What is an Airgap environment?

It is an environment that does not have connectivity to the internet. Hence it cannot connect to the online MTIS site and download the latest threat XMLs for use by MRA.

What is the Airgap feature that MRA supports?

Starting from MRA 2.5, users can upload the threat XMLs in a zipped archive format. The archive is published by MTIS, and new threats are added to it daily. If MRA already has some threat files present in its database, MRA can intelligently identify the “delta” and upload it. This makes it possible to update the MRA threat content without depending on internet connectivity. It is also helpful when one wants to update the threat content quickly without having to wait to download it from the online MTIS server.

The threat zip file can be downloaded from:

https://threatfeed.mtis.mcafee.com/ctp/data/LatestThreats_YYYY_MM_DD.zip

Just replace the values:

YYYY – Year (e.g. 2010)

MM – Month (e.g. 10)

DD – Date (e.g. 26)
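
A check that can be run on the internet-connected staging machine before the archive is carried into the airgapped network, shown here as an added example (not McAfee code). It fills in the URL for a given date, verifies the zip's CRCs and entry names, and returns a SHA-256 that can be compared after the transfer. The assumption that the archive holds only .xml files, and the function names, are this example's own.

```python
import hashlib
import io
import zipfile
from datetime import date

# URL pattern quoted on this page; only the date part varies.
URL_TEMPLATE = "https://threatfeed.mtis.mcafee.com/ctp/data/LatestThreats_{:%Y_%m_%d}.zip"

def threat_zip_url(day):
    """Fill YYYY_MM_DD with zero-padded values for the given date."""
    return URL_TEMPLATE.format(day)

def inspect_threat_zip(data):
    """Return (sha256_hex, problems) for the raw bytes of a threat archive."""
    digest = hashlib.sha256(data).hexdigest()
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return digest, ["not a valid zip archive"]
    with archive:
        bad = archive.testzip()  # name of the first member failing its CRC check
        if bad is not None:
            problems.append("CRC mismatch in " + bad)
        for info in archive.infolist():
            name = info.filename.replace("\\", "/")
            if info.is_dir():
                continue
            if name.startswith("/") or ":" in name or ".." in name.split("/"):
                problems.append("unsafe path: " + info.filename)
            elif not name.lower().endswith(".xml"):
                # Assumption: the archive carries only threat XML files.
                problems.append("unexpected file type: " + info.filename)
    return digest, problems

def constructed_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(threat_zip_url(date(2010, 10, 26)))
    print(inspect_threat_zip(constructed_zip({"threat_0001.xml": b"<threat/>"})))
```

Record the digest alongside the file and recompute it on the ePO side before using “Import Threats From File”.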

How do I use this feature?

The feature is easy to use. Let's walk through it using an ePO 4.5 setup (the steps are exactly the same for ePO 4.6).

Step 1: Go to the “Risk and Compliance” > “Threats” page

Step 2: Click on the "Actions" > "Risk Advisor" > “Import Threats From File” option

Step 3: Click on the “Browse” button and point to the downloaded threat zip file on the local machine or the network

Step 4: You may optionally select the “MRA: Data Import/Reconciliation” and “MRA: Threat Asset Coverage Analysis” subtasks to add these to the current task. They may be left unchecked if the user plans to run them separately

Step 5: Click on the “Run” button to trigger the task. The task will run and get reflected in the “Server Task Log”

Step 6: Once this runs successfully, the threats are imported and shown on the “Threats” page in MRA.