
Configuring Network Scopes

For Infoblox Platform to apply a security policy correctly, you must define the network scope so that Infoblox Platform knows which external networks, user groups, DNS forwarding proxies, IPAM objects, and Infoblox Endpoint groups are affected. All policy rules you define for this security policy are applied to the entities in its network scope.

To set your network scope for the security policy, complete the following:

  1. On the Network Scope page of the Create New Security Policy wizard, click the Add Source menu and choose one of the following options. For each option, you can choose the applicable objects from the AVAILABLE table and move them to the SELECTED table using the right-pointing arrow icon. Click the double right-pointing arrows icon to select all the objects. You can also search for a specific object using the Search function. To remove an object from the SELECTED table, click the close icon or the trashcan icon. When you have completed your selection, click Add to add the objects, or click Cancel to discard your changes.

    • External Networks: Select this to add external networks to the network scope. For more information, see Configuring External Networks.

    • DNS Forwarding Proxy: Select this to add DNS forwarding proxies to your network scope. For more information about DNS forwarding proxy, see Using DNS Forwarding Proxy.

    • Endpoint Groups: Select this to add Infoblox Endpoint groups to your network scope. For information about Infoblox Endpoint groups, see BloxOne Endpoint Group Assignment.

    • User Groups: Select this to add user groups to the network scope. The available user groups are those that have been synchronized through the third-party IdP (identity provider) that your admin has configured for access authentication. For more information, see Synchronizing User Groups.

    • IPAM: Select this to add internal networks to the network scope. When tags are used to define an IPAM scope, tag-based changes to that scope can take up to 5 minutes to take effect.
      To associate a security policy with DDI IPAM objects in the DNS query, do the following:

      1. Select an IP Space to add to your security policy (Configure > IPAM/DHCP).

      2. Click the horizontal menu item to display the IP address block(s) associated with the IP Space. From the listed address blocks, choose the address block to add to your security policy. Make a note of the IP space and address block you want associated with your security policy.

      3. From the Hosts page (Configure > Networking > IPAM/DHCP > Hosts), search on the IP address in the search field to locate any host(s) already associated with the IP space. If a host is not yet associated with the IP space, associate it by selecting the host and editing it; a host that is not associated with the IP space will not work within the security policy. When the Edit Infoblox Container dialog appears, select the IP space you chose earlier in the IP Space field.

      4. Once the IP space has been associated with the host, click Save & Close to save the configuration.

      5. Next, go to Configure > Security > Policies to create the security policy to be associated with the chosen address block.

      6. In the Network Scope section of the Create New Policy dialog, click Add Source and select IPAM from the drop-down menu.

      7. On the Manage IPAM page, locate your chosen IP space and select it. From the listed IPAM objects on the page, select the IPAM object(s) you want associated with it (in this case, the IP address block). Once you have made your selections, click Add followed by Save to save the configuration. For more information about IPAM, see DHCP in the Infoblox Universal DDI documentation.

    • IPAM Hosts: Select this to add IPAM hosts to your network scope. IPAM hosts and DHCP ranges can also be added to a policy using tags. To associate a security policy with an IPAM host, do the following:

      1. Select an available IPAM host from those listed under AVAILABLE HOSTS on the Manage IPAM Hosts panel to add to your security policy.

      2. Click the right-pointing arrow to add the IPAM host to your security policy, or click the double right-pointing arrows to add all available IPAM hosts to your policy. To remove a previously selected IPAM host, click the trashcan.

      3. Click Save followed by Finish to complete the configuration process, or click Next to proceed to the next step of the configuration process.

    • Tags: Select this to add user-defined tags to your network scope. When the network scope includes an object that is also included in other policies, the policy precedence order determines which policy is enforced. Changes in policy tagging are updated by the system and may take up to 5 minutes to complete. When multiple tagging changes occur to a security policy, the policy reflects the most recent change. Network scope can be defined using tags for DNS Forwarding Proxy, Endpoints, Endpoint Groups, IPAM networks, individual IPs, IPAM Host objects, and ranges. Policy rules can be defined using tags for custom lists as well as application and category filters. For more information on tags, see Applying Tags.

    • Metadata: Select this to add metadata to your network scope. Network scope for Infoblox Endpoint can be defined using metadata for operating systems and endpoint version. To configure metadata, do the following:

      • ATTRIBUTE: Select an attribute from the drop-down list. Supported attributes include Endpoint Location, Endpoint Hostname, and OS Version.

      • VALUE: Select a value from the drop-down list to associate with the attribute. You can use the search tool to find a specific value. The values supported for endpoint version are Current and Previous. The value supported for endpoint location is Country; multiple countries can be selected when configuring location. The value supported for endpoint hostname is the Device name. The values supported for OS Family are Windows, MacOS, Linux, ChromeOS, iOS, and Android.

      • To edit metadata, select Policy Rules, then click Manage.

  2. For each source you have added, click Add. The source appears in the table. You can click the Add Source menu again to choose another source for your network scope.

  3. After you define your network scope, you can proceed to add policy rules, set the precedence order, and define bypass codes.

  4. Click Next in the wizard to define policy rules. For more information, see Adding Policy Rules and Setting Policy Precedence.

For information on using overlapping subnets to define policy scope, see Allowing Overlapping Internal and External Subnets When Defining Security Policy Scope.

Note

A security policy can also be applied to a specific fixed IP address or reserved address. Both fixed addresses and reserved addresses can be added to IPAM within an address block residing on your server. To do this, select the IP block and drill down until the fixed or reserved IP address is displayed. Once you have located the fixed or reserved IP address to which you want to apply the security policy, click Add to apply the policy to that IP address or hostname.


For information about other tasks in creating a new security policy, see the following: