...

Creating New Dashboards

When you add a new dashboard, Grid Manager displays it in the Reporting -> Dashboards tab. You can add multiple panels and reports to the new dashboard. For information, see Editing Dashboards.
To create a new dashboard:

...

Note: You do not need any permission to create, modify, and delete your own personal dashboard. However, limited-access users need Read and Write permissions to modify cloned dashboards. For information about administrative permissions, see Administrative Permissions.

...

When you clone a dashboard, you can do the following:

To create a personal dashboard:

...

  • Time
  • Top N: Top most filter options. The default is 10. You can select from a set of fixed values for the TopN filter setting: 5, 10, 20, 50, 100, 200, 250, or 500.
  • Members: Grid members configured on the appliance.
  • Network
  • Member Site, as described in Applying Extensible Attribute Filters.

Applying Time Filters

You can generate a dashboard for a specific time interval by applying time filters. You can filter results by preset time ranges, create custom time ranges, specify time ranges based on dates or date and time, or work with advanced features in the time range picker. For information about the time range picker, refer to the Splunk documentation.
The date and time displayed in the Time filters are based on the time zone set in your user profile by default. For more information about how to configure a time zone, see Setting the Browser Time Zone. However, the timestamp displayed in the results for a dashboard is based on the time zone configured on the reporting server.

...

  1. From the Reporting tab, select the Dashboards tab -> select a dashboard.
  2. In the filter section, complete the following:
    • Member <Extensible Attribute>: Select an extensible attribute configured for a member. If you need an additional extensible attribute filter, you must first clone the default dashboard, and then add an extensible attribute filter by editing the XML source code. For information, see Editing the XML Source Code of a Dashboard.
    • Group By EA Tag/Field: Select an extensible attribute to enable the reporting server to group networks by members that have certain extensible attribute tags or fields. Note that this option is available for specific dashboards only.

...

Predefined Dashboards

Table 40.9 lists the dashboard categories and their corresponding dashboards. You can apply filters and view the dashboards in the table view, the stacked area view, or both.
Table 40.9 Dashboard Categories

| Dashboard Category | Corresponding Dashboard | Displays IDNs in Punycode (Yes/No) |
|---|---|---|
| Audit Log Events | Audit Log Events | Yes |
| IPAMv4 Utilization | DHCPv4 Top Utilized Networks | Yes |
| | DNS Statistics per DNS View | Yes |
| | DNS Statistics per Zone | Yes |
| | IPAMv4 Network Usage Statistics | Yes |
| | IPAMv4 Network Usage Trend | Yes |
| | IPAMv4 Top Utilized Networks | Yes |
| | DNS Object Count Trend for Flex Grid License | NA |
| Devices (Discovery) | Inactive IP Addresses | Yes |
| | Port Capacity Delta by Device | Yes |
| | Port Capacity Trend | Yes |
| | Port Capacity Utilization by Device | Yes |
| | IP Address Inventory | Yes |
| | Network Inventory | Yes |
| | End Host History | Yes |
| | Device Interface Inventory | Yes |
| | Device Inventory | Yes |
| | Device Components | Yes |
| | IPAMv4 Device Networks | Yes |
| DHCP Dashboards | | Yes |
| DHCP Fingerprints | DHCP Dashboards | Yes |
| | Device Trend | Yes |
| | Device Class Trend | Yes |
| | Top Devices Identified | Yes |
| | Top Devices Denied an IP Address | Yes |
| | Top Device Classes | Yes |
| | Device Fingerprint Change Detected | Yes |
| DHCP Lease | DHCP Lease History | Yes |
| | DHCP Top Lease Clients | IDN is not supported |
| DHCP Performance | DHCPv4 Range Utilization Trend | Yes |
| | DHCPv4 Range Utilization Trend | Yes |
| | DHCPv4 Usage Trend | Yes |
| | DHCP Message Rate Trend | Yes |
| DNS Dashboards | | |
| DDNS Query | DDNS Update Rate Trend | Yes |
| DNS Performance | DNS Response Latency Trend | Yes |
| | DNS Effective Peak Usage Trend for Flex Grid License | NA |
| DNS Query | DNS Top Requested Domain Names | Yes |
| | DNS Top Clients | Yes |
| | DNS Top Clients Per Domain | Yes |
| | DNS Query Rate by Query Type | Yes |
| | DNS Query Rate by Member | Yes |
| | DNS Replies Trend | Yes |
| | DNS Response Latency Trend | Yes |
| | DNS Top Clients Per Domain | Yes |
| | DNS Top NXDOMAIN / NOERROR (no data) | Yes |
| | DNS Top SERVFAIL Errors Sent | Yes |
| | DNS Top SERVFAIL Errors Received | Yes |
| | DNS Top Timed-out Recursive Queries | Yes |
| | DNS Query Trend per IP Block Group | Yes |
| Security Dashboards | FireEye Alerts | Yes |
| | DNS Top RPZ Hits | Yes |
| | DNS Top RPZ Hits by Clients | Yes |
| | Threat Protection Event Count By Severity Trend | Yes |
| | Threat Protection Event Count By Member Trend | Yes |
| | Threat Protection Event Count By Rule | Yes |
| | Threat Protection Event Count By Time | Yes |
| | Threat Protection Event Count By Category | Yes |
| | Threat Protection Event Count By Member | Yes |
| | Threat Protection Top Rules Logged | Yes |
| | Threat Protection Top Rules Logged by Source | Yes |
| | DNS Top Tunneling Activity | Yes |
| | DNS Tunneling Traffic by Category | Yes |
| | Top Malware and DNS Tunneling Events by Client | Yes |
| | Detailed RPZ Violations by Subscriber ID | NA |
| | RPZ Details for the Subscriber ID | NA |
| Ecosystem Dashboards | User Login History Report | Yes |
| | Subscription Data | Yes |
| | Publish Data | Yes |
| Cloud Dashboards | VM Address History | Yes |
| | License Pool Utilization | |
| System Utilization | CPU Utilization Trend | Yes |
| | Memory Utilization Trend | Yes |
| | Traffic Rate by Member | Yes |
| | Flex Grid Licensing Features Enabled | NA |
| Internal Dashboards | Reporting Index Usage Statistics | NA |
| | Reporting Volume Usage Trend per Category | NA |
| | Reporting Volume Usage Trend per Member | NA |

Audit Log Events

The Audit Log Events dashboard provides information about the administrator-initiated events such as login events, logout events, service restarts, appliance reboots, write operations such as the addition, modification, and deletion of objects, etc. The default dashboard displays the audit log events for all admin users and for all Grid members in table format. You can use the displayed fields as filters to get specific information you want displayed in the dashboard. Only superusers can view and modify this dashboard.
This dashboard displays the following information about each audit log event in table format:

...

The Port Capacity Delta by Device dashboard provides three Start/End time ranges by which each measured device illustrates how many interfaces move into and out of the three key functional states for each port: Administratively Up/Operationally Up, Administratively Up/Operationally Down, and Administratively Down/Operationally Down.
For example, consider a port that is in the Administratively Up/Operationally Up status on a given device at the beginning of a one-week measurement (Start), and that it is the only port that changes state for that device in the measurement period. At the end of the measurement period (End) it goes into an Administratively Up/Operationally Down state. At first, the Administratively Up/Operationally Up Start counter reflects the discovered state at the beginning of the measurement period. When the port changes state, and its change is discovered, the Administratively Up/Operationally Up End counter decrements by 1; the Administratively Up/Operationally Down Start counter increases by 1. The data format is similar to the Port Capacity Utilization by Device report except that each data point divides into two values (Start and End), reflecting the delta.
You can filter by device name or network view, or both.
This dashboard displays the following categories of information in table format:

...

  • IP address: The discovered IPv4 or IPv6 address.
  • Discovered Name: The discovered name of the device.
  • First Seen: The timestamp when the IP address was first seen in the network.
  • Last Seen: The timestamp when the IP address was last seen in the network.
  • Network View: The network view with which the IP address is associated.
  • Managed: Indicates if the discovered device is managed by NIOS. For a NIOS-managed device, you can define basic characteristics and manage the device on NIOS.
  • Management Platform: The platform from which the IP address is discovered. This can be Network Insight, Amazon, OpenStack, or VMware.
  • VLAN Name: The VLAN name on the switch port.
  • VLAN ID: The VLAN ID on the switch port.
  • VRF Name: The name of the VRF to which the interface with this IP address belongs.
  • VRF Description: The description of discovered VRF.
  • VRF RD: The address of the route distinguisher of discovered VRF.
  • BGP AS: The number of the discovered BGP Autonomous System that uses the IP address.

Network Inventory

The Network Inventory dashboard provides information about all known networks. The dashboard displays the list of device IP addresses, IP address utilization %, management platform, and the netmask details of the devices that have been discovered.
This dashboard displays a table that contains the following information:

  • Device IP Address: The IP address of the device.
  • Netmask: The netmask of the network.
  • First Seen: The timestamp when the IP address was first seen in the network.
  • Last Seen: The timestamp when the IP address was last seen in the network.
  • Network View: The network view with which the device is associated.
  • Utilization%: Displays the percentage based on the IP addresses that are currently in use on the network. For example, a /30 subnet mask can have two IP addresses that are in use. If both IP addresses are detected then the Utilization% is 100%.
  • Managed: Indicates whether this network is a managed or unmanaged object in NIOS. Managed objects are configured for DNS or DHCP and have corresponding NIOS objects such as fixed addresses, DNS records, or host records, which you can manage directly in NIOS.
  • Management Platform: The platform on which the IP address is discovered. This can be Network Insight, Amazon, OpenStack, or VMware.
  • VLAN ID: The VLAN ID on the switch port.
  • VLAN Name: The VLAN name on the switch port.
  • VRF Name: The name of the discovered VRF that uses IP addresses of the network.
  • VRF Description: The description of the discovered VRF.
  • VRF RD: The address of the route distinguisher of discovered VRF.
  • BGP AS: The number of the discovered BGP Autonomous System that uses IP addresses of the network.
    Note: In the columns VRF Name and BGP AS, if IPs in the network have multiple VRF or BGP AS records, the columns display “Multiple” as an aggregate value. In the columns VRF Description and VRF RD, if all VRF description or RD values for IP addresses are the same, then the columns display this value for the network. Otherwise the columns display “Multiple”. To see values for each IP, click the network -> List tab.

Network Insight Dashboards

The Network Insight dashboards are available only when you have configured the Network Insight appliance as a Grid member with a valid Network Insight license installed. For information about Network Insight, see Infoblox Network Insight.

End Host History

The End Host History dashboard provides the history of the end hosts discovered by Network Insight in a given time frame across all network views. This dashboard is applicable only for the Network Insight solution. The dashboard displays the list of MAC addresses for end hosts, their IP addresses and the details of the network devices from which the end hosts have been discovered.
The dashboard data can be filtered by Network View, MAC Address, IP Address, First Seen, and Last Seen timestamps. For instance, you can filter by MAC address and see which IP address the end host possesses during the given time frame. You can also filter by the First Seen and/or Last Seen timestamp and find the MAC addresses of the end hosts becoming active and/or going offline.
This dashboard displays the following information in table format:

  • MAC Address: The MAC address of the end host.
  • IP address: The IP address of the end host.
  • First Seen: The timestamp when the MAC address was first seen in the network.
  • Last Seen: The timestamp when the MAC address was last seen in the network.
  • Network View: The network view with which the end host is associated.
  • Device Name: The name of the network device that has the ARP (Address Resolution Protocol) of the end host.
  • Device Vendor: The vendor of the network device that has the ARP of the end host.
  • Device Model: The model of the network device that has the ARP of the end host.
  • Device OS Version: The OS version of the network device that has the ARP of the end host.
  • Device IP Address: The management address of the network device that has the ARP of the end host.
  • Device Interface: The interface name of the network device that has the ARP of the end host.
  • Device VLAN: The VLAN ID of the interface that has the ARM (Asynchronous Response Mode) of the end host.
  • AP Name: The name of the access point of the device. This column is displayed only for wireless devices.
  • AP IP Address: The IP address of the access point of the device. This column is displayed only for wireless devices.
  • SSID: The unique name of the WLAN (Wireless Local Area Network).
  • User Name: The name of the user. This column is displayed only when the Identity Mapping feature on the appliance is enabled. For information about how to enable the Identity Mapping feature, see Enabling Identity Mapping.

Device Interface Inventory

...

The Device Trend dashboard provides trends for the top operating systems used by remote clients in a given time frame. The default dashboard displays line graphs for the top 10 operating systems used by remote clients over the last 24 hours. Each operating system is represented by a line graph of a different color. For more information about DHCP fingerprint detection, see About DHCP Fingerprints.

DHCP Lease History

The DHCP Lease History dashboard provides DHCP lease history in a given time frame. The search of the DHCP Lease History report is scheduled hourly by default.
DHCP Lease History reports can impose heavier system loads than other alert types in the NIOS system. Avoid defining too many personal reports or alerts of this type for Grid reporting. Other types of reports do not impose significant performance restrictions. Also see About IP Blocks and IP Block Groups for methods to avoid this issue. You can drill down to the IP address of the lease and view user history for the selected IP address.

...

  • Time: The timestamp when the lease information was updated.
  • Members: The DHCP member that granted the lease.
  • Member IP: The IP address of the DHCP member that granted the lease.
  • Lease IP: The IP address of the lease. You can click the lease IP address to view login details of the user. For information about User History for Lease IP sub-report, see User History for Lease IP. You can also view subscription data for the selected lease IP. For information, see Subscription Data.
  • Protocol: Indicates whether the lease is for an IPv4 or IPv6 address.
  • Action: The status of the lease. This can be one of the following: Issued, Renewed, Freed, or Abandoned.
  • Hostname: The host name that the DHCP client sent to the appliance using DHCP option 12.
  • MAC/DUID: For an IPv4 address, this is the MAC address of the lease. For an IPv6 address, this is the DUID (DHCP Unique Identifier) of the DHCP client that received the lease.
  • Lease Time: The lease time of the DHCP client.

...

  • Lease Start: The start date of the lease.
  • Lease End: The end date of the lease.
  • Fingerprint: The name of the DHCP fingerprint or vendor ID of the leased client that was identified through DHCP fingerprint detection. This field displays No Match for devices that do not match the filter criteria and those that do not have any DHCP fingerprint information. For information about DHCP fingerprints, see About DHCP Fingerprints.
  • Component Name: The name of the device.
  • Component Port: The port or interface connected to the device.
  • Device Class: Filter by the device category to which the leased client belongs.

...

  • MAC/DUID: The MAC address or DUID of the DHCP client.
  • Issued: The total number of DHCP leases issued.
  • Renewed: The number of DHCP lease renewals.
  • Freed: The number of leases that were released.
  • MAC/DUID Total: The total number of DHCP leases that were being requested, renewed, and released.
  • Fingerprint: The name of the DHCP fingerprint or vendor ID of the leased client that was identified through DHCP fingerprint detection. This field displays No Match for devices that do not match the filter criteria and those that do not have any DHCP fingerprint information. For information about DHCP fingerprints, see About DHCP Fingerprints.

DHCPv4 Range Utilization Trend

...

The Top Devices Identified dashboard lists the top DHCP fingerprints or detected operating systems for requesting clients. The appliance uses DHCP fingerprint detection to identify the operating systems or vendor IDs of remote clients. For more information about DHCP fingerprint detection, see DHCP Fingerprint Detection. The default dashboard displays the top 10 operating systems on which requesting clients are running within the last 24 hours.
The appliance lists the top detected operating systems or vendor IDs in table format. This dashboard shows the total number of different MAC devices that have requested a lease. You can click a specific row in the table to view a list of leased clients that belong to the selected operating system or device type. Grid Manager displays another report that specifies more detailed information, such as the leased IPs and MAC addresses for each device that matches the selected DHCP fingerprint. The lease history for a fingerprint shows all the lease events that occurred during the time period specified with the parent search (Top Devices Identified report). It represents the number of devices that use the MAC/DUID as the unique identifier. Note that a single MAC address may have several lease events that occur within the specified time range for the parent search. Hence, the total number of each fingerprint will not be equal to the lease history of a fingerprint.

...

The FireEye Alerts dashboard lists the FireEye alerts that are received by the NIOS appliance. The dashboard displays the date and time when the alert was generated, mitigation action for the alert, ruleset specified for the blocked domain or IP address, and the name of the FireEye appliance that generated the alert. For more information about FireEye integrated RPZs, see Configuring FireEye RPZs.

...

Note: To enable this dashboard, you must select the Security check box in the Grid Reporting Properties editor. To select the check box, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the check box Security under Report Category. Note that you can receive this dashboard only on the Grid Master, not on Grid members, even if you have selected Security as a report category on the members.

...

The DNS Top RPZ Hits dashboard lists the top clients who received re-written responses through RPZ. The dashboard displays the total client hits and total rule hits over a given time frame. You can choose to view either the aggregated RPZ hits report or a detailed report of the top RPZ hits. In the Show filter, select Details to view the detailed report or select Aggregated Hits Count to view the aggregated report. When you select the Aggregated Hits Count option, the report data is consolidated based on the client ID, domain name, RPZ entry, RPZ severity, and mitigation action.
The appliance lists the top RPZ hits in table format. You can click a specific row in the table or the Client ID to view the DHCP lease history of a client. For information about DHCP lease history, see DHCP Lease History. Grid Manager displays another report that specifies more detailed information, such as the leased IPs, host name, and MAC addresses for each client. For more information about RPZs, see About Infoblox DNS Firewall. You can click Domain Name or RPZ Entry to view threat details of an RPZ rule. In addition, you can click the client IP address to view login details of the user. For information, see User History for IP Address.
You can compare the domain name and mitigation action in this dashboard with the RPZ rules and mitigation actions in the FireEye Alerts report to determine the RPZ hits received due to FireEye alerts.
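
The drill-down from an RPZ hit to the DHCP lease history matters because a client IP identifies a device only while its lease is held. The following is an added example, not Infoblox code: it replays constructed lease events to find which MAC/DUID held an IP address at the time of each hit. Field names mirror the dashboard columns; the row layout and all sample values are assumptions.

```python
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def ts(text):
    """Parse a timestamp; both exports are assumed to use the reporting
    server's time zone, as dashboard results do."""
    return datetime.strptime(text, FMT)


def lease(time, ip, action, mac, start, end):
    """Build one DHCP Lease History row (constructed layout)."""
    return {"time": ts(time), "lease_ip": ip, "action": action,
            "mac_duid": mac, "lease_start": ts(start), "lease_end": ts(end)}


# Constructed sample data: one IP address handed to two devices in one day.
LEASE_EVENTS = [
    lease("2024-03-01 08:00:00", "10.1.20.15", "Issued", "00:11:22:aa:bb:01",
          "2024-03-01 08:00:00", "2024-03-01 12:00:00"),
    lease("2024-03-01 10:00:00", "10.1.20.15", "Renewed", "00:11:22:aa:bb:01",
          "2024-03-01 10:00:00", "2024-03-01 14:00:00"),
    lease("2024-03-01 11:30:00", "10.1.20.15", "Freed", "00:11:22:aa:bb:01",
          "2024-03-01 10:00:00", "2024-03-01 14:00:00"),
    lease("2024-03-01 11:45:00", "10.1.20.15", "Issued", "00:11:22:aa:bb:02",
          "2024-03-01 11:45:00", "2024-03-01 15:45:00"),
]

# Constructed RPZ hits: (time, client IP, queried domain).
RPZ_HITS = [
    ("2024-03-01 09:15:00", "10.1.20.15", "c2.malware.example"),
    ("2024-03-01 11:40:00", "10.1.20.15", "c2.malware.example"),
    ("2024-03-01 13:00:00", "10.1.20.15", "c2.malware.example"),
    ("2024-03-01 13:05:00", "10.1.20.15", "exfil.malware.example"),
    ("2024-03-01 16:00:00", "10.1.20.15", "c2.malware.example"),
    ("2024-03-01 13:00:00", "10.1.20.99", "c2.malware.example"),
]


def holder_at(events, ip, when):
    """Return the MAC/DUID that held `ip` at `when`, or None.

    Lease events for the IP are replayed in time order: Issued and Renewed
    set the holder and its expiry, Freed and Abandoned clear it. A Renewed
    lease that was later Freed therefore does not cover the rest of its
    nominal lease time.
    """
    holder = None  # (mac_duid, lease_end)
    for ev in sorted((e for e in events if e["lease_ip"] == ip),
                     key=lambda e: e["time"]):
        if ev["time"] > when:
            break
        if ev["action"] in ("Issued", "Renewed"):
            holder = (ev["mac_duid"], ev["lease_end"])
        elif ev["action"] in ("Freed", "Abandoned"):
            holder = None
    if holder and when < holder[1]:
        return holder[0]
    return None  # no lease on record, or the lease had expired


def hits_by_device(hits, events):
    """Count RPZ hits per MAC/DUID instead of per client IP."""
    counts = Counter()
    for time, client, _domain in hits:
        mac = holder_at(events, client, ts(time))
        counts[mac or "unattributed"] += 1
    return counts


if __name__ == "__main__":
    for device, total in hits_by_device(RPZ_HITS, LEASE_EVENTS).items():
        print(f"{device}: {total} hit(s)")
```

Hits that fall in a gap between leases, after expiry, or on an address with no lease history stay unattributed and are candidates for checking against fixed addresses or discovery data.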

...

  • Last Updated: Displays the timestamp when the user information was last updated.
  • User Name: The logon name of the user.
  • Domain: The domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are still active on the system.
  • Last Seen: The timestamp when the user was last seen accessing a domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, or Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

User History for Lease IP

...

  • Last Updated: Displays the timestamp when the user information was last updated.
  • User Name: The logon name of the user.
  • Domain: The Active Directory domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are active on the system.
  • Last Seen: The timestamp when the user was last seen accessing a domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, or Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

DNS Top RPZ Hits by Clients

The DNS Top RPZ Hits by Clients dashboard lists the total number of RPZ hits from a client during an interval, irrespective of the rules and mitigation actions. You can view the IP address of the client, total hits and the date and time during which the hits were received.
The appliance lists the top RPZ hits by clients in table format. You can click a specific row in the table to view the lease history of a client. Grid Manager displays another report that specifies more detailed information, such as the leased IPs, host name, and MAC addresses for each client. For more information about RPZs, see About Infoblox DNS Firewall. In addition, you can click the client IP address to view login details of the user. For information, see User History for IP Address.

If you have configured Infoblox Subscriber Services, you can click Subscriber ID to view the RPZ Details for the Subscriber ID sub-dashboard. For information, see RPZ Details for the Subscriber ID.

...

  • Time: The date and time when the last hit was received.
  • Block: Total number of queries that triggered a Block (No Data) and Block (No Such Domain) RPZ rule. For information about Block (No Data) and Block (No Such Domain) RPZ rules, see Managing Block (No Data) Rules and Managing Block (No Such Domain) Rules respectively.
  • Passthru: Total number of queries that triggered the Passthru RPZ rule. For information about Passthru RPZ rule, see Managing Passthru Rules.
  • Substitute: Total number of queries that triggered the Substitute (Domain Name) and Substitute (Record) RPZ rule. For information about Substitute (Domain Name) and Substitute (Record) RPZ rules, see Managing Substitute (Domain Name) Rules and Managing Substitute (Record) Rules respectively.
  • Client Hits: Total number of queries that triggered an RPZ policy. The client hits is the sum of Block (No Data), Block (No Such Domain), Passthru, Substitute (Domain Name), and Substitute (Record) RPZ hits. Note that this data is not displayed in the Stacked Chart, but displayed in the Line Chart and in Table format.

...

The DNS Firewall Executive Threat dashboard is a predefined custom dashboard which consists of the following sub-dashboards:

...

Note: To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.

...

The Threat Protection Event Count By Severity Trend dashboard provides event count trends by severity in a given time frame. You can view event counts distributed for the following severity levels: Critical, Major, Warning, and Informational. Each severity level is represented by a different color.
You can also define alerts in this dashboard to notify administrators when a trend reaches a specified threshold. For information about how to define alerts, see About IP Blocks and IP Block Groups. When you configure alerts for this dashboard and define a threshold value to trigger SNMP traps for a specified reporting event type, the appliance triggers an alert every five minutes based on the filters you select. For information about how to trigger SNMP traps for reporting event types, see Defining Thresholds for Traps.

Threat Protection Event Count By Member Trend

...

Note: You can configure the top number of source IP addresses and threat protection rules on the appliance. For information about how to configure threat protection data, see Configuring Threat Protection Data.

...

This dashboard displays the following information in table format:

...

Note: You can configure the top number of source IP addresses and threat protection rules on the appliance. For information about how to configure threat protection data, see Configuring Threat Protection Data.

...

This dashboard displays the following information in table format:

...

The DNS Tunneling Traffic by Category dashboard provides information about DNS tunneling activities by specific categories and the percentage of events by the category of DNS tunneling events in a given time frame. This dashboard helps you track abnormal DNS traffic. The default dashboard shows a pie chart that lists the categories of DNS tunneling events. You can mouse over the pie in the chart to view the DNS tunneling category, event counts, and their percentages. You can also configure the appliance to display this dashboard in table format. The default dashboard displays the top 10 DNS tunneling categories within the last week.
You can click the category in the table or in the pie chart to view the DNS Top Tunneling Activity sub-dashboard for the selected category. For more information, see DNS Top Tunneling Activity.
This dashboard displays the following information in table format:

...

  • Last Updated: Displays the timestamp when the user information was last synchronized with the Microsoft server.
  • User Name: The logon name of the user.
  • Domain: The Active Directory domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the Active Directory domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are active on the Microsoft server.
  • Last Seen: The timestamp when the user was last seen accessing an Active Directory domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, or Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

Subscription Data

The Subscription Data dashboard displays the user and device identity captured by the Cisco ISE for the subscribed member. The default dashboard displays user name, domain name, VLAN ID, Device operating system, and last discovered timestamp.
The predefined Subscription Data dashboard displays the following information:

...

You can monitor information about index volume usage on the reporting server for each report category and reporting members. You can track volume usage statistics by generating the following internal reports:

Reporting Index Usage Statistics

The Reporting Index Usage Statistics dashboard provides information about the current disk space in use and the maximum index space configured for a reporting index. For information about the maximum index size allocated for each index, see Table 40.8. The dashboard shows a bar chart for Index Disk Usage trend. You can mouse over the bar to view the index volume usage/maximum index space allocated for that reporting index.

...