Integrate McAfee GTI file reputation with Forcepoint NGFW

Integrating Forcepoint NGFW with McAfee Global Threat Intelligence file reputation services allows access control based on the scan results.

Note: Integrating McAfee GTI requires enabling McAfee GTI File Reputation and authorizing the use of the McAfee GTI service.

The McAfee GTI database contains classifications of files. When a file transfer matches a rule in the File Filtering Policy that applies McAfee GTI file reputation, the NGFW Engine sends a hash of the file to the McAfee GTI cloud. McAfee GTI file reputation compares the hash of the file against the McAfee GTI database.

Note: Only a hash of the file is sent to the McAfee GTI cloud. No other data or telemetry information is sent to the McAfee GTI cloud.

Use of McAfee GTI file reputation does not require a separate license in the SMC.

For more details about the product and how to configure features, click Help or press F1.

Steps

Authorize the use of McAfee GTI in the Management Client.
1. Select Menu > System Tools > Global System Properties.
2. On the Global Options tab, select Enable McAfee Global Threat Intelligence (GTI) and Threat Intelligence (TIE) usage.
Enable McAfee GTI file reputation checks.
1. Select Configuration.
2. Right-click an engine, then select Edit <element type>.
3. Browse to Add-Ons > File Reputation.
4. In the File Reputation Service drop-down list, select McAfee Global Threat Intelligence (GTI).
5. Click Save and Refresh.

Result

McAfee GTI file reputation scan can now be used for malware detection in the File Filtering Policy.

Global System Properties dialog box — Global Options tab

Use this tab to configure general settings for the SMC and NGFW Engines.

You can also use this tab to:

Authorize McAfee® Global Threat Intelligence™ (McAfee GTI) and McAfee® Threat Intelligence Exchange (TIE) usage. Only administrators with unrestricted permissions can enable McAfee GTI and Threat Intelligence Exchange.
Show users in the Home view.
Set the expiration time for one-time passwords that are generated when you save the initial configuration for an NGFW Engine.

Option	Definition
Enable McAfee Global Threat Intelligence (GTI) and McAfee Threat Intelligence Exchange (TIE) usage	When selected, enables McAfee GTI and McAfee TIE usage.
Show Users in the Home View	When selected, users that have been recently active are shown in the Home view.
Retrieve Information for Users Active	A user is considered active if they have generated log data. Select the time period to retrieve the information. The longer the time period, the greater the performance impact.
Display Users as	User Names — The name of the user is shown. The information is shown as it is shown in the logs. Source IP Addresses — If user name information is not available, or cannot be shown due to privacy legislation, you can show only the source IP address of the user.
Show Users From These Networks (Only if Display Users as is Source IP Addresses	If you want to show users as source IP addresses, select the networks where your users are located.
One-Time Passwords Expire After	Defines the expiration time for one-time passwords that are generated when you save the initial configuration for an NGFW Engine. If the one-time password is not used, it automatically expires after the expiration time has elapsed. By default, one-time passwords expire after 30 days.

Engine Editor > Add-Ons > File Reputation

Use this branch to enable file reputation services for file filtering.

Option	Definition
File Reputation Service	Select the file reputation service to use. None — Disables file reputation services. Threat Intelligence Exchange (TIE) — Enables the use of McAfee TIE file reputation services for file filtering. Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.

Option	Definition
When File Reputation Service is Threat Intelligence Exchange (TIE)
ePO Server	Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC. Click Select to select an element.
DXL Certificates	Shows the currently valid DXL certificates.
Generate DXL Certificates	Generates new certificates.

Option	Definition
When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies (Optional)	When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element. Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

Option

Definition

When File Reputation Service is Global Threat Intelligence (GTI)

HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element.

Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

HTTP Proxy Properties dialog box

Use this dialog box to change the properties of an HTTP proxy.

Option	Definition
General tab
Name	The name of the element or the domain name of the proxy.
Resolve (Optional)	Automatically resolves the domain name in the Name field.
IP Address	Specifies the IPv4 or IPv6 address of the HTTP proxy.
Port	Specifies the TCP port number of the HTTP proxy. The default port is 8080.
User Name (Optional)	Specifies the user name for logging on to the HTTP proxy.
Password (Optional)	Specifies the password for logging on to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Category (Optional)	Includes the element in predefined categories. Click Select to select a category.
Tools Profile	Adds commands to the right-click menu for the element. Click Select to select an element.
Comment (Optional)	A comment for your own reference.

Option	Definition
Monitoring tab
Log Server	The Log Server that monitors the status of the element.
Status Monitoring	When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile	Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception	Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile	Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone	Selects the time zone for the logs.
Encoding	Selects the character set for log files.
SNMP Trap Reception	Enables the reception of SNMP traps from the third-party device.
NetFlow Reception	Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).