How to obtain a list of current Global Threat Intelligence IP addresses

Technical Articles ID: KB79640
Last Modified: 5/27/2020

Environment

IMPORTANT: IP addresses can change. So, McAfee recommends the use of a fully qualified domain name (FQDN). FQDN returns a list of active endpoints at the nearest Cloud Point of Presence (PoP).

McAfee Advanced Threat Defense (ATD)
McAfee Application and Change Control (MACC)
McAfee Email Gateway (MEG)
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Mac (ENSM)
McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP)
McAfee ENS Firewall
McAfee ENS Web Control
McAfee GetSusp
McAfee Host Intrusion Prevention (Host IPS) for Servers
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MVISION Endpoint
McAfee Real Protect
McAfee SaaS Endpoint Protection
McAfee Stinger
McAfee Threat Intelligence Exchange (TIE) Server
McAfee VirusScan Command Line Scanner (VSCL)
McAfee VirusScan Enterprise (VSE)
McAfee VirusScan Enterprise for Storage (VSES)
McAfee Web Gateway (MWG)

Summary

Recent updates to this article

Date	Update
May 27, 2020	Added a note to contact Technical Support if you need additional information about threat telemetry.
April 9, 2020	Added the FQDN ens.ria.mcafee-cloud.com for ENS ATP.
January 17, 2020	Added the following Asia Pacific IP addresses in the "Additional configuration details" section: 3.1.208.14, 3.1.172.253, 13.251.72.88, 13.251.160.226, 18.141.7.33, 18.136.232.217, 18.138.54.213, 18.139.198.177, 18.139.210.109, 52.74.48.212, 52.76.69.100, 52.221.56.160.
December 17, 2019	Updated the "Additional configuration details" section that since 2018 the use of Public Cloud resources to augment the Global Threat Intelligence (GTI) Cloud was expanded. So, a client might be directed to a GTI Cloud PoP in the Public Cloud.
December 16, 2019	Added the following North America and Latin America IP addresses in the "Additional configuration details" section: 54.207.37.84, 54.207.36.207, 18.229.234.209, 18.229.221.41, 18.229.214.120, 18.229.230.27, 18.229.238.10, 18.231.55.149, 18.228.231.50, 18.228.142.252, 18.229.205.82, 18.229.227.102.

Access to Global Threat Intelligence (GTI) is configured on port 443 using an FQDN so that a DNS lookup can return the nearest and most accurate IP address records at any given time. This returned result can be any of several IP addresses across the globe. Because the exact IP address is not known in advance, firewall administrators must open port 443 outbound globally. If the firewall does not support the configuration of an open port against a host name, or if organizational security policies do not allow it, a specific GTI IP address must be used.

GTI is hosted as a global cloud service, so hard coding an IP address could result in an outage for one of the following reasons:

That particular IP address is taken out of service for maintenance.
A network outage segments a static path to a given IP address in a given data center.
The data center host changes.

The preferred configuration method is to configure access to the GTI servers to use port 443 to the FQDN.

Examples of some product FQDNs used with GTI

NOTES:

This list is not intended to be comprehensive. The FQDN depends on the product. See the product documentation for the most specific and up-to-date information.
Certain organizations that require additional information around of some types of threat telemetry should contact Technical Support.

Product	FQDNs
DAT based GTI Queries	avqs.mcafee.com
ENS	cloud.gti.mcafee.com
ENS ATP	ens.rest.gti.mcafee.com compute.amazonaws.com ens.ria.mcafee-cloud.com
ENS ATP (Real Protect)	realprotect1.mcafee.com
ENS Firewall	tunnel.web.trustedsource.org
ENS Web Control	sae.gti.mcafee.com
ENSL	enslinux.rest.gti.mcafee.com
ENSM	ens-mac.rest.gti.mcafee.com
GTI (formerly Artemis)	artemislist.gti.mcafee.com
Host IPS	tunnel.hips.trustedsource.org
MEG	tunnel.message.trustedsource.org
MOVE SVA	avqs.mcafee.com
MVISION Endpoint (GTI)	echelon.rest.gti.mcafee.com
MVISION Endpoint (Real Protect)	realprotect1.mcafee.com
MWG	tunnel.web.trustedsource.org mac.gti.mcafee.com sae.gti.mcafee.com saelist.gti.mcafee.com
TIE Module (TIE Server)	tie.gti.mcafee.com tieserver.rest.gti.mcafee.com
Solidcore GTI (Application Control)	cwl.gti.mcafee.com cwl2.gti.mcafee.com mace.rest.gti.mcafee.com

Solution

How to obtain a list of the current GTI IP addresses
Use one of the following to look up the FQDN using either nslookup for Windows systems, or a dig for *nix-based systems.

NOTES:

The IP address list is pulled from the Global Traffic Management (GTM) system. It represents the active endpoints at the nearest PoP at the time of the lookup.
Generally, these IP addresses do not change over time. But, that is not the same as saying that they will never change over time or that they will always be available or in-service. McAfee has no procedures in place to proactively notify customers regarding internal IT changes and maintenance.
McAfee provides this information to simplify the process for our customers to look up the list periodically on their own schedule. If the host name resolves to IP addresses and an open port 443 in your firewall, periodically check the list of IP addresses and make sure that there have been no changes. Changes could impact the performance and operation of many products that must communicate with GTI.

Examples:

Method	Command	Returned Output
nslookup	nslookup tunnellist.gti.mcafee.com	Server: Unknown Address: 192.168.1.1 Non-authoritative answer: Name: tunnellist.gti.mcafee.akadns.net Addresses: 8.18.25.23 8.18.25.24 8.18.25.25 8.18.25.26 8.18.25.27 8.18.25.28 8.18.25.29 8.18.25.60 8.18.25.61 8.18.25.62 8.18.25.63 8.18.25.16 8.18.25.17 8.18.25.18 8.18.25.19 8.18.25.20 8.18.25.21 8.18.25.22 Aliases: tunnellist.gti.mcafee.com
dig	[user_name]$ dig tunnellist.gti.mcafee.com	; <<>> DiG 9.8.3-P1 <<>> tunnellist.gti.mcafee.akadns.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16673 ;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;tunnellist.gti.mcafee.com. IN A ;; ANSWER SECTION: tunnellist.gti.mcafee.com. 0 IN CNAME tunnellist.gti.mcafee.akadns.net. tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.29 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.19 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.17 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.25 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.27 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.23 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.22 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.24 tunnellist.gti.mcafee.akadns.net. 0 IN A 161.69.92.16

If the security policy of an organization allows it, and network administrators would prefer to create rules around netblocks used for the GTI Cloud, they can use the following CIDR blocks:

GTI Cloud Netblocks

8.18.25.0/25

8.21.161.0/25

161.69.92.0/25

161.69.165.0/25

161.69.169.0/25

161.69.199.0/25

161.69.226.0/25

The netblocks are subject to change in the future, but would allow for more blanket coverage and one-time Access Control List configuration.

Additional configuration details
In addition to the above netblocks, in 2016 McAfee began using Public Cloud resources to augment the GTI Cloud. Since 2018 that use was expanded, and a client might be directed to a GTI Cloud PoP in the Public Cloud. The current IP address list for those resources is as follows.

North America and Latin America	18.210.181.15	3.17.93.252	54.207.37.84
	35.175.169.147	3.130.192.46	18.229.234.209
	52.22.248.114	3.14.168.72	18.229.221.41
	54.161.18.217	3.13.175.152	18.229.214.120
	3.218.82.178	3.13.177.14	18.229.230.27
	3.221.83.69	18.217.35.31	18.229.238.10
	3.220.208.37	3.17.222.216	18.231.55.149
	3.209.49.187	3.13.101.252	54.207.36.207
	3.82.88.111	13.58.126.78	18.228.231.50
	52.203.225.140	18.224.177.231	18.228.142.252
	18.204.0.196	18.221.176.175	18.229.205.82
	52.21.68.3	3.130.165.110	18.229.227.102
Europe, Middle East, and Africa	18.202.163.246	18.200.102.222	52.16.112.58
	18.203.176.203	34.245.253.161	54.72.18.197
	34.249.206.168	18.200.177.198	34.254.121.67
	52.215.124.82	3.248.4.201	63.35.83.224
Asia Pacific	13.112.13.181	13.113.20.59	52.69.144.176
	13.231.87.245	3.113.144.18	52.69.3.12
	52.192.234.170	3.113.179.87	3.113.200.66
	52.69.126.90	52.194.198.2	3.113.68.241
	18.136.232.217	3.1.208.14	18.141.7.33
	52.74.48.212	52.76.69.100	3.1.172.253
	13.251.72.88	18.139.210.109	52.221.56.160
	13.251.160.226	18.138.54.213	18.139.198.177

Related Information

For GTI best practices for minimizing network traffic, see KB74581.

For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Affected Products

Advanced Threat Defense 4.8.x
Advanced Threat Defense 4.6.x
Advanced Threat Defense 4.4.x
Advanced Threat Defense 4.2.x
Advanced Threat Defense 4.0.x
Application and Change Control 8.2.x
Application and Change Control 8.0.x
Application and Change Control 7.0.x
Application and Change Control 6.5.x
Application and Change Control 6.2.x
Application and Change Control 6.1
Email Gateway 7.6
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security Firewall 10.5.x
Endpoint Security for Linux Firewall 10.6.x
Endpoint Security for Linux Threat Prevention 10.x
Endpoint Security for Mac Firewall 10.x
Endpoint Security for Mac Threat Prevention 10.x
Endpoint Security for Mac Web Control 10.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Threat Prevention 10.5.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Endpoint Security Web Control 10.5.x
Host Intrusion Prevention 8.0
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
MOVE Antivirus Multi-platform 4.6.x
MVISION Endpoint - All Versions
SaaS Email Protection 1
SaaS Web Protection 1.0
Stinger
Threat Intelligence Exchange Server 3.x
Threat Intelligence Exchange Server 2.3.x
Threat Intelligence Exchange Server 2.2.x
VirusScan Command Line Scanner 6.1.x
VirusScan Enterprise 8.8
VirusScan Enterprise for Storage 1.3.x
VirusScan Enterprise for Storage 1.2.x
Web Gateway 9.0.x
Web Gateway 8.2.x
Web Gateway 8.1.x
Web Gateway 8.0.x
Web Gateway 7.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

How to obtain a list of current Global Threat Intelligence IP addresses

Environment

Summary

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

How to obtain a list of current Global Threat Intelligence IP addresses

Environment

Summary

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title