Integrate McAfee GTI file reputation with Forcepoint NGFW

Integrating Forcepoint NGFW with McAfee Global Threat Intelligence file reputation services allows access control based on the scan results.

Before you begin

Note: This feature requires a separate license.

Integrating McAfee GTI requires enabling McAfee GTI File Reputation and authorizing the use of the McAfee GTI service.

The McAfee GTI database contains classifications of files. When a file transfer matches a rule in the File Filtering Policy that applies McAfee GTI file reputation, the NGFW Engine sends a hash of the file to the McAfee GTI cloud. McAfee GTI file reputation compares the hash of the file against the McAfee GTI database.

Only a hash of the file is sent to the McAfee GTI cloud. No other data or telemetry information is sent to the McAfee GTI cloud.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Authorize the use of McAfee GTI in the Management Client.
    1. Select Menu > System Tools > Global System Properties.
    2. On the Global Options tab, select Enable McAfee Global Threat Intelligence (GTI) and Threat Intelligence (TIE) usage.
  2. Enable McAfee GTI file reputation checks.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > File Reputation.
    4. In the File Reputation Service drop-down list, select McAfee Global Threat Intelligence (GTI).
    5. Click Save and Refresh.

Result

McAfee GTI file reputation scan can now be used for malware detection in the File Filtering Policy.

Global System Properties dialog box — Global Options tab

Use this tab to configure general settings for the SMC and NGFW Engines.

You can also use this tab to:

  • Authorize McAfee® Global Threat Intelligence™ (McAfee GTI). Only administrators with unrestricted permissions (superusers) can enable McAfee GTI.
  • Show users in the Dashboard view.
  • Set the expiration time for one-time passwords that are generated when you save the initial configuration for an NGFW Engine.
  • Import Snort configuration files globally to configure default settings for Snort inspection for all NGFW Engines.

All settings are optional.

Option Definition

Enable McAfee Global Threat Intelligence (GTI) and McAfee Threat Intelligence Exchange (TIE) usage
  When selected, enables McAfee GTI usage.
  Note: McAfee Threat Intelligence Exchange (TIE) is no longer supported in NGFW 6.10 and higher.

Show Users in the Dashboard View
  When selected, users that have been recently active are shown in the Dashboard view.

Retrieve Information for Users Active
  A user is considered active if they have generated log data. Select the time period to retrieve the information. The longer the time period, the greater the performance impact.

Display Users as
  • User Names — The name of the user is shown. The information is shown as it appears in the logs.
  • Source IP Addresses — If user name information is not available, or cannot be shown due to privacy legislation, you can show only the source IP address of the user.

Show Users From These Networks (Only if Display Users as is Source IP Addresses)
  If you want to show users as source IP addresses, select the networks where your users are located.

One-Time Passwords Expire After
  Defines the expiration time for one-time passwords that are generated when you save the initial configuration for an NGFW Engine. If the one-time password is not used, it automatically expires after the expiration time has elapsed.
  By default, one-time passwords expire after 30 days.

Snort Configuration
  The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection.
  • Click Browse to select a file.
  • Click None to remove a previously imported file.
  • Click Export to export the Snort configuration file.
  All NGFW Engines for which Snort inspection is enabled use the global Snort configuration by default.
  Settings in the Snort configuration .zip file for an individual NGFW Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in the .zip file for an individual NGFW Engine have the same file name and path as configuration files in the global .zip file, the overlapping files in the global Snort configuration .zip file are ignored.

Health Monitoring
  Lets you select either Top Network Applications or individual Network Applications for monitoring. This section includes the following fields:
  • Network Applications – Specifies the applications that you select individually for monitoring. You can add or remove an application.
  • Top Network Applications – Specifies the applications that the SMC automatically selects for monitoring, based on accounting traffic. This is the default setting. You can also select Top Network Applications based on application usage.
  • Top Limit – Specifies the maximum number of network applications displayed on the Application Health Monitoring dashboard. This applies only to Top Network Applications. The default value is 10, but you can configure this value.
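The precedence rule for the Snort configuration archives described above (an engine-specific file with the same name and path replaces the global copy), as an added Python example that is not part of this documentation or of the Forcepoint product; build_zip, merge_snort_configs and the sample archive contents are constructed for illustration, and the function also reports which global files were ignored so the override can be audited:

```python
import io
import zipfile


def build_zip(files: dict[str, str]) -> bytes:
    """Pack {path: text} into an in-memory .zip (used only to build sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def _read_files(archive: bytes) -> dict[str, bytes]:
    """Return {path: content} for every regular file in a .zip archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def merge_snort_configs(global_zip: bytes, engine_zip: bytes) -> tuple[dict[str, bytes], list[str]]:
    """Combine the global Snort .zip with an engine-specific one.

    An engine file whose name and path exactly match a global file replaces it,
    and the global copy is ignored. The second return value lists the global
    paths that were ignored, so an operator can review what the override hid.
    """
    merged = _read_files(global_zip)
    overridden = []
    for path, data in _read_files(engine_zip).items():
        if path in merged:
            overridden.append(path)
        merged[path] = data  # engine-specific copy wins on an exact path match
    return merged, sorted(overridden)


# Constructed sample archives; the contents are placeholders, not real Snort config.
GLOBAL_FILES = {"snort.lua": "-- global\n", "rules/local.rules": "# global rules\n"}
ENGINE_FILES = {"rules/local.rules": "# engine rules\n", "rules/extra.rules": "# extra\n"}


def demo() -> tuple[dict[str, str], list[str]]:
    merged, overridden = merge_snort_configs(build_zip(GLOBAL_FILES), build_zip(ENGINE_FILES))
    return {p: d.decode() for p, d in merged.items()}, overridden


if __name__ == "__main__":
    files, ignored = demo()
    for path in sorted(files):
        print(f"{path}: {files[path].strip()}")
    print("global files ignored:", ignored)
```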

Engine Editor > Add-Ons > File Reputation

Use this branch to enable file reputation services for file filtering.

Option Definition

File Reputation Service
  Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE) — This option is included for backward compatibility with legacy NGFW software versions. McAfee Threat Intelligence Exchange (TIE) is no longer supported in NGFW 6.10 and higher.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.

Option Definition
When File Reputation Service is Global Threat Intelligence (GTI)

HTTP Proxies (Optional)
  When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element.
  Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

HTTP Proxy Properties dialog box

Use this dialog box to change the properties of an HTTP proxy.

Option Definition
General tab

Name
  The name of the element or the domain name of the proxy.

Resolve (Optional)
  Automatically resolves the domain name in the Name field.

IP Address
  Specifies the IPv4 or IPv6 address of the HTTP proxy.

Port
  Specifies the TCP port number of the HTTP proxy. The default port is 8080.

User Name (Optional)
  Specifies the user name for logging on to the HTTP proxy.

Password (Optional)
  Specifies the password for logging on to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.

Category (Optional)
  Includes the element in predefined categories. Click Select to select a category.

Tools Profile
  Adds commands to the right-click menu for the element. Click Select to select an element.

Comment (Optional)
  A comment for your own reference.

Option Definition
Monitoring tab

Log Server
  The Log Server that monitors the status of the element.

Status Monitoring
  When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.

Probing Profile
  Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.

Log Reception
  Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.

Logging Profile
  Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.

Time Zone
  Selects the time zone for the logs.

Encoding
  Selects the character set for log files.

SNMP Trap Reception
  Enables the reception of SNMP traps from the third-party device.

NetFlow Reception
  Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).