You can configure Threat Insight on a cloud client to detect and block blocklisted domains. Threat Insight uses analytics algorithms to detect DNS tunneling by analyzing incoming DNS queries and responses. With Threat Insight, you can also include an allowlist of trusted domains for which NIOS will allow DNS traffic.
Note that Threat Insight for a cloud destination accessed through the Data Connector is valid for local RPZ zones only. When you configure RPZs for a grid, you can also define rules to block DNS resolution for malicious domains or to redirect such cloud clients. Infoblox allows you to configure only one cloud client per grid, and you must first request an API key through the Cloud Services Portal to authorize Threat Insight requests from the cloud client.
You must configure the Infoblox Data Connector to transport data from the grid to BloxOne Threat Defense Cloud, and you can use this feature only when an RPZ license is installed on the grid. When you configure Threat Insight for a cloud destination, the Threat Insight domains that are added in the Cloud Services Portal for a user are synchronized with the RPZ zone that you add to the list. This synchronization takes place according to the interval that you define.
If your grid is running NIOS version 8.2.0, you can configure the grid to retrieve blocklisted domains (which are detected by the Threat Insight feature) from the cloud destination and to block traffic by using RPZs. For more information about RPZs, refer to the Infoblox NIOS Administrator Guide.
To configure Threat Insight for a cloud destination, do the following:
- Log in to Grid Manager.
- In the Data Management tab, select the DNS tab > Response Policy Zones tab, and then click Threat Insight in the Cloud Client in the toolbar.
- In the Threat Insight in the Cloud Client wizard, do the following:
  - Enable Cloud Client: Select this checkbox to enable Threat Insight in the cloud client.
  - Interval: Specify, in seconds or minutes, how often the results generated by Threat Insight are to be requested from the cloud client. The default is 10 minutes.
  - The list of Response Policy Zones to use for blocklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box, from which you can select a zone. You can add an RPZ from different network and DNS views. Whenever a new RPZ is added and the cloud client requests data, Grid Manager displays a Warning dialog to confirm that you wish to request all Threat Insight–detected domains in the cloud client. Even if you have clicked No in the Warning dialog, you can use the CLI command set cloud_services_portal_force_refresh in maintenance mode and set the flag to request all domains detected in the cloud client.
- Click Save & Close.