SOURCEFIRE 3D SYSTEM RELEASE NOTES
Version 5.2.0.2
Original Publication: October 18, 2013
Last Updated: October 18, 2013

These release notes are valid for Version 5.2.0.2 of the Sourcefire 3D System. Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes, which describe supported platforms, new and changed features and functionality, known and resolved issues, as well as product and web browser compatibility.
For more information, see the following sections:
• Updates to Sourcefire Documentation on page 2
• Before You Begin: Important Update and Compatibility Notes on page 2
• Updating Your Appliances on page 5
• Uninstalling the Update on page 15
• Issues Resolved in Version 5.2.0.2 on page 20
• Known Issues on page 28
• Features Introduced in Previous Versions on page 31
• For Assistance on page 38

Updates to Sourcefire Documentation

In Version 5.2.0.
Before You Begin: Important Update and Compatibility Notes

Configuration and Event Backup Guidelines

Before you begin the update, Sourcefire strongly recommends that you back up current event and configuration data to an external location. This data is not backed up as part of the update process. Use the Defense Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the Sourcefire 3D System User Guide.
regardless of how you configured any inline sets, switching, routing, NAT, and VPN are not performed during the update process.
Screen Resolution Compatibility

Sourcefire recommends selecting a screen resolution that is at least 1280 pixels wide. The user interface is compatible with lower resolutions, but a higher resolution optimizes the display.

Updating Your Appliances

The following sections help you prepare for and install the Version 5.2.0.
Virtual Appliance Operating System Requirements

You can host 64-bit virtual Sourcefire appliances on the following hosting environments:
• VMware ESX/ESXi 4.1
• VMware vSphere Hypervisor 5.0
• VMware vSphere Hypervisor 5.1
For more information, see the Sourcefire 3D System Virtual Installation Guide.

Time and Disk Space Requirements

The following table provides disk space and time guidelines for the Version 5.2.0.2 update.
Configuration and Event Backup Guidelines

Before you begin the update, Sourcefire strongly recommends that you back up current event and configuration data to an external location. This data is not backed up as part of the update process. You can use the Defense Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the Sourcefire 3D System User Guide.
applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. The system then applies the update to the primary device, which follows the same process.

Installing the Update on Stacked Devices

When you install an update on stacked devices, the system performs the updates simultaneously. Each device resumes normal operation when the update completes.
Updating a Defense Center

Use the procedure in this section to update your Defense Centers, including virtual Defense Centers. For the Version 5.2.0.2 update, Defense Centers reboot.

WARNING! Before you update the Defense Center, reapply access control policies to any managed devices. Otherwise, the subsequent update of managed devices may fail.

WARNING! Do not reboot or shut down your appliances during the update until after you see the login prompt.
6. Select System > Updates. The Product Updates tab appears.
7. Click the install icon next to the update you uploaded. The Install Update page appears.
8. Select the Defense Center and click Install. Confirm that you want to install the update and reboot the Defense Center. The update process begins. You can monitor the update's progress in the task queue (System > Monitoring > Task Status).
15. Reapply device configurations to all managed devices.

TIP! To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.

16. Reapply access control policies to all managed devices.

WARNING! Do not reapply intrusion policies individually; you must reapply all access control policies completely.
2. Update the Sourcefire software on the devices’ managing Defense Center; see Updating a Defense Center on page 9.
3. Download the appropriate update from the Sourcefire Support Site:
• for Series 3 managed devices: Sourcefire_3D_Device_S3_Patch-5.2.0.2-45.sh
• for the 3D9900 managed device: Sourcefire_3D_Device_9900_Patch-5.2.0.2-45.sh
• for other physical managed devices: Sourcefire_3D_Device_Patch-5.2.0.2-45.
10. Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
11. Reapply device configurations to all managed devices.

TIP! To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.

12. Reapply access control policies to all managed devices.
2. Download the appropriate update from the Sourcefire Support Site:
• for Series 2 Defense Centers: Sourcefire_3D_DC_Patch-5.2.0.2-45.sh
• for Series 3 and virtual Defense Centers: Sourcefire_3D_Defense_Center_S3_Patch-5.2.0.2-45.sh
• for Series 3 managed devices: Sourcefire_3D_Device_S3_Patch-5.2.0.2-45.sh
• for the 3D9900 managed device: Sourcefire_3D_Device_9900_Patch-5.2.0.2-45.sh
• for other physical managed devices: Sourcefire_3D_Device_Patch-5.2.0.2-45.
Uninstalling the Update

The following sections help you uninstall the Version 5.2.0.2 update from your appliances:
• Planning the Uninstallation on page 15
• Uninstalling the Update from a Managed Device on page 17
• Uninstalling the Update from a Virtual Managed Device on page 18
• Uninstalling the Update from a Defense Center on page 19

Planning the Uninstallation

Before you uninstall the update, you must thoroughly read and understand the following sections.
Uninstalling the Update from Stacked Devices

All devices in a stack must run the same version of the Sourcefire 3D System. Uninstalling the update from any of the stacked devices causes the devices in that stack to enter a limited, mixed-version state. To minimize impact on your deployment, Sourcefire recommends that you uninstall an update from stacked devices simultaneously. The stack resumes normal operation when the uninstallation completes on all devices in the stack.
Uninstalling the Update from a Managed Device

The following procedure explains how to use the local web interface to uninstall the Version 5.2.0.2 update from managed devices. You cannot use a Defense Center to uninstall the update from a managed device. Uninstalling the Version 5.2.0.2 update results in a device running Version 5.2.0.1. For information on uninstalling a previous version, refer to the release notes for that version.
5. Click the install icon next to the uninstaller that matches the update you want to remove, then confirm that you want to uninstall the update and reboot the device. The uninstallation process begins. You can monitor the uninstallation progress in the task queue (System > Monitoring > Task Status).

WARNING! Do not use the web interface to perform any other tasks until the uninstallation has completed and the device reboots.
3. At the CLI prompt, type expert to access the bash shell.
4. At the bash shell prompt, type sudo su -.
5. Type the admin password to continue the process with root privileges.
6. At the prompt, enter the following on a single line:
install_update.pl /var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-5.2.0.2-45.sh
The uninstallation process begins.

WARNING! If you encounter issues with the uninstallation, do not restart the uninstallation.
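The steps above are typed by hand at the root shell, with no check that the right package is being handed to install_update.pl. The following POSIX shell wrapper is an added example, not part of the Sourcefire release notes or of the appliance's own tooling: before it invokes install_update.pl it confirms that the file exists, that its name is a 5.2.0.2-45 uninstaller package rather than a 5.2.0.1 package or a full update, that the shell is root (the sudo su - step), and that no install_update.pl is already running, which honours the warning against restarting an uninstallation. The package name pattern, the UNINSTALL_DRY_RUN variable and the pgrep-based running-process check are assumptions made for this example; install_update.pl and the /var/sf/updates path are as given on the page.

```shell
#!/bin/sh
# Added example, not from the Sourcefire release notes: pre-flight checks
# before running install_update.pl by hand on a virtual managed device.
# Assumptions (not stated on the page): UNINSTALL_DRY_RUN=1 prints the
# command instead of running it; the "already running" check uses pgrep.

EXPECTED_BUILD="5.2.0.2-45"

# Return 0 if the basename is a 5.2.0.2-45 uninstaller package
# (Sourcefire_3D_*_Patch_Uninstaller-5.2.0.2-45.sh), so a 5.2.0.1 package
# or a full update file is never passed to install_update.pl by mistake.
is_uninstaller_name() {
    case "${1##*/}" in
        Sourcefire_3D_*_Patch_Uninstaller-"$EXPECTED_BUILD".sh) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-flight: file readable, name as expected, running as root (the page's
# sudo su - step), and no install_update.pl already running (the page warns
# not to restart an uninstallation that hit problems).
preflight() {
    file="$1"
    [ -r "$file" ] || { echo "not readable: $file" >&2; return 2; }
    is_uninstaller_name "$file" || { echo "unexpected package name: ${file##*/}" >&2; return 3; }
    if [ "$(id -u)" -ne 0 ] && [ -z "${UNINSTALL_DRY_RUN:-}" ]; then
        echo "run as root (sudo su -)" >&2; return 4
    fi
    if command -v pgrep >/dev/null 2>&1 && pgrep -f install_update.pl >/dev/null 2>&1; then
        echo "install_update.pl is already running; do not restart it" >&2; return 5
    fi
    return 0
}

# Run the uninstaller only if every pre-flight check passes.
run_uninstaller() {
    preflight "$1" || return $?
    if [ -n "${UNINSTALL_DRY_RUN:-}" ]; then
        echo "would run: install_update.pl $1"
        return 0
    fi
    install_update.pl "$1"
}

# Usage (as root, on the device):
#   ./uninstall_check.sh /var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-5.2.0.2-45.sh
if [ -n "${1:-}" ]; then
    run_uninstaller "$1"
fi
```

Run it as root with the uninstaller path as the only argument. With UNINSTALL_DRY_RUN=1 it prints the command it would run instead of starting the uninstallation, which is also how the checks can be exercised away from the appliance.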
5. Click the install icon next to the uninstaller that matches the update you want to remove. The Install Update page appears.
6. Select the Defense Center and click Install, then confirm that you want to uninstall the update and reboot the device. The uninstallation process begins. You can monitor the uninstallation progress in the task queue (System > Monitoring > Task Status).
Issues Resolved in Version 5.2.0.2

• Resolved an issue where traffic matched an access control policy block rule and the system evaluated it against the access control policy default action configured as an intrusion policy. (124732)
• Resolved a synchronization issue where, in rare cases, clusters lost their clustered status.
• Resolved an issue where the intrusion policy comparison view stalled if the option to update the base policy with intrusion rule updates was disabled in the base intrusion policy. (123739)
• Resolved an issue where, in some cases, adding two or more detection patterns to an application protocol detector drained system resources.
• When navigating from a Custom Analysis dashboard widget to an event viewer page, a message now appears to clarify any potential event count differences between the two pages. (106867)
• Resolved an issue where, in some cases, the system generated errors on packets when an interface returned to a routed configuration after being temporarily configured as a switched interface.
• Resolved an issue where reports generated graphs and charts without labels for portscan events. (110828)
• The audit log (System > Monitoring > Audit) now provides details about settings that changed during edits to the system policy. (110860)
• Resolved an issue where managed devices continued to store user data purged from their managing Defense Center. (111234)
• Resolved a display issue on the intrusion policy comparison page.
• If you use a Serial Over LAN (SOL) connection to restore a 3D7010, 3D7020, or 3D7030 managed device to factory settings, and a Lights-Out Management (LOM) user is logged in when you begin the restore, that LOM user is now correctly disconnected and deleted. (113706, 113824)
• Resolved an issue where, in some cases, the system failed to email reports.
• Resolved an issue where the system truncated text in long syslog messages. (118816)
• Resolved an issue where some TCP connections detected by virtual devices were not logged to the Defense Center. (118827)
• Resolved an issue with the formatting of text files sent with email alerts by the Defense Center. (119267)
• Improved the IP defragmentation preprocessor to avoid a possible evasion using packet fragments.
• Resolved an issue where the system did not log correlation rules that referenced user logins. (121129)
• Resolved an issue where the system did not detect files transferred in HTTP POST requests. (121204)
• Resolved an issue where, in some cases, intrusion email alerts did not associate events with the correct managed device. (121278)
• Resolved an issue where, in rare cases, very large troubleshooting files did not download successfully.
Known Issues

The following known issues were reported in Version 5.2.0.2:
• In some cases, the system generates impact flag alerts that contain incorrect intrusion event classifications. (125934)
• If a managed device processes traffic only from the initiator of a TCP connection, the system does not log a connection event at the end of the connection. (126040)
• If you create a custom saved search for intrusion events with the Generator (GID) field populated, the search returns empty.
Known Issues Discovered in Previous Releases

The following is a list of known issues that were discovered in previous releases of the Sourcefire 3D System:

Version 5.2.0.2
• You must use the Defense Center’s web interface to unregister a managed device. If you unregister a device using either the device’s web interface or its command line interface (CLI), it is not removed from the Defense Center.
• In rare cases, the system may require up to 3 hours to complete an update or uninstall to Version 5.2 of the Sourcefire 3D System on a 3D7110 or 3D7120 managed device. Do not interrupt the update; allow the post-update reboot to finish completely. (124148)
• If a device group contains an inactive managed device, you may be unable to edit the device group.
Features Introduced in Previous Versions

No new features were introduced in Version 5.2.0.2. Functionality described in previous versions may be superseded by other new functionality or updated through resolved issues.

5.2.x.x

No new features were introduced in Version 5.2.0.1.

5.2

The following new features and functionality were introduced in Version 5.2:

Advanced Malware Protection

Version 5.
You can perform AMP, which requires Protection and Malware licenses, using any Series 3 managed device or virtual device. You can manage an AMP deployment using any Series 3 or Series 2 Defense Center, except a DC500.
sharing, a midstream pickup matches the existing connection and the connection continues to be allowed. Another advantage of state sharing is that while many connections are blocked on the first packet based on access control rules or other factors, there are cases where the system allows some number of packets through before determining that the connection should be blocked.
Policy-Based NAT

Version 5.2 introduces the ability to create a network address translation (NAT) policy. A NAT policy determines how the system performs routing with NAT. You can now create and use both static and dynamic NAT rules for further flexibility and granular control of NAT configuration.
Drop BPDUs Support

The drop Bridge Protocol Data Units (BPDUs) configuration added in Version 5.2 allows you to set up an inline configuration that operates over a single physical link. You can now configure a virtual switch with two logical interfaces; each interface must have a different configured VLAN tag.
Network Discovery

Two new areas of functionality have been added to network discovery for Version 5.2: IPv6 support for network discovery and support for user logoff events generated by Version 2.1 of the Sourcefire User Agent.

IPv6 Support

Version 5.2 introduces extensive support for IPv6 addresses in features that were previously limited (partially or completely) to IPv4 addresses.
SSL Application Detection

Version 5.2 adds many new application detectors for applications in SSL traffic, allowing you to identify, and optionally block, encrypted application sessions based on the common name from the SSL client certificate used in the session.

URL Blocking based on SSL Common Name

You can now block encrypted application traffic using a URL based on the common name in an SSL certificate.

Updates to API Support

Version 5.
For Assistance

If you are a new customer, thank you for choosing Sourcefire. Please visit https://support.sourcefire.com/ to download the Sourcefire Support Welcome Kit, a document to help you get started with Sourcefire Support and set up your Customer Center account. If you have any questions or require assistance with the Sourcefire Defense Center or managed devices, please contact Sourcefire Support:
• Visit the Sourcefire Support Site at https://support.sourcefire.com/.