
About Dashboards

Dashboards provide summary views for most of the data and trends in your Grid. Infoblox recommends that you do not modify default dashboards. To change the settings of a default dashboard, either clone it or create a new dashboard from scratch and then add panels and reports. For example, you can create a new dashboard called "DNS and DHCP Activities," and then add a DNS report and DHCP-related reports, such as DHCP Top Lease Clients and DHCP Lease History, to the new dashboard. When you save the "DNS and DHCP Activities" dashboard, the reporting server saves all the reports added to the dashboard and displays the dashboard with updated data. In this way, user-defined dashboards provide a single point of access for reviewing multiple reports that are relevant to the activities you want to monitor. If you modify a default dashboard, you can reset it to its default settings. Each dashboard comes with a set of filters to further refine report data, as described in About Dashboard Filters.
When you upgrade to 7.3.0 or later, all your system reports are migrated to Reporting tab > Dashboards.


WARNING: Infoblox recommends that you do not modify the predefined dashboards even if you have appropriate permissions. Editing the default dashboards changes the default settings and your changes become permanent. In addition, you might not be able to see the latest changes made by Infoblox. You can select a default dashboard and clone it to modify any of the settings, such as permissions, panels, and so on. For information, see Cloning Dashboards.


In the Dashboard panel, you can do the following using the Edit drop-down list:

Creating New Dashboards

When you add a new dashboard, Grid Manager displays it in the Reporting -> Dashboards tab. You can add multiple panels and reports to the new dashboard. For information, see Editing Dashboards .
To create a new dashboard:

  1. From the Reporting tab -> select the Dashboards tab.
  2. Click Create New Dashboard.
  3. Complete the following:
    • Title: Enter the dashboard title.
    • Description: Dashboard description.
    • Permissions: Click Shared in App to share a dashboard to other users. Depending on their permissions, other users can edit the dashboard. When Private is selected, the dashboard is available only to the user who creates it. You can change permissions later while editing a dashboard.
  4. Click Create Dashboard.

Cloning Dashboards

It is not recommended to modify default dashboards. You can select a default dashboard and clone it to modify any of the settings, such as permissions, panels, and so on.


Note: You do not need any permission to create, modify, and delete your own personal dashboard. However, limited-access users need Read and Write permissions to modify cloned dashboards. For information about administrative permissions, see Administrative Permissions .


When you clone a dashboard, you can do the following:

To create a personal dashboard:

  1. From the Reporting tab, select the Dashboards tab.
  2. Select the dashboard you want to modify, click Edit -> Clone.
  3. Enter a new title, ID, and description.
  4. Set its permissions. Select Private if you do not want to share the cloned dashboard with other users. Select Clone if you want the cloned dashboard to have the same permissions as the original dashboard.
  5. Click Clone Dashboard.
  6. Optionally, you can edit permissions, as described in Editing Permissions or click View to view the cloned dashboard.

Resetting Dashboards

Infoblox recommends that you do not modify default dashboards. However, if you have made changes to a default dashboard, you can reset it to its default settings.
To reset a dashboard:

  1. From the Reporting tab -> select the Administration tab.
  2. Click Reset Dashboards.
  3. Select the check box of the dashboard or Select all to select all the dashboards.
  4. Click Reset selected dashboards.

The dashboard you have modified will reset to its default settings.

Editing Dashboards

To edit the panels and filters of a dashboard, it is recommended to clone the default dashboard, and then add panels, filters and reports to the cloned dashboard. When you add a report to the panel, Grid Manager generates the corresponding dashboard in the panel. When you save the dashboard, Grid Manager updates reports in each panel. Alternatively, you can edit the XML source code to add filters and panels to a cloned dashboard, as described in Editing the XML Source Code of a Dashboard .
To add panels and filters to a dashboard:

  1. From the Reporting tab -> select the Dashboards tab ->  select a dashboard.
  2. From the Edit drop-down list, select Edit Panels.
  3. In the Edit: <Dashboard> pane, you can click Add Panel or Add Input or Edit Source.

Note: You cannot modify or delete the default values set for the dashboard filters. For example, you cannot delete or modify the filter All set for Members. When you add a new input using the editor, make sure that you edit the source and refer to the token for the input in the search string. By doing so, the search is updated when you change the input value. For information about editing the source, refer to the Splunk documentation.


4. Optionally, you can click  to delete a filter. When you delete a filter, make sure that you delete the filter information from the XML source code as well. For information, see Editing the XML Source Code of a Dashboard .

5. Expand the panel categories and select the panel you want to add. For detailed information about how to add panel categories, refer to the Splunk documentation.

6. Click Add to Dashboard.

Editing the XML Source Code of a Dashboard


Note: Before editing dashboards, forms, and panel files in simple XML source code, you should be familiar with the basic layout of dashboards and the XML elements that define them. Infoblox recommends that you save a copy of the source code of the dashboard before making any modifications.


To edit the XML source code for a dashboard:

  1. From the Reporting tab, select the Dashboards tab.
  2. Select the dashboard whose XML source code you want to edit, and then click Edit -> Edit Source.

You can add filters, such as check box, drop-down list, radio button, and text box. For information about how to edit the XML source code, refer to the Splunk documentation.

Example - Adding an extensible attribute filter

If your reporting data contains the "location" extensible attribute associated with members, adding the following sample XML code to the XML source code creates an extensible attribute filter, Member Location:

<input type="dropdown" token="ea_location">
  <label>Member Location</label>
  <choice value="All">All</choice>
  <default>All</default>
  <search>
    <query>| inputlookup __grouping_by_ea_tag_lookup
           | spath input=EA path=Location output=EA_Location
           | stats count by EA_Location </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <fieldForLabel>EA_Location</fieldForLabel>
  <fieldForValue>EA_Location</fieldForValue>
  <change>
    <condition value="All">
      <set token="ea_location_str"> | noop </set>
    </condition>
    <condition value="*">
      <set token="ea_location_str"> | spath input=EA path=Location output=EA_Location
                                    | where EA_Location="$value$"</set>
    </condition>
  </change>
</input>

<search id="base_search">
  <query>index=ib_system_summary report=si_cpu_usage
         $members$
         $ea_site_str$
         $ea_location_str$
         $group_by_str$
         $group_by_stats$
         | timechart bins=1000 $calculation_method$(CPU_PERCENT) by $time_chart_field$
           where max in $topn$ useother=f
         | interpolate 1200</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
</search>
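
The notes above about referring to a new input's token in the search string, and about removing a deleted filter's information from the source, both come down to keeping input tokens and search strings in step. The following Python check is an added example, not Infoblox or Splunk code: it parses a dashboard's XML source and reports inputs whose tokens no panel search uses, and tokens used in searches that no input or <set> element defines. The sample dashboard is constructed, and the ea_region input and the function names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches $name$ and $name|filter$; a name starts with a letter or underscore.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|\w+)?\$")

# Constructed dashboard, modelled on the Member Location example above.
# "ea_region" (hypothetical) was added in the editor but never wired into the
# search; "ea_site_str" is left over from a Member Site filter that was deleted.
SAMPLE_DASHBOARD = """
<form>
  <fieldset>
    <input type="time" token="time"><label>Time</label></input>
    <input type="multiselect" token="members"><label>Members</label></input>
    <input type="dropdown" token="ea_location">
      <label>Member Location</label>
      <choice value="All">All</choice>
      <search>
        <query>| inputlookup __grouping_by_ea_tag_lookup | stats count by EA_Location</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <change>
        <condition value="All"><set token="ea_location_str"> | noop </set></condition>
        <condition value="*"><set token="ea_location_str"> | where EA_Location="$value$"</set></condition>
      </change>
    </input>
    <input type="text" token="ea_region"><label>Region</label></input>
  </fieldset>
  <search id="base_search">
    <query>index=ib_system_summary report=si_cpu_usage $members$ $ea_site_str$ $ea_location_str$ | timechart avg(CPU_PERCENT)</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
</form>
""".strip()


def referenced_tokens(elem):
    """Token names used in the text of elem and its children.

    $time.earliest$ is reported as "time", the token of the time input.
    """
    names = set()
    for node in elem.iter():
        for name in TOKEN_RE.findall(node.text or ""):
            names.add(name.split(".", 1)[0])
    return names


def audit_dashboard(xml_text):
    """Report inputs no panel search uses and tokens nothing defines."""
    root = ET.fromstring(xml_text)
    inputs = list(root.iter("input"))
    # A <search> nested in an <input> only populates that input's choices.
    populating = {id(s) for inp in inputs for s in inp.iter("search")}

    panel_refs, all_refs = set(), set()
    for search in root.iter("search"):
        refs = referenced_tokens(search)
        all_refs |= refs
        if id(search) not in populating:
            panel_refs |= refs

    # Tokens can be defined by an input itself or by a <set> element.
    defined = {s.get("token") for s in root.iter("set") if s.get("token")}
    unwired = []
    for inp in inputs:
        token = inp.get("token")
        if not token:
            continue
        defined.add(token)
        # An input counts as wired if its own token, or a token set by its
        # <change> handler, appears in at least one panel search.
        provides = {token} | {s.get("token") for s in inp.iter("set")}
        if not provides & panel_refs:
            unwired.append(token)

    return {
        "unwired_inputs": sorted(unwired),
        "dangling_tokens": sorted(all_refs - defined),
    }


if __name__ == "__main__":
    print(audit_dashboard(SAMPLE_DASHBOARD))
```

Run it against the saved copy of a dashboard's source before and after an edit; a filter listed under unwired_inputs has no effect on any panel search.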

The generated PDF appears in a browser window. You can view, download, or print the PDF from the browser window. A single dashboard PDF includes up to 1,000 rows of table data.
Do the following to print a dashboard:

  1. From the Reporting tab, select the Dashboards tab -> select a dashboard.
  2. Click Print. The default print driver for your browser opens with print settings.

Scheduling PDF Delivery for Dashboards

To schedule PDF delivery for dashboards, you must first create a new dashboard. Ensure that email notification settings are configured prior to scheduling PDF delivery. For information, see Configuring Email Notification Settings . To schedule PDF delivery, you can use the dashboard Edit drop-down list. You can access the Edit drop-down list directly from a dashboard or from the Dashboards page.


Note: Scheduled PDF delivery is not available for dashboards that include forms.


Do the following if the Schedule PDF Delivery option is disabled:

  1. Open the dashboard for which you want to schedule PDF delivery.
  2. Click the Open in Search icon available at the bottom of the dashboard panel.
  3. From the Save As menu, click Dashboard Panel.


To set up PDF delivery for the dashboard with a single panel:

  1. From the Reporting tab, select the Dashboards tab.
  2. Do one of the following:
    • Select the dashboard you want to schedule, click Edit -> Schedule PDF Delivery. If the Schedule PDF Delivery option is disabled, follow the steps as described above.
    • Open the dashboard in the Dashboards page and click Schedule PDF Delivery from the Edit drop-down list.

3. In the Edit PDF Schedule dialog box, do the following:

    • Select the Schedule PDF Delivery check box to enable PDF delivery.
    • Select a schedule. For more information, refer to the Splunk documentation.
    • In the Email To text box, specify the email address.
    • Select paper size and paper layout. You can change the paper size and paper layout, if data is not displayed properly in the PDF delivery.
    • To receive dashboard PDFs immediately, click Send Test Email.

4. Click Save.


Note: To set up PDF delivery for the dashboard with multiple panels, repeat the above steps from step 1 to step 4 and add other panels to the dashboard created for the first panel.



Figure 40.13 Edit PDF Schedule dialog box (figure callout: Click Send Test Mail to receive Dashboard PDFs Immediately)

About Dashboard Filters

You can apply different filters to control the data displayed in the dashboards. The data on the dashboard is displayed based on the various filter criteria you select.
To apply a filter:

  1. From the Reporting tab, select the Dashboards tab -> select a dashboard.
  2. Apply filter criteria appropriately and click Submit. 
    The dashboards display results based on the filters that you apply.

The most common filters are as follows:

  • Time
  • Top N: Top most filter options. The default is 10. You can select from a set of fixed values for the TopN filter setting: 5, 10, 20, 50, 100, 200, 250, or 500.
  • Members: Grid members configured on the appliance.
  • Network
  • Member Site, as described in Applying Extensible Attribute Filters .

Applying Time Filters

You can generate a dashboard for a specific time interval by applying time filters. You can filter results by preset time ranges, create custom time ranges, specify time ranges based on dates or date and time, or work with advanced features in the time range picker. For information about Time range picker, refer to the Splunk documentation.
The date and time displayed in the Time filters are based on the time zone set in your user profile by default. For more information about how to configure a time zone, see Setting the Browser Time Zone . However, the timestamp displayed in the results for a dashboard is based on the time zone configured on the reporting server.


Note: The NIOS reporting data is updated at a certain time interval, rather than updating continuously. Therefore, the Real-time option in the Time filter might not work for most of the dashboards. For information about update time intervals, see Reporting Indexes and Update Time Intervals.


Applying Extensible Attribute Filters

You can use extensible attribute filters to narrow down the search by including only members that contain certain extensible attribute values. An extensible attribute added to a member is displayed in the Extensible Attribute filter. For information about managing extensible attributes, see About Extensible Attributes. When you configure group-by-extensible-attribute search and apply the Extensible Attribute filter, the dashboard displays results for grouped members that have the same extensible attribute value for the Site extensible attribute. If you have configured multiple attribute values for a member, then applying the Extensible Attribute filter displays all the attribute values associated with that member. For example, if member 1 has predefined attribute Site with attribute values member a and member b and member 2 has predefined attribute Site with attribute values member c and member d, then the dashboard displays member a and member b when you apply the Member Site <member 1> filter.
In addition, you can apply Group By EA Tag filter and group members with the same extensible attribute value so that instead of displaying data per member, the reports display data per group of members with the same value for the Site extensible attribute. When you apply Group By EA Tag filter, you can set the data calculation method to decide which statistic value [Aggregate, Average, or Maximum] you want to be displayed for grouped members. You can group by Active Directory Sites for the IPAMv4 Network Usage Statistics report, IPAMv4 Top Utilized Networks report, and DHCPv4 Network Usage Statistics report.
To apply an extensible attribute and group by EA tag/field filters:

  1. From the Reporting tab, select the Dashboards tab -> select a dashboard.
  2. In the filter section, complete the following:
    • Member <Extensible Attribute>: Select an extensible attribute configured for a member. If you need an additional extensible attribute filter, you must first clone the default dashboard, and then add an extensible attribute filter by editing the XML source code. For information, see Editing the XML Source Code of a Dashboard .
    • Group By EA Tag/Field: Select an extensible attribute to enable the reporting server to group networks by members that have certain extensible attribute tags or fields. Note that this option is available for specific dashboards only.

Note: If you use special characters in the extensible attribute name, the appliance replaces these special characters with equivalent values. For example, the extensible attribute Site In London is displayed as Site20In20London in the Group By EA Tag/Field drop-down list. In this example, space is replaced with 20. If you add the extensible attribute London@, it is displayed as London40 in the Group By EA Tag/Field drop-down list.


    • Calculation Methods: This field is enabled only when you select the Group by EA Tag/Field check box. The displayed result varies based on your search definitions. The result values can contain information such as event counts, DNS queries, traffic rate, and usage trends. For example, when you select Maximum, the DNS Query Rate by Member dashboard shows all the members that have the same extensible attributes and members with the maximum DNS queries, and the Threat Protection Event Count By Member dashboard shows the members that have the same extensible attributes and maximum event counts. Select one of the following methods:
      • Aggregate: Displays the sum of values for individual members in a group.
      • Average: Displays the mathematical average of a group. This value is obtained by adding values for all members in a group and then dividing the total by the number of members.
      • Maximum: Displays the maximum value among the members in a group.

Note: When you apply Group By EA Tag/Field in Active Directory Sites supported reports, the values displayed in these reports are the aggregated sum of absolute values (sum of values of individual networks in a group) and utilization% is the mathematical average of the group.


You can configure the group-by-extensible-attribute filter and data calculation methods for the following dashboards only:

Predefined Dashboards

Table 40.9 lists the dashboard categories and their corresponding dashboards. You can apply filters and view the dashboards in table format, stacked area format, or both.
Table 40.9 Dashboard Categories

| Dashboard Category | Corresponding Dashboard | Displays IDNs in Punycode (Yes/No) |
|---|---|---|
| Audit Log Events | Audit Log Events | Yes |
| IPAMv4 Utilization | DHCPv4 Top Utilized Networks | Yes |
| | DNS Statistics per DNS View | Yes |
| | DNS Statistics per Zone | Yes |
| | IPAMv4 Network Usage Statistics | Yes |
| | IPAMv4 Network Usage Trend | Yes |
| | IPAMv4 Top Utilized Networks | Yes |
| | DNS Object Count Trend for Flex Grid License | NA |
| Devices (Discovery) | Inactive IP Addresses | Yes |
| | Port Capacity Delta by Device | Yes |
| | Port Capacity Trend | Yes |
| | Port Capacity Utilization by Device | Yes |
| | IP Address Inventory | Yes |
| | Network Inventory | Yes |
| | End Host History | Yes |
| | Device Interface Inventory | Yes |
| | Device Inventory | Yes |
| | Device Components | Yes |
| | IPAMv4 Device Networks | Yes |
| DHCP Dashboards | | Yes |
| DHCP Fingerprints | DHCP Dashboards | Yes |
| | Device Trend | Yes |
| | Device Class Trend | Yes |
| | Top Devices Identified | Yes |
| | Top Devices Denied an IP Address | Yes |
| | Top Device Classes | Yes |
| | Device Fingerprint Change Detected | Yes |
| DHCP Lease | DHCP Lease History | Yes |
| | DHCP Top Lease Clients | IDN is not supported |
| DHCP Performance | DHCPv4 Range Utilization Trend | Yes |
| | DHCPv4 Range Utilization Trend | Yes |
| | DHCPv4 Usage Trend | Yes |
| | DHCP Message Rate Trend | Yes |
| DNS Dashboards | | |
| DDNS Query | DDNS Update Rate Trend | Yes |
| DNS Performance | DNS Response Latency Trend | Yes |
| | DNS Effective Peak Usage Trend for Flex Grid License | NA |
| DNS Query | DNS Top Requested Domain Names | Yes |
| | DNS Top Clients | Yes |
| | DNS Top Clients Per Domain | Yes |
| | DNS Query Rate by Query Type | Yes |
| | DNS Query Rate by Member | Yes |
| | DNS Replies Trend | Yes |
| | DNS Response Latency Trend | Yes |
| | DNS Top Clients Per Domain | Yes |
| | DNS Top NXDOMAIN / NOERROR (no data) | Yes |
| | DNS Top SERVFAIL Errors Sent | Yes |
| | DNS Top SERVFAIL Errors Received | Yes |
| | DNS Top Timed-out Recursive Queries | Yes |
| | DNS Query Trend per IP Block Group | Yes |
| Security Dashboards | FireEye Alerts | Yes |
| | DNS Top RPZ Hits | Yes |
| | DNS Top RPZ Hits by Clients | Yes |
| | Threat Protection Event Count By Severity Trend | Yes |
| | Threat Protection Event Count By Member Trend | Yes |
| | Threat Protection Event Count By Rule | Yes |
| | Threat Protection Event Count By Time | Yes |
| | Threat Protection Event Count By Category | Yes |
| | Threat Protection Event Count By Member | Yes |
| | Threat Protection Top Rules Logged | Yes |
| | Threat Protection Top Rules Logged by Source | Yes |
| | DNS Top Tunneling Activity | Yes |
| | DNS Tunneling Traffic by Category | Yes |
| | Top Malware and DNS Tunneling Events by Client | Yes |
| Ecosystem Dashboards | User Login History Report | Yes |
| | Subscription Data | Yes |
| | Publish Data | Yes |
| Cloud Dashboards | VM Address History | Yes |
| | License Pool Utilization | |
| System Utilization | CPU Utilization Trend | Yes |
| | Memory Utilization Trend | Yes |
| | Traffic Rate by Member | Yes |
| | Flex Grid Licensing Features Enabled | NA |
| Internal Dashboards | Reporting Index Usage Statistics | NA |
| | Reporting Volume Usage Trend per Category | NA |
| | Reporting Volume Usage Trend per Member | NA |

Audit Log Events

The Audit Log Events dashboard provides information about the administrator-initiated events such as login events, logout events, service restarts, appliance reboots, write operations such as the addition, modification, and deletion of objects, etc. The default dashboard displays the audit log events for all admin users and for all Grid members in table format. You can use the displayed fields as filters to get specific information you want displayed in the dashboard. Only superusers can view and modify this dashboard.
This dashboard displays the following information about each audit log event in table format:

  • Timestamp: The date, time, and time zone the task was performed. The time zone is the time zone configured on the member.
  • Admin: The admin user who performed the task.
  • Action: The action performed. This can be one of the following: Called, Created, Deleted, Login_Allowed, Login_Denied, Message, Modified, and Logout.
  • Object Type: The object type of the object involved in this task.
  • Object Name: The name of the object involved in this task.
  • Execution Status: The execution status of the task. Possible values are Executed, Normal, Pending Approval, and Scheduled.
  • Message: Detailed information about the performed task.
  • Members: The Grid member on which the task was performed.

IPAMv4 Utilization Reports

DHCPv4 Top Utilized Networks

The DHCPv4 Top Utilized Ranges dashboard provides statistics about the top most utilized DHCPv4 networks. The default dashboard includes the top 10 most utilized DHCPv4 networks within the last 24 hours.
This dashboard displays the following information in table format:

  • Timestamp: The date and time of the recorded utilization.
  • Network View: The network view.
  • Network: The network address.
  • CIDR: The subnet mask in CIDR format.
  • DHCPv4 Utilization%: The percentage of DHCP addresses in use over the total number of DHCP addresses provisioned.
  • Ranges: The number of DHCP address ranges in the network.
  • Provisioned: The total number of IP addresses in the range.
  • Dynamic: The number of dynamic IP addresses in the range.
  • Static: The number of static IP addresses in the range.
  • Free: The number of free DHCP addresses.
  • Used: The total number of IP addresses in use.

DNS Statistics per DNS View

The DNS Statistics per DNS View dashboard provides DNS zone statistics for each DNS view in a given time frame. The default dashboard includes information for all network views, all members, all IPv4 and IPv6 reverse-mapping zones, all forward-mapping zones, and all DNS records by record type.
This dashboard displays the following information in table format:

  • Timestamp: The date and time of the event.
  • View: The DNS view.
  • Members: The FQDN of the member that is associated with the DNS view.
  • Forward-Mapping Zone: The number of forward-mapping zones.
  • IPv4 Reverse-Mapping Zone: The number of IPv4 reverse-mapping zones.
  • IPv6 Reverse-Mapping Zone: The number of IPv6 reverse-mapping zones.
  • Signed Zone: The number of signed zones.
  • Host: The number of host records.
  • LBDN: Number of LBDNs assigned to the zone. Note that if an LBDN is assigned to multiple zones or views, the appliance displays it separately for each zone or view.
  • Total Records: The total number of DNS resource records.

Grid Manager also displays the number of each relevant DNS resource record.

DNS Statistics per Zone

Since every DNS view can have multiple zones and each zone can have multiple records, this dashboard highlights the list of all zones and provides statistics based on every DNS Zone. This dashboard allows you to identify how many and what type of DNS records each zone is serving and use these statistics for more effective planning.
The DNS Statistics per Zone displays the following information:

  • Timestamp: Timestamp of events.
  • Zone: FQDN of zone.
  • Function: Zone function: [Forward-Mapping, IPv4 Reverse-Mapping, IPv6 Reverse-Mapping]

  • Signed: Boolean to indicate if the zone is signed.
  • Hosts: Number of hosts.
  • LBDN: Number of LBDNs assigned to the zone. Note that if an LBDN is assigned to multiple zones or views, the appliance displays it separately for each zone or view.
  • Total Records: Total number of resource records. Hosts are not counted.
    • A Records: number of A records.
    • AAAA Records: number of AAAA records.
    • CNAME Records: number of CNAME records.
    • DNAME Records: number of DNAME records.
    • DNSKEY Records: number of DNSKEY records.
    • DS Records: number of DS records.
    • MX Records: number of MX records.
    • NAPTR Records: number of NAPTR records.
    • NSEC Records: number of NSEC records.
    • NSEC3PARAM Records: number of NSEC3PARAM records.
    • NSEC3 Records: number of NSEC3 records.
    • NS Records: number of NS records.
    • PTR Records: number of PTR records.
    • RRSIG Records: number of RRSIG records.
    • SOA Records: number of SOA records.
    • SRV Records: number of SRV records.
    • TXT Records: number of TXT records.
    • Other Records: number of other records.


IPAMv4 Network Usage Statistics

The IPAMv4 Network Usage Statistics dashboard provides usage statistics for each network in a given time frame. This dashboard displays the following information in table format:

  • Timestamp: The timestamp when the network container was created.
  • Network: The network address.
  • Network View: The network view.
  • CIDR: The subnet mask in CIDR format.
  • AD Site: The Active Directory Site associated with the network. For networks that are not associated with Active Directory Domains and Sites, or when you delete an Active Directory server, the appliance displays no_value in this column.
  • DHCPv4 Utilization%: The percentage of DHCP addresses in use over the total number of DHCP addresses provisioned.
  • Total: The total number of IPAM addresses in the network.
  • Allocated: The number of allocated IP addresses in the network.
  • Reserved: The number of reserved IP addresses in the network.
  • Assigned: The number of assigned IP addresses in the network.
  • Protocol: IPv4 or IPv6.
  • Utilization%: The percentage of IP address in use over the total number of IP addresses in the network.
  • Unmanaged: The number of discovered IP addresses that do not have corresponding records on the appliance, such as A records, PTR records, fixed address records, host records, or leases.

IPAMv4 Network Usage Trend

The IPAMv4 Network Usage Trend dashboard provides IPAM usage trends for the network utilization in specific Active Directory Sites over time. Each of the line graphs is represented with a different color. This is a detailed report only. You can aggregate the report based on the networks or Active Directory Sites.
This dashboard displays the following information:

  • Time: The timestamp of the event.
  • Usage%: The percentage of IPAM address network usage.

IPAMv4 Top Utilized Networks

The IPAMv4 Top Utilized Networks dashboard provides statistics about the top most utilized IPv4 networks. The default dashboard includes the top 10 most utilized networks within the last hour.
This dashboard displays the following information in table format:

  • Timestamp: The date and time of the recorded utilization.
  • Network View: The network view.
  • Network: The network address.
  • CIDR: The subnet mask in CIDR format.
  • ADSite: The Active Directory Site associated with the network. For networks that are not associated with Active Directory Domains and Sites, or when you delete an Active Directory server, the appliance displays no_value in this column.
  • DHCPv4 Utilization%: The percentage of IP address in use over the total number of IP addresses in the network.
  • Total: The total number of IP addresses in the network.
  • Assigned: The total number of IP addresses assigned in the network.
  • Reserved: The total number of reserved IP addresses in the network.
  • Unmanaged: The number of discovered IP addresses that do not have corresponding records on the appliance, such as A records, PTR records, fixed address records, host records, or leases.

DNS Object Count Trend for Flex Grid License

The DNS Object Count Trend for Flex Grid License dashboard lists the average DNS object count across all IB-FLEX members in the Grid during the past five days. The DNS object count is calculated as the total DNS resource record count for all DNS zones with IB-FLEX member as the Grid primary. The data is generated once every 24 hours and the average is calculated over 5 days.

This dashboard displays the following information in either line chart or table format:

  • Show Filters: Click Show Filters to enable the filters.
  • Time: Select a value from the drop-down list. The default value is Last 6 days.
  • Line Chart: Click Line Chart to view the data in line chart format.
  • Table: Click Table to view the data in table format.
  • Both: Click Both to view the data in both line chart and table format.

Device (Discovery) Dashboards

Inactive IP Addresses

The Inactive IP Addresses dashboard lists inactive IP addresses that have not been in use since the initial specified time and that remain so through the last discovery cycle. For example, you can use this dashboard to compare the state of all ports on devices for one month's operation versus one week's operation. The dashboard lists inactive IP addresses associated with Hosts, IPv4 and IPv6 Fixed Address objects, and IPv4 Reservation objects. Each unique IP address within each network view appears exactly once in the dashboard. You can go to the Data Management -> IPAM page to delete listed inactive IP addresses.
By default, this dashboard operates for all devices across all network views. This dashboard supports use of a single time filter. You can filter by device name or network view.
This dashboard displays the following IP address and device information in table format:

  • IP: The IP address.
  • Last MAC/DUID: The discovered MAC or DUID.
  • Type: Inactive IP address object type: Fixed Address, IPv4 Reservation or Host.
  • Device Type: The type of device connected to the inactive IP address. Types include Router, Firewall, Switch-Router, and Switch.
  • Device Name: The name of the device connected to the inactive IP address.
  • Port/Interface: The device interface bound to the IP address.
  • Network View: The network view containing the inactive IP address.

Port Capacity Delta by Device

The Port Capacity Delta by Device dashboard provides three Start/End time ranges by which each measured device illustrates how many interfaces move into and out of the three key functional states for each port: Administratively Up/ Operationally Up, Administratively Up/Operationally Down and Administratively Down/Operationally Down.
For example, consider a port that is in the Administratively Up/ Operationally Up status on a given device at the beginning of a one-week measurement (Start), and that it is the only port that changes state for that device in the measurement period. At the end of the measurement period (End) it goes into an Administratively Up/Operationally Down state. At first, the Administratively Up/ Operationally Up Start counter reflects the discovered state at the beginning of the measurement period. When the port changes state, and its change is discovered, the Administratively Up/ Operationally Up End counter decrements by 1; the Administratively Up/ Operationally Down Start counter increases by 1. The data format is similar to the Port Capacity Utilization by Device report except that each data point divides into two values (Start and End), reflecting the delta.
You can filter by device name or network view, or both.
This dashboard displays the following categories of information in table format:

  • Device Name: Name of the listed device.
  • Admin Up, Operation Up Start: Count at the starting time of measurement of device interfaces in Admin Up/Operational Up status.
  • Admin Up, Operation Up End: Count at the ending time of measurement of device interfaces in Admin Up/Operational Up status.
  • Admin Down, Operation Down Start: Count at the starting time of measurement of device interfaces in Admin Down/Operational Down status.
  • Admin Down, Operation Down End: Count at the ending time of measurement of device interfaces in Admin Down/Operational Down status.
  • Admin Up, Operation Down Start: Count at the starting time of measurement of device interfaces in Admin Up and Operational Down status.
  • Admin Up, Operation Down End: Count at the ending time of measurement of device interfaces in Admin Up and Operational Down status.
  • Total Available: The total number of available ports for the listed device.
  • Network View: The Grid Manager network view with which the device is associated.

Port Capacity Trend

The Port Capacity Trend report is a line graph of device port utilization over time. By default, it uses the Administratively Up/Operationally Up, Administratively Up/Operationally Down, and Administratively Down/Operationally Down counters for all interfaces across all devices and all network views to produce a line chart illustrating four broad data categories:

  • Admin Up, Operation Up: cumulative count over time of device interfaces in Admin Up/Operational Up status.
  • Admin Down, Operation Down: cumulative count over time of device interfaces in Admin Down/Operational Down status.
  • Admin Up, Operation Down: cumulative count over time of device interfaces in Admin Up and Operational Down status.
  • Total Available: Total number of ports on all devices across all network views, whether provisioned or not.

The default time span for this trend chart is one week of measurement. You can filter by device name or network view, or both. You will need to know the device name or network view name for filter entry.
If you turn off filtering, the dashboard shows the collected data for all time, that is, for the entire period since monitoring began.

Port Capacity Utilization by Device

The Port Capacity Utilization by Device dashboard provides the devices' overall port status for the specified time, without stating devices' or individual ports' operating state. Each device's count of unused interfaces, within each network view, appears exactly once in the dashboard. By default, the table sorts by ascending Device Name and lists all devices across all network views. You can filter by device name or network view, or both. Grid Manager takes snapshots of data for Port Capacity reports every six hours.
You will see three distinct port configuration combination counts per device:

  • Administratively Up, Operationally Up
  • Administratively Up, Operationally Down
  • Administratively Down, Operationally Down

This dashboard displays the following information in table format:

  • Device Name: The name of the device associated with the port status counts.
  • Admin Up, Operation Up: The count of device interfaces in Admin Up/Operational Up status.
  • Admin Down, Operation Down: The count of device interfaces in Admin Down/Operational Down status.
  • Admin Up, Operation Down: The count of device interfaces in Admin Up and Operational Down status.
  • Total Available: Total number of interfaces available for the device, whether provisioned or not.
  • Network View: The network view containing the listed device.

IP Address Inventory

The IP Address Inventory dashboard provides information about all IP addresses that can be discovered by NetMRI (IPAM sync), vDiscovery, and Network Insight solutions. This dashboard displays the list of IP addresses, management platform, discovered name, and the details of the network devices that have been discovered.
The dashboard data can be filtered by Time, Network View, IP Address, Management Platform, First Seen and Last Seen timestamps. For instance, you can filter by Management Platform and see which platform the device possesses during the given time frame.

  • IP address: The discovered IPv4 or IPv6 address.
  • Discovered Name: The discovered name of the device.
  • First Seen: The timestamp when the IP address was first seen in the network.
  • Last Seen: The timestamp when the IP address was last seen in the network.
  • Network View: The network view with which the IP address is associated.
  • Managed: Indicates whether the discovered device is managed by NIOS. For a NIOS-managed device, you can define basic characteristics and manage the device on NIOS.
  • Management Platform: The platform from which the IP address is discovered. This can be Network Insight, Amazon, OpenStack, or VMware.
  • VLAN Name: The VLAN name on the switch port.
  • VLAN ID: The VLAN ID on the switch port.

Network Inventory

The Network Inventory dashboard provides information about all known networks. The dashboard displays the list of device IP addresses, IP address utilization%, management platform, and the netmask details of the devices that have been discovered.
This dashboard displays a table that contains the following information:

  • Device IP Address: The IP address of the device.
  • Netmask: The netmask of the network.
  • First Seen: The timestamp when the IP address was first seen in the network.
  • Last Seen: The timestamp when the IP address was last seen in the network.
  • Network View: The network view with which the device is associated.
  • Utilization%: Displays the percentage based on the IP addresses that are currently in use on the network. For example, a /30 subnet mask can have two IP addresses that are in use. If both IP addresses are detected then the Utilization% is 100%.
  • Managed: Indicates whether this network is a managed or unmanaged object in NIOS. Managed objects are configured for DNS or DHCP and have corresponding NIOS objects such as fixed addresses, DNS records, or host records, which you can manage directly in NIOS.
  • Management Platform: The platform on which the IP address is discovered. This can be Network Insight, Amazon, OpenStack, or VMware.
  • VLAN ID: The VLAN ID on the switch port.
  • VLAN Name: The VLAN name on the switch port.

Network Insight Dashboards

The Network Insight dashboards are available only when you have configured the Network Insight appliance as a Grid member with a valid Network Insight license installed. For information about Network Insight, see Infoblox Network Insight.

End Host History

The End Host History dashboard provides the history of the end hosts discovered by Network Insight in a given time frame across all network views. This dashboard is applicable only for the Network Insight solution. The dashboard displays the list of MAC addresses for end hosts, their IP addresses and the details of the network devices from which the end hosts have been discovered.
The dashboard data can be filtered by Network View, MAC Address, IP Address, First Seen and Last Seen timestamps. For instance, you can filter by MAC address and see which IP address the end host possesses during the given time frame. You can also filter by the First Seen and/or Last Seen timestamp and find the MAC addresses of the end hosts becoming active and/or going offline.
This dashboard displays the following information in table format:

  • MAC Address: The MAC address of the end host.
  • IP address: The IP address of the end host.
  • First Seen: The timestamp when the MAC address was first seen in the network.
  • Last Seen: The timestamp when the MAC address was last seen in the network.
  • Network View: The network view with which the end host is associated.
  • Device Name: The name of the network device that has the ARP (Address Resolution Protocol) of the end host.
  • Device Vendor: The vendor of the network device that has the ARP of the end host.
  • Device Model: The model of the network device that has the ARP of the end host.
  • Device OS Version: The OS version of the network device that has the ARP of the end host.
  • Device IP Address: The management address of the network device that has the ARP of the end host.
  • Device Interface: The interface name of the network device that has the ARP of the end host.
  • Device VLAN: The VLAN ID of the interface that has the ARM (Asynchronous Response Mode) of the end host.
  • AP Name: The name of the access point of the device. This column is displayed only for wireless devices.
  • AP IP Address: The IP address of the access point of the device. This column is displayed only for wireless devices.
  • SSID: The unique name of the WLAN (Wireless Local Area Network).
  • User Name: The name of the user. This column is displayed only when the Identity Mapping feature on the appliance is enabled. For information about how to enable the Identity Mapping feature, see Enabling Identity Mapping.

Device Interface Inventory

The Device Interface Inventory dashboard provides interface statistics of devices discovered by Network Insight in a given time frame. This dashboard is applicable only for the Network Insight solution. The dashboard displays the list of interface IP addresses, device operating system, device model, discovered name, and the details of the network devices that have been discovered.
This dashboard displays a table that contains the following information:

  • Network View: The network view to which the device is associated.
  • Device IP Address: The IP address of the network device.
  • Device Name: The name of the network device.
  • Device Type: The device type as discovered. This can be Switch, Router, or Switch-Router.
  • Device Vendor: The vendor of the network device.
  • Device Model: The model of the network device.
  • Device OS Version: The OS version of the network device.
  • Interface Name: The interface name of the network device.
  • Interface IP: The IP address of the device interface.
  • Interface Description: Additional information about the device interface.
  • Admin Status: The switched interface's Admin status (whether the port is administratively enabled by the operator).
  • Operation Status: The switched interface's operating status.
  • Last Port Changed: The timestamp of the last change made on the interface (change can be anything such as changing the description, changing the VLAN, or changing the interface status to up or down).
  • Trunk Port: Indicates if the interface is enabled for trunking (allows multiple VLANs). Displays Yes or No.
  • Type: The standard interface type supported by the port.
  • Speed: The line speed of each listed interface.
  • VLAN ID: The VLAN ID on the switch port.
  • VLAN Name: The VLAN name on the switch port.
  • Network: The network address.

Device Inventory

The Device Inventory dashboard provides statistics of device inventory data discovered by Network Insight in a given time frame. This dashboard is applicable only for the Network Insight solution. The dashboard displays the list of interface IP addresses, device operating system, device model, discovered name, and the device details that have been discovered.
This dashboard displays a table that contains the following information:

  • Device Type: The device type as discovered. This can be Switch, Router, Firewall, Load Balancer, Switch-Router and so on.
  • Asset Type: Indicates that the device is a physical device, virtual device, or host.
  • Device Vendor: The vendor of the device.
  • Device Model: The model of the device.
  • OS Version: The version of the operating system that is running on the device.
  • Device Name: The name of the device.
  • Chassis S/N: Displays the hardware serial number. This displays multiple values if more than one chassis or module is installed on the hardware.
  • Device IP Address: The IP address of the network device.
  • Network View: The network view with which the device is associated.
  • First Seen: The timestamp when the IP address was first seen in the network.
  • Last Seen: The timestamp when the IP address was last seen in the network.

Device Components

The Device Components dashboard provides information about device components discovered by Network Insight. This dashboard is applicable only for the Network Insight solution. The dashboard displays the list of device IP addresses, device operating system version, device model, device vendor, discovered name, and the device model that have been discovered.
This dashboard displays a table that contains the following information:

  • Device IP: The IP address of the device.
  • Network View: The network view with which the device is associated.
  • Device Name: The name of the device.
  • Device Model: The model of the device.
  • Device Vendor: The vendor of the device.
  • OS Version: The version of the operating system that is running on the device.
  • Name: The name of the network component.
  • Description: Additional information about the network component.
  • Class: The device category.
  • S/N: Displays the hardware serial number. This displays multiple values if more than one chassis or module is installed on the hardware.
  • Model: The product name or model of the network device.
  • Hardware Rev: The hardware version number of the device.
  • Firmware Rev: The firmware version of the device.
  • Software Rev: The software version of the device.

IPAMv4 Device Networks

The IPAMv4 Device Networks dashboard provides IPAMv4 device usage for each network in a given time frame. This dashboard displays the following information:

  • IPAM Network: The network address.
  • Utilization%: The percentage of IP addresses in use over the total number of IP addresses in the network.
  • Network View: The network view.
  • Device IP: The IP address of the device.
  • Device Name: The name of the device.
  • Interface IP: The IP address of the device interface.
  • Device Model: The model of the device.
  • Device Vendor: The vendor of the device.
  • Device OS Version: The version of the operating system that is running on the device.

DHCP Dashboards

Device Class Trend

The Device Class Trend dashboard provides trends for the top device classes used by remote clients in a given time frame. The default dashboard displays line graphs for the top device classes used by remote clients over the last 24 hours. Each device class is represented by a line graph of a different color.

Device Fingerprint Change Detected

The Device Fingerprint Change Detected dashboard provides information about the devices whose fingerprint data changed in a given time frame. In other words, this dashboard includes all devices used by remote clients that were detected to have the same MAC address but a different device class in a given time frame.
The following example illustrates how the fingerprint data can change in a given time frame:
A client device with a dual-boot option may request an IP address while switching between operating systems, resulting in a change of fingerprint data. Likewise, if a client's device uses Mac Boot Camp, the MAC address remains unchanged, but the fingerprint data changes when the device switches operating systems.


Note: The Device Fingerprint Change Detected report includes all devices whose fingerprint data has changed within the last seven days. It ignores devices whose fingerprint data changed more than seven days ago.


This dashboard displays a table that contains the following information:

  • Time: The time the lease was obtained.
  • Mac/DUID: The MAC address or DUID of the client's device.
  • Current Device Type: The current fingerprint description of the device.
  • Current Device Class: The current fingerprint class of the device.
  • Previous Device Type: The fingerprint description of the device before changing the fingerprint data.
  • Previous Device Class: The fingerprint class of the device before changing the fingerprint data.
  • Lease IP: The lease IP address of the device.
  • Action: The current status of the lease. The lease status can be one of the following: Issued, Renewed, Freed, or Abandoned.
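
The selection rule this dashboard describes (same MAC/DUID, different device class, change seen within the last seven days) can be reproduced over exported lease events. The following is an added example, not Infoblox code: the event tuple layout, the function name, and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # look-back period stated in the report note

# Constructed sample lease events, not real data:
# (time, MAC/DUID, device type, device class, lease IP, action)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "aa:bb:cc:00:00:01", "Microsoft Windows 10", "Windows", "10.0.0.21", "Issued"),
    ("2024-05-06T09:30:00", "AA:BB:CC:00:00:01", "Apple Mac OS X", "Macintosh", "10.0.0.21", "Renewed"),
    ("2024-04-20T10:00:00", "aa:bb:cc:00:00:02", "Android", "Smartphones", "10.0.0.22", "Issued"),
    ("2024-04-25T10:00:00", "aa:bb:cc:00:00:02", "HP Printer", "Printers", "10.0.0.22", "Issued"),
    ("2024-05-05T12:00:00", "aa:bb:cc:00:00:03", "Debian Linux", "Linux", "10.0.0.23", "Issued"),
    ("2024-05-07T12:00:00", "aa:bb:cc:00:00:03", "Ubuntu Linux", "Linux", "10.0.0.23", "Renewed"),
]


def detect_fingerprint_changes(events, now, window=WINDOW):
    """Return one row per lease event where a known MAC/DUID shows a new device class.

    Only changes observed within `window` before `now` are reported, matching
    the seven-day rule in the note above. A change of device type inside the
    same class is not reported, because the dashboard keys on device class.
    """
    # Normalise MAC case and order events by time so "previous" is well defined.
    parsed = sorted(
        (datetime.fromisoformat(ts), mac.lower(), dtype, dclass, ip, action)
        for ts, mac, dtype, dclass, ip, action in events
    )
    last_fingerprint = {}  # MAC/DUID -> (device type, device class) of the prior lease
    rows = []
    for when, mac, dtype, dclass, ip, action in parsed:
        previous = last_fingerprint.get(mac)
        class_changed = previous is not None and previous[1] != dclass
        in_window = timedelta(0) <= now - when <= window
        if class_changed and in_window:
            rows.append({
                "Time": when.isoformat(),
                "Mac/DUID": mac,
                "Current Device Type": dtype,
                "Current Device Class": dclass,
                "Previous Device Type": previous[0],
                "Previous Device Class": previous[1],
                "Lease IP": ip,
                "Action": action,
            })
        last_fingerprint[mac] = (dtype, dclass)
    return rows


if __name__ == "__main__":
    for row in detect_fingerprint_changes(SAMPLE_EVENTS, datetime(2024, 5, 8)):
        print(row)
```

A dual-boot client, as in the example above, produces the same row as a different device presenting a known MAC address, so the Lease IP and Time columns are what an analyst uses to tell the two apart.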

Device Trend

The Device Trend dashboard provides trends for the top operating systems used by remote clients in a given time frame. The default dashboard displays line graphs for the top 10 operating systems used by remote clients over the last 24 hours. Each operating system is represented by a line graph of a different color. For more information about DHCP fingerprint detection, see About DHCP Fingerprints.

DHCP Lease History

The DHCP Lease History dashboard provides DHCP lease history in a given time frame. The search of the DHCP Lease History report is scheduled hourly by default.
DHCP Lease History reports can impose heavier system loads than other alert types in the NIOS system. Avoid defining too many personal reports or alerts of this type for Grid reporting. Other types of reports do not impose significant performance restrictions. Also see About IP Blocks and IP Block Groups for methods to avoid this issue. You can drill down to the IP address of the lease and view user history for the selected IP address.


Note: When you join a new member to the Grid and do not start reporting service on the member, lease history for this member is not captured in the DHCP Lease History report. You can view lease history for this member in the Data Management tab -> DHCP tab -> Leases tab.


The default dashboard displays the following information in table format:

  • Time: The timestamp when the lease information was updated.
  • Members: The DHCP member that granted the lease.
  • Member IP: The IP address of the DHCP member that granted the lease.
  • Lease IP: The IP address of the lease. You can click the lease IP address to view login details of the user. For information about User History for Lease IP sub-report, see User History for Lease IP. You can also view subscription data for the selected lease IP. For information, see Subscription Data.
  • Protocol: Indicates whether the lease is for an IPv4 or IPv6 address.
  • Action: The status of the lease. This can be one of the following: Issued, Renewed, Freed, or Abandoned.
  • Hostname: The host name that the DHCP client sent to the appliance using DHCP option 12.
  • MAC/DUID: For an IPv4 address, this is the MAC address of the lease. For an IPv6 address, this is the DUID (DHCP Unique Identifier) of the DHCP client that received the lease.
  • Lease Time: The lease time of the DHCP client.

Note: Some of the options in the Lease Time filter might not display any data.


  • Lease Start: The start date of the lease.
  • Lease End: The end date of the lease.
  • Fingerprint: The name of the DHCP fingerprint or vendor ID of the leased client that was identified through DHCP fingerprint detection. This field displays No Match for devices that do not match the filter criteria and those that do not have any DHCP fingerprint information. For information about DHCP fingerprints, see About DHCP Fingerprints.
  • Component Name: The name of the device.
  • Component Port: The port or interface connected to the device.
  • Device Class: Filter by the device category to which the leased client belongs.

DHCP Message Rate Trend

The DHCP Message Rate Trend dashboard provides the overall DHCP message rate trends for DHCP message types in a given time frame. The default dashboard displays the actual, maximum, average, and minimum rate trends in the last 24 hours for the following message types: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK.
This dashboard displays the following information:

  • Time: The timestamp of the event.
  • DHCPDISCOVER: The actual rate trend of the DHCPDISCOVER messages.
  • DHCPOFFER: The actual rate trend of the DHCPOFFER messages.
  • DHCPREQUEST: The actual rate trend of the DHCPREQUEST messages.
  • DHCPACK: The actual rate trend of the DHCPACK messages.

Each of the line graphs is represented with a different color.

DHCP Top Lease Clients

The DHCP Top Lease Clients dashboard provides information about the DHCP clients whose leases were issued, renewed, and freed within a certain time frame.
This dashboard shows the following information:

  • MAC/DUID: The MAC address or DUID of the DHCP client.
  • Issued: The total number of DHCP leases issued.
  • Renewed: The number of DHCP lease renewals.
  • Freed: The number of leases that were released.
  • MAC/DUID Total: The total number of DHCP leases that were being requested, renewed, and released.
  • Fingerprint: The name of the DHCP fingerprint or vendor ID of the leased client that was identified through DHCP fingerprint detection. This field displays No Match for devices that do not match the filter criteria and those that do not have any DHCP fingerprint information. For information about DHCP fingerprints, see About DHCP Fingerprints.

DHCPv4 Range Utilization Trend

The DHCPv4 Range Utilization Trend dashboard provides DHCP usage trends for the top five most utilized address ranges in a given time frame. The default dashboard includes the top five most utilized DHCP ranges among all network views, all members, all subnets, and all IPv4 addresses.
The default dashboard displays line graphs for the top five most utilized address ranges and shows their DHCPv4 usage trends over the last 24 hours. Each of the five address ranges is represented with a different color line graph.

DHCPv4 Usage Statistics

The DHCPv4 Usage Statistics dashboard provides the overall DHCPv4 usage in a given time frame. The default dashboard includes all network views, all members, all subnets, all IPv4 addresses, and all DHCP ranges, and the default time frame is the last hour. The table is sorted by DHCP utilization rate.
This dashboard displays the following information in table format:

  • Timestamps: The date and time of the event.
  • Network View: Filter by a specific network view.
  • Network: The network address.
  • CIDR: The subnet mask in CIDR format.
  • AD Site: The Active Directory Site associated with the network. For networks that are not associated with Active Directory Domains and Sites, or when you delete an Active Directory server, the appliance displays no_value in this column.
  • DHCPv4 Utilization: The percentage of DHCP addresses in use over the total number of DHCP addresses provisioned.
  • Ranges: The total number of IP address ranges in the network.
  • Provisioned: The total number of DHCP addresses configured.
  • Dynamic: The number of dynamic DHCP leases issued.
  • Static: The number of static DHCP addresses configured.
  • Free: The number of free DHCP addresses.
  • Used: The total number of DHCP addresses in use.

DHCPv4 Usage Trend

The DHCPv4 Usage Trend dashboard provides the overall DHCP usage trend for all members in a given time frame. The default dashboard includes information about all DHCP ranges in all network views, all members, all subnets, and all IPv4 addresses. It displays line graphs for the dynamic, static, and free DHCPv4 leases and shows their DHCPv4 usage trends over the last 24 hours. Each of the DHCPv4 leases is represented with a different color line graph.
This dashboard displays the following information:

  • Time: The timestamp of the event.
  • Dynamic: The number of dynamic DHCP leases issued.
  • Static: The number of static DHCP addresses configured.
  • Free: The number of free DHCP addresses.

Each of the line graphs is represented with a different color.
When you select more than one member as the filter criteria, the dashboard displays line graphs for each of the following data: Dynamic, Static, and Free, for each selected member.
Microsoft Servers: Specify Microsoft servers assigned to networks and DHCP ranges. This filter is available even if no MS Management license is installed on the GM and Grid members.

Top Device Classes

The Top Device Classes dashboard lists the top DHCP fingerprint device classes for requesting clients. The default dashboard displays the top 10 device classes along with the percentage of leased devices within the last 24 hours. The appliance lists the top detected device classes in table format. You can click a specific row in the table to view all the devices that belong to the selected device class. The GUI displays the fingerprints that are detected under a selected device class. The total number of fingerprints of a specific device class is equal to the total number that is displayed against the corresponding device class.
This dashboard displays a table that contains the following information for each top DHCP fingerprint device class:

  • Device Class: The device category or fingerprint class for the requesting clients.
  • Total: The total number of leased clients that belong to this DHCP fingerprint class.
  • % of all devices: The percentage of the leased clients belonging to this DHCP fingerprint class over the total number of requesting clients.

Top Devices Denied an IP Address

The Top Devices Denied an IP Address dashboard lists the top DHCP fingerprint devices used by remote clients that were denied a lease or an IP address based on the fingerprint filter criteria you specified. The default dashboard displays the top 10 devices per combination of fingerprint and network which were denied an IP address within the last 24 hours. For example, if the same device is denied from two separate networks during the past 24 hours, and/or with different fingerprints, then multiple events will be listed in the table corresponding to this device. 
This dashboard displays a table that contains the following information for each denied DHCP fingerprint device class:

  • Mac/DUID: The MAC address or DUID of the client's device.
  • Fingerprint: The fingerprint description of the device used by remote clients.
  • Device Class: The DHCP fingerprint class of the device used by remote clients.
  • Network: The network to which the DHCP range belongs. For a shared network, the network is the first network where the lease is prohibited due to the fingerprint filter.
  • Attempts: The total number of attempts by remote clients for an IP address in a given time frame.
  • Last Attempt: The timestamp of the last attempt by a remote client for an IP address in a given time frame.

Top Devices Identified

The Top Devices Identified dashboard lists the top DHCP fingerprints or detected operating systems for requesting clients. The appliance uses DHCP fingerprint detection to identify the operating systems or vendor IDs of remote clients. For more information about DHCP fingerprint detection, see DHCP Fingerprint Detection. The default dashboard displays the top 10 operating systems on which requesting clients are running within the last 24 hours.
The appliance lists the top detected operating systems or vendor IDs in table format. This dashboard shows the total number of different MAC devices that have requested a lease. You can click a specific row in the table to view a list of leased clients that belong to the selected operating system or device type. Grid Manager displays another report that specifies more detailed information, such as the leased IPs and MAC addresses for each device that matches the selected DHCP fingerprint. The lease history for a fingerprint shows all the lease events that occurred during the time period specified with the parent search (Top Devices Identified report). It represents the number of devices that use the MAC/DUID as the unique identifier. Note that a single MAC address may have several lease events that occur within the specified time range for the parent search. Hence, the total number of each fingerprint will not be equal to the lease history of a fingerprint.


Note: You can use all available filters for the parent Top Devices Identified report, but you can filter the detailed report using only the Fingerprint column.


This dashboard displays a table that contains the following information for each top DHCP fingerprint:

  • Fingerprint: The name of the DHCP fingerprint or vendor ID for the requesting clients.
  • Total: The total number of leased clients that belong to this DHCP fingerprint.
  • % of all devices: The percentage of the leased clients belonging to this DHCP fingerprint over the total number of requesting clients.

DNS Dashboards

DDNS Update Rate Trend

The DDNS Update Rate Trend dashboard provides information about the dynamic DNS (DDNS) updates that occur on the DNS service. The default dashboard shows a line graph that tracks the rate of DDNS updates (counts per second) by query type in the given time frame.
This dashboard displays DDNS updates per second by the following query type: Success, Failure, Reject, and Prerequisite Reject. The time is displayed according to the time zone specified on the reporting server in UTC format. You can mouse over the graph to display the coordinates of any point in the graph.

DNS Cache Hit Rate Trend

The DNS Cache Hit Rate Trend dashboard provides information about the cache hit ratio of selected Grid members. The dashboard shows line graphs that track cache hit rates over a given time frame. Note that if you have one member with two DNS views and requests are sent to only one DNS view, the maximum hit rate is 50% (not 100%) for the member because one DNS view has 100% hit rate and the other has 0, and the average is 50%.


Note: The DNS Cache Hit Ratio Trend is the search associated with the DNS Cache Hit Rate Trend report.


DNS Daily Peak Hour Query Rate by Member

The DNS Daily Peak Hour Query Rate by Member dashboard shows the average or peak DNS Query rate at the busiest hour within a day. This dashboard will help you identify the load that is being carried by each DNS Server during busy hours. This dashboard can help you plan better for capacity and reduce the risk of overloading DNS devices.
This dashboard displays the following information:

  • Time: Timestamp of events.
  • QPS: Queries per second. QPS is calculated in two steps: 1) find the busiest hour (on the top of the hour, such as from 8:00am to 9:00am) by average hourly QPS, and 2) use that hour's max/avg QPS as the daily max/avg QPS.

DNS Domain Query Trend

The DNS Domain Query Trend dashboard shows the trend of DNS queries for specific domains. This dashboard displays the DNS query trends for queries generated from both the internal and external sources.

DNS Domain Queried by Client

The DNS Domain Queried by Client dashboard shows the DNS domains being queried by the client. This dashboard displays the DNS domains that are being queried from both the internal and external sources.

Top DNS Clients by Query Type

The Top DNS Clients by Query Type dashboard lists the top DNS resource records that have been queried per client. This dashboard displays the DNS records query trends for queries that originate from both the internal and external sources.

Top DNS Clients Querying MX Records

The Top DNS Clients Querying MX Records dashboard lists the top MX records that have been queried per client. This dashboard displays the MX records query trends for queries that originate from both the internal and external sources.

DNS Daily Query Rate by Member

The DNS Daily Query Rate by Member dashboard shows the trend of the average or maximum daily DNS Query rate by member. This dashboard can help you identify the average or maximum daily load that is being carried by each DNS Server. This dashboard can help you plan better for capacity and reduce the risk of overloading DNS devices.
This dashboard displays the following information:

  • Time: Timestamp of events.
  • QPS: Queries per second. QPS is calculated by the max/avg of 24 hourly QPS data per day (between midnights).
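
The two QPS calculations, for the DNS Daily Peak Hour Query Rate by Member dashboard and for this dashboard, are worked through below on constructed samples. This is an added example, not Infoblox code: the function names and sample data are hypothetical, and it assumes that each "hourly QPS" value in the daily calculation is the hourly average, which the page does not state.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def hourly_stats(samples):
    """Group (timestamp, qps) samples into top-of-hour buckets: {hour_start: (avg, max)}."""
    buckets = defaultdict(list)
    for ts, qps in samples:
        buckets[ts.replace(minute=0, second=0, microsecond=0)].append(qps)
    return {hour: (sum(v) / len(v), max(v)) for hour, v in buckets.items()}


def daily_peak_hour(samples):
    """Peak-hour rule: pick each day's busiest hour by average QPS,
    then report that hour's avg and max as the daily values.
    Returns {date: (busiest_hour_start, avg_qps, max_qps)}."""
    per_day = {}
    for hour, (avg, peak) in sorted(hourly_stats(samples).items()):
        best = per_day.get(hour.date())
        if best is None or avg > best[1]:
            per_day[hour.date()] = (hour, avg, peak)
    return per_day


def daily_rate(samples):
    """Daily rule (assumption: hourly value = hourly average): avg and max
    over the hourly values between midnights.
    Returns {date: (avg_of_hourly, max_of_hourly)}."""
    by_day = defaultdict(list)
    for hour, (avg, _) in hourly_stats(samples).items():
        by_day[hour.date()].append(avg)
    return {day: (sum(v) / len(v), max(v)) for day, v in by_day.items()}


def build_sample_day():
    """Constructed data: one member, three samples per hour for 24 hours.
    Hour 03 has a short burst, hour 09 is the sustained busy hour."""
    day = datetime(2024, 5, 1)
    overrides = {3: [10, 10, 400], 9: [300, 320, 340], 14: [200, 220, 240]}
    samples = []
    for hour in range(24):
        for i, qps in enumerate(overrides.get(hour, [100, 100, 100])):
            samples.append((day + timedelta(hours=hour, minutes=20 * i), qps))
    return samples


if __name__ == "__main__":
    samples = build_sample_day()
    print("peak hour:", daily_peak_hour(samples))
    print("daily rate:", daily_rate(samples))
```

On this data the 03:00 burst of 400 QPS is the largest single sample, but the peak-hour maximum is 340 because the busiest hour is chosen by average, so a short burst in a quiet hour does not appear in the peak-hour figures.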

DNS Query Rate by Query Type

The DNS Query Rate by Query Type dashboard shows the trend of DNS queries per second by DNS record type. This dashboard displays line graphs of DNS query trends for selected DNS record types over a given time frame.

DNS Query Trend per IP Block Group

The DNS Query Trend per IP Block Group dashboard provides the trend of DNS query counts aggregated over time intervals for user-defined IP block groups.
This dashboard displays the following information in table format:

  • Time: Timestamp of events.
  • Group: Name of the IP block group.
  • Query Count: Total queries made to the IP block group for a specific time interval.

DNS Replies Trend

The DNS Replies Trend dashboard provides information about DNS query trends by message types. The dashboard shows line graphs that track DNS query replies by message type over a given time frame.
This dashboard displays line graphs of DNS query replies by the following message types: Failure, NXDomain, NXRRset, Referral, Success, Refused, and Other.

DNS Response Latency Trend

The DNS Response Latency Trend dashboard provides DNS latency response times for all or selected cache servers. This dashboard shows line graphs of DNS latency response times for each server.

DNS Effective Peak Usage Trend for Flex Grid License

The DNS Effective Peak Usage Trend for Flex Grid License dashboard lists the average of peak DNS queries per second for all IB-FLEX members in the Grid. The peak DNS queries per second are calculated as the maximum per day of average queries per second.
This dashboard displays the following information in either line chart or table format:

  • Show Filters: Click Show Filters to enable the filters.
  • Time: Select a value from the drop-down list. The default value is Last 30 days.
  • Line Chart: Click Line Chart to view the data in line chart format.
  • Table: Click Table to view the data in table format.
  • Both: Click Both to view the data in both line chart and table format.

DNS Scavenged Object Count Trend

The DNS Scavenged Object Count Trend dashboard displays the number of stale DNS records removed per zone or DNS view over time. The default dashboard displays the reclaimed records count for the top five zones with the largest number of records reclaimed over the last day.

DNS Query Rate by Member

The DNS Query Rate by Member dashboard shows the trend of DNS queries for selected members. This dashboard displays line graphs of DNS query trends for the selected members over a given time frame.

DNS Top Clients

The DNS Top Clients dashboard lists clients that have the most DNS queries. The dashboard shows horizontal bar charts that list clients that have the most total counts of DNS requests and their percentages over a given time frame. The default dashboard displays the top 10 clients within the last 24 hours. Note that the DNS Top Client report is not NAT client aware and therefore this dashboard does not show information for NAT'ed clients.
To generate data for the DNS Response Latency Trend dashboard, each Grid member that has the DNS service enabled queries itself for the PTR record 1.0.0.127.in-addr.arpa every minute. NIOS does not exclude these queries, so the DNS Top Clients report displays the default client 127.0.0.1.

DNS Top Clients Per Domain

The DNS Top Clients Per Domain dashboard lists the clients that have the most DNS queries for specified domain names and their subdomains. The dashboard shows a horizontal bar chart that lists the clients that have the most total counts of DNS requests and their percentages over a given time frame. You can display the report data in bar chart form or in table form. The domain or domains are specified using filters. The default dashboard displays the top 10 clients within the last 24 hours.
You can define the domains for capture in the Grid Reporting Properties editor (Administration tab -> Reporting tab -> Grid Reporting Properties -> DNS tab -> Monitor queries made to the following domains check box).

DNS Top NXDOMAIN / NOERROR (no data)

The DNS Top NXDOMAIN / NOERROR (no data) dashboard shows the number of responses transmitted by the specified name server(s) indicating a client-specified non-existent domain name. This dashboard displays horizontal bar graphs of DNS query trends for the selected members over a given time frame.

  • NXDOMAIN indicates that no records of any type existed for the query name;
  • NOERROR (no-data) indicates that no data existed for the requested resource record type; other records may exist for the query name.

Note: The statistical data on the IB-4030 appliance may not be absolutely accurate if acceleration cache entries are reused after the TTL expiration for other data during a given report monitoring interval. The default interval is 10 minutes.


DNS Top Requested Domain Names

The DNS Top Requested Domain Names dashboard lists the most requested domain names, their counts, and their percentage of requests over a given time frame. The dashboard shows horizontal bar charts that list the total counts and request percentages for the most requested domain names. The default dashboard displays the top 10 domain names within the last 24 hours.


Note: The statistical data on the IB-4030 appliance may not be absolutely accurate if acceleration cache entries are reused after the TTL expiration for other data during a given report monitoring interval. The default interval is 10 minutes.


DNS Top SERVFAIL Errors Sent

The DNS Top SERVFAIL Errors Sent dashboard lists the top query names that result in Infoblox name servers sending DNS response packets containing the SERVFAIL message to downstream clients. The length of the list of top queries, the time period for the report, and other parameters are specified using filters. The default dashboard displays the top 10 query names within the last 24 hours. When capturing queries, the Grid member matches authoritative and recursive queries to generate events for the report. This dashboard does not display DNS client information or the identities of impacted name servers when the SERVFAIL originates from an upstream server.

DNS Top SERVFAIL Errors Received

The DNS Top SERVFAIL Errors Received dashboard lists the top queries resulting in Infoblox name servers receiving DNS response packets containing the SERVFAIL message from upstream name servers. The length of the list of top queries, the time period for the report, and other parameters are specified using filters. The default dashboard displays the top upstream query names within the last 24 hours. (The upstream query name may be a query name supplied by a client, or another name that is needed while processing a client query.) When capturing queries, the Grid member matches recursive queries to generate events for the report. This dashboard displays no DNS client information, or the identities of impacted name servers. This dashboard reflects the exact numeric value of the number of queries.

DNS Top Timed-out Recursive Queries

The DNS Top Timed-out Recursive Queries dashboard shows the number of queries sent to Infoblox Grid member name servers that result in timeouts after the servers send recursive queries to upstream name servers. This dashboard displays horizontal bar graphs of DNS query trends for the selected members over a given time frame.

DNS Traffic Control Resource Availability Status

The DNS Traffic Control Resource Availability Status dashboard provides the percentage of specific DNS Traffic Control resources that are available, partially available or unavailable over time.
You can mouse over the pie chart to display the coordinates of any point in the pie chart. You can also drill down to view detailed data in table format.
This dashboard displays the following information:

  • Available: Indicates that the resource is always available. A resource is displayed as always available only when its availability is 100%.
  • Partially Available: Indicates that the resource is available sometimes. A resource is displayed as partially available only when its availability is less than 100% but more than 0%.
  • Unavailable: Indicates that the resource is never available. A resource is displayed as never available only when its availability is 0%.

DNS Traffic Control Resource Availability Trend

The DNS Traffic Control Resource Availability Trend dashboard provides the percentage of available DNS Traffic Control resources per server/health monitor pair over a period of time. You can aggregate data based on supported filtering categories and extensible attributes defined in the filtering feature.
The appliance aggregates data at 10-minute intervals. You can mouse over the graph to display the coordinates of any point in the graph.
This dashboard displays the following information in either the line chart or table format:

  • Date and Time: Timestamp of events.
  • Availability%: Percentage of resources that are available.

DNS Traffic Control Resource Pool Availability Trend

The DNS Traffic Control Resource Pool Availability Trend dashboard provides information about the availability of load balanced resources that are grouped by extensible attributes over a selected period of time. The appliance aggregates data at 10-minute intervals. You can mouse over the graph to display the coordinates of any point in the graph.
This dashboard displays the following information in either a line chart or a table format:

  • Time: Timestamp of events.
  • Resource Pool: The resource pools that are available.
  • Availability%: The percentage of resource pools that are available.

DNS Traffic Control Resource Pool Availability Status

The DNS Traffic Control Resource Pool Availability Status dashboard provides information about the resource pools that are available, partially available, or unavailable at a certain time.
This dashboard displays the following information in a pie chart format:

  • Available: Indicates that the resource pool is always available. A resource pool is displayed as always available only when its availability is 100%.
  • Partially Available: Indicates that the resource pool is available sometimes. A resource pool is displayed as partially available only when its availability is less than 100% but more than 0%.
  • Unavailable: Indicates that the resource pool is never available. A resource pool is displayed as never available only when its availability is 0%.

DNS Traffic Control Response Distribution Trend

The DNS Traffic Control Response Distribution Trend dashboard provides information about the number of responses returned by each resource. You can group the results either by the resources in the pool or by all resources associated with the same extensible attribute over a period of time. You can view how clients are load balanced or directed among different resources.
You can group the number of responses returned from each resource based on the pools. When you select Resource Pool, the appliance displays aggregated responses from resources belonging to a pool.
This dashboard displays the following information in either a line chart or a table format:

  • Time: Timestamp of events.
  • Resource: The resources that are available.
  • Responses: The number of responses returned by each resource.

Security

FireEye Alerts

The FireEye Alerts dashboard lists the FireEye alerts that are received by the NIOS appliance. The dashboard displays the date and time when the alert was generated, mitigation action for the alert, ruleset specified for the blocked domain or IP address, and the name of the FireEye appliance that generated the alert. For more information about FireEye integrated RPZs, see Configuring FireEye RPZs.


Note: To enable this dashboard, you must select the Security check box in the Grid Reporting Properties editor. To select the check box, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the check box Security under Report Category. Note that you can receive this dashboard only on the Grid Master, not on Grid members, even if you have selected Security as a report category on the members.


This dashboard displays the following information in table format:

  • Time: The date and time when the alert was generated.
  • AlertID: The alert type along with the alert ID.
  • LogSeverity: The severity of the alert, which can be Critical, Major or Minor.
  • AlertType: The type of alert received from the FireEye appliance.
  • FireEyeAppliance: The FireEye appliance that generated the alert.
  • RPZEntry: The RPZ rule specified for the FireEye alert.
  • MitigationAction: The ruleset specified for the blocked domain name or IP address.


DNS Top RPZ Hits

The DNS Top RPZ Hits dashboard lists the top clients who received re-written responses through RPZ. The dashboard displays the total client hits and total rule hits over a given time frame. You can choose to view either the aggregated RPZ hits report or a detailed report of the top RPZ hits. In the Show filter, select Details to view the detailed report or select Aggregated Hits Count to view the aggregated report. When you select the Aggregated Hits Count option, the report data is consolidated based on the client ID, domain name, RPZ entry, RPZ severity, and mitigation action.
The appliance lists the top RPZ hits in table format. You can click a specific row in the table or the Client ID to view the DHCP lease history of a client. For information about DHCP lease history, see DHCP Lease History. Grid Manager displays another report that specifies more detailed information, such as the leased IPs, host name, and MAC addresses for each client. For more information about RPZs, see About Infoblox DNS Firewall. You can click Domain Name or RPZ Entry to view threat details of an RPZ rule. In addition, you can click the client IP address to view login details of the user. For information, see User History for IP Address.
You can compare the domain name and mitigation action in this dashboard with the RPZ rules and mitigation actions in the FireEye Alerts report to determine the RPZ hits received due to FireEye alerts.


Note: To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the check boxes DNS Query and Security under Report Category.


This dashboard displays the following information in table format:

  • Client ID: The IP address of the client that queried the domain name that is listed in the RPZ ruleset.
  • Total Client Hits: The total number of hits received for each DNS view from the respective client.
  • Domain Name: The domain name that was queried.
  • Severity: The threat severity level of an RPZ zone associated with the RPZ rule that was triggered.
  • RPZ Entry: The RPZ rule that was triggered based on client queries.
  • Total Rule Hits: The total number of hits received for a specific RPZ rule.
  • Mitigation Action: The ruleset specified for the blocked domain name or IP address.
  • Substitute Addresses: The address which was substituted for the blocked domain.
  • Time: The date and time when the last hit was received. This information is displayed only in the detailed DNS Top RPZ Hits report.
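
The comparison with the FireEye Alerts report described above can also be done offline on exported report data. The following Python sketch is an added example, not Infoblox code: it assumes both reports were exported as CSV with headers named after the columns listed on this page, and every row and alert type in it is constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of the FireEye Alerts report (column names from this page).
FIREEYE_ALERTS_CSV = """\
Time,AlertID,LogSeverity,AlertType,FireEyeAppliance,RPZEntry,MitigationAction
2024-05-01 09:12:00,alert-type-a:1001,Critical,alert-type-a,fe-appliance-1,Bad-Host.example.test.,Block (No Such Domain)
2024-05-01 10:40:00,alert-type-b:1002,Major,alert-type-b,fe-appliance-1,c2.example.test,Block (No Data)
2024-05-02 08:05:00,alert-type-c:1003,Minor,alert-type-c,fe-appliance-2,landing.example.test,Passthru
"""

# Constructed sample export of the detailed DNS Top RPZ Hits report.
RPZ_HITS_CSV = """\
Client ID,Domain Name,RPZ Entry,Severity,Mitigation Action,Total Rule Hits,Time
192.0.2.10,bad-host.example.test,bad-host.example.test,Critical,Block (No Such Domain),14,2024-05-01 11:00:00
192.0.2.11,bad-host.example.test,bad-host.example.test,Critical,Block (No Such Domain),3,2024-05-01 11:30:00
198.51.100.7,c2.example.test,c2.example.test,Major,Passthru,5,2024-05-01 12:00:00
192.0.2.10,ads.example.test,ads.example.test,Minor,Block (No Data),40,2024-05-01 12:10:00
192.0.2.12,LANDING.example.test.,landing.example.test,Minor,Passthru,2,2024-05-02 09:00:00
"""


def normalize_name(value):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return value.strip().rstrip(".").lower()


def normalize_action(value):
    """Collapse whitespace and case so 'Block (No Data)' matches 'block  (no data)'."""
    return " ".join(value.split()).lower()


def load_alert_index(alerts_csv):
    """Map normalized RPZEntry -> {normalized MitigationAction: [AlertID, ...]}."""
    index = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(alerts_csv)):
        name = normalize_name(row["RPZEntry"])
        action = normalize_action(row["MitigationAction"])
        index[name][action].append(row["AlertID"])
    return index


def correlate(hits_csv, alerts_csv):
    """Sort RPZ hit rows into three buckets:
    fireeye          domain and mitigation action both match a FireEye alert
    action_mismatch  domain matches an alert, but the action applied differs
    other            domain is not present in the FireEye Alerts report
    """
    index = load_alert_index(alerts_csv)
    result = {"fireeye": [], "action_mismatch": [], "other": []}
    for row in csv.DictReader(io.StringIO(hits_csv)):
        domain = normalize_name(row["Domain Name"])
        action = normalize_action(row["Mitigation Action"])
        record = {
            "client": row["Client ID"],
            "domain": domain,
            "action": action,
            "hits": int(row["Total Rule Hits"]),
        }
        alert_actions = index.get(domain)  # .get() does not create empty entries
        if alert_actions is None:
            result["other"].append(record)
        elif action in alert_actions:
            record["alert_ids"] = list(alert_actions[action])
            result["fireeye"].append(record)
        else:
            record["alert_actions"] = sorted(alert_actions)
            result["action_mismatch"].append(record)
    return result


def fireeye_hits_by_client(result):
    """Total FireEye-attributed rule hits per client, highest first."""
    totals = defaultdict(int)
    for record in result["fireeye"]:
        totals[record["client"]] += record["hits"]
    return dict(sorted(totals.items(), key=lambda item: -item[1]))


if __name__ == "__main__":
    outcome = correlate(RPZ_HITS_CSV, FIREEYE_ALERTS_CSV)
    for client, hits in fireeye_hits_by_client(outcome).items():
        print(f"{client}: {hits} RPZ hits attributable to FireEye alerts")
    for record in outcome["action_mismatch"]:
        print(f"review: {record['domain']} hit with '{record['action']}', "
              f"FireEye alert specifies {record['alert_actions']}")
```

Rows in the action_mismatch bucket are worth a manual look: the queried domain appears in a FireEye alert, but the mitigation action applied to the hit is not the one recorded for that alert.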

The sub-dashboard Threat Details displays the following information in table format:


Note: Make sure that DNS resolution is enabled and running properly on the reporting member to view Threat Details.


  • RPZ Rule: The RPZ rule that was triggered based on client queries.
  • First Identified: The date and timestamp of the first occasion that the threat was detected.
  • Last Seen: The date and timestamp of the last occasion that the threat was detected.
  • Threat Category: The category to which the threat belongs.
  • Danger Level: The severity level of the threat.
  • Short Description: The brief description of an RPZ rule.
  • Description: The detailed description of an RPZ rule.

User History for IP Address

The User History for IP Address sub-dashboard displays the login details of the active users associated with the IP address of the client.
The default sub-dashboard displays the following information in table format:

  • Last Updated: Displays the timestamp when the user information was last updated.
  • User Name: The logon name of the user.
  • Domain: The domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are still active on the system.
  • Last Seen: The timestamp when the user was last seen accessing a domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

User History for Lease IP

You can view user information associated with the lease IP address.
The default User History for Lease IP sub-dashboard displays the following information in table format:

  • Last Updated: Displays the timestamp when the user information was last updated.
  • User Name: The logon name of the user.
  • Domain: The Active Directory domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are active on the system.
  • Last Seen: The timestamp when the user was last seen accessing a domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

DNS Top RPZ Hits by Clients

The DNS Top RPZ Hits by Clients dashboard lists the total number of RPZ hits from a client during an interval, irrespective of the rules and mitigation actions. You can view the IP address of the client, total hits and the date and time during which the hits were received.
The appliance lists the top RPZ hits by clients in table format. You can click a specific row in the table to view the lease history of a client. Grid Manager displays another report that specifies more detailed information, such as the leased IPs, host name, and MAC addresses for each client. For more information about RPZs, see About Infoblox DNS Firewall. In addition, you can click the client IP address to view login details of the user. For information, see User History for IP Address.
This dashboard displays the following information in table format:

  • Client ID: The IP address of the client that queried the domain name that is listed in the RPZ ruleset.
  • Total Client Hits: The total number of hits received for all DNS views from the respective client.
  • Time: The date and time when the last hit was received.

Top DNS Firewall Hits

The Top DNS Firewall Hits dashboard lists the top RPZ rules triggered over a given time frame. This dashboard lists information such as RPZ rule, percentage of RPZ rule hits, number of hits per RPZ rule, and the description of the threat that triggered the RPZ rule. The default dashboard displays the top 10 RPZ rules triggered within the last week.


Note: To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.


The dashboard displays the following information in table format:

  • RPZ Rule: The RPZ rule that was triggered based on client queries.
  • Percentage: The percentage based on the number of hits for the RPZ rule divided by the total number of hits for the top RPZ rules.
  • # Hits: The total number of hits received for the RPZ rule.
  • Description: The detailed description of the threat that triggered the RPZ rule.

DNS RPZ Hits Trend By Mitigation Action

The RPZ Hit Trend by Mitigation Action dashboard provides trends for the total number of RPZ hits for each mitigation action along with the total client hits in a given time frame. You can view this report as a line chart, a stacked chart, or a table, or display it in all three formats. The default dashboard displays a stacked chart of the RPZ hits by mitigation action in a given time frame. You can hover your mouse over the graph to view the coordinates in the graph. Note that the values plotted in the stacked chart and line chart are average hits aggregated over time.
The dashboard displays the following information in table format:

  • Time: The date and time when the last hit was received.
  • Block: Total number of queries that triggered a Block (No Data) and Block (No Such Domain) RPZ rule. For information about Block (No Data) and Block (No Such Domain) RPZ rules, see Managing Block (No Data) Rules and Managing Block (No Such Domain) Rules respectively.
  • Passthru: Total number of queries that triggered the Passthru RPZ rule. For information about Passthru RPZ rule, see Managing Passthru Rules.
  • Substitute: Total number of queries that triggered the Substitute (Domain Name) and Substitute (Record) RPZ rule. For information about Substitute (Domain Name) and Substitute (Record) RPZ rules, see Managing Substitute (Domain Name) Rules and Managing Substitute (Record) Rules respectively.
  • Client Hits: Total number of queries that triggered an RPZ policy. Client hits is the sum of Block (No Data), Block (No Such Domain), Passthru, Substitute (Domain Name), and Substitute (Record) RPZ hits. Note that this data is not displayed in the Stacked Chart, but is displayed in the Line Chart and in Table format.

Malicious Activity by Client

The Malicious Activity By Client dashboard lists the clients that have the most malicious activities. The default dashboard shows a bar chart that lists clients that have the most total counts of malicious activities that triggered the RPZ rule over the given time frame. The default dashboard displays the top 10 clients within the last week.


Note: To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.


This dashboard displays the following information:

  • Client ID: The IP address of the client that queried the malicious domains.
  • # Hits: The total number of RPZ hits by the client.
  • Domains: The top three malicious domains queried by the client.
  • Last Active: The timestamp of the last attempt when the client queried a malicious domain.

DNS Firewall Executive Threat

The DNS Firewall Executive Threat dashboard is a predefined custom dashboard which consists of the following sub-dashboards:


Note: To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.


Note that you have to use the filters for each of the sub-reports to get specific information. You can also click Download PDF from the Toolbar to download the DNS Firewall Executive Threat dashboard in PDF format which includes the three-panel report in a single PDF.

Threat Protection Event Count By Severity Trend

The Threat Protection Event Count By Severity Trend dashboard provides event count trends by severity in a given time frame. You can view event counts distributed across the following severity levels: Critical, Major, Warning, and Informational. Each severity level is represented by a different color.
You can also define alerts in this dashboard to notify administrators when a trend reaches a specified threshold. For information about how to define alerts, see About IP Blocks and IP Block Groups. When you configure alerts for this dashboard and define a threshold value to trigger SNMP traps for a specified reporting event type, the appliance triggers an alert every five minutes based on the filters you select. For information about how to trigger SNMP traps for reporting event types, see Defining Thresholds for Traps.

Threat Protection Event Count By Member Trend

The Threat Protection Event Count By Member Trend dashboard provides event count trends on members that support Advanced DNS Protection in a given time frame. This dashboard tracks events on a member over a given time frame. The default dashboard displays a line chart that shows event trends over the last day on the selected member. The default dashboard displays the top 5 appliances in descending order.

Threat Protection Event Count By Rule

The Threat Protection Event Count By Rule dashboard displays event counts based on violations of individual rules. The appliance displays the event count by rule in table format and sorts the records by Total Event Count in descending order. You can click a specific Security ID in the table to view a sub-report for the individual rule, which shows aggregate event instances with timestamps for that rule on all members.
This dashboard displays the following information in table format:

  • SID: The unique rule ID.
  • Category: The category to which the rule belongs.
  • Log Severity: The severity of an event, which can be Critical, Major, Warning, or Informational.
  • Event Name: The name and description of the rule.
  • Alert Count: The alert count of an event.
  • Drop Count: The drop count of an event.
  • Total Event Count: The total number of event counts triggered by a match against the rule.

The sub-dashboard Threat Protection Event Count for Rule displays the following information in table format:


Note: The sub-report Threat Protection Event Count for Rule displays all the detected events for a specific SID on all members, regardless of the filters you apply to the parent Threat Protection Event Count By Rule report.


  • Time: The timestamp of an event.
  • Member: The name of the member that supports threat protection.
  • Category: The category to which the rule belongs.
  • Log Severity: The severity of an event, which can be Critical, Major, Warning, or Informational.
  • Event Name: The name of a rule.
  • Alert Count: The alert count of an event.
  • Drop Count: The drop count of an event.
  • Total Event Count: The total number of event counts triggered by a match against the rule.

Threat Protection Event Count By Time

The Threat Protection Event Count By Time dashboard displays event counts with timestamps in table format. This dashboard helps you track the behavior of security events based on time of occurrence. For example, this dashboard indicates whether security events peak at specific times or have steadily increased over time.
This dashboard displays the following information in table format:

  • Time: The timestamp of an event.
  • SID: The unique rule ID.
  • Member: The name of the member that supports threat protection.
  • Category: The category to which the rule belongs.
  • Log Severity: The severity of an event, which can be Critical, Major, Warning, or Informational.
  • Event Name: The name and description of the rule.
  • Alert Count: The alert count of an event.
  • Drop Count: The drop count of an event.
  • Total Event Count: The total number of event counts of a rule.

Threat Protection Event Count By Category

The Threat Protection Event Count By Category dashboard provides event counts by rule category. You can track rule categories that are under the most pressure from adverse events. This dashboard displays event counts in table format.
This dashboard displays the following information in table format:

  • Category: The category to which a rule belongs.
  • Critical Event Count: The number of critical events in the selected rule category.
  • Major Event Count: The number of major events.
  • Warning Event Count: The number of warning events.
  • Informational Event Count: The number of informational events.
  • Total Event Count: The total number of event counts triggered against a rule category.

Threat Protection Event Count By Member

The Threat Protection Event Count By Member dashboard provides event counts aggregated over time intervals for each member. This dashboard displays event count for each member in table format and sorts the records by Total Event Count in descending order.
This dashboard displays the following information in table format:

  • Member: The name of the member that supports threat protection.
  • Critical Event Count: The number of critical events on a member.
  • Major Event Count: The number of major events detected on a member.
  • Warning Event Count: The number of warning events detected on a member.
  • Informational Event Count: The number of informational events detected on a member.
  • Total Event Count: The total number of event counts detected on a member.

Threat Protection Top Rules Logged

The Threat Protection Top Rules Logged dashboard provides the list of the top 10 threat protection rules that are triggered by a source IP in a given time frame. You can also view the threat protection rules triggered by NAT'ed clients in a given time frame. You can view the source IP address, total number of events, rule name, and timestamp of the last event. If a rule is triggered by a NAT'ed client, then you can view the source IP address along with the port block of the NAT'ed client. You can also configure the appliance to display the report data in bar chart or in table form. The default dashboard displays a bar chart for the top 10 rules that are triggered within the last seven days. This dashboard allows you to identify the IP address of a client and the rules it triggered.


Note: You can configure the top number of source IP addresses and threat protection rules on the appliance. For information about how to configure threat protection data, see Configuring Threat Protection Data.


This dashboard displays the following information in table format:

  • Rule: The name and description of a rule that is triggered by the source IP. For each threat protection rule, the active count is displayed for the top three source IP addresses.
  • Logged Event Count: The total number of events triggered against the rule.
  • Top Sources: The IP address of the top sources triggering this rule. By default, the top 3 source IPs are displayed.
  • Last Active: The timestamp when the rule was last active.

Threat Protection Top Rules Logged by Source

The Threat Protection Top Rules Logged by Source dashboard provides statistics about the total number of events triggered by the top sources (by client IP addresses) in a given time frame. You can also view the statistics for the total number of events triggered by NAT'ed clients in a given time frame. For example, if you configure a range of ports for a NAT'ed client, and if there are events logged from different port blocks of the NAT'ed client, then each port block is considered as a logical client in the dashboard. You can view the source IP address, total number of events, rule name, and timestamp of an event. If an event is triggered by a NAT'ed client, then you can view the source IP address along with the port block of the NAT'ed client. The default dashboard displays a bar chart for the top 10 source IPs that triggered threat protection rules within the last seven days. This dashboard allows you to identify the IP address of the client and the rules it triggered.


Note: You can configure the top number of source IP addresses and threat protection rules on the appliance. For information about how to configure threat protection data, see Configuring Threat Protection Data.


This dashboard displays the following information in table format:

  • Source: The IP address of a source that triggered a threat protection rule.
  • Logged Event Count: The total number of events triggered by a source against the rule.
  • Top Rules: The name of the top rules triggered by each source IP. By default, the top three rules are displayed.
  • Last Active: The timestamp when the source was last active.
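The grouping described above, where each port block of a NAT'ed client counts as its own logical client, can be reproduced offline when reviewing exported events. This is an added example, not Infoblox code: the event tuples, rule names, NAT address, and port block size are constructed assumptions, and only the per-source count, top three rules, and last-active logic follows the dashboard description.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not appliance output):
# (timestamp, source IP, source port, rule name)
EVENTS = [
    ("2024-05-01T10:00:00", "192.0.2.5", 40000, "rule-A"),
    ("2024-05-01T10:05:00", "192.0.2.5", 40001, "rule-A"),
    ("2024-05-01T10:06:00", "192.0.2.5", 40002, "rule-B"),
    ("2024-05-01T11:00:00", "203.0.113.10", 1100, "rule-A"),
    ("2024-05-01T11:01:00", "203.0.113.10", 1500, "rule-C"),
    ("2024-05-01T11:02:00", "203.0.113.10", 2500, "rule-B"),
    ("2024-05-01T11:03:00", "203.0.113.10", 2024, "rule-B"),
    ("2024-05-01T11:04:00", "203.0.113.10", 3000, "rule-B"),
    ("2024-05-01T11:05:00", "203.0.113.10", 2600, "rule-A"),
]

# Assumed NAT configuration: NAT'ed address -> (first port, ports per block).
# Hypothetical values chosen for the example.
NAT_PORT_BLOCKS = {"203.0.113.10": (1024, 1000)}


def logical_client(ip, port):
    """Return the key one event is counted under.

    A plain client is keyed by its IP address. A NAT'ed client is keyed by
    IP address plus the port block the source port falls in, so two hosts
    behind the same NAT address are reported separately.
    """
    if ip not in NAT_PORT_BLOCKS:
        return ip
    first, size = NAT_PORT_BLOCKS[ip]
    if port < first:
        return ip  # below the configured range: no block to attribute it to
    start = first + ((port - first) // size) * size
    return f"{ip} [{start}-{start + size - 1}]"


def top_rules_by_source(events, top_sources=10, top_rules=3):
    """Build the table rows: Source, Logged Event Count, Top Rules, Last Active."""
    counts = Counter()
    rules = defaultdict(Counter)
    last_active = {}
    for ts, ip, port, rule in events:
        key = logical_client(ip, port)
        counts[key] += 1
        rules[key][rule] += 1
        seen = datetime.fromisoformat(ts)
        if key not in last_active or seen > last_active[key]:
            last_active[key] = seen
    return [
        {
            "source": key,
            "logged_event_count": total,
            "top_rules": [name for name, _ in rules[key].most_common(top_rules)],
            "last_active": last_active[key].isoformat(),
        }
        for key, total in counts.most_common(top_sources)
    ]


if __name__ == "__main__":
    for row in top_rules_by_source(EVENTS):
        print(row)
```

Without the port-block split, the NAT address would appear as a single source with six events and hide the fact that one host behind it accounts for four of them.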

DNS Top Tunneling Activity

The DNS Top Tunneling Activity dashboard lists the clients that have the most DNS tunneling activities in a given time frame. The default dashboard shows a horizontal bar chart that lists the clients with the highest total counts of DNS tunneling events and their percentages over the given time frame. You can also configure the appliance to display this dashboard in table format. The default dashboard displays the top 10 clients within the last week.
You can click the client IP address in the table or click the bar in the bar chart to view a sub-report Rule hits for Client IP for a specific client.
This dashboard displays the following information:

  • Client IP: The source IP address that triggered the DNS tunneling event.
  • Event Count: The total number of DNS tunneling events triggered by the client.

The sub-dashboard Rule hits for Client IP lists the number of events triggered by the selected client for each DNS tunneling category. It displays the following information in table format:

  • Category: The category to which the DNS tunneling activity belongs. Category can include the type of DNS tunneling activities as well as tunneling tools used to generate the activities. A category can be short TTL, NXDomain, high-entropy domains, Iodine tool, and others.
  • Event Count: The number of events triggered in each DNS tunneling category.
  • Last Seen: The timestamp when the client was last active.

DNS Tunneling Traffic by Category

The DNS Tunneling Traffic by Category dashboard provides information about DNS tunneling activities by specific categories and the percentage of events in each category of DNS tunneling events in a given time frame. This dashboard helps you track abnormal DNS traffic. The default dashboard shows a pie chart that lists the categories of DNS tunneling events. You can mouse over a slice of the pie chart to view the DNS tunneling category, event counts, and their percentages. You can also configure the appliance to display this dashboard in table format. The default dashboard displays the top 10 DNS tunneling categories within the last week.
You can click the category in the table or in the pie chart to view the DNS Top Tunneling Activity sub-dashboard for the selected category. For more information, see DNS Top Tunneling Activity.
This dashboard displays the following information in table format:

  • Category: The category to which the DNS tunneling activity belongs. Category can include the type of DNS tunneling activities as well as tunneling tools used to generate the activities. A category can be short TTL, NXDomain, high-entropy domains, Iodine tool, and others.
  • Category%: The percentage based on the number of events in each DNS tunneling category divided by the total number of events in all the DNS tunneling categories.
  • Description: The description of the rule that was triggered based on the client queries.

The DNS Top Tunneling Activity sub-dashboard displays the following information in table format:

  • Client IP: The IP address of the source that triggered the DNS tunneling event.
  • Rule SID: This field displays the rule ID for ADP rule hits. If you select Detected by Analytics Engine as the category, this field displays the name of the RPZ used for blacklisted domains detected through the analytics service.
  • Event Count: The total number of events triggered by a match against the rule.
  • Rule Description: The description of the rule that was triggered based on the client queries.
  • Last Seen: The timestamp when the client was last active.

Top Malware and DNS Tunneling Events by Client

The Top Malware and DNS Tunneling Events by Client dashboard lists the clients that have the most outbound malicious queries (RPZ hits) and DNS tunneling events in a given time frame. This dashboard lists the IP address of the client, total number of outbound malicious queries, total number of DNS tunneling events, and the timestamp when the client was last active. The appliance displays the report data in table format. You can click the client IP in the table to view the sub-report Security Info for Client IP for a specific client.
This dashboard displays the following information in table format:

  • Client IP: The IP address of the client that triggered the most outbound malicious queries (RPZ hits) and DNS tunneling events.
  • Total DNS Tunneling Events: The total number of DNS tunneling events triggered by the respective client.
  • Total Outbound malicious queries: The total number of RPZ hits received from the respective client.
  • Last Seen: The timestamp when the client was last active.

The sub-dashboard Security Info for Client IP includes the DHCP and IP address management data along with the RPZ and DNS tunneling activities for the selected client. It displays the following information in table format:

  • Host Name: The host name of the DHCP client.
  • MAC/DUID: The MAC address or the DUID of the client.
  • Lease Start - Lease End: The start and end date of the lease.
  • Fingerprint: The DHCP fingerprint information of the client device.
  • Top 3 RPZ rules: The top three RPZ rules triggered based on the queries from the selected client.
  • Top 3 DNS tunneling events: The top three DNS tunneling events triggered by the selected client.
  • Device Name: The name of the client device.
  • Port/Interface: The name of the port or interface connected to the client device.

Cloud Dashboard

VM Address History

The VM Address History dashboard provides VM address history in a given time frame. This dashboard is applicable only for the Cloud Network Automation solution. You can generate this dashboard to view activities over time for specific VM interfaces in the cloud environment. This dashboard lists information such as IP address, Action, MAC address, Port ID, FQDN, VM Name, Network, Tenant ID, and other fields associated with the VM interfaces.
You can click a specific row in the table to view the DHCP Lease History dashboard for the VM. Grid Manager displays the DHCP Lease History dashboard below the VM Address History dashboard.

Ecosystem Dashboards

User Login History Report

The User Login History dashboard provides information about user login activities in a given time frame. You can use this dashboard to audit user logins. This dashboard allows you to identify the IP address of a client, the domains a user logs in to, the number of active users, and the login activities of a user over a period of time.
This dashboard displays the following information in table format:

  • Last Updated: Displays the timestamp when the user information was last synchronized with the Microsoft server.
  • User Name: The logon name of the user.
  • Domain: The Active Directory domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the Active Directory domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are active on the Microsoft server.
  • Last Seen: The timestamp when the user was last seen accessing an Active Directory domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

Subscription Data

The Subscription Data dashboard displays the user and device identity captured by the Cisco ISE for the subscribed member. The default dashboard displays user name, domain name, VLAN ID, Device operating system, and last discovered timestamp.
The predefined Subscription Data dashboard displays the following information:

  • User Name: The logon name of the user.
  • Domain: The domain name.
  • SSID: Provision SSID. This is for corporate devices that connect to the corporate wireless SSID.
  • VLAN Name: The name of the VLAN of the switch port.
  • VLAN ID: The ID of the VLAN of the switch port.
  • Device OS: Operating system of the device.
  • Session State: The current status of the device.
  • Security Group: Unique security group tag.
  • Discovered At: Timestamp when the device was discovered.
  • Quarantine Status: Indicates if the device should be quarantined or not.
  • IP Address: The IP address of the client.
  • Grid ID: The IP address of the subscribed member.

Publish Data

The Publish Data dashboard displays the RPZ, Security ADP, IPAM and DHCP lease information that is shared with the Cisco ISE.
The default Publish Data dashboard displays the following information:

  • Last Updated: Timestamp when the data was last updated for the device.
  • IP Address: The source IP address that is publishing the data.
  • Target Address: The IP address of the target Cisco ISE.
  • Publish Type: The event type that is published.
  • Contents: Additional details of the published information.

System Utilization Dashboards

CPU Utilization Trend

The CPU Utilization Trend dashboard provides CPU usage trends over a given time frame. The default dashboard displays line graphs that show CPU usage trends for up to five members in the Grid over the last 24 hours. Each of the members is represented with a different color line graph.

Memory Utilization Trend

The Memory Utilization Trend dashboard provides memory usage trends over a given time frame. The default dashboard displays line graphs that show memory usage trends for up to five members in the Grid over the last 24 hours. Each of the members is represented with a different color line graph.

Traffic Rate by Member

The Traffic Rate by Member dashboard provides inbound and outbound traffic over a given time frame. The dashboard displays line graphs that show traffic rate for members with reporting service enabled within the last 24 hours. Grid Manager uses different color line graphs to distinguish inbound and outbound traffic for different members.

Flex Grid Licensing Features Enabled

The Flex Grid Licensing Features Enabled dashboard lists the overall status of licensed features across all IB-FLEX members in the Grid. You can also view the status of each feature for individual members during a specified time period.


Note: When you move your mouse away from the FLEX Grid Licensing Features Enabled section, the Open in Search, Inspect, and Refresh icons might not show up in the GUI. You can view these icons when you move your mouse on the data displayed for the FLEX Grid Licensing Features Enabled dashboard.


This dashboard displays the following information in table format:

  • Feature: Indicates the features on which the Flex Grid Activation license is installed.
    • Active Trust Plus: Displays Active Trust Plus as enabled on a member when any of the following RPZ feed zones are configured: antimalware-ip.rpz.infoblox.local, bot-ip.rpz.infoblox.local, exploitkit-ip.rpz.infoblox.local, malware-dga.rpz.infoblox.local, tor-exit-node-ip.rpz.infoblox.local, multi-domain.surbl.rpz.infoblox.local, and fresh-domain.surbl.rpz.infoblox.local.
    • Active Trust Standard: Displays Active Trust Standard as enabled on a member when any of the following RPZ feed zones are configured: base.rpz.infoblox.local, antimalware.rpz.infoblox.local, ransomware.rpz.infoblox.local, and bogon.rpz.infoblox.local.

Note: Active Trust Standard supports four zones, whereas Active Trust Plus or Active Trust Advanced supports those four zones and seven additional zones. This report displays the highest level of Active Trust support that is configured for a member.


  • Authoritative DNS: Displays if DNS is enabled and authoritative zone is assigned to the member.
  • DNS Cache Acceleration: Displays if DNS Cache Acceleration service is enabled on a member.
  • DNS Traffic Control: Displays if DNS is enabled with resolver set to DNS server and the LBDN pool is configured for DNS Traffic Control.
  • FireEye: Displays if DNS is enabled and FireEye zone is configured on a member.
  • Recursive DNS: Displays information about whether DNS and recursion are enabled at the following levels:
    • Recursion is enabled at the member level.
    • Recursion is enabled at the Grid level and member inherits the setting.
    • Recursion is enabled for any DNS view assigned to a member.
  • Security Ecosystem: Displays if TAXII is enabled on a member.
  • Threat Analytics: Displays if Threat Analytics is enabled on a member.
  • Threat Protection: Displays if Threat Protection service is enabled on a member.

License Pool Utilization

The License Pool Utilization dashboard provides information about the utilization of the dynamic licenses in a given time frame. This dashboard displays the total number of dynamic licenses available, percentage of pooled license allocation over time and other related information for each license pool. You can display the report data in table format, in line graph format, or both. Each of the line graphs, represented with a different color, is the utilization of licenses in one particular pool. The default dashboard displays the license pool utilization data for all the license pools. However, you can view the license pool utilization data for a specific license pool.
The default dashboard displays the following information:

  • Period/Date: The time span of the license pool utilization.
  • License Pool: The license pool such as vNIOS, DNS, DHCP, Grid, Cloud Platform, vNIOS CP-V800, and so on.
  • Total License Count: The total number of available licenses.
  • Utilization (%): The percentage of license pool utilization.

Note: The member details are not updated for alert emails in the Traffic Rate by Member report if the rises-by/drops-by operator is used. However, the member details are updated if you use the operators like greater than/less than in the alert filter.


System Capacity Prediction Trend

The System Capacity Prediction Trend dashboard forecasts the date and timestamp when system resources such as CPU, database objects, DHCP leases, and DNS queries reach their thresholds based on the current usage trends for the selected Grid member. This dashboard helps you determine the current usage, thresholds, and the predicted utilization over time. Using this dashboard, you can avoid unexpected usage of resources in your environment. In addition, you can scale the functional capacity for different appliance models.
The default dashboard displays the following information:

  • CPU Threshold
    • Max CPU Utilization: Displays the maximum CPU used by the selected member.
    • CPU Threshold Prediction: Displays the predicted date and time when the CPU usage might reach its threshold based on your current usage.
    • CPU Trend Prediction: Displays the line graph to show the actual, threshold, and predicted CPU usage with a different color for the selected member and model type.
  • DB Objects Threshold
    • Max DB Objects Utilization: The maximum number of database objects that are in use for the selected member.
    • DB Objects Threshold Prediction: Displays the predicted date and time when the database objects reach their threshold based on your current usage trend.
    • DB Objects Trend Prediction: Displays the line graphs with different colors to show the actual database objects usage, database threshold value, and predicted database objects usage.
  • DNS Thresholds
    • Datasheet Max QPS: The maximum number of queries sent to the selected member.
    • QPS Threshold Prediction: Displays the predicted date and time when the queries might reach their threshold based on your current trend.
    • QPS Prediction: Displays line graphs to show the actual number of queries, threshold, and predicted number of queries with a different color for the selected member.
  • DHCP Thresholds
    • Datasheet Max LPS: Displays the appliance model and the number of DHCP leases issued.
    • LPS Threshold Prediction: Displays the predicted date and time when the DHCP leases might reach their threshold based on your current usage trend.
    • DHCP Activity Prediction: Displays the line graphs with a different color to show the actual, threshold, and predicted count of DHCP leases.

IPAM Prediction Dashboard

The IPAM Prediction dashboard provides information about the subnet utilization and DHCPv4 utilization in a graphical form to track the address usage trends over a time frame. This dashboard predicts the number of addresses used, configured thresholds for IPAM utilization, and forecasts the estimated address usage based on the current usage trends. Each of the line graphs is represented with a different color.

Internal Reports

You can monitor information about index volume usage on the reporting server for each report category and reporting members. You can track volume usage statistics by generating the following internal reports:

Reporting Index Usage Statistics

The Reporting Index Usage Statistics dashboard provides information about the current disk space in use and the maximum index space configured for a reporting index. For information about the maximum index size allocated for each index, see Table 40.8. The dashboard shows a bar chart for Index Disk Usage trend. You can mouse over the bar to view the index volume usage/maximum index space allocated for that reporting index.


Note: The Reporting Index Usage Statistics dashboard displays information only for indexes that show activity or disk usage. Indexes that are enabled but have no activity or disk usage are not displayed in the Reporting Index Usage Statistics dashboard.


This dashboard shows the following information:

  • Index (Reporting Member): The name of the index that holds specific types of reporting data.
  • Index Disk Usage Trend (% used/day): The percentage of index disk usage on a daily basis. The trend shows the impact of changing the reporting partition disk allocation and index capacities.
  • Earliest Event: The timestamp of the earliest event in the index.
  • Max Volume (MB): The maximum index volume configured.
  • Usage (%): The percentage of disk space that is currently in use for the index.
  • Volume (MB): The current index volume in use.

Reporting License Usage

The Reporting License Usage dashboard provides license usage over a given time frame and a license usage warning count if there is any license usage violation. The default dashboard displays a bar chart that shows license usage in megabytes over a given time frame.
This dashboard shows the following information:

  • License Usage (MB): The total reporting volume used by each report category in megabytes.
  • Time: The timestamp of license usage.
  • License Usage Warning Count: The warning count triggered due to license usage violation.

Reporting Volume Usage Trend per Category

The Reporting Volume Usage Trend per Category dashboard provides reporting volume usage trends over a given time frame. The default dashboard displays a line chart that shows reporting volume usage trends for report categories over the last day.
This dashboard shows the following information:

  • Volume (MB): The total reporting volume used by each report category in megabytes.
  • Time: The timestamp of events.

Reporting Volume Usage Trend per Member

The Reporting Volume Usage Trend per Member dashboard provides reporting volume usage trends on members in a given time frame. The default dashboard shows line graphs that track reporting volume usage trends on a member within the last day.
This dashboard shows the following information:

  • Volume (MB): The total reporting volume used by each reporting member in megabytes.
  • Time (UTC): The timestamp of events.