This video shows how to configure McAfee NGFW to integrate with McAfee Global Threat Intelligence (GTI). GTI provides real-time cloud-based file reputation information. Next Generation Firewall will send the file's MD5 hash to GTI, and GTI responds instantly with the reputation score.
You can also watch the steps described in this document by viewing the video below.
I - Configure GTI on the Next Generation Firewall
Below is an image of the Security Management Center console (SMC), which is the centralized management tool to manage the Next-Generation Firewall.
Before configuring GTI on the firewall, you have to authorize the use of McAfee GTI through the SMC. To do so, go to File > System Tools > Global System Properties and click on the "McAfee GTI" tab.
Enable the option that authorizes McAfee GTI usage and click "Ok."
The next step is to configure a policy for sending file hashes to GTI. In the Next Generation Firewall 5.8 release, we have introduced a new policy called File Filtering Policy. If you want the Next Generation Firewall in your environment to send a file hash to the GTI cloud, you will have to add a File Filtering Policy to your current Firewall Policy. The rules in the File Filtering Policy decide for which files the firewall sends a hash to the GTI cloud. To create a new File Filtering Policy, right-click in the "File Filtering Policies" tab of the SMC and create a new File Filtering Policy.
For demonstration purposes, we will be examining a policy that has already been created. Right click on the File Filtering policy for GTI and edit the policy. In the File Filtering policy, "Source" is the source location of the file, such as a web server, and "Destination" is a secure network, such as your office internal network.
You can select the type of the files that the firewall will send to GTI for file reputation. Right click in the "Actions" tab and click "Allow After". A pop-up window will open up where you make your scan selections.
Select "GTI File Reputation Scan" and select the file reputation based on your environment. Click "Ok".
We now have to add this File Filtering policy to a regular firewall policy. To do so, go back to "Policies" and open the firewall policy. In our case, we want everything in the network 192.168.102.0 and 101.0 to go through the File Filtering policy.
Double-click the action tab and make sure to turn on the File Filtering policy.
Go to the "Inspection" tab and select the File Filtering policy we created earlier.
Lastly, we have to enable GTI on the firewall that will send the hash to GTI. To do so, go to the firewall, right-click on it and select "Edit Single Firewall Configuration".
Go to "Add-ons" and click "GTI File Reputation" and check the box to enable GTI file reputation check. Save and upload the policy.
We have now completed the Next Generation Firewall integration with GTI. Let's test this integration.
II - Test the Configuration
Before we start the test, let's start the logs. In this example, user "Matt" will try to download a file from the web server.
Since this is a known bad file, the Next Generation Firewall sends the hash of this file to the GTI cloud. GTI responds instantly with the reputation score. Since the reputation of this file is malicious, the Next Generation Firewall will block the file right away. Let’s test one more download. Again, we will start the logs, and user "Matt" will download a new file.
The Next Generation Firewall blocked the known bad file by receiving a response from GTI. The new policy has been set up and configured correctly.
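The lookup-and-block flow that the test above exercises, as an added sketch that is not McAfee code and does not use the real GTI interface. The reputation levels, the MockReputationService class, the block_at threshold and the fail_closed switch are all assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
from enum import IntEnum

class Reputation(IntEnum):
    # Constructed levels for this sketch; not GTI's real score scale.
    KNOWN_GOOD = 0
    UNKNOWN = 1
    SUSPICIOUS = 2
    MALICIOUS = 3

def md5_of_stream(chunks):
    """Hash a file as it arrives in pieces, the way an inline device sees it."""
    h = hashlib.md5()  # the page states the firewall sends an MD5 hash
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

class MockReputationService:
    """Hypothetical stand-in for the cloud lookup: MD5 hex digest -> Reputation."""
    def __init__(self, table, reachable=True):
        self.table = table
        self.reachable = reachable

    def lookup(self, md5_hex):
        if not self.reachable:
            raise ConnectionError("reputation service unreachable")
        # A hash the service has never seen gets no verdict, only UNKNOWN.
        return self.table.get(md5_hex, Reputation.UNKNOWN)

def file_filter_decision(chunks, service, block_at=Reputation.MALICIOUS,
                         fail_closed=False):
    """Return (action, md5, reputation) for one file transfer."""
    digest = md5_of_stream(chunks)
    try:
        rep = service.lookup(digest)
    except ConnectionError:
        # Assumption: the policy owner chooses what happens without an answer.
        return ("block" if fail_closed else "allow", digest, None)
    return ("block" if rep >= block_at else "allow", digest, rep)

# Constructed sample data: one file the mock service knows as bad, one it has not seen.
BAD_FILE = [b"constructed-bad-", b"sample-payload"]
NEW_FILE = [b"constructed-new-", b"sample-document"]
SERVICE = MockReputationService({md5_of_stream(BAD_FILE): Reputation.MALICIOUS})

if __name__ == "__main__":
    for name, chunks in (("bad", BAD_FILE), ("new", NEW_FILE)):
        print(name, file_filter_decision(chunks, SERVICE))
```

The second file is allowed only because the mock service has no entry for its hash, so the chosen reputation threshold decides how unknown files are treated.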