How To Configure McAfee Next Generation Firewall To Integrate With McAfee GTI

Version 1


    Introduction

     

    This video shows how to configure McAfee NGFW to integrate with McAfee Global Threat Intelligence (GTI). GTI provides real-time, cloud-based file reputation information. The Next Generation Firewall sends the file's MD5 hash to GTI, and GTI responds instantly with the reputation score.

     

    Video

    You can also watch the steps described in this document by viewing the video below.

    Process

     

     

    I - Configure GTI on the Next Generation Firewall

     

    Below is an image of the Security Management Center console (SMC), which is the centralized management tool to manage the Next-Generation Firewall.

    NGFW-GTI 0.png

     

    Before configuring GTI on the firewall, you have to authorize the use of McAfee GTI through the SMC. To do so, go to File > System Tools > Global System Properties and click on the "McAfee GTI" tab.

    NGFW-GTI 1.png

     

    Enable the setting that authorizes McAfee GTI usage and click "Ok".

    NGFW-GTI 2.png

     

    The next step is to configure a policy for sending file hashes to GTI. In the Next Generation Firewall 5.8 release, we have introduced a new policy called File Filtering Policy. If you want the Next Generation Firewall in your environment to send a file hash to the GTI cloud, you have to add a File Filtering Policy to your current Firewall Policy. The rules in the File Filtering Policy decide which files the firewall sends to the GTI cloud. To create a new File Filtering Policy, right-click in the "File Filtering Policies" tab of the SMC and choose to create a new File Filtering Policy.

    NGFW-GTI 3.png

     

    For demonstration purposes, we will be examining a policy that has already been created. Right click on the File Filtering policy for GTI and edit the policy. In the File Filtering policy, "Source" is the source location of the file, such as a web server, and "Destination" is a secure network, such as your office internal network.

    NGFW-GTI 4.png

     

    You can select the type of the files that the firewall will send to GTI for file reputation. Right click in the "Actions" tab and click "Allow After". A pop-up window will open up where you make your scan selections.

    NGFW-GTI 5.png
    NGFW-GTI 6.png

     

    Select "GTI File Reputation Scan" and select the file reputation based on your environment. Click "Ok".

    NGFW-GTI 7.png

     

    We now have to add this File Filtering policy to a regular firewall policy. To do so, go back to "Policies" and open the firewall policy. In our case, we want everything in the networks 192.168.102.0 and 101.0 to go through the File Filtering policy.

    NGFW-GTI 8.png

     

    Double-click the action tab and make sure to turn on the File Filtering policy.

    NGFW-GTI 9.png

     

    Go to the "Inspection" tab and select the File Filtering policy we created earlier.

    NGFW-GTI 10.png

     

    Lastly, we have to enable GTI on the firewall that will send the hash to GTI. To do so, go to the firewall, right-click on it and select "Edit Single Firewall Configuration".

    NGFW-GTI 11.png

     

    Go to "Add-ons" and click "GTI File Reputation" and check the box to enable GTI file reputation check. Save and upload the policy.

     

    NGFW-GTI 12.png

     

    We have now completed the Next Generation Firewall integration with GTI. Let's test this integration.

     

    Test the Configuration

     

    Before we start the test, let's start the logs. In this example, user "Matt" will try to download a file from the web server.

     

    NGFW-GTI 13.png
    NGFW-GTI 15.png

     

    This is a known bad file. The Next Generation Firewall sends the hash of this file to the GTI cloud, and GTI responds instantly with the reputation score. Since the reputation of this file is malicious, the Next Generation Firewall blocks the file right away. Let's test one more download. Again, we will start the logs, and user "Matt" will download a new file.

    NGFW-GTI 14.png
    NGFW-GTI 17.png
    NGFW-GTI 16.png

     

    The Next Generation Firewall blocked the known bad file by receiving a response from GTI. The new policy has been set up and configured correctly.
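
The decision flow configured above can be modelled offline to see why a download is or is not blocked during testing. This is an added example, not McAfee code or part of the original document: the rule model, the reputation labels, the local lookup table, the /24 prefix and the sample addresses are all assumptions, and treating an unknown reputation as "allow" is a simplification of this model.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

MALICIOUS, UNKNOWN = "malicious", "unknown"  # constructed labels, not GTI's score scale

@dataclass(frozen=True)
class FileFilteringRule:                 # hypothetical model of one File Filtering rule
    source: ipaddress.IPv4Network        # where the file comes from (e.g. a web server)
    destination: ipaddress.IPv4Network   # protected network receiving the file
    file_types: frozenset                # file types selected for the GTI scan
    block_on: frozenset                  # reputations that lead to a block

def md5_hex(data: bytes) -> str:
    """MD5 of the file content; only this digest is handed to the lookup."""
    return hashlib.md5(data).hexdigest()

def decide(rule, gti_enabled, src_ip, dst_ip, file_type, data, lookup):
    """Return (action, reason) for one file transfer."""
    if not gti_enabled:
        return "allow", "GTI file reputation not enabled on the firewall"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in rule.source or dst not in rule.destination:
        return "allow", "traffic does not match the File Filtering rule"
    if file_type not in rule.file_types:
        return "allow", "file type not selected for GTI scan"
    reputation = lookup(md5_hex(data))
    action = "block" if reputation in rule.block_on else "allow"
    return action, f"GTI reputation: {reputation}"

# Constructed sample data; the /24 prefix and all addresses are assumptions.
KNOWN_BAD = b"constructed known-bad sample"
REPUTATION_TABLE = {md5_hex(KNOWN_BAD): MALICIOUS}

def local_lookup(digest: str) -> str:
    """Offline stand-in for the cloud query; takes the digest only."""
    return REPUTATION_TABLE.get(digest, UNKNOWN)

RULE = FileFilteringRule(
    source=ipaddress.ip_network("0.0.0.0/0"),
    destination=ipaddress.ip_network("192.168.102.0/24"),
    file_types=frozenset({"exe"}),
    block_on=frozenset({MALICIOUS}),
)

if __name__ == "__main__":
    for name, data in [("bad.exe", KNOWN_BAD), ("new.exe", b"some other content")]:
        print(name, decide(RULE, True, "203.0.113.10", "192.168.102.25", "exe", data, local_lookup))
```

If a known bad test file is not blocked, the "allow" reasons in this model correspond to the settings to re-check: the GTI add-on on the firewall, the networks in the rule, and the file types selected for the scan.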