
Infoblox enables you to configure Threat Insight in the cloud client to detect and block blacklisted domains. Threat Insight uses analytics algorithms to detect DNS tunneling by analyzing incoming DNS queries and responses. With Threat Insight, you can also configure a whitelist of trusted domains for which NIOS allows DNS traffic. Note that Threat Insight for the cloud destination through the Data Connector is valid for local RPZ zones only. When you configure RPZs for a Grid, you can also define rules to block DNS resolution for malicious domains or to redirect clients that query them. Infoblox allows you to configure only one cloud client per Grid. You must first request an API key through the Cloud Services Portal to authorize Threat Insight requests from the cloud client.

Note that you must configure the Infoblox Data Connector to transport data from the Grid to BloxOne Threat Defense Cloud. You can use this feature only when an RPZ license is installed in the Grid. When you configure Threat Insight for the cloud destination, the Threat Insight domains that are added in the Cloud Services Portal for the respective user are synchronized with the RPZ zone that you add to the list. This synchronization happens periodically, based on the interval that you define.

If your Grid is running NIOS version 8.2.0, you can configure the Grid to retrieve blacklisted domains, which are detected by the Threat Insight feature, from the cloud destination and block traffic using RPZs. For more information about RPZs, refer to the Infoblox NIOS Administrator Guide.

To configure Threat Insight for cloud destination, complete the following:

  1. Log in to Grid Manager.
  2. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then click Threat Insight in the Cloud Client in the Toolbar.

  3. Complete the following in the Threat Insight in the Cloud Integration Client wizard:

    • Enable Cloud Client: Select this checkbox to enable Threat Insight in the cloud client.
    • Interval: You can specify how often to request Threat Insight results from the cloud client in seconds or minutes. The default is 10 minutes.
    • The list of Response Policy Zones to use for blacklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different network and DNS views. Whenever a new RPZ is added and the cloud client requests data, Grid Manager displays a Warning dialog box asking you to confirm that you wish to request all domains detected by Threat Insight in the cloud client. Even if you clicked No in the Warning dialog box, you can still request all domains detected in the cloud client by using the set cloud_services_portal_force_refresh CLI command in maintenance mode to set the flag.
  4. Click Save & Close.
