
Network Security 10.x Release Notes
Contents

10.0.2 Release Notes
10.0.1 Release Notes
10.0.0 Release Notes
    New features and changes
    New, modified, or deprecated CLI commands
    Resolved issues
    Known issues
    Disable SAML in a Helix environment
    Upgrade support
        Migrating inline policy exceptions and IPS policy exceptions
        Download the security content bundle
        Downloading content from the DTI offline update portal
        Upgrading IPMI 3.11 and BIOS 1.9 firmware for specific platforms
        YARA rules supported versions
        Enabling access to intel context


1 | 10.0.2 Release Notes


New features and changes

This section describes new features or enhancements in the Network Security 10.0.2 release.

• Support for file IOC inspection of file uploads (HTTP POST)

File IOC inspection is supported for HTTP and HTTPS POST file uploads, including multipart/form-data uploads.

Note

This feature is supported for HTTP/1.x only.

When multiple files are uploaded in a single session, the NX appliance inspects and analyzes only the first file in the
upload session. If that first file is identified as malicious and the appliance is configured for blocking, the appliance
stops the upload for all files in that session.

• Support for Gigamon Azure GigaVUE V Series VMs

Use Gigamon Azure GigaVUE V Series VMs with NX virtual machines in TAP mode. All traffic is mirrored from the
G-vTAP Agent to the Trellix Network Security virtual machine.

• Support for NVGRE inspection

The NX appliance now inspects and processes NVGRE packets. It increments the GRE packet counter rather than
maintaining a separate counter for NVGRE packets. In addition, when the GRE whitelist feature is enabled, NVGRE
packets are also whitelisted.

• Support for the Azure Gateway Load Balancer on virtual NX

You can now deploy a virtual NX appliance in inline mode behind the new Azure Gateway Load Balancer (GWLB). The GWLB
intercepts network traffic between the Instance Level Public IP (ILPIP) or the front ends of a public load balancer and
the Network Virtual Appliance (NVA) deployed in another virtual network.

• Configurable threshold parameters for health services

The health monitoring framework now lets you set custom threshold parameters for health services using the CLI or
the Web UI. Currently, this is supported for the following services:

Submission rate
System load
System memory
Throughput monitor

The threshold configuration is appliance specific, because the health framework services use different metrics to
determine service health.

Network Security 10.x Release Notes 3



• Data streaming from sensors

You can now stream submission metadata from an NX running in sensor mode to external servers such as Splunk or
Helix. You can configure the NX sensor to send submissions to MVX for initial analysis. After analysis, MVX returns the
submission details to the NX sensor, which can then stream the required data to the third-party servers.

• Support for script file extraction and blocking

File inspection is supported for all script and unknown file types (for example, text/html, .hta, and .bat) on the NX
appliance. The feature is disabled by default and should be enabled along with the File IOC feature.

• Support for Inbound SSL

NX appliances now support Inbound SSL inspection using a reverse-proxy approach. The NX appliance presents the
original server's SSL certificate rather than emulating it: the server certificate's private key is imported into the NX
appliance and selected in the SSL settings.

In addition, CIDR rules have been enhanced to support the Inbound SSL feature. You can specify a "Match" condition
that controls how a rule is applied to traffic: 'match-source', 'match-destination', or 'either'.

Note

Trellix strongly recommends that you make SSL Intercept configuration changes directly in the NX Web UI instead of in
the Central Management System interface, because of a known issue in the current Central Management System release.
In Central Management System release 10.0.2, the SSL Settings page may experience intermittent loading issues and
may display incorrect data.
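The first-file behaviour described above for multipart uploads is worth verifying before relying on blocking. The following is an added example, not Trellix code: it builds a constructed two-file multipart/form-data body and picks out the part the appliance would inspect, assuming that "first file" means the first part whose Content-Disposition header carries a filename parameter (plain form fields ahead of it do not count). Swapping the order of the two file parts in constructed_upload() is the test a practitioner would run to confirm that a file placed second is not inspected.

```python
"""Build a constructed two-file multipart/form-data upload and show which part
the appliance inspects. Added example, not Trellix code. Assumption: the
"first file" is the first part whose Content-Disposition carries a filename
parameter; plain form fields ahead of it do not count."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    body: bytes


# (form field name, filename or None for a plain field, Content-Type, body)
Field = Tuple[str, Optional[str], str, bytes]


def build_multipart(boundary: str, fields: List[Field]) -> bytes:
    """Encode fields as a multipart/form-data body (RFC 7578 layout, CRLF line ends)."""
    out = bytearray()
    for name, filename, ctype, body in fields:
        disp = f'form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out += f"--{boundary}\r\nContent-Disposition: {disp}\r\nContent-Type: {ctype}\r\n\r\n".encode()
        out += body + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Split a multipart body on its boundary and decode each part's headers."""
    delim = f"--{boundary}".encode()
    parts: List[Part] = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):               # the CRLF before the next delimiter is not part of the data
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|;\s*)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append(Part(name.group(1) if name else "",
                          fname.group(1) if fname else None,
                          headers.get("content-type"), data))
    return parts


def first_file_part(parts: List[Part]) -> Optional[Part]:
    """The only part the appliance inspects when a session carries several files."""
    return next((p for p in parts if p.filename is not None), None)


def constructed_upload() -> Tuple[bytes, str]:
    """A constructed upload: a text field, a benign text file, then a test payload."""
    boundary = "----nxtest7f3a"
    fields: List[Field] = [
        ("comment", None, "text/plain", b"constructed upload for inspection testing"),
        ("files", "readme.txt", "text/plain", b"harmless text"),
        ("files", "payload.bin", "application/octet-stream", b"\x7fELF-constructed-test-payload"),
    ]
    return build_multipart(boundary, fields), boundary


if __name__ == "__main__":
    body, boundary = constructed_upload()
    parts = parse_multipart(body, boundary)
    inspected = first_file_part(parts)
    print("files in session:", [p.filename for p in parts if p.filename])
    print("inspected by the appliance:", inspected.filename)
    print("not inspected:", [p.filename for p in parts if p.filename and p is not inspected])
```

Only readme.txt would be inspected for the upload above; payload.bin rides through uninspected, and because this is HTTP/1.x only, the same upload over HTTP/2 is not inspected at all.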

General Enhancements

• Mira Security ETO support for AWS GWLB


The SSL traffic from the AWS gateway load balancer can now be decrypted using Mira Security's Encrypted Traffic
Orchestrator (ETO) appliance. Also, the traffic will be mirrored to NX appliance configured in TAP mode. However,
currently the NX appliance does not support Inline mode for decrypted mirrored traffic.
• The links on the deployment check page in the Network Security Web UI now point to the host
"fedeploycheck.fireeye.com", which is now IPv6 capable. A secondary link also enables IPv6 communication.
• Triage bundle and Log archive password has been changed to "Trellix Customer Support Archive".
• VMware ESXi host version 7.0 and 8.0 are supported. Versions 6.7 and below are no longer supported.

New, modified and deprecated CLI commands

The CLI commands in this section were added in this release.

• New CLIs


The following CLI configures the ports and identifiers for the Azure Gateway Load Balancer for inline deployment in
virtual Network Security appliances:

[no] fe-fastpath vxlan in-port <inPort> in-vni <inVni> ex-port <exPort> ex-vni <exVni>

The following CLI displays the current Azure Gateway Load Balancer configuration for inline deployment in virtual
Network Security appliances:

show fe-fastpath vxlan config

The following CLI enables or disables script-file extraction:

[no] bottracker file-inspect script-file enable

The following CLI displays the statistics of the file inspection feature (enabled or disabled):

show bottracker file-inspect stats

• CLIs to search the details of intel feeds

Use the following CLIs to search the details of the corresponding intel feeds:

show analysis intel url <URL>
    Displays intel information for the specified URL.

show analysis intel sha256 <sha256>
    Displays intel information for the specified SHA256 hash.

show analysis intel md5 <md5>
    Displays intel information for the specified MD5 hash.

• Alert retention period and deletion cron execution time CLIs

fedb data-retention alert duration-days <1-3650>
    Configures the Fedb data retention duration (in days).

fedb data-retention alert schedule-time <00-23:00-59>
    Configures the Fedb data retention schedule time (HH:MM).

show fedb data-retention alert configuration
    Displays the data retention duration and purge schedule.

• Inbound SSL CLIs

policymgr ssl-intercept config reverse-proxy enable
    Enables or disables reverse-proxy mode.

policymgr ssl-intercept config certificate server <name>
    Adds imported certificate(s) to the ssl-intercept server certificates.

policymgr ssl-intercept network ip <IPv4>/<prefix>|any vlan <vlan-id> interface <interface> decrypt|pass-through [match-source|match-destination]
    Adds a rule to a network policy that decrypts or passes through HTTPS traffic for the specified IPv4 address and
    prefix, matching the rule against the source IP address, the destination IP address, or either.
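The match option decides which end of a flow the CIDR is compared against, and that matters in a reverse-proxy deployment because the appliance holds only the protected server's key. The following is an added example, not Trellix code, that evaluates a constructed rule set the way the options above are described. It assumes, because the notes do not say, that rules are evaluated top-down with first match winning, that a rule with no match option behaves as 'either', and that a flow matching no rule is passed through.

```python
"""Evaluate Inbound SSL CIDR rules with the match-source / match-destination /
either options. Added example, not Trellix code. Assumptions (not stated in the
notes): rules are evaluated top-down and the first match wins; a rule with no
match option behaves as "either"; a flow that matches no rule is passed through."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    network: str                 # "10.10.0.0/24" or "any"
    action: str                  # "decrypt" or "pass-through"
    match: str = "either"        # "match-source", "match-destination", "either"


def _contains(network: str, ip: str) -> bool:
    if network == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def decide(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule) for a src->dst flow; None when no rule matched."""
    for rule in rules:
        if rule.match == "match-source":
            hit = _contains(rule.network, src_ip)
        elif rule.match == "match-destination":
            hit = _contains(rule.network, dst_ip)
        elif rule.match == "either":
            hit = _contains(rule.network, src_ip) or _contains(rule.network, dst_ip)
        else:
            raise ValueError(f"unknown match option: {rule.match!r}")
        if hit:
            return rule.action, rule
    return "pass-through", None


# Constructed policy for a reverse-proxy deployment in front of web servers in
# 10.10.0.0/24 whose certificate and key were imported. A partner network is
# exempted from decryption, and everything else is left alone.
INBOUND_RULES = [
    Rule("203.0.113.0/24", "pass-through", "match-source"),
    Rule("10.10.0.0/24", "decrypt", "match-destination"),
    Rule("any", "pass-through"),
]

# The same CIDR with "either": it also selects connections the web server itself
# opens to the outside, for which the imported server key is useless.
EITHER_RULES = [Rule("10.10.0.0/24", "decrypt", "either")]


if __name__ == "__main__":
    flows = [("198.51.100.7", "10.10.0.5"),   # client -> protected server
             ("203.0.113.9", "10.10.0.5"),    # partner -> protected server
             ("10.10.0.5", "198.51.100.7")]   # protected server -> internet
    for src, dst in flows:
        print(f"{src} -> {dst}: match-destination policy={decide(INBOUND_RULES, src, dst)[0]}, "
              f"either policy={decide(EITHER_RULES, src, dst)[0]}")
```

The third flow is the one to watch: with match-destination the server's own outbound HTTPS is passed through, whereas the 'either' form would select it for decryption with a key that cannot terminate it.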

Resolved issues

The following issues were resolved in the Trellix Network Security 10.0.2 release.


Tracking number   Summary

CMS-17212         Fixes an issue where a managed appliance, such as NX, could not reconnect to CMS after a client-initiated connection was interrupted.

COM-62368         Fixes an issue where adding a root CA failed in rare cases.

COM-62263         Fixes an issue where enabling NTP affected backup, reset, and restore functionality because of restrictions on timezone changes.

COM-62194         Fixes an issue where the custom whitelist failed when SHA256 hashes containing uppercase characters were added.

COM-62177         Fixes an issue where the NX appliance tried to reach 8.8.8.8 through an IP address that was not configured as a DNS server.

COM-62262         Fixes an issue where DUED was still using a proxy for container downloads when connected to Central Management System.

COM-62213         Fixes an issue in the localsig service, which generated local signatures when custom-configured riskware file types were observed by the file analysis engine.

COM-62169         Fixes an issue where users could not add further custom SHA256 hashes to their blacklist after reaching approximately 300 entries.

COM-31551         Fixes an issue with log archive creation.

WEBMPS-53755      Fixes an issue where NX as an ICAP server did not return any response code for new connections once the maximum number of connections was reached. The appliance now returns a 503 response code.

WEBMPS-53753      Fixes an issue where the third-party feed hash count did not increment after the appliance was upgraded to release 10.0.1.

WEBMPS-53748      Fixes an issue where the messages log file on the NX appliance stored an excessive number of domain whitelist log entries.

WEBMPS-53737      Fixes an issue where the IPS event filter displayed a warning message for a non-IPS signature.

WEBMPS-53734      Fixes an issue where, in a malware object event, the Dynamic: Malicious alert did not expand to its tree view.

WEBMPS-53721      Fixes an issue where fp-rte crashed because of zvelo, with the resulting corruption causing further frequent fp-rte crashes on the NX appliance.

WEBMPS-53663      Fixes an issue where the REST API returned 500 because of the client encoding error "UTF8": 0x89.

WEBMPS-27219      Fixes an issue where the monitored traffic graph was flat after NX was upgraded to release 10.0.1.

WEBMPS-27201      Fixes an issue where TLS connections were bypassed by the NX appliance because of recent updates in the Chrome and Edge browsers.

WEBMPS-27195      Fixes an issue with IPS event notification performance.

WEBMPS-27156      Fixes an issue where the appliance observed an unexpected failure of the fp-rte process.

WEBMPS-27149      Fixes an issue with custom IOC changes; a maximum of 128 feeds per feed type, including SC feeds, is supported.

WEBMPS-27081      Fixes an issue where NX restarted when the serial console was connected.

WEBMPS-27076      Fixes an issue with localsig detection for Host IP:Port.

WEBMPS-26984      Fixes an issue where a mismatch in the interface information in IPS event details was observed when "IPS Blockmode All" was enabled.

WEBMPS-26969      Fixes an issue where port negation was not working for IPS rules.

Known Issues

The following issues are known in the Trellix Network Security 10.0.2 release.

Tracking number   Summary

CMS-32420         The Web UI changes for SSL Inbound settings are not supported on the 10.0.2 Central Management System. This will be addressed in the next release.

COM-30656         The negation symbol '!' does not work before the hostname or the username in the deny user list.

COM-31165         The gisettings API does not restrict the maximum number of inputs for a field to 10.

WEBMPS-24391      On a virtual Network Security appliance on Hyper-V, modifying the MTU value affects inline traffic. Traffic is reinstated when fe_fastpath_mgr is restarted.

WEBMPS-24484      IPS alerts for brute force login attempts do not include the appID, although the appID is detected.

WEBMPS-24541      The CLI does not return any errors when you add a duplicate of an existing configuration for Whitelist and Homenet IP, or when you delete a configuration that does not exist.

WEBMPS-26159      The Network Security appliance cannot stream data to the Splunk server via a proxy when SSL is enabled on the Splunk server.

Disable SAML in a Helix environment

SAML and HelixConnect are mutually exclusive. If the HelixConnect client is enabled on the Network Security appliance, you must
disable SAML authentication and authorization. Otherwise, the appliance will not come up after a system reboot.

For more information, see the Helix Integration Guide for Trellix devices.

• In the Software Requirements section, see “HelixConnect Client Software Requirements”.


• In the HelixConnect Troubleshooting section, see “Disabling SAML Authentication and Authorization”.

Upgrade support

The Trellix Network Security 10.0.2 release requires a reboot for the update to take effect. You can upgrade your NX appliance to
10.0.2 from release 9.0.0 or later.

IPMI and BIOS firmware updates are required for the Network Security 2550 model. See the section "Upgrading IPMI 3.11 and
BIOS 1.9 Firmware for Specific Platforms" below.

Note

After an upgrade to version 10.0.2, certain processes will be in a pending state until new security content is downloaded and
installed. See the following section, "Download the security content bundle".


Caution

If your Network Security appliance is running in CC-NDcPP compliance mode and the Web Server CA certificate (or one of the
supplemental CA trust certificates added to the configuration) expires, the configuration database will fail to commit when
the appliance is rebooted, resulting in a nonrecoverable error. If this happens, reset the appliance to factory default settings.

Note

• Submissions from Network Security configured in hybrid mode will no longer be sent to Cloud MVX.
• Network Security appliances configured in hybrid mode will offload overflow submissions to the connected on-prem
cluster.

Migrating inline policy exceptions and IPS policy exceptions

For Network Security appliances configured with inline policy exceptions or IPS policy exceptions, the upgrade process automatically
migrates the existing policy exceptions to the alert policy exceptions format introduced in release 9.0.2.

Download the security content bundle

After the upgrade, certain processes will be in a pending state until new security content is downloaded and installed. The
security content is downloaded and installed automatically for online customers. Offline customers must manually download
and install the new security content after upgrading appliances to release 10.0.2.

Downloading content from the DTI offline update portal

If you download Network Security 10.0 security content from the DTI Offline Update Portal, use the SCNET-8.0 channel of the
portal.

Caution

Downloading security content from a different channel will result in a loss of detection.

For details, see the Trellix DTI Offline Update Portal User Guide.

Upgrading IPMI 3.11 and BIOS 1.9 firmware for specific platforms

The NX 2550 model requires an upgrade to IPMI 3.11 and BIOS 1.9. You must install the IPMI upgrade before you upgrade the
BIOS. (COM-21016, COM-25601)


For detailed instructions about upgrading IPMI, see the System Administration Guide.

To upgrade IPMI to version 3.11:

Note

IPMI network and password settings revert to factory defaults after this upgrade, and IPMI logs are deleted. Make a note of
your settings and back up your IPMI logs.
Do not shut down or remove power from the appliance during the upgrade.

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Begin the upgrade:

   hostname (config) # ipmi firmware update latest

3. Confirm the upgrade:

   hostname (config) # show ipmi

If the upgrade fails, try the steps again.

If IPMI functions are not fully restored, perform a full power cycle (cold shutdown) of the appliance:

1. Stop the reload process:

   hostname (config) # reload halt

2. Disconnect all power cables for 2 minutes.
3. After 2 minutes, reconnect the power cables and restart the appliance.

To upgrade the BIOS to version 1.9:

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Begin the upgrade:

   hostname (config) # system bios firmware update latest

Note

Do not shut down or remove power from the appliance during the upgrade.

3. Confirm the upgrade:

   hostname (config) # show system bios

4. Stop the reload process:

   hostname (config) # reload halt

5. Disconnect all power cables for 2 minutes.
6. After 2 minutes, reconnect the power cables and restart the appliance.

YARA rules supported versions

YARA rules support version 4.3.2.

Important

Before you upgrade a Network Security appliance to the 10.0.0 release, modify any custom YARA rules to YARA 4.3.2. For
details about YARA 4.3.2, see YARA's Documentation, Release 4.3.2 by Victor Alvarez.

Enabling access to intel content

Advanced Threat Intelligence (ATI) is a cloud-based data collection and threat intelligence distribution feature that provides
actionable information about MVX-verified events on appliances. The threat intelligence tells you who is the threat actor behind
an attack, what has been targeted or breached, and (if known) how to mitigate the threat. The Trellix Research Labs team
continually uploads the latest threat intelligence to the Trellix Dynamic Threat Intelligence (DTI) cloud. When an MVX-verified
event triggers an alert, the appliance queries the DTI server for threat intelligence and stores the additional information in its
database. When you display an ATI alert, the alert details include the threat intelligence.

Appliances now need access to the Amazon Web Services (AWS) cloud for ATI communication. The intel context service is hosted
in multiple AWS regions and resolves to multiple IP addresses based on geographic location. To determine the IP addresses
for your location, go to https://dnschecker.org. See the AWS IP address range documentation for information about adding the
IP addresses to the allow list.
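Turning the resolved addresses into allow-list entries means finding the published AWS prefixes that contain them. The following is an added example, not Trellix code, and it applies equally to the 10.0.1 notes below. The ip-ranges JSON snippet and the resolved addresses in it are constructed stand-ins for the real https://ip-ranges.amazonaws.com/ip-ranges.json file and for what dnschecker.org returns for the service; fetch and resolve those yourself. The code maps each address to the prefixes that contain it, deduplicates prefixes that AWS lists under several services, and flags any address that falls outside AWS space so it is not allow-listed by mistake.

```python
"""Map resolved intel context service addresses to AWS published prefixes for
an allow list. Added example, not Trellix code. SAMPLE_IP_RANGES is a
constructed, abbreviated stand-in for ip-ranges.json and RESOLVED is a
constructed set of DNS answers."""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "18.200.0.0/16", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON"},
    ],
})

# Constructed DNS answers; the last one is deliberately outside AWS space.
RESOLVED = ["52.94.77.10", "18.200.5.6", "2600:1f14:0:1::5", "192.0.2.1"]


def load_prefixes(ip_ranges_json):
    """Return [(network, region, service)] for both the v4 and v6 prefix lists."""
    data = json.loads(ip_ranges_json)
    out = []
    for p in data.get("prefixes", []):
        out.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in data.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return out


def match_resolved(resolved, ip_ranges_json):
    """Return {address: sorted matching prefixes}; an empty list means not AWS."""
    prefixes = load_prefixes(ip_ranges_json)
    result = {}
    for addr in resolved:
        ip = ipaddress.ip_address(addr)
        hits = {str(net) for net, _, _ in prefixes if ip.version == net.version and ip in net}
        result[addr] = sorted(hits)
    return result


def allow_list(matches):
    """Unique prefixes to allow, IPv4 first, each sorted as text."""
    return sorted({p for ps in matches.values() for p in ps}, key=lambda s: (":" in s, s))


def regions_for(matches, ip_ranges_json):
    """Regions the chosen prefixes belong to, for sanity-checking the geography."""
    wanted = set(allow_list(matches))
    return sorted({region for net, region, _ in load_prefixes(ip_ranges_json) if str(net) in wanted})


if __name__ == "__main__":
    m = match_resolved(RESOLVED, SAMPLE_IP_RANGES)
    for addr, ps in m.items():
        print(addr, "->", ps or "NOT in AWS ranges; do not allow-list")
    print("allow list:", allow_list(m))
    print("regions:", regions_for(m, SAMPLE_IP_RANGES))
```

Allow-listing the whole published prefix is broader than the handful of addresses the name resolves to today, which is the trade-off for the list surviving AWS rotating addresses within the prefix; re-run the check when the service's answers change.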



2 | 10.0.1 Release Notes


This section describes the Trellix Network Security 10.0.1 release.

New features and changes

This section describes new features in the Trellix Network Security release 10.0.1.

• General enhancement: ICAP available on the evidence collector

You can now use ICAP on the evidence collector. The Web UI option for ICAP is not available in this release.

• ISTag hash value updated

The ISTag field is part of the ICAP response header. In earlier releases, the ISTag value was a string containing the
appliance ID and the NX software version. The ISTag value is now an MD5 hash computed over a string with the following
syntax:

appliance_id:<appliance_ID>-release_version:<version>-sc_version:<version>-gi_version:<version>

Because the hashed string includes the security content and GI versions, the ISTag changes when content is updated,
which signals to ICAP clients that responses cached under the previous tag are no longer valid.

New, modified and deprecated CLI commands

The CLI command in this section was added in this release.

• New CLI to reset all DTI services credentials


fenet dti credentials reset factory-default

Resets credentials of all the existing DTI services to factory settings.

Resolved issues

The following issues were resolved in the Trellix Network Security 10.0.1 release.

Tracking number   Summary

COM-30410         Fixes an issue by removing the password present in the API response for CMS appliances.

                  The 10.0.1 appliance has upgraded Apache httpd to 2.4.56 to address a known vulnerability (CVE-2022-36760) for products including Malware Analysis, Central Management System, Email Security - Server, File Protect, Network Security, and Intelligent Virtual Execution - Server.

COM-31382         Fixes an issue by adding a mechanism to clean up outdated triage packages.

COM-31477         Fixes an issue where the localsig auto-extend feature was disabled by default, resulting in the removal of localsig rules upon reaching the TTL value.

COM-31481         Fixes an issue that, by default, upgraded all the Network Security appliance applications to the high-security factory default cipher lists.

COM-31650         Fixes an issue that prevented the "show alerts type all detail concise timeframe <>" CLI from displaying alert details.

WEBMPS-26697      Fixes a missing-data issue in the dashboard report for the file analysis statistics widget.

WEBMPS-26810      Fixes an issue where the bandwidth graph did not appear in the Monitored Traffic widget on the Web UI dashboard for NX1500 and vNX1500 appliances, and the CLI "show network stats interface pether" did not generate the expected output.

WEBMPS-26904      Fixes an issue where the commbroker SSL module was not receiving any events because of handshake failure and unsupported ciphers.

WEBMPS-26910      Fixes an SSLi connection context leak observed when the server connection was closed in the SYN_SENT state, causing a connection reset on the client.

WEBMPS-26926      Fixes an issue where the upgrade to BONA failed when the customer had an IPS policy exception configured on an 8.x or earlier release.

WEBMPS-26933      Fixes incorrect submission rates in the health status.

WEBMPS-27006      Fixes an issue where the "Monitored traffic" widget did not display graph data in sync with the configured timezone.

WEBMPS-27020      Fixes a health warning that appeared even after applying QinQ.

WEBMPS-27063      Fixes the wrong attacker IP address reported by a Network Security appliance when a third-party feed is added based on the source IP address.

Known Issues

The following issues are known in the Trellix Network Security 10.0.1 release.

Tracking number   Summary

COM-30639         The application accepts special characters as user inputs.

COM-30655         The database backup process takes a long time when an alert purge is in progress. Workaround: Schedule the database backup and purge processes at different times.

COM-30656         The negation symbol '!' does not work before the hostname or the username in the deny user list.

COM-30659         Alert details might be missing from a report generated during alert purging.

COM-31165         The gisettings API does not restrict the maximum number of inputs for a field to 10.

EMPS-17220        WebSocket connection breaks can occur between headless Chrome and the Python library because of issues with headless Chrome. This is reconciled automatically and the connection is re-established.

WEBMPS-24391      On a virtual Network Security appliance on Hyper-V, modifying the MTU value affects inline traffic. Traffic is reinstated when fe_fastpath_mgr is restarted.

WEBMPS-24484      IPS alerts for brute force login attempts do not include the appID, although the appID is detected.

WEBMPS-24541      The CLI does not return any errors when you add a duplicate of an existing configuration for Whitelist and Homenet IP, or when you delete a configuration that does not exist.

WEBMPS-26159      The Network Security appliance cannot stream data to the Splunk server via a proxy when SSL is enabled on the Splunk server.

Disable SAML in a Helix environment

SAML and HelixConnect are mutually exclusive. If the HelixConnect client is enabled on the Network Security appliance, you must
disable SAML authentication and authorization. Otherwise, the appliance will not come up after a system reboot.

For more information, see the Helix Integration Guide for Trellix devices.

• In the Software Requirements section, see “HelixConnect Client Software Requirements”.


• In the HelixConnect Troubleshooting section, see “Disabling SAML Authentication and Authorization”.


Upgrade support

The Trellix Network Security 10.0.1 release requires a reboot for the update to take effect. You can upgrade your NX appliance to
10.0.1 from release 9.0.0 or later.

IPMI and BIOS firmware updates are required for the Network Security 2550 model. See the section "Upgrading IPMI 3.11 and
BIOS 1.9 Firmware for Specific Platforms" below.

Note

After an upgrade to version 10.0.1, certain processes will be in a pending state until new security content is downloaded and
installed. See the following section, "Download the security content bundle".

Caution

If your Network Security appliance is running in CC-NDcPP compliance mode and the Web Server CA certificate (or one of the
supplemental CA trust certificates added to the configuration) expires, the configuration database will fail to commit when
the appliance is rebooted, resulting in a nonrecoverable error. If this happens, reset the appliance to factory default settings.

Note

• Submissions from Network Security configured in hybrid mode will no longer be sent to Cloud MVX.
• Network Security appliances configured in hybrid mode will offload overflow submissions to the connected on-prem
cluster.

Migrating inline policy exceptions and IPS policy exceptions

For Network Security appliances configured with inline policy exceptions or IPS policy exceptions, the upgrade process automatically
migrates the existing policy exceptions to the alert policy exceptions format introduced in release 9.0.2.

Download the security content bundle

After the upgrade, certain processes will be in a pending state until new security content is downloaded and installed. The
security content is downloaded and installed automatically for online customers. Offline customers must manually download
and install the new security content after upgrading appliances to release 10.0.1.


Downloading content from the DTI offline update portal

If you download Network Security 10.0 security content from the DTI Offline Update Portal, use the SCNET-8.0 channel of the
portal.

Caution

Downloading security content from a different channel will result in a loss of detection.

For details, see the Trellix DTI Offline Update Portal User Guide.

Upgrading IPMI 3.11 and BIOS 1.9 firmware for specific platforms

The NX 2550 model requires an upgrade to IPMI 3.11 and BIOS 1.9. You must install the IPMI upgrade before you upgrade the
BIOS. (COM-21016, COM-25601)

For detailed instructions about upgrading IPMI, see the System Administration Guide.

To upgrade IPMI to version 3.11:

Note

IPMI network and password settings revert to factory defaults after this upgrade, and IPMI logs are deleted. Make a note of
your settings and back up your IPMI logs.
Do not shut down or remove power from the appliance during the upgrade.

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Begin the upgrade:

   hostname (config) # ipmi firmware update latest

3. Confirm the upgrade:

   hostname (config) # show ipmi

If the upgrade fails, try the steps again.

If IPMI functions are not fully restored, perform a full power cycle (cold shutdown) of the appliance:

1. Stop the reload process:

   hostname (config) # reload halt

2. Disconnect all power cables for 2 minutes.
3. After 2 minutes, reconnect the power cables and restart the appliance.

To upgrade the BIOS to version 1.9:

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Begin the upgrade:

   hostname (config) # system bios firmware update latest

Note

Do not shut down or remove power from the appliance during the upgrade.

3. Confirm the upgrade:

   hostname (config) # show system bios

4. Stop the reload process:

   hostname (config) # reload halt

5. Disconnect all power cables for 2 minutes.
6. After 2 minutes, reconnect the power cables and restart the appliance.

YARA rules supported versions

YARA rules support version 4.3.2.

Important

Before you upgrade a Network Security appliance to the 10.0.0 release, modify any custom YARA rules to YARA 4.3.2. For
details about YARA 4.3.2, see YARA's Documentation, Release 4.3.2 by Victor Alvarez.

Enabling access to intel content

Advanced Threat Intelligence (ATI) is a cloud-based data collection and threat intelligence distribution feature that provides
actionable information about MVX-verified events on appliances. The threat intelligence tells you who is the threat actor behind
an attack, what has been targeted or breached, and (if known) how to mitigate the threat. The Trellix Research Labs team
continually uploads the latest threat intelligence to the Trellix Dynamic Threat Intelligence (DTI) cloud. When an MVX-verified
event triggers an alert, the appliance queries the DTI server for threat intelligence and stores the additional information in its
database. When you display an ATI alert, the alert details include the threat intelligence.


Appliances now need access to the Amazon Web Services (AWS) cloud for ATI communication. The intel context service is hosted
in multiple AWS regions and resolves to multiple IP addresses based on geographic location. To determine the IP addresses
for your location, go to https://dnschecker.org. See the AWS IP address range documentation for information about adding the
IP addresses to the allow list.



3 | 10.0.0 Release Notes


This section describes the Trellix Network Security 10.0.0 release.

New features and changes


This section describes new features in the Trellix Network Security release 10.0.0.

Trellix rebranding updates


As Trellix continues our exciting evolution, our customers will begin to see our solutions reflect our new name and brand. In this
release, we have updated the Network Security Web UI with the Trellix logo and name. This rebranding change requires no effort
from you.

IPS enhancement for CSV import option on the IPS Configure page
You can now import a CSV file to configure IPS rules based on specific categories using the Import Rules button on the IPS
Configure page. You can make bulk changes by selecting all high-severity IPS rules in the CSV file rather than selecting rules
manually one at a time in the UI.

Automated generation of artifacts


All the supported artifacts are now generated for malware-object and riskware-object alerts if the display of static information for
malicious and non-malicious files and URLs on the Network Security appliance Web UI is enabled. From this release, the display
of static information is enabled by default.

High Availability (HA) port pair


You can now configure the HA port-pair while creating the NX-HA pair.

Support for a new model on the VMware ESXi platform


The NX 10500V has been introduced to achieve 8.5 Gbps throughput.

Geo-location integration for alerts


The Web UI provides geo-location information for all alerts and visually displays where the attacks originated.

Integration with Helix and HelixConnect


You can now integrate your Network Security appliance with Helix through the Network Security Web UI.

The HelixConnect client is automatically enabled when the Helix mode is enabled on the appliance. The appliance also
automatically registers with Helix through the HelixConnect client. The HelixConnect client can be independently enabled or
disabled even when the Helix mode is disabled.

For information about establishing connectivity with the HelixConnect client and enabling the functionality it offers, see the Helix
Integration Guide.

Datastreaming submission data to third-party SIEM


You can now configure datastreaming to Splunk servers.


Metadata streaming through an HTTP proxy


Metadata streaming through an HTTP proxy is now supported.

MUSE Web UI improvements


The Network Security appliance Web UI has adopted the MUSE design for UX improvements.

DGA detection
Network Security appliances now have Domain Generation Algorithms (DGA) detection capabilities.

Alert policy exceptions are now supported for Domain Match alerts

• A new Bott alert category, Domain Match, has been added. Bott IOC domain alerts will be associated with this category.
• The signature id for all IOC domain alerts is 93000001. This sig-id can be used to apply policy exception over domain
match alerts.

New data retention and purging policy


You can now set the number of days to retain data in the database settings using the Network Security appliance Web UI.

Data will be purged after the retention period. You can change the frequency and time of the data purge.

IPv6 support on the IPMI for x600 appliances


IPMI on the Network Security 6th generation appliances is now compatible with IPv6 management networks.

HTTP/2 Support
Supports HTTP/2 protocol. Added SSL Interception support for HTTPS/2 traffic.

Enhanced Inline file blocking using Global Cache


Improved file blocking using the Global cache.

Domain blocking ability enhancements


Enhanced blocking capability by adding support for bad domain blocking for DNS, HTTP and SSL traffic.

The Health Services tab


The Health Services tab allows you to configure health monitoring parameters for all the available health services on the
appliance.

Support for new AWS M6i instance types


A list of new AWS M6i instance types is supported in this release for the Network Security instance. For more information, refer to
the Trellix Device Deployment Guide.

Restoring the database from a backup file


You can now restore a backup database belonging to a different appliance model of the same release version. This feature is
useful when upgrading from one appliance model to another.

Configuring the homenet range during initial configuration


You can now configure the homenet IP address for Snort rules during the initial configuration of the Network Security appliance
using the Configuration wizard.


IPS support for ICAP


IPS Policies can now be applied to the management interface. This will enable the ICAP module to detect IPS signatures.

List of ciphers modified


The existing FIPS and CC high-security cipher lists have been updated. For more details, refer to Network Security User Guide.

NX integration with AWS GWLB


Added support for easier deployment of NX behind an AWS Gateway Load Balancer.

Support SSL protocol anomaly detection


Added support for SSL protocol anomaly detection capability to detect weak SSL protocol usage on the network.

Event-based Packet Capture for malware callback and infection match alert
Supports event-based full Packet Capture for the malware callback and infection match alert.

High Availability support on x600 NX appliances


Added High Availability support for all x600 Network Security appliances.

Support file extraction and submission for the Evidence Collector Edition
Support added for file extraction and submission to on-prem Intelligent Virtual Execution - Server cluster for the Evidence
Collector edition.

Detection enhancement
Enhanced object extraction from dynamic HTML pages using Headless Chrome.

Termination of support for x400 appliances and NX 10550 Platform


Upgrade to release version 10.0.0 will not be supported on 4th generation appliances and NX 10550.

Enhancements

• All the supported formats for Rsyslog notifications are now displayed in the Network Security Web UI.
• The HTTP events generated on the appliance can now be sent to the HTTP Event Collector (HEC) on a Splunk Enterprise
instance.
• The malware artifacts data downloaded as a zip file for any specified alert includes OS Change Graph data.
• SSLi throughput has been improved for NX 5500 and NX 6500 appliances.
• The "auditor" user can now create, delete, and upload log-archives from the CLI.
• The factory default certificate generation key size is changed to 3072 bits.
• The Service Health Statistics Trend widget on the Network Security appliance Web UI dashboard highlights the health
level of the most critical service in each category tile.
• The Service Health Statistics Trend widget on the Network Security appliance Web UI dashboard includes the IPS event
filter, which shows the health status for recently filtered IPS events. If a signature ID is filtered more than 20 times in a
5-minute period, the health status for the IPS event filter will show 'Warning'.
• You can now delete both the completed packet capture instances and the running packet capture instances using
the Delete and Delete All options. When you delete a packet capture, both the PCAP data and the packet-capture
configuration data are deleted.


• The Monitored Traffic widget on the Network Security appliance Web UI dashboard now has the option to view the
network traffic rate for a specific interface.
• Alert type 'Riskware-Object' has been added for the report type 'Riskware Details' for both Static and Scheduled Reports
in the Reports option on the Network Security Web UI.
• The FAUDE URL screenshot is now generated along with other artifacts after successful submission.
• Log-management functionality has been improved.
• If you download security content from the DTI Offline Update Portal, you now use the SCNET-8.0 channel of the portal.
• You can now download artifacts data corresponding to the specified artifact types (if available for the specified UUID) as
a zip file using the API.
• Added support for RHEL7.6 for KVM Network Security virtual.
• Added batching support for L7metadata for Network Investigator.
• Added additional health monitoring modules for unsupported SFP and per port QinQ.

New, modified, or deprecated CLI commands


The CLI commands in this section were added, modified, or deprecated for this release.

New commands

SSH server security enhancement


SSH server security now provides client IP address-based access control for specified user accounts using the following CLI
commands:

• [no] ssh server access-control allow-users <user-host-ip-pattern>

• [no] ssh server access-control allow-users <user-host-ip-pattern> enable

• [no] ssh server access-control deny-users <user-host-ip-pattern>

• [no] ssh server access-control deny-users <user-host-ip-pattern> enable

• [no] ssh server access-control enable
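The page does not spell out how a <user-host-ip-pattern> is evaluated, so the following added example (not the appliance's code) assumes OpenSSH-style sshd_config semantics for allow-users/deny-users: patterns are USER or USER@HOST, '*' and '?' are wildcards, the HOST part may be a CIDR block, patterns prefixed with '!' are negated, and the deny list is checked before the allow list. It is useful for validating a planned access-control list offline before applying it to a management interface. All user names and addresses are constructed.

```python
"""Evaluate OpenSSH-style user@host allow/deny pattern lists (constructed example)."""
import fnmatch
import ipaddress


def _match_one(pattern, user, host):
    """Match 'USER' or 'USER@HOST' against (user, host).

    '*' and '?' are wildcards; a HOST written as address/masklen is compared
    numerically against the client IP (assumed behaviour, as in sshd_config).
    """
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
    else:
        upat, hpat = pattern, "*"
    if not fnmatch.fnmatchcase(user, upat):
        return False
    if "/" in hpat:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(hpat, strict=False)
        except ValueError:          # host is a name, not an address: CIDR cannot match
            return False
    return fnmatch.fnmatchcase(host, hpat)


def match_list(patterns, user, host):
    """Pattern-list semantics: any matching negated pattern ('!...') vetoes the list;
    otherwise the list matches if at least one positive pattern matches."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if _match_one(p[1:], user, host):
                return False
        elif _match_one(p, user, host):
            matched = True
    return matched


def ssh_access_decision(user, host, deny_users=(), allow_users=()):
    """Return (allowed, reason). deny-users is evaluated first, then allow-users;
    an empty allow-users list means 'no restriction' (assumed, as in sshd_config)."""
    if deny_users and match_list(deny_users, user, host):
        return False, "deny-users"
    if allow_users and not match_list(allow_users, user, host):
        return False, "not in allow-users"
    return True, "allowed"


# Constructed policy: admins only from the management subnet, auditor never from the lab subnet.
ALLOW = ["admin@10.1.0.0/16", "!ops@10.9.*", "ops@10.*"]
DENY = ["auditor@10.1.2.*"]


def check_policy(user, host):
    return ssh_access_decision(user, host, deny_users=DENY, allow_users=ALLOW)
```

Running check_policy over the user/host pairs you expect to see (and a few you do not) before committing the list catches a pattern that is broader or narrower than intended.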

Enabling ALPN
Use the following command to enable ALPN if it is in disabled state. ALPN is generally enabled by default.

• policymgr ssl-intercept config alpn enable

DGA detection
NX devices detect Domain Generation Algorithms (DGA) attacks when you enable DGA detection. You can enable and disable
DGA detection using the following CLI commands:

• [no] smartvision dga-detect

Enables or disables DGA detection.


• smartvision dga-detect config update now

Forces a DGA configuration update.


• [no] smartvision dga-detect whitelist* <domain address>

Configures an individual whitelist domain. Use the no parameter to delete the whitelist domain.
• smartvision dga-detect alert-threshold-intv <0-3600>

Sets the DGA alert threshold interval to between 0 and 3600 seconds.
• show smartvision dga-detect activity <1-240>

Displays DGA activity for the last number of hours up to 240 hours.
• show smartvision dga-detect config

Displays the DGA configuration.
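To show what a DGA detector has to decide on, here is an added example (not the appliance's detection engine) that scores the registrable label of each queried domain on entropy, vowel ratio, digit ratio and consonant runs, skips whitelisted domains, and rate-limits alerts per client. The suppression window is an assumption about what the alert threshold interval above means; the suffix list, weights, threshold and sample domains are constructed for this example.

```python
"""Heuristic DGA scoring with whitelist and per-client alert interval (constructed example)."""
import math
import re
from collections import Counter

# Small suffix list for this example only; a real implementation would use the public-suffix list.
_KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "info", "biz", "ru", "cn")


def sld(domain: str) -> str:
    """Return the registrable label, e.g. 'trellix' for 'www.trellix.com'."""
    d = domain.lower().rstrip(".")
    for suf in sorted(_KNOWN_SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suf):
            d = d[: -len(suf) - 1]
            break
    return d.rsplit(".", 1)[-1]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", s)
    return max((len(r) for r in runs), default=0)


def dga_score(domain: str) -> float:
    """Score in [0, 1]; higher is more DGA-like. Weights are illustrative, not tuned."""
    label = sld(domain)
    if len(label) < 6:                       # short labels carry too little signal
        return 0.0
    ent = shannon_entropy(label)             # random alphanumerics approach log2(36) ~ 5.17
    letters = sum(ch.isalpha() for ch in label) or 1
    vowel_ratio = sum(ch in "aeiouy" for ch in label) / letters
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    run = longest_consonant_run(label)
    score = min(ent / 4.0, 1.0) * 0.4
    score += (1.0 - min(vowel_ratio / 0.35, 1.0)) * 0.3   # pronounceable names have vowels
    score += min(digit_ratio / 0.3, 1.0) * 0.1
    score += min(max(run - 3, 0) / 4.0, 1.0) * 0.2
    return round(score, 3)


class DgaAlerter:
    """Emits at most one DGA alert per client within interval_s seconds
    (0 disables suppression); whitelisted domains and their subdomains never alert."""

    def __init__(self, whitelist, threshold=0.6, interval_s=600):
        self.whitelist = {w.lower() for w in whitelist}
        self.threshold = threshold
        self.interval_s = interval_s
        self._last_alert = {}                # client_ip -> timestamp of last alert

    def observe(self, ts: float, client_ip: str, domain: str):
        """Return an alert dict, or None when benign, whitelisted or suppressed."""
        d = domain.lower().rstrip(".")
        if d in self.whitelist or any(d.endswith("." + w) for w in self.whitelist):
            return None
        score = dga_score(d)
        if score < self.threshold:
            return None
        last = self._last_alert.get(client_ip)
        if last is not None and self.interval_s > 0 and ts - last < self.interval_s:
            return None
        self._last_alert[client_ip] = ts
        return {"ts": ts, "client": client_ip, "domain": d, "score": score}
```

Feed it (timestamp, client, queried name) tuples from DNS logs; the score alone is a triage aid, and a burst of high scores from one client within a short window is the pattern worth escalating.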

BOTT alert thresholding redesign


These commands are used to configure IPS thresholding.

• [no] bottracker ips event-filter enable

• bottracker ips event-filter count <count>


bottracker commands to support IOC feature


These commands enable the IOC feature for detection.

• bottracker ioc ip enable

Enables the IOC IP feature, which allows the Network Security appliance to match IP addresses detected in the network
traffic against the configured IOC IP addresses.
• [no] bottracker ioc ip enable

Disables the IOC IP feature.
• bottracker ioc domain enable

Enables the IOC domain feature, which allows the Network Security appliance to match domains detected in network
traffic.
• [no] bottracker ioc domain enable

Disables the IOC domain feature.
• bottracker ioc url enable

Enables the IOC URL feature, which allows the Network Security appliance to match URLs detected in the network traffic
against the configured URLs.

Commands for filtering IPS events


These commands enable the IPS event filtering feature. You can enable or disable IPS event filtering using the following
CLI commands:

• bottracker ips event-filter enable

Enables the IPS event filtering feature and filters IPS events detected by the IPS-enabled appliance.
• [no] bottracker ips event-filter enable

Disables the IPS event filtering feature.
• bottracker ips event-filter count <count>

Configures the IPS event count at which the event filter limit is reached.
• bottracker ips event-filter timeout <seconds>

Configures the time period (in seconds) over which the IPS event count is monitored.
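The count and timeout settings above describe a threshold of N events per signature within a time window, and the Enhancements list says the dashboard shows 'Warning' when one signature ID is filtered more than 20 times in 5 minutes. The following added example (not the appliance's implementation) puts both rules together as a sliding-window filter, so you can see which events a given count/timeout pair would suppress and when the health rule would trip. Signature IDs and timestamps are constructed.

```python
"""Sliding-window IPS event filter with a 'noisy signature' health check (constructed example)."""
from collections import defaultdict, deque


class IpsEventFilter:
    """Admit at most `count` events per signature within any `timeout`-second window;
    remember when events were filtered so a health check can spot noisy signatures."""

    def __init__(self, count: int, timeout: int):
        self.count = count
        self.timeout = timeout
        self._windows = defaultdict(deque)       # sig_id -> timestamps of admitted events
        self._filtered_ts = defaultdict(deque)   # sig_id -> timestamps of filtered events

    def admit(self, ts: float, sig_id: int) -> bool:
        """Return True if the event is emitted, False if the filter suppresses it."""
        win = self._windows[sig_id]
        while win and ts - win[0] >= self.timeout:   # drop events older than the window
            win.popleft()
        if len(win) >= self.count:
            self._filtered_ts[sig_id].append(ts)
            return False
        win.append(ts)
        return True

    def filtered_count(self, sig_id: int, now: float, period: float = 300) -> int:
        return sum(1 for t in self._filtered_ts[sig_id] if now - t < period)

    def health(self, now: float, period: float = 300, limit: int = 20) -> str:
        """'Warning' if any signature was filtered more than `limit` times in `period` seconds."""
        noisy = [s for s in list(self._filtered_ts) if self.filtered_count(s, now, period) > limit]
        return "Warning" if noisy else "OK"


def run_sample():
    """Constructed traffic: signature 2001 fires once a second for 30 s, 3005 fires once."""
    f = IpsEventFilter(count=5, timeout=60)
    emitted = sum(1 for i in range(30) if f.admit(ts=float(i), sig_id=2001))
    f.admit(ts=15.0, sig_id=3005)
    return emitted, f.filtered_count(2001, now=30.0), f.health(now=30.0), f.health(now=400.0)
```

With count=5 and timeout=60 the first five events pass and the remaining 25 are filtered, which is enough to put the IPS event filter tile into 'Warning' until the five-minute period has rolled past them.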

Splunk integration enhancement


These commands define the parameters for the HTTP events that are sent to the HTTP Event Collector (HEC) on a Splunk
Enterprise instance.

• fenotify http service <service_name> prefer splunk collector-type <raw | event-collector>

Specifies the event collector to which the data is sent.


• fenotify http service <service_name> prefer splunk token <token>

Specifies the Splunk token to establish the connection between the appliance and the Splunk instance.
• fenotify http service <service_name> prefer splunk host <hostname>

Specifies the hostname of the appliance.


• fenotify http service <service_name> prefer splunk source <source>

Specifies the source.


• fenotify http service <service_name> prefer splunk index <index>

Specifies the name of an index by which the event data is indexed.
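The five fenotify parameters above correspond to fields of a Splunk HTTP Event Collector submission. The following added example (not Trellix code, and it sends nothing) builds the request for both collector types so you can see where token, host, source and index end up: in the JSON envelope for event-collector, and in query parameters for raw. Endpoint paths and the Authorization header form are Splunk's documented HEC interface; the base URL, token, alert record and the treatment of channel as optional are assumptions for this example.

```python
"""Build Splunk HEC submissions for the two collector types (constructed example)."""
import json
from urllib.parse import urlencode

HEC_EVENT_PATH = "/services/collector/event"   # JSON-envelope endpoint
HEC_RAW_PATH = "/services/collector/raw"       # raw-text endpoint


def hec_request(collector_type, token, host, source, index, event, event_time,
                base_url="https://splunk.example.invalid:8088", channel=None):
    """Return (url, headers, body) for one submission; nothing is transmitted.

    'event-collector' wraps the event in HEC's JSON envelope (host/source/index are envelope
    fields); 'raw' posts the event text unchanged and carries host/source/index as query
    parameters. channel is a client-chosen GUID the raw endpoint uses with indexer
    acknowledgment; it is treated as optional here (assumption).
    """
    if collector_type not in ("raw", "event-collector"):
        raise ValueError("collector_type must be 'raw' or 'event-collector'")
    if not token:
        raise ValueError("a HEC token is required")
    headers = {"Authorization": f"Splunk {token}"}
    if collector_type == "event-collector":
        envelope = {"time": event_time, "host": host, "source": source,
                    "sourcetype": "_json", "index": index, "event": event}
        headers["Content-Type"] = "application/json"
        return base_url + HEC_EVENT_PATH, headers, json.dumps(envelope)
    params = {"host": host, "source": source, "index": index}
    if channel:
        params["channel"] = channel
    headers["Content-Type"] = "text/plain"
    text = event if isinstance(event, str) else json.dumps(event)
    return base_url + HEC_RAW_PATH + "?" + urlencode(params), headers, text


def redact_headers(headers):
    """Copy of the headers that is safe to log: the HEC token is a bearer credential."""
    out = dict(headers)
    if "Authorization" in out:
        out["Authorization"] = "Splunk ****"
    return out


# Constructed NX-style alert record used as the event payload.
SAMPLE_ALERT = {"alert_type": "malware-callback", "severity": "majr",
                "src_ip": "10.20.30.40", "dst_ip": "198.51.100.7", "alert_id": "constructed-0001"}


def build_sample(collector_type):
    return hec_request(collector_type, "TOKEN-1", "nx01", "nx:alerts", "security",
                       SAMPLE_ALERT, event_time=1700000000)
```

When debugging delivery, log redact_headers(headers) rather than the raw headers; the token grants write access to the index and belongs in the appliance configuration only.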

Evidence Collector command


Evidence collector Edition for file extraction

• foxd config object-extract enable

Enables object extraction on the Evidence Collector edition Network Security NX sensor.

Watch command

• watch "<show command>" interval <seconds>

Watch enables 'show' CLI commands to run continuously at regular intervals without manual intervention. The "watch"
command can be run in all modes (standard, enable, and config). It allows you to configure the interval. The default interval
(when not specified explicitly) is 30 seconds.

Interface network statistics

• show network stats interface <interfaceName>

Displays network statistics for the specified interface.

Localsig enhancements

• show localsig file-hash

Show local signature generated file hashes.


• show localsig url

Shows local signature generated URLs.


Modified commands

AV-suite commands
Some AV-suite commands are modified to replace AV-suite with gcache. The following are the modified commands:

• fenet dti gcache service

• [no] fenet dti gcache service override

• [no] fenet dti gcache service proxy

• [no] fenet dti gcache service type

Deprecated commands

AV-suite commands
A subset of AV-suite commands is deprecated.

• fenet dti av-suite service

• [no] fenet dti av-suite service override

• [no] fenet dti av-suite gcache service proxy

• [no] fenet dti av-suite gcache service type

• static-analysis av-suite whitelist enable

Resolved issues
The following issues were resolved in the Network Security 10.0.0 release.

Tracking number             Summary

COM-12986                   New logs could not be generated because the Log Manager Create button was disabled and the
                            progress showed "Archive being created". The issues are resolved.
COM-23960                   The physical disk serial number did not match the output of show media disk. This issue is resolved.
COM-29773                   Upgrading previously created certs under the FireEye org name is not supported.
COM-29806                   Power supply failure alert notifications were created unnecessarily in the following models: NX 3500,
                            NX 4500, NX 5500. This issue is resolved.
COM-29863                   Apache has been upgraded to overcome the vulnerability described in IAVM 2022-A-0124.
COM-29874                   Vulnerabilities CVE-2022-22965, CVE-2022-22963, and CVE-2022-22950 are resolved.
COM-29002                   The show log continuous command was not generating the expected output. The issue is resolved.
COM-29377                   The Velocity Engine has been upgraded to address the Velocity Sandbox Bypass issue (CVE-2020-13936).
COM-29624                   Some appliances could not connect to HelixConnect. This issue is resolved.
COM-29702                   CEF logs did not have the cs6 field extension. This issue is resolved.
COM-30030                   Alert notifications and alert logs were delayed when many detections occurred simultaneously. This
                            issue is resolved.
COM-30031                   The Apache vulnerability described in IAVM 2022-A-0230 has been addressed.
COM-30144                   The SMTP alerts using TLS failed to authenticate if the password contained a # character. This issue
                            is resolved.
COM-30244                   mgmtd could not be recovered if a failure occurred. The issue is resolved. mgmtd can now be recovered
                            by rebooting the system after a failure.
COM-30325                   SNMP settings used to reset to default values on reloading the site or logging out. The issue is
                            resolved.
COM-30344                   TLS version 1.1 was not secure enough in compliance mode for CC-NDcPP 2022 certification. The issue
                            is resolved. TLS is upgraded to version 1.2.
COM-30537                   CVE-2021-46848 vulnerability has been addressed.
COM-30604                   Delimiter between multiple SSH Allow users was not effective. The issue was resolved.
COM-30641                   The full file path was included in the "filename" field in the metadata that was sent to
                            cloud.fireeye.com. This issue has been resolved.
COM-30743                   License update was producing the error message, "Internal error fetching licenses". The issue is
                            resolved.
COM-30788                   You can now view datastreaming logs from the CLI using the show datastreaming log command.
COM-30894                   Issues of generating empty static reports have been fixed.
COM-30935                   SNMPv3 allowed the creation of a user with an invalid SNMP key. This issue is resolved.
COM-30950                   The original file names were being truncated in the malware analysis table during local and remote
                            transfer. The issue is resolved.
COM-31007                   Apache has been upgraded to overcome the vulnerability described in CVE-2023-24998.
COM-31187                   Advanced URL Defense reported an error on the sensor appliance. The issue is resolved.
WEBMPS-21636                Issues related to backup, restore and reset factory settings for IPS services are resolved.
                            • IPS Custom Rules were missing from the Only Config backup.
                            • When the reset factory keep-all-config CLI command was executed, IPS Policy Configuration, IPS
                              Exception Rules and IPS Custom Rules configuration were not retained.
WEBMPS-21803                The NX 6500 appliance showed incorrect Warning and Critical values for Maximum bandwidth in both
                            the CLI and the Web UI. The issues are resolved.
WEBMPS-24145, WEBMPS-24841  Security Content update failure did not trigger an SNMP trap. The issue is resolved.
WEBMPS-24321                System Load and other services were generating false health alerts. The issues are resolved.
WEBMPS-24531                ifName was not included in the interface-up / interface-down SNMP trap. This issue is resolved.
WEBMPS-24836                The Network Security appliance could not cancel an active packet capture service. The issue is
                            resolved.
WEBMPS-24884                Source and destination IP addresses appeared interchanged on the Alert Details page and in XML and
                            CSV files. The issue is resolved.
WEBMPS-25062                An issue created by the escape characters '\/\/' in urllist.txt is resolved.
WEBMPS-25104                Riskware alert severity was displayed as N/A on the Web UI Dashboard. This issue is resolved.
WEBMPS-25170                The Network Security appliance in L3 mode was sending reset packets while the port-pairs were in
                            TAP mode. This issue is resolved.
WEBMPS-25195                Inconsistencies in alerts from the Network Security appliance and Helix are resolved.
WEBMPS-25426                A 250-****STARTTLS response instead of 250-STARTTLS was not accepted on the Network Security
                            appliance. This issue has been resolved.
WEBMPS-25615                Proxy details were missing in the riskware alert notification. The issue is resolved.
WEBMPS-25679                The Network Security appliance was receiving an empty IP address on configuring drop out-interface.
                            The issue is resolved. You need to execute the policymgr interface re-configure CLI command after
                            configuring any policymgr interface commands.
WEBMPS-25806                A database corruption event created multiple issues on the Network Security 1500 appliance. These
                            issues are resolved.
WEBMPS-26034                Change in timezone was not being honoured by the Service Health Digest notification. This issue is
                            resolved.
WEBMPS-26238                IPS custom rule validation failed for rules with UDP protocol and the TCP flags option. This issue is
                            resolved.
WEBMPS-26249                'Backup Reserve/free spaces is too low' error was logged when generating a backup config+fedb even
                            though disk space was enough to store more backups. This issue is resolved.
WEBMPS-26413                The disk space under /var/root/tmp/sa_python was full. The issue is resolved.
WEBMPS-26418                SSL connection was timing out due to delayed SYN ACK on the Network Security appliance. The issue is
                            resolved.
WEBMPS-26426                Inconsistency in ICAP blocking is resolved.
WEBMPS-26439                Issues arising due to a TCP evasion technique are resolved. The evasion technique works by
                            overlapping a TCP segment with a fake packet.
WEBUI-14724                 Naming a custom dashboard using non-ASCII and hyphen characters failed on the Web UI with the
                            following error message: "Please enter a valid name". This issue is resolved.
WEBUI-14821                 When an IPS event was clicked on the Web UI, the page did not respond. IPS performance improvement
                            has fixed this issue.

Known issues
The following issues are known in the Network Security 10.0.0 release.

Tracking number             Summary

COM-30639                   Credentials in the login page are transmitted over the SSL layer in plain text without encoding.
COM-30655                   The database backup process takes a long time when the alert purge is in progress.
                            Workaround: Schedule the database backup and purge processes at different times.
COM-30656                   Negation symbol '!' is not working before the hostname or the username in the deny user list.
COM-30659                   Alert details might be missing from the report generated during alert purging.
COM-30687                   The appliance is known to be vulnerable to CVE-2022-36760 if AJP servers are present.
COM-31165                   gisettings API is not restricting the maximum number of inputs for a field to 10.
DOC-6519                    The bandwidth graph is not appearing in the Monitored Traffic widget on the Web UI dashboard for
                            NX1500 and vNX1500 appliances, and the CLI command show network stats interface pether is not
                            generating the expected output.
WEBMPS-24391                In a virtual Network Security appliance on Hyper-V, modifying the MTU value affects inline traffic.
                            The traffic is reinstated when fe_fastpath_mgr is restarted.
WEBMPS-24484                IPS alerts for brute force login attempts do not include the appID, although the appID is detected.
WEBMPS-24541                The CLI does not return any errors when you add a duplicate of an existing configuration for
                            Whitelist and Homenet IP, or when you delete a configuration that does not exist.
WEBMPS-26159                The Network Security appliance cannot stream data to the Splunk server via a proxy when SSL is
                            enabled on the Splunk server.
WEBUI-15000                 For smartvision alerts generated earlier than 9.1.3 releases, base event details and event summary
                            information will not be displayed in Central Management System.

Disable SAML in a Helix environment


SAML and HelixConnect are mutually exclusive. If the HelixConnect client is enabled on the Network Security appliance, you must
disable SAML authentication and authorization. Otherwise, the appliance will not come up after a system reboot.

For more information, see the Helix Integration Guide for Trellix devices.

• In the Software Requirements section, see “HelixConnect Client Software Requirements”.


• In the HelixConnect Troubleshooting section, see “Disabling SAML Authentication and Authorization”.

Upgrade support
The Trellix Network Security 10.0.0 release requires a reboot for the update to take effect. You can upgrade your NX appliance to
10.0.0 from release 9.0.0 or later.

IPMI and BIOS firmware updates are required for the NX 2550 model. See the section "Upgrading IPMI 3.11 and BIOS 1.9
Firmware for Specific Platforms" below.

Note

After an upgrade to version 10.0.0, certain processes will be in a pending state until new security content is downloaded and
installed. See the following section, "Download the security content bundle".


Caution

If your Network Security appliance is running in CC-NDcPP compliance mode and the Web Server CA certificate (or one of the
supplemental CA trust certificates added to the configuration) expires, the configuration database will fail to commit when
the appliance is rebooted, resulting in a nonrecoverable error. If this happens, reset the appliance to factory default settings.

Note

• Submissions from NX configured in hybrid mode will no longer be sent to Cloud MVX.
• NX appliances configured in hybrid mode will offload overflow submissions to the connected on-prem cluster.

Migrating inline policy exceptions and IPS policy exceptions

For Network Security appliances configured with inline policy exceptions or IPS policy exceptions, the upgrade process automatically
migrates the existing policy exceptions to the alert policy exceptions format introduced in release 9.0.2.

Download the security content bundle

After the upgrade, certain processes will be in a pending state until new security content is downloaded and installed. The
security content is downloaded and installed automatically for online customers. Offline customers must manually download
and install the new security content after upgrading appliances to release 10.0.0.

Downloading content from the DTI offline update portal

If you download Network Security 10.0.0 security content from the DTI Offline Update Portal, use the SCNET-8.0 channel of the
portal.

Caution

Downloading security content from a different channel will result in a loss of detection.

For details, see the Trellix DTI Offline Update Portal User Guide.

Upgrading IPMI 3.11 and BIOS 1.9 firmware for specific platforms

The NX 2550 model requires an upgrade to IPMI 3.11 and BIOS 1.9. You must install the IPMI upgrade before you upgrade the
BIOS. (COM-21016, COM-25601)

For detailed instructions about upgrading IPMI, see the System Administration Guide.

To upgrade IPMI to version 3.11:


Note

IPMI network and password settings revert to factory defaults after this upgrade, and IPMI logs are deleted. Make a note of
your settings and back up your IPMI logs.
Do not shut down or remove power from the appliance during the upgrade.

1. Go to CLI configuration mode.
   hostname > enable
   hostname # configure terminal
2. Begin the upgrade:
   hostname (config) # ipmi firmware update latest
3. Confirm the upgrade:
   hostname (config) # show ipmi

If the upgrade fails, try the steps again.

If IPMI functions are not fully restored, perform a full power cycle (cold shutdown) on the appliance:

1. Stop the reload process:
   hostname (config) # reload halt
2. Disconnect all power cables for 2 minutes.
3. After 2 minutes, reconnect power cables and restart the appliance.

To upgrade the BIOS to version 1.9:

1. Go to CLI configuration mode.
   hostname > enable
   hostname # configure terminal
2. Begin the upgrade:
   hostname (config) # system bios firmware update latest

Note

Do not shut down or remove power from the appliance during the upgrade.

3. Confirm the upgrade:
   hostname (config) # show system bios
4. Stop the reload process:
   hostname (config) # reload halt
5. Disconnect all power cables for 2 minutes.
6. After 2 minutes, reconnect power cables and restart the appliance.


YARA rules supported versions

YARA rules support version 4.3.2.

Important

Before you upgrade a Network Security appliance to the 10.0.0 release, modify any custom YARA rules to YARA 4.3.2. For
details about YARA 4.3.2, see YARA's Documentation, Release 4.3.2 by Victor Alvarez.

Enabling access to intel context

Advanced Threat Intelligence (ATI) is a cloud-based data collection and threat intelligence distribution feature that provides
actionable information about MVX-verified events on appliances. The threat intelligence tells you who is the threat actor behind
an attack, what has been targeted or breached, and (if known) how to mitigate the threat. The Trellix Research Labs team
continually uploads the latest threat intelligence to the Trellix Dynamic Threat Intelligence (DTI) cloud. When an MVX-verified
event triggers an alert, the appliance queries the DTI server for threat intelligence and stores the additional information in its
database. When you display an ATI alert, the alert details include the threat intelligence.

Appliances now need access to the Amazon Web Services (AWS) cloud for ATI communication. The intel context service is hosted
in multiple AWS regions and resolves to multiple IP addresses based on geographic location. To determine the IP addresses
for your location, go to https://dnschecker.org. See the AWS IP address range documentation for information about adding the
IP addresses to the allow list.
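Because the intel context service resolves to different addresses per region, an allow list built from a one-off lookup goes stale, and an address that is not in AWS's published ranges at all deserves a second look before it is allowed. The following added example (not Trellix tooling) parses a document in the shape of AWS's published ip-ranges.json, maps each resolved address to its most specific prefix with region and service, and reports anything unmatched. This covers the 10.0.1 and 10.0.0 versions of this section alike. The JSON fragment and the resolved addresses are constructed samples; the real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json.

```python
"""Map resolved intel-context IPs to AWS published prefixes for an allow list (constructed example)."""
import ipaddress
import json

# Constructed fragment in the shape of AWS's ip-ranges.json; values are samples for this example.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.0.0.0/15", "region": "ap-southeast-1", "service": "AMAZON",
         "network_border_group": "ap-southeast-1"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON",
         "network_border_group": "us-west-2"},
        {"ip_prefix": "52.94.76.0/24", "region": "us-west-2", "service": "EC2",
         "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON",
         "network_border_group": "us-west-2"},
    ],
})


def load_prefixes(doc: str):
    """Return [(network, region, service)] for both the IPv4 and IPv6 sections."""
    data = json.loads(doc)
    out = []
    for p in data.get("prefixes", []):
        out.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in data.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return out


def match_prefix(ip: str, prefixes):
    """Return the most specific prefix containing ip (AWS lists overlapping entries), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, region, svc) for net, region, svc in prefixes
            if net.version == addr.version and addr in net]
    if not hits:
        return None
    net, region, svc = max(hits, key=lambda h: h[0].prefixlen)
    return {"prefix": str(net), "region": region, "service": svc}


def allowlist_for(resolved_ips, prefixes):
    """Return (sorted unique prefixes to allow, addresses that matched nothing).

    Unmatched addresses are returned rather than allowed: an intel-context name resolving
    outside AWS's published ranges is something to verify, not to whitelist blindly.
    """
    allowed, unmatched = set(), []
    for ip in resolved_ips:
        m = match_prefix(ip, prefixes)
        if m:
            allowed.add(m["prefix"])
        else:
            unmatched.append(ip)
    return sorted(allowed), unmatched
```

Allowing the containing prefix rather than the single resolved address keeps the rule valid when the service moves within the region; re-running the check on each new syncToken of the published file is the cheap way to notice when a prefix is retired.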

COPYRIGHT
Copyright © 2024 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the
US and /or other countries. Other names and brands are the property of these companies or may be claimed as the property of others.
