Re: GTI File Reputation DNS Error - NS-7100 and NA-9100
You are receiving GTI file reputation notifications. The message notification description is “GTI File Reputation DNS Error Unreachable”.
This message means the sensor cannot get a response from the GTI file reputation website. The way GTI file reputation works is by sending a query to the IP address set on the sensor for GTI server IP. This DNS IP address resolves the query and sends a request to the GTI file reputation website and then the DNS server waits for the response and then sends it to the sensor.
The “GTI server IP” should be an internal DNS server and from the outputs you have provided you have set “GTI server IP” to your Primary Nameserver IP.
GTI file reputation:
• The sensor sends an example query like “sfqpit75pjh525siewar2dtgt5.avts.mcafee.com” to the DNS server you have specified (your local DNS server).
• The DNS server then resolves the query to get the GTI server IP addresses “avts.mcafee.com” and then sends the hash value “sfqpit75pjh525siewar2dtgt5” to those IP addresses.
• The GTI server provides the response to the DNS server of 127.x.x.x, which is not a local address, but the severity of the hash value of the file (MDR hash value).
• The DNS server then passes the 127.x.x.x response to the sensor and it will translate this response to the severity / sensitivity of the file, so it can process the file through the sensor.
1: From the sensor CLI, you need to set the GTI server IP. Perform the command 'show gti config'. Verify what is set for the 'GTI Server IP' and the 'Nameserver' IP addresses (DNS server). If the 'GTI Server IP' is not set to your internal DNS server, then perform the command below:
set gtiserver ip dns-ip-address

show gti config
Sample output, if you have enabled integration with the Private GTI Server IP address:
Primary Nameserver IP : 10.1.1.1
Secondary Nameserver IP : Not Configured
Timeout : 6 secs
GTI Server IP : 10.1.1.1
GTI Certificate : Present
[IP reputation configuration]
GTI proxy is disabled
2: If you haven't set the DNS server IP on the sensor, then log into the NSM UI and navigate to Devices | Devices | <choose sensor from drop down> | Setup | Name Resolution and then add the DNS server IP addresses and then save. The update to the sensor will be instant, so performing the command 'show gti config' from the sensor CLI will show it has been set.
3: Also, make sure your network allows outbound connections to the GTI server from the sensor management port. In the KB article KB53733 for “Ports used for lookups and updates” you will find the information for McAfee GTI File Reputation query.
https://kc.mcafee.com/agent/index?page=content&id=KB53733
McAfee GTI File Reputation query
Source: Sensor
Destination: avqs.mcafee.com and avts.mcafee.com (via DNS query to defined DNS server)
Port: 53 UDP
GTI File Reputation requires that the sensor can communicate with the internal DNS and then the internal DNS communicates with the GTI server directly via the Internet or indirectly via an internal Proxy server.
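The lookup path described in this post can be checked from a host on the sensor management network. The script below is an added example, not part of the original post and not McAfee code: it sends the same kind of A query to the DNS server over UDP 53 and reports whether the path is unreachable, returns a DNS error, or returns a 127.x.x.x answer. The function names, status strings and the sample reply are assumptions made for illustration.

```python
import socket, struct

GTI_ZONE = "avts.mcafee.com"  # lookup zone named in the post

def build_query(qname, txid=0x1234):
    # Standard recursive A query (RD bit set, one question).
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Step past a name: labels ending in a zero byte or a compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify_response(msg):
    # Returns (status, A records); a 127.x.x.x record is the reputation answer.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return ("rcode-%d" % (flags & 0x000F), [])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    hit = any(a.startswith("127.") for a in addrs)
    return ("gti-answer" if hit else "no-gti-answer", addrs)

def constructed_response(query, ip="127.0.0.1"):
    # Constructed sample reply: echo the question, attach one A record.
    hdr = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return hdr + query[12:] + rr

def check(dns_ip, label, timeout=6.0):
    # Live check over UDP 53 against the server set as "GTI Server IP".
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(label + "." + GTI_ZONE), (dns_ip, 53))
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return ("unreachable", [])
```

Calling check("10.1.1.1", "sfqpit75pjh525siewar2dtgt5") uses the sample server address and query label from the post; an "unreachable" result points at the DNS server or UDP 53 path, while an rcode result means the DNS server answered but could not resolve the name upstream.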