28 Replies. Latest reply on Dec 21, 2016 2:34 PM by infosecjeff

    Webgateway and DXL Integration done - what is missing in my configuration?

    Troja

      Hi all,

      Today I integrated MWG into my DXL environment. I studied the MWG 7.5.2 product guide and KB84824.

      I configured these settings:

      1. Added the MePO extension and activated "Enable msgbus authentication using test certificates" in the McAfee Agent policy.
      2. Configured the "ePO DXL Settings" in MWG.
      3. MWG successfully registered to EPO and is shown under the System Tree.
      4. I added every DXL topic I found in EPO to MWG. Tested with several different topics, but no change.
        • /mcafee/service/tie/cert/agents
        • /mcafee/service/tie/cert/info
        • /mcafee/service/tie/cert/reputation
        • /mcafee/service/tie/cert/reputation/set
        • /mcafee/service/tie/cert/search
        • /mcafee/service/tie/cert/update_metadata
        • /mcafee/service/tie/file/agents
        • /mcafee/service/tie/file/info
        • /mcafee/service/tie/file/reputation
        • /mcafee/service/tie/file/reputation/set
        • /mcafee/event/epo/dxl/compinfo
        • /mcafee/event/epo/dxl/state
      5. Added a TIE Server Service
        • /mcafee/service/tie
      6. Added the rules from the MWG Product Guide found on page 161.
      7. Downloaded a malware file from Dropbox to test DXL
        • If I take a look in EPO under TIE Reputations I see my proxy as the first entry and my test client as the second entry.
      8. Activated DXL tracing to test my installation.

      20:56:29.517: Tracing enabled
      20:56:49.107: dxl_async_request(/mcafee/service/tie/file/reputation,760): DERR_OK
      {"hashes":[{"value":"St60SKwDOmb++/XS5grv1CjzQUU=","type":"sha1"},{"value":"Zmk0wZJ9d/YY7lqaG2NE4Q==","type":"md5"}]}
      20:56:49.112: dxl_async_request callback for 760: ok
      {"reputations":[{"providerId":5,"createDate":1434826406,"trustLevel":1,"attributes":{"4195730":"5"}},{"providerId":3,"createDate":1434826398,"trustLevel":0,"attributes":{"2114965":"1","2139285":"72339069014638857","2101652":"1","2111893":"13","2102165":"1434826398"}}],"props":{"submitMetaData":1,"serverTime":1434826609}}
      20:57:19.711: Tracing disabled

      Looks good so far, but there are some troubles and questions.

      1. Is the DXL Topic entry correct? Which topics should be used and which topics must not be used?
      2. If a file is known in TIE, MWG blocks the download, but the DXL reputation is always 99. Even if I change the value of the file to "known Trusted", I'm not able to download the file again.
      3. If I download the file with Offline Behavior, ATD scans the file and the result is "5 - known malicious". This is shown under TIE Reputations:
        1. Enterprise Reputation -> unknown
        2. GTI Reputation -> unknown
        3. ATD Reputation -> known Malicious
        4. Even though the file is known malicious through TIE, the file is not blocked by MWG.
      4. How can I write the URL information for a known malicious file to the TIE database?


      Has anyone tested this or has some more information?


      Cheers
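The trace above is the most useful diagnostic in the post, but the JSON is hard to read by eye: hashes are base64 rather than hex, and providerId / trustLevel are bare numbers. The following is an added example (not code from the thread or from McAfee) that parses MWG's DXL trace output, pairs each dxl_async_request with its callback by request id, decodes the hashes, and labels each reputation. The provider ids (1 = GTI, 3 = Enterprise, 5 = ATD, 7 = MWG) and trust-level values follow the constants published with the OpenDXL TIE client; that this MWG build uses the same numbering is an assumption. The sample trace is the one from the post, with the line breaks the forum inserted inside the JSON repaired.

```python
"""Decode an MWG DXL trace: pair requests with callbacks, decode hashes, label TIE verdicts."""
import base64
import json
import re
from datetime import datetime, timezone

# Provider ids and trust-level values as used by the OpenDXL TIE client (assumed to apply here).
PROVIDERS = {1: "GTI", 3: "Enterprise", 5: "ATD", 7: "MWG"}
TRUST_LEVELS = {
    100: "Known Trusted Installer", 99: "Known Trusted", 85: "Most Likely Trusted",
    70: "Might Be Trusted", 50: "Unknown", 30: "Might Be Malicious",
    15: "Most Likely Malicious", 1: "Known Malicious", 0: "Not Set",
}

# Trace copied from the post (forum line breaks inside the JSON removed).
SAMPLE_TRACE = """
20:56:29.517: Tracing enabled
20:56:49.107: dxl_async_request(/mcafee/service/tie/file/reputation,760): DERR_OK
{"hashes":[{"value":"St60SKwDOmb++/XS5grv1CjzQUU=","type":"sha1"},{"value":"Zmk0wZJ9d/YY7lqaG2NE4Q==","type":"md5"}]}
20:56:49.112: dxl_async_request callback for 760: ok
{"reputations":[{"providerId":5,"createDate":1434826406,"trustLevel":1,"attributes":{"4195730":"5"}},{"providerId":3,"createDate":1434826398,"trustLevel":0,"attributes":{"2114965":"1","2139285":"72339069014638857","2101652":"1","2111893":"13","2102165":"1434826398"}}],"props":{"submitMetaData":1,"serverTime":1434826609}}
20:57:19.711: Tracing disabled
"""

REQUEST_RE = re.compile(r"^(\S+): dxl_async_request\(([^,]+),(\d+)\): (\w+)$")
CALLBACK_RE = re.compile(r"^(\S+): dxl_async_request callback for (\d+): (\w+)$")


def _new_exchange():
    return {"sent": None, "answered": None, "topic": None, "send_status": None,
            "reply_status": None, "request": None, "reply": None}


def parse_trace(text):
    """Return {request_id: exchange}. The JSON line following a header is that header's payload."""
    exchanges = {}
    pending = None  # (request_id, "request" | "reply") waiting for its JSON line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            ts, topic, rid, status = m.groups()
            ex = exchanges.setdefault(rid, _new_exchange())
            ex.update(sent=ts, topic=topic, send_status=status)
            pending = (rid, "request")
            continue
        m = CALLBACK_RE.match(line)
        if m:
            ts, rid, status = m.groups()
            ex = exchanges.setdefault(rid, _new_exchange())
            ex.update(answered=ts, reply_status=status)
            pending = (rid, "reply")
            continue
        if pending and line.startswith("{"):
            rid, field = pending
            exchanges[rid][field] = json.loads(line)
            pending = None
        # other lines ("Tracing enabled/disabled") are ignored
    return exchanges


def decode_hashes(request):
    """TIE carries hashes base64-encoded; return {hash_type: hex_digest}."""
    return {h["type"]: base64.b64decode(h["value"]).hex() for h in request["hashes"]}


def summarize_reputations(reply):
    """One row per provider with readable provider name, verdict and UTC creation time."""
    rows = []
    for rep in reply["reputations"]:
        rows.append({
            "provider": PROVIDERS.get(rep["providerId"], "provider %d" % rep["providerId"]),
            "trust_level": rep["trustLevel"],
            "verdict": TRUST_LEVELS.get(rep["trustLevel"], "unrecognised level"),
            "created_utc": datetime.fromtimestamp(rep["createDate"], tz=timezone.utc).isoformat(),
        })
    return rows


def worst_set_trust_level(reply):
    """Lowest trust level among providers that actually set one (0 = Not Set is skipped).
    A triage simplification, not TIE's own composite-reputation rule."""
    levels = [r["trustLevel"] for r in reply["reputations"] if r["trustLevel"] != 0]
    return min(levels) if levels else None


if __name__ == "__main__":
    for rid, ex in parse_trace(SAMPLE_TRACE).items():
        print(f"request {rid} on {ex['topic']}: sent {ex['send_status']}, reply {ex['reply_status']}")
        for kind, digest in decode_hashes(ex["request"]).items():
            print(f"  {kind}: {digest}")
        for row in summarize_reputations(ex["reply"]):
            print(f"  {row['provider']:<10} {row['trust_level']:>3}  {row['verdict']}  ({row['created_utc']})")
        print("  worst set trust level:", worst_set_trust_level(ex["reply"]))
```

Run against the sample, the script shows what the raw trace hides: ATD (providerId 5) returned trust level 1, Known Malicious, while the Enterprise provider (3) has 0, Not Set. That matches what the poster later sees under TIE Reputations, and the hex digests are what you would search for in other consoles or logs.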

        • 1. Re: Webgateway and DXL Integration done - what is missing in my configuration?
          michael_schneider

          Servus Thorsten,

          The below is all you need. MWG can just subscribe and not publish (yet).

          To be very clear: MWG cannot publish reputations to TIE right now. We are working internally to get this lined up.

          The generic DXL properties that are referenced will enable you to do all kinds of cool things on a Main version while we introduce specific properties such as TIE.Filereputation in the Controlled version of MWG. The generic properties will allow you to do by hand all the things that the property automates, so that you can use more and new features even when you are not on a controlled release but have selected 7.5.2 as Main, once it becomes Main.

          [image: TIE.jpg]

          + you need to enter the ePO DXL credentials under Configuration > ePO

          + you need the MePO extension (available from https://contentsecurity.mcafee.com)

          + you need to have TIE/DXL running obviously

          and.... TIE/DXL + MWG

          • 2. Re: Webgateway and DXL Integration done - what is missing in my configuration?
            Troja

            Hallo Michael,

            thanks for the reply, the MWG product manual and the MWG help were confusing me, especially page 160 in the product manual.

            So, I do not have to configure anything under Configuration -> Proxies -> Data Exchange Layer. Is this right?

            But, and this is really helpful, I can see MWG under TIE Reputations (Where has file run) :-)

            [image: mwg_and_tie.jpg]


            Cheers,

            Thorsten

            • 3. Re: Webgateway and DXL Integration done - what is missing in my configuration?
              michael_schneider

              Yep, I know Thorsten, the guide is pretty detailed (which is good) but creates a wrong picture in that regard. As mentioned, TIE/DXL and MWG is really easy with that single rule I posted.

              I'll ask my docu team to look into improving the section in the docu.


              thanks,

              Michael

              • 4. Re: Re: Webgateway and DXL Integration done - what is missing in my configuration?
                michael_schneider

                Small correction, the gating criteria for the rule set needs to be AND not OR.

                • 5. Re: Re: Webgateway and DXL Integration done - what is missing in my configuration?
                  smalldog

                  Dear All,


                  I need to configure MWG, ATD and TIE. Could you show me the steps to integrate these together? Is there any document about this? I could integrate TIE with ATD but don't know about MWG.


                  Thanks,

                  Smalldog

                  • 6. Re: Webgateway and DXL Integration done - what is missing in my configuration?
                    Troja

                    Hi smalldog,

                    this is really easy going. My information depends on a functioning TIE/DXL environment.

                    1) Install the Mobile EPO extension into EPO. You can download the extension from https://contentsecurity.mcafee.com -> download -> tools -> McAfee EPO extension -> MePO extension.

                    2) After a successful check-in you can see a new option in the McAfee Agent policy.

                    [image: mepo.jpg]

                    Activate this setting as seen in the screenshot.

                    3) In the MWG GUI -> Configuration -> ePolicy Orchestrator add the EPO server name and a user account to register MWG to DXL.

                    You can use the admin account. If you are using a different user, this EPO user must have the following user right granted: DXL McAfee MePO Certificate Creation.

                    Check the DXL log on MWG if there are any errors. The log is located under the debug logs.

                    Note: There is no McAfee Agent installed on MWG. There is only a System Tree object generated in the EPO System Tree through the MePO extension!

                    If everything is fine you can see MWG in the System Tree. Some infos which are important:

                    - The last communication field shows the date when the object was generated. This value will not be updated. At the moment this is by design.

                    - The Agent version 4.6.0 is shown. This is okay and by design at the moment. Remember, there is no McAfee Agent installed on MWG!!

                    3) Add the ruleset as shown above to your MWG ruleset.

                    - Do NOT enter any value under Configuration -> Proxies (HTTP(S), SOCKS, ICAP...) -> Data Exchange Layer. This is not necessary.

                    Finally, just test your deployment with any file downloadable from the internet.

                    4) EPO Reporting

                    4.1) If everything is successful you can see the proxy entry under TIE Reputations -> Where has file run (dxlproxy.mal.ware is my MWG)

                    [image: TIE_Reputations.jpg]

                    4.2) The query "TIE Server Top 10 Systems with New Files in Last Week" also shows the requests of your proxy.

                    4.3) If you are using ATD version 3.4.8.96.50610 you will also see your ATD system like your MWG.

                    4.4) If using the ATD Threat Event extension in EPO you can see a Threat Event for any ATD detection in EPO.

                    5) At the moment there are two limitations with MWG and the MePO extension.

                    • If MWG queries the TIE server database, an entry without a file name is generated. This cannot be changed at the moment.
                    • If MWG is removed from the System Tree, the system is not registered again automatically. Even if you enter the EPO credentials, MWG is not registered. In this case you have to do the following steps on MWG. I got this information from support and it works.

                      - Stop MWG services: service mwg stop
                      - Delete the following folder and its contents: /opt/mwg/data/dxl (do NOT remove the subdirectories)
                      - Start MWG services: service mwg start


                    Hope this helps,

                    Cheers
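The re-registration steps at the end of the post above are the one part of the procedure that is scriptable, and they are easy to get wrong on a production proxy (a typo in the path after the service is already stopped leaves the gateway down). The following is an added example, not McAfee tooling, that wraps the three steps quoted from support. It assumes `service mwg stop` / `service mwg start` is the right control command (as in the post) and reads "delete the contents but do NOT remove the subdirectories" as: remove the regular files directly in /opt/mwg/data/dxl and leave the directory tree in place; that reading is an assumption. The dry-run demo builds a constructed temporary layout and a recording runner so the flow can be checked without root.

```python
"""Reset MWG's DXL registration state (stop mwg, clear /opt/mwg/data/dxl, start mwg)."""
import subprocess
import tempfile
from pathlib import Path

DEFAULT_DXL_DIR = Path("/opt/mwg/data/dxl")  # path quoted in the thread


def service_mwg(action, runner=subprocess.run):
    """Run `service mwg <action>`; `runner` is injectable so the flow can be exercised without root."""
    return runner(["service", "mwg", action], check=True)


def clear_dxl_state(dxl_dir):
    """Remove regular files (and symlinks) directly under dxl_dir; subdirectories are kept (assumed reading)."""
    dxl_dir = Path(dxl_dir)
    if not dxl_dir.is_dir():
        raise FileNotFoundError(f"DXL state directory not found: {dxl_dir}")
    removed = []
    for entry in sorted(dxl_dir.iterdir()):
        if entry.is_symlink() or entry.is_file():
            entry.unlink()
            removed.append(entry.name)
    return removed


def reset_dxl_registration(dxl_dir=DEFAULT_DXL_DIR, runner=subprocess.run):
    """Stop -> clear -> start. The service is started again even if clearing fails,
    so a wrong path does not leave the proxy down. Returns the names removed."""
    service_mwg("stop", runner)
    try:
        return clear_dxl_state(dxl_dir)
    finally:
        service_mwg("start", runner)


def dry_run_demo():
    """Exercise the flow on a constructed temp layout with a recording runner.
    Returns (commands issued, files removed, entries left behind)."""
    issued = []

    def recording_runner(cmd, check=True):
        issued.append(" ".join(cmd))  # record instead of executing

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed sample contents; real file names on an appliance may differ
        (root / "client.crt").write_text("constructed cert")
        (root / "client.key").write_text("constructed key")
        (root / "brokers").mkdir()
        (root / "brokers" / "list.xml").write_text("<brokers/>")
        removed = reset_dxl_registration(root, runner=recording_runner)
        left = sorted(p.relative_to(root).as_posix() for p in root.rglob("*"))
    return issued, removed, left


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--dry-run":
        print(dry_run_demo())
    else:
        print("removed:", reset_dxl_registration())
```

Run with `--dry-run` first to see the command sequence and the file set it would touch; without the flag it performs the real reset and needs root on the appliance. After the service comes back, confirm the new System Tree object in ePO and check the DXL debug log on MWG as the post describes.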

                    • 7. Re: Re: Webgateway and DXL Integration done - what is missing in my configuration?
                      smalldog

                      Dear Troja,


                      That's very clear. I will try your recommendations. Thanks so much!


                      Best Regards,

                      Smalldog

                      • 8. Re: Re: Webgateway and DXL Integration done - what is missing in my configuration?
                        smalldog

                        Dear Troja,


                        I installed the MePO extension, which reported success, but I don't see the new option "Enable msg..." and I also cannot assign the permission "DXL McAfee MePO Certificate Creation, Create DXL McAfee MePO Certificates" on ePO. So I cannot connect MWG to DXL. I don't know whether I am missing something? ePO version 5.1.1 and Web Gateway version 7.5.2.1.0.


                        Thanks,

                        Smalldog

                        • 9. Re: Re: Webgateway and DXL Integration done - what is missing in my configuration?
                          Troja

                          Hm,

                          are you using a McAfee Agent Extension with version 5?

                          Cheers
