Creating Traffic Flows

Image: The step-by-step process required when adding a Data Connector traffic flow.  

To add a new traffic flow for the Data Connector, do the following:

  1. Log in to the Infoblox Portal.

  2. Go to Configure > Administration > Data Connector.

  3. In the Traffic Flow Configuration tab, click Create Configuration.

  4. Complete the following sections of the Create New Data Configuration wizard: 

  5. General
    In the General pane, specify the following:

    1. Name: Enter a name for this configuration.

    2. Description: Enter a description to distinguish this Data Connector from other flows. The maximum length of the description is 256 characters.

    3. State: Use the slider to enable or disable this configuration. When the configuration is disabled, traffic does not flow.

    4. Tags: Click Add and specify a key-value pair to associate with the application:

      • KEY: Enter a meaningful name for the key, such as a location or department.

      • VALUE: Enter a value for that key. For more information, see Managing Tags.

  6. Click Next to proceed.

  7. Log Source Configuration
    In the Log Source Configuration pane, specify the following:

    1. Source: Select a source from among the available source options in the list of sources or click the Add icon to create a new source. For information on adding a new traffic flow data configuration source, see Adding a New Traffic Flow Source. Click Select to add the source to the configuration. The source field will be pre-populated when using a marketplace script subscribed to through Infoblox Ecosystem. 

      • When selecting Schedule Source as a source, in the Scheduler section, add a valid cron expression.

    2. Source Configuration: Click Add Log Type to add a log type (dependent on source type) from among the available options: Audit Log, DDI DHCP Lease Log, DDI Query/Response Log, Internal Notifications, Service Log, Threat Defense Query/Response Log, Threat Defense Threat Feeds Hit Log, IPAM Metadata/DHCP Lease Information, RPZ Logs for Threat Defense, and Logs for DDI.
      Additional information based on source type: 

      1. Infoblox Cloud Source: With Infoblox Cloud Source, you can select Audit Log, Internal Notifications, Service Log, Threat Defense Threat Feeds Hits Log, Threat Defense Query/Response Log, DDI DHCP Lease Log, or DDI Query/Response Log.

        Image: The Add Log Type options for log source. 

        For information on supported log types for Infoblox Cloud Source, see Log Source Configuration Export Options and Event Field Logs.

      2. CDC-NIOS source: Using CDC-NIOS source, select IPAM Metadata/DHCP Lease Information, Query/Response Log, or RPZ Logs. When selecting IPAM Metadata/DHCP Lease Information, no management options are available. In the case of IPAM Metadata/DHCP Lease Information, the log types are excluded from the filter configuration options by design. Do note that Threat Defense Query/Response Logs from Infoblox Platform Source and RPZ Logs from NIOS Source are not the same.

        Image: The Add Log Type options for log source for CDC-NIOS.

        For information on supported log types for CDC-NIOS, see Log Source Configuration Export Options and Event Field Logs (NIOS DNS Q/R and NIOS RPZ log types).

    3. Export Fields: Click the Manage link associated with a selected log type to select your export options. For information on the available export options for each log type, see Log Source Configuration Export Options. When selecting IPAM Metadata/DHCP Lease Information for CDC-NIOS, no management options (the Manage hyperlink) are available. In this case, the log types are excluded from the filter configuration options.

       

    4. Filters: Specify ETL configurations by adding an ETL filter configuration in the text field.

  8. Click Next to continue.

  9. Destination Configuration
    In the Destination Configuration pane, select a destination from among the available destination options in the list of destinations or click the Add icon to create a new destination. Click Select to add the destination to the configuration.

    • When selecting CDC-NIOS as the source, select Infoblox Cloud Source as the destination.

  10. Click Next to continue. For information on adding a new traffic flow data configuration destination, see Adding a New Traffic Flow Destination.

  11. Service Instance
    Choose a service instance from the drop-down menu.
    a. Setting Up a Service instance for Infoblox Ecosystem
    If you have subscribed to the Infoblox Ecosystem, you can choose Data Connector in Infoblox Cloud as the service instance. This option allows you to forward logs directly to Microsoft Sentinel and Splunk Cloud using HTTPS. For information, see Data Connector HTTP Destination for MSentinel and Splunk (Data Connector to On-prem or Cloud).
    b. Setting Up a Service instance for Cloud-to-Cloud Log Transfer
    To set up Cloud-to-Cloud log transfer, select Data Connector in Infoblox Cloud as the service instance. This option allows you to forward logs from cloud to cloud. For information, see Cloud-to-Cloud Log Transfer.


    Image: Choosing Data Connector in Infoblox Cloud as the service instance.

  12. Summary

Use the Summary page to do the following: 

  • Review the details of your new traffic flow instance before saving it.

  • Modify a specific configuration: Click the respective section in the navigation on the left, or click Back to go back to the previous sections.

  • View detailed information for a specific section. For example, Click Save & Close to save your configuration, or click Cancel to discard all the changes you have made.

  1. Name: Enter a name for this configuration.

    1. Description: Enter a description to distinguish this Data Connector from other services. The maximum length of the description is 256 characters.

    2. State: Use the slider to enable or disable this configuration. When the configuration is disabled, traffic does not flow.

    3. Tags: Click Add and specify a key-value pair to associate with the application:

      • KEY: Enter a meaningful name for the key, such as a location or department.

      • VALUE: Enter a value for that key. For more information, see Managing Tags.

You can view your created traffic flows on the Data Connector Traffic Flows tab in the Infoblox Portal (Configure > Administration > Data Connector > Traffic Flow).
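
The constraints stated in this procedure (description length, the log types offered per source type, the CDC-NIOS restrictions, and the cron requirement for Schedule Source) can be checked against a planned flow before it is entered in the wizard. The following is an added example, not Infoblox code and not an Infoblox API; the dictionary layout, the field names, and the sample values are assumptions made for illustration.

```python
# Added example: lint a planned traffic flow against the rules stated on this page.
# The dict layout and key names are hypothetical, not an Infoblox API or export format.

CLOUD, NIOS = "Infoblox Cloud Source", "CDC-NIOS"
SCHEDULE, IPAM = "Schedule Source", "IPAM Metadata/DHCP Lease Information"

# Log types the page lists per source type (other source types are not checked).
ALLOWED = {
    CLOUD: {"Audit Log", "Internal Notifications", "Service Log",
            "Threat Defense Threat Feeds Hits Log",
            "Threat Defense Query/Response Log",
            "DDI DHCP Lease Log", "DDI Query/Response Log"},
    NIOS: {IPAM, "Query/Response Log", "RPZ Logs"},
}

def lint_flow(flow):
    """Return a list of findings; an empty list means the plan matches the page."""
    findings = []
    if not flow.get("name", "").strip():
        findings.append("name is empty")
    if len(flow.get("description", "")) > 256:
        findings.append("description exceeds 256 characters")
    if not flow.get("enabled", False):
        findings.append("state is disabled: traffic does not flow")
    source = flow.get("source_type")
    if source == SCHEDULE and not flow.get("cron", "").strip():
        findings.append("Schedule Source needs a cron expression")
    allowed = ALLOWED.get(source)
    for lt in flow.get("log_types", []):
        name = lt["name"]
        if allowed is not None and name not in allowed:
            findings.append(f"{name!r} is not offered for {source}")
        if source == NIOS and name == IPAM and (lt.get("export_fields") or lt.get("filter")):
            findings.append(f"{IPAM} has no export-field or filter options on {NIOS}")
    if source == NIOS and flow.get("destination") != CLOUD:
        findings.append(f"{NIOS} source requires {CLOUD} as the destination")
    return findings

# Constructed sample plan (not real data; "lease_ip" is a made-up field name).
SAMPLE = {
    "name": "nios-rpz-to-cloud", "description": "RPZ hits from the lab grid",
    "enabled": True, "source_type": NIOS, "destination": "Splunk",
    "log_types": [{"name": "RPZ Logs"},
                  {"name": IPAM, "export_fields": ["lease_ip"]},
                  {"name": "Audit Log"}],
}

if __name__ == "__main__":
    print("\n".join(lint_flow(SAMPLE)))
```
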