Recent updates to this article
| Date |
Update |
| April 14, 2021 |
Added the FAQ How do I test GTI connectivity using curl for Windows? |
| July 14, 2020 |
Updated the following FAQs:
- What rules does GTI trigger if traffic is blocked?
- Are domain name ratings used?
- How do I configure exclusions for the ENS Firewall GTI feature?
- How can I dispute GTI ratings or learn more about GTI ratings?
|
| December 20, 2019 |
Tagged article with Endpoint Security Firewall 10.7.x. |
| September 12, 2019 |
Updated How do I configure ENS Firewall GTI exclusions for the internal network? |
| August 12, 2019 |
Added What are the ENS Firewall GTI rule names? and updated the GTI log example. |
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
This article provides detailed information about ENS Firewall Global Threat Intelligence (GTI) functionality.
What host name and port number need to be open for GTI functionality to work?
To work properly, the following host name and port number must be open. Make sure that they are open on any gateway firewalls, and if applicable, from the proxy server.
Host: tunnel.web.trustedsource.org (IP address can vary)
Port: 443
Can I change the host name and port information for GTI reputation lookups?
No. The host name and port information used for GTI reputation lookups is hard-coded into the product. This information can’t be changed in the local configuration, or in the ePolicy Orchestrator (ePO) policies.
Does the GTI functionality work with or without a proxy server?
Yes. ENS Firewall GTI functions correctly with or without a proxy server. When a proxy server is configured, the internet browser is configured to connect directly to a proxy server for internet access.
- If you do not use a proxy server, the ENS client requires direct connectivity to the GTI host name and port.
- If you use a proxy server, the proxy server requires connectivity to the GTI host name and port. Configure the proxy server options in the ENS Common policy under the section named Proxy Server. There are two options for configuring a proxy server:
- Use system proxy settings – ENS Firewall GTI uses a proxy server only if a proxy server is configured on the system.
- Configure proxy server – ENS Firewall GTI always uses the specified proxy server.
TIP: Exclude the GTI addresses from the proxy server. For more information, see: KB79640 - Connecting to Global Threat Intelligence.
To verify the ENS Common proxy server settings, review the
\ProgramData\McAfee\Endpoint Security\Logs\EndpointSecurityPlatform_Debug.log file.
08/31/2018 09:27:48.465 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [enableHTTPAuth] with its value [false]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerAddress] with its value [10.10.10.1]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyServerPort] with its value [8080]
08/31/2018 09:27:48.481 AM mfeesp(9820.12244) LPC.CommonLPC.Debug: Fetching Property setting [gtiProxyType] with its value [2],/div>
If a failure occurs, review the
EndpointSecurityPlatform_Debug.log for proxy authentication errors. For more information, see:
KB88190 - Proxy server logon fails when specifying domain\username
08/31/2018 12:38:36.920 PM mfeesp(3052.4660) GTIBL.GTI.Debug: Could not connect to host tunnel.web.trustedsource.org.:443 via HTTP proxy Proxy.customer.com:80; HTTP status code = 407
08/31/2018 12:38:36.921 PM mfeesp(3052.4660) GTIBL.GTI.Debug: could not setup proxy (proxy host: Proxy.customer.com host: tunnel.web.trustedsource.org.)
How do I test GTI connectivity using curl for Windows?
Verify whether GTI connectivity is successful.
- If you use basic proxy server authentication, test the connection to GTI with the following command:
curl -kvU user -x proxyaddress:port https://tunnel.web.trustedsource.org:443
- If you don't use proxy server authentication, omit the user name and test the connection to GTI with the following command:
curl -kvx proxyaddress:port https://tunnel.web.trustedsource.org:443
- If you don't use a proxy server, test the connection to GTI with the following command:
curl -kv https://tunnel.web.trustedsource.org:443
What rules does GTI trigger if traffic is blocked?
ENS Firewall GTI triggers the following firewall rules if network traffic is blocked due to matching the configured GTI In or Out network-reputation threshold ratings.
- GTI Rule - TCP - In
- GTI Rule - UDP - In
- GTI Rule - TCP - Out
- GTI Rule - UDP - Out
What IP addresses can I use to test the GTI functionality?
Use the following IP addresses to test the ENS Firewall GTI functionality. When you access these IP addresses, blocked events must display in the ENS
FirewallEventMonitor.log file with the rule name
GTI Rule - TCP - Out.
207.67.117.51 HIGH RISK
207.67.117.52 MEDIUM RISK
207.67.117.53 UNVERIFIED RISK
Example block event:
Time: 07/08/2020 03:33:57 PM
Event: Traffic
IP Address: 207.67.117.51
Description: MICROSOFT TELNET CLIENT
Path: C:\Windows\System32\telnet.exe
Message: Blocked Outgoing TCP - Source 10.0.0.1 : (57640) Destination 207.67.117.51 : http (80)
Matched Rule: GTI Rule - TCP - Out
What happens to traffic if the ENS Firewall can't reach the GTI server?
You can configure the ENS Firewall to either block or allow traffic by default if the GTI ratings server is not reachable. Configure the setting
If McAfee GTI ratings server is not reachable in the ENS Firewall
Options policy under the section named
McAfee GTI Network Reputation.
What hash type is used for file queries?
ENS uses SHA-256 for file queries to GTI. ENS continues to support MD5 for policy configuration and reporting.
Are domain name ratings used?
No. The IP address and port number of the connection request is rated against the GTI database. Domain name ratings are not used.
Can GTI ratings differ depending on how a connection is made?
Yes. GTI ratings differ depending on how a connection is made. For example, port 25 traffic to an IP address can have a different GTI rating than port 80 traffic.
How do I configure exclusions for the ENS Firewall GTI feature?
You can add the affected IP addresses in the
Firewall Options policy under the
Defined Networks section.
- Values listed as Trusted configure the Firewall to bypass the entry from the GTI functionality, but also allow all network traffic to and from the defined value.
- Values listed as Not trusted configure the Firewall to bypass the entry from the GTI functionality. But, these values are also applied to ALLOW/BLOCK firewall rules where the Local Network or Remote Network is defined as Defined Networks (Not trusted).
Does ENS Firewall GTI automatically exclude any IP addresses?
ENS Firewall GTI automatically excludes the following IP addresses from a ratings check:
- 10.0.0.0 - 10.255.255.255
- 169.254.0.0 - 169.254.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
- 127.0.0.1 - 127.255.255.255
- 0000:0000:0000:0000:0000:0000:0000:0001
- 0000:0000:0000:0000:0000:FFFF:0A00:0000 - 0000:0000:0000:0000:0000:FFFF:0AFF:FFFF
- 0000:0000:0000:0000:0000:FFFF:AC10:0000 - 0000:0000:0000:0000:0000:FFFF:AC1F:FFFF
- 0000:0000:0000:0000:0000:FFFF:C0A8:0000 - 0000:0000:0000:0000:0000:FFFF:C0A8:FFFF
- 0000:0000:0000:0000:0000:FFFF:A9FE:0000 - 0000:0000:0000:0000:0000:FFFF:A9FE:FFFF
- FE80:0000:0000:0000:0000:0000:0000:0000 - FE80:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Is an event sent to ePO if traffic is blocked?
If the setting
Log matching traffic is enabled in the ENS Firewall
Options policy under the section
McAfee GTI Network Reputation, Event ID 35002 events are generated and reported to the ePO server.
Can I use ePO queries to report on GTI events?
Yes. A default query named
Endpoint Security Firewall: Events from McAfee GTI in the last 6 months is provided. You can also create your own ePO queries to report on GTI events.
How can I dispute GTI ratings or learn more about GTI ratings?
To dispute or request any further information about GTI ratings, you have two options:
NOTE: Domain and URL ratings can differ from IP address:port number ratings. When using the Check URL action on the TrustedSource website, the rating for port 80 (http://207.67.117.51) or port 443 (https://207.67.117.51) is returned. GTI ratings might differ if the port number reported in the Firewall logs is not 80 or 443.
