The Infoblox BloxOne Threat Defense Cloud Client on NIOS allows the interaction between BloxOne Threat Defense Cloud and outbound endpoints so you can collect blocked/logged request via feeds or domains detected by Threat Insight in BloxOne Threat Defense Cloud and send the outbound events to external endpoints. When you enable and configure BloxOne Threat Defense Cloud Client on an on-prem NIOS member, the client uses threat API calls to request RPZ events from BloxOne Threat Defense Cloud, and then convert the data into outbound events. These events are periodically synchronized (between BloxOne Threat Defense Cloud and NIOS) and sent to the configured outbound endpoints. Note that the client requests only subsequent data since the last data timestamp, and each synchronization happens based on the schedule and retrieves only the current data.

You can configure notification rules to filter incoming events using the following fields: Threat Origin (NIOS, BloxOne Threat Defense Cloud), BloxOne Threat Defense Cloud Hit Type (DNS RPZ, Threat Analytics), BloxOne Threat Defense Cloud Hit Class and BloxOne Threat Defense Cloud Hit Property. When you configure notification rules to filter incoming events using these fields for BloxOne Threat Defense Cloud Client, relevant information gets synchronized with the event types that you add to the list. This synchronization happens periodically based on the interval that you define. For more information about notification rules, see Configuring Notification Rules.

You can select any Grid member to execute the BloxOne Threat Defense Cloud Client. Infoblox uses event filters on the selected Grid Member to limit the amount of logs. For debugging purposes, information about the client connection status will be displayed in the infoblox.log file. An error is logged in the debug mode for any exceptions that appear when the data is requested and received from the BloxOne Threat Defense Cloud. NIOS logs any critical messages in the syslog.

You must specify the email address and password in the Grid Properties Editor before you enable the BloxOne Threat Defense Cloud Client. For more information about configuring Integration with BloxOne threat defense cloud, see below. The server stores the email address and the password so that it can request a new API key. The server requests an API key through the Cloud Services Portal, so that the cloud client is authorized to retrieve data from BloxOne Threat Defense Cloud. 

The following figure shows how Threat Insight in the BloxOne Threat Defense Cloud client and BloxOne Threat Defense Cloud Client use a common API interface to interact with BloxOne Threat Defense Cloud. For more information about enabling BloxOne threat defense cloud client for outbound, see below.

Best Practices for Configuring BloxOne Threat Defense Cloud Client

• Ensure that you have enabled the following on the BloxOne Threat Defense Cloud Client:
  

  • An email address and a password.

  • A Grid member that is online.

• Ensure that at least one outbound notification rule for DNS RPZ event type is active for outbound settings.

• Only superusers can update the BloxOne Threat Defense Cloud Client settings.

• If the timestamp for the data collected by the BloxOne Threat Defense Cloud Client is ahead of the current time in NIOS, then such events are logged in the syslog. In such an instance, the client does not request any data until the current time reaches the timestamp of the data that is collected and it logs a message in the Infoblox.log based on the time interval that you have set.

Configuring Integration with BloxOne Threat Defense Cloud

To integrate the BloxOne Threat Defense Cloud client with BloxOne Threat Defense Cloud, you must have already created a user profile and the API key for the user profile in the Cloud Services Portal. 

To configure the BloxOne Threat Defense Cloud client to integrate with BloxOne Threat Defense Cloud, you must configure the URL of the Cloud Services Portal and credentials for logging in to the portal. Complete the following steps:

1. Grid: From the Grid tab, select the Grid Manager tab, and then select Grid Properties -> Edit from the Toolbar.
   Standalone appliance: From the System tab, select the System Manager tab, and then select System Properties -> Edit from the Toolbar.

2. In the Grid Properties Editor or the System Properties Editor, click Toggle Advanced Mode to switch to the advanced mode.
   Note that if the editor is already in the advanced mode, then you will see the Toggle Basic Mode button.

3. On the BloxOne Threat Defense Cloud Integration tab -> Basic tab, specify the following in the BloxOne Threat Defense Cloud Integration section:
   BloxOne Threat Defense Cloud Integration
   

   • URL: Displays the REST API URL of the Infoblox Cloud Services Portal.

   • Credentials:

     • Email: Enter the email address that is registered in the Cloud Services Portal. This email address is used for authorization by the Cloud Services Portal. 

     • Password: Enter the password that is registered in the Cloud Services Portal. This password is used for authorization by the Cloud Services Portal.

     • Test Connection: Click this to test the connectivity between NIOS and the Cloud Services Portal.

4. Save the configuration.

Enabling BloxOne Threat Defense Cloud Client for Outbound

To configure an BloxOne Threat Defense Cloud Client to collect event types from BloxOne Threat Defense Cloud and send them to external endpoints, complete the following steps: 

1. From the Grid tab, select the Ecosystem tab -> Outbound Endpoint tab, and then click BloxOne Threat Defense Cloud Client from the Toolbar. 

2. In the BloxOne Threat Defense Cloud Client editor, complete the following:
   

   • Enable Cloud Client: Select this checkbox to enable the BloxOne Threat Defense Cloud Client to send outbound events.

   • Grid member: Click Select to select a Grid member on which you run the configured client. Click Clear to clear the value. You can select any Grid member where the cloud client must be executed.

   • Interval: Specify how often to request the list of event types from BloxOne Threat Defense Cloud, in seconds or minutes. This value is set to one minute by default. The time interval is measured from the previous data synchronization.

   • The list of requested event types: Select the respective checkbox to enable or disable an event type. The event types that you request from the BloxOne Threat Defense Cloud are listed here. You cannot add or remove them.

3. Save the configuration.