Connecting to Global Threat Intelligence

Technical Articles ID: KB79640
Last Modified: 9/16/2020

Environment

McAfee Advanced Threat Defense (ATD)
McAfee Application and Change Control (MACC)
McAfee Email Gateway (MEG)
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Mac (ENSM)
McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP)
McAfee ENS Firewall
McAfee ENS Web Control
McAfee Host Intrusion Prevention (Host IPS) for Servers
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MVISION Endpoint
McAfee SaaS Endpoint Protection
McAfee Stinger
McAfee Threat Intelligence Exchange (TIE) Server
McAfee VirusScan Command Line Scanner (VSCL)
McAfee VirusScan Enterprise (VSE)
McAfee VirusScan Enterprise for Storage (VSES)
McAfee Web Gateway (MWG)

Summary

Recent updates to this article

Date	Update
September 16, 2020	Updated to refer to the product documentation for the Global Threat Intelligence (GTI) FQDN for each product.
September 14, 2020	Moved non-Global Threat Intelligence ENS off-box communication URLs to KB93324.
January 17, 2020	Added the following Asia Pacific IP addresses in the "Additional configuration details" section: 3.1.208.14, 3.1.172.253, 13.251.72.88, 13.251.160.226, 18.141.7.33, 18.136.232.217, 18.138.54.213, 18.139.198.177, 18.139.210.109, 52.74.48.212, 52.76.69.100, 52.221.56.160.
December 17, 2019	Updated the "Additional configuration details" section that since 2018 the use of Public Cloud resources to augment the Global Threat Intelligence (GTI) Cloud was expanded. So, a client might be directed to a GTI Cloud PoP in the Public Cloud.

The purpose of this article is to provide the Global Threat Intelligence (GTI) IP addresses to allow so that your network can query GTI. But, McAfee recommends the use of a fully qualified domain name (FQDN) that returns a list of active endpoints at the nearest Cloud Point of Presence (PoP). IP addresses can change and to decouple endpoints from these changes, endpoints should not hardcode IP addresses mentioned in this article. McAfee is providing the list of IP addresses for allow list purposes only.

GTI is hosted as a global cloud service, so hard coding an IP address could result in an outage for one of the following reasons:

That particular IP address is taken out of service for maintenance.
A network outage segments a static path to a given IP address in a given data center.
GTI site host changes.

Access to GTI is configured on port 443 using an FQDN so that a DNS lookup can return the nearest and most accurate IP address records at any given time. This returned result can be any of several IP addresses across the globe. Because the exact IP address is not known in advance, firewall administrators must open port 443 outbound globally. The preferred configuration method is to configure access to the GTI servers to use port 443 to the FQDN.

Product FQDNs used with GTI
The FQDN depends on the product. To determine the FQDN, see the product documentation for your installed product.

For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

For a list and description of the ENS URLs used to perform off-box communication, see KB93324.

GTI IP addresses
If you have strict outbound traffic security rules in place, allow the GTI traffic using destination host name. But, if allowing the traffic by destination host name is not possible due to technical constraints, allow access to the following netblocks and Public Cloud resource IP addresses. The IP addresses are subject to change in the future.

Netblocks:

8.18.25.0/25

8.21.161.0/25

161.69.92.0/25

161.69.165.0/25

161.69.169.0/25

161.69.199.0/25

161.69.226.0/25

Public Cloud resource IP addresses:

North America and Latin America	18.210.181.15	3.17.93.252	54.207.37.84
	35.175.169.147	3.130.192.46	18.229.234.209
	52.22.248.114	3.14.168.72	18.229.221.41
	54.161.18.217	3.13.175.152	18.229.214.120
	3.218.82.178	3.13.177.14	18.229.230.27
	3.221.83.69	18.217.35.31	18.229.238.10
	3.220.208.37	3.17.222.216	18.231.55.149
	3.209.49.187	3.13.101.252	54.207.36.207
	3.82.88.111	13.58.126.78	18.228.231.50
	52.203.225.140	18.224.177.231	18.228.142.252
	18.204.0.196	18.221.176.175	18.229.205.82
	52.21.68.3	3.130.165.110	18.229.227.102
Europe, Middle East, and Africa	18.202.163.246	18.200.102.222	52.16.112.58
	18.203.176.203	34.245.253.161	54.72.18.197
	34.249.206.168	18.200.177.198	34.254.121.67
	52.215.124.82	3.248.4.201	63.35.83.224
Asia Pacific	13.112.13.181	13.113.20.59	52.69.144.176
	13.231.87.245	3.113.144.18	52.69.3.12
	52.192.234.170	3.113.179.87	3.113.200.66
	52.69.126.90	52.194.198.2	3.113.68.241
	18.136.232.217	3.1.208.14	18.141.7.33
	52.74.48.212	52.76.69.100	3.1.172.253
	13.251.72.88	18.139.210.109	52.221.56.160
	13.251.160.226	18.138.54.213	18.139.198.177

Related Information

For GTI best practices for minimizing network traffic, see KB74581.

Affected Products

Advanced Threat Defense 4.8.x
Advanced Threat Defense 4.6.x
Advanced Threat Defense 4.4.x
Advanced Threat Defense 4.2.x
Advanced Threat Defense 4.0.x
Application and Change Control 8.2.x
Application and Change Control 8.0.x
Application and Change Control 7.0.x
Application and Change Control 6.5.x
Application and Change Control 6.2.x
Application and Change Control 6.1
Email Gateway 7.6
Endpoint Security Adaptive Threat Protection
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security for Linux Firewall 10.6.x
Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Firewall 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security for Mac Web Control 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Host Intrusion Prevention 8.0
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.6.x
MVISION Endpoint - All Versions
SaaS Email Protection 1
SaaS Web Protection 1.0
Stinger
Threat Intelligence Exchange Server 3.x
Threat Intelligence Exchange Server 2.3.x
Threat Intelligence Exchange Server 2.2.x
VirusScan Command Line Scanner 6.1.x
VirusScan Enterprise 8.8
VirusScan Enterprise for Storage 1.3.x
VirusScan Enterprise for Storage 1.2.x
Web Gateway 9.0.x
Web Gateway 8.2.x
Web Gateway 8.1.x
Web Gateway 8.0.x
Web Gateway 7.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Connecting to Global Threat Intelligence

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Connecting to Global Threat Intelligence

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title