New features and changes
This section describes new features or enhancements in the Network Security 10.0.2 release.
- Support for file IOC inspection of file uploads (HTTP POST)
  - File IOC inspection is supported for HTTP and HTTPS POST file uploads.
  - File inspection is supported for multipart/form-data uploads.
  Note
  This feature is supported for HTTP/1.x only.
  When multiple files are uploaded in a single session, NX appliances inspect and analyze only the first file in the upload session. If that first file is identified as malicious and the appliance is configured for blocking, the NX appliance stops the upload for all files in that session.
- Support for Gigamon Azure-GigaVUE V Series VMs
  Gigamon Azure-GigaVUE V Series VMs can be used with NX virtual machines in TAP mode. All traffic is mirrored from the G-vTAP Agent to the Trellix Network Security virtual machine.
- Support for NVGRE inspection
  The NX appliance now inspects and processes NVGRE packets. NVGRE packets increment the existing GRE packet counter; there is no separate NVGRE counter. When the GRE whitelist feature is enabled, NVGRE packets are whitelisted along with plain GRE.
- Support for the Azure Gateway Load Balancer on virtual NX
  You can now deploy a virtual NX appliance in inline mode behind the new Azure Gateway Load Balancer (GWLB). The GWLB intercepts the traffic flow between an Instance Level Public IP (ILPIP) or the front end of a public load balancer and the Network Virtual Appliance (NVA) deployed in another virtual network.
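The two encapsulations above, NVGRE and the VXLAN tunnels the Azure GWLB uses toward the NVA, as an added example that is not part of the release notes or of Trellix code. It classifies constructed sample frames, tells the GWLB internal and external tunnel apart by their (UDP port, VNI) pair, and counts NVGRE on the shared GRE counter with the GRE whitelist applied, as the notes describe. The default port and VNI values (10800/800 and 10801/801) are assumptions taken from Azure's documented GWLB defaults; on the appliance they are whatever the fe-fastpath vxlan in-port/in-vni/ex-port/ex-vni parameters are set to.

```python
"""Classify VXLAN (Azure GWLB tunnel) and NVGRE encapsulated frames.

Added example, not Trellix code. The GWLB inline path identifies the
internal and external tunnel by the (UDP port, VNI) pair; NVGRE packets
land on the shared GRE counter and fall under the GRE whitelist. Default
port/VNI values are assumptions (Azure's documented GWLB defaults).
"""
import struct
from collections import Counter

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
IPPROTO_GRE = 47
NVGRE_PROTO = 0x6558   # GRE protocol type: Transparent Ethernet Bridging (RFC 7637)
VXLAN_FLAG_I = 0x08    # "I" flag: VNI field is valid
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


class Fastpath:
    def __init__(self, in_port=10800, in_vni=800, ex_port=10801, ex_vni=801,
                 gre_whitelist=False):
        self.tunnels = {(in_port, in_vni): "internal", (ex_port, ex_vni): "external"}
        self.gre_whitelist = gre_whitelist
        self.counters = Counter()

    def classify(self, frame: bytes) -> dict:
        """Return a dict describing the outer encapsulation of an Ethernet frame."""
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            self.counters["other"] += 1
            return {"kind": "other"}
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto, payload = ip[9], ip[ihl:]
        if proto == IPPROTO_UDP:
            return self._vxlan(payload)
        if proto == IPPROTO_GRE:
            return self._gre(payload)
        self.counters["other"] += 1
        return {"kind": "other"}

    def _vxlan(self, udp: bytes) -> dict:
        _sport, dport, _length, _csum = struct.unpack("!HHHH", udp[:8])
        vx = udp[8:]
        # VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)
        if len(vx) < 8 or not vx[0] & VXLAN_FLAG_I:
            self.counters["other"] += 1
            return {"kind": "udp", "action": "bypass"}
        vni = int.from_bytes(vx[4:7], "big")
        side = self.tunnels.get((dport, vni))
        if side is None:                       # VXLAN, but not one of the GWLB tunnels
            self.counters["other"] += 1
            return {"kind": "udp", "action": "bypass"}
        self.counters["vxlan"] += 1
        return {"kind": "vxlan", "side": side, "vni": vni, "inner": vx[8:]}

    def _gre(self, gre: bytes) -> dict:
        flags, proto = struct.unpack("!HH", gre[:4])
        offset = 4
        if flags & GRE_FLAG_C:
            offset += 4                        # checksum + reserved1
        key = None
        if flags & GRE_FLAG_K:
            key = struct.unpack("!I", gre[offset:offset + 4])[0]
            offset += 4
        if flags & GRE_FLAG_S:
            offset += 4                        # sequence number
        # NVGRE (RFC 7637): K set, C and S clear, protocol type 0x6558
        is_nvgre = (proto == NVGRE_PROTO and key is not None
                    and not flags & (GRE_FLAG_C | GRE_FLAG_S))
        self.counters["gre"] += 1              # NVGRE shares the GRE counter
        result = {"kind": "nvgre" if is_nvgre else "gre",
                  "action": "whitelist" if self.gre_whitelist else "inspect",
                  "inner": gre[offset:]}
        if is_nvgre:
            result["vsid"] = key >> 8          # 24-bit Virtual Subnet ID
            result["flow_id"] = key & 0xFF     # 8-bit FlowID
        return result


# Frame builders for constructed sample traffic (not captured data).
def _ipv4_frame(proto: int, payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x02" * 12 + struct.pack("!H", ETH_P_IP) + ip + payload


def vxlan_frame(dport: int, vni: int, inner: bytes = b"\xaa" * 14) -> bytes:
    vx = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(vx) + len(inner), 0)
    return _ipv4_frame(IPPROTO_UDP, udp + vx + inner)


def nvgre_frame(vsid: int, flow_id: int = 0, inner: bytes = b"\xaa" * 14) -> bytes:
    gre = struct.pack("!HHI", GRE_FLAG_K, NVGRE_PROTO, (vsid << 8) | flow_id)
    return _ipv4_frame(IPPROTO_GRE, gre + inner)


def plain_gre_frame(inner: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    return _ipv4_frame(IPPROTO_GRE, struct.pack("!HH", 0, ETH_P_IP) + inner)


if __name__ == "__main__":
    fp = Fastpath(gre_whitelist=True)
    for f in (vxlan_frame(10800, 800), vxlan_frame(10801, 801), vxlan_frame(4789, 800),
              nvgre_frame(5001, 3), plain_gre_frame()):
        print(fp.classify(f))
    print(dict(fp.counters))
```

The classifier only looks at the outer headers; the `inner` bytes it returns are what the inspection engine would actually analyze. A VXLAN packet whose port/VNI pair is not one of the two configured tunnels is deliberately not treated as GWLB traffic, which is the case to check first when inline traffic is not arriving after a GWLB deployment.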
- Configurable parameters for health services
  The health monitoring framework now lets you set custom threshold parameters for health services from the CLI or the Web UI. Thresholds are currently supported for the following services:
  - Submission rate
  - System load
  - System memory
  - Throughput monitor
  The threshold configuration is appliance specific, because the health framework services use different metrics to determine service health.
- Data streaming functionality in sensors
  You can now stream submission metadata from an NX appliance running in sensor mode to external servers such as Splunk or Helix.
  Configure the NX sensor to send submissions to MVX for initial analysis. After analysis, MVX returns the submission details to the NX sensor, which can then stream the required data to the third-party servers.
- Support for script file extraction and blocking
  File inspection is supported for all script and unknown file types (for example text/html, .hta, .bat, and so on) on NX appliances. The feature is disabled by default and must be enabled together with the File IOC feature.
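The HTTP POST upload inspection and the script-file extraction above, as one added example that is not part of the release notes or of Trellix code. It parses a constructed multipart/form-data body, hashes only the first file in the session, looks the SHA-256 up in a constructed IOC set, and blocks the whole session when that first file matches and blocking is on. Which MIME types and extensions count as "script/unknown", and what happens to a script first file while script-file inspection is disabled, are assumptions of this example.

```python
"""Inspect the file parts of an HTTP/1.x multipart/form-data upload.

Added example, not Trellix code. It models the behaviour the notes
describe: only the first file in the upload session is hashed and checked
against file IOCs; script/unknown types (text/html, .hta, .bat, ...) are
only inspected when script-file inspection is enabled; a malicious first
file blocks the whole session when blocking is configured. The IOC set,
the request body and the type lists are constructed sample data.
"""
import hashlib
import re

SCRIPT_TYPES = {"text/html", "text/plain", "application/hta", "application/x-bat"}
SCRIPT_EXTS = {".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".html", ".htm"}


def parse_multipart(body: bytes, boundary: bytes):
    """Yield (filename, content_type, data) for every part carrying a file."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if m:                                  # parts without filename= are plain form fields
            yield m.group(1), headers.get("content-type", "application/octet-stream"), data


def is_script_type(filename: str, content_type: str) -> bool:
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    mime = content_type.split(";")[0].strip().lower()
    return mime in SCRIPT_TYPES or ext in SCRIPT_EXTS


def inspect_upload(body: bytes, boundary: bytes, ioc_sha256: set,
                   script_inspect: bool = False, blocking: bool = False) -> dict:
    """Verdict for one upload session: only the first file is analysed."""
    for filename, ctype, data in parse_multipart(body, boundary):
        if is_script_type(filename, ctype) and not script_inspect:
            # Assumption: with script-file inspection off the first file is
            # skipped and, as the notes say, no later file is inspected either.
            return {"inspected": filename, "verdict": "skipped", "action": "allow"}
        digest = hashlib.sha256(data).hexdigest()
        malicious = digest in ioc_sha256
        return {"inspected": filename, "sha256": digest,
                "verdict": "malicious" if malicious else "clean",
                "action": "block-session" if malicious and blocking else "allow"}
    return {"inspected": None, "verdict": "no-file", "action": "allow"}


# Constructed sample request: two files in one session, the first a .hta.
BOUNDARY = b"----ExampleBoundary7MA4YWxk"
MALICIOUS_HTA = b'<html><script>new ActiveXObject("WScript.Shell");</script></html>'
IOC_SHA256 = {hashlib.sha256(MALICIOUS_HTA).hexdigest()}   # constructed IOC feed entry


def _part(name: str, filename: str, ctype: str, data: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            + f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'.encode()
            + f"Content-Type: {ctype}\r\n\r\n".encode() + data + b"\r\n")


SAMPLE_BODY = (_part("file1", "invoice.hta", "application/hta", MALICIOUS_HTA)
               + _part("file2", "notes.txt", "text/plain", b"meeting at 10")
               + b"--" + BOUNDARY + b"--\r\n")

if __name__ == "__main__":
    print(inspect_upload(SAMPLE_BODY, BOUNDARY, IOC_SHA256))
    print(inspect_upload(SAMPLE_BODY, BOUNDARY, IOC_SHA256, script_inspect=True, blocking=True))
```

The second file is parsed but never hashed, which is the point of the note above: a malicious file placed second in a multi-file session is not seen by this inspection path. The hash the example computes is the value you would pass to `show analysis intel sha256 <sha256>` to check what the intel feed knows about the file.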
- Support for Inbound SSL functionality
  NX appliances now support Inbound SSL using a reverse proxy approach. In this mode the NX appliance presents the original server's SSL certificate rather than an emulated one. The certificate's private key is imported into the NX appliance and selected in the SSL settings.
  In addition, CIDR rules have been enhanced to support the Inbound SSL feature. A rule now carries a "Match" condition that controls which traffic it applies to: 'match-source', 'match-destination' or 'either'.
  Notice
  Trellix strongly recommends that you perform SSL Intercept configuration changes directly in the NX Web UI rather than through the Central Management System interface, because of a known issue in the current Central Management System release: in Central Management System release 10.0.2, the SSL Settings page may load intermittently and may display incorrect data.
General Enhancements
- Mira Security ETO support for AWS GWLB
  SSL traffic from the AWS Gateway Load Balancer can now be decrypted by Mira Security's Encrypted Traffic Orchestrator (ETO) appliance, and the decrypted traffic mirrored to an NX appliance configured in TAP mode. The NX appliance does not currently support inline mode for decrypted mirrored traffic.
- The links on the deployment check page in the Network Security Web UI now point to the host "fedeploycheck.fireeye.com", which is now IPv6 capable. A secondary link also enables IPv6 communication.
- The triage bundle and log archive password has been changed to "Trellix Customer Support Archive".
- VMware ESXi host versions 7.0 and 8.0 are supported. Versions 6.7 and below are no longer supported.
New, modified and deprecated CLI commands
The CLI commands in this section were added in this release.
- New CLIs
  - The following CLI configures the ports and VXLAN identifiers for the Azure Gateway Load Balancer in inline deployments of virtual Network Security appliances:
    [no] fe-fastpath vxlan in-port <inPort> in-vni <inVni> ex-port <exPort> ex-vni <exVni>
  - The following CLI displays the current Azure Gateway Load Balancer configuration for inline deployments of virtual Network Security appliances:
    show fe-fastpath vxlan config
  - The following CLI enables or disables script-file extraction:
    [no] bottracker file-inspect script-file enable
  - The following CLI displays the statistics of the file inspection feature (enabled or disabled):
    show bottracker file-inspect stats
- CLIs to search details of intel feeds
  Use the following CLIs to search the details of the corresponding intel feeds.
  - show analysis intel url <URL>: Displays intel information for the specified URL.
  - show analysis intel sha256 <sha256>: Displays intel information for the specified SHA-256 hash.
  - show analysis intel md5 <md5>: Displays intel information for the specified MD5 hash.
- Alert retention period and deletion cron execution time CLIs
  - fedb data-retention alert duration-days <1-3650>: Configures the fedb alert data retention duration (in days).
  - fedb data-retention alert schedule-time <00-23:00-59>: Configures the time (HH:MM) at which the fedb retention purge runs.
  - show fedb data-retention alert configuration: Displays the data retention duration and purge schedule.
- Inbound SSL interface CLIs
  - policymgr ssl-intercept config reverse-proxy enable: Enables or disables reverse-proxy mode.
  - policymgr ssl-intercept config certificate server <name>: Adds an imported certificate to the ssl-intercept server certificates.
  - policymgr ssl-intercept network ip <IPv4>/<prefix>|any vlan <vlan-id> interface <interface> decrypt|pass-through [match-source|match-destination]: Adds a rule to a network policy that decrypts or passes through HTTPS traffic for the specified IPv4 address and prefix, matching on the source IP address, the destination IP address, or either.
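The "Match" conditions on Inbound SSL CIDR rules, both as described under the Inbound SSL feature above and as taken by the policymgr ssl-intercept network command, as an added example that is not part of the release notes or of Trellix code. It parses rule lines in the command's syntax and evaluates a flow against them. Ordered first-match evaluation, the pass-through default when no rule matches, the interface name pether3 and the sample networks are assumptions of this example.

```python
"""Evaluate Inbound SSL CIDR rules with match-source / match-destination.

Added example, not Trellix code. It models the rule form
  policymgr ssl-intercept network ip <IPv4>/<prefix>|any vlan <vlan-id>
      interface <interface> decrypt|pass-through [match-source|match-destination]
and the three "Match" conditions from the notes. Ordered first-match
evaluation, the pass-through default when nothing matches, and the
interface name pether3 are assumptions of this example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    network: str            # "203.0.113.0/24" or "any"
    vlan: int
    interface: str
    action: str             # "decrypt" or "pass-through"
    match: str = "either"   # "match-source", "match-destination" or "either"

    def matches(self, src: str, dst: str, vlan: int, interface: str) -> bool:
        if vlan != self.vlan or interface != self.interface:
            return False
        if self.network == "any":
            return True
        net = ipaddress.ip_network(self.network, strict=False)
        in_src = ipaddress.ip_address(src) in net
        in_dst = ipaddress.ip_address(dst) in net
        return {"match-source": in_src,
                "match-destination": in_dst,
                "either": in_src or in_dst}[self.match]


def parse_rule(cmd: str) -> Rule:
    """Build a Rule from one policymgr ssl-intercept network command line."""
    t = cmd.split()
    i = t.index("ip")
    if t[i + 2] != "vlan" or t[i + 4] != "interface" or t[i + 6] not in ("decrypt", "pass-through"):
        raise ValueError(f"unexpected rule syntax: {cmd}")
    match = t[i + 7] if len(t) > i + 7 else "either"   # no option given: either side
    if match not in ("match-source", "match-destination", "either"):
        raise ValueError(f"unknown match condition: {match}")
    return Rule(t[i + 1], int(t[i + 3]), t[i + 5], t[i + 6], match)


def decide(rules, src: str, dst: str, vlan: int, interface: str,
           default: str = "pass-through") -> str:
    """First matching rule wins; unmatched flows fall back to the default."""
    for rule in rules:
        if rule.matches(src, dst, vlan, interface):
            return rule.action
    return default


# Constructed policy: a web farm on 203.0.113.0/24 behind the reverse proxy,
# a monitoring subnet whose sessions stay opaque, and a catch-all.
POLICY = [parse_rule(c) for c in (
    "policymgr ssl-intercept network ip 198.51.100.0/24 vlan 100 interface pether3 pass-through match-source",
    "policymgr ssl-intercept network ip 203.0.113.0/24 vlan 100 interface pether3 decrypt match-destination",
    "policymgr ssl-intercept network ip any vlan 100 interface pether3 pass-through",
)]

if __name__ == "__main__":
    for src, dst in (("192.0.2.7", "203.0.113.10"), ("203.0.113.10", "192.0.2.7"),
                     ("198.51.100.5", "203.0.113.10")):
        print(src, "->", dst, decide(POLICY, src, dst, 100, "pether3"))
```

The second flow in the usage block is the one the match condition exists for: a server in the farm opening an outbound TLS session is not matched by a match-destination rule, so it is not decrypted with the inbound server key, whereas the same rule written without a match option (either) would decrypt it.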
Upgrade support
The Trellix Network Security 10.0.2 release requires a reboot for the update to take effect. You can upgrade your NX appliance to 10.0.2 from release 9.0.0 or later.
IPMI and BIOS firmware updates are required for the Network Security 2550 model. See the section "Upgrading IPMI 3.11 and BIOS 1.9 Firmware for Specific Platforms" below.
Note
After an upgrade to version 10.0.2, certain processes will be in a pending state until new security content is downloaded and installed. See the following section, "Download the security content bundle".
Caution
If your Network Security appliance is running in CC-NDcPP compliance mode and the Web Server CA certificate (or one of the supplemental CA trust certificates added to the configuration) expires, the configuration database will fail to commit when the appliance is rebooted, resulting in a nonrecoverable error. If this happens, reset the appliance to factory default settings.
Note
- Submissions from Network Security appliances configured in hybrid mode are no longer sent to Cloud MVX.
- Network Security appliances configured in hybrid mode offload overflow submissions to the connected on-premises cluster.
Migrating inline policy exceptions and IPS policy exceptions
Download the security content bundle
After the upgrade, certain processes will be in a pending state until new security content is downloaded and installed. The security content is downloaded and installed automatically for online customers. Offline customers must manually download and install the new security content after upgrading appliances to release 10.0.2.
Downloading content from the DTI offline update portal
If you download Network Security 10.0 security content from the DTI Offline Update Portal, use the SCNET-8.0 channel of the portal.
Caution
Downloading security content from a different channel will result in a loss of detection.
For details, see the Trellix DTI Offline Update Portal User Guide.
Upgrading IPMI 3.11 and BIOS 1.9 firmware for specific platforms
YARA rules supported versions
YARA rules support version 4.3.2.
Important
Before you upgrade a Network Security appliance to the 10.0.0 release, update any custom YARA rules to YARA 4.3.2 syntax. For details about YARA 4.3.2, see YARA's Documentation, Release 4.3.2 by Victor Alvarez.
Enabling access to intel content