
Configuring External Networks


Note: IPv4 subnets larger than /29 (that is, with a prefix length shorter than /29, such as /24 through /28) and IPv6 subnets larger than /56 are verified by the Infoblox support team before they become operational. Allow 5 business days for support team verification.

Before you can apply security policies, you must define the networks that you want to protect from malicious attacks. The first step in configuring Infoblox Threat Defense is to set up DNS Firewall by defining your remote (external) networks. You identify an external network by its IP address subnets, grouped under a network name, so that each network can be referenced separately in your DNS security policies.

Note

If you plan to use multiple external networks in your configuration, Infoblox recommends that you register all of them as soon as possible. Pre-registering your networks ensures that they are available by the time their DNS traffic is pointed at the service, and prevents IP space belonging to your company from being registered by another organization. Be aware that DNS traffic from a network that has not yet been registered receives no protection.

Before adding an external network, ensure that you understand the best practices. For information, see Best Practices for External Networks.

The External Networks page displays all the networks that you have defined. You can select a network and select Edit on the top Action bar to modify its information or select Remove to delete it. When you select a specific external network, you can also view its detailed information on the right panel of the page. Or, you can add a new external network to your configuration by clicking Create.

The Configure > Security > External Networks page displays the following information for external networks that are currently in your system:

  • NETWORK NAME: The external network name.

  • DESCRIPTION: An optional description for the external network.

  • SUBNET: The CIDR block (IP address range) that makes up the external network. Both IPv4 and IPv6 subnets are supported. To avoid duplicate networks and conflicts with the ACLs defined for the DNS Firewall, Infoblox Threat Defense does not accept a CIDR block that spans a wide range of addresses: for IPv4 you can enter a prefix length between /24 and /32, and the portal returns an error for any other value. IPv4 subnets larger than /29 (prefix length shorter than /29) and IPv6 subnets larger than /56 are verified by the Infoblox support team before they become operational; IPv4 subnets /29 through /32 require no verification. Allow 5 business days for support team verification. For additional information about subnets, see External Subnets.

When you select an external network, you can view its details on the right panel. Click Subnets to view the subnets associated with the external network.

You can also do the following in this tab:

  • Click the expand column icon to select the columns you want to display or use the arrow keys to reorder the columns.

  • Click the expand column icon > Edit to modify the network information. You can also select the respective external network and click the Edit button to do so.

  • Click the expand column icon > Remove to delete an external network. You can also select the respective external network and click the Remove button to do so.

  • Select an external network to view additional details in the right panel. You can collapse the right panel by clicking the information icon.

  • Enter the value that you want to search in the Search text box. The Infoblox Portal displays the list of records that match the keyword in the text box.

Allowing Overlapping External Subnets When Defining Security Policy Scope

When you define the scope of a security policy for an external network residing behind the DNS Firewall, the scope may contain subnets that overlap with IP addresses, hosts, or subnets already included in other security policies within the same organization. Where they overlap, security policy precedence decides: the IP addresses, hosts, or subnets are handled by the overlapping policy that has the highest precedence. Subnets that are not yet part of another security policy within the organization can be added to a different security policy within the same account.

If a public IP address or subnet that another organization has already registered is mistakenly added to your organization's security policy, it is not allowed: no overlap of public IP addresses or subnets between organizations is permitted, and the organization attempting to add the IP address or subnet is notified of the conflict. For information on network scope, see Configuring Network Scopes.
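The subnet rules above (IPv4 prefix length between /24 and /32, support verification for IPv4 prefixes shorter than /29 and IPv6 prefixes shorter than /56, no overlap with another organization's space, overlap within one organization allowed and resolved by policy precedence) are easy to get wrong when registering many networks at once. The following pre-flight checker is an added example written for this page; it is not Infoblox code and does not call the Infoblox API. It applies those rules to a planned list of networks before you enter them in the portal. The sample subnets and the "registered by another organization" list are constructed; the page gives no IPv6 prefix-length bounds, so for IPv6 only the verification threshold is applied (an assumption).

```python
import ipaddress

# Rules as stated on this page. IPv4 prefix lengths outside /24../32 are rejected
# by the portal; IPv4 prefixes shorter than /29 and IPv6 prefixes shorter than /56
# are accepted but held for support-team verification. The page gives no IPv6
# prefix-length bounds, so only the verification threshold is applied to IPv6
# here (assumption).
IPV4_PREFIX_RANGE = (24, 32)
IPV4_VERIFY_SHORTER_THAN = 29
IPV6_VERIFY_SHORTER_THAN = 56


def classify_subnet(cidr):
    """Parse one subnet string and return (network, needs_verification).

    Raises ValueError for anything the portal would reject: malformed input,
    host bits set (e.g. 203.0.113.5/24), or an IPv4 prefix outside /24../32.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # strict=True rejects host bits set
    if net.version == 4:
        lo, hi = IPV4_PREFIX_RANGE
        if not lo <= net.prefixlen <= hi:
            raise ValueError(f"{cidr}: IPv4 prefix length must be between /{lo} and /{hi}")
        return net, net.prefixlen < IPV4_VERIFY_SHORTER_THAN
    return net, net.prefixlen < IPV6_VERIFY_SHORTER_THAN


def plan_external_networks(planned, foreign):
    """Check a planned list of (name, cidr) entries for one organization.

    `foreign` holds subnets already registered by other organizations; any
    overlap with those is rejected. Overlaps between this organization's own
    entries are allowed (policy precedence decides) and are only reported.
    Returns a dict keyed by entry name.
    """
    foreign_nets = [ipaddress.ip_network(c) for c in foreign]
    accepted = {}
    report = {}
    for name, cidr in planned:
        try:
            net, verify = classify_subnet(cidr)
        except ValueError as exc:
            report[name] = {"status": "rejected", "reason": str(exc)}
            continue
        clash = [str(f) for f in foreign_nets if f.version == net.version and f.overlaps(net)]
        if clash:
            report[name] = {"status": "rejected",
                            "reason": f"{cidr} overlaps space registered by another organization: {clash}"}
            continue
        accepted[name] = net
        report[name] = {"status": "needs_verification" if verify else "ok",
                        "overlaps_within_org": []}
    # Second pass: overlaps among this organization's accepted entries (allowed, informational).
    names = list(accepted)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = accepted[a], accepted[b]
            if na.version == nb.version and na.overlaps(nb):
                report[a]["overlaps_within_org"].append(b)
                report[b]["overlaps_within_org"].append(a)
    return report


# Constructed sample input (documentation ranges, not real registrations).
PLANNED = [
    ("hq-egress", "203.0.113.0/28"),      # shorter than /29 -> support verification
    ("branch-1", "203.0.113.64/29"),      # /29..32 need no verification
    ("branch-1-nat", "203.0.113.66/32"),  # inside branch-1: allowed within one org
    ("too-wide", "198.51.100.0/22"),      # rejected: shorter than /24
    ("typo", "198.51.100.7/29"),          # rejected: host bits set
    ("v6-site", "2001:db8:1::/48"),       # IPv6 shorter than /56 -> verification
    ("partner-clash", "192.0.2.0/30"),    # rejected: inside another org's space
]
FOREIGN = ["192.0.2.0/24"]  # constructed: space registered by a different organization

if __name__ == "__main__":
    for name, row in plan_external_networks(PLANNED, FOREIGN).items():
        print(f"{name:14s} {row}")
```

Run the entries flagged "needs_verification" first, since those are the ones that add a 5-business-day wait before the network is protected; the "rejected" reasons map directly to the errors the portal would return.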

You can perform the following actions in this tab: