［製品情報］ TippingPoint Security Management System 5.5.2 / TippingPoint Threat Protection System 5.5.2 公開のお知らせ：サポート情報 : トレンドマイクロ＠各種機能追加、修正対応

[製品情報] TippingPoint Security Management System 5.5.2 / TippingPoint Threat Protection System 5.5.2 公開のお知らせ：サポート情報 : トレンドマイクロ

TippingPoint Security Management System 5.5.2 / TippingPoint Threat Protection System 5.5.2 が以下の通り公開されました。

■公開開始日
2022年1月12日 (水)
機能等の詳細につきましては以下のRelease Notes(英語)をご覧ください。

TippingPoint Security Management System 5.5.2 Release Note：サポート情報 : トレンドマイクロ

TippingPoint Threat Protection System 5.5.2 Release Note：サポート情報 : トレンドマイクロ

■入手方法
Trend Micro TippingPoint Threat Management Center(TMC)からアップグレード用のモジュールやドキュメントをダウンロード
することができます。
※ログインには TMC アカウントが必要です。
■導入手順
導入手順につきましてはOnline Help Centerからダウンロードできるインストールガイドやユーザーガイドをご参照ください。
※ドキュメントは全て英語です。
■製品サポート
ご不明な点がございましたら、弊社サポートセンターまでお問合せください。
お問合せ方法については、こちらをご確認ください。
サポート情報 : トレンドマイクロ

Security Management System Release Notes Version 5.5.2

Release contents

Description Reference

When a traffic management filter that includes both IPv4 and IPv6 addresses fails, the resulting error message now effectively communicates the reason for the failure. TIP-63627
SEG-103775

An issue preventing the SMS from closing SMB connections properly caused the SMB server to run out of connections so that the SMS could not connect to it. This issue has been fixed. TIP-65904
SEG-105326

When you use the SMS to configure SSL client or server inspection, adding ports to one of the decryption services (such as HTTP, IMAP, and POP3) sometimes resulted in the decryption service incorrectly being set to “other”. This issue has been fixed. TIP-69425

An issue that caused SMS nightly backups to inflate to a problematic size has been resolved. TIP-63629

The SMS can now reorder reputation filters that have inherited configurations with inconsistent ordering. TIP-70147
SEG-117303

This release resolves an issue with the DNS lookup of the hostname on the SMS server. TIP-69313
SEG-117012

When you import a profile that uses security filters with inconsistent DV toolkit mapping, an Unable to return filters error no longer occurs. TIP-70099
SEG-112749

An issue with DNS name validation prevented some items from being imported during a reputation user entry import. TIP-68168 SEG-107926

The SMS no longer hinders attempts to add new entries to the Host IP Filters table. TIP-68049
SEG-114809

You can now configure the thresholds that trigger a throughput alert. To configure the values, click the device and select Device Configuration > License Utilization Threshold Settings. TIP-39430

Known issues

Description Reference

1G fiber module does not support auto-negotiation. SMS will currently report auto-negotiation as enabled; however, any changes from SMS, LSM, or CLI will not take effect. TIP-66924

Attempts to upgrade from a release earlier than v5.3.0 result in an error message. If the error message is blank, check the SMS system log for the entire error message. TIP-47930

Performing a backup and restore of the SMS database will not preserve Filter Performance Correlation data. TIP-42709

SSL inspection cannot occur when web mode is enabled. By default, web mode is disabled. TIP-64243

The Edit Bulk action does not remove tag categories from user-provided Reputation entries.To remove tag categories from an entry, go to Profiles > Reputation Database > Search Entries, search for an entry, select entries in the search results, and click Edit. The search results display the first 10,000 entries. If you are modifying more than 10,000 entries, you must repeat this procedure. When searching for URL entries, the search results table will not automatically refresh. Click Search to refresh the table. TIP-37913

Certain naming configurations could trigger a condition that causes profile distributions to fail. To prevent failures, make sure that the names of your profiles, segments, virtual segments, and certificates are less than 55 characters. TIP-45073
TIP-38808

The SMS web management console shows the incorrect time zone only when set to GMT +/-00:30 time zones. For the correct time, refer to the SMS Client console. TIP-33377

The SMS does not activate a Digital Vaccine package when it contains a significant number of malware tags for a filter. TIP-33378

When you attempt to distribute too many TLS/SSL certificates to a device, the resulting error message incorrectly specifies CA certificates as the problem. TIP-44753

When you remove a CA certificate used for authentication from the SMS Authentication CA certificate list—for example, when you delete the authentication configuration from the SMS—the CA certificate is also deleted from the device. If this same CA certificate was distributed to a device as part of the SSL server certificate chain, the device would have an SSL server with a missing CA certificate in its SSL certificate chain. TIP-44645

https://docs.trendmicro.com/all/tip/sms/v5.5.2/en-us/SMS_552_Release_Notes.pdf

Description	Reference
When a traffic management filter that includes both IPv4 and IPv6 addresses fails, the resulting error message now effectively communicates the reason for the failure.	TIP-63627 SEG-103775
An issue preventing the SMS from closing SMB connections properly caused the SMB server to run out of connections so that the SMS could not connect to it. This issue has been fixed.	TIP-65904 SEG-105326
When you use the SMS to configure SSL client or server inspection, adding ports to one of the decryption services (such as HTTP, IMAP, and POP3) sometimes resulted in the decryption service incorrectly being set to “other”. This issue has been fixed.	TIP-69425
An issue that caused SMS nightly backups to inflate to a problematic size has been resolved.	TIP-63629
The SMS can now reorder reputation filters that have inherited configurations with inconsistent ordering.	TIP-70147 SEG-117303
This release resolves an issue with the DNS lookup of the hostname on the SMS server.	TIP-69313 SEG-117012
When you import a profile that uses security filters with inconsistent DV toolkit mapping, an Unable to return filters error no longer occurs.	TIP-70099 SEG-112749
An issue with DNS name validation prevented some items from being imported during a reputation user entry import. TIP-68168	SEG-107926
The SMS no longer hinders attempts to add new entries to the Host IP Filters table.	TIP-68049 SEG-114809
You can now configure the thresholds that trigger a throughput alert. To configure the values, click the device and select Device Configuration > License Utilization Threshold Settings.	TIP-39430

Description	Reference
1G fiber module does not support auto-negotiation. SMS will currently report auto-negotiation as enabled; however, any changes from SMS, LSM, or CLI will not take effect.	TIP-66924
Attempts to upgrade from a release earlier than v5.3.0 result in an error message. If the error message is blank, check the SMS system log for the entire error message.	TIP-47930
Performing a backup and restore of the SMS database will not preserve Filter Performance Correlation data.	TIP-42709
SSL inspection cannot occur when web mode is enabled. By default, web mode is disabled.	TIP-64243
The Edit Bulk action does not remove tag categories from user-provided Reputation entries.To remove tag categories from an entry, go to Profiles > Reputation Database > Search Entries, search for an entry, select entries in the search results, and click Edit. The search results display the first 10,000 entries. If you are modifying more than 10,000 entries, you must repeat this procedure. When searching for URL entries, the search results table will not automatically refresh. Click Search to refresh the table.	TIP-37913
Certain naming configurations could trigger a condition that causes profile distributions to fail. To prevent failures, make sure that the names of your profiles, segments, virtual segments, and certificates are less than 55 characters.	TIP-45073 TIP-38808
The SMS web management console shows the incorrect time zone only when set to GMT +/-00:30 time zones. For the correct time, refer to the SMS Client console.	TIP-33377
The SMS does not activate a Digital Vaccine package when it contains a significant number of malware tags for a filter.	TIP-33378
When you attempt to distribute too many TLS/SSL certificates to a device, the resulting error message incorrectly specifies CA certificates as the problem.	TIP-44753
When you remove a CA certificate used for authentication from the SMS Authentication CA certificate list—for example, when you delete the authentication configuration from the SMS—the CA certificate is also deleted from the device. If this same CA certificate was distributed to a device as part of the SSL server certificate chain, the device would have an SSL server with a missing CA certificate in its SSL certificate chain.	TIP-44645

Threat Protection System Release Notes Version 5.5.2

Release Contents

Description Reference

This release fixes an issue that caused an Unable to fetch ips-profile list to validate configuration system log message. TIP-67191
SEG-111905

After upgrading to v5.5.0, some customers experienced unexpected packet blocks for filter 7704, which triggered further transmissions. This issue is fixed in this release. TIP-70597
SEG-119519

This release fixes a rare task crash that some devices experienced during high traffic load while processing a TLS handshake. TIP-69516
SEG-116764

Some devices failed to provide any SNMP interface statistics, and SNMP statistics for 40 GB IOMs were not handling unpopulated interfaces in an IOM slot correctly. This issue is fixed in this release. TIP-65670
SEG-95791

This release fixes an issue that caused some customers to report unexplainable license utilization statistics. TIP-70454

The maximum transmission unit (MTU) increased from 9050 to 9234 bytes on the 1100TX,5500TX, 8200TX, and 8400TX models. TIP-70557

Known issues

Description Reference

Performing a system shutdown on a 2200T device using the SMS or the CLI causes the system to reboot instead of keeping the system powered down. SEG-115592

When you insert a 40 Gbps bypass module (BIOM) into a TX-Series TPS device that has not been upgraded to at least TOS v5.2.0, the module health status LED indicates that the module has experienced a fault (solid amber). To recover from this state:
1. Upgrade the device to TOS v5.2.0 or later.
2. After the upgrade, perform a full reboot of the device.
3. Disable bypass on all BIOMs by selecting the normal option:
• SMS: From the Device menu, click the device and select Device
Configuration -> HA (High Availability) -> Zero Power HA.
• LSM: Select System -> High Availability -> Zero-Power HA.
• CLI: high-availability zero-power (bypass｜normal)
(slot｜all) TIP-33655

SSL inspection cannot occur when web mode is enabled. By default, web mode is disabled. TIP-64243

1G fiber module does not support auto-negotiation. SMS will currently report auto-negotiation as enabled; however, any changes from SMS, LSM, or CLI will not take effect. TIP-66924

For optimal performance of URL filtering and other memory intensive features running on a vTPS in Normal mode, configure 16 GB of RAM. TIP-33876

In rare occurrences, the TPS does not decrypt sites and the connection will be blocked. If this occurs for sites that must be accessed, navigate to Profiles > Shared Settings > SSL > Client > Decryption Policies > Domains on your SMS and specify those sites in the do-notdecrypt list. TIP-45656
TIP-49103

Deploying a vTPS in Performance mode fails when using version 6.7 of the ESXi Hypervisor. Workaround: To successfully complete a deployment in Performance mode using ESXi 6.7,follow these steps:
1. Deploy the vTPS in Normal mode.
2. Shut down the vTPS virtual appliance. If the appliance is managed, you can also shut it down from the SMS client by right-clicking the device on the Devices page and selecting Edit > Device Configuration.
3. Configure the vTPS parameters to 6 vCPUs and 16 GB memory.
4. Reboot the vTPS virtual appliance. The SMS automatically recognizes the resource allocation and changes to Performance mode.
5. Examine the output of the show version command to confirm that the device is now running in Performance mode. SEG-76770

System logs do not indicate when the state of a transceiver changes. TIP-39167

The TPS presents an untrusted certificate warning for some websites because it cannot verify the certificate chain. Administrators of these websites might not be aware that their sites are not configured with a proper certificate chain, since most browsers have developed ways to automatically work around this issue. Consider the following options for accessing such a website:
• Use mechanisms specific to your browser to bypass the Untrusted certificate warning (for example, add an exception or proceed to the site anyway)
• Have your administrator manually download an intermediate certificate, upload it to your device, and add it the Trust Store on your SMS.
• Consider providing feedback to the website to inform its administrators that their site employs a misconfigured certificate chain. TIP-37062

https://docs.trendmicro.com/all/tip/tps/v5.5.2/en-us/TPS_552_Release_Notes.pdf

Description	Reference
This release fixes an issue that caused an Unable to fetch ips-profile list to validate configuration system log message.	TIP-67191 SEG-111905
After upgrading to v5.5.0, some customers experienced unexpected packet blocks for filter 7704, which triggered further transmissions. This issue is fixed in this release.	TIP-70597 SEG-119519
This release fixes a rare task crash that some devices experienced during high traffic load while processing a TLS handshake.	TIP-69516 SEG-116764
Some devices failed to provide any SNMP interface statistics, and SNMP statistics for 40 GB IOMs were not handling unpopulated interfaces in an IOM slot correctly. This issue is fixed in this release.	TIP-65670 SEG-95791
This release fixes an issue that caused some customers to report unexplainable license utilization statistics.	TIP-70454
The maximum transmission unit (MTU) increased from 9050 to 9234 bytes on the 1100TX,5500TX, 8200TX, and 8400TX models.	TIP-70557

Description	Reference
Performing a system shutdown on a 2200T device using the SMS or the CLI causes the system to reboot instead of keeping the system powered down.	SEG-115592
When you insert a 40 Gbps bypass module (BIOM) into a TX-Series TPS device that has not been upgraded to at least TOS v5.2.0, the module health status LED indicates that the module has experienced a fault (solid amber). To recover from this state: 1. Upgrade the device to TOS v5.2.0 or later. 2. After the upgrade, perform a full reboot of the device. 3. Disable bypass on all BIOMs by selecting the normal option: • SMS: From the Device menu, click the device and select Device Configuration -> HA (High Availability) -> Zero Power HA. • LSM: Select System -> High Availability -> Zero-Power HA. • CLI: high-availability zero-power (bypass｜normal) (slot｜all)	TIP-33655
SSL inspection cannot occur when web mode is enabled. By default, web mode is disabled.	TIP-64243
1G fiber module does not support auto-negotiation. SMS will currently report auto-negotiation as enabled; however, any changes from SMS, LSM, or CLI will not take effect.	TIP-66924
For optimal performance of URL filtering and other memory intensive features running on a vTPS in Normal mode, configure 16 GB of RAM. TIP-33876
In rare occurrences, the TPS does not decrypt sites and the connection will be blocked. If this occurs for sites that must be accessed, navigate to Profiles > Shared Settings > SSL > Client > Decryption Policies > Domains on your SMS and specify those sites in the do-notdecrypt list.	TIP-45656 TIP-49103
Deploying a vTPS in Performance mode fails when using version 6.7 of the ESXi Hypervisor. Workaround: To successfully complete a deployment in Performance mode using ESXi 6.7,follow these steps: 1. Deploy the vTPS in Normal mode. 2. Shut down the vTPS virtual appliance. If the appliance is managed, you can also shut it down from the SMS client by right-clicking the device on the Devices page and selecting Edit > Device Configuration. 3. Configure the vTPS parameters to 6 vCPUs and 16 GB memory. 4. Reboot the vTPS virtual appliance. The SMS automatically recognizes the resource allocation and changes to Performance mode. 5. Examine the output of the show version command to confirm that the device is now running in Performance mode.	SEG-76770
System logs do not indicate when the state of a transceiver changes.	TIP-39167
The TPS presents an untrusted certificate warning for some websites because it cannot verify the certificate chain. Administrators of these websites might not be aware that their sites are not configured with a proper certificate chain, since most browsers have developed ways to automatically work around this issue. Consider the following options for accessing such a website: • Use mechanisms specific to your browser to bypass the Untrusted certificate warning (for example, add an exception or proceed to the site anyway) • Have your administrator manually download an intermediate certificate, upload it to your device, and add it the Trust Store on your SMS. • Consider providing feedback to the website to inform its administrators that their site employs a misconfigured certificate chain.	TIP-37062