FIREEYE TECHNICAL DOCUMENTATION

CENTRAL MANAGEMENT RELEASE NOTES
RELEASE 8.7
CENTRAL MANAGEMENT / 2019

FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of their respective owners. FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Copyright © 2019 FireEye, Inc. All rights reserved.

Central Management Release Notes
Software Release 8.7.0
Revision 2

FireEye Contact Information:
Website: www.fireeye.com/company/contact-us.html
Technical Support: https://csportal.fireeye.com
Phone (US): 1.408.321.6300
1.877.FIREEYE

Contents
Announcements
  FireEye Customer Security Best Practices
Upgrade
  Downloading Content from the DTI Offline Update Portal
  Supported Appliance Versions
  Upgrading IPMI 3.11 and BIOS 1.9 Firmware for Specific Platforms
  Upgrading MVX Smart Grid and Private Grid Clusters
  Enabling Access to Intel Context
What's New
  URL Click Reporting
  Search and Download Quarantined Emails Using the API
  Service Health System Trends
  2020 California Law Password Compliance
  Display of Available Features
  Artifacts Column with OS Graph Icons
  New and Modified APIs
Fixed Central Management Issues
Known Central Management Issues
Technical Support
Documentation

Announcements

This document provides an overview of the new features, resolved issues, and known issues in the FireEye Central Management 8.7.0 release.

FireEye Customer Security Best Practices

Because our quality assurance process includes continuous security testing, FireEye recommends updating all FireEye products with the latest releases as soon as possible.
As an overall strategy to reduce risk exposure, customers are also encouraged to follow best practices, which include:

• Always keep the product version up-to-date
• Limit network access to the management interfaces of the appliance using firewalls or similar measures
• Only issue accounts to trusted administrators
• Use strong passwords
• Monitor logs
• Restrict physical access to the appliance to trusted administrators

Upgrade

The FireEye Central Management 8.7.0 release requires a reboot for the update to take effect. You can upgrade your Central Management appliance to 8.7.0 from release 8.5.0 or later.

IPMI and BIOS firmware updates are required for the CM 4500 model. See the section "Upgrading IPMI 3.11 and BIOS 1.9 Firmware for Specific Platforms" below.

Downloading Content from the DTI Offline Update Portal

If you download Central Management 8.7.0 security content from the DTI Offline Update Portal, use the SCNET-1.0 channel of the portal.

CAUTION! Downloading security content from a different channel will result in a loss of detection.

For details, see the FireEye DTI Offline Update Portal User Guide.

Supported Appliance Versions

A Central Management platform running release 8.7.0 can manage the following appliance versions:

• Network Security (NX Series): 8.3.x, 8.2.x, 8.1.x
• Email Security — Server Edition (EX Series): 8.4.x, 8.3.x, 8.2.x
• File Protect (FX Series): 8.2.x, 8.0.x
• Malware Analysis (AX Series): 8.4.x, 8.3.x, 8.2.x
• Endpoint Security (HX Series): 4.8.x, 4.7.x
• VX Series: 8.3.x, 8.2.x (upgrade only)

Upgrading IPMI 3.11 and BIOS 1.9 Firmware for Specific Platforms

The CM 4500 model requires upgrades to IPMI 3.11 and BIOS 1.9. You must install the IPMI upgrade before you upgrade the BIOS. (COM-21016, COM-25601)

See the Administration Guide for the appliance for detailed instructions about upgrading IPMI.
To upgrade IPMI to version 3.11:

CAUTION: IPMI network and password settings revert to factory defaults after this upgrade, and IPMI logs are deleted. Make a note of your settings and back up your IPMI logs.

WARNING: Do not shut down or remove power from the appliance during the upgrade.

1. Go to CLI configuration mode.
   hostname> enable
   hostname# configure terminal
2. Begin the upgrade:
   hostname (config)# ipmi firmware update latest
3. Confirm the upgrade:
   hostname (config)# show ipmi

If the upgrade fails, try the steps again. If IPMI functions are not fully restored, perform a full power cycle (cold shutdown) on the appliance:

1. Stop the reload process:
   hostname (config)# reload halt
2. Disconnect all power cables for 2 minutes.
3. After 2 minutes, reconnect power cables and restart the appliance.

To upgrade the BIOS to version 1.9:

1. Go to CLI configuration mode.
   hostname> enable
   hostname# configure terminal
2. Begin the upgrade:
   hostname (config)# system bios firmware update latest
   WARNING: Do not shut down or remove power from the appliance during the upgrade.
3. Confirm the upgrade:
   hostname (config)# show system bios
4. Stop the reload process:
   hostname (config)# reload halt
5. Disconnect all power cables for 2 minutes.
6. After 2 minutes, reconnect power cables and restart the appliance.

Upgrading MVX Smart Grid and Private Grid Clusters

FireEye recommends that you upgrade and configure the cluster using the Central Management appliance Web UI. Follow these upgrade guidelines.

• Upgrade clusters when cluster utilization is low. Cluster utilization of less than 30% is recommended.
• You can upgrade cluster VX Series appliance nodes to VX 8.3.x from VX 8.2.0 and later only. If you upgrade from an earlier version, you must upgrade to VX 8.2.x first and then upgrade to 8.3.x.
• Clusters should be upgraded using the Central Management Web UI only.
VX Series nodes that are part of a cluster should not be upgraded individually.

FireEye recommends the following upgrade path:

• Upgrade the Central Management appliance to 8.7.0.
• Upgrade the cluster to version 8.3.x using the Central Management 8.7.0 Web UI.
• If there are available VX nodes that are not part of the cluster and are running a version earlier than 8.3.0, upgrade the individual VX nodes to 8.3.0 or later before you add them to a cluster.

Keep the following things in mind when you upgrade to this release.

• Do not create a new cluster on CM 8.7.0 with VX nodes with versions earlier than 8.3.0.
• If your cluster has different IP addresses configured for submission and cluster interfaces, you cannot upgrade the cluster to 8.3.0 or later. To upgrade, you must delete the cluster, upgrade the VX nodes to 8.3.0 or later, and then create a new cluster with VX 8.3.0 or later nodes.
• The VX node hostname on the CM must match the VX hostname on the appliance. If they are different, you must change the hostnames to match before upgrading to 8.3.0 or later. When you create a cluster, ensure the VX hostname on the VX Series appliance is the same as the node hostname in the Central Management Web UI.
• To ensure that a sensor enrolls with a broker node within the same cluster, you must configure the preferred cluster setting on the sensor. Otherwise, if a broker node fails, the sensor can attach to another cluster managed by the same Central Management appliance. To configure a preferred cluster, use the command mvx cluster enrollment-service preferred name <clusterName>.
• The Upgrade Cluster option is available only if the cluster is in Ready status.
• The Abort option is grayed out in the Web UI. To abort a cluster operation, you must use the command cmc mvx cluster <cluster-name> task abort.
• If the Central Management Web UI displays that cluster settings do not match, you must synchronize the configuration on the Central Management appliance. Use the command cmc mvx cluster <cluster-name> sync-config.
• There are no longer master nodes in the VX Series releases 8.3.0 and later. There are broker and compute nodes only.
• When you configure clusters using the CLI, you can check cluster status using the command show cmc mvx cluster <cluster-name>. You must wait for the cluster to be in Ready status before executing the next cluster management command.

After the upgrade, the cluster status will be Busy-Updating for several minutes and then will change to Ready. If the status does not return to Ready within 15-20 minutes, follow these steps to detach and then re-attach the busy VX node.

1. On the Central Management appliance, stop the cluster:
   cm-hostname (config) # cmc mvx cluster <cluster-name> task abort
2. On the busy VX node, enter the following command:
   vx1-hostname (config) # mvx node detach force
3. If the cluster contains other VX nodes, enter the following command on each one. (This is not necessary if there are no other nodes in the cluster.)
   vx2-hostname (config) # mvx node <name-of-busy-VX-node> detach force
   The cluster status will be degraded for a few minutes and then will return to the Ready state. Wait until the busy VX node is shown as "available" on the Nodes page.
4. When the busy node becomes available, add it to the cluster again:
   cm-hostname (config) # cmc mvx cluster <cluster-name> node <node-name>

NOTE: During a cluster upgrade, you may see duplicate clusters appearing on the cluster page. This is temporary; a single cluster will be seen after the cluster upgrade is completed.

See the MVX Smart Grid Administration Guide for detailed cluster upgrade and configuration instructions.
Enabling Access to Intel Context

Appliances now need access to the Amazon Web Services (AWS) cloud for ATI communication. The intel context service is hosted in multiple AWS regions and resolves to multiple IP addresses based on geographic location. To determine the IP addresses for your location, go to https://dnschecker.org/#A/context.fireeye.com. See the AWS IP address range documentation for information about whitelisting the IP addresses.

What's New

This section describes new features in the FireEye Central Management release 8.7.0.

URL Click Reporting

The URL Click Reporting feature on a managed Email Security — Server Edition appliance generates a URL click event when a rewritten URL within an email message body is clicked by the recipient. The click event data (such as click count, time stamp, recipient, and type) is gathered and analyzed using FireEye Helix and third-party software.

URL click event types are missed or blocked click events. A missed click event is generated when the FireEye Advanced URL Detection Engine (FAUDE) had not analyzed the URL as malicious before it was clicked. A blocked click event is generated when FAUDE returned a malicious verdict for the URL and it was blocked. When a missed URL click event is created retroactively, the retroactive alert is updated with that URL click event. The alert details are displayed on the eAlerts > Alerts page.

The URL Click Reporting feature is enabled by default and is displayed in the Central Management and Email Security — Server Edition appliance Dashboard and eAlerts pages. For more information, see the "URL Click Reporting" section of the Central Management Administration Guide.
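The "Enabling Access to Intel Context" section above tells you to look up the addresses that context.fireeye.com resolves to and to consult the AWS IP address ranges when whitelisting them. The following added example (not FireEye's code) shows one way to turn those two inputs into firewall-ready prefixes: it matches each resolved address against prefixes in the shape of AWS's published ip-ranges.json, keeps the narrowest covering prefix, and flags any address that is not inside an AWS range. The prefixes and addresses used are constructed documentation values, not the real ones.

```python
# Added example (not FireEye's code): map the addresses a DNS lookup of the intel
# context hostname returns onto AWS's published prefixes for an outbound allowlist.
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json (only the fields used
# here). The prefixes are documentation ranges, not AWS's real ones.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/23", "region": "eu-central-1", "service": "AMAZON"},
    ]
})

# Constructed stand-in for the A records seen from two locations (the notes say the
# answer depends on geography). 192.0.2.5 is deliberately outside every AWS range.
RESOLVED = {
    "us": ["203.0.113.10", "203.0.113.11"],
    "eu": ["198.51.100.20", "192.0.2.5"],
}


def load_prefixes(ip_ranges_json):
    """Parse ip-ranges.json style text into (network, region, service) tuples."""
    data = json.loads(ip_ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def match_prefixes(addresses, prefixes):
    """Return {address: narrowest covering (network, region, service) or None}."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        covering = [p for p in prefixes if ip in p[0]]
        # The narrowest prefix keeps the allowlist as tight as AWS's data permits.
        result[addr] = max(covering, key=lambda p: p[0].prefixlen, default=None)
    return result


def allowlist(resolved, prefixes):
    """Collapse all locations into sorted CIDRs to permit, plus the (location,
    address) pairs outside AWS that should be investigated rather than allowed."""
    cidrs, unmatched = set(), []
    for location, addrs in resolved.items():
        for addr, match in match_prefixes(addrs, prefixes).items():
            if match is None:
                unmatched.append((location, addr))
            else:
                cidrs.add(str(match[0]))
    return sorted(cidrs), unmatched


if __name__ == "__main__":
    cidrs, unmatched = allowlist(RESOLVED, load_prefixes(SAMPLE_IP_RANGES))
    print("permit outbound to:", cidrs)
    print("not in any AWS range:", unmatched)
```

Re-run it whenever the DNS answer or the AWS ranges change, since both move over time and a stale allowlist silently breaks ATI communication.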
Search and Download Quarantined Emails Using the API

Use the following APIs for managing quarantined emails:

• List quarantined emails
  GET https://<address>/wsapis/v2.0.0/emailmgmt/quarantine
• Release a list of emails by ID from the quarantine
  POST https://<address>/wsapis/v2.0.0/emailmgmt/quarantine/release
• Delete a list of emails by ID from the quarantine
  POST https://<address>/wsapis/v2.0.0/emailmgmt/quarantine/delete
• Download an email by ID from the quarantine
  GET https://<address>/wsapis/v2.0.0/emailmgmt/quarantine/<queue_id>

For more information, see the FireEye API Reference Guide.

Service Health System Trends

You can view a service health statistics trend graph for the Central Management appliance from the Dashboard page.

2020 California Law Password Compliance

In Release 8.7.0, the IPMI interface cannot be enabled if the password admin or ADMIN is configured. A full factory reset of an appliance that uses a prohibited password will reset the IPMI password and require a password change before the IPMI interface can be re-enabled. Other configured passwords will not be changed.

Version 8.4.0 is compliant with Civil Code TITLE 1.81.26. Security of Connected Devices, commencing with 1798.91.04.

“(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features …”

“… it shall be deemed a reasonable security feature if either of the following requirements are met: (1) The preprogrammed password is unique to each device manufactured. (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”

Display of Available Features

The Web UI Features page shows tiles for the features available for this appliance. Tiles for enabled features are marked with a checkmark and are outlined in green.
Features introduced in the release of Central Management that you are viewing are labeled New. Click i in a tile to view additional information about the feature, including the version in which it was released, the category of security it provides, and any additional requirements.

Artifacts Column with OS Graph Icons

When you download the current Security Content to your Central Management appliance, icons are displayed in the Artifacts column on the Alerts page. Click an icon to see the associated section, such as Malicious Alerts, OS Change Graph, or OS Change Table.

New and Modified APIs

• The System Health API is now supported on Central Management.
• Use the IOC for an Alert request to retrieve the IOC in XML format for a specific alert.
  GET https://<address>/wsapis/v2.0.0/openioc?{alert_id=<alert_id> | alert_uuid=<alert_uuid>}

For more information, see the FireEye API Reference Guide.

Fixed Central Management Issues

The following issues were resolved in the Central Management 8.7.0 Release. The relevant issue tracking numbers for each item are included in parentheses.

• When alerts were purged from a managed FX Series appliance, the Central Management Web UI displayed an empty alerts page after a scan page containing those old alerts was clicked. This issue has been resolved. (CMS-13684)
• When the analyst user selected a cluster from the Dashboard group drop-down menu, the Web UI displayed an empty page. This issue has been resolved. (CMS-14731)
• When the Central Management HA appliance running release 8.6.0 was downgraded to release 8.5.0, the cluster went into a degraded state and node configuration was not synchronized. This issue has been resolved.
  (CMSHA-1218)
• A FireEye appliance with product_type set to Null was added to the Central Management appliance for management. When the appliance was selected from the Alerts page, the error message "500: Server Error Oops! Something went wrong!" occurred. This issue has been resolved. (CMS-13430)
• When the System Health Request API call was issued, the error message "Your privileges do not allow calling the API code:AUTH004" was displayed. This issue has been resolved. (CMS-13573)
• In the Search Emails > Processed Emails section of the Central Management Web UI, when a wildcard was used in the Attachment and URL field for the managed Email Security — Server Edition appliance, some search combinations did not work correctly. This issue has been resolved. (CMS-13627)
• When fenet proxy was configured on the Central Management appliance and then the URL Screenshot link was clicked in the Web UI Alerts page, the error message "Error in processing API request" was displayed. This issue has been resolved. (CMS-14344)
• On the Central Management appliance, attempts to open a Malware Analysis appliance alert resulted in a fatal error. This issue has been resolved. (CMS-14356)
• The IOC feed sent to a managed Endpoint Security appliance from the Central Management appliance did not contain the URLs for PHISH.LIVE.DTI.URL. This issue has been resolved. (CMS-14417)
• When the managed defense feature was enabled on the Central Management HA cluster, the CMSAPI service was disabled as an unexpected side effect. This issue has been resolved. (CMS-14468)
• When managed appliance alerts were aggregated, the Central Management appliance displayed an aggregation error: "ERROR: nextval: reached maximum value of sequence signature_attr_details_id_seq." This issue has been resolved.
  (CMS-14556)

Known Central Management Issues

The following issues are known in Central Management release 8.7.0.

NOTE: The relevant issue tracking numbers for each item are included in parentheses.

• When the Category drop-down menu is clicked, the Central Management appliance Web UI begins processing for the Supported Feature tab before a category is selected from the menu. (CMS-14725)
• When an operator logs into the Central Management appliance, the CMS load status is missing from the About > Health Check > System Information section of the Web UI. (CMS-14733)
• When a user in the Monitor role logs into the Central Management appliance Web UI and clicks the notification (bell) menu, the What to improve detection? notification is missing. (CMS-14751)
• The Central Management appliance Web UI log intermittently displays a "Failed to load master manifest" warning and an "Error code 14403" error message for managed Network Security and Email Security — Server Edition appliances. (CMS-14763)
• When an analyst logs into the Central Management appliance Web UI, attempts to view the OS Change Details from the Alert > Email > Alert tab result in the log message: "action failed Insufficient authorization to perform action". (CMS-14779)
• When an analyst logs into the Central Management appliance Web UI, the Clusters with Critically High Utilization widget should not be displayed on the dashboard. (CMS-14798)
• A Central Management appliance cluster upgrade from release 8.2.0.782612 to release 8.3.1.871507 results in exception 2025 errors. (CMS-14799)
• When you remove a node from the Central Management appliance Web UI Clusters tab, the node IP address appears twice under the NODE IP. (CMS-14800)
• When the metadata streaming feature is enabled on the Web UI, an "Invalid set_ request" message is displayed for a managed Email Security — Server Edition appliance running a release earlier than 8.4.0.
  (CMS-14801)
• When an alert detail is clicked for a managed Network Security appliance, an MD5 checksum Web infection erroneously appears in the OS Change Graph. (CMS-14814)
• From the Central Management Web UI, when an object or file is submitted for analysis on the managed Malware Analysis appliance, the submission must time out before the user can view the Malware Appliance alert details. (CMS-14821)

Technical Support

For technical support, contact FireEye through the Support portal: https://csportal.fireeye.com

Documentation

Documentation for all FireEye products is available on the FireEye Documentation Portal (login required): https://docs.fireeye.com/

FireEye, Inc. | 601 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.FIREEYE | www.fireeye.com/company/contact-us.html