Configuring the Distribution Server

To configure the distribution server as step 3 in the four-step On-Prem Firewall Service set-up process, complete the following: 

Step 3: Configure the Distribution Server

Click Distribution Server Configuration Values. In the Distribution Server Details dialog, copy the information listed below; you will use it to configure the DNS Firewall client. You must configure a DNS server to act as a lead secondary that receives feed updates from the threat intelligence data server and redistributes the updates to other servers.

To configure the distribution server, do the following: 

  1. BLOXONE THREAT DEFENSE CLOUD HITS RPZ FEED: Use this switch to enable and disable access to your custom zone from the data captured in BloxOne Cloud. Enabling this control enables the Maximum feed entries and Expiring days fields for configuration.
  2. Name: The name of your custom RPZ zone file. 
  3. Maximum feed entries: If BLOXONE THREAT DEFENSE CLOUD HITS RPZ FEED is enabled, then the RPZ can have at most 10,000 records. Set a value from 0 to 10,000.
  4. Expiring days: Days to expiration, or Time-to-Live (TTL), can be set from 1 to 30 days. Once an indicator has exceeded this value, it will be removed from the RPZ. 
  5. DISTRIBUTION SERVER - US WEST: Distribution servers are listed for US EAST and US WEST regions. NIOS operates on BIND, so connections must be made via IP addresses, which are used to configure appliances on the network. Preference is given to connecting via IPv4, but IPv6 is also an option.
    • IPv4: Displays the IPv4 address of the distribution server for US West. Click Copy to copy the IP address.
    • IPv4 (Notify): Displays the IPv4 distribution server address for the US West where feed notifications and messages are sent.
    • IPv6: Displays the IPv6 address of the distribution server for US West. Click Copy to copy the IP address.
  6. DISTRIBUTION SERVER - US EAST: Distribution servers are listed for US EAST and US WEST regions. NIOS operates on BIND, so connections must be made via IP addresses, which are used to configure appliances on the network. Preference is given to connecting via IPv4, but IPv6 is also an option. Be aware that your RPZ feeds might originate from an IP address other than the IP address with which they were originally configured. RPZ feeds reflect the IP address from where they originate, not the IP address of your distribution server.
    • IPv4: Displays the IPv4 address of the distribution server for US East. Click Copy to copy the IP address.
    • IPv4 (Notify): Displays the IPv4 distribution server address for the US East where feed notifications and messages are sent. 
    • IPv6: Displays the IPv6 address of the distribution server for US East. Click Copy to copy the IP address.

  7. TSIG: The Cloud Services Portal generates a TSIG key by using the account information under the account name. However, you can specify a new key name and a new TSIG key for your on-prem hosts. Do keep in mind that new keys will be active in one hour. Once the new key is active, you can add the new key name and TSIG key to your on-prem devices.
    • Key Algorithm: From the drop-down list, select HMAC_MD5 algorithm (512 bit) or HMAC_SHA256 algorithm (256 bit). 
    • Key Name: This field displays the name of the TSIG key. A TSIG key is required for RPZ zone transfers for the On-Prem Firewall. The resulting Key Name and TSIG key can be added to your on-prem devices. They provide the required authorization to transfer zone files.
    • TSIG Key: This field displays the TSIG key, which is used for authentication when information about threat intelligence feeds is being downloaded. If you have a complex configuration—for example, if you use standalone Infoblox appliances or Infoblox Grids that receive threat intelligence feeds from other standalone appliances or Grids, not directly from the Infoblox distribution servers—ensure that you use the same TSIG key for the feed zone transfers. To modify the TSIG key format to a different TSIG type, select the supported TSIG key types from the drop-down list.

Note

Once the new key becomes active (which might take up to an hour), you can add it to your on-prem devices.

Warning

When changing the TSIG key format, you must enter the new key into NIOS.

  • For more information about selecting TSIG key options for the On-Prem DNS Firewall, see Selecting a TSIG Key Format.
  • Once you have selected your distribution server, click Save & Close to proceed to the next step.
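The following is an added example, not part of the Infoblox documentation or NIOS, of how the values copied from the Distribution Server Details dialog map onto a BIND named.conf for a lead secondary that receives the custom RPZ zone. It assumes BIND 9.16+ syntax; every `<...>` value is a placeholder for the corresponding field in the dialog.

```conf
# Added example (not Infoblox's own configuration): BIND 9.16+ fragment for a
# lead secondary pulling the custom RPZ zone from the US West distribution server.
# All <...> values are placeholders; copy the real ones from the dialog.

# TSIG key from the dialog. The algorithm must match the Key Algorithm selected
# there (hmac-sha256 shown; hmac-md5 is the other option the dialog offers).
key "<KEY_NAME>" {
    algorithm hmac-sha256;
    secret "<TSIG_KEY_BASE64>";
};

options {
    # ... existing options ...
    # Apply the feed zone as a response policy zone.
    response-policy { zone "<CUSTOM_RPZ_ZONE_NAME>"; };
};

zone "<CUSTOM_RPZ_ZONE_NAME>" {
    type secondary;                  # "slave" on BIND versions before 9.16
    file "db.<CUSTOM_RPZ_ZONE_NAME>";

    # Zone transfers are pulled from the distribution server's IPv4 address and
    # signed with the key above.            ("masters" on versions before 9.16)
    primaries { <US_WEST_IPV4> key "<KEY_NAME>"; };

    # NOTIFY messages come from the separate IPv4 (Notify) address, which is not
    # listed in primaries, so it must be allowed explicitly.
    allow-notify { <US_WEST_IPV4_NOTIFY>; };

    # Downstream appliances that take the feed from this lead secondary must use
    # the same TSIG key; refuse unsigned transfer requests.
    allow-transfer { key "<KEY_NAME>"; };
};
```

After a key change in the portal, update the `secret` (and `algorithm`, if the format changed) here as well; the new key only becomes valid on the distribution side once it is active.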

For information on enabling custom RPZ feeds, see Enabling and Scaling of Custom RPZ Feeds.

Once Step 3 has been completed, proceed to Step 4, the final step, of the On-Prem DNS Firewall configuration process.