Connecting to Global Threat Intelligence

Technical Articles ID: KB79640
Last Modified: 2/24/2021

Environment

McAfee Advanced Threat Defense (ATD)
McAfee Application and Change Control (MACC)
McAfee Email Gateway (MEG)
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Mac (ENSM)
McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP)
McAfee ENS Firewall
McAfee ENS Web Control
McAfee Host Intrusion Prevention (Host IPS) for Servers
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MVISION Endpoint
McAfee SaaS Endpoint Protection
McAfee Stinger
McAfee Threat Intelligence Exchange (TIE) Server
McAfee VirusScan Command Line Scanner (VSCL)
McAfee VirusScan Enterprise (VSE)
McAfee VirusScan Enterprise for Storage (VSES)
McAfee Web Gateway (MWG)

Summary

Recent updates to this article

Date	Update
February 24, 2021	Added a note regarding *.cloudplatform.mcafee.com.
December 1, 2020	Removed netblocks 8.18.25.0/25 and 161.69.199.0/25.
September 16, 2020	Updated to see the product documentation for the Global Threat Intelligence (GTI) FQDN for each product.
September 14, 2020	Moved non-Global Threat Intelligence ENS off-box communication URLs to KB93324 - Endpoint Security off-box communication URLs.
January 17, 2020	Added the following Asia Pacific IP addresses in the "Additional configuration details" section: 3.1.208.14, 3.1.172.253, 13.251.72.88, 13.251.160.226, 18.141.7.33, 18.136.232.217, 18.138.54.213, 18.139.198.177, 18.139.210.109, 52.74.48.212, 52.76.69.100, 52.221.56.160.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

The purpose of this article is to provide the Global Threat Intelligence (GTI) IP addresses to allow so that your network can query GTI. But, McAfee recommends the use of a fully qualified domain name (FQDN) that returns a list of active endpoints at the nearest Cloud Point of Presence (PoP). IP addresses can change. To decouple endpoints from these changes, endpoints should not hardcode IP addresses mentioned in this article. McAfee is providing the list of IP addresses for allow list purposes only.

GTI is hosted as a global cloud service, so hard coding an IP address could result in an outage for one of the following reasons:

That particular IP address is taken out of service for maintenance.
A network outage segments a static path to a given IP address in a given data center.
GTI site host changes.

Access to GTI is configured on port 443 using an FQDN so that a DNS lookup can return the nearest and most accurate IP address records at any given time. This returned result can be any of several IP addresses across the globe. Because the exact IP address is not known in advance, firewall administrators must open port 443 outbound globally. The preferred configuration method is to configure access to the GTI servers to use port 443 to the FQDN.

Product FQDNs used with GTI
The FQDN depends on the product. To determine the FQDN, see the product documentation for your installed product.

For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

For a list and description of the ENS URLs used to perform off-box communication, see KB93324 - Endpoint Security off-box communication URLs.

NOTE: If you resolve any of these URLs/IP addresses, you might see the following as part of the domain name mapping: *.cloudplatform.mcafee.com. This name is an expected alias. The URLs can resolve to multiple and differing IP addresses at different times.

GTI IP addresses
If you have strict outbound traffic security rules in place, allow the GTI traffic using destination host name. But, if allowing the traffic by destination host name is not possible due to technical constraints, allow access to the following netblocks and Public Cloud resource IP addresses. The IP addresses are subject to change in the future.

Netblocks:

8.21.161.0/25

161.69.92.0/25

161.69.165.0/25

161.69.169.0/25

161.69.226.0/25

Public Cloud resource IP addresses:

North America and Latin America	18.210.181.15	3.17.93.252	54.207.37.84
	35.175.169.147	3.130.192.46	18.229.234.209
	52.22.248.114	3.14.168.72	18.229.221.41
	54.161.18.217	3.13.175.152	18.229.214.120
	3.218.82.178	3.13.177.14	18.229.230.27
	3.221.83.69	18.217.35.31	18.229.238.10
	3.220.208.37	3.17.222.216	18.231.55.149
	3.209.49.187	3.13.101.252	54.207.36.207
	3.82.88.111	13.58.126.78	18.228.231.50
	52.203.225.140	18.224.177.231	18.228.142.252
	18.204.0.196	18.221.176.175	18.229.205.82
	52.21.68.3	3.130.165.110	18.229.227.102
Europe, Middle East, and Africa	18.202.163.246	18.200.102.222	52.16.112.58
	18.203.176.203	34.245.253.161	54.72.18.197
	34.249.206.168	18.200.177.198	34.254.121.67
	52.215.124.82	3.248.4.201	63.35.83.224
Asia Pacific	13.112.13.181	13.113.20.59	52.69.144.176
	13.231.87.245	3.113.144.18	52.69.3.12
	52.192.234.170	3.113.179.87	3.113.200.66
	52.69.126.90	52.194.198.2	3.113.68.241
	18.136.232.217	3.1.208.14	18.141.7.33
	52.74.48.212	52.76.69.100	3.1.172.253
	13.251.72.88	18.139.210.109	52.221.56.160
	13.251.160.226	18.138.54.213	18.139.198.177

Related Information

For GTI best practices for minimizing network traffic, see KB74581 - Global Threat Intelligence File Reputation - best practices for minimizing network traffic.

Affected Products

Advanced Threat Defense 4.8.x
Advanced Threat Defense 4.6.x
Advanced Threat Defense 4.4.x
Advanced Threat Defense 4.2.x
Application and Change Control 8.2.x
Application and Change Control 8.0.x
Application and Change Control 7.0.x
Application and Change Control 6.5.x
Application and Change Control 6.2.x
Application and Change Control 6.1
Endpoint Security Adaptive Threat Protection
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security for Linux Firewall 10.6.x
Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Firewall 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security for Mac Web Control 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Host Intrusion Prevention 8.0
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.6.x
MVISION Endpoint - All Versions
Stinger
Threat Intelligence Exchange Server 3.x
Threat Intelligence Exchange Server 2.3.x
Threat Intelligence Exchange Server 2.2.x
VirusScan Command Line Scanner 6.1.x
VirusScan Enterprise 8.8
VirusScan Enterprise for Storage 1.3.x
VirusScan Enterprise for Storage 1.2.x
Web Gateway 9.0.x
Web Gateway 8.2.x
Web Gateway 8.1.x
Web Gateway 8.0.x
Web Gateway 7.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Connecting to Global Threat Intelligence

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Connecting to Global Threat Intelligence

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title