Outbound Notification Overview

You can use the RESTful API and DXL fabric to obtain core network service information from the Infoblox Grid to assist with profiling the source or destination of network devices, or use the RESTful API and WAPI in a DXL template to change configurations in the Infoblox Grid to help mitigate security threats. In addition to querying inbound data, changing system configurations, and querying interfaces, you can use the RESTful API and DXL messages to send outbound notifications, so you can prioritize your security needs by detecting new hosts or networks or by managing network access control.

When there are serious threats, it is important that you receive notifications so you can address the threats accordingly. On the other hand, you may sometimes need to identify and manage low-risk or accidental threats so that endpoint performance is not negatively affected. For example, if a user inadvertently browses to a faulty web site and you have configured RPZ rules to block this site, you may want to receive notifications and take certain actions so that the user is not blocked or quarantined. In addition, when the Infoblox appliance detects a new host or network, the detection might trigger a vulnerability scan by services such as Qualys and a scan for RPZ events configured in NIOS. In this scenario, you might want to configure conditions to capture these events so you can receive outbound notifications and perform appropriate actions to handle the situation.

To enable outbound API notifications, you must have the Security Ecosystem license installed in your Grid. Depending on the notification rules for RPZ and threat protection event types you want to configure on NIOS, you may need to install the applicable licenses. For information about other licensing requirements, see Licensing Requirements.
The outbound notification feature employs the following mechanism to enable and deliver event-driven messages to configured endpoints:

  1. Accepts the configuration of events that you want to monitor (such as RPZ hits) and the configuration of endpoints to which you want to send outbound notifications.
  2. Filters events for specific data sets or thresholds, such as RPZ hits for a specific domain within a specific time interval.
  3. Matches the selected events and conditions defined in the templates to create outbound messages.
  4. Sends outbound notifications to the configured endpoints.


Licensing Requirements

You must install the Security Ecosystem license to enable outbound API notifications. After you install the Security Ecosystem license, you can configure REST and DXL endpoints. If you do not have this license installed, the outbound notification feature is disabled. You might also need the following licenses to configure notification rules for certain event types:
Table 45.1 Required Licenses

License             Event Types
------------------  ---------------
RPZ                 DNS RPZ
DNS and DHCP        DHCP Lease
Threat Analytics    DNS Tunneling


For information about how to install licenses, see Managing Licenses.

Administrative Permissions

Only superusers can add, edit, and delete REST endpoints and notification rules by default. Limited-access admin groups can perform these tasks only if their administrative permissions are defined. For information about administrative permissions, see About Administrative Permissions.

Best Practices for Outbound Notifications

The following are some best practices and limitations you might want to consider while configuring outbound notifications:

  • You can configure REST and DXL endpoints only on the Grid Master and Grid Master Candidate, but not on Grid members.
  • During a scheduled full upgrade in the Grid, you cannot modify any configuration related to the outbound feature until all Grid members are upgraded.
  • Outbound notification is not supported during an HA failover. Any events that are in transit during a failover might be lost.
  • When you remove or disable a notification rule, no new events will be triggered. However, the appliance continues to process events that are already in queue.
  • The buffer that temporarily holds events is limited in size and is not configurable in this release. In very unlikely conditions, events may be dropped because the buffer is full. If events are dropped, summary information is logged to the syslog indicating the type of events and the number that were dropped. If this issue occurs continuously, contact Infoblox Technical Support.
  • Object change events generated by changes made by admin users do not cover the Microsoft Management feature: the appliance does not generate events for changes made on the Microsoft servers. However, if you make changes that need to be synchronized to the Microsoft servers, the object change event is generated before the changes are synchronized with the Microsoft servers.
  • The Grid Master Candidate will continue to perform event enrichments and outbound API calls during and after a Grid Master promotion.
  • If you disable the outbound notification feature or make changes to stop future notifications sent to an endpoint, all notifications that are currently in queue for this endpoint will stop immediately.
  • The appliance uses rate limiting to control both data collection from Grid members and outbound notifications to external endpoints. It is possible for the appliance to drop events if its buffer is full or if there is a loss of connection between the Grid Master and the Grid members. Logs for these events are consolidated and logged to the syslog.
  • The number of outbound notifications sent to external endpoints can be limited, depending on the requirements configured for the external servers. For example, some REST-enabled servers accept only 10 API calls per second. Some servers might put a user in suspended mode if the number of API calls sent by the user exceeds the limit. If necessary, you can adjust the rate limit criteria for API calls on the external servers.
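As an added illustration (not Infoblox code and not based on any NIOS API), the following Python models the four-step mechanism listed under the overview together with the buffer and rate-limit behaviour from the list above: it filters RPZ-hit events for one domain within a time window, holds matches in a bounded buffer that counts drops for a syslog-style summary, and delivers templated messages to an endpoint without exceeding a per-second call limit. The event fields, thresholds and endpoint limit are constructed values.

```python
from collections import Counter, deque


class OutboundPipeline:
    # Constructed model of one notification rule feeding one REST endpoint.
    def __init__(self, domain, window_s, threshold, buffer_size, max_per_s):
        self.domain, self.window_s, self.threshold = domain, window_s, threshold
        self.buffer_size, self.max_per_s = buffer_size, max_per_s
        self.hits = deque()       # timestamps of RPZ hits for the watched domain
        self.buffer = deque()     # events waiting for delivery (fixed size)
        self.sent_at = deque()    # delivery timestamps used for the rate limit
        self.dropped = Counter()  # drop summary by event type (syslog in NIOS)
        self.sent = []            # messages delivered to the endpoint
        self.enabled = True       # False once the rule or endpoint is disabled

    def accept(self, ev):
        """Steps 1-2: keep RPZ hits for the rule's domain; fire at threshold in window."""
        if not self.enabled or ev["type"] != "RPZ" or ev["domain"] != self.domain:
            return False
        self.hits.append(ev["ts"])
        while ev["ts"] - self.hits[0] > self.window_s:   # expire hits outside window
            self.hits.popleft()
        if len(self.hits) < self.threshold:
            return False
        self.hits.clear()
        if len(self.buffer) >= self.buffer_size:        # full buffer: count the drop
            self.dropped["RPZ"] += 1
            return False
        self.buffer.append({"type": "RPZ", "domain": self.domain, "ts": ev["ts"]})
        return True

    def drop_summary(self):
        # What a syslog summary would carry: event type and number dropped.
        return " ".join(f"{k}={v}" for k, v in sorted(self.dropped.items()))

    def deliver(self, now):
        """Steps 3-4: render queued events via a template; at most max_per_s calls/second."""
        if not self.enabled:          # disabling also stops queued notifications
            self.buffer.clear()
            return 0
        sent = 0
        while self.buffer:
            while self.sent_at and now - self.sent_at[0] >= 1.0:
                self.sent_at.popleft()
            if len(self.sent_at) >= self.max_per_s:
                break                 # stay under the endpoint's limit; retry later
            ev = self.buffer.popleft()
            self.sent.append({"event": "RPZ_HIT", "domain": ev["domain"], "when": ev["ts"]})
            self.sent_at.append(now)
            sent += 1
        return sent
```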