Revision B McAfee Web Gateway 7.5 - Knowledge Center · PDF fileRevision B McAfee Web Gateway 7.5.1 Contents ... Web Gateway now supports authentication using a trusted, ... as a Symantec

Release Notes
Revision B

McAfee Web Gateway 7.5.1

Contents

• About this release

• New features and enhancements

• Resolved issues

• Installation instructions

• Known issues

• Find product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

McAfee® Web Gateway (Web Gateway), version 7.5.1, is provided as a controlled release. It is a major version that includes new features and enhancements and resolves issues present in previous versions.

New features and enhancements

This release of the product includes these new features and enhancements.

To account for the introduction of new features and enhancements in recent product releases, we recommend a memory upgrade on the physical or virtual platform for a Web Gateway appliance.

For more information about this upgrade, see the Setting up Web Gateway chapter of the McAfee Web Gateway Installation Guide.

New authentication method using SAML

Web Gateway now supports authentication using a trusted, external Identity Provider by performing the SAML Service Provider role. Web Gateway implements the Service Provider role through the proxy and the authentication server. The authentication server consumes the SAML assertion and sets a cookie for the authenticated user.

For more information about configuring the SAML authentication method, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide.

New configuration option for cloud SSO authentication

When configuring a generic SAML2 connector for cloud single sign-on (cloud SSO), the administrator can use a new time stamp option.

For more information about configuring cloud SSO functions, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide.

Extended cloud SSO logging

Web Gateway provides a new property that stores information about single sign-on requests and a new rule set that generates an SSO access log and, optionally, an SSO trace log from the stored information.

For more information about configuring cloud SSO functions, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide.

New cloud SSO connectors

85 new connectors are available for use in configuring cloud single sign-on (cloud SSO).

For more information about cloud SSO connectors, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide and the McAfee Web Gateway SSO Catalog.

New properties for controlling outbound IP addresses

New properties are available for logging data about outbound connections that Web Gateway uses for communication with web servers or next-hop proxies.

The new properties are for logging:

• The source IP address that Web Gateway uses for outbound connections

• The source port that Web Gateway uses for these connections

• The list of source IP addresses that Web Gateway can select an address from

For more information about controlling outbound IP addresses, see the Proxies chapter of the McAfee Web Gateway Product Guide.

Extended use of network interfaces for VLAN traffic

The network interfaces of a Web Gateway appliance can be configured to handle VLAN traffic.

Use of these interfaces has been extended to also handle VLAN traffic that uses IPv6.

For more information about configuring network interfaces, see the System configuration chapter of the McAfee Web Gateway Product Guide.

New option for forwarding web traffic in explicit proxy mode

Web traffic that is received on Web Gateway, for example, from a load balancer, and that was previously forwarded to its destination in transparent mode can now be forwarded in explicit proxy mode.

For more information about proxy configuration, see the Proxies chapter of the McAfee Web Gateway Product Guide.

Modified handling of user name in authentication process

When using the SWPS (McAfee Client Proxy) authentication method, the value of the property Authentication.RawUserName is now the user name as provided by McAfee® Client Proxy, for example, domain\user. As in earlier versions, the Authentication.UserName property still contains the user name without domain or realm information.

For more information about configuring authentication, see the Authentication chapter of the McAfee Web Gateway Product Guide.

New item for monitoring memory usage under SNMP

Capacity management and alerting on high memory usage using the SNMP protocol has been improved by creating a new item within the Management Information Base (MIB).

The new item monitors the usage of the virtual memories for the Anti-Malware and some system functions on an appliance in relation to the available physical memory and the reserved swap space.

For more information about SNMP monitoring, see the Monitoring chapter of the McAfee Web Gateway Product Guide.

Additional information for certificate download

The content type is additionally sent now in headers of requests for accessing certificate files that are stored in the templates folder on Web Gateway.

Including this information enables users to download certificates using links on pages that are displayed to them, for example block pages.

For more information about certificate handling, see the Web filtering chapter of the McAfee Web Gateway Product Guide.

Improved HTTP request handling

The following improvements were implemented regarding the use of request headers in HTTP communication.

• If the content length is sent repeatedly in HTTP requests, Web Gateway ignores the redundant information and continues processing the requests.

• Use of a relative URL is allowed to specify the location in headers of HTTP requests for updating filtering information.

For more information about handling HTTP requests, see the Proxies chapter of the McAfee Web Gateway Product Guide.
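An added example, not Web Gateway code: one way a proxy can treat a repeated content length as redundant without making the body length ambiguous. It follows RFC 7230 in collapsing only identical values and rejecting conflicting ones; how Web Gateway treats conflicting values is not stated in these notes, and all function and class names are hypothetical.

```python
# Added example: framing check for repeated Content-Length headers.
# Names are hypothetical; the sample headers below are constructed.


class FramingError(ValueError):
    """Raised when Content-Length headers make the body length ambiguous."""


def effective_content_length(headers):
    """Return the body length declared by a list of (name, value) pairs,
    or None if no Content-Length header is present.

    Repeated headers and comma-separated lists are collapsed only when
    every member is the same valid decimal number (RFC 7230, 3.3.2).
    Anything else is rejected instead of guessed at, because two parsers
    that pick different values disagree on where the request ends.
    """
    values = []
    for name, value in headers:
        if name.strip().lower() != "content-length":
            continue
        # One header line may itself carry a list, e.g. "42, 42".
        values.extend(part.strip() for part in value.split(","))

    if not values:
        return None

    lengths = set()
    for v in values:
        # isdigit() alone accepts some non-ASCII digits, so require ASCII.
        if not (v.isascii() and v.isdigit()):
            raise FramingError(f"invalid Content-Length value: {v!r}")
        lengths.add(int(v))

    if len(lengths) != 1:
        raise FramingError(
            f"conflicting Content-Length values: {sorted(lengths)}")
    return lengths.pop()


def normalize_headers(headers):
    """Return the headers with all Content-Length fields replaced by one."""
    length = effective_content_length(headers)
    kept = [(n, v) for n, v in headers
            if n.strip().lower() != "content-length"]
    if length is not None:
        kept.append(("Content-Length", str(length)))
    return kept


# Constructed sample: the same length sent twice (redundant, acceptable).
SAMPLE_REDUNDANT = [
    ("Host", "example.test"),
    ("Content-Length", "42"),
    ("content-length", "42"),
]

# Constructed sample: two different lengths (ambiguous, must be rejected).
SAMPLE_CONFLICTING = [
    ("Host", "example.test"),
    ("Content-Length", "42"),
    ("Content-Length", "0"),
]

if __name__ == "__main__":
    print(normalize_headers(SAMPLE_REDUNDANT))
    try:
        normalize_headers(SAMPLE_CONFLICTING)
    except FramingError as exc:
        print("rejected:", exc)
```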

Resolved issues

These issues are resolved in this release of the product.

Bugzilla reference numbers are in parentheses.

Network communication

• In communication with an ICAP server, the server was still available, but reported as unavailable on Web Gateway, although only a single request had failed. (992815)

• When Web Gateway was running as an XMPP proxy, traffic not exactly meeting the protocol regulations was received and an attempt was made to forward data to the web server over a not initialized connection, which caused the core process to fail. (993448)

• When sending requests in SSL-secured ICAP communication, Web Gateway specified the protocol as icaps, which led to a connection error, as a Symantec network component followed the widely used convention to use icap even if a connection is SSL-secured. (1011054)

• When Web Gateway was running as an IFP proxy, processing requests failed several times, as complete request headers were submitted, instead of only the requested URLs, which would have been compliant with the IFP protocol. (1012953)

• The core process failed with term signal 11 due to a problem with a flag that had incorrectly not been reset after handling a long-running connections error. (1013944)

• After receiving an ICAP request without a host header on Web Gateway, an internal URL filtering error occurred when the URL.Categories property was processed. (1016815)

• Port 8443 was no longer available for listening to incoming requests because it was occupied by an internal Web Gateway service. (1016903)

• An authentication request was blocked when the $ character in a password was encoded instead of being forwarded to the web server unencoded, which was done using a next-hop proxy. (1028038)

• When downloading regular update files over an SSL-secured connection to update filtering information, Web Gateway failed, although connecting to the update server worked. (1030275)

• When Web Gateway was running as a SOCKS proxy to enable access to a particular software on a web server, the data stream was repeatedly interrupted. (1030881)

• Web sites with a particular domain suffix could not be accessed, as this suffix was missing from the domain suffixes list that was in use on Web Gateway. (1031803)

• When Web Gateway was running as a SOCKS proxy, the number of connections and CPU usage increased until the appliance could not be accessed anymore. (1034278)

Web filtering

• The format of a file that was embedded in a PDF file was not supported by the openers on Web Gateway and the file was incorrectly classified as a video.mpg file. (625502)

• When quota rules were synchronized in a Central Management cluster of appliances that different versions of Web Gateway were running on, the core process failed with term signal 6. (965782)

• Real-time streaming data could not be processed due to a problem with the Helix proxy that had been enabled on Web Gateway for this purpose. (968670)

• Three new URL-related properties could not be saved and used in rules, as they worked only when embedded in error templates. (1003353)

• When URL filtering included evaluating geolocation, requests were processed with some delay, as a cloud lookup using the McAfee® Global Threat Intelligence™ service was performed for each request while cached information was disregarded. (1005068)

• The dashboard did not show the update status of the McAfee Anti-Malware engine on the System Summary table. (1009924)

• The user interface was not accessible and an error message stated that the internal configurator could not be started, which was caused by a problem with an invalid list entry. (1011579)

• Error messages about the state of the Reporting.URL.Categories property were created, although the value of the URL.Categories property was already known and should have been used to determine the value of the former property. (1012372)

• When the URL.SmartMatch property was used to find out whether entries in a list matched parts of requested URLs, a list entry beginning with a dash would match any URL. (1016043)

• The URL filtering module sent a query to a DNS server that included a port number, which caused the lookup to fail. (1017961)

• A file opener mistakenly classified an archive file of the LZMA type as corrupted, which led to a failure of the core process with term signal 6. (1020861)

• Disabling cloud lookups led to an empty URL category list when the URL.Geolocation property was used in a rule, which prevented URLs belonging to the categories in that list from being blocked by later rules. (1021852)

• Requests that should have been allowed to pass on were blocked when they included file or directory names with spaces in between. (1023366)

• Queries in anti-malware filtering using the McAfee Global Threat Intelligence service were unnecessarily repeated for individual URLs, as responses were not cached. (1023834)

• Download of an Adobe Acrobat archive file was blocked because it was falsely suspected to be malware after scanning. (1023940)

• A particular XML archive file was blocked as being of a type that no opener existed for on Web Gateway, while other files of the same type were processed properly. (1028174)

SSL-secured communication

• After importing a certificate for a certificate authority, no new certificate could be created using the options that are provided within the SSL Client Context settings, as an attempt to save the certificate led to a Java error. (997033)

• Data for an update could not be downloaded from the web over a next-hop proxy when the Verify SSL Tunnel setting was enabled, as this setting triggered some requests that could not be sent over a next-hop proxy. (1014413)

• A request was blocked in SSL-secured communication when the certificate chain was erroneously taken to contain an expired certificate, as an intermediate certificate authority used a time format that could not be processed correctly. (1019470)

• SSL-secured access to several websites failed, as the SSL CONNECT call could not be executed successfully. (1027169)

• A certificate revocation list that had been removed was still in use on Web Gateway and produced error messages when certificates from this list were processed. (1027981)

• Attempting to access a particular website resulted in an SSL scanning error. (1031636)

User interface

• The table for configuring static routes disappeared and connections were dissolved after 208 entries had been inserted. (1010222)

• The explaining text for SNMP monitoring that is provided on Web Gateway did not mention a severity level 6, although an SNMP trap with this level was shown on the managing system. (1012051)

• After upgrading to a new version of Web Gateway, some alerts were incorrectly repeated on the dashboard many times. (1012254)

• Wrong incident IDs were shown on the dashboard for successful and failed scheduled jobs. (1013435)

• When configuring an additional node for Central Management, the port could not be specified in the dialog box. (1030779)

• During an upgrade of Web Gateway, migration code was not triggered, resulting in the user interface not being accessible. (1031212)

Miscellaneous

• When text was searched to process rules for data loss prevention (DLP), words containing particular Russian letters were not supported due to an issue with character conversion. (985776)

• Memory use increased when multiple instances of a policy were loaded and stored, causing the core process to fail with term signal 6. (985923)

• Entries in the PDStorage user map were not correctly removed when their lifetime was exceeded, nor when the PDStorage.Cleanup event was used in a rule. (1003320)

• Web Gateway was affected by the CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 bash shell vulnerabilities. These vulnerabilities allowed execution of arbitrary code defined in the values of environment variables. (1009816)

• The core process failed with term signal 11 due to a file reading problem. (1010432)

• The core process failed on an appliance and stopped processing web traffic due to a licensing problem, while other appliances continued to process web traffic even after the failure. (1014292)

• When a scheduled job could not download a new version of a proxy.pac file due to a connection issue, the existing version of the file was overwritten with an empty file. (1015284)

• Power limit notifications that did not indicate a critical situation appeared many times on the system console and were entered in syslog. (1018504)

• Downloading a PDF file caused a child process of the core process to fail with term signal 11. (1020267)

• The library rule set for removing via headers from requests before further processing to protect privacy only removed external headers. (1020446)

• The core process failed with term signal 11 due to an internal problem, which occurred when maps were written for rule tracing. (1020521)

• When an initially empty list had been created for use in a rule as a User-Defined property, it could not be processed correctly and an attempt to save the rule failed. (1027711)

• Shutting down Web Gateway when a version upgrade was going on caused the core process to fail with term signal 11. (1029828)

• Compressing log files with GZIP after rotating them blocked other working threads, which were waiting for the zipping thread to finish. (1030598)

• Web Gateway was affected by the CVE-2015-0235 vulnerability, which existed in the DNS resolution of glibc. (1037024)

Although investigation showed that there is no attack vector for Web Gateway, because Web Gateway uses a different implementation for DNS lookups, we implemented a fix since Web Gateway is shipped with several third-party products, such as the Helix Streaming Proxy, that might be affected by the vulnerability.
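An added example for the proxy.pac issue listed above (1015284), not Web Gateway code and not a description of how the product was fixed: a general pattern for a scheduled download job that keeps the existing file when the fetch fails or returns an unusable body. The function names and the fetch callable are hypothetical, and the PAC content in the demo is constructed.

```python
import os
import stat
import tempfile


def looks_like_pac(data):
    """Cheap plausibility check: non-empty and defines FindProxyForURL."""
    return bool(data.strip()) and b"FindProxyForURL" in data


def update_pac(fetch, target_path):
    """Fetch a new PAC file and swap it in only if the download is usable.

    fetch is a caller-supplied callable that returns the file as bytes or
    raises OSError on connection problems. Returns True when target_path
    was replaced and False when the existing file was left untouched.
    """
    try:
        data = fetch()
    except OSError:
        return False  # download failed: keep the current file
    if not looks_like_pac(data):
        return False  # empty or truncated body: keep the current file

    # Write next to the target so os.replace() is a rename on the same
    # filesystem; readers see either the old file or the complete new one.
    directory = os.path.dirname(os.path.abspath(target_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".pac-",
                                    suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(data)
            tmp.flush()
            os.fsync(tmp.fileno())
        if os.path.exists(target_path):
            # mkstemp creates the file 0600; keep the old file's mode.
            mode = stat.S_IMODE(os.stat(target_path).st_mode)
            os.chmod(tmp_path, mode)
        os.replace(tmp_path, target_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return True


if __name__ == "__main__":
    # Constructed demo: a failing fetch must not touch the existing file.
    workdir = tempfile.mkdtemp()
    pac = os.path.join(workdir, "proxy.pac")
    with open(pac, "wb") as f:
        f.write(b'function FindProxyForURL(url, host) '
                b'{ return "PROXY old.example.test:9090"; }\n')

    def broken_fetch():
        raise ConnectionError("constructed connection failure")

    print("replaced:", update_pac(broken_fetch, pac))
    print("size kept:", os.path.getsize(pac))
```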

Installation instructions

The requirements for installing Web Gateway, version 7.5.1, on an appliance depend on the version you are currently running.

• When running an earlier 7.5.x version, you can immediately upgrade to the new version. See Upgrade from 7.3.x or later.

• When running a 7.4.x or a 7.3.x version, you can upgrade to the new version after activating a repository. See Upgrade from 7.3.x or later.

• When running a 7.2.x or any earlier 7.x version:

  • Create a configuration backup.

    Use the options provided under Troubleshooting | Backup/Restore on the user interface to create the backup.

  • Upgrade to the new version. See Upgrade from 7.2.x or earlier 7.x.

    The upgrade process includes a major upgrade of the operating system. It will take several steps and more time than usual.

    If the upgrade process fails or is interrupted, you can re-image the appliance using an image of the new version and install the configuration backup.

  Alternatively, you can:

  • Create a configuration backup.

  • Re-image the appliance using an image of the new version and install the configuration backup.

• When running a 6.8.x or 6.9.x version, you must re-image the appliance using an image of the new version.

Download an image of the new version from the download page of the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/software_mwg7_download.

For more information on re-imaging, see the McAfee Web Gateway Installation Guide.

Upgrade from 7.3.x or later

When running a 7.5.x version, you can upgrade to the new version immediately. For a 7.4.x or 7.3.x version, you must activate a repository before upgrading.

You can perform the upgrade on the user interface or from a system console.

Activate the repository

Activate the repository for the new version before upgrading from a 7.4.x or 7.3.x version.

You can activate the repository from a local system console, which is directly connected to an appliance, or work remotely, using SSH.

Task

1 Log on to the appliance you want to perform the upgrade on.

2 Run the following command:

mwg-switch-repo 7.5.1

You can now upgrade to the new version on the user interface or from a system console.

Upgrade on the user interface

You can work with the options of the user interface to perform the upgrade.

Task

1 Select Configuration | Appliances.

2 On the appliances tree, select the appliance you want to perform the upgrade on.

The appliance toolbar appears on the upper right of the tab.

3 Click Update Appliance Software.

The upgrade to the new version is performed. The upgrade process also logs you off from the user interface.

4 When a message informs you that the upgrade has completed, proceed as follows:

a Log on to the user interface again.

b Select Configuration | Appliances, then select your appliance.

c On the appliance toolbar, click Reboot.

When the restart has completed, you can log on to the user interface again and start working with the new version.

Upgrade from a system console

You can upgrade from a local system console, which is directly connected to an appliance, or remotely, using SSH.

Task

1 Log on to the appliance you want to perform the upgrade on.

2 Run the following two commands:

yum upgrade yum

yum upgrade

The upgrade to the new version is performed.

3 When a message informs you that the upgrade has completed, run the following command:

reboot

When the restart has completed, a logon prompt appears. You can now log on to the user interface and start working with the new version.

Upgrade from 7.2.x or earlier 7.x

When running a 7.2.x version or any earlier 7.x version, use a system console to upgrade to the new version.

You can use a local system console, which is directly connected to an appliance, or work remotely, using SSH.

Task

1 Log on to the appliance you want to perform the upgrade on.

2 Run the following two commands:

yum upgrade yum yumconf\*

mwg-dist-upgrade 7.5.1

The upgrade to the new version is performed in two phases. After each phase, the appliance restarts automatically.

3 Proceed in one of the following ways to complete the installation:

• If you are using a local system console:

When the second restart has completed, a logon prompt appears. You can now log on to the user interface and start working with the new version.

• If you are using SSH:

When the appliance restarts after the first upgrade phase, you are disconnected and the second upgrade phase begins. After this phase has completed, including the automatic restart, you can log on to the user interface and start working with the new version.

If you log on before the second upgrade phase has completed, a message states that this phase is still in progress. When the appliance restarts at the end of this phase, you are disconnected again. Then you need to log on again to be able to work with the new version.

You can also run the following command to view messages about the upgrade progress:

tail -F /opt/mwg/log/update/mlos2.upgrade.log

When you see that the upgrade has completed, press Ctrl+C to stop the monitoring process. You can now log on to the user interface and start working with the new version.

Known issues

For a list of known issues in this product release, see this McAfee Knowledge Center article: KB82983.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

2 In the Knowledge Base pane, click a content source:

• Product Documentation to find user documentation

• Technical Articles to find KnowledgeBase articles

3 Select Do not clear my filters.

4 Enter a product, select a version, then click Search to display a list of documents.

Product documentation

Every McAfee product has a comprehensive set of documentation. For Web Gateway, this includes the following:

• McAfee Web Gateway Product Guide — Describes the features and capabilities of Web Gateway, providing an overview of the product, as well as detailed instructions on how to configure and maintain it

• McAfee Web Gateway Installation Guide — Describes how to set up Web Gateway, as well as several devices that can be run with the product

• McAfee Web Gateway Quick Start Guide — Describes high-level steps for setting up a Web Gateway version that is shipped as pre-installed appliance software on a hardware platform

This document is shipped in printed format with the pre-installed software and the hardware.

Web Gateway, version 7.5.1, is not provided as pre-installed software.

Copyright © 2015 McAfee, Inc. www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
