You must install required licenses before you can use the RPZ feature. An RPZ license is required to configure local RPZs and RPZ feeds. 

This section includes the following topics:

For more information, see For Local RPZs and RPZ Feeds below. For FireEye integrated RPZs, you must first install an RPZ license, and then a Security Ecosystem license. For more information, see For FireEye Integrated RPZs below. For all RPZ related licenses, you can install either a temporary or a permanent license on the NIOS appliance. The temporary license provides a 60-day free trial, which can be upgraded to a permanent license. After the license expires, the RPZs will remain intact, but you cannot delete existing or add new entries to it. Infoblox provides RPZ licenses that are compatible with each product model.

For Local RPZs and RPZ Feeds

Before you install an RPZ license, ensure that the following is completed:

Grid members are properly configured and DNS is enabled on the members.

Superusers can configure RPZs and RPZ rules by default. You can also assign global permissions for all RPZs and RPZ rules to specific admin groups and roles. For more information about administrative permissions for zones, see Administrative Permissions for DNS Resources.

Grid-wide licenses for RPZ

Infoblox offers a Grid-wide BloxOneThreat Defense Business On-Premises, BloxOneThreat Defense Business Cloud, and BloxOneThreat Defense Advanced additional services for DNS Firewall feature. These are subscription licenses that you may have to purchase from Infoblox. When you purchase these services, you can use the BloxOne threat subscription data on any appliance that can run DNS Firewall across the Infoblox Grid which you have configured. You can buy these additional services if you do want to use Infoblox threat data and instead use your own or an external threat feed. With these additional services, you get to use a separate license key for each Grid that you use.

When you configure Grid-wide RPZ license for each Grid, RPZ rules are not applied for queries that originate from the other RPZ member(s) of the Grid. When you use multiple Infoblox Grids, you can use the same TSIG key to configure feed zones across all Grids to synchronize feed subscriptions. Note that these services are valid for NIOS versions 8.0 and above. For more information about managing Grid-wide licenses, see Managing Licenses.

For a thorough understanding of the RPZ process using various NIOS versions, consider a scenario where you have configured four members on the Grid: GM(RPZ license), M1(RPZ license), M2(DNS license), M3(RPZ license), and RM1 (Reporting Member).

In NIOS version 8.x:

• When you install a Grid Wide RPZ license, all members with DNS licenses are added to the ACL list:

infoblox-deny-rpz { localhost; GM_IP, Member1_IP; Member2_IP; Member3_IP; }

• When you install a Grid Wide RPZ license, but not a member level RPZ license, NIOS adds all the members with DNS licenses to the ACL list:
  
  infoblox-deny-rpz { localhost; GM_IP, Member1_IP; Member2_IP; Member3_IP; }
  
  
• When you do not install a Grid-wide RPZ license but install member-level RPZ licenses, NIOS adds all  members that have RPZ licenses to the ACL list and enables the Apply RPZ rules only on this member if possible check box for that member. You can clear the check box. 
  
  infoblox-deny-rpz { localhost; GM_IP, Member1_IP; Member2_IP; Member3_IP; }

Note the following about Grid-wide licenses for RPZ:

• NIOS displays rpz in the Grid-wide and Member tabs when RPZ license is installed.
• When you enable a temporary license for RPZ, it is enabled at the Grid level and listed under the Grid Wide tab. You do not have to set the license at the member level.
• NIOS performs a pre-provision check for an RPZ member who joins the Grid to verify if a Grid-wide license is installed for the RPZ member. If the Grid-wide license is found, NIOS allows the member to join the Grid.
• If an RPZ license expires, Feed Zone stops receiving feed updates after the grace period. However, the RPZ feature remains until it expires. This grace period TTL is configured in BloxOne Plus/Advanced services.
• After you remove the Grid-wide license for RPZ, this feature still keeps functioning for members that do not have a Grid-wide license until you restart the service. When you remove the RPZ license that is associated with a specific member, NIOS restarts the service automatically and disables RPZ for the respective member.
• NIOS checks for a Grid-wide license of a pre-provisioned type when a member first joins the Grid. For example, if a member is pre-provisioned for RPZ and a Grid-wide RPZ license is installed, then NIOS allows the member to join the Grid, even though the member does not have a valid RPZ license.

Customizing Threat Feeds on an RPZ Member

To configure an RPZ member to use your own or external threat feeds instead of RPZ feeds, complete the following:

1. From the Data Management tab, select DNS, and then click Members.
2. Select a member and click Edit from the Toolbar.
3. In the Member DNS Properties editor, click General tab -> Advanced tab.
   • Apply RPZ rules only on this member if possible: Select this check box if the forwarders must not apply RPZ rules to the responses that is returned to the other member, when this RPZ member queries other Grid member details.
4. Save the configuration.

For FireEye Integrated RPZs

You can enable FireEye integrated RPZs on the appliances that have both the RPZ and Security Ecosystem licenses installed. Note that you must install an RPZ license prior to installing the Security Ecosystem license.

NIOS appliance creates a new group, fireeye-group, when you add the first FireEye zone. The FireEye admin group is read-only and you cannot assign permissions to it. It will not have any superuser privileges and you cannot modify or delete this group. You can add users to the fireeye-group admin group, and FireEye users can only send alerts to the NIOS appliance. They cannot access the Infoblox GUI, CLI, API, or RESTful API. These users are authenticated based on the usernames and passwords you configure in the FireEye admin group. Only admin users who belong to the FireEye admin group can publish FireEye alerts. Other admin users cannot do so. For information about how to configure the FireEye appliance, see Configuring the FireEye Appliance.

To add users to the fireeye-group, complete the following:

1. From the Administration tab, select Administrators, and then click Admins.
2. Click Add and enter the usernames and passwords. For more information on how to add users to an admin group, see Creating Local Admins. Select fireeye-group for the admin group and add users to this group.

Uninstalling the Security Ecosystem License

When you uninstall the Security Ecosystem license, new FireEye alerts will not be processed. However, the FireEye integrated RPZs and the rules in those zones will not be deleted. Note the following when you uninstall the Security Ecosystem license:

• New FireEye alerts will not be processed
• FireEye RPZ zones that were created before uninstalling the license will remain
• You cannot create new FireEye RPZ zones
• RPZ rules created from the alert will remain
• Note that if the RPZ and Security Ecosystem licenses are installed, then you must first remove the Security Ecosystem license to remove the RPZ license.
• The fireeye-group and the FireEye zones will remain even after you delete the Security Ecosystem license.