
Understanding Threat Protection Rulesets and Rules

To fully implement Infoblox Advanced DNS Protection, ensure that you import the latest threat protection ruleset. To import rulesets, you must have the Threat Protection Update license installed on the appliance. For more information, see Supported Threat Protection Appliances and Licensing Requirements. A ruleset comprises all threat protection rules, including system and auto-generated rules, rule templates, custom rules (if any), and parameter definitions and values. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules available on the Support web site. Infoblox supports a common threat protection ruleset for both hardware and software ADP members. This ruleset supports all rules and templates. You can also manually upload your rulesets or download rulesets automatically from the IT server.
Infoblox Advanced DNS Protection supports the following threat protection rules:

Each threat protection rule belongs to a rule category. When you import a ruleset, the appliance publishes the system and auto rules in their respective categories. NIOS automatically manages rule categories and you cannot add, delete, or modify them. It also provides rule templates for creating custom rules. During a ruleset update, some categories and rules may be added or removed. These actions are performed without intervention after the updates are authorized or automatically executed. You cannot add or delete system and auto rules, but you can create custom rules through predefined rule templates and delete them when necessary.


Note: You can recover only custom rules from the Recycle Bin, if enabled. Rules, rule templates and categories that are removed through ruleset updates are permanently deleted and cannot be restored from the Recycle Bin.


To obtain initial rules and subsequent rule updates, you can configure the appliance to automatically download and publish rulesets, or you can manually download them from the Infoblox Support web site and then publish them. For information about how to configure automatic and manual rule settings, see Configuring Grid Security Properties. Note that only the Grid Master receives rules and rule updates. Grid members receive rules and updates through standard Grid replication from the Grid Master. Ruleset data is not replicated to Grid members that do not have the Threat Protection services enabled.
Infoblox recommends that you configure the appliance to automatically receive ruleset updates so that your appliance receives the latest rules periodically. If you prefer to manually download and publish rulesets, ensure that you download them frequently to receive the most up-to-date rules. The appliance can store up to nine ruleset versions, and you can select up to five rulesets and switch between these versions for the Grid or members when necessary. For more information about ruleset versions and updates, see About Ruleset Versions and Updates.