the firewall, an Active Directory server, or an LDAP, RADIUS, or SafeWord authentication server. You can configure the firewall to validate user identity either passively or actively.
• Passive identity validation — Leverages the users and groups that are already configured in your organization’s Microsoft Active Directory.
  User status information is monitored by McAfee Logon Collector (hereinafter Logon Collector) software and communicated to the firewall. The user is not prompted for authentication by the firewall.
• Active identity validation — Prompts a user to provide credentials.
  You can also configure an Active Passport so that an authenticated user’s source IP address is cached; subsequent connection attempts are not prompted for authentication.

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0)
• Identity Validation chapter
• Policy Overview chapter
• Policy in Action chapter


Encrypted content inspection

Conventional firewalls allow encrypted connections to pass through without inspection. Firewall Enterprise can decrypt, inspect, and re-encrypt encrypted connections for both inbound and outbound traffic.
• SSL content inspection — By decrypting SSL connections, the firewall can inspect their contents and enforce access control on SSL-encapsulated applications. For example, you can:
  • Allow only HTTPS while denying other SSL content
  • Enable virus scanning and other HTTP Application Defense enforcements on HTTPS connections
  • Inspect inbound HTTPS connections before they reach internal web servers
• SSH content inspection — Use to control port forwarding, SFTP operations, and the encryption algorithm.

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0)
• SSL Rules chapter
• Policy in Action chapter

IPv6 support

Firewall Enterprise supports IPv6 addresses, allowing you to integrate with more networks. IPv6 support also gives you access to larger blocks of routable addresses. These connection types are supported:
• IPv6-to-IPv6
• IPv4-to-IPv6 translation for non-transparent HTTP connections
  You can configure Firewall Enterprise to allow IPv4 clients to connect to IPv6 web servers. To successfully connect in this configuration, clients must be configured to use the firewall as a proxy server.

Note: An IPv4 host cannot connect directly to an IPv6 host or vice versa under any circumstances. (For HTTP IPv4-to-IPv6 translation, the firewall is acting as a proxy server, so there is no direct connection between source and destination.)

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0)
• Introduction chapter
• Policy in Action chapter
• Interfaces chapter

Audit viewing

The audit viewing features expand filtering and provide new shortcut tools for use in viewing and refining audit data. Use the compare feature to analyze differences across multiple audit records. Geo-Location and user data are now available within audit records.

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0): Auditing chapter


Link aggregation

Link aggregation allows you to bundle multiple NICs into a group. Firewall Enterprise offers two types of NIC groups:
• Aggregate — Use for increased bandwidth
• Redundant — Use for failover purposes

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0): Interfaces chapter

Integrated SmartFilter technology

Firewall Enterprise now includes SmartFilter technology, which is integrated in the user interface. You can manage and configure SmartFilter from the Admin Console.

Note: If you have a D or E model, this license is not automatically bundled with version 8.0.0. To take full advantage of the SmartFilter technology (for example, enabling SmartFilter URL filtering and building SSL rules that match URL categories), consider purchasing SmartFilter separately.

More information
McAfee Firewall Enterprise Product Guide (version 8.0.0): Content Inspection chapter

Enhancements

The user interface includes a variety of new and updated enhancements:
• New applications browser
• New access control rule and SSL rule interface windows
• Dashboard improvements:
• System status
• System resources
• Messages from McAfee
• Updates
• Usage reports
• Service updates consolidated in a single window
• Relaxation of some default settings for HTTP and SNMP Application Defenses
• New Remote Access Management window to control firewall administration methods
• Renaming burb to zone


Known issues

For information about known issues for Firewall Enterprise:
1 Visit mysupport.mcafee.com.
2 Log on with your user ID and password. The ServicePortal homepage appears with a welcome message at the top.
  • If you do not have an account but have received a grant number:
    • In the User Login section, click New User.
    • Complete the information and follow the prompts to set up your account.
  • If you do not have an account or grant number, contact Customer Service.
3 In the Self Service section, click Search the KnowledgeBase. The KnowledgeBase welcome page appears.
4 In the Ask a Question section, type KB68730, then click Ask. The KnowledgeBase article appears with any known issues.

Installation

Use these procedures to install version 8.0.0 on the appropriate Firewall Enterprise platform:
• Firewall Enterprise appliance
• Firewall Enterprise, Virtual Appliance
• Firewall Enterprise on Riverbed Services Platform

Requirements

Before you begin, check the requirements for version 8.0.0.

Admin Console computer

Make sure your components meet these Firewall Enterprise requirements.

Component: Requirement
• Operating system:
  • Microsoft Windows Server 2003
  • Windows Server 2008
  • Windows XP Professional
  • Windows Vista
  • Windows 7
• CPU: Intel (1 GHz minimum)
• Memory: 512 MB minimum
• Drives:
  • 300 MB of available disk space
  • CD-RW drive
• Monitor: 1024 x 768 or higher
• Network interface card: Access to network hosting your firewall
• USB port: For USB drive
• Browser:
  • Microsoft Internet Explorer version 6 or later
  • Mozilla Firefox version 1.0 or later


Appliances

Make sure you have the necessary equipment based on your Firewall Enterprise platform.

Firewall Enterprise appliance
• CD drive
• D model or later
• Valid support

Note: If your appliance does not have a CD drive, see KB69115 for instructions on creating and using a USB image.

Firewall Enterprise, Virtual Appliance
• Hypervisor operating system — VMware ESX/ESXi, version 4.0 or higher
• Hardware resources:
  • Hard drive — 28 gigabytes of drive space
  • Memory — 512 megabytes
    Note: If you plan to use features such as virus scanning or sendmail, increase the allocated memory to 1024 megabytes.
  • CPU — Two virtual processors
• Internet connectivity — The virtual firewall requires an Internet connection to perform automatic, weekly license activation.

Firewall Enterprise appliance

Follow this procedure to re-image your firewall to version 8.0.0.
1 Create a configuration backup
2 Download Firewall Enterprise
3 Download the Product Guide
4 Install Firewall Enterprise
5 Install the Management Tools
6 Complete post-installation instructions

Note: At this time, there is no option to automatically migrate your existing policy from version 7.x to version 8.0.0. McAfee intends to provide an upgrade path in the future.

Create a configuration backup

McAfee recommends that you create a configuration backup and save it off the firewall. Backing up the configuration files lets you quickly restore a firewall. For instructions on creating a configuration backup, refer to the McAfee Firewall Enterprise Product Guide—specifically the General Maintenance chapter, Backup and restore the firewall configuration section.

Caution: When you perform this procedure on your firewall, all configuration and log information is removed. Back up any data you need to preserve, and move it off the firewall.


Download Firewall Enterprise

Follow this procedure to download the version 8.0.0 files.
1 Visit www.mcafee.com/us/downloads.
2 Provide your grant number, then navigate to the appropriate product and version.
3 Download the appropriate files.
  • Management Tools — Download the McAfee Firewall Enterprise Admin Console executable (.exe) file or CD image (.iso) file.
    Tip: Select the CD image file if you want to create a CD for use in installing the Management Tools.
  • Version 8.0.0 image — Download the installation CD image (.iso) file or USB image (.zip) file.
    Tip: Select the USB image file if your appliance does not have a CD drive.
4 Create physical installation media using the downloaded installation files.
  • Write the .iso file(s) to a CD.
    Note: If you downloaded multiple .iso files, use a separate CD for each file.
  • If you downloaded the USB image file, write the image to a USB drive. Refer to KnowledgeBase article KB69115 for instructions.

Download the Product Guide

Download the McAfee Firewall Enterprise Product Guide so you have it available during the planning and setup process.
1 Go to the McAfee Technical Support ServicePortal at mysupport.mcafee.com.
2 Under Self Service, click Product Documentation.
3 Select the appropriate product and version.
4 Download the version 8.0.0 Product Guide.

Install Firewall Enterprise

Use this procedure to install version 8.0.0 from the CD.
1 Boot the firewall from the physical installation media that you created.
  • Installation CD:
    • If the firewall is on, insert the CD and restart.
    • If the firewall is off, turn it on and quickly insert the CD.
  • Installation USB drive:
    • If the firewall is on, insert the USB drive and restart.
    • If the firewall is off, insert the USB drive and turn on the firewall.
  The firewall starts and displays standard boot-up information.
2 When the firewall starts, configure it to boot from the inserted installation media.
  • Models without a CD drive — Enter the boot menu, and select the installation USB drive.
  • Models with a CD drive — By default, the boot order is set to check the CD drive first. If the boot order has been altered and does not check the CD drive first, restart and enter the BIOS to adjust the boot order accordingly.
  The firewall boots from the installation media.
3 At the McAfee Inc. menu, accept the default, which is the Operational System. The welcome menu appears.
4 At the Welcome to McAfee Firewall Enterprise menu, select a Firewall Enterprise boot option.
  • If you are using a locally attached terminal, press Enter to accept the default.
  • If you intend to use a serial console, type 4 and press Enter.
5 When the installation complete message appears, remove the installation media from the firewall.
6 Press R to restart the firewall, then press Enter. The firewall restarts and displays standard restart information.

Firewall Enterprise version 8.0.0 is now installed on your appliance.

Install the Management Tools

Follow this procedure to install the Management Tools on a Windows-based computer. The Management Tools include:
• Quick Start Wizard — Use to create the initial configuration
• Admin Console — Use to manage the firewall

Note: Firewall Enterprise management tools are version-specific. You cannot connect to a version 8.x firewall using an older version of the Admin Console. However, you can have multiple management tools that co-exist on the same Windows-based computer.

1 Launch the installation process:
  • If you downloaded the admin.exe file, locate the file on your computer, and double-click it.
  • If you downloaded the admin.iso file, insert the CD into the appropriate drive.
  The welcome window appears.
2 Follow the on-screen instructions to complete the setup program.
  Tip: McAfee recommends using the default settings.

Note: Consider installing an SSH client on your computer. Use the SSH client to provide secure command line access to the firewall.

Complete post-installation instructions

Now that you have installed Firewall Enterprise, you are ready to configure and start up the firewall. For complete setup instructions, refer to the following chapters in the McAfee Firewall Enterprise Product Guide, version 8.0.0:
• Planning
• Installation and Configuration
• Startup


Firewall Enterprise, Virtual Appliance

Use this procedure to install Firewall Enterprise, Virtual Appliance, version 8.0.0.
1 Create a configuration backup
2 Download Firewall Enterprise, Virtual Appliance software
3 Download the Installation Guide
4 Install the virtual firewall

Create a configuration backup

McAfee recommends that you create a configuration backup. Backing up the configuration files lets you quickly restore a firewall. For instructions on creating a configuration backup, refer to the McAfee Firewall Enterprise Product Guide.

Download Firewall Enterprise, Virtual Appliance software

Perform this procedure to download version 8.0.0 files.
1 Visit www.mcafee.com/us/downloads.
2 Provide your grant number, then navigate to the appropriate product and version.
3 Download the virtual image (.zip) file.

Download the Installation Guide

You will use the McAfee Firewall Enterprise, Virtual Appliance Installation Guide during the planning and setup process.
1 Go to the McAfee Technical Support ServicePortal at mysupport.mcafee.com.
2 Under Self Service, click Product Documentation.
3 Select the appropriate product and version.
4 Download the version 8.0.0 Installation Guide.

Install the virtual firewall

Refer to the McAfee Firewall Enterprise, Virtual Appliance Installation Guide, version 8.0.0, to install the virtual firewall.


Firewall Enterprise on Riverbed Services Platform

To install Firewall Enterprise version 8.0.0 on Riverbed Services Platform, perform these tasks in order:
1 Create a configuration backup
2 Download the Installation Guide
3 Install Firewall Enterprise on your Riverbed Steelhead appliance

Create a configuration backup

If you are replacing an existing Firewall Enterprise on Riverbed Services Platform, McAfee recommends that you create a configuration backup. Backing up the configuration files lets you quickly restore a firewall. For instructions on creating a configuration backup, refer to the McAfee Firewall Enterprise Product Guide.

Download the Installation Guide

You will use the McAfee Firewall Enterprise on Riverbed Services Platform Installation Guide during the planning and setup process.
1 Go to the McAfee Technical Support ServicePortal at mysupport.mcafee.com.
2 Under Self Service, click Product Documentation.
3 Select the appropriate product and version.
4 Download the version 8.0.0 Installation Guide.

Install Firewall Enterprise on your Riverbed Steelhead appliance

Refer to the McAfee Firewall Enterprise on Riverbed Services Platform Installation Guide, version 8.0.0, to install the firewall.


For support information, visit mysupport.mcafee.com. Copyright © 2012 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. C
