
Configuring Notification Rules

You can configure notification rules after you have uploaded outbound templates and configured outbound endpoints on the NIOS appliance. For information about adding outbound endpoints, see Configuring Outbound Endpoints. To send outbound notifications from NIOS to the target endpoints, you must configure notification rules. When adding a rule, you must associate the correct action template with it: the appliance validates the event type specified in the template against the event type that you select in the notification rule. The parameters defined in a template decide how NIOS-specific data is presented to an endpoint. Each notification rule specifies the target endpoint, the notification rule criteria, and the outbound template used to take action for the matching events.


Note: When you remove all the notification rules associated with an endpoint, all the debug logs for that endpoint will also be removed.


While configuring notification rules, you can decide whether you want to reduce the amount of redundant RPZ hit events or not. Oftentimes, RPZ hits come from the same client IPs, query FQDNs, or networks. To avoid receiving excessive RPZ events at the endpoint, you can configure the appliance to remove or deduplicate subsequent RPZ events (after sending the first event) within a certain time period based on Source IP, Query Name, RPZ Policy, and other related fields. Depending on your configuration, the appliance sends the first RPZ event and deduplicates subsequent events that match your filtering criteria within the configured lookback interval. For more information, see Deduplicating RPZ Events.

Adding Notification Rules

To add notification rules:

  1. From the Grid tab, select the Ecosystem tab -> Notification tab, and then click the Add icon.
    or
    From the Grid tab, select the Ecosystem tab, and click Add Notification Rule from the Toolbar.
  2. In the Add Notification wizard, complete the following.
    • Name: Enter the name of the notification rule.
    • Target: Click Select Endpoint to select the endpoint type. If there are multiple endpoints, the All Endpoints Selector dialog box is displayed, from which you can select an endpoint name, such as Cisco ISE.
    • Target Type: Displays the target type. You cannot change this.
    • Comment: Enter useful information about the notification rule.
    • Disable: Select this option to disable the notification rule.
  3. Click Next and complete the following to configure notification rules for the selected endpoint:
    • Event: Depending on the licenses you have installed in the Grid, you can select the event types you want to apply to the notification rule. The outbound member collects data for the selected events based on your configuration. Note that if there is a significant amount of data or if the network bandwidth is not sufficient, the outbound member might drop some of the events. In this case, you can check the syslog for messages related to dropped events. In addition to basic information (such as timestamp, member IP, network, and others), the data collected for some event types might include enriched data such as discovered data, parent network information, and associated extensible attributes.

Note: The event type you select here will affect the templates that are available when you select the RESTful API template you want to use for the outbound notifications. For example, if you select DNS RPZ as the event type, only templates configured for DNS RPZ event type are available for selection.


From the drop-down list, select the event types you want to monitor for the notification rules:

      • DNS RPZ: Select this to collect data for RPZ events. The DNS RPZ event type is available only if you have installed the RPZ license in the Grid. When you select this event type, you can enable event deduplication in the next step so the appliance can avoid sending excessive events to the endpoint based on your configuration.
      • DNS Tunneling: Select this to collect data for DNS tunneling events.
      • DHCP Leases: Select this to collect data for DHCP leases. Since the same IP addresses might be used by multiple systems, the appliance matches both the IP and the MAC address or the DUID to ensure the discovered data is most likely to be correct.
      • Object Change DHCP Fixed Address IPv4 and IPv6, Object Change DHCP Network IPv4 and IPv6, Object Change DHCP Range IPv4 and IPv6, Object Change DNS Host Address IPv4 and IPv6: Select any of these to collect data for database changes in fixed addresses, DHCP ranges, networks, and DNS host addresses.
    • Action: This field is displayed only if you have selected Cisco ISE as the endpoint (the Target field). Otherwise, this field is hidden.

In the Match the following rule section, select the filters, operators and values from the drop-down lists for the selected event type. You can use the + icon to construct nested expressions for the rule. Depending on the event type you have selected, you can select the following possible filters:

    • DNS RPZ: Action Policy, RPZ Name, RPZ Type, Rule Name, and Source IP
    • DNS Tunneling: Source IP
    • DHCP Leases: DHCP Fingerprint and Lease State.
    • Object Change DHCP Fixed Address IPv4: Disable, IPv4 Address, MAC, Name, Network, and Network View
    • Object Change DHCP Fixed Address IPv6: Address Type, Disable, DUID, IPv6 Address, IPv6 Prefix, IPv6 Prefix Bits, Name, Network, and Network View
    • Object Change DHCP Network IPv4: Disable, Network, and Network View
    • Object Change DHCP Network IPv6: Disable, Network, and Network View
    • Object Change DHCP Range IPv4: Disable, Network, Network View, and Server Association Type
    • Object Change DHCP Range IPv6: Address Type, Disable, Network, Network View, and Server Association Type
    • Object Change DNS Host Address IPv4: Host, IPv4 Address, MAC, Network, and Network View Association Type
    • Object Change DNS Host Address IPv6: Address Type, DUID, Host, IPv6 Address, IPv6 Prefix, IPv6 Prefix Bits, and Network View

  4. Click Next. If you have selected DNS RPZ as the event type, go to Deduplicating RPZ Events to configure deduplication. Otherwise, go to Selecting Action Template to select an action template.
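The "Match the following rule" section above describes a nested expression of filters, operators and values that an event must satisfy before the rule fires. The following is an added example, not Infoblox NIOS code, that models such a rule as a small expression tree and evaluates it against constructed DNS RPZ events. The tree shape ({"all": [...]} / {"any": [...]} groups around field/operator/value leaves), the operator names, and the event field names are assumptions chosen to mirror the DNS RPZ filters the page lists (Action Policy, RPZ Name, RPZ Type, Rule Name, Source IP); the sample events are constructed.

```python
"""Evaluate a nested notification-rule expression against an event.

Added example, not Infoblox NIOS code. Operator names, the tree layout and the
event dictionaries below are assumptions modelled on the filters listed in the
page for the DNS RPZ event type.
"""
from typing import Any, Callable, Dict, List

# Assumed operator vocabulary for leaf conditions; the NIOS UI's own operator
# names may differ. Each operator compares the event's value with the rule value.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "does not equal": lambda actual, expected: actual != expected,
    "begins with": lambda actual, expected: actual.startswith(expected),
    "contains": lambda actual, expected: expected in actual,
}


def evaluate(rule: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Recursively evaluate a rule tree against one event.

    A node is either a group ({"all": [...]} requires every child to match,
    {"any": [...]} requires at least one) or a leaf with "field", "operator"
    and "value". A leaf whose field is absent from the event never matches,
    so an incomplete event cannot accidentally trigger a notification.
    """
    if "all" in rule:
        return all(evaluate(child, event) for child in rule["all"])
    if "any" in rule:
        return any(evaluate(child, event) for child in rule["any"])
    operator = rule.get("operator")
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    actual = event.get(rule["field"])
    if actual is None:
        return False
    return OPERATORS[operator](actual, rule["value"])


# Constructed rule: notify only for clients in the 10.20.x.x range whose hit was
# either answered with NXDOMAIN or matched a locally defined RPZ.
RPZ_RULE: Dict[str, Any] = {
    "all": [
        {"field": "Source IP", "operator": "begins with", "value": "10.20."},
        {
            "any": [
                {"field": "Action Policy", "operator": "equals", "value": "NXDOMAIN"},
                {"field": "RPZ Type", "operator": "equals", "value": "Local"},
            ]
        },
    ]
}

# Constructed sample events (field values are illustrative, not real data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Source IP": "10.20.1.7", "Action Policy": "NXDOMAIN", "RPZ Name": "rpz.local.example",
     "RPZ Type": "Local", "Rule Name": "blocked.example"},
    {"Source IP": "10.20.1.8", "Action Policy": "PASSTHRU", "RPZ Name": "rpz.feed.example",
     "RPZ Type": "Feed", "Rule Name": "allowed.example"},
    {"Source IP": "192.168.5.5", "Action Policy": "NXDOMAIN", "RPZ Name": "rpz.local.example",
     "RPZ Type": "Local", "Rule Name": "blocked.example"},
]


def matching_events(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events for which the rule would fire."""
    return [event for event in events if evaluate(rule, event)]


if __name__ == "__main__":
    for event in matching_events(RPZ_RULE, SAMPLE_EVENTS):
        print("rule fires for", event["Source IP"], event["Rule Name"])
```

Only the first sample event satisfies both the outer "all" group and the inner "any" group; the second fails the inner group and the third fails the Source IP prefix test.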

Deduplicating RPZ Events

  1. This step appears only if you have selected DNS RPZ as the event type. To avoid excessive notifications received at the endpoint, complete the following to configure event deduplication:
    • Enable RPZ event deduplication: Select this to enable event deduplication for RPZ hits. When you enable deduplication, the appliance suppresses redundant notifications based on your configuration.
    • Log all dropped events due to deduplication to the syslog: Select this if you want to log all the events that have been dropped due to deduplication. Selecting this allows the appliance to record all the dropped events in the syslog.
    • Select the fields to use for deduplication: From the Available table, pick the fields you want to use for deduplication and move them to the Selected table using the right arrow. You can also deselect fields by moving them from the Selected table back to the Available table using the left arrow. Event deduplication is done based on the values of the selected fields. The following example shows how deduplication works when two RPZ hits occur within the lookback interval:

      RPZ hit 1: source_ip: 1.2.3.4, query_name: server1.bad.com, rpz_policy: NXDOMAIN, query_type: qname, network.network_view: internal, network.network: 1.2.3.0/24
      RPZ hit 2: source_ip: 1.2.3.4, query_name: www.something.com, rpz_policy: NXDOMAIN, query_type: qname, network.network_view: internal, network.network: 1.2.3.0/24
      If you have selected only Source IP for deduplication, the appliance sends only the first RPZ event to the endpoint. If you have selected both Source IP and Query Name, both RPZ events are sent to the endpoint.

    • Lookback Interval: Enter the time interval during which the appliance evaluates RPZ hit events and stops sending redundant events to the endpoint (based on your configuration). At the end of this interval, the appliance resumes sending RPZ events for the client IP, query FQDN, or network. The minimum interval is five seconds and the maximum is 15 minutes. The default is 10 minutes.

  2. Click Next to select an action template for the endpoint, as described in Selecting Action Template.
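To make the deduplication behaviour concrete, here is an added example, not Infoblox NIOS code, that models the options above: a set of selected fields forms the deduplication key, the first event for each key is sent, later events with the same key are dropped until the lookback interval (5 seconds to 15 minutes, default 10 minutes) has elapsed, and dropped events can optionally be logged. The field names, the per-event timestamps, and the logging format are assumptions; the sample hits are constructed to reproduce the two-hit example in the page plus a third hit that arrives after the default lookback interval has expired.

```python
"""Model of RPZ event deduplication with a lookback interval.

Added example, not Infoblox NIOS code. Field names, timestamps and the log
format are assumptions; the sample hits are constructed.
"""
import logging
from typing import Dict, List, Sequence, Tuple

log = logging.getLogger("rpz-dedup")

MIN_LOOKBACK = 5          # seconds; the minimum interval the page allows
MAX_LOOKBACK = 15 * 60    # seconds; the maximum interval the page allows
DEFAULT_LOOKBACK = 10 * 60  # seconds; the default the page states

Event = Dict[str, object]


class RpzDeduplicator:
    """Send the first event per key, drop repeats for `lookback` seconds."""

    def __init__(self, fields: Sequence[str], lookback: int = DEFAULT_LOOKBACK,
                 log_dropped: bool = False) -> None:
        if not MIN_LOOKBACK <= lookback <= MAX_LOOKBACK:
            raise ValueError(
                f"lookback must be between {MIN_LOOKBACK} and {MAX_LOOKBACK} seconds")
        if not fields:
            raise ValueError("select at least one field to deduplicate on")
        self.fields = tuple(fields)
        self.lookback = lookback
        self.log_dropped = log_dropped
        # key -> timestamp at which the current lookback window for that key opened
        self._window_start: Dict[Tuple[object, ...], float] = {}
        self.dropped: List[Event] = []

    def _key(self, event: Event) -> Tuple[object, ...]:
        # Only the selected fields take part in the comparison; everything else
        # (here the timestamp) is ignored, exactly like the Selected table.
        return tuple(event.get(field) for field in self.fields)

    def should_send(self, event: Event, now: float) -> bool:
        """Return True if the event is forwarded, False if it is deduplicated."""
        key = self._key(event)
        start = self._window_start.get(key)
        if start is not None and now - start < self.lookback:
            self.dropped.append(event)
            if self.log_dropped:
                # Stands in for the "log all dropped events to the syslog" option.
                log.info("dropped RPZ event (dedup on %s): %s", ",".join(self.fields), event)
            return False
        # First event for this key, or the previous window has expired:
        # forward it and open a new lookback window.
        self._window_start[key] = now
        return True


# Constructed sample hits. "ts" is seconds since an arbitrary epoch (assumed field).
SAMPLE_HITS: List[Event] = [
    {"ts": 0, "source_ip": "1.2.3.4", "query_name": "server1.bad.com", "rpz_policy": "NXDOMAIN",
     "query_type": "qname", "network.network_view": "internal", "network.network": "1.2.3.0/24"},
    {"ts": 5, "source_ip": "1.2.3.4", "query_name": "www.something.com", "rpz_policy": "NXDOMAIN",
     "query_type": "qname", "network.network_view": "internal", "network.network": "1.2.3.0/24"},
    # Same client and FQDN as hit 1, but after the default 10-minute window has elapsed.
    {"ts": 700, "source_ip": "1.2.3.4", "query_name": "server1.bad.com", "rpz_policy": "NXDOMAIN",
     "query_type": "qname", "network.network_view": "internal", "network.network": "1.2.3.0/24"},
]


def filter_hits(hits: List[Event], fields: Sequence[str], lookback: int = DEFAULT_LOOKBACK,
                log_dropped: bool = False) -> List[bool]:
    """Return, per hit, whether it would be sent to the endpoint."""
    dedup = RpzDeduplicator(fields, lookback, log_dropped)
    return [dedup.should_send(hit, float(hit["ts"])) for hit in hits]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("Source IP only:        ", filter_hits(SAMPLE_HITS, ["source_ip"], log_dropped=True))
    print("Source IP + Query Name:", filter_hits(SAMPLE_HITS, ["source_ip", "query_name"]))
```

With only Source IP selected, hit 2 is dropped and hit 3 is sent again because its window has expired; with Source IP and Query Name selected, all three are sent under the default interval, while raising the interval to the 15-minute maximum makes hit 3 a duplicate of hit 1.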

Selecting Action Template

  1. In this step, select the outbound template you want to use for outbound notifications. The appliance validates the event type that is added to the notification rule and then matches that with the event type configured in the template.

    In the Template field, click Select Template to associate an action template with the notification rule. If there are multiple templates, the <DXL or RESTful API> Template Selector dialog box is displayed, from which you can select an action template. Note that only templates that have the same event type configured for the notification rule appear in this dialog.

    The following information is displayed about the selected action template:
    • Vendor Type: The vendor type associated with the endpoint.
    • Action Type: The type of action that will be taken for the matching events.
    • Parameters: Displays the associated parameters of the template, such as Name, Value, and Type. You can click the Value cell and modify the value for the parameter.

  2. Save the endpoint configuration.

Modifying Notification Rules

To modify a notification rule:

  1. From the Grid tab, select the Ecosystem tab -> Notification tab, click the Action icon next to the notification rule and select Edit from the menu.
  2. The Notification Rule editor provides the following tabs from which you can modify data:
    • General: You can modify the Target and Comment fields.
    • Templates: You can select a new action template for the notification rule.
  3. Save the configuration.

Viewing All Notification Rules

To view the list of notification rules:

  1. From the Grid tab, select the Ecosystem tab, and click the Notification tab.
  2. Grid Manager displays the following information:
    • Name: Name of the notification rule.
    • Target: The target name.
    • Action: The action type.
    • Comment: Comments that were entered for the notification rule.
    • Disable: Displays whether the notification rule is disabled.

You can do the following in this tab:

    • Click the Action icon and do the following:
      • Edit: Select this to modify the notification rule.
      • Delete: Select this to delete a notification rule.
      • Test Rule: Select this to run the parameters and fields of the template against the notification criteria and verify whether the notification rule works for the event type specified in the template. The result is recorded in the debug log; make changes to the template if required.
      • View Debug Log: Select this to view debugging messages for the selected notification rule.
    • Edit the notification rule information.
      • Select the notification rule, and then click the Edit icon.
    • Delete a notification rule.
      • Select the notification rule, and then click the Delete icon.

Note: When you remove all the notification rules associated with an endpoint, all the debug logs for that endpoint will also be removed.


    • Print the list of notification rules.
      • Click the Print icon.
    • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
    • Create a quick filter to save frequently used filter criteria:
    1. In the filter section, click Show Filter and define filter criteria for the quick filter.
    2. Click Save and complete the configuration in the Save Quick Filter dialog box.

The appliance adds the quick filter to the quick filter drop-down list in the panel. Note that global filters are prefixed with [G], local filters with [L], and system filters with [S].

    • Sort the notification rules in ascending or descending order by column.