After you set up your Legacy Data Connector virtual appliance, you must set up certain configurations so the Legacy Data Connector can gather relevant information from the Grid members, and then send the data to the Infoblox BloxOne Threat Defense Cloud destination.

You must have Legacy Data Connector version 2.0 and later installed in order to support Infoblox BloxOne Threat Defense Cloud configuration. You can either configure a new Legacy Data Connector using the correct version or upgrade your existing Legacy Data Connector to 2.0 or later. For information about new installation, see Deploying the Legacy Data Connector Virtual Appliance. To upgrade an existing Legacy Data Connector, see Upgrading the Infoblox Legacy Data Connector.

After you have the latest software version installed and the Legacy Data Connector is up and running, perform the following steps to set up your cloud environment to receive data from the Legacy Data Connector. The Legacy Data Connector collects DNS query and response data, RPZ hits, DHCP lease information, IPAM data, and user information (if available) from the Grid members, generates parquet files, and sends those parquet files to the Infoblox BloxOne Threat Defense Cloud destination over HTTP.

To configure the Legacy Data Connector VM to send DNS data from the Infoblox Grid to BloxOne Threat Defense Cloud, complete the following:

  1. Configure the Grid to capture DNS queries and responses, as described in Configuring DNS Queries and Responses. Next, add the SCP user details on the Grid members to send DNS log data to the Legacy Data Connector VM. For information, see Configuring NIOS for Legacy Data Connector.
  2. Configure the Data Connector as an external syslog server, so that the Grid members can send syslog to the Data Connector VM using TCP. Select DNS RPZ and Threat Protection as the logging category while configuring the Legacy Data Connector as an external syslog server. For information about configuring external syslog servers in NIOS, refer to the Infoblox NIOS Administrator Guide.

    Note: The Grid must transfer syslog using TCP, either encrypted or unencrypted.


  3. Enable DNS service on the Grid members.
  4. Log in to the Data Connector CLI.
  5. Configure the Legacy Data Connector, as described in Deploying the Legacy Data Connector Virtual Appliance.
  6. Verify the configured network settings of the Data Connector using the admin.network > ip4 get command.
    Example:
    admin.network > ip4 get
    Configured System Setting:
    gateway: 10.36.0.1
    mask: 255.255.0.0
    mode: static
    address: 10.36.130.1
    vlanid: 0
    vlan configuration is only in effect in the static mode.
  7. Use the data.source.grid > set address command to set the Grid IP, admin username, and password.
    Example:
    data.source.grid > set address 10.0.0.22
    Command applied successfully.
    data.source.grid > set username admin
    Command applied successfully.
    data.source.grid > password
    Enter the NIOS admin's password:
    Enter again:
    Password updated
  8. Configure BloxOne Threat Defense Cloud as the destination using the data.destination.cloud.registration > set command, and set the URL, Agent ID, and API key for the BloxOne Threat Defense Cloud output, as follows:

    Note: To obtain the BloxOne Threat Defense Cloud configuration parameters (the URL, Agent ID, and API key), log in to your BloxOne Threat Defense Cloud portal and navigate to the Administration tab -> Data Connectors tab. In the Data Connectors panel, the values for Agent ID, URL, and API key are displayed in the Name, URL, and API Access Key columns of the Data Collectors table, respectively.

    data.destination.cloud.registration > set agent_id <Your_Agent_ID>
    ok
    data.destination.cloud.registration > set url https://usa-va.csp.infoblox.com/dnslog
    ok
    data.destination.cloud.registration > set api_key <Your_API_Key>
    ok

    Note: You must specify the same agent_id and api_key that you specify in the Cloud Services Portal (BloxOne Threat Defense Cloud Portal -> Administration -> Data Connectors), where Name is the agent_id and API Access Key is the api_key.


    After setting the URL, Agent ID, and API key for the BloxOne Threat Defense Cloud output, you can use the ping or account command to verify, as follows:

    data.destination.cloud.registration > ping
    Cloud server "usa-va.csp.infoblox.com" is available

  9. Use the data.destination.cloud > set mode command and set the cloud output mode to forward, as follows:
    data.destination.cloud > set mode forward
    Data will start transmitting immediately
    ok
  10. Configure the Infoblox Grid as the source of DNS data and RPZ logs using the data.source.grid > set username command, and set the address, username, and password, as follows:
    data.source.grid > set username admin
    Command applied successfully.
    data.source.grid > set address 10.0.0.22
    Command applied successfully.
    data.source.grid > password
    Enter the NIOS admin's password:
    Enter again:
    Password updated
    After setting the address, username, and password, you can use the data.source.grid > sync command to verify, as follows:
    data.source.grid > sync
    Reregistering Data Collector with the Grid... done.
    Updating Grid configuration... done.
    This function will synchronize NIOS Grid state with the Data Connector VM.
  11. Use the data.source.syslog > set mode command and configure the mode to send the RPZ logs, as follows:
    data.source.syslog > set mode secure
    ok
    data.source.syslog > set mode unencrypted
    ok
    data.source.syslog > set mode both
    ok
  12. Generate a certificate request in .PEM format. This certificate request must be signed to get an operable syslog certificate. Run the following command:
    data.source.syslog > certificate request
    You can self-sign the generated certificate request or send it to a Certificate Authority for signing to obtain the operable syslog certificate.
  13. Upload the signed Syslog Certificate. Run the following command to import the certificate from a SCP server or an FTP server:
    data.source.syslog > certificate import <scp|ftp>://loginname@serverIP:[port:]path
    Example:
    data.source.syslog > certificate import scp://root@10.1.1.1:999/DC2/

    Note: The secure port number must be the same secure TCP port number that is configured on NIOS.


    Configure the Infoblox Grid as the source of IP metadata using the data.source.grid > set query command, as follows:
    data.source.grid > set query userinfo enabled
    ok
    data.source.grid > set query ipam enabled
    ok
    data.source.grid > set query lease enabled
    ok
    data.source.grid > query
    userinfo: enabled
    ipam: enabled
    lease: enabled

    Note: userinfo is available only if the Grid is running NIOS 7.2.0 or later.


  14. Specify the poll period for querying Grid IPAM information in seconds, minutes, or hours. The minimum is 1 minute, the maximum is 365 days, and the default is 5 minutes.
    data.source.grid > set poll 6m
    ok
    Optionally, you can set the API address, as follows:
    data.source.grid > set apiaddress grid|auto|<ip_addr>
    Example:
    data.source.grid > set apiaddress 10.0.0.22
    ok


    Note: To query the IP metadata, you must specify the IP address of the Grid Master Candidate, or specify 'auto' so that the Legacy Data Connector determines the IP address automatically.
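    The following pre-flight check, added here as an example and not part of Infoblox's Data Connector software, validates the settings from steps 8 through 14 before they are typed into the data.* CLI: an https cloud URL, non-empty agent_id and api_key, the forward cloud mode, a valid syslog mode with a matching NIOS secure port and signed certificate when secure syslog is used, a poll period within the 1 minute to 365 days limits, and an apiaddress of grid, auto, or an IP address. The sample configuration and the field names it reads are constructed for this example.

```python
# Constructed pre-flight validator for the Legacy Data Connector settings above; an added
# example, not Infoblox code. Poll-period limits follow step 14: 1 minute to 365 days.
import ipaddress
import re
from urllib.parse import urlparse

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
POLL_MIN_SECONDS, POLL_MAX_SECONDS = 60, 365 * 86400
# Constructed sample settings (agent_id/api_key are placeholders, not real credentials).
SAMPLE_CONFIG = {
    "url": "https://usa-va.csp.infoblox.com/dnslog", "agent_id": "EXAMPLE_AGENT_ID",
    "api_key": "EXAMPLE_API_KEY", "cloud_mode": "forward", "syslog_mode": "secure",
    "syslog_secure_port": 6514, "nios_secure_port": 6514, "syslog_cert_signed": True,
    "poll": "6m", "apiaddress": "10.0.0.22",
}


def poll_seconds(value):
    """Parse a poll period such as '6m', '30s' or '2h' into seconds; None if malformed."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip().lower())
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)] if m else None


def validate_ldc_config(cfg):
    """Return a list of problems found in cfg; an empty list means it is consistent."""
    problems = []
    url = urlparse(cfg.get("url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("url must be an https:// cloud endpoint")
    for key in ("agent_id", "api_key"):
        if not cfg.get(key):
            problems.append(f"{key} is empty; it must match the portal's Data Connectors entry")
    if cfg.get("cloud_mode") != "forward":
        problems.append("cloud mode must be 'forward' or nothing is transmitted")
    if cfg.get("syslog_mode") not in ("secure", "unencrypted", "both"):
        problems.append("syslog mode must be secure, unencrypted or both")
    elif cfg["syslog_mode"] != "unencrypted":  # secure syslog: port must match NIOS, cert signed
        if cfg.get("syslog_secure_port") != cfg.get("nios_secure_port"):
            problems.append("secure syslog port differs from the port configured on NIOS")
        if not cfg.get("syslog_cert_signed"):
            problems.append("secure syslog requires an imported signed certificate")
    secs = poll_seconds(cfg.get("poll", ""))
    if secs is None or not POLL_MIN_SECONDS <= secs <= POLL_MAX_SECONDS:
        problems.append("poll must be between 1 minute and 365 days, e.g. 6m")
    api = cfg.get("apiaddress", "grid")
    if api not in ("grid", "auto"):
        try:
            ipaddress.ip_address(api)
        except ValueError:
            problems.append("apiaddress must be grid, auto or an IP address")
    return problems
```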

    The Legacy Data Connector VM transfers DNS query and response data and DNS Firewall CEF logs to BloxOne Threat Defense Cloud. To view this data in the form of reports, log in to the BloxOne Threat Defense Cloud portal, navigate to the Analyze tab, and select Activity reports -> Total DNS Requests, as well as all the reports under Threat Insight, including the Malware, Command & Control, and Data Exfiltration reports. Note that to view the Data Connector VM data in these reports, you must select the Include on-Prem Data check box. For information about the reports generated from data sent by the Legacy Data Connector, refer to BloxOne Threat Defense Cloud.