Web Gateway: Integrating with the Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL)

Introduction

This guide will only include the minimum requirements to integrate MWG with TIE/DXL. For guidance on connecting endpoints or other products, please reference the Threat Intelligence Exchange Getting Started Guide on the McAfee community.

 

Prerequisites

To integrate MWG with TIE/DXL, you'll need the following prerequisites:

  • Web Gateway running 7.5.2 or greater
  • ePO 5.1.1 or later running on Windows Server 2008 R2 or later
  • VMware / ESXi server 5.1 or greater for hosting the TIE/DXL server

 

Setup

The setup section will consist of three separate parts:

  • ePO: Downloading/Installing required extensions and checking in packages
  • Configuring a TIE/DXL server
  • Connecting the MWG to DXL

ePO

Downloading required extensions and packages for ePO.

The extensions can be found in these locations:

    • McAfee Web Gateway > McAfee Data Exchange Layer
    • Reseller Support > Threat Intelligence Exchange

Note: If you are on ePO version 5.3, the DXL extensions may already be installed.

MePO extension

      • mepo_1.1.4.106.zip

Note: This extension is necessary in order for MWG to communicate to DXL. This can also be found on the McAfee Content Security Portal or on the McAfee Download Page under the 'McAfee Data Exchange Layer' product.

 

DXL extensions

      • DXLBrokerMgmt_1.x.0_Build_xxxx Package #x.zip
      • DXLClientMgmt_1.x.0_Build_xxx Package #x.zip
      • help_dxl_1xx.zip

 

DXL client package

      • DXLClient_1.x.0_Build_xxxx Package #x.zip

 

TIE extensions

      • TIEServerMgmt_1.x.0_Build_xxx Package #x.zip
      • TIEmMeta.zip
      • help_tie_1xx.zip
      • help_jtic_100.zip

 

TIE client package

      • JTICAgent.zip

 

Installing Extensions

Go to Menu > Software > Extensions and then click Install Extension. Install all of the extensions above.

 

Check in the DXL and TIE client package

Go to Menu > Software > Master Repository and then click Check In Package. Check in both packages listed above.

 

Configuring a TIE/DXL Server

Follow the guide Installing the TIE/DXL server. After completing this section come back to this article.

Note: The OVF file is pre-configured with 16 GB of RAM, 8 CPUs, and 116 GB of disk. Adjust the memory and CPU count to values appropriate for your ESXi server and set the disk provisioning to 'Thin Provision'.

 

Connecting MWG to a DXL broker

  • In ePO, create an ePO user and give that user a role whose permission set includes DXL McAfee MePO Certificate Creation (Menu > Users | Menu > Permission Sets).
  • In ePO, check the policy for McAfee Threat Intelligence Exchange Server Management to make sure Web Gateway Integration is enabled (Menu > Policy Catalog > Threat Intelligence Exchange Server Management).
  • In MWG, go to Configuration > ePolicy Orchestrator and specify the ePO user and password from above, as well as the hostname of the ePO server (the hostname must be used, not the IP address). Save Changes.

 

  • In ePO, click on System Tree and change the preset filter to 'This Group and All Subgroups'. You should see your MWG listed as a system.
    Note: MWG will not appear in the ePO System Tree until you restart the mwg-core service (service mwg-core restart).

  • MWG uses the MePO extension to communicate with ePO and fetch certificates and configuration from the DXL broker. If the subscription was successful, your /opt/mwg/data/dxl directory will be populated with those files.

    [Screenshot: Successful MWG DXL]

  • Edit your MWG system in ePO and click on the DXL Status tab to verify you have a 'Connected' status.

    [Screenshot: ePO System Tree, DXL Status tab]

 

Configuring MWG concept rules

Guidance and rule creation was provided by Michael Schneider via these community posts:
https://community.mcafee.com/videos/2217
Webgateway and DXL Integration done - what is m... | McAfee Communities

Important notes:

  • At this time TIE only provides file reputation for executables, drivers, and DLLs.
  • The provided rules allow MWG to query the TIE server for the reputation of supported files in order to filter them on the MWG.
  • The provided test rules block a download if the reputation returned by TIE is between 1 and 50 (Known Malicious to Unknown).

 

Steps:

  • Import the attached rule set. You can also import the attached block page.
  • Override the TIE file reputation for a test executable file to 'Known Malicious'. In ePO, go to Menu > Systems Section > TIE Reputations. Import a file following the guidance outlined in the guide: How to Import File and Certificate Reputations into TIE

    [Screenshot: set-tie-reputation]
    Note: the import requires that you know the SHA-1 and MD5 hash of the file. If you don't have a tool to get this information, Online MD5 Hash Generator & SHA1 Hash Generator is an example site that offers an online tool; on a Linux host (including the MWG shell), sha1sum and md5sum give the same values without uploading the file anywhere.

  • Try to download your test executable file through your MWG. You should receive the TIE File Reputation Block template.

    [Screenshot: mwg-rules]

 

Troubleshooting

I accidentally deleted the MWG system from ePO's System Tree. What do I do?!

Once MWG initially subscribes to DXL and pulls down the necessary certificates and config files, it no longer needs to communicate with ePO to query the TIE server for file reputation. However, for ePO reporting purposes it will be best if the MWG is added back in the System Tree.

Support Note: It's a common practice for admins to run reports/server tasks on ePO for *inactive agents* on ePO and remove them. In fact there is a default report called "Inactive agents". After MWG is removed from ePO, you're not easily able to track TIE detections for the MWG system. (ePO Dashboard: TIE Server Top 10 Systems with New Files...)

 

MWG doesn't exist as a system, so the System Name shows up only as an opaque GUID.

For example:

New Files on Systems Information
System Name: {2a703f0b-c5a9-201b-e41e-dc9b2bd20fbb}
Date: 8/6/15 5:00:00 PM
File Count: 12

 

To rejoin MWG back to ePO, you'll need to do the following:

    1. Go to Configuration > ePolicy Orchestrator, and click the button for Rejoining ePO

 

MWG can't connect to DXL - Error: "DXL is not available."

Possible causes:

  • The plugins (extensions) are not successfully installed on the ePO server. Check the ePO server and install all of the extensions listed above.
  • The broker is not reachable.

[Screenshot: rules]

Error from mwg-core.errors.log:

[2016-03-23 11:04:04.031 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.
[2016-03-23 11:05:20.435 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

 

Troubleshooting Broker Connection

If you are getting a "DXL not available" error in your mwg-core.errors.log and you have verified that your plugins are correctly installed on ePO, there is a possibility that your MWG is not able to communicate with the configured brokers. To find out which brokers are configured, pull the MWG_DXL.config file from the MWG.

[Screenshot: MWG_dxl.conf]

Once you open the file, you can see the broker UUID, communication port, hostname and IP address of each broker.

[Screenshot: DXLTIE_MWG_dxl.config]

From this information, use nslookup and telnet to ensure the MWG can communicate with the DXL broker on the configured port.
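The broker connectivity check described above, as an added example (not from the original article or the product): it resolves each broker hostname and attempts a TCP connection on its configured port, the same test as nslookup plus telnet. It assumes getent, the coreutils timeout command and bash are available on the host you run it from; the BROKERS list and port 8883 are constructed placeholders to be replaced with the values read from MWG_DXL.config.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): checks each configured DXL
# broker, using getent for name resolution and a bash /dev/tcp connect with a
# timeout in place of the nslookup/telnet the text suggests. BROKERS is a
# constructed sample: copy hostname:port from MWG_DXL.config (8883 is an assumed placeholder).
BROKERS="dxlbroker1.example.local:8883 dxlbroker2.example.local:8883"
# Print the IPv4 address for a broker hostname; IP literals are returned as-is.
resolve_broker() {
    host="$1"
    case "$host" in
        *[!0-9.]*) getent hosts "$host" | awk 'NR==1 {print $1}' ;;
        *) echo "$host" ;;
    esac
}

# Succeed only if a TCP connection to host:port opens within 5 seconds.
tcp_check() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check one broker: prints a status line; returns 0 on success,
# 1 if the name does not resolve, 2 if the TCP connection fails.
check_broker() {
    host="$1"; port="$2"
    addr=$(resolve_broker "$host")
    if [ -z "$addr" ]; then
        echo "FAIL $host:$port - name does not resolve"
        return 1
    fi
    if tcp_check "$addr" "$port"; then
        echo "OK   $host ($addr):$port - TCP connect succeeded"
        return 0
    fi
    echo "FAIL $host ($addr):$port - no TCP connection (firewall or broker down?)"
    return 2
}

# Check every broker in BROKERS; returns non-zero if any check failed.
check_all_brokers() {
    rc=0
    for entry in $BROKERS; do
        check_broker "${entry%:*}" "${entry##*:}" || rc=1
    done
    return $rc
}
# Run the full check when invoked as: RUN_CHECK=1 sh dxl_broker_check.sh
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_all_brokers
fi
```

A "name does not resolve" result points at DNS or /etc/hosts on the MWG, while "no TCP connection" points at a firewall between MWG and the broker or a broker that is down.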

 

Notes, Observations, and gotchas

  • TIE provides file reputation for executables, drivers, and DLLs.
  • MWG only relies on ePO for its initial subscription/connection in order to fetch the configuration and certificates from the DXL broker.
  • MWG will not immediately appear in the ePO System Tree after you add your ePO DXL credentials on MWG. You will need to restart the mwg-core service (service mwg-core restart).
  • The "Last Update" status ePO displays for MWG's DXL status (in System Tree) will ONLY reflect MWG's initial subscription/connection time. This value will never be updated again.
  • The "DXL" status page in ePO for the MWG system will show that MWG uses McAfee Agent 4.6. Disregard this. MWG doesn't use McAfee Agent or that version; it uses the MePO extension.
  • On the MWG, the ePO hostname must be used, not the IP address.
  • Removing MWG as a system in ePO will not affect any file reputation lookups that MWG makes to the TIE server, as ePO is effectively not used after the initial subscription.
  • Possible values for Reputation Level:
    • Known Trusted: 99
    • Most likely trusted: 85
    • Might be trusted: 70
    • Unknown: 50
    • Might be malicious: 30
    • Most likely malicious: 15
    • Known malicious: 1 (this is the value used for the test file above)
    • Not set: 0
Comments

Hi,

we tested several TIE/DXL integrations with MWG.

At the moment we see a lot of files with no name and no file info. These entries have been growing since we integrated MWG into TIE.

Any other Infos available?

Cheers

Finally we did some testing. Enclosed the result. You can download the Rulesets here:

Regarding DXL: MWG 7.6.x has a new feature (Button) where you can easily rejoin the DXL fabric.

Hi Troja,

We have the exact same issue with TIE 1.3 and MWG 7.6.2.2, no file name, no file info in the ePO console.

Did you find a solution for this?

Hi,

yes, I already fixed it. Check the ruleset at my link below.

Cheers

Hi,

is there any reason why not check archives for executables? Like big performance degradation or such...?

Br. Ales

Hi,

first of all, you can put any information into TIE, because the TIE database is filled by endpoint and network products. So finally non-PEs can be published in TIE.

The lag is the enforcement on endpoint. It makes no sense to store information in TIE when the information is not used on endpoint or gateway. 🙂

From my point of information non PE support will be added with future releases of the product.

Cheers

Hi Troja, thanks for your comment regarding this, but sorry to ask, what is actually PE? So far haven't seen this abbreviation

Br. Ales

Hi,

PE means Portable Executable. See some infos from Wikipedia.

Portable Executable - Wikipedia, the free encyclopedia

Cheers

Aaah, thanks 🙂

Br. Ales

Is there any information available on firewall ports that need to be open to communicate with any of the other components mentioned? Nasty question, I know. But I could really use an overview of that.

Hello,

it also depends on your environment. 🙂

First of all, MWG has no McAfee Agent installed; it's a DXL-enabled device.

1) During installation MWG needs a connection to the ePO console port. This is needed because you have to authenticate, and this is only possible directly on ePO.

2) You need at least one DXL connection to an available DXL broker service.

3) MWG is uploading files to ATD using REST. Normally this is port 443.

Hope this helps.

Cheers

Hi Thorsten,

Thanks for your reply. I'm kind of looking for a comprehensive ports list that pertains to MWG, DXL, TIE, ATD, ePO, etc., pretty much everything. The type of list that could serve as an input for a technical design document. I'm presently working it all out by hand, also including things like Kerberos auth and so on and so forth. I'll just tell myself it's a one-time thing, lol 😉

Thanks again!

Hi,

this list is not available.

  • There is a list of used default ports in the ePO Manual.
  • There is a list of used default ports in the DXL/TIE Manuals.

EPO Ports (EPO 5.3.x Product Guide, Page 300)

TIE Related ports (Product Manual, Page 17)

There is also a table after this screenshot where every port is explained.

Hope this helps a little bit,

Cheers

Version history: revision 6 of 10, last updated 04-01-2019 01:40 AM.