Integrate McAfee GTI file reputation with Forcepoint NGFW
Integrating Forcepoint NGFW with McAfee Global Threat Intelligence file reputation services allows access control based on the scan results.
Before you begin
Integrating McAfee GTI requires enabling McAfee GTI File Reputation and authorizing the use of the McAfee GTI service.
The McAfee GTI database contains classifications of files. When a file transfer matches a rule in the File Filtering Policy that applies McAfee GTI file reputation, the NGFW Engine sends a hash of the file to the McAfee GTI cloud. McAfee GTI file reputation compares the hash of the file against the McAfee GTI database.
Only a hash of the file is sent to the McAfee GTI cloud. No other data or telemetry information is sent to the McAfee GTI cloud.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Authorize the use of McAfee GTI in the Management Client.
- Select .
- On the Global Options tab, select Enable McAfee Global Threat Intelligence (GTI) and Threat Intelligence (TIE) usage.
-
Enable McAfee GTI file reputation checks.
- Select Configuration.
- Right-click an engine, then select Edit <element type>.
- Browse to .
- In the File Reputation Service drop-down list, select McAfee Global Threat Intelligence (GTI).
- Click Save and Refresh.
Result
Global System Properties dialog box — Global Options tab
Use this tab to configure general settings for the SMC and NGFW Engines.
You can also use this tab to:
- Authorize McAfee® Global Threat Intelligence™ (McAfee GTI). Only administrators with unrestricted permissions (superusers) can enable McAfee GTI.
- Show users in the Home view.
- Set the expiration time for one-time passwords that are generated when you save the initial configuration for an NGFW Engine.
- Import Snort configuration files globally to configure default settings for Snort inspection for all NGFW Engines.
All settings are optional.
Option | Definition |
---|---|
Enable McAfee Global Threat Intelligence (GTI) and McAfee Threat Intelligence Exchange (TIE) usage | When selected, enables McAfee GTI usage. Note: McAfee Threat Intelligence Exchange (TIE) is no longer supported in NGFW 6.10 and higher.
|
Show Users in the Home View | When selected, users that have been recently active are shown in the Home view. |
Retrieve Information for Users Active | A user is considered active if they have generated log data. Select the time period to retrieve the information. The longer the time period, the greater the performance impact. |
Display Users as |
|
Show Users From These Networks (Only if Display Users as is Source IP Addresses |
If you want to show users as source IP addresses, select the networks where your users are located. |
One-Time Passwords Expire After | Defines the expiration time for one-time passwords that are generated when you save the initial configuration for an NGFW
Engine. If the one-time password is not used, it automatically expires after the expiration time has elapsed. By default, one-time passwords expire after 30 days. |
Snort Configuration | The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection.
All NGFW Engines for which Snort inspection is enabled use the global Snort configuration by default. Settings in the Snort configuration .zip file for an individual NGFW Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in a Snort configuration .zip file for an individual NGFW Engine have the same files name and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored. |
Engine Editor > Add-Ons > File Reputation
Use this branch to enable file reputation services for file filtering.
Option | Definition |
---|---|
File Reputation Service | Select the file reputation service to use.
|
Option | Definition |
---|---|
When File Reputation Service is Global Threat Intelligence (GTI) | |
HTTP Proxies
(Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element. Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than
one HTTP proxy, the additional HTTP proxies are ignored.
|
HTTP Proxy Properties dialog box
Use this dialog box to change the properties of an HTTP proxy.
Option | Definition |
---|---|
General tab | |
Name | The name of the element or the domain name of the proxy. |
Resolve (Optional) |
Automatically resolves the domain name in the Name field. |
IP Address | Specifies the IPv4 or IPv6 address of the HTTP proxy. |
Port | Specifies the TCP port number of the HTTP proxy. The default port is 8080. |
User Name
(Optional) |
Specifies the user name for logging on to the HTTP proxy. |
Password (Optional) |
Specifies the password for logging on to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. |
Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) |
A comment for your own reference. |
Option | Definition |
---|---|
Monitoring tab | |
Log Server | The Log Server that monitors the status of the element. |
Status Monitoring | When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view. |
Probing Profile | Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element. |
Log Reception | Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected. |
Logging Profile | Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element. |
Time Zone | Selects the time zone for the logs. |
Encoding | Selects the character set for log files. |
SNMP Trap Reception | Enables the reception of SNMP traps from the third-party device. |
NetFlow Reception | Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10). |