まっちゃだいふくの日記 (Matcha Daifuku's Diary)

Links to security and IT articles that caught my attention.

Announcement: TippingPoint Security Management System 5.4.1 / Threat Protection System 5.4.1 released: Support Information : Trend Micro @ cumulative fixes etc.

Announcement: TippingPoint Security Management System 5.4.1 / Threat Protection System 5.4.1 released: Support Information : Trend Micro

TippingPoint Security Management System 5.4.1 and TippingPoint Threat Protection System 5.4.1 have been released as described below.


■ Release date
December 16, 2020 (Wednesday)

For details on features and other changes, see the announcement below and the Release Notes (in English).


TippingPoint Software Release Announcement
Security Management System 5.4.1 Release Notes
Threat Protection System 5.4.1 Release Notes

■ Notes on upgrading
・To upgrade TippingPoint SMS to v5.4.1, you must first upgrade the SMS to v5.3.0 or later.
What is the upgrade path for my TippingPoint SMS device?

・To upgrade TippingPoint TPS to TOS 5.4.1, you must first upgrade the TPS to TOS version 5.4.0.
What is the upgrade path for my TippingPoint IPS/TPS device?

■ How to obtain
Upgrade modules and documentation can be downloaded from the Trend Micro TippingPoint Threat Management Center (TMC).
※ A TMC account is required to log in.

■ Installation procedure
For the installation procedure, refer to the Installation Guide and User Guide, which can be downloaded from the Online Help Center.
※ All documents are in English.

Support Information : Trend Micro

TippingPoint Software Release Announcement

Trend Micro™ TippingPoint has released Security Management System (SMS) v5.4.1 and Threat Protection System (TPS) v5.4.1; this is a maintenance release that addresses the following issues:

• SMB flow issue related to Trust actions on the 8x00TX platforms
• TLS Inspection connections persisting when the connection becomes idle/inactive or were closed incorrectly by up/downstream devices
• Additional diagnostic commands added for TLS Inspection related items
• Profile distribution errors when using TLS Inspection on TPS 2200T platforms
• Default CA package errors causing distribution errors for TLS Inspection profiles
• Various UI event and log data display errors

Important Notes:

• If you are upgrading from an earlier, nonsequential TOS, refer to the release notes of any interim releases for additional enhancements.
• Before you upgrade your device to the latest TOS, maximize the space on your device by removing outdated TOS versions and packet traces that are no longer required. This ensures a successful upgrade and allows for a TOS rollback, if necessary. You can remove previous TOS versions using the SMS, the LSM, or the CLI.
• All SMS devices must be running a minimum of v5.3.0 before installing this version.
• All TPS devices must be running a minimum of v5.4.0 before installing this version.
• Use SMS v5.4.1 and later to manage a TPS device with this release.
• SMS v5.4.1 and TPS v5.4.1 will be released into manufacturing after 90 days and will include new devices and any RMA replacements.

https://tmc.tippingpoint.com/TMC/ShowDocuments?parentFolderId=announcements&contentId=TPS_SMS_v5.4.1.pdf
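As an added example (not Trend Micro's or TippingPoint's code), the upgrade prerequisites stated above expressed as a readiness check over a device inventory: the minimum running version per device type and the rule that a TPS on v5.4.1 needs an SMS on v5.4.1 or later to manage it. The device names and versions in the sample inventory are constructed.

```python
"""Upgrade-readiness check against the v5.4.1 prerequisites (added example, not
Trend Micro's code): encodes the minimum-version rules and the SMS-manages-TPS
rule from the announcement. The inventory at the bottom is constructed data."""
from dataclasses import dataclass

TARGET = (5, 4, 1)
# Minimum version a device must already run before v5.4.1 is installed.
MIN_BEFORE_UPGRADE = {"SMS": (5, 3, 0), "TPS": (5, 4, 0)}

def parse_version(text: str) -> tuple:
    """Turn 'v5.3.0.1' or '5.4' into a comparable tuple with at least 3 parts."""
    parts = tuple(int(p) for p in text.strip().lower().lstrip("v").split("."))
    return parts if len(parts) >= 3 else parts + (0,) * (3 - len(parts))

@dataclass
class Device:
    name: str
    kind: str     # "SMS" or "TPS"
    version: str  # currently running version, as reported by the device

def readiness(dev: Device) -> str:
    """Classify one device: already at target, ready, or needing an interim hop."""
    current = parse_version(dev.version)
    if current >= TARGET:
        return "at-or-above-target"
    minimum = MIN_BEFORE_UPGRADE[dev.kind]
    if current >= minimum:
        return "ready"
    return "needs-interim-upgrade-to-" + ".".join(str(n) for n in minimum)

def plan(devices: list) -> dict:
    """Readiness per device. A TPS on v5.4.1 must be managed by an SMS on v5.4.1
    or later, so TPS entries are flagged while no SMS in the fleet is at target."""
    result = {d.name: readiness(d) for d in devices}
    sms_versions = [parse_version(d.version) for d in devices if d.kind == "SMS"]
    if not sms_versions or max(sms_versions) < TARGET:
        for d in devices:
            if d.kind == "TPS" and result[d.name] != "at-or-above-target":
                result[d.name] += "; upgrade the SMS to 5.4.1 first"
    return result

SAMPLE_FLEET = [  # constructed inventory, not taken from the page
    Device("sms-primary", "SMS", "v5.3.0.1"),
    Device("sms-lab", "SMS", "5.2.0"),
    Device("tps-dc1", "TPS", "5.4.0"),
    Device("tps-branch", "TPS", "v5.3.0"),
]

FLEET_PLAN = plan(SAMPLE_FLEET)  # FLEET_PLAN["sms-lab"] == "needs-interim-upgrade-to-5.3.0"
```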

Security Management System Release Notes Version 5.4.1

Release contents

Description Reference
IPs that are quarantined more than once are now cleared out after automatic timeout. TIP-49739
SMS backups to Windows using SCP or SFTP now succeed when you place a colon (:) after the drive letter in the path. TIP-56663
The net.auto, net.speed and net.duplex CLI command scripts no longer fail, which caused SMS networking to break after a reboot. TIP-56392
The Advanced Threat API Guide has been updated with commands that have replaced deprecated commands. TIP-56799
The AuxDV automatic download popup now correctly honors the Don't show this message again setting when it is selected. TIP-44853
Profiles with an SSL inspection policy no longer fail to distribute to TPS 2200T devices. TIP-57436
SSL inspection profiles associated with the POP3/IMAP3 protocol no longer fail to send the full certificate chain. TIP-57165, TIP-57163
Some users noticed that a generated event did not display an associated Action Set Name in the Events panel. This issue has been resolved. TIP-45348
TPS devices that used a certificate from the default CA package for the inbound SSL proxy would not be able to receive profile distributions. This release relaxes the restriction that required users to remove any previously imported CAs before importing another default package that had overlapping CAs. TIP-56688, TIP-56761
An issue has been repaired that caused the SMS to display the System Health and Performance graphics with a different power supply status for 440T devices, depending on which TOS the SMS is running. SMS v5.0.1 displays n/a, and SMS v5.1.0 displays 50%. TIP-36468
The SMS now re-enables auto-negotiation of device port capabilities after it has been turned off. TIP-56607
If you navigated to Admin > General > System Software to upgrade your v5.3.x TOS, no packages would be displayed as available upgrade options. This issue has been repaired. TIP-58790
The SMS File system: System health statistic no longer swells to maximum capacity. TIP-59562

Known issues

Description Reference
Attempts to upgrade from a release earlier than v5.3.0 result in an error message. If the error message is blank, check the SMS system log for the entire error message. TIP-47930
Performing a backup and restore of the SMS database will not preserve Filter Performance Correlation data. TIP-42709
After you increase the vSMS disk size, you must turn on and then reboot the vSMS again before the extra disk space is achieved. If you originally deployed the vSMS using TOS v5.2.0 or earlier, the increased disk space cannot be fully achieved. TIP-54547, TIP-54548
The Edit Bulk action does not remove tag categories from user-provided Reputation entries. To remove tag categories from an entry, go to Profiles > Reputation Database > Search Entries, search for an entry, select entries in the search results, and click Edit. The search results display the first 10,000 entries. If you are modifying more than 10,000 entries, you must repeat this procedure. When searching for URL entries, the search results table will not automatically refresh. Click Search to refresh the table. TIP-37913
Certain naming configurations could trigger a condition that causes profile distributions to fail. To prevent failures, make sure that the names of your profiles, segments, virtual segments, and certificates are less than 55 characters. TIP-45073, TIP-38808
The SMS web management console shows the incorrect time zone only when set to GMT +/-00:30 time zones. For the correct time, refer to the SMS Client console. TIP-33377
The SMS does not activate a Digital Vaccine package when it contains a significant number of malware tags for a filter. TIP-33378
When you attempt to distribute too many TLS/SSL certificates to a device, the resulting error message incorrectly specifies CA certificates as the problem. TIP-44753
When you remove a CA certificate used for authentication from the SMS Authentication CA certificate list—for example, when you delete the authentication configuration from the SMS—the CA certificate is also deleted from the device. If this same CA certificate was distributed to a device as part of the SSL server certificate chain, the device would have an SSL server with a missing CA certificate in its SSL certificate chain. TIP-44645
Exporting the hourly report to the SMB share does not work on systems upgraded to SMS 5.3.0.1. SEG-77932

Threat Protection System Release Notes Version 5.4.1

Release Contents

Description Reference
The following error no longer occurs during DNS Reputation filtering: Error TOSPORT NP: DNS Decoder: Parse of generated NXDOMAIN PDU failed; disposition is npDispositionEthTypeUnknown TIP-39422
A filter targeted to be disabled through adaptive filtering configuration (AFC) is no longer reenabled after a Reputation distribution. TIP-35279
Attempts to contact the peer device during TRHA no longer cause the system to freeze. TIP-56762
Profiles with an SSL inspection policy no longer fail to distribute to TPS 2200T devices. TIP-57436
This release repairs an SMB flow issue in which Trust actions were slow to complete on 8200TX and 8400TX devices. TIP-56512
An issue with the heartbeat from healthcheckd to tosportd that would generate a TosPort process hang message in the TSR log has been resolved. TIP-47425
Statistics from the following commands are now included in TSRs to help diagnose SSL issues:
• show ssl-inspection congestion – includes the average number of SSL connections per second, the number of current SSL connections (and the device limit), and whether SSL sessions that exceed the device limit are not inspected or blocked.
• show system statistics fast-path
TIP-56125
TPS devices that used a certificate from the default CA package for the inbound SSL proxy would not be able to receive profile distributions. This release relaxes the restriction that required users to remove any previously imported CAs before importing another default package that had overlapping CAs. TIP-56688, TIP-56761
SSL connections that were not closed properly and did not give any notification would persist indefinitely. With this release, the connection will be dropped after a specified interval (60 seconds is the default). To configure this interval, use the following commands:
To keep the default value:
debug ini-cfg modify netpal.ini.handle [fastPath] so-netconfig ""
To change the interval value to a specified number of seconds:
debug ini-cfg modify netpal.ini.handle [fastPath] so-netconfig tcp.fintimeout=
To turn off the interval setting and revert to the previous behavior:
debug ini-cfg modify netpal.ini.handle [fastPath] so-netconfig tcp.fintimeout=0
Reboot your device after making any of these changes.
Note: Use debug commands only when you are instructed to do so by TippingPoint product support.
TIP-56189
Users who previously encountered an SSL Inspection reached Critical threshold notice in the system log, and who could not effectively modify their topology or application to close the connections, can now configure an SSL proxy idle timeout feature.
After upgrading to TOS v5.4.1 or later, you can activate the timeout, which is disabled by default, using a debug command that includes a time value that you specify (in milliseconds).
For example, to close SSL-proxied connections that have not forwarded application data for 10 minutes (600000 milliseconds), and thereby free appliance resources, enter the following command:
debug ini-cfg modify netpal.ini.handle [SslInsp] npSslIdleTimeoutMs 600000 create
Configure a value of 0 to disable the timeout and return to the default behavior.
Reboot your device after making any of these changes.
Note: Use debug commands only when you are instructed to do so by TippingPoint product support.
TIP-56250
When you configure outbound client SSL inspection, the following settings no longer cause server traffic to the client proxy to drop:
• Client proxy's decrypted service is set to 'other', and
• IPS deployment type is set to 'Performance-optimize' or 'Security optimized'
TIP-53731
https://docs.trendmicro.com/all/tip/tps/v5.4.1/en-us/TPS_541_Release_Notes.pdf

Known issues

Description Reference
When you insert a 40 Gbps bypass module (BIOM) into a TX-Series TPS device that has not been upgraded to at least TOS v5.2.0, the module health status LED indicates that the module has experienced a fault (solid amber). To recover from this state:
1. Upgrade the device to TOS v5.2.0 or later.
2. After the upgrade, perform a full reboot of the device.
3. Disable bypass on all BIOMs by selecting the normal option:
• SMS: From the Device menu, click the device and select Device Configuration -> HA (High Availability) -> Zero Power HA.
• LSM: Select System -> High Availability -> Zero-Power HA.
• CLI: high-availability zero-power (bypass|normal)(slot|all)
TIP-33655
For optimal performance of URL filtering and other memory intensive features running on a vTPS in Normal mode, configure 16 GB of RAM. TIP-33876
In rare occurrences, the TPS does not decrypt sites and the connection will be blocked. If this occurs for sites that must be accessed, navigate to Profiles > Shared Settings > SSL > Client > Decryption Policies > Domains on your SMS and specify those sites in the do-not-decrypt list. TIP-45656
TIP-49103
Deploying a vTPS in Performance mode fails when using version 6.7 of the ESXi Hypervisor. Workaround: To successfully complete a deployment in Performance mode using ESXi 6.7, follow these steps:
1. Deploy the vTPS in Normal mode.
2. Shut down the vTPS virtual appliance. If the appliance is managed, you can also shut it down from the SMS client by right-clicking the device on the Devices page and selecting Edit > Device Configuration.
3. Configure the vTPS parameters to 6 vCPUs and 16 GB memory.
4. Reboot the vTPS virtual appliance. The SMS automatically recognizes the resource allocation and changes to Performance mode.
5. Examine the output of the show version command to confirm that the device is now running in Performance mode.
SEG-76770
The TPS presents an untrusted certificate warning for some websites because it cannot verify the certificate chain. Administrators of these websites might not be aware that their sites are not configured with a proper certificate chain, since most browsers have developed ways to automatically work around this issue. Consider the following options for accessing such a website:
• Use mechanisms specific to your browser to bypass the Untrusted certificate warning (for example, add an exception or proceed to the site anyway)
• Have your administrator manually download an intermediate certificate, upload it to your device, and add it to the Trust Store on your SMS.
• Consider providing feedback to the website to inform its administrators that their site
TIP-37062

中小企業のIT担当者必携 本気のセキュリティ対策ガイド (A Serious Security Guide: Essential Reading for SMB IT Staff)


  • Author: 佐々木 伸彦 (Nobuhiko Sasaki)
  • Release date: 2020/01/23
  • Format: Paperback (softcover)