
Configuring Outbound Endpoints

NIOS sends outbound notifications to an endpoint based on the notification rule and the outbound template that you have configured. With NIOS, you can configure REST API, DXL, syslog, and Cisco ISE endpoints to receive outbound notifications. You can use the RESTful API and the DXL fabric to obtain core network service information from the Infoblox Grid, which helps with profiling the source or destination of network devices, or use WAPI steps in a RESTful API or DXL action template to change configurations in the Infoblox Grid and help mitigate security threats. Besides querying inbound data and changing system configurations, you can use RESTful API and DXL messages to send outbound notifications so that you can prioritize your security needs, for example by detecting new hosts or networks or by managing network access control.

The REST API endpoint that you configure must be REST enabled so that it can handle RESTful API calls. DXL endpoints must be connected to DXL brokers and must listen on the DXL topics configured in the DXL action template. You must upload session management and action templates before you configure endpoints.

Note

Infoblox recommends that you send notifications from a Grid Master Candidate, when it is available, instead of the Grid Master.

Configuring REST API Endpoints

You can configure REST API endpoints and define rules to send outbound notifications to the REST enabled target system.

To configure a REST API endpoint, complete the following:

  1. From the Grid/System tab, select the Ecosystem tab -> Outbound Endpoint tab and then click Add -> Add REST API Endpoint from the Toolbar.
  2. In the Add REST API Endpoint wizard, complete the following:
    • URI: Specify the URL for the endpoint to which you are sending the outbound notifications. Example: https://10.36.101.14/offices.
    • Test Connection: Click this to validate the endpoint settings and test the connectivity between the Grid Master and the endpoint. It does not test the connection between the Grid Master Candidate that is assigned as the outbound member and the endpoint. Grid Manager displays a message indicating whether the connection is successful. Note that the test does not validate username, password, or certificate for the endpoint. It only tests the basic connection between the Grid Master and the endpoint.
    • Name: Specify the name used to identify the endpoint.
    • Vendor Type: The REST API vendor type associated with the endpoint. This is optional.
    • Network View: This appears only when you have multiple network views. From the drop-down list, select the network view in which you want to create the network.
    • Auth Username: Enter the username for the target endpoint. The appliance ignores the Auth Username for WAPI related steps in any action template if WAPI integration is configured. It still uses this username for other non-WAPI related steps.
    • Auth Password: Enter the password of that user account. You can click Clear Password to clear the password and set a new one. The appliance ignores the Auth Password for WAPI related steps in any action template if WAPI integration is configured. It still uses this password for other non-WAPI related steps.
    • Client Certificate: Click Select to upload the client certificate that the outbound member presents to the endpoint when the endpoint requires client authentication. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload.
    • WAPI Integration Username: If you have included at least one "wapi" related field in your action template, you must configure WAPI integration; otherwise the WAPI step will fail due to an authorization error. Enter the username of the admin user you want to designate for RESTful API outbound notifications. The appliance ignores the Auth Username and Auth Password for WAPI related steps in any action templates if WAPI integration is configured.
    • WAPI Integration Password: Enter the password of the admin user you have designated for RESTful API outbound notifications.
    • Server Certificate Validation: Select one of the following for server certificate validation:
      • Use CA Certificate Validation (Recommended): Select this to validate the endpoint's server certificate against a trusted CA certificate before any data is transmitted. Click CA Certificates to upload the trusted CA certificate that issued the endpoint's certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it. This is the default.
        • Enable Host Validation: Select this to also check that the host name in the URI matches the name in the endpoint's certificate. If you do not select this, the appliance validates only the certificate chain, so any certificate issued by the trusted CA is accepted regardless of the name it carries.
      • Do not use validation (Not recommended): Infoblox does not recommend using this for your production system; without validation the appliance cannot tell the real endpoint from an impostor. Use this for testing purposes only.
    • Member Source outbound API requests from: Select one of the following to process and send outbound API notifications:
      • Selected Grid Master Candidate (Recommended): Select this to use the Grid Master Candidate to process and send outbound notifications to the endpoint. If there are multiple Grid Master candidates, select a Grid Master Candidate from the drop-down list. This is the recommended choice and is selected by default because the CPU and memory required for processing and sending outbound events from the Grid Master Candidate can be offloaded or manually load balanced across multiple Grid Master Candidates if required.

Note

If your outbound member is a Grid Master Candidate and that Grid Master Candidate is promoted to Grid Master, change the outbound member in the endpoint configuration to the Grid Master to avoid outbound notification failures. For information, see Modifying Outbound Endpoint Configuration.

      • Current Grid Master: Click this to use the Grid Master to send outbound notifications to the endpoint. When you use the Grid Master as the outbound member, ensure that it has enough CPU and memory to process all the workloads and processes, in addition to being an outbound member. Infoblox recommends that you use the Grid Master as an outbound member only for testing purposes to avoid overloading the Grid Master and to maintain optimal performance for the Grid.
    • Comment: Enter additional information about the REST API endpoint.
    • Disable: Select this if you want to save the configuration but do not want to use it yet. You can clear this checkbox when you are ready to use this configuration.

3. Click Next to set how long the outbound member waits for a response from the endpoint before the session times out. Complete the following to specify the session timeout value:

    • Timeout: Specify the session timeout value for the endpoint. The default value is 30 seconds.
    • Template: Click Select Template to select a session management template. For information, see Creating Session Management Templates.
    • Vendor Type: Displays the vendor information for the endpoint.
    • Template Type: Displays Session Management or Action based on the template you select.
    • Parameters: Displays the parameters of the template you select. You can access these values in the notification rules.

4. Save the configuration.
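The REST endpoint that receives these notifications is yours to implement, and the Test Connection check above exercises neither the credentials nor the certificate. The following is an added example, not NIOS code and not from the Infoblox documentation, of a minimal receiver in Python that does what a REST enabled target should: terminate TLS with a certificate the Grid can validate, require the client certificate uploaded under Client Certificate, and check the Auth Username and Auth Password as HTTP Basic credentials in constant time. The path /offices, the credentials, the file names, and the expectation that NIOS sends Basic credentials with a JSON body are assumptions for the example.

```python
"""Minimal REST receiver for NIOS outbound notifications.

Added example, not NIOS code. Assumptions: NIOS posts to https://<host>/offices,
sends the configured Auth Username/Auth Password as HTTP Basic credentials, and
the body is a JSON object. File names and credentials are placeholders.
"""
import base64
import hmac
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder credentials; load these from a secret store in a real deployment.
EXPECTED_USER = "nios-outbound"
EXPECTED_PASSWORD = "change-me"
NOTIFY_PATH = "/offices"  # matches the URI configured on the NIOS endpoint


def basic_auth_header(username, password):
    """Build the Authorization header value a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(authorization_header, username, password):
    """Return True only if the header carries exactly the expected Basic credentials.

    hmac.compare_digest keeps the comparison constant-time so a wrong password
    does not leak timing information to whoever is probing the endpoint.
    """
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{username}:{password}".encode("utf-8")
    return hmac.compare_digest(decoded.encode("utf-8"), expected)


def parse_notification(body):
    """Parse the JSON body; anything that is not a JSON object is rejected."""
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


class NotificationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != NOTIFY_PATH:
            self.send_error(404)
            return
        if not check_basic_auth(self.headers.get("Authorization"),
                                EXPECTED_USER, EXPECTED_PASSWORD):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="nios-outbound"')
            self.end_headers()
            return
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            self.send_error(411)
            return
        payload = parse_notification(self.rfile.read(length))
        if payload is None:
            self.send_error(400, "expected a JSON object")
            return
        # Hand the event to whatever consumes it (SIEM queue, ticketing, ...).
        self.log_message("notification from %s: %s",
                         self.client_address[0], json.dumps(payload, sort_keys=True))
        self.send_response(204)
        self.end_headers()


def build_server(bind=("0.0.0.0", 443), certfile="server.pem",
                 keyfile="server.key", client_ca="nios-client-ca.pem"):
    """Wrap the listener in TLS and require a client certificate issued by client_ca.

    certfile must chain to the CA certificate uploaded on the NIOS endpoint under
    Server Certificate Validation, and its subject alternative name must match the
    host in the URI when Enable Host Validation is on. client_ca is the issuer of
    the certificate uploaded under Client Certificate; requiring it makes the
    connection mutually authenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    server = HTTPServer(bind, NotificationHandler)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    return server


if __name__ == "__main__":
    build_server().serve_forever()
```

Because Test Connection only proves the TCP/TLS path from the Grid Master, the useful end-to-end check is a real notification: trigger a rule that targets this endpoint and confirm the receiver logs a 204 rather than a 401 or a TLS handshake failure, and run that check from the Grid Master Candidate that is actually the outbound member.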

Configuring DXL Endpoints

When adding a DXL endpoint, you must configure the DXL client and the broker. DXL brokers that are installed on managed systems route messages between connected clients. The network of brokers tracks active consumers and dynamically adjusts the message routing as needed. As shown in the figure below, a broker relays a message when a client requests a service or when an update is broadcast.

An outbound worker that acts as a DXL client sends data and templates to the DXL broker fabric over the DXL protocol. You can change the format of the DXL message by using the relevant template. A connection is established as soon as the outbound worker starts transmitting data.

You can either manually configure the list of DXL brokers that the DXL clients in NIOS use or import the broker configuration file. Configuring a DXL endpoint requires importing the DXL broker list and the broker certificates on the Infoblox side, and importing the Infoblox certificate on the McAfee side. Note that you must install the Security Ecosystem license before you configure a DXL endpoint.

On the McAfee ePolicy Orchestrator (McAfee ePO) side, you must do the following:

  1. Import NIOS certificate.
  2. Export DXL broker certificates.
  3. Export a DXL broker list.

To configure a DXL endpoint, complete the following:

  1. From the Grid/System tab, select the Ecosystem tab -> Outbound Endpoint tab and then click Add -> Add DXL Endpoint from the Toolbar.
  2. In the Add DXL Endpoint wizard, complete the following:
    • Name: Specify the name used to identify the endpoint.

    • Vendor Type: The DXL vendor type associated with the endpoint. This is optional.

    • Client Certificate: Click Generate to have NIOS generate both the client certificate and its CA certificate for the endpoint. The client certificate is installed on NIOS automatically and a copy of the CA certificate is downloaded; import that CA certificate into the DXL server (refer to the McAfee documentation for the procedure), otherwise the brokers will not trust the NIOS client. If you already have a client certificate, click the Upload icon, click Select in the Upload dialog box to navigate to the certificate, and then click Upload.

    • CA Certificates: Click CA Certificates to upload the broker certificate. Download the broker certificate from the DXL server and upload it to NIOS. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.

    • WAPI Integration Username: If you have included at least one “wapi” related field in your action template, you must configure WAPI integration; otherwise, the WAPI step will fail due to an authorization error. Enter the username of the admin user you want to designate for DXL notifications.

    • WAPI Integration Password: Enter the password of the admin user you have designated for DXL notifications.

    • Member Source outbound API requests from: Select one of the following to process and send outbound notifications:

        • Selected Grid Master Candidate (Recommended): Select this to use the Grid Master Candidate to process and send outbound notifications to the endpoint. If there are multiple Grid Master candidates, select a Grid Master Candidate from the drop-down list. This is the recommended choice and is selected by default because the CPU and memory required for processing and sending outbound events from the Grid Master Candidate can be offloaded or manually load balanced across multiple Grid Master Candidates if required.

          Note

          If your outbound member is a Grid Master Candidate and that Grid Master Candidate is promoted to Grid Master, change the outbound member in the endpoint configuration to the Grid Master to avoid outbound notification failures. For information, see Modifying Outbound Endpoint Configuration.

        • Current Grid Master: Click this to use the Grid Master to send outbound notifications to the endpoint. When you use the Grid Master as the outbound member, ensure that it has enough CPU and memory to process all the workloads and processes, in addition to being an outbound member. Infoblox recommends that you use the Grid Master as an outbound member only for testing purposes to avoid overloading the Grid Master and to maintain optimal performance for the Grid.
    • Comment: Enter additional information about the DXL endpoint.
    • Disable: Select this if you want to save the configuration but do not want to use it yet. You can clear this checkbox when you are ready to use this configuration.

3. Click Next to add the DXL broker. There are two ways to configure the DXL broker. You can either manually enter the host name of the broker or you can import the broker configuration file using the Import option.

To create your own file with brokers list:

In the Brokers wizard, do the following:

    • Click Add to open the Add Broker wizard. Enter the host name in the Host Name text box. Optionally, you can enter the following information as well:
      • IP address: Enter the IP address of the DXL broker.
      • Unique ID: A unique identifier for the broker. This is useful for identifying the DXL broker in log messages.
      • Port information: The port number used to communicate with the DXL broker.

To import the broker configuration file:

In the Brokers wizard, do the following:

    • Click Import to upload the broker configuration file. In the Upload dialog box, click Select to navigate to the broker configuration file (brokerlist.properties), which you export from McAfee ePolicy Orchestrator (McAfee ePO); for information about how to export it, refer to the McAfee documentation. Click Upload to upload the file.

Click Test Connection to validate the connectivity between the DXL broker fabric and the Grid Master.

4. Click Next to add a DXL topic. DXL uses topics to send data. You can then add the topic to a notification rule so that NIOS can send notifications when an event related to the topic occurs.

To add a topic:

    • Click the Topics tab. Click the Add icon and enter a topic. Use the topic format defined in the session management template, for example /infoblox/outbound/LEASE.

5. Click Next to set the session timeout and the log level for events.

    • Timeout: Specify the session timeout value for the endpoint. The default value is 30 seconds.
    • Log Level: From the drop-down list, select the severity level for the events. The severity level you select here determines the type of events that are logged. This can be Debug, Info, Warning, or Error. When you select Debug, all fields or variables used in the events that were sent to the endpoint are logged, including deduplicated events for RPZ hits. For information about deduplication, see Deduplicating Events. Note that setting this to Debug might slightly affect the performance of your production system.
    • Vendor Type: Displays the vendor information for the endpoint.
    • Template Type: Displays Session Management template.
    • Parameters: Displays the parameters of the template you select. You can access these values in the notification rules.

6. Save the configuration.
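The Import option above takes the broker list exported from McAfee ePO, and the Add Broker wizard asks for the same four values per broker (host name, IP address, unique ID, port). As an added example, not NIOS or McAfee code, the following Python parses such a list and rejects what an import should not silently accept: malformed or duplicate unique IDs, out-of-range ports, and unparsable IP addresses. It assumes the file uses the format documented for the OpenDXL client configuration's [Brokers] section, `{id}={id};{port};{hostname};{ip}`; verify that against your own export before relying on it. The sample list is constructed.

```python
"""Parse and validate a DXL broker list before importing it into NIOS.

Added example, not NIOS or McAfee code. Assumption: the exported file follows
the OpenDXL client configuration format, one broker per line:
    {unique-id}={unique-id};{port};{host-name};{ip-address}
Verify this against your own ePO export. SAMPLE_BROKERLIST is constructed.
"""
import ipaddress
import re

SAMPLE_BROKERLIST = """\
# constructed sample, not a real McAfee ePO export
[Brokers]
{5d73b77f-8c4b-4ae0-b437-febd12facfd4}={5d73b77f-8c4b-4ae0-b437-febd12facfd4};8883;broker1.example.net;192.0.2.10
{24a7b8c2-0f1e-4d3a-9b5c-7e6f5a4b3c2d}={24a7b8c2-0f1e-4d3a-9b5c-7e6f5a4b3c2d};8883;broker2.example.net;192.0.2.11
"""

_UNIQUE_ID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
_LABEL = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


class BrokerListError(ValueError):
    """Raised with a line number when the file cannot be imported as-is."""


def parse_brokerlist(text):
    """Return a list of {'unique_id', 'port', 'hostname', 'ip'} dicts or raise BrokerListError."""
    brokers, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":  # comments and the [Brokers] section header
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise BrokerListError(f"line {lineno}: expected id=id;port;hostname;ip")
        fields = [f.strip() for f in value.split(";")]
        if len(fields) != 4:
            raise BrokerListError(f"line {lineno}: expected 4 fields, found {len(fields)}")
        unique_id, port, hostname, ip = fields
        # The key and the first field carry the same ID; a mismatch means a hand edit went wrong.
        if key.strip() != unique_id or not _UNIQUE_ID.match(unique_id):
            raise BrokerListError(f"line {lineno}: malformed or mismatched broker unique ID")
        if unique_id.lower() in seen:
            raise BrokerListError(f"line {lineno}: duplicate broker unique ID {unique_id}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise BrokerListError(f"line {lineno}: invalid port {port!r}")
        if not _HOSTNAME.match(hostname):
            raise BrokerListError(f"line {lineno}: invalid host name {hostname!r}")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            raise BrokerListError(f"line {lineno}: invalid IP address {ip!r}") from None
        seen.add(unique_id.lower())
        brokers.append({"unique_id": unique_id, "port": int(port),
                        "hostname": hostname, "ip": ip})
    if not brokers:
        raise BrokerListError("no broker entries found")
    return brokers


def brokerlist_problem(text):
    """Return None if the list would import cleanly, else the first problem as a string."""
    try:
        parse_brokerlist(text)
    except BrokerListError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for b in parse_brokerlist(SAMPLE_BROKERLIST):
        # These are the four values the Add Broker wizard asks for.
        print(f"{b['hostname']}:{b['port']}  ip={b['ip']}  id={b['unique_id']}")
```

The unique ID is what NIOS uses to identify a broker in log messages, so duplicates would make a failing broker impossible to tell apart from a healthy one; the host name is what the broker certificate uploaded under CA Certificates must be validated against, so an entry that carries only an IP is worth a second look before you import it.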

Configuring Syslog Endpoints

You can configure syslog endpoints to define the syslog message format. When an event is triggered, the syslog message is sent in the format you define. You can then analyze the data in the messages and take corrective measures. You can send syslog notifications as either raw or formatted text, and you can send a test syslog notification.

To configure a syslog endpoint, complete the following:

  1. From the Grid/System tab, select the Ecosystem tab -> Outbound Endpoint tab and then click Add -> Add Syslog Endpoint from the Toolbar.
  2. In the Add Syslog Endpoint wizard:
    • Name: Specify a name for the endpoint.
    • Click the + icon to add a syslog address:
    • Address: Enter the IP address of the syslog server.
    • Transport: Select the connection type that the syslog server uses. Supported types are UDP, TCP, and Secure TCP. If you select TCP or UDP, the default port number is 514 and you do not need to upload a certificate; note that neither transport encrypts or authenticates the messages. If you select Secure TCP, the default port number is 6514 and you must upload a certificate.
    • Certificate: If you selected Secure TCP, you must upload the syslog server's HTTPS certificate or the CA certificate that issued it, so that NIOS can validate the server. For more information, see Managing Certificates.
    • Port: Specify the port number that the syslog server will use to communicate with NIOS.
    • Message Format: Select the format of the syslog message. If you select Formatted, you must specify the facility and severity to be sent in the syslog message header.
    • Host Name: If you selected Formatted as the message format, then the value that you select from the Host Name drop-down list is sent in the syslog message header.
    • Facility: Select the location that determines the processes and daemons from which the log messages are generated.
    • Severity: Select a severity for the syslog message. The severity type that you select is sent in the syslog message header.
    • Click Add. The syslog server details are added to the table. You can add more syslog addresses by clicking the + icon. You can also generate a test syslog notification by clicking Test.
    • Vendor Type: Select the vendor information for the endpoint.
    • WAPI Integration Username: If you have included at least one "wapi" related field in your action template, you must configure WAPI integration; otherwise the WAPI step fails due to an authorization error. Enter the user name of the admin user you want to designate for Syslog outbound notifications. The appliance ignores the Auth Username and Auth Password for WAPI related steps in any action templates if WAPI integration is configured.
    • WAPI Integration Password: Enter the password of the admin user you have designated for Syslog outbound notifications.
    • Member Source outbound API requests from: Select one of the following to process and send outbound notifications:
      • Selected Grid Master Candidate (Recommended): Select this to use a Grid Master Candidate to process and send outbound notifications to the endpoint. If there are multiple Grid Master Candidates, select one from the drop-down list. This is the default.
      • Current Grid Master: Select this to use the Grid Master to send outbound notifications to the endpoint. Infoblox recommends using the Grid Master as the outbound member only for testing purposes, to avoid overloading it.
    • Comment: Enter additional information about the syslog endpoint.
    • Disable: Select this if you want to save the configuration but do not want to use it yet. You can clear this checkbox when you are ready to use this configuration.
  3. Click Next to set how long the outbound member waits for a response from the endpoint before the session times out. Complete the following to specify the session timeout value:
    1. Timeout: Specify the session timeout value for the endpoint. The default value is 30 seconds.
    2. Template: Click Select Template to select a session management template. 
    3. Vendor Type: Displays the vendor information for the endpoint.
    4. Template Type: Displays Session Management or Action based on the template you select.
    5. Parameters: Displays the parameters of the template you select. You can access these values in the notification rules.
  4. Click Next to add extensible attributes for the endpoint. For information, see Managing Extensible Attributes.
  5. Save the configuration.
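The Formatted option above puts a facility, severity, and host name into the syslog header; the Transport option picks UDP or TCP on port 514, or TLS on port 6514 with a certificate. The following added example (Python, not NIOS code) shows what that header looks like and how the PRI value is derived from facility and severity, how TCP and Secure TCP messages are framed, and how a TLS client validates the server against the uploaded CA certificate. It assumes that Formatted means an RFC 5424 header and that the stream transports use octet-counting framing; the server address, certificate path, and sample message are placeholders.

```python
"""Build and send syslog notifications the way a NIOS syslog endpoint expects.

Added example, not NIOS code. Assumptions: "Formatted" means an RFC 5424 header
(<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG); TCP and Secure
TCP use octet-counting framing (RFC 6587 / RFC 5425); the server, CA file and
sample message are placeholders.
"""
import datetime
import socket
import ssl

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
DEFAULT_PORTS = {"udp": 514, "tcp": 514, "secure_tcp": 6514}


def pri(facility, severity):
    """PRI is facility * 8 + severity; receivers use it to route and filter lines."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_message(facility, severity, hostname, app_name, msg, timestamp=None):
    """Render one RFC 5424 line.

    Control characters in msg are replaced so that a value copied from an event
    (a DNS name in an RPZ hit, say) cannot inject a forged second log line into a
    UDP or newline-framed stream.
    """
    ts = timestamp or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = "".join(ch if ch >= " " and ch != "\x7f" else " " for ch in msg)
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {app_name} - - - {body}"


def frame(message, transport):
    """UDP sends the bare line; stream transports prefix it with its octet count."""
    data = message.encode("utf-8")
    if transport == "udp":
        return data
    return f"{len(data)} ".encode("ascii") + data


def tls_context(ca_cert):
    """Client context that trusts only the uploaded CA and checks the server name."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send(message, address, transport="udp", port=None, ca_cert=None, timeout=30):
    """Deliver one framed message; returns the number of bytes sent."""
    if transport not in DEFAULT_PORTS:
        raise ValueError(f"unsupported transport {transport!r}")
    port = port or DEFAULT_PORTS[transport]
    data = frame(message, transport)
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (address, port))
    if transport == "secure_tcp" and not ca_cert:
        raise ValueError("secure_tcp requires the server's CA certificate")
    with socket.create_connection((address, port), timeout=timeout) as raw:
        if transport == "tcp":
            raw.sendall(data)
            return len(data)
        # server_hostname drives host name validation; if address is an IP, the
        # server certificate needs a matching IP subject alternative name.
        with tls_context(ca_cert).wrap_socket(raw, server_hostname=address) as tls:
            tls.sendall(data)
            return len(data)


if __name__ == "__main__":
    line = format_message("local0", "info", "nios-gmc1", "nios-outbound",
                          "DHCP_LEASE ipv4addr=192.0.2.25 mac=00:53:00:aa:bb:cc")
    print(line)
    # Real delivery would be, for example:
    # send(line, "syslog.example.net", "secure_tcp", ca_cert="syslog-ca.pem")
```

The same facility and severity values appear in the Facility and Severity drop-down lists of the wizard; a receiver that filters on `local0.info`, for instance, is looking for PRI 134. The Test button in the wizard is the quickest way to confirm that the framing and the certificate chain agree with what the collector expects.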

Configuring Cisco ISE Endpoints

You can configure a Cisco ISE endpoint by either using the Ecosystem > Cisco ISE Endpoint tab or by using the Ecosystem > Outbound Endpoint tab. The instructions in this section pertain to configuring Cisco pxGrid 2.0. To configure Cisco pxGrid 1.0 and to use the Cisco ISE Endpoint tab, see Configuring Cisco ISE on NIOS.

To configure the Cisco ISE endpoint using the Outbound Endpoint tab, complete the following:

  1. From the Grid/System tab, select the Ecosystem tab -> Outbound Endpoint tab and then click Add -> Add Cisco ISE Endpoint from the Toolbar.
  2. In the Add Cisco ISE Endpoint wizard:
    • Server Address: Enter the IP address of the Cisco ISE.
    • Name: Specify a name for the endpoint.
    • Subscribing Member: Select a Grid Master Candidate that you want to subscribe as the client on the Cisco ISE. Or you can select the current Grid Master as the subscribing member. This member interacts with the Cisco ISE to obtain contextual information for the subscribed data types.
    • Vendor Type: The vendor type associated with the endpoint. This is optional.
    • Client Certificate: Click Select to upload the client certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload.
    • Manage Certificates: Click CA Certificates to upload the self-signed certificate or CA certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.
    • WAPI Integration Username: If you have included at least one "wapi" related field in your action template, you must configure WAPI integration; otherwise the WAPI step fails due to an authorization error. Enter the user name of the admin user you want to designate for Cisco ISE outbound notifications. The appliance ignores the Auth Username and Auth Password for WAPI related steps in any action templates if WAPI integration is configured.
    • WAPI Integration Password: Enter the password of the admin user you have designated for Cisco ISE outbound notifications.
    • Test Connection: Click this to validate the endpoint settings and test the connectivity between the Grid Master and the endpoint. It also validates the certificate that you uploaded. It does not test the connection between the Grid Master Candidate that is assigned as the outbound member and the endpoint. Grid Manager displays a message indicating whether the connection is successful. Note that the test does not validate the user name and password for the endpoint. It only tests the basic connection between the Grid Master and the endpoint and validates the certificate.
    • Comment: Enter additional information about the Cisco ISE endpoint.
    • Disable: Select this checkbox if you want to save the configuration but do not want to use it yet. You can clear this checkbox when you are ready to use this configuration.
  3. Click Next to set how long the outbound member waits for a response from the endpoint before the session times out. Complete the following to specify the session timeout value:
    1. Timeout: Specify the session timeout value for the endpoint. The default value is 30 seconds.
    2. Template: Click Select Template to select a session management template.
    3. Vendor Type: Displays the vendor information for the endpoint.
    4. Template Type: Displays Session Management or Action based on the template you select.
    5. Parameters: Displays the parameters of the template you select. You can access these values in the notification rules.
  4. Click Next to specify the data types that you want to obtain from the Cisco ISE. The Cisco ISE shares information only for the subscribed data types. Complete the following to specify the data types you want to collect from the Cisco ISE server:
    • Subscription Settings: Select the predefined data types to which you want to subscribe from the Available Data Type table. Use the arrows to move data types from the Available Data Type table to the Selected Data Type table. NIOS receives information for all data types in the Selected Data Type table.
    • Map other data types to Extensible Attributes: You can create extensible attributes and map these extensible attributes to receive additional Cisco ISE data values, such as IP address, MAC, NAS IP Address, NAS Port ID, EPS Status, Posture Status, Posture Timestamp, Endpoint Profile Name, Account Session ID, and Audit Session ID. Click the Add icon and map a Cisco ISE data type to an extensible attribute. You can also select a row and click the Delete icon to delete it.
  5. Click Next to add the data types that you want to publish to the Cisco ISE server. Use the arrows to move data types from the Available table to the Selected table. NIOS publishes information only for the data types that are added to the Selected table.
  6. Click Next to add extensible attributes for the endpoint. For information, see Managing Extensible Attributes.
  7. Save the configuration.

Modifying Outbound Endpoint Configuration

To modify an endpoint configuration:

  1. From the Grid/System tab, select the Ecosystem tab -> Outbound Endpoint tab, click the Action icon next to the endpoint name and select Edit from the menu.
  2. The <Endpoint Name> Endpoint editor provides the following tabs from which you can modify data:
    • General: You can modify the general information of an endpoint, as described in the configuration section for that endpoint type above.
    • Brokers: You can modify the DXL broker configuration, as described in Configuring DXL Endpoints. This tab is available only for DXL endpoints.
    • Session Management: You can edit the session timeout value and upload a new session management template.
    • Extensible Attributes: You can add, modify, and delete extensible attributes that are associated with an endpoint. For information, see Managing Extensible Attributes.
  3. Save the configuration.

Viewing All Outbound Endpoints

The Outbound Endpoint tab displays all outbound endpoints that are configured on the NIOS appliance.
To view the list of outbound endpoints:

  1. From the Grid/System tab, select the Ecosystem tab, and click the Outbound Endpoint tab.
  2. Grid Manager displays the following information for each endpoint:
    • Name: The name of the endpoint.
    • Endpoint Type: The endpoint type, such as DXL or REST API.
    • URI: The URL to which the outbound notifications are sent.
    • Vendor Type: The vendor type associated with the endpoint.
    • Outbound Member: The outbound member that processes and sends outbound notifications. This can be either the Grid Master Candidate or the Grid Master. Infoblox recommends that you select the Grid Master Candidate and this is selected by default.
    • Comment: Additional information about the endpoint configuration.
    • Client Certificate Valid From: The timestamp when the client certificate for a notification endpoint is created.
    • Client Certificate Valid To: The timestamp when the client certificate for a notification endpoint expires.
    • Disabled: Indicates whether the endpoint is disabled.
    • Site: This is a predefined extensible attribute.

You can also do the following in this tab:

  • Click the Action icon and do the following:
    • Edit: Select this to modify the endpoint information.
    • Delete: Select this to delete an endpoint. Click Yes in the Delete Confirmation (REST API Endpoint) dialog box to delete an endpoint.
    • View Debug Log: Select this to view debug messages about all events associated with the selected endpoint. Through a separate browser, you can view the debug logs from all Grid members.
  • Edit an outbound endpoint information.

    • Select the endpoint, and then click the Edit icon.
  • Delete an outbound endpoint.
    • Select the endpoint, and then click the Delete icon.
  • Export the list of outbound endpoints.
    • Click the Export icon.
  • Print the list of outbound endpoints.
    • Click the Print icon.
  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
  • Create a quick filter to save frequently used filter criteria:
    1. In the filter section, click Show Filter and define filter criteria for the quick filter.
    2. Click Save and complete the configuration in the Save Quick Filter dialog box.

The appliance adds the quick filter to the quick filter drop-down list in the panel. Note that global filters are prefixed with [G], local filters with [L], and system filters with [S].

  • Sort the outbound endpoints in ascending or descending order by column.