Loading...

Knowledge Center

How to obtain a list of current Global Threat Intelligence IP addresses
Technical Articles ID:   KB79640
Last Modified:  4/24/2019
Rated:

Environment

McAfee Advanced Threat Defense (ATD)
McAfee Application and Change Control (MACC)
McAfee Email Gateway (MEG)
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Mac (ENSM)
McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP)
McAfee ENS Firewall
McAfee ENS Web Control
McAfee GetSusp
McAfee Host Intrusion Prevention (Host IPS) for Servers
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MVISION Endpoint
McAfee Real Protect
McAfee SaaS Endpoint Protection
McAfee Stinger
McAfee Threat Intelligence Exchange (TIE) Server 
McAfee VirusScan Command Line Scanner (VSCL)
McAfee VirusScan Enterprise (VSE)
McAfee VirusScan Enterprise for Storage (VSES)
McAfee Web Gateway (MWG)

Summary

IP addresses can change, so McAfee recommends the use of a fully qualified domain name (FQDN) that returns a list of active endpoints at the nearest Cloud Point of Presence (PoP).

Access to Global Threat Intelligence (GTI) is configured on port 443 using an FQDN so that a DNS lookup can return the nearest and most accurate IP address records at any given time. This returned result can be any of several IP addresses across the globe. Because the exact IP address is not known in advance, firewall administrators must open port 443 outbound globally. If the firewall does not support configuring an open port against a host name, or if organizational security policies do not allow it, a specific GTI IP address must be used.

GTI is hosted as a global cloud service, so hard coding an IP address could result in an outage for one of the following reasons:
  • That particular IP address is taken out of service for maintenance.
  • A network outage segments a static path to a given IP address in a given data center.
  • The data center host changes.
The preferred configuration method is to configure access to the GTI servers to use port 443 to the FQDN.

NOTE: The FQDN depends on the product, which requires you to see the product documentation for your installed product.

Examples of some product FQDNs used with GTI

NOTE: This list is not intended to be comprehensive. See the product documentation for the most specific and up-to-date information.
 
Product
 FQDNs
DAT based GTI Queries avqs.mcafee.com
ENS
cloud.gti.mcafee.com
ENS ATP
ens.rest.gti.mcafee.com
compute.amazonaws.com
ENS ATP (Real Protect)
realprotect1.mcafee.com
ENS Firewall tunnel.web.trustedsource.org
ENS Web Control sae.gti.mcafee.com
ENSL enslinux.rest.gti.mcafee.com
ENSM ens-mac.rest.gti.mcafee.com
GTI (formerly Artemis) artemislist.gti.mcafee.com
Host IPS tunnel.hips.trustedsource.org
MEG tunnel.message.trustedsource.org
MOVE SVA avqs.mcafee.com
MVISION Endpoint (GTI) echelon.rest.gti.mcafee.com
MVISION Endpoint (Real Protect) realprotect1.mcafee.com
MWG tunnel.web.trustedsource.org
mac.gti.mcafee.com
sae.gti.mcafee.com
saelist.gti.mcafee.com
TIE Module (TIE Server) tie.gti.mcafee.com
tieserver.rest.gti.mcafee.com
Solidcore GTI (Application Control) cwl.gti.mcafee.com
cwl2.gti.mcafee.com
mace.rest.gti.mcafee.com

Solution

How to obtain a list of the current GTI IP addresses
Use one of the following to look up the FQDN using either nslookup for Windows systems, or a dig for *nix-based systems. 
 
NOTES:
  • The IP address list is pulled from the Global Traffic Management (GTM) system and represents the active endpoints at the nearest PoP at the time of the lookup.
  • Generally, these IP addresses do not change over time, but that is not the same as saying that they will never change over time or that they will always be available or in-service. McAfee has no procedures in place to proactively notify customers regarding internal IT changes and maintenance.
  • McAfee provides this information to simplify the process for our customers to look up the list periodically on their own schedule. If the host name resolves to IP addresses and an open port 443 in your firewall, periodically check the list of IP addresses and ensure that there have been no changes. Changes could impact the performance and operation of various products that must communicate with GTI.
Examples:
 
Method Command Returned Output
nslookup nslookup tunnellist.gti.mcafee.com Server: Unknown
Address: 192.168.1.1

Non-authoritative answer:
Name: tunnellist.gti.mcafee.akadns.net

Addresses:
8.18.25.23
8.18.25.24
8.18.25.25
8.18.25.26
8.18.25.27
8.18.25.28
8.18.25.29
8.18.25.60
8.18.25.61
8.18.25.62
8.18.25.63
8.18.25.16
8.18.25.17
8.18.25.18
8.18.25.19
8.18.25.20
8.18.25.21
8.18.25.22

Aliases: tunnellist.gti.mcafee.com
dig [user_name]$ dig tunnellist.gti.mcafee.com ; <<>> DiG 9.8.3-P1 <<>> tunnellist.gti.mcafee.akadns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16673
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;tunnellist.gti.mcafee.com. IN A

;; ANSWER SECTION:
tunnellist.gti.mcafee.com. 0 IN CNAME tunnellist.gti.mcafee.akadns.net.
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.29
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.19
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.17
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.25
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.27
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.23
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.22
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.24
tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.16


If the security policy of an organization allows it, and network administrators would prefer to create rules around netblocks used for the GTI Cloud, they can use the following CIDR blocks:
 
GTI Cloud Netblocks
8.18.25.0/25
8.21.161.0/25
161.69.92.0/25
161.69.165.0/25
161.69.169.0/25
161.69.199.0/25
161.69.226.0/25

These netblocks are subject to change in the future, but would allow for more blanket coverage and one-time Access Control List configuration.

Additional configuration details
In addition to the above netblocks, in 2016 McAfee began using Public Cloud resources to augment the GTI Cloud. In 2018 that usage was expanded, and a client might be directed to a GTI Cloud PoP in the Public Cloud. The current IP address list for those resources is as follows:
 
North America and Latin America Europe, Middle East, and Africa Asia Pacific
18.210.181.15 18.202.163.246 13.112.13.181
35.175.169.147 18.203.176.203 13.231.87.245
52.22.248.114 34.249.206.168 52.192.234.170
54.161.18.217 52.215.124.82 52.69.126.90

Related Information

For GTI best practices for minimizing network traffic, see KB74581.
 
For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.