McAfee Web Gateway 7.4.2

Transcription

1 Release Notes Revision A McAfee Web Gateway Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Additional information Find product documentation About this release This document contains important information about the current release. We strongly recommend that you read the entire document. McAfee Web Gateway (Web Gateway), version 7.4.2, is provided as a controlled release. It is a major version that includes new features and enhancements and resolves issues present in previous versions. New features and enhancements This release of the product includes these new features and enhancements. New hybrid solution for enforcing a web security policy A web security policy on Web Gateway that protects web usage of "on premise" users in a local network can be extended to users outside this network, working "in the cloud" with McAfee SaaS Web Protection. Rule sets can be selected on Web Gateway as policy elements that also apply on McAfee SaaS Web Protection. New features and enhancements in a new version of Web Gateway can immediately be included in the hybrid solution and made available for a policy that also applies on McAfee SaaS Web Protection. Scheduled or manual synchronization ensures that rule sets remain the same on both products. If you want to use the new hybrid solution, contact McAfee to have it enabled for you. For more information, see the disclaimer on the user interface of Web Gateway. Select Configuration Appliances, then expand Cluster and select Web Hybrid. 1

2 For more information on the solution as a whole, see the McAfee Web Protection Hybrid Deployment Guide, the Hybrid solution chapter of the McAfee Web Gateway Product Guide, and the Web Protection Services Setup Guide. New connectors for cloud single sign-on The single sign-on (SSO) service on Web Gateway supports 592 cloud applications and services with fully configured connectors or connector templates that can be selected and fully configured. The service now supports the SAML 1.1 and SAML 2.0 SSO protocols in addition to HTTP. It also provides a generic HTTP connector template that can be configured for any HTTP application not supported by Web Gateway. When the SSO catalog of supported connectors is updated, unsupported connectors are highlighted for the administrator in the user interface and hidden from the end user on the launch pad. Beginning with version 7.4.2, you need to purchase an additional Web Gateway license component to receive updates of the available SSO connectors and to be able to create generic connectors. For more information, see the Cloud single sign-on chapter of the McAfee Web Gateway Product Guide and the Additional information section of these release notes. A list of available SSO connectors is provided in a technical note. New workflow for Advanced Threat Defense integration Integrated use of the McAfee Advanced Threat Defense web security product provides additional scanning of objects that have already been scanned by Web Gateway. A new workflow avoids repeated scanning of an object by Advanced Threat Defense if it has been scanned by this product before. In this case, the results of the report that was produced after the first scanning are used to classify the object as safe or infected. For more information, see the Web filtering chapter of the McAfee Web Gateway Product Guide. Next-hop proxies for SOCKS traffic The range of next-hop proxies that can be set up to forward traffic from Web Gateway to destinations in the web has been extended to include next-hop proxies for traffic under the SOCKS protocol. For more information, see the Supporting functions chapter of the McAfee Web Gateway Product Guide. New options in rule set handling Handling rule sets on the user interface has been made more comfortable by adding new options, including an Unlock option that allows the administrator to use one procedure for switching multiple selected rules sets to the complete rules view. For more information, see the Rules chapter of the McAfee Web Gateway Product Guide. New hardware platforms The WBG-4500-C appliance model is now available to serve as a hardware platform for running the Web Gateway appliance software. For more information, see the Setting up Web Gateway chapter of the McAfee Web Gateway Installation Guide. 2

3 Volume limit for long-running connections A new setting is provided for configuring proxy communication that is going on over long-running connections. The proxy closes the connection when a configured amount of data has been transferred. For more information, see the Proxies chapter of the McAfee Web Gateway Product Guide. Configurable check for LDAP digest A check can be configured on the headers of requests that are submitted for digest authentication under the LDAP authentication method to prevent unallowed use of another URL path. For more information, see the Proxies chapter of the McAfee Web Gateway Product Guide. Extended monitoring and troubleshooting Monitoring and troubleshooting functions have been extended to include the following: Additional listener port for monitoring under the SNMP protocol Logging of port forwarding that is performed for web traffic using xinetd connections Rule tracing for rule sets with two hyphens in name For more information, see the Monitoring and Troubleshooting chapters of the McAfee Web Gateway Product Guide. Additional status information after High Availability failover When a Web Gateway appliance that runs as a High Availability backup node returns to backup status after substituting the director node in a failover situation, suitable information is distributed to the other nodes in the configuration. Improved processing of encrypted objects Processing of encrypted objects has been improved for password-protected PDF files that are embedded in.docx document files. List validation Lists are validated with regard to being available for use in a rule. If a list cannot be used due to some issue with a list entry, it is marked on the user interface, so the issue can be dealt with. The list entry or entries that cause a list to be unusable are marked individually. Default sending of certificate chain When Web Gateway sends a certificate to a web server as part of performing SSL-secured communication, the certificate chain is sent with it by default. New properties for recording filtering activities The URL.ForwardDNSLedToResult, URL.ReverseDNSLedToResult, and URL.CloudLookupLedToResult properties are provided to indicate whether a URL was categorized in a particular way due to a forward DNS lookup, a reverse DNS lookup, or an in-the-cloud lookup on the McAfee Global Threat Intelligence system. The Action.Names property is provided for recording Allow and Block actions that were executed on requests sent by users. If quota restrictions were imposed on web usage, suitable information about these restrictions is also recorded. 3

4 Resolved issues These issues are resolved in this release of the product. Bugzilla reference numbers are in parentheses. Network communication In a configuration where a Web Gateway appliance was running in transparent router mode and a second appliance in bridge mode, together with a Blue Coat device, a duplicate traffic issue occurred, which led to overload on the Blue Coat device. (934846) A request for downloading a data.pak file to a client was blocked, as the Dynamic Content Classifier failed to recognize status information indicating that the HTTP protocol did not apply to the filtered data. (938095) When Web Gateway was running as a reverse proxy under the HTTPS protocol, routing requests to next-hop proxies based on the path of their URLs failed and requests with different paths were routed to the same next-hop proxy. (939820) When Web Gateway was running as an ICAP client, the connection to the ICAP server was sometimes closed by Web Gateway immediately after sending a REQMOD request, which let rule processing fail. (941475) When a POST request was received under the HTTP protocol, the core process failed due to inadequate timeout handling. (945042) After the ICAP server became unavailable when Web Gateway was running as an ICAP client, messages about the server unavailability were still received for some time, which caused delays in processing client requests. (946654) When Web Gateway was running as a proxy in High Availability mode, web traffic was directed to the standby node even before the core process had fully begun to operate. (946872) When Web Gateway was running as a proxy in High Availability mode, traffic was not distributed properly to the scanning nodes, due to an unmotivated switch of the director role to the standby director node and failure to update the scanning nodes on the changed virtual IP address. (948320) When Web Gateway was running as a proxy in High Availability mode, approaching the limit of virtual IP addresses that can be configured under the VRRP protocol led to unexpected behavior, including spontaneous restarts. (950328, ) When web traffic was processed in FTP over HTTP mode, Web Gateway closed the control and data connections before any data had been received from the clients. (954805) Web Gateway failed to recognize that a new ICAP server had been configured and kept sending messages to an outdated server, due to a changed IP address of the server list, which had remained the same, but was not detected under the new address. (958349) Authentication When the Novell edirectory authentication method was configured, authentication failed, as it was not possible to connect to an LDAP server, due to a problem with a connection that was also used for performing updates. (936406) Numbers of pending requests for authentication under the NTLM authentication method were not reduced over time as expected, due to a problem with counting timed-out requests. (953220) When users sent requests for web access under the HTTPS protocol, they were unnecessarily prompted for authentication, due to inappropriate criteria in a rule of the library rule set that was implemented. (958594) 4

5 Web filtering An internal access violation occurred when filtering SSL-secured web traffic, which led to a failure of the core process. (931886) When an error message was sent to a client in response to an invalid request, use of a particular property inside the message template caused the core process to fail with term signal 11. (937186) When SSL-secured web traffic was filtered with the SSL Scanner enabled and the root certificate authority was not trusted by a client, the status code for the CONNECT request was set to zero. (941095) A.docx file that contained an executable file and was itself attached to a PDF file could not be opened properly by the composite opener, so the executable file was not detected and a rule for blocking this file type was not applied. (942952) Queries sent from an appliance under the SNMP protocol to retrieve Management Information Base (MIB) data worked for other appliances that were running as nodes in the local subnet, but failed when queries were sent to nodes in a remote subnet. (944011) An application video of the video/f4v type was not correctly recognized by media type filtering, but taken for the application/x-empty type, which rendered a blocking rule that had been set up ineffective. (944975) Processing requests for uploading files under the HTTPS protocol with content inspection enabled led to connection timeouts. (946562) An infinite loop occurred when preparing an error message for a POST request that had been filtered, which led to a connection timeout with heavy load on the core process until no further traffic could be processed. (946671) Two media types of Microsoft Office documents were unknown to the media type filter, which resulted in blocking access to documents of these types. ( ) The threads used in URL filtering were occupied and more requests from clients denied, due to a deadlock situation that developed when these threads were waiting for an update of URL category information and data saving at the same time. (948972) A URL was not checked for a match with regard to the URL.HostBelongsToDomains property when it ended with a dot. (950207) Using the rule engine for triggering URLs periodically in a next-hop proxy test failed, as a GET request to the web server was immediately followed by a request to close the connection. (950294) Access to a website was blocked, as this site had erroneously been classified as corrupted. (950305) When Web Gateway was running as a proxy in High Availability mode, approaching the limit of virtual IP addresses that can be configured under the VRRP protocol led to unexpected behavior, including spontaneous restarts. When SSL-secured traffic was filtered in a configuration that included the Hardware Security Module (HSM) Agent, the SSL Scanner did not send a certificate chain for the handshake at the beginning of the scanning process. (950850) Executable files and files of other types were not included in the filtering process when they were attached to PDF files, and, consequently, not blocked by the configured rules. (950879) A null pointer error involving the libfmtfilter component caused a failure of the core process. (955301) The Stream Detector did not recognize Google YouTube videos when the default threshold was configured, which lets an object be considered as streaming media if the probability for being this type of media is 60 percent or more. (959628) 5

6 Although a web page had its SSL certificate revoked under the Online Certificate Status Protocol (OCSP) and the certificate authority did not include the OCSP signer certificate in the response, access to the page was not blocked as configured. (962196) When a certificate for an SSL-secured connection to a server provided a Common Name and an alternative name, processing the rules for transparent handling of Common Names resulted in a Common Name mismatch. (963742) Upload and download progress When a file was uploaded from a client of Web Gateway to a web server under the FTP protocol, intervals for sending data chunks to the server increased, due to connection issues, and client progress indication was delayed until the client timed out. (913669) When a large file was uploaded from a client of Web Gateway to a web server under the FTP protocol, the web server timed out upon not receiving data chunks, due to a failure of the data trickling function, which occurred because FTP upload progress indication was enabled at the same time. (934797) Data trickling failed for downloads performed under the FTP protocol when the Body.Size property was used in a rule of the same rule set. (948725) When data trickling was performed for downloads under the FTP protocol, the same byte rate was always used, regardless of the amount of data received or the configured byte rate. (949074) When a download from an internal site was finished in an unusually short time, a problem with generating the download progress page caused a failure of the core process. (958282) Logging When the List.LastMatches property was part of an event in a rule that was not executed, the value <kempty variant: no value> was logged for this property, rather than not logging a value at all. (955019) When URLs were filtered based on their categories, a request for an object with a category that could only be retrieved through a cloud lookup was not recorded in the access log. (959630) The default log handler on Web Gateway could be deleted, although without this log handler, the rule engine cannot allot other log handlers when none is specified in a rule event. (964270) Miscellaneous Use of the core virtual memory increased gradually, due to a memory leak, which prevented updates from completing and led to a failure of the core process. (928368) Load on the core process increased extremely when an inefficient sort algorithm was used to search a very long string list. (929314) A scheduled job for creating a configuration backup was sometimes executed, but skipped at other times. (931749) An internal access violation occurred when filtering SSL-secured web traffic, which led to a failure of the core process. ( ) A backup file could not be imported into a newer version of Web Gateway, due to conflicting subscribed lists that went under the same name. (942466) The core process failed with term signal 11, due to an uncommon race condition that occurred when creating statistical values. (943662) A subscribed list that was maintained by McAfee could not be found on Web Gateway under its list number. (943970) 6

7 When quota management data was saved, case sensitivity was not observed correctly for user names, which led to unintentional overwriting of user names that had been retrieved from the local user database, which stores these names in lowercase format only. (946055) When an administrator saved changes in a large configuration of multiple appliances, it took longer than usual, while other administrators could not work with the user interface during this time. (949207) When the HTML opener was enabled, Google maps were not displayed correctly, due to an issue with processing HTML files that damaged HTML pages. (952404) When Web Gateway was running as a proxy under the IFP protocol, users could access the coaching page, but were not redirected to their requested destinations. (956047) When an administrator sent an internal request to Web Gateway, the response exposed user names and hash values of local users. (956819) Logon was denied and a Java error displayed when attempting to log on under an administrator role that had access rights for rules, lists, and the dashboard configured. (957049) When the primary next-hop proxy in a failover configuration was unavailable, Web Gateway denied a request for web access, instead of directing it to the substituting next-hop proxy. (961968) Rule tracing did not cover all rule sets that were configured and the left-out rule sets appeared nested in a rule within the trace file, due to a problem that occurred when processing complex rule criteria was interrupted by an activity such as a DNS lookup. (965503) Performance in processing requests for web access was extremely low on two appliances, as numbers of stacked and currently processed connections nearly reached their limits, due to an endless loop, which the composite opener performed when dealing with two files that used a rarely seen method of referencing the names of their embedded files. (965536) A Web Gateway appliance running in FIPS mode turned unresponsive frequently. (966343) Installation instructions The requirements for installing Web Gateway, version 7.4.2, on an appliance depend on the version you are currently running. When running version beta or an earlier 7.4.x version, you can immediately upgrade to the new version. See Upgrade from 7.4.x or 7.3.x. When running a 7.3.x version, you can upgrade to the new version after activating a repository. See Upgrade from 7.4.x or 7.3.x. When running a 7.2.x or any earlier 7.x version: Create a configuration backup. Use the options provided under Troubleshooting Backup/Restore on the user interface to create the backup. Upgrade to the new version. See Perform an upgrade. The upgrade process includes a major upgrade of the operating system. It will take several steps and more time than usual. If the upgrade process fails or is interrupted, you can re-image the appliance using an image of the new version and install the configuration backup. 7

8 Alternatively, you can: Create a configuration backup. Re-image the appliance using an image of the new version and install the configuration backup. When running a 6.8.x or 6.9.x version, you must re-image the appliance using an image of the new version. Download an image of the new version from the download page of the McAfee Content & Cloud Security Portal at For more information on re-imaging, see the McAfee Web Gateway Installation Guide. Upgrade from 7.4.x or 7.3.x When running a 7.4.x or 7.3.x version, you can upgrade to the new version on the user interface or from a system console. For a 7.3.x version, you need to activate a repository first. Activate the repository Activate the repository for the new version before upgrading from a 7.3.x version. You can activate the repository from a local system console, which is directly connected to an appliance, or work remotely, using SSH. Task 1 Log on to the appliance you want to perform the upgrade on. 2 Run the following command: mwg-switch-repo You can now upgrade to the new version on the user interface or using a system console again. Upgrade on the user interface You can work with the options of the user interface to perform the upgrade. Task 1 Select Configuration Appliances. 2 On the appliances tree, select the appliance you want to perform the upgrade on. The appliance toolbar appears on the upper right of the tab. 3 Click Update Appliance Software. The upgrade to the new version is performed. 4 When a message informs you that the upgrade has completed, click Reboot. When the restart has completed, a logon button appears. You can now log on to the user interface again and start working with the new version. 8

9 Upgrade from a system console You can upgrade from a local system console, which is directly connected to an appliance, or remotely, using SSH. Task 1 Log on to the appliance you want to perform the upgrade on. 2 Run the following two commands: yum upgrade yum yum upgrade The upgrade to the new version is performed. 3 When a message informs you that the upgrade has completed, run the following command: reboot When the restart has completed, a logon prompt appears. You can now log on to the user interface and start working with the new version. Upgrade from 7.2.x or earlier 7.x When running a 7.2.x version or any earlier 7.x version, use a system console to upgrade to the new version. You can use a local system console, which is immediately connected to an appliance, or work remotely, using SSH. Task 1 Log on to the appliance you want to perform the upgrade on. 2 Run the following two commands: yum upgrade yum yumconf\* mwg-dist-upgrade The upgrade to the new version is performed in two phases. After each phase, the appliance restarts automatically. 9

10 3 Proceed in one of the following ways to complete the installation: If you are using a local system console: When the second restart has completed, a logon prompt appears. You can now log on to the user interface and start working with the new version. If you are using SSH: When the appliance restarts after the first upgrade phase, you are disconnected and the second upgrade phase begins. After this phase has completed, including the automatic restart, you can log on to the user interface and start working with the new version. If you log on before the second upgrade phase has completed, you will see a message that this phase is still in progress. When the appliance restarts at the end of this phase, you are disconnected again. Then you need to log on again to be able to work with the new version. You can also run the following command to view messages about the upgrade progress: tail -F /opt/mwg/log/update/mlos2.upgrade.log When you see that the upgrade has completed, press Ctrl+C to stop the monitoring process. You can now log on to the user interface and start working with the new version. Known issues For a list of known issues in this product release, see this McAfee Knowledge Base article: KB Additional information When working with the cloud single sign-on (SSO) functions in McAfee Web Gateway, version 7.4.2, you need to reconfigure the elements of your web security policy that relate to these functions. Single Sign On rule set Remove the rule set that you worked with in version and import it again from the rule set library. When import conflicts arise, solve them by referring to existing objects. Single Sign On settings and SSO lists These policy elements are implemented in the usual way after importing the rule set. They have not changed compared to version SSO templates for user messages These templates are also known as error message templates. When the rule set is imported, the existing SSO templates are overwritten to account for the new cloud single sign-on functions. Then you need to reconfigure the SSO Launchpad template if you want it, for example, to show the same corporate names and information as in version Beginning with version 7.4.2, you need to purchase an additional Web Gateway license component to receive updates of the available SSO connectors and to be able to create generic connectors. 10

11 Find product documentation After a product is released, information about the product is entered into the McAfee online Knowledge Center. Task 1 Go to the McAfee ServicePortal at and click Knowledge Center. 2 Enter a product name, select a version, then click Search to display a list of documents. Product documentation Every McAfee product has a comprehensive set of documentation. For Web Gateway, this includes the following: McAfee Web Gateway Product Guide Describes the features and capabilities of Web Gateway, providing an overview of the product, as well as detailed instructions on how to configure and maintain it McAfee Web Gateway Installation Guide Describes how to set up Web Gateway, as well as several devices that can be run with the product. McAfee Web Gateway Quick Start Guide Describes high-level steps for setting up a Web Gateway version that is shipped as pre-installed appliance software on a hardware platform. This document is shipped in printed format with the pre-installed software and the hardware. Web Gateway, version 7.4.2, is not provided as pre-installed software. Copyright 2014 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. A00