J1mX1
Level 9
Message 1 of 7

Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?


A website our business needs to access is being blocked at our Endpoints due to the IP it is hosted on (a shared IP) being flagged by GTI.

Message 'chrome.exe tried to access x.x.x.x, violating the rule GTI Rule - TCP - Out and was Blocked'.

A threat intelligence check on McAfee Labs actually lists the IP as 'Minimal risk' for web and 'High risk' for email.

What is the best way of whitelisting this website? Do you have to add the IP as a trusted network?

6 Replies
Dayananda
McAfee Employee
Message 2 of 7

Re: Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?


Hi,

First, you need to check the category of the website on https://www.trustedsource.org/ and, if the reputation is high risk, you can submit a request to sites@mcafee.com or on the same page so that the reputation of the site will be changed accordingly.

Try this and let us know the result.


Regards,
Daya
ktankink
McAfee Employee
Message 3 of 7

Re: Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?


Hi @J1mX1, you can add the IP address in the Firewall Options policy as a DEFINED NETWORK - NOT TRUSTED entry to bypass GTI ratings for that IP (NOT TRUSTED values are also used inside Firewall Rules where the LOCAL/REMOTE NETWORK is set to DEFINED NETWORK, e.g., a variable IP address based on what you set in the NOT TRUSTED Options policy, if you have any rules set that way).

DEFINED NETWORKS - TRUSTED network values will configure the Firewall to ALLOW ALL to/from the IP, which you may not want.

KB90837 - FAQs for Endpoint Security Firewall Global Threat Intelligence
https://kc.mcafee.com/corporate/index?page=content&id=KB90837


J1mX1
Level 9
Message 4 of 7

Re: Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?

Thanks, I will try this and report back.
J1mX1
Level 9
Message 5 of 7

Re: Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?

I have found where I can add the IP address as 'NOT TRUSTED' within the Defined Network section of the Firewall Options. Do I then need to create a Firewall Rule separately defining access to this external IP address too?
ktankink
McAfee Employee
Message 6 of 7 (Accepted Solution)

Re: Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?


@J1mX1 wrote:
I have found where I can add the IP address as 'NOT TRUSTED' within the Defined Network section of the Firewall Options. Do I then need to create a Firewall Rule separately defining access to this external IP address too?

Simply adding the IP entry to the NOT TRUSTED list will allow it to bypass the ENSFW GTI rating system, but yes, the network traffic will need to be allowed out eventually via a Firewall rule; otherwise the BLOCK ALL TRAFFIC rule will deny it. Although, you may already have a firewall rule to allow the traffic out based on your current rule configuration; if you see it hit the BLOCK ALL rule, then you don't have an ALLOW rule for it and you'll need to create one.


Yes, ENSFW GTI rates by IP:PORT number (not URL or DOMAIN); I've added some updated info to KB90837 to clarify this (will be republished soon).

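To make the decision order in this answer concrete, here is an added model (constructed for this thread, not McAfee's code) of how the replies describe ENS Firewall handling a connection: GTI rates the remote IP:port, a DEFINED NETWORK - NOT TRUSTED entry skips GTI for that IP, a TRUSTED entry allows everything to/from it, and anything that survives GTI walks the ordered rule list and falls to BLOCK ALL TRAFFIC when nothing matches. The reputation table, the IP 203.0.113.10 and the rule names are made-up sample data; the parser handles the block message format quoted in the question.

```python
"""Added illustration of the ENS Firewall decision order described in this
thread; constructed model, not McAfee code. Sample data is made up."""
import re
from dataclasses import dataclass, field

# Constructed GTI ratings keyed by (ip, port): GTI rates IP:PORT, not URL/domain.
GTI_REPUTATION = {("203.0.113.10", 443): "high", ("203.0.113.10", 80): "minimal"}

@dataclass
class FirewallRule:
    name: str
    action: str      # "allow" or "block"
    direction: str   # "out" or "in"
    protocol: str    # "tcp", "udp" or "any"
    remote: set      # remote IPs this rule matches, or {"any"}

@dataclass
class FirewallOptions:
    trusted: set = field(default_factory=set)      # DEFINED NETWORKS - TRUSTED
    not_trusted: set = field(default_factory=set)  # DEFINED NETWORKS - NOT TRUSTED
    gti_block_levels: tuple = ("high",)            # ratings the GTI rule blocks

def evaluate(opts, rules, ip, port, proto="tcp", direction="out"):
    """Return (action, deciding_rule) for one connection."""
    # TRUSTED networks: ALLOW ALL to/from the IP, no further checks.
    if ip in opts.trusted:
        return "allow", "DEFINED NETWORK - TRUSTED"
    # GTI rule: only consulted when the IP is not in the NOT TRUSTED list.
    if ip not in opts.not_trusted:
        if GTI_REPUTATION.get((ip, port)) in opts.gti_block_levels:
            return "block", f"GTI Rule - {proto.upper()} - {direction.capitalize()}"
    # Ordered rule list; first match wins.
    for rule in rules:
        if (rule.direction == direction and rule.protocol in (proto, "any")
                and ("any" in rule.remote or ip in rule.remote)):
            return rule.action, rule.name
    # Nothing matched: the trailing catch-all denies it.
    return "block", "Block All Traffic"

BLOCK_EVENT = re.compile(
    r"(?P<process>\S+) tried to access (?P<ip>[\d.]+), violating the rule "
    r"(?P<rule>.+?) and was Blocked")

def parse_block_event(message):
    """Pull process, remote IP and rule name out of an ENS block message."""
    match = BLOCK_EVENT.search(message)
    return match.groupdict() if match else None
```

Running evaluate() with only the NOT TRUSTED entry returns the Block All decision; adding an outbound allow rule for that IP is what turns it into an allow.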

J1mX1
Level 9
Message 7 of 7

Re: Site blocked by Firewall rule GTI Rule - TCP - Out. Best way to white list?

Thanks Daya for your feedback.
Checking the category of the URL, it is classed as 'Business - Minimal Risk'. I hence assume it is being blocked at the firewall by a GTI rule due to the IP address and not the URL.
