
After you configure a Grid Master and add members, you might need to perform the following tasks:

Changing Grid Properties

You can change a Grid name, its shared secret, and the port number of the VPN tunnels that the Grid uses for communications. Note that changing the VPN port number, time zone, date or time requires a product restart.
To modify the properties of a Grid, do the following:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the General tab -> click the Basic tab, and then modify any of the following:

    • Grid Name: Type the name of a Grid. The default name is Infoblox.

    • Shared Secret: Type a shared secret that all Grid members use to authenticate themselves when joining the Grid. The default shared secret is test.

    • Shared Secret Retype: Type the shared secret again to confirm its accuracy.

    • Time Zone: Choose the applicable time zone from the drop-down list.

    • Date: Click the calendar icon to select a date or enter the date in YYYY-MM-DD format.

    • Time: Click the clock icon to select a time or enter the time in HH:MM:SS format.

    • VPN Port: Type the port number that the Grid members use when communicating with the Grid Master through encrypted VPN tunnels. The default port number is 1194. For more information about port numbers for grid communication, see Creating a Grid Master.

    • Enable Recycle Bin: Select the checkbox to enable the Recycle Bin. The Recycle Bin stores deleted items when the user deletes Grid, DNS, or DHCP configuration items. Enabling the Recycle Bin allows you to undo deletions and to restore the items on the appliance at a later time. If you do not enable this feature, deleted items from the GUI are permanently removed from the database.

    • Audit Logging: Select one of the following:

      • Detailed: This is the default type. It is automatically selected. It provides detailed information on all administrative changes such as the date and time stamp of the change, administrator name, changed object name, and the new values of all properties.

      • Brief: Provides information on administrative changes such as the date and time stamp of the change, administrator name, and the changed object name. It does not show the new value of the object.

      • WAPI Detailed: Select this option to view detailed WAPI (RESTful API) session information logs for successful WAPI calls such as PUT, POST, and DELETE. You can view the URI, InData and response time for each WAPI call. For more information, see Monitoring Tools.

    In the Grid Properties editor, select the General tab -> click the Advanced tab (or click Toggle Advanced Mode) and modify any of the following:

        • Enable GUI Redirect from Member: Select this checkbox to allow the appliance to redirect the Infoblox GUI from a Grid member to the Grid Master.

          Note that if read-only API access is enabled for a Grid Master Candidate, then selecting the Enable GUI Redirect from Member checkbox for the Grid Master Candidate does not redirect the Infoblox GUI from the Grid Master Candidate to the Grid Master. For more information about enabling read-only API access on a Grid Master Candidate, see Enabling Read-only API Access on the Grid Master Candidate below.

        • Enable GUI/API Access via both MGMT and LAN1/VIP: Select this checkbox to allow access to the Infoblox GUI and API using both the MGMT and LAN1 ports for standalone appliances and MGMT and VIP ports for an HA pair. This feature is valid only if you have enabled the MGMT port. For information about enabling the MGMT port, see Appliance Management.

          Note that the appliance uses the MGMT port only to redirect the Infoblox GUI from a Grid member to the Grid Master even after you enable the Enable GUI/API Access via both MGMT and LAN1/VIP feature.

    • Show Restart Banner: Select this checkbox to enable the appliance to display the Restart Banner at the top of Grid Manager whenever the appliance notifies you that a service restart is required.

    • Require Name: Select this checkbox to prompt the administrator to input the username before performing the service restart. When you select this checkbox, the appliance displays the Confirm Restart Services dialog box. Enter the username in the Name field and click Restart Services. For information about restarting service, see Restarting Services.

  4. Save the configuration.

If you changed the VPN port number, time zone, date or time, Grid Manager displays a warning indicating that a product restart is required. Click Yes to continue, and then log back in to Grid Manager after the application restarts.

Configuring Security Level Banner

You can publish a security banner that indicates the security level of the Infoblox Grid. It appears on the header and footer of all pages of Grid Manager. The security level can be Top Secret, Secret, Confidential, Restricted, or Unclassified. Each security level is associated with a predefined banner color, which you can change at any time. Grid Manager automatically uses a contrasting text color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced security level banner for a Grid:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the Security tab -> Advanced tab.

  4. Complete the following:

    • Enable Security Banner: Select this to enable the display of the security banner.

    • Security Level: From the drop-down list, select the security level for the banner.

    • Security Level Color: The default color for the selected level is displayed in the drop-down. If necessary, select a different color for the security level banner from the drop-down list. When you change the security level, Grid Manager resets the color to the default for that level.

    • Classification Message: Enter the message you want to display in the security banner. You can enter up to 190 characters.

  5. Save the configuration.

The security banner that you have configured appears on the header and footer of every Grid Manager screen, including the Login screen.

Configuring Notice and Consent Banner

You can configure and publish a notice and consent banner as the first login screen that includes specific terms and conditions you want end users to accept before they log in to the Infoblox Grid. When an end user tries to access Grid Manager, this banner is displayed as the first screen. Before accessing the login screen of the Grid Manager, the user must accept the terms and conditions displayed on the consent screen. Only superusers can configure and enable this feature.
To configure the notice and consent banner, do the following:

  1. From the Grid tab, open the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the Security tab -> Advanced tab, and then specify the following:

    • Enable Notice and Consent Banner: Select this checkbox to enable the display of the notice and consent banner. In the text field, enter the message that you want the banner to show. The message cannot exceed 10,000 characters.

  4. Save the configuration.

This banner appears as the first screen when users access Grid Manager. Users must read the terms and conditions and then click Accept on the consent screen before they can access the login screen of Grid Manager.

Configuring Informational Level Banner

You can publish an informational banner for multiple purposes, such as to indicate whether the Infoblox Grid is a production or a lab system, or to issue messages of the day. The informational level banner appears on the header of the Grid Manager screen. You can set both the banner text and the banner color. Grid Manager automatically uses a contrasting text color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced informational banner for a Grid, do the following:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the General tab -> Advanced tab.

  4. Specify the following:

    • Enable informational GUI Banner: Select this checkbox to enable the display of the informational banner message.

    • Banner Color: The default color is displayed in the drop-down. If necessary, using the drop-down list, select the required color for the informational level banner.

    • Message: Enter the message you want to display in the informational banner. You can enter up to 190 characters.

  5. Save the configuration.

The informational banner appears on the header of the Grid Manager screen.

Configuring Recursive Deletions of Networks and Zones

Use Grid Manager to configure the group of users that are allowed to delete, or schedule the deletion of, a network container and its child objects, or a zone and the zone's child objects. For instructions on deleting a network container or a zone, see Deleting Network Containers and Removing Zones.
When you select All Users or Superusers, these users can choose either to delete a parent object and re-parent its child objects, or to delete a parent object together with all its child objects. These options appear only if the network container or zone has child objects. For instructions on scheduling recursive deletion of network containers and zones, see Scheduling Recursive Deletions of Network Containers and Zones.
When you select Nobody, all users can delete the parent object only; all child objects, if any, are re-parented. For more information about scheduling deletions, see Scheduling Deletions. Note that this setting restricts recursive deletions of network containers and zones only through Grid Manager; it does not prevent users from performing recursive deletions through the API.

Note

You must have Read/Write permission to all the child objects in order to delete a parent object. Recursive deletion is applicable to all zone types except stub and forward-mapping zones.

The appliance puts all deleted objects in the Recycle Bin, if enabled. You can restore the objects if necessary. When you restore a parent object from the Recycle Bin, all its contents, if any, are re-parented to the restored parent object. For information about Recycle Bin, see Finding and Restoring Data.
To configure the group of users to perform recursive deletions:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the General tab -> Advanced tab.

  4. Under Present the option of recursive deletion of networks or zones to, select one of the following:

    • All Users: Select this to allow all users, including superusers and limited-access users, to choose whether they want to delete the parent object and its contents or the parent object only when they delete a network container/network or a zone. This option is selected by default.

    • Superuser: Select this to allow only superusers to choose whether they want to delete the parent object and its contents or the parent object only when they delete a network container/network or a zone.

    • Nobody: When you select this, users can only delete the parent object (network container or zone). All child objects, if any, are re-parented.

  5. Save the configuration.

Setting the MTU for VPN Tunnels

You can configure the VPN MTU (maximum transmission unit) for any appliance with a network link that does not support the default MTU size (1500 bytes) and that cannot join a Grid because of this limitation. If an appliance on such a link attempts to establish a VPN tunnel with a Grid Master to join a Grid, the appliance receives a PATH-MTU error that indicates that the path MTU discovery process has failed. For information about the MTU discovery process, see RFC 1191, Path MTU Discovery.
To avoid this problem, set a VPN MTU value on the Grid Master for any appliance that cannot link to it using a 1500-byte MTU. When the appliance contacts the master during the key exchange handshake that occurs during the Grid-joining operation, the master sends the appliance the MTU setting to use.
To set the VPN MTU for a Grid member, do the following:

  1. In the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox -> Edit icon.

  2. Select the Network -> Advanced tab of the Grid Member Properties editor.

  3. In the VPN MTU field, enter a value between 600 and 1500.

  4. Save the configuration and click Restart if it appears at the top of the screen.

Removing a Grid Member

You might want or need to remove a member from a Grid, perhaps to disable it or to make it an independent appliance or an independent HA pair. Before you remove a member, make sure that it is not assigned to serve any zones or networks.
To remove a Grid member do the following:

  1. In the Grid tab, open the Grid Manager tab -> Members tab.

  2. Select the Grid_member checkbox.

  3. Click the Delete icon.

Promoting a Grid Master Candidate

To promote a Grid Master Candidate to a Grid Master, you must have already designated a member as a Grid Master Candidate by selecting the Master Candidate option in the General tab of the Grid Member Properties editor. You can designate any member as a Grid Master Candidate. The Grid Master Candidate receives a complete copy of the Grid database. Therefore, Infoblox recommends that you use the same appliance models for the Grid Master and Grid Master Candidates. By default, the Grid Master promotion uses UDP port 1194. Make sure that UDP ports 2114 and 1194 are open between the Grid members and a newly designated Grid Master. During a Grid Master promotion, the newly promoted Grid Master continuously contacts all Grid members, including the original Grid Master, on UDP port 2114 until it reaches them. Upon reaching them, the newly promoted Grid Master notifies all Grid members that it is the new Grid Master. Next, the Grid members restart and attempt to establish normal Grid communications (via BloxSync) with the newly promoted Grid Master. Before promoting a Grid Master Candidate, check your firewall rules to ensure that the Master Candidate can communicate with all the Grid members. For information about grid communications, see About Grids.

Note

Before promoting a Grid Master Candidate, ensure that valid client SSL certificates are installed. For more information about installing certificates, see Managing Certificates.

Testing the Connection of the Master Candidate with the Grid Members

Before promoting a Grid Master Candidate, check whether the Grid Master Candidate is connected to the rest of the Grid members, by scheduling a test promotion. You can do this either by using Grid Manager or by using the NIOS CLI. For information about scheduling a test promotion by using the NIOS CLI, see show test_promote_master and set test_promote_master.

The connection of the Grid Master Candidate to the rest of the Grid members is checked by sending specifically crafted test packets from the Grid Master Candidate and checking whether the Grid members are able to receive these packets.

To test the connection of the Grid Master Candidate with the Grid members, complete the following:

  1. In the Grid tab -> Grid Manager tab, expand the Toolbar, and then click GMC Promote Test.

  2. In the GMC Promote Test editor, do the following:

    1. Click the Schedule icon at the top of the wizard. In the Schedule Change panel, do one of the following:

      • To run a test promotion immediately, select Now.

      • To schedule a test promotion to run later, select Later, and enter a date, time, and time zone.

    2. From the Select GMC drop-down list, select the Grid Master Candidate that you want to promote to Grid Master.

    3. In the Timeout (secs) field, set the timeout for the packet to be received in seconds. That is, if the packet is not received by the Grid members within this timeout, the connection is deemed to have failed.

    4. Select the Continuous Testing checkbox if you want the Grid Master Candidate to send packets to the selected Grid members on a continual basis. The maximum period of time for which packets can be sent is 120 seconds.

    5. In the Members table, select the Grid members to which the Grid Master Candidate must establish a connection.

  3. Click Start to start the test promotion. You can click Stop at any time to stop the test promotion.

  4. Click GMC Promotion Test Results to view the status of the test promotion.

Notes

  • You cannot upgrade the Grid during a test promotion.

  • You can test the promotion of only one Grid Master Candidate at a time.

  • If new members are added when a test promotion is in progress, connection between the new members and the Grid Master Candidate will not be tested.

  • If Threat Protection is enabled in the Grid and the member running the Threat Protection service is in the list of tested members, you must set the value in the Timeout field to at least 30 seconds. This is because Threat Protection needs to publish a new rule that allows traffic to pass from tested members. If you set a lower timeout value, the packets may be dropped, and the test will report that the member cannot connect to the tested Grid Master Candidate.

  • Communication between the DUT and the Grid Master is not tested, because of firewall complications and the OpenVPN connection that is already running. This communication is assumed to have been checked already, since the DUT is already connected to the Grid Master.

  • You cannot run continuous testing when a regular test is in progress and you cannot run a regular test when continuous testing is in progress.

  • If multiple public cloud instances such as AWS, Azure, GCP and so on are configured as the Grid Master Candidate, ensure that these instances are able to communicate with other public cloud instances. Otherwise, the Grid Master Candidate promote test does not work.

  • When a Grid Master Candidate is configured with an External NTP server and you promote it to Grid Master, the External NTP setting remains enabled on the Grid Master Candidate. If you then try to edit the member properties, an error message is displayed. Therefore, Infoblox recommends that you remove the External NTP configuration before you promote the Grid Master Candidate.

Promoting the Master Candidate

To promote a Master Candidate, you can make a direct serial connection to the console port on the active node of an HA Candidate or to the console port on a single Candidate. You can also make a remote serial connection (using SSH v2) to the candidate. Enter the following Infoblox CLI command to promote a Master Candidate:
set promote_master
You can do one of the following to promote a Master Candidate:

  • Immediately notify all Grid members about the promotion.

  • Set a sequential notification to provide wait time for Grid members to join the new Grid Master. Staggering the restarts of Grid members can minimize DNS outages. The sequential order for Grid members to join the new Grid Master begins with the old Grid Master and then the Grid members in FQDN order. The default delay time is 120 seconds. You can configure the delay time from a minimum of 30 seconds up to 600 seconds.

Notes

  • During a Grid Master promotion, ensure that you do not designate a Grid member as a Grid Master Candidate or promote a Master Candidate. In addition, wait up to two hours since the last promotion to perform another Grid Master promotion. Otherwise, you might experience unnecessary member reboots. Whenever possible, separate any operations that require product restarts by at least an hour.

  • When a Grid Master Candidate is selected as a subscribing member, then after the Grid Master Candidate is promoted, the subscription still takes place through the previous Grid Master Candidate member, which is now a regular Grid member.

To promote a Grid Master Candidate, do the following:

  1. Establish a serial connection (through a serial console or remote access using SSH) to the Master Candidate. For information about making a serial connection, see Method 2-Using the CLI in Deploying a Single Independent Appliance.

  2. At the CLI prompt, use the command set promote_master to promote the Master Candidate and send notifications to all Grid members immediately, or promote the Master Candidate to the Grid Master immediately and specify the delay time for the Grid members to join the new Grid Master. For more information about the command, refer to the Infoblox CLI Guide.

  3. To verify the new master is operating properly, log in to the Infoblox Grid Manager on the new master using the VIP address for an HA master or the IP address of the LAN1 port for a single master.

  4. Check the icons in the Status column. Also, select the master, and then click the Detailed Status icon in the table toolbar. You can also check the status icons of the Grid members to verify that all Grid members have connected to the new master. If you have configured delay time for Grid member notification, it will take some time for some members to connect to the new master. You can also check your firewall rules and log in to the CLI to investigate those members.

Note that when you promote the Master Candidate to a Grid Master, the IP address will change accordingly. If you have configured a FireEye appliance, then any changes in the Grid Master IP address, FireEye zone name, associated network view or the DNS view will affect the Server URL that is generated for a FireEye appliance. The FireEye appliance will not be able to send alerts to the updated URL when there is a change in the IP address. You must update the URL in the FireEye appliance to send alerts to the NIOS appliance. For more information, see Configuring FireEye RPZs.

Reconnecting Groups After Grid Master Candidate Promotion

This feature gives you more control over the Grid Master Candidate promotion and minimizes service outages by allowing you to group the members and schedule a time for each group to reconnect to the newly promoted Grid Master. As soon as the scheduled time arrives, the members of each Grid Master Candidate group reconnect to the newly promoted master.

To schedule a group reconnection to the newly promoted Grid Master Candidate, do the following:

  1. From the Grid tab -> Grid Manager tab, expand the Toolbar, and then click GMC Group Promotion.

  2. In the GMC Group Promotion Schedule editor, specify the following:

    • Activate GMC Group Promotion Schedule: Select this option to enable the scheduled reconnection of the group after the Grid Master Candidate is promoted.

    • Click the + icon and specify the following in Add GMC Group Wizard:

      • Name: Provide the group’s name.

      • Promotion Policy: Select either Simultaneously or Sequentially, as required.
        Simultaneously: Select this option to reconnect all group members at the same time after the Grid Master Candidate promotion.
        Sequentially: Select this option to reconnect the group members one after another after the Grid Master Candidate promotion. When you select Sequentially, each group member joins the Grid Master in sequence with an interval of 30 seconds.

      • Time Zone: Select a time zone that applies to the start time you enter. If this time zone is different from the Grid time zone, the appliance converts the time you enter here to the Grid time zone after you save this schedule. When you display this schedule again, it displays the converted time. Selecting the time zone here does not affect any time zone settings in the Grid. (For information about setting the Grid and member time zones, see Managing Time Settings.) After the Grid Master Candidate promotion, members reconnect based on the selected time zone.

      • Date: Enter a start date of the group members reconnecting after Grid Master Candidate promotion in YYYY-MM-DD (year-month-day) format. You can click the calendar icon to select a date from the calendar widget.

      • Time: Enter a start time of the group members reconnecting after Grid Master Candidate promotion in hh:mm:ss AM/PM (hour:minute:second in AM or PM) format. You can select a time from the drop-down list.

      • Comment: Enter your comments.

      • Click Next.

      • In the Members Assignment wizard, select the Grid member(s) to add to the newly created group.

  3. Save and close the wizard.

To modify an existing group, on the GMC Group Promotion Schedule editor:

  1. Click the Edit icon and make your changes in the Add GMC Group Wizard.

  2. Save and close the wizard.

To delete an existing Grid Master Candidate group, do the following in the GMC Group Promotion Schedule editor:

  1. Click the Delete icon.

  2. In the Delete Confirmation dialog box, click Yes.

After enabling the Grid Master Candidate group promotion, use the set promote_master CLI command to start the Grid Master Candidate promotion.
Use the set gmc_promotion disable CLI command to disable the Activate GMC Group Promotion Schedule option. Note that this command can be executed on the Grid Master and on the Grid Master Candidate. For more information, see set gmc_promotion.

Notes

  • If the Activate GMC Group Promotion Schedule option is not enabled on the Grid Master and you continue with the Grid Master Candidate promotion using the set promote_master command, the promotion works as described in Promoting the Master Candidate.

  • By default, all members are part of the Default group. You can customize the Grid Master Candidate group membership according to your requirements; however, the Grid Master Candidate itself cannot be moved, because it always belongs to the Default group.

  • If you want to reconnect the members of any group to the newly promoted Grid Master irrespective of the scheduled time, click the Join Group Now icon in the GMC Group Promotion Schedule editor. This works only during the promotion of a Grid Master Candidate. That is, Join Group Now is enabled only while a Grid Master Candidate group promotion is in progress; it is disabled after the scheduled time of all the groups has passed following the Grid Master Candidate promotion. For any offline member, Join Group Now is disabled 8 hours after the Grid Master Candidate promotion.

  • The Add GMC Group Wizard in the GMC Group Promotion Schedule editor is available only for future schedules. The maximum scheduled time for the promotion of any Grid Master Candidate group is 8 hours.

  • We do not recommend enabling a schedule Grid upgrade and GMC Group Promotion Schedule at the same time.

  • The Time Zone for any group displays the Grid Manager's time zone; if the group contains members, the Time Zone automatically reflects the time zone of the first group member.

  • The scheduled Time is displayed in the new time zone if the Time Zone is modified or if a member is moved to a different group.

  • During the Grid Master Candidate promotion, if a Grid member is offline, Grid Manager continuously attempts to connect to the offline Grid member every 60 seconds.

  • If the GMC Group Promotion Schedule editor is disabled after a Grid upgrade, you can unset the previously triggered Grid Master Candidate promotion by using the CLI command set gmc_promotion forced_end. It is recommended to run this command only when the Grid is completely upgraded. For more information, see set gmc_promotion.
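The following planning helper is an added example (not Infoblox code) that models the two rejoin behaviours described in Promoting the Master Candidate (sequential notification: old Grid Master first, then members in FQDN order, one per delay interval of 30 to 600 seconds, default 120) and in the GMC Group Promotion Schedule above (each group reconnects at its scheduled time, simultaneously or one member every 30 seconds, with a start at most 8 hours after the promotion, converted to the Grid time zone). It assumes that "FQDN order" means case-insensitive lexical order and that the Grid time zone can be represented as a fixed UTC offset; all member names and times are constructed.

```python
"""Planning helper for Grid Master Candidate promotion timing.

Added example, not Infoblox code. It lets an operator compute the expected
reconnect timeline before a change window. Assumptions not stated on the page:
"FQDN order" is taken as case-insensitive lexical order, and the Grid time zone
is modelled as a fixed UTC offset. All names and times below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_DELAY = 120              # seconds; page default for sequential notification
MIN_DELAY, MAX_DELAY = 30, 600   # configurable range given on the page
GROUP_SEQ_INTERVAL = 30          # seconds between members of a "Sequentially" group
MAX_GROUP_SCHEDULE = timedelta(hours=8)   # latest allowed group start after promotion


def validate_delay(delay: int) -> bool:
    """True if the sequential-notification delay is within the allowed range."""
    return MIN_DELAY <= delay <= MAX_DELAY


def sequential_rejoin_plan(old_master: str, members, delay: int = DEFAULT_DELAY):
    """Return [(member, seconds_after_promotion), ...] for sequential notification.

    The old Grid Master is always first; the remaining members follow in FQDN
    order (assumed case-insensitive lexical order), each `delay` seconds later.
    """
    if not validate_delay(delay):
        raise ValueError(f"delay must be {MIN_DELAY}..{MAX_DELAY} s, got {delay}")
    others = sorted((m for m in members if m != old_master), key=str.lower)
    return [(name, i * delay) for i, name in enumerate([old_master] + others)]


@dataclass
class GmcGroup:
    """One entry of the GMC Group Promotion Schedule editor (constructed model)."""
    name: str
    policy: str            # "Simultaneously" or "Sequentially"
    start: str             # ISO-8601 with UTC offset, as entered in the group's time zone
    members: list = field(default_factory=list)


def is_schedulable(start: str, promotion_time: str) -> bool:
    """True if a group start lies within 8 hours after the promotion time."""
    delta = datetime.fromisoformat(start) - datetime.fromisoformat(promotion_time)
    return timedelta(0) <= delta <= MAX_GROUP_SCHEDULE


def group_rejoin_plan(groups, promotion_time: str, grid_utc_offset_hours: int = 0):
    """Return [(group, member, reconnect_time_iso), ...] sorted by reconnect time.

    Every start is converted to the Grid time zone (a fixed UTC offset here, an
    assumption standing in for the Grid's configured zone), mirroring how the
    editor converts a group time zone to the Grid time zone when you save.
    """
    grid_tz = timezone(timedelta(hours=grid_utc_offset_hours))
    plan = []
    for g in groups:
        if not is_schedulable(g.start, promotion_time):
            raise ValueError(f"group {g.name!r}: start must be within 8 h after promotion")
        start = datetime.fromisoformat(g.start).astimezone(grid_tz)
        if g.policy == "Simultaneously":
            step = timedelta(0)
        elif g.policy == "Sequentially":
            step = timedelta(seconds=GROUP_SEQ_INTERVAL)
        else:
            raise ValueError(f"group {g.name!r}: unknown policy {g.policy!r}")
        for i, member in enumerate(g.members):
            plan.append((g.name, member, (start + i * step).isoformat()))
    # Same offset for every row, so ISO strings sort chronologically; the sort
    # is stable, so members of a simultaneous group keep their listed order.
    return sorted(plan, key=lambda row: row[2])


if __name__ == "__main__":
    # Constructed sample: a three-member Grid promoted with the default delay.
    for member, offset in sequential_rejoin_plan(
            "gm.example.com", ["NS2.example.com", "gm.example.com", "ns1.example.com"]):
        print(f"{offset:4d}s  {member}")
    promo = "2024-05-01T10:00:00+00:00"
    groups = [
        GmcGroup("dns-edge", "Simultaneously", "2024-05-01T12:10:00+02:00", ["a1", "a2"]),
        GmcGroup("core", "Sequentially", "2024-05-01T10:05:00+00:00", ["b1", "b2"]),
    ]
    for row in group_rejoin_plan(groups, promo):
        print(*row)
```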

Enabling Read-only API Access on the Grid Master Candidate

You can enable read-only API access on the Grid Master Candidate to provide additional scalability of read/write API requests on the Grid Master, which in turn improves the performance of the Grid Master. The read-only API access is disabled by default for new installations.

When you enable read-only API access on an HA Grid Master Candidate, you can access the API service only on an active node. If the API service is disabled for an admin group, the users in the admin group cannot access read-only API service on the Grid Master Candidate, even though read-only API access is enabled for the Grid Master Candidate. Also, the users in the admin group should have at least read-only permission to access the API service.

The appliance logs all API logins in the audit log and syslog. You can view the audit log and syslog of the Grid Master Candidate under the Administration -> Logs tab.

To enable read-only API access on the Grid Master Candidate:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_Master_Candidate checkbox, and then click the Edit icon.

    • In the Grid Member Properties editor, select the General tab -> Basic tab, and then do the following:
      Read Only API access: This field is displayed only when the Grid member is designated as a Master Candidate. Select this checkbox to enable read-only API access on the Grid Master Candidate. Enabling this checkbox will only allow read-only API access and not write API access. Note that if you enable this checkbox, you cannot access the GUI using the IP address of the Grid Master Candidate.

  2. Save the configuration.
