Configuring BloxOne Threat Defense Cloud Destination
After you set up your Legacy Data Connector virtual appliance, you must set up certain configurations so the Legacy Data Connector can gather relevant information from the Grid members, and then send the data to the Infoblox BloxOne Threat Defense Cloud destination.
You must have Legacy Data Connector version 2.0 and later installed in order to support Infoblox BloxOne Threat Defense Cloud configuration. You can either configure a new Legacy Data Connector using the correct version or upgrade your existing Legacy Data Connector to 2.0 or later. For information about new installation, see Deploying the Legacy Data Connector Virtual Appliance. To upgrade an existing Legacy Data Connector, see Upgrading the Infoblox Legacy Data Connector.
After you have the latest software version installed and the Legacy Data Connector is up and running, perform the following to set up your cloud environment to receive data from the Legacy Data Connector. The Legacy Data Connector collects DNS query and response data, RPZ hits, DHCP lease information, and IPAM and user info data (if available) from the Grid members, generates parquet files, and sends the parquet files to the Infoblox BloxOne Threat Defense Cloud destination via HTTP request.
To configure Legacy Data Connector VM to send DNS data from Infoblox Grid to BloxOne Threat Defense Cloud, complete the following:
- Configure the Grid to capture DNS queries and responses, as described in Configuring DNS Queries and Responses. Next, add the SCP user details on the Grid members to send DNS log data to the Legacy Data Connector VM. For information, see Configuring NIOS for Legacy Data Connector.
- Configure the Data Connector as an external syslog server, so that the Grid members can send syslog to the Data Connector VM using TCP. Select DNS RPZ and Threat Protection as the logging categories while configuring the Legacy Data Connector as an external syslog server. For information about configuring external syslog servers in NIOS, refer to the Infoblox NIOS Administrator Guide.
Note
The Grid must transfer syslog using TCP, either encrypted or unencrypted.
- Enable DNS service on the Grid members.
- Log in to the Data Connector CLI.
- Configure the Legacy Data Connector, as described in Deploying the Legacy Data Connector Virtual Appliance.
- Verify the configured network settings of the Data Connector using the admin.network > ip4 get command.
Example:
admin.network > ip4 get
Configured System Setting:
gateway: 10.36.0.1
mask: 255.255.0.0
mode: static
address: 10.36.130.1
vlanid: 0
vlan configuration is only in effect in the static mode.
- Use the data.source.grid > set address command to set the Grid IP address, admin username, and password.
Example:
data.source.grid > set address 10.0.0.22
Command applied successfully.
data.source.grid > set username admin
Command applied successfully.
data.source.grid > password
Enter the NIOS admin's password:
Enter again:
Password updated
- Configure BloxOne Threat Defense Cloud as the destination using the data.destination.cloud.registration > set command and set the URL, Agent ID, and API key for the BloxOne Threat Defense Cloud output, as follows:
Note
To get the BloxOne Threat Defense Cloud configuration parameters (the URL, Agent ID, and API key), log in to your BloxOne Threat Defense Cloud portal and navigate to the Administration tab -> Data Connectors tab. In the Data Connectors panel, the values for Agent ID, URL, and API key are displayed in the Name, URL, and API Access Key columns of the Data Collectors table respectively.
data.destination.cloud.registration > set agent_id <Your_Agent_ID>
ok
data.destination.cloud.registration > set url https://usa-va.csp.infoblox.com/dnslog
ok
data.destination.cloud.registration > set api_key <Your_API_Key>
ok
Note
You must specify the same agent_id and api_key that you specified in the Cloud Services Portal (BloxOne Threat Defense Cloud Portal -> Administration -> Data Connectors), where Name is the agent_id and API Access Key is the api_key.
After setting the URL, Agent ID, and API key for the BloxOne Threat Defense Cloud output, you can use the ping or account command to verify, as follows:
data.destination.cloud.registration > ping
Cloud server "usa-va.csp.infoblox.com" is available
- Use the data.destination.cloud > set mode command and set the cloud output mode to forward, as follows:
data.destination.cloud > set mode forward
Data will start transmitting immediately
ok
- Configure the Infoblox Grid as the source of DNS data and RPZ logs using the data.source.grid > set username command and set the address, username, and password, as follows:
data.source.grid > set username admin
Command applied successfully.
data.source.grid > set address 10.0.0.22
Command applied successfully.
data.source.grid > password
Enter the NIOS admin's password:
Enter again:
Password updated
After setting the address, username, and password, you can use the data.source.grid > sync command to verify, as follows:
data.source.grid > sync
Reregistering Data Collector with the Grid... done.
Updating Grid configuration... done.
This function synchronizes the NIOS Grid state with the Data Connector VM.
- Use the data.source.syslog > set mode command to configure the syslog mode used for the RPZ logs (secure, unencrypted, or both), as follows:
data.source.syslog > set mode secure
ok
data.source.syslog > set mode unencrypted
ok
data.source.syslog > set mode both
ok
- Generate a certificate request in .PEM format. This certificate request must be signed to get an operable syslog certificate. Run the following command:
data.source.syslog > certificate request
You can self-sign the generated certificate request or send it to a Certification Authority for signing to get the operable syslog certificate. Upload the signed syslog certificate. Run the following command to import the certificate from an SCP server or an FTP server:
data.source.syslog > certificate import <scp|ftp>://loginname@serverIP:[port:]path
Example:
data.source.syslog > certificate import scp://root@10.1.1.1:999/DC2/
Note
The secure port number must be the same as the secure TCP port number configured on NIOS.
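The certificate step above leaves the signing of the request to you. The following is an added example, not part of the Infoblox documentation or of the Legacy Data Connector: a POSIX shell script that signs the exported CSR with an internal CA using openssl and verifies the result (PEM encoding, chain to the CA, leaf rather than CA certificate) before it is uploaded with certificate import. It assumes openssl 1.1.1 or later is on PATH and uses a constructed stand-in CSR; the hostname dc-syslog.example.internal, the CA name and the file paths are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not Infoblox tooling: sign the syslog certificate request
# produced by "data.source.syslog > certificate request" with an internal CA
# using openssl, then verify the result before importing it with
# "data.source.syslog > certificate import".
# Assumptions: openssl 1.1.1+ is on PATH; a constructed CSR stands in for the
# appliance's request; dc-syslog.example.internal and all paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions for the syslog server certificate: explicitly not a CA,
# TLS server usage only, SAN matching the name the Grid members connect to.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc-syslog.example.internal
EOF

# Constructed stand-in for the appliance's CSR. The real request comes from the
# Data Connector and its private key never leaves the appliance.
make_stand_in_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=dc-syslog.example.internal" \
        -keyout "$WORK/stand-in.key.pem" -out "$WORK/dc-syslog.csr.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/dc-syslog.csr.pem"
}

# Internal CA: self-signed root with CA:TRUE. In practice this key stays on a
# protected signing host, not on the Data Connector or the SCP/FTP server.
make_internal_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/req.cnf" -subj "/CN=Example Internal Syslog CA" \
        -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/ca.cert.pem"
}

# sign_syslog_csr CSR CA_CERT CA_KEY -> path of the signed PEM certificate.
sign_syslog_csr() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/dc-syslog.cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/dc-syslog.cert.pem"
}

# verify_syslog_cert CERT CA_CERT: returns 0 only if CERT is PEM, chains to
# CA_CERT, and is a leaf (CA:FALSE), i.e. something worth importing.
verify_syslog_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE' || return 1
}

# cert_san CERT -> the subjectAltName value, e.g. DNS:dc-syslog.example.internal
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^[[:space:]]*//'
}

CSR=$(make_stand_in_csr)
CA_CERT=$(make_internal_ca)
CERT=$(sign_syslog_csr "$CSR" "$CA_CERT" "$WORK/ca.key.pem")
if verify_syslog_cert "$CERT" "$CA_CERT"; then
    echo "signed certificate ready to import: $CERT ($(cert_san "$CERT"))"
else
    echo "certificate failed verification; do not import it" >&2
    exit 1
fi
```

Run it on the signing host, not on the Data Connector. Only the signed dc-syslog.cert.pem goes to the SCP or FTP server that certificate import reads from; ca.key.pem stays with the CA. The verification function rejects a CA certificate handed over by mistake and a certificate chained to the wrong root before either reaches the appliance.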
- Configure the Infoblox Grid as the source of IP metadata using the data.source.grid > set query command, as follows:
data.source.grid > set query userinfo enabled
ok
data.source.grid > set query ipam enabled
ok
data.source.grid > set query lease enabled
ok
data.source.grid > query
userinfo: enabled
ipam: enabled
lease: enabled
Note
userinfo is available only if the Grid is running NIOS 7.2.0 or later.
- Specify the poll period for querying Grid IPAM information, in seconds, minutes, or hours. The minimum is 1 minute, the maximum is 365 days, and the default is 5 minutes.
data.source.grid > set poll 6m
ok
Optionally, you can set the API address, as follows:
data.source.grid > set apiaddress grid|auto|<ip_addr>
Example:
data.source.grid > set apiaddress 10.0.0.22
ok
Note
To query the IP metadata, you must specify the IP address of the Grid Master Candidate, or you can specify 'auto' so that the Legacy Data Connector determines the IP address automatically.
The Legacy Data Connector VM transfers DNS query and response data and DNS Firewall CEF logs to BloxOne Threat Defense Cloud. To view this data in the form of reports, log in to the BloxOne Threat Defense Cloud portal, navigate to the Analyze tab and select Activity reports → Total DNS Requests, as well as all the reports under Threat Insight, including the Malware, Command & Control, and Data Exfiltration reports. Note that to view the Data Connector VM data in these reports, you must select the Include on-Prem Data check box. For information about the reports generated from data sent by the Legacy Data Connector, refer to BloxOne Threat Defense Cloud.