
Configuring Destinations

You can configure the Data Connector to send source data to the supported destinations, depending on the source and data type in your traffic flow. For information about the supported traffic flows, see Supported Traffic Flows.

The Data Connector supports the following destinations: NIOS Reporting Server, Splunk, and SIEMs (Security Information and Event Managers). SIEMs are tools that can perform real-time analysis of source data to identify malicious activities and threats to your network.

Click the following link to review configuration information for each destination.

Note

Before you can configure a destination for a traffic flow, ensure that you set up your destinations properly.

The following topics explain what you need to do for the supported destinations:

Infoblox has tested Data Connector with the following SIEM versions:

  • Micro Focus ArcSight ESM version 7.0.0.2410.0 and SmartConnector Version: 7.8.0.8070.0
  • IBM QRadar version 7.2.8
  • McAfee ESM version 10.1.0

Infoblox cannot guarantee that your SIEM integration will work if you use a software version other than the ones that we have tested. However, the likelihood of a failure is slim, because Data Connector uses generic syslog as the output mechanism.

Note

The Data Connector does not support multiple destinations, except for the following combinations:

  • A Cloud destination or a Reporting destination with only one supported SIEM tool.
  • Splunk and one of these SIEM destinations (Micro Focus ArcSight ESM, IBM QRadar, or McAfee ESM) at the same time.

Adding Destinations

To add destinations for the Data Connector traffic flows, complete the following:

  1. Log in to the Cloud Services Portal.
  2. Click Manage -> Data Connector.
  3. Select the Destination Configuration tab, and click Create.
  4. From the Create drop-down list, select one of the following:
    • NIOS Reporting: To set the NIOS Reporting server as the destination.
    • Splunk: To set Splunk as the destination.
    • SIEM: To select one of the supported SIEM tools as the destination.
  5. Depending on your selection, complete the following in the Create Source Configuration wizard:
    For NIOS Reporting:
    • Name: Enter the name of the destination. Select a name that best describes the destination and distinguishes it from other destinations.
    • Description: Enter the description of the destination. The field length is 256 characters.
    • State: Use the slider to enable or disable the destination configuration. Note that the destination configuration is in effect only when you enable it. If you disable the destination configuration, you will not be able to select this destination when you create a traffic flow.
    • In the NIOS GRID MASTER DETAILS section, complete the following:
      • FQDN/IP: Enter the FQDN or the IP address of the Grid Master.
      • Reporting Appliance Address: The IP address of the NIOS Reporting server.
      • User Name: Enter the user name for the Grid Master. The Data Connector uses this entry to access the appliance.
      • Password: Enter the password for the Grid Master. The Data Connector uses this entry to access the appliance.

For Splunk:

    • Name: Enter the name of the destination. Select a name that best describes the destination and distinguishes it from other destinations.
    • Description: Enter the description of the destination. The field length is 256 characters.
    • State: Use the slider to enable or disable the destination configuration. Note that the destination configuration is in effect only when you enable it. If you disable the destination configuration, you will not be able to select this destination when you create a traffic flow.
    • In the SPLUNK DETAILS section, complete the following:
      • FQDN/IP: Enter the FQDN or the IP address of the Splunk indexer to which you want the Data Connector to send data.
      • Port: Enter the port number (between 1 and 65536) to reach the Splunk indexer.
      • Indexer Name: The name of the Splunk indexer.
      • Insecure Mode: Select this check box if you don't want to use a secure transport for the data. Otherwise, complete the following sections to upload certificates for secure transport.
      • In the SPLUNK FORWARDING CERTIFICATE section, complete the following:
        • Forwarder Certificate: Click Select file to upload the forwarder certificate on the Splunk forwarder. You need to first generate a certificate request in .PEM format. This certificate request must be signed by the third-party Certification Authority for you to get a forwarder certificate.
        • Certificate Key Passphrase: Enter the key passphrase for the certificate.
    • In the SPLUNK CA CERTIFICATE section, complete the following:
      • CA Certificate: Click Select file to upload the CA signed certificate on the Splunk indexer.

For SIEM:

    • Name: Enter the name of the destination. Select a name that best describes the destination and distinguishes it from other destinations.
    • Description: Enter the description of the destination. The field length is 256 characters.
    • State: Use the slider to enable or disable the destination configuration. Note that the destination configuration is in effect only when you enable it. If you disable the destination configuration, you will not be able to select this destination when you create a traffic flow.
    • Type: From the drop-down list, select the SIEM tool you want to configure as the destination.
    • In the SIEM DETAILS section, complete the following:
      • FQDN/IP: Enter the FQDN or the IP address of the SIEM tool to which you want the Data Connector to send data.
      • Port: Enter the port number (between 1 and 65536) to reach the SIEM tool.
    • In the SIEM CA CERTIFICATE section, complete the following:
      • CA Certificate: Click Select file to locate the CA certificate from the SIEM tool and upload it.
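
The Splunk certificate fields above (a certificate request in .PEM format, a key passphrase, and a CA certificate) can be prepared and checked with the openssl CLI before anything is uploaded. This is an added example, not Infoblox's procedure or code; the file names, the common name, the FWD_KEY_PASS variable, and the throwaway CA that stands in for the third-party CA are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not vendor code): prepare and pre-check forwarder certificate files.
# Assumes the openssl CLI is installed. Names, paths and the test CA are constructed.

# Create an encrypted private key and a PEM certificate request.
# The passphrase is read from $FWD_KEY_PASS so it never appears in the process list.
make_csr() {  # make_csr <key-out> <csr-out> <common-name>
  openssl req -new -newkey rsa:2048 -keyout "$1" -passout env:FWD_KEY_PASS \
    -out "$2" -outform PEM -subj "/CN=$3" 2>/dev/null
}

# Return 0 only if the certificate chains to the CA file AND matches the private key.
check_bundle() {  # check_bundle <cert> <key> <ca-cert>
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  cb_cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  cb_key_pub=$(openssl pkey -in "$2" -passin env:FWD_KEY_PASS -pubout 2>/dev/null) || return 1
  [ "$cb_cert_pub" = "$cb_key_pub" ]
}

# Demo-only stand-in for the third-party CA that would sign the request.
make_test_ca() {  # make_test_ca <ca-key-out> <ca-cert-out> <common-name>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" -days 1 2>/dev/null
}

# Demo-only signing step; a real CA returns the signed certificate to you.
sign_csr() {  # sign_csr <csr> <ca-cert> <ca-key> <cert-out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$4" -days 1 2>/dev/null
}

work=$(mktemp -d)
export FWD_KEY_PASS='constructed-passphrase'   # constructed sample value
make_csr "$work/fwd.key" "$work/fwd.csr" "forwarder.example.test"
make_test_ca "$work/ca.key" "$work/ca.pem" "Constructed Test CA"
sign_csr "$work/fwd.csr" "$work/ca.pem" "$work/ca.key" "$work/fwd.pem"
check_bundle "$work/fwd.pem" "$work/fwd.key" "$work/ca.pem" && echo "bundle OK"
```

A failing `check_bundle` means either the CA file is not the issuer of the forwarder certificate or the certificate was issued for a different key, both of which would otherwise surface only as a failed secure connection after upload.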