Integrate McAfee GTI file reputation with Engine

Integrating Engine with McAfee Global Threat Intelligence file reputation services allows access control based on the scan results.

Note: Integrating McAfee GTI requires enabling McAfee GTI File Reputation and authorizing the use of the McAfee GTI service.

The McAfee GTI database contains classifications of files. When a file transfer matches a rule in the File Filtering Policy that applies McAfee GTI file reputation, the Engine sends a hash of the file to the McAfee GTI cloud. McAfee GTI file reputation compares the hash of the file against the McAfee GTI database.

Note: Only a hash of the file is sent to the McAfee GTI cloud. No other data or telemetry information is sent to the McAfee GTI cloud.

Use of McAfee GTI file reputation does not require a separate license in the Secure SD-WAN Manager.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Authorize the use of McAfee GTI in the Management Client.
    1. Select Menu > System Tools > Global System Properties.
    2. On the Global Options tab, select Enable McAfee Global Threat Intelligence (GTI) and Threat Intelligence (TIE) usage.
  2. Enable McAfee GTI file reputation checks.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > File Reputation.
    4. In the File Reputation Service drop-down list, select McAfee Global Threat Intelligence (GTI).
    5. Click Save and Refresh.

Result

McAfee GTI file reputation scan can now be used for malware detection in the File Filtering Policy.

Global System Properties dialog box — Global Options tab

Use this tab to configure general settings for the Secure SD-WAN Manager and Engine.

You can also use this tab to:

  • Authorize McAfee® Global Threat Intelligence™ (McAfee GTI). Only administrators with unrestricted permissions (superusers) can enable McAfee GTI.
  • Show users in the Home view.
  • Set the expiration time for one-time passwords that are generated when you save the initial configuration for an Engine.
  • Import Snort configuration files globally to configure default settings for Snort inspection for all Engines.

All settings are optional.

Option Definition
Enable McAfee Global Threat Intelligence (GTI) and McAfee Threat Intelligence Exchange (TIE) usage When selected, enables McAfee GTI usage.
Note: McAfee Threat Intelligence Exchange (TIE) is no longer supported in Engine 6.10 and higher.
Show Users in the Home View When selected, users that have been recently active are shown in the Home view.
Retrieve Information for Users Active A user is considered active if they have generated log data. Select the time period to retrieve the information. The longer the time period, the greater the performance impact.
Display Users as
  • User Names — The name of the user is shown. The information is shown as it is shown in the logs.
  • Source IP Addresses — If user name information is not available, or cannot be shown due to privacy legislation, you can show only the source IP address of the user.
Show Users From These Networks

(Only if Display Users as is Source IP Addresses

If you want to show users as source IP addresses, select the networks where your users are located.
One-Time Passwords Expire After Defines the expiration time for one-time passwords that are generated when you save the initial configuration for an Engine. If the one-time password is not used, it automatically expires after the expiration time has elapsed.

By default, one-time passwords expire after 30 days.

Snort Configuration The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection.
  • Click Browse to select a file.
  • Click None to remove a previously imported file.
  • Click Export to export the Snort configuration file.

All Engines for which Snort inspection is enabled use the global Snort configuration by default.

Settings in the Snort configuration .zip file for an individual Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in a Snort configuration .zip file for an individual Engine have the same files name and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored.

Engine Editor > Add-Ons > File Reputation

Use this branch to enable file reputation services for file filtering.

Option Definition
File Reputation Service Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE)This option is included for backward compatibility with legacy software versions. McAfee Threat Intelligence Exchange (TIE) is no longer supported in Engine 6.10 and higher.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.
Option Definition
When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element.
Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

HTTP Proxy Properties dialog box

Use this dialog box to change the properties of an HTTP proxy.

Option Definition
General tab
Name The name of the element or the domain name of the proxy.
Resolve

(Optional)

Automatically resolves the domain name in the Name field.
IP Address Specifies the IPv4 or IPv6 address of the HTTP proxy.
Port Specifies the TCP port number of the HTTP proxy. The default port is 8080.
User Name

(Optional)

Specifies the user name for logging on to the HTTP proxy.
Password

(Optional)

Specifies the password for logging on to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to Secure SD-WAN Manager log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).