FAQs for ENS Firewall Global Threat Intelligence
Technical Articles ID: KB90837
Last Modified: 4/14/2021
Environment
McAfee Endpoint Security (ENS) Firewall 10.x
Summary
This article provides detailed information about ENS Firewall Global Threat Intelligence (GTI) functionality.
What host name and port number need to be open for GTI functionality to work?
To work properly, the following host name and port number must be open. Make sure that they are open on any gateway firewalls and, if applicable, from the proxy server.
Host: tunnel.web.trustedsource.org (IP address can vary)
Port: 443
Can I change the host name and port information for GTI reputation lookups?
No. The host name and port information used for GTI reputation lookups is hard-coded into the product. This information can’t be changed in the local configuration, or in the ePolicy Orchestrator (ePO) policies.
Does the GTI functionality work with or without a proxy server?
Yes. ENS Firewall GTI functions correctly with or without a proxy server. When a proxy server is configured, the internet browser is configured to connect directly to a proxy server for internet access.
- If you do not use a proxy server, the ENS client requires direct connectivity to the GTI host name and port.
- If you use a proxy server, the proxy server requires connectivity to the GTI host name and port. Configure the proxy server options in the ENS Common policy under the section named Proxy Server. There are two options for configuring a proxy server:
  - Use system proxy settings – ENS Firewall GTI uses a proxy server only if a proxy server is configured on the system.
  - Configure proxy server – ENS Firewall GTI always uses the specified proxy server.
The proxy settings that ENS reads are recorded in the \ProgramData\McAfee\Endpoint Security\Logs\EndpointSecurityPlatform_Debug.log file, for example:
08/31/2018 09:27:48.465 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [enableHTTPAuth] with its value [false]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerAddress] with its value [10.10.10.1]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerPort] with its value [8080]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyType] with its value [2]
If a failure occurs, review the EndpointSecurityPlatform_Debug.log for proxy authentication errors, for example the HTTP status code 407 entries below. For more information, see: KB88190 - Proxy server logon fails when specifying domain\username
08/31/2018 12:38:36.920 PM mfeesp(3052.4660) GTIBL.GTI.Debug: Could not connect to host tunnel.web.trustedsource.org.:443 via HTTP proxy Proxy.customer.com:80; HTTP status code = 407
08/31/2018 12:38:36.921 PM mfeesp(3052.4660) GTIBL.GTI.Debug: could not setup proxy (proxy host: Proxy.customer.com host: tunnel.web.trustedsource.org.)
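The two log excerpts above are the usual starting point when GTI lookups stop working behind a proxy. The following script is an added example (not McAfee's code and not part of this article) that pulls the gtiProxy* settings and the "Could not connect ... via HTTP proxy" failures out of EndpointSecurityPlatform_Debug.log text and turns them into a short finding. The log content embedded in the script is constructed from the entries quoted in this article; the SETTING_RE and CONNECT_FAIL_RE patterns are fitted to those quoted lines and are this example's own assumption about the log format.

```python
import re

# Constructed sample: the EndpointSecurityPlatform_Debug.log entries quoted in the article, joined into one file.
SAMPLE_DEBUG_LOG = """\
08/31/2018 09:27:48.465 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [enableHTTPAuth] with its value [false]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerAddress] with its value [10.10.10.1]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerPort] with its value [8080]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyType] with its value [2]
08/31/2018 12:38:36.920 PM mfeesp(3052.4660) GTIBL.GTI.Debug: Could not connect to host tunnel.web.trustedsource.org.:443 via HTTP proxy Proxy.customer.com:80; HTTP status code = 407
08/31/2018 12:38:36.921 PM mfeesp(3052.4660) GTIBL.GTI.Debug: could not setup proxy (proxy host: Proxy.customer.com host: tunnel.web.trustedsource.org.)
"""

# Patterns assumed from the quoted lines: the "[key] with its value [value]" setting dump and the proxy CONNECT failure.
SETTING_RE = re.compile(r"Fetching Property setting \[(?P<key>\w+)\] with its value \[(?P<value>[^\]]*)\]")
CONNECT_FAIL_RE = re.compile(
    r"Could not connect to host (?P<host>\S+?):(?P<port>\d+) via HTTP proxy "
    r"(?P<proxy>\S+?):(?P<proxy_port>\d+); HTTP status code = (?P<status>\d+)"
)


def parse_gti_proxy_settings(log_text):
    """Return the proxy-related settings ENS logged, keyed by setting name (values are kept as strings)."""
    settings = {}
    for line in log_text.splitlines():
        m = SETTING_RE.search(line)
        if m and (m["key"].startswith("gtiProxy") or m["key"] == "enableHTTPAuth"):
            settings[m["key"]] = m["value"]
    return settings


def find_proxy_connect_failures(log_text):
    """Return one record per failed CONNECT through the proxy, with the HTTP status the proxy answered."""
    failures = []
    for line in log_text.splitlines():
        m = CONNECT_FAIL_RE.search(line)
        if m:
            failures.append({
                "host": m["host"].rstrip("."),      # the log writes the FQDN with a trailing dot
                "port": int(m["port"]),
                "proxy": m["proxy"],
                "proxy_port": int(m["proxy_port"]),
                "status": int(m["status"]),
            })
    return failures


def diagnose(log_text):
    """Turn each proxy failure into the next thing to check. 407 is the proxy asking for credentials."""
    settings = parse_gti_proxy_settings(log_text)
    findings = []
    for f in find_proxy_connect_failures(log_text):
        where = f"proxy {f['proxy']}:{f['proxy_port']}"
        if f["status"] == 407:
            advice = (f"{where} requires authentication (HTTP 407) and enableHTTPAuth is "
                      f"'{settings.get('enableHTTPAuth', 'unknown')}'; check the proxy credentials "
                      f"configured in the ENS Common policy (see KB88190)")
        else:
            advice = (f"{where} answered HTTP {f['status']} for CONNECT to {f['host']}:{f['port']}; "
                      f"confirm the proxy itself can reach that host and port")
        findings.append({"status": f["status"], "proxy": f["proxy"], "advice": advice})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG_LOG):
        print(finding["advice"])
```

Run it against a real debug log by reading the file into a string and passing it to diagnose(); settings that the product did not log are reported as 'unknown' rather than guessed.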
How do I test GTI connectivity using curl for Windows?
Verify whether GTI connectivity is successful.
- If you use basic proxy server authentication, test the connection to GTI with the following command:
  curl -kvU user -x proxyaddress:port https://tunnel.web.trustedsource.org:443
- If you don't use proxy server authentication, omit the user name and test the connection to GTI with the following command:
  curl -kvx proxyaddress:port https://tunnel.web.trustedsource.org:443
- If you don't use a proxy server, test the connection to GTI with the following command:
  curl -kv https://tunnel.web.trustedsource.org:443
What rules does GTI trigger if traffic is blocked?
ENS Firewall GTI triggers the following firewall rules if network traffic is blocked due to matching the configured GTI In or Out network-reputation threshold ratings.
- GTI Rule - TCP - In
- GTI Rule - UDP - In
- GTI Rule - TCP - Out
- GTI Rule - UDP - Out
What IP addresses can I use to test the GTI functionality?
Use the following IP addresses to test the ENS Firewall GTI functionality. When you access these IP addresses, blocked events must display in the ENSFirewallEventMonitor.log file with the rule name GTI Rule - TCP - Out.
207.67.117.51 HIGH RISK
207.67.117.52 MEDIUM RISK
207.67.117.53 UNVERIFIED RISK
Example block event:
Time: 07/08/2020 03:33:57 PM
Event: Traffic
IP Address: 207.67.117.51
Description: MICROSOFT TELNET CLIENT
Path: C:\Windows\System32\telnet.exe
Message: Blocked Outgoing TCP - Source 10.0.0.1 : (57640) Destination 207.67.117.51 : http (80)
Matched Rule: GTI Rule - TCP - Out
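When validating the GTI feature with the test addresses above, the useful check is whether the ENSFirewallEventMonitor.log records show the expected rule name and the expected peer. The script below is an added example (not McAfee's code and not part of this article) that parses block records in the layout shown above, keeps only those matched by one of the four GTI rule names, cross-checks the direction and protocol in the Message against the rule name, and labels the rated peer with the reputation this article assigns to the three test addresses. The first record in the embedded sample is the article's example; the other two records, the MESSAGE_RE pattern and the "Example non-GTI block rule" name are constructed for this example.

```python
import re
from collections import Counter

# Rule names this article lists for GTI network-reputation blocks.
GTI_RULE_NAMES = {
    "GTI Rule - TCP - In", "GTI Rule - UDP - In",
    "GTI Rule - TCP - Out", "GTI Rule - UDP - Out",
}
# Reputation this article assigns to each GTI test address.
TEST_ADDRESS_REPUTATION = {
    "207.67.117.51": "HIGH RISK",
    "207.67.117.52": "MEDIUM RISK",
    "207.67.117.53": "UNVERIFIED RISK",
}

# Constructed ENSFirewallEventMonitor.log content. Record 1 is the article's example block event;
# records 2 and 3 are made up here to show a second test address and a non-GTI block being filtered out.
SAMPLE_EVENT_LOG = r"""
Time: 07/08/2020 03:33:57 PM
Event: Traffic
IP Address: 207.67.117.51
Description: MICROSOFT TELNET CLIENT
Path: C:\Windows\System32\telnet.exe
Message: Blocked Outgoing TCP - Source 10.0.0.1 : (57640) Destination 207.67.117.51 : http (80)
Matched Rule: GTI Rule - TCP - Out

Time: 07/08/2020 03:35:10 PM
Event: Traffic
IP Address: 207.67.117.52
Description: CURL (constructed)
Path: C:\Tools\curl.exe
Message: Blocked Outgoing TCP - Source 10.0.0.1 : (57641) Destination 207.67.117.52 : https (443)
Matched Rule: GTI Rule - TCP - Out

Time: 07/08/2020 03:36:02 PM
Event: Traffic
IP Address: 203.0.113.9
Description: CURL (constructed)
Path: C:\Tools\curl.exe
Message: Blocked Outgoing UDP - Source 10.0.0.1 : (53001) Destination 203.0.113.9 : (9999)
Matched Rule: Example non-GTI block rule (constructed)
"""

# Assumed Message layout, fitted to the article's example: "<service> (port)" or just "(port)" on either side.
MESSAGE_RE = re.compile(
    r"Blocked (?P<direction>Outgoing|Incoming) (?P<proto>TCP|UDP) - "
    r"Source (?P<src>\S+) : (?:\S+ )?\((?P<sport>\d+)\) "
    r"Destination (?P<dst>\S+) : (?:\S+ )?\((?P<dport>\d+)\)"
)


def parse_events(log_text):
    """Split the log into blank-line-separated records and each record into 'Field: value' pairs."""
    events = []
    for record in log_text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(": ")   # first ': ' only; paths and messages contain more colons
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def gti_blocks(log_text):
    """Return only records matched by a GTI rule, with the connection parsed out of the Message."""
    blocks = []
    for ev in parse_events(log_text):
        rule = ev.get("Matched Rule", "")
        m = MESSAGE_RE.search(ev.get("Message", ""))
        if rule not in GTI_RULE_NAMES or not m:
            continue
        proto, direction = [p.strip() for p in rule.split(" - ")[1:]]   # "GTI Rule - TCP - Out"
        # For an Out rule the destination was rated; for an In rule the source was.
        peer, port = (m["dst"], int(m["dport"])) if direction == "Out" else (m["src"], int(m["sport"]))
        blocks.append({
            "time": ev.get("Time", ""),
            "path": ev.get("Path", ""),
            "rule": rule,
            "proto": proto,
            "direction": direction,
            "peer": peer,
            "port": port,
            # The Message should agree with the rule name ("Outgoing" for Out, "Incoming" for In).
            "consistent": m["proto"] == proto and m["direction"].startswith(direction),
            "expected_reputation": TEST_ADDRESS_REPUTATION.get(peer),
        })
    return blocks


def summarize(log_text):
    """Count GTI blocks per rule and per known test-address reputation."""
    blocks = gti_blocks(log_text)
    return {
        "by_rule": dict(Counter(b["rule"] for b in blocks)),
        "by_reputation": dict(Counter(b["expected_reputation"] or "not a listed test address"
                                      for b in blocks)),
    }


if __name__ == "__main__":
    for b in gti_blocks(SAMPLE_EVENT_LOG):
        print(b["time"], b["rule"], b["peer"], b["port"], b["expected_reputation"], b["path"])
    print(summarize(SAMPLE_EVENT_LOG))
```

Records whose Message and rule name disagree are kept but flagged with consistent=False, so an unexpected pairing shows up in the output instead of being silently dropped.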
What happens to traffic if the ENS Firewall can't reach the GTI server?
You can configure the ENS Firewall to either block or allow traffic by default if the GTI ratings server is not reachable. Configure the setting If McAfee GTI ratings server is not reachable in the ENS Firewall Options policy under the section named McAfee GTI Network Reputation.
What hash type is used for file queries?
ENS uses SHA-256 for file queries to GTI. ENS continues to support MD5 for policy configuration and reporting.
Are domain name ratings used?
No. The IP address and port number of the connection request are rated against the GTI database. Domain name ratings are not used.
Can GTI ratings differ depending on how a connection is made?
Yes. GTI ratings differ depending on how a connection is made. For example, port 25 traffic to an IP address can have a different GTI rating than port 80 traffic.
How do I configure exclusions for the ENS Firewall GTI feature?
You can add the affected IP addresses in the Firewall Options policy under the Defined Networks section.
- Values listed as Trusted configure the Firewall to bypass the entry from the GTI functionality, but also allow all network traffic to and from the defined value.
- Values listed as Not trusted configure the Firewall to bypass the entry from the GTI functionality. But, these values are also applied to ALLOW/BLOCK firewall rules where the Local Network or Remote Network is defined as Defined Networks (Not trusted).
Does ENS Firewall GTI automatically exclude any IP addresses?
ENS Firewall GTI automatically excludes the following IP addresses from a ratings check:
10.0.0.0 - 10.255.255.255
169.254.0.0 - 169.254.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
127.0.0.1 - 127.255.255.255
0000:0000:0000:0000:0000:0000:0000:0001
0000:0000:0000:0000:0000:FFFF:0A00:0000 - 0000:0000:0000:0000:0000:FFFF:0AFF:FFFF
0000:0000:0000:0000:0000:FFFF:AC10:0000 - 0000:0000:0000:0000:0000:FFFF:AC1F:FFFF
0000:0000:0000:0000:0000:FFFF:C0A8:0000 - 0000:0000:0000:0000:0000:FFFF:C0A8:FFFF
0000:0000:0000:0000:0000:FFFF:A9FE:0000 - 0000:0000:0000:0000:0000:FFFF:A9FE:FFFF
FE80:0000:0000:0000:0000:0000:0000:0000 - FE80:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
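Before adding a Defined Networks exclusion it helps to know whether an address is already skipped by the built-in list, and the list mixes plain IPv4, IPv4-mapped IPv6 and link-local IPv6 ranges. The following is an added example (not McAfee's code and not part of this article) that loads the ranges exactly as listed above and answers that question for any address. Note two details it preserves from the list rather than "correcting" them: the IPv4 loopback range starts at 127.0.0.1, and the IPv4-mapped forms are matched as separate IPv6 entries rather than by translating them to IPv4. The function names and the as_cidrs() helper are this example's own.

```python
import ipaddress

# The ranges this article lists as automatically excluded from a GTI ratings check, copied as given.
# A single-address entry (::1) is written as a range with identical ends.
_RAW_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("169.254.0.0", "169.254.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
    ("127.0.0.1", "127.255.255.255"),
    ("0000:0000:0000:0000:0000:0000:0000:0001", "0000:0000:0000:0000:0000:0000:0000:0001"),
    ("0000:0000:0000:0000:0000:FFFF:0A00:0000", "0000:0000:0000:0000:0000:FFFF:0AFF:FFFF"),
    ("0000:0000:0000:0000:0000:FFFF:AC10:0000", "0000:0000:0000:0000:0000:FFFF:AC1F:FFFF"),
    ("0000:0000:0000:0000:0000:FFFF:C0A8:0000", "0000:0000:0000:0000:0000:FFFF:C0A8:FFFF"),
    ("0000:0000:0000:0000:0000:FFFF:A9FE:0000", "0000:0000:0000:0000:0000:FFFF:A9FE:FFFF"),
    ("FE80:0000:0000:0000:0000:0000:0000:0000", "FE80:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"),
]
EXCLUDED_RANGES = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in _RAW_RANGES]


def is_auto_excluded(addr):
    """True if the address falls in a range ENS Firewall GTI skips, according to the article's list."""
    ip = ipaddress.ip_address(addr)
    # Compare the version first: ipaddress raises TypeError when ordering IPv4 against IPv6.
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in EXCLUDED_RANGES)


def partition_targets(addrs):
    """Split addresses into those GTI will rate and those the built-in exclusions already skip."""
    result = {"rated": [], "excluded": []}
    for a in addrs:
        result["excluded" if is_auto_excluded(a) else "rated"].append(a)
    return result


def as_cidrs():
    """Express the excluded ranges as CIDR blocks, convenient for comparing with Defined Networks entries."""
    cidrs = []
    for lo, hi in EXCLUDED_RANGES:
        cidrs.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
    return cidrs


if __name__ == "__main__":
    # Constructed inputs: one RFC 1918 address, the article's HIGH RISK test address, a mapped and a link-local IPv6.
    print(partition_targets(["10.0.0.5", "207.67.117.51", "::ffff:192.168.1.1", "fe80::1"]))
    print(as_cidrs())
```

Anything reported under "rated" is an address GTI will look up, so it is the only kind of address for which a Defined Networks entry changes behaviour.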
Is an event sent to ePO if traffic is blocked?
If the setting Log matching traffic is enabled in the ENS Firewall Options policy under the section McAfee GTI Network Reputation, Event ID 35002 events are generated and reported to the ePO server.
Can I use ePO queries to report on GTI events?
Yes. A default query named Endpoint Security Firewall: Events from McAfee GTI in the last 6 months is provided. You can also create your own ePO queries to report on GTI events.
How can I dispute GTI ratings or learn more about GTI ratings?
To dispute or request any further information about GTI ratings, you have two options:
- Visit the McAfee TrustedSource website at https://www.trustedsource.org.
  NOTE: Domain and URL ratings can differ from IP address:port number ratings. When using the Check URL action on the TrustedSource website, the rating for port 80 (http://207.67.117.51) or port 443 (https://207.67.117.51) is returned. GTI ratings might differ if the port number reported in the Firewall logs is not 80 or 443.
- Contact sites@mcafee.com.
Recent updates to this article
Date | Update
April 14, 2021 | Added the FAQ How do I test GTI connectivity using curl for Windows?
July 14, 2020 | Updated the following FAQs:
December 20, 2019 | Tagged article with Endpoint Security Firewall 10.7.x.
September 12, 2019 | Updated How do I configure ENS Firewall GTI exclusions for the internal network?
August 12, 2019 | Added What are the ENS Firewall GTI rule names
Related Information
For detailed information about configuring GTI features, see the Endpoint Security Product Guide.
For product documents, go to the Product Documentation portal.