Integrate TIE file reputation with Forcepoint NGFW

Integrate Forcepoint NGFW with McAfee® Data Exchange Layer (DXL) and McAfee® Threat Intelligence Exchange (TIE) file reputation to receive file reputation data from the TIE server. Use the reputation data in file filtering to improve the malware detection coverage of Forcepoint NGFW.

Before you begin

To generate the DXL certificates required for the exchange of file reputation data with the TIE server, you must configure an ePO Server element and initialize the ePO Server SSL context.

Note: Integrating TIE file reputation requires enabling McAfee TIE and authorizing the use of the McAfee TIE service.

DXL is a framework of client software and brokers that enables the exchange of real-time encrypted file information between integrated security components in the network environment. The TIE server uses DXL to collect file reputation data. When Forcepoint NGFW is integrated with DXL and TIE file reputation, Forcepoint NGFW engines can request and automatically receive up-to-date file reputations from the TIE server. This ensures that NGFW Engines always have the latest file reputations available for use in file filtering.

Use of TIE file reputation does not require a separate license in the SMC. However, the DXL service components, such as the DXL broker, might require a separate DXL license.

Note: You cannot use TIE file reputation with Sidewinder Proxies. If the File Filtering Policy uses TIE file reputation, it is ignored for traffic that uses Sidewinder Proxies. If no other scanners are available, file transfers are allowed or discarded according to the selection for the Action When No Scanners Are Available option.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Authorize the use of TIE in the Management Client.
    1. Select Menu > System Tools > Global System Properties.
    2. On the Global Options tab, select Enable McAfee Global Threat Intelligence (GTI) and Threat Intelligence (TIE) usage.
  2. Enable TIE file reputation checks.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > File Reputation.
    4. In the File Reputation Service drop-down list, select McAfee Threat Intelligence Exchange (TIE).
    5. Next to the ePO Server field, click Select, then select the ePO Server element.
    6. Click Save and Refresh.
      The DXL certificates are automatically generated.

Result

TIE file reputation scan can now be used for malware detection in the File Filtering Policy.

Global System Properties dialog box — Global Options tab

Use this tab to show users in the Home view. You can also authorize McAfee® Global Threat Intelligence™ (McAfee GTI) and McAfee® Threat Intelligence Exchange (TIE) usage.

Option Definition
Enable McAfee Global Threat Intelligence (GTI) and McAfee Threat Intelligence Exchange (TIE) usage When selected, enables McAfee GTI and McAfee TIE usage.
Show Users in the Home View When selected, users that have been recently active are shown in the Home view.
Retrieve Information for Users Active A user is considered active if they have generated log data. Select the time period to retrieve the information. The longer the time period, the greater the performance impact.
Display Users as
  • User Names — The name of the user is shown. The information is shown as it is shown in the logs.
  • Source IP Addresses — If user name information is not available, or cannot be shown due to privacy legislation, you can show only the source IP address of the user.
Show Users From These Networks

(Only if Display Users as is Source IP Addresses

If you want to show users as source IP addresses, select the networks where your users are located.

Engine Editor – Add-Ons – File Reputation

Use this branch to enable file reputation services for file filtering.

Option Definition
File Reputation Service Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE) — Enables the use of McAfee TIE file reputation services for file filtering.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.
Option Definition
>When File Reputation Service is Threat Intelligence Exchange (TIE)
ePO Server Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC.
Select Opens the Select Element dialog box, where you can select an ePO Server element.
DXL Certificates Shows the currently valid DXL certificates.
Generate DXL Certificates Generates new certificates.
Option Definition
>When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.