FAQs for Endpoint Security Firewall Global Threat Intelligence

Recent updates to this article

Date	Update
December 20, 2019	Tagged article with Endpoint Security Firewall 10.7.x.
September 12, 2019	Updated How do I configure ENS Firewall GTI exclusions for the internal network?
August 12, 2019	Added What are the ENS Firewall GTI rule names? and updated the GTI log example.
September 5, 2018	Initial publication.

This article provides detailed information about ENS Firewall Global Threat Intelligence (GTI) functionality.

What host name and port number need to be open for GTI functionality to work?
To work properly, the following host name and port number must be open. Make sure that they are open on any gateway firewalls, and if applicable, from the proxy server.
 

• GTI Rule - In
• GTI Rule - Out

• If you do not use a proxy server, the ENS client requires direct connectivity to the GTI host name and port.
• If you use a proxy server, the proxy server requires connectivity to the GTI host name and port. Configure the proxy server options in the ENS Common policy under the section named Proxy Server. There are two options for configuring a proxy server:
  • Use system proxy settings – ENS Firewall GTI uses a proxy server only if a proxy server is configured on the system.
  • Configure proxy server – ENS Firewall GTI always uses the specified proxy server.
     
  TIP: Exclude the GTI addresses from the proxy server. For information, see KB79640.

To verify the ENS Common proxy server settings, review the \ProgramData\McAfee\Endpoint Security\Logs\EndpointSecurityPlatform_Debug.log file.

08/31/2018 09:27:48.465 AM   mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [enableHTTPAuth] with its value [false]
08/31/2018 09:27:48.481 AM   mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerAddress] with its value [10.10.10.1]
08/31/2018 09:27:48.481 AM   mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerPort] with its value [8080]
08/31/2018 09:27:48.481 AM   mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyType] with its value [2],/div>

If a failure occurs, review the EndpointSecurityPlatform_Debug.log for proxy authentication errors. See KB88190 for further details.

08/31/2018 12:38:36.920 PM   mfeesp(3052.4660) GTIBL.GTI.Debug: Could not connect to host tunnel.web.trustedsource.org.:443 via HTTP proxy Proxy.customer.com:80; HTTP status code = 407
08/31/2018 12:38:36.921 PM   mfeesp(3052.4660) GTIBL.GTI.Debug: could not setup proxy (proxy host: Proxy.customer.com  host: tunnel.web.trustedsource.org.)


What IP addresses can I use to test the GTI functionality?
Use the following IP addresses to test the ENS Firewall GTI functionality. When you access these IP addresses, blocked events must display in the ENS FirewallEventMonitor.log file with the rule name GTI Rule - TCP - Out.
What happens to traffic if the ENS Firewall can't reach the GTI server?
With ENS 10.6.0 and later, you can configure the ENS Firewall to either block or allow traffic by default if the GTI ratings server is not reachable. Configure the setting If McAfee GTI ratings server is not reachable in the ENS Firewall Options policy under the section named McAfee GTI Network Reputation.


What hash type is used for file queries?
With ENS 10.6.0 and later, use SHA-256 for file queries to GTI. ENS continues to support MD5 for policy configuration and reporting.


Are domain name ratings used?
No. The IP address of the connection request is rated against the GTI database. Domain name ratings are not used.


Can GTI ratings differ depending on how a connection is made?
Yes. GTI ratings differ depending on how a connection is made. For example, port 25 traffic to an IP address can have a different GTI rating than port 80 traffic.


How do I configure ENS Firewall GTI exclusions for the internal network?
To bypass your internal network, if you are using routable IP addresses, add the IP addresses as a Defined Network. Go to the ENS Firewall Options policy, and add the IP addresses under the section Defined Networks.


Does ENS Firewall GTI automatically exclude any IP addresses?
ENS Firewall GTI automatically excludes the following IP addresses from a ratings check:

• 10.0.0.0 - 10.255.255.255
• 169.254.0.0 - 169.254.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 - 192.168.255.255
• 127.0.0.1 - 127.255.255.255
• 0000:0000:0000:0000:0000:0000:0000:0001
• 0000:0000:0000:0000:0000:FFFF:0A00:0000 - 0000:0000:0000:0000:0000:FFFF:0AFF:FFFF
• 0000:0000:0000:0000:0000:FFFF:AC10:0000 - 0000:0000:0000:0000:0000:FFFF:AC1F:FFFF
• 0000:0000:0000:0000:0000:FFFF:C0A8:0000 - 0000:0000:0000:0000:0000:FFFF:C0A8:FFFF
• 0000:0000:0000:0000:0000:FFFF:A9FE:0000 - 0000:0000:0000:0000:0000:FFFF:A9FE:FFFF
• FE80:0000:0000:0000:0000:0000:0000:0000 - FE80:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

What rules does GTI trigger if traffic is blocked?
ENS Firewall GTI triggers the firewall rule GTI Rule - TCP - Out or GTI Rule - TCP - In if network traffic is blocked due to matching the configured GTI Rating Threshold. 


Is an event sent to ePO if traffic is blocked?
If the setting Log matching traffic is enabled in the ENS Firewall Options policy under the section McAfee GTI Network Reputation, Event ID 35002 events are generated and reported to the ePO server.


Can I use ePO queries to report on GTI events?
Yes. A default query named Endpoint Security Firewall: Events from McAfee GTI in the last 6 months is provided. You can also create your own ePO queries to report on GTI events.


How can I dispute GTI ratings or learn more about GTI ratings?
To dispute or request any further information about GTI ratings, you have two options:

• Visit the McAfee TrustedSource website at https://www.trustedsource.org
• Contact sites@mcafee.com.