You can configure Threat Insight on a cloud client to detect and block blocklisted domains. Threat Insight detects DNS tunneling by analyzing incoming DNS queries and responses. With Threat Insight, you can also configure an allowlist of trusted domains for which NIOS will allow DNS traffic.

Threat Insight for a cloud destination accessed through Data Connector is valid for local RPZ zones only. When you configure RPZs for a grid, you can define rules to block DNS resolution for malicious domains or to redirect cloud clients. Infoblox allows you to configure only one cloud client per grid, and you must first request an API key through the Cloud Services Portal to authorize Threat Insight requests from the cloud client.

You must configure the Infoblox Data Connector to transport data from the grid to BloxOne Threat Defense Cloud, and you can use this feature only when an RPZ license is installed on the grid. When you configure Threat Insight for a cloud destination, the Threat Insight domains added in the Cloud Services Portal for a user are synchronized with the RPZ zone that you add to the list. This synchronization takes place according to the interval you define.

If your grid is running NIOS version 8.2.0, you can configure the grid to retrieve blocklisted domains (which are detected by Threat Insight) from the cloud destination and to block traffic by using RPZs. For more information about RPZs, refer to the Infoblox NIOS Administrator Guide.

To configure Threat Insight for a cloud destination, do the following:

  1. Log in to Grid Manager.
  2. In the Data Management tab, select the DNS tab > Response Policy Zones tab, and click Threat Insight in the Cloud Client in the toolbar.
  3. In the Threat Insight in the Cloud Integration Client wizard, do the following:
    • Enable Cloud Client: Select this checkbox to enable Threat Insight in the cloud client.
    • Interval: Specify, in seconds or minutes, how often the results generated by Threat Insight are to be requested from the cloud client. The default is 10 minutes.
    • The list of Response Policy Zones to use for blocklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box, from which you can select a zone. You can add an RPZ from different network and DNS views. Whenever a new RPZ is added and the cloud client requests data, Grid Manager displays a Warning dialog to confirm that you wish to request all Threat Insight–detected domains in the cloud client. Even if you have clicked No in the Warning dialog, you can use the CLI command set cloud_services_portal_force_refresh in maintenance mode and set the flag to request all domains detected in the cloud client.
  4. Click Save & Close.