
You can use the RESTful API to obtain core network service information from the Infoblox Grid to assist with profiling the source or destination of network devices, or use the RESTful API to change configurations in the Infoblox Grid to help mitigate security threats. In addition to querying inbound data and changing system configurations and query interfaces, you can use the RESTful API to send outbound notifications so you can prioritize your security needs by detecting new hosts or networks or managing network access control.
When there are serious threats, it is important that you receive notifications so you can address the threats accordingly. On the other hand, you may sometimes need to identify and manage low-risk or accidental threats so that endpoint performance is not negatively affected. For example, if a user inadvertently browses to a faulty web site and you have configured RPZ rules to block this site, you may want to receive notifications and take certain actions so that the user is not blocked or quarantined. In addition, when the Infoblox appliance detects a new host or network, the detection might trigger a vulnerability scan by services such as Qualys and a scan for RPZ events configured in NIOS. In this scenario, you might want to configure conditions to capture these events so you can receive outbound notifications and perform appropriate actions to handle the situation.
To enable outbound API notifications, you must have the Security Ecosystem license installed in your Grid. Depending on the notification rules for RPZ and threat protection event types you want to configure on NIOS, you may need to install the applicable licenses. For information about other licensing requirements, see Licensing Requirements on page 1758.
The outbound notification feature employs the following mechanism to enable and deliver event-driven messages to configured endpoints:

  1. Accepts the configuration of events that you want to monitor (such as RPZ hits) and the configuration of endpoints to which you want to send outbound notifications.
  2. Filters events for specific data sets or thresholds, such as RPZ hits for a specific domain within a specific time interval.
  3. Matches the selected events and conditions defined in the RESTful API templates to create outbound API messages.
  4. Sends outbound RESTful API notifications to the configured endpoints.
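The four steps above, modelled as a small Python pipeline. This is an added illustration, not Infoblox code and not the NIOS template format: the event fields (domain, client_ip), the ${placeholder} template style, the endpoint URL, the rule values and the sample events are all constructed for the example.

```python
import string
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """One event collected from the Grid (constructed field names)."""
    event_type: str   # e.g. "RPZ"
    timestamp: float  # seconds since an arbitrary epoch
    data: dict        # e.g. {"domain": ..., "client_ip": ...}


@dataclass
class NotificationRule:
    """Step 1: what to monitor, how to filter it, and where to send it."""
    event_type: str
    domain: str            # step 2: only hits for this domain count
    threshold: int         # step 2: at least this many hits ...
    window_seconds: float  # ... within this interval
    template: dict         # step 3: API template with ${placeholders} (constructed format)
    endpoint: str          # step 4: REST endpoint URL (hypothetical)


def render(template, event):
    """Step 3: fill the template's ${placeholders} from the event's fields.

    safe_substitute leaves unknown placeholders untouched instead of raising,
    so a template typo cannot crash the pipeline.
    """
    return {
        key: (string.Template(value).safe_substitute(event.data)
              if isinstance(value, str) else value)
        for key, value in template.items()
    }


class OutboundPipeline:
    def __init__(self, rules, sender):
        self.rules = rules
        self.sender = sender             # step 4: callable(endpoint, message)
        self._hits = defaultdict(deque)  # rule index -> timestamps of matching hits

    def handle_event(self, event):
        """Run one event through steps 2-4; return the messages sent for it."""
        sent = []
        for idx, rule in enumerate(self.rules):
            if event.event_type != rule.event_type or event.data.get("domain") != rule.domain:
                continue
            hits = self._hits[idx]
            hits.append(event.timestamp)
            # Slide the window: forget hits older than window_seconds.
            while hits and event.timestamp - hits[0] > rule.window_seconds:
                hits.popleft()
            if len(hits) >= rule.threshold:
                message = render(rule.template, event)
                self.sender(rule.endpoint, message)
                sent.append(message)
                hits.clear()  # one notification per burst, not one per extra hit
        return sent


# Constructed rule: notify when the same domain is hit 3 times within 60 seconds.
RULE = NotificationRule(
    event_type="RPZ",
    domain="bad.example",
    threshold=3,
    window_seconds=60.0,
    template={
        "method": "POST",
        "path": "/api/quarantine",  # hypothetical path on the endpoint
        "body": '{"ip": "${client_ip}", "reason": "RPZ hit on ${domain}"}',
    },
    endpoint="https://nac.example.invalid",
)

# Constructed sample events: three hits on the watched domain within a minute,
# one hit on another domain, and two hits too far apart to cross the threshold.
SAMPLE_EVENTS = [
    Event("RPZ", 100.0, {"domain": "bad.example", "client_ip": "10.0.0.5"}),
    Event("RPZ", 110.0, {"domain": "other.example", "client_ip": "10.0.0.6"}),
    Event("RPZ", 120.0, {"domain": "bad.example", "client_ip": "10.0.0.5"}),
    Event("RPZ", 130.0, {"domain": "bad.example", "client_ip": "10.0.0.5"}),
    Event("RPZ", 400.0, {"domain": "bad.example", "client_ip": "10.0.0.7"}),
    Event("RPZ", 700.0, {"domain": "bad.example", "client_ip": "10.0.0.7"}),
]


def run_demo(events=SAMPLE_EVENTS):
    """Feed the sample events through the pipeline; return (endpoint, message) pairs sent."""
    delivered = []
    pipeline = OutboundPipeline([RULE], lambda endpoint, msg: delivered.append((endpoint, msg)))
    for event in events:
        pipeline.handle_event(event)
    return delivered


if __name__ == "__main__":
    for endpoint, message in run_demo():
        print(endpoint, message)
```

Only the burst at timestamps 100 to 130 crosses the threshold, so a single notification is rendered and sent; the later two hits are 300 seconds apart and never accumulate within the window.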

For example, you can first configure RPZ rules to mitigate a malicious IP address, and then configure REST endpoints to which you want to send the outbound notifications. When configuring your notification rule, you can match RPZ events that are initiated by the RPZ rules and apply the API template containing actions to mitigate the threat. The notification rule then triggers outbound notifications: the appliance sends the notifications to the configured REST endpoint and applies the configured actions against the offending IP address.
Before you configure the appliance to send RESTful outbound notifications, there are a few limitations you might want to consider, as described in Best Practices for Outbound Notifications. For detailed information about how to use the outbound notification feature, see Configuring Outbound Notifications.

Note: To access online resources about this feature, including training videos and sample API templates for supported ecosystem partners, ensure that you visit the Infoblox Community Site at https://community.infoblox.com.

For debugging purposes, you can look at the syslog to see if the Outbound service has been started or stopped on specific members. You can also set the logging level to Debug to view all events in the log files, including deduplicated events. However, leaving the logging level at the Debug level could negatively affect your system performance. Therefore, Infoblox does not recommend leaving the logging level at Debug. For information about how to configure the severity level and deduplication, see Configuring REST API Endpoints.

NIOS 8.1 NIOS Administrator Guide (Rev. A) 1757
Using the RESTful API for Outbound Notifications

Licensing Requirements

You must install the Security Ecosystem license to enable outbound API notifications and configure REST endpoints. If you do not have the Security Ecosystem license installed, the outbound notification feature is disabled. You might also need the following licenses to configure notification rules for certain event types:
Table 47.1 Required Licenses

License             Event Types
RPZ                 DNS RPZ
DNS and DHCP        DHCP Lease
Threat Analytics    DNS Tunneling


For information about how to install licenses, see Managing Licenses.

Administrative Permissions

Only superusers can add, edit, and delete REST endpoints and notification rules by default. Limited-access admin groups can perform these tasks only if their administrative permissions are defined. For information about administrative permissions, see About Administrative Permissions.

Best Practices for Outbound Notifications

The following are some best practices and limitations you might want to consider while configuring outbound notifications:

  • You can configure REST endpoints only on the Grid Master and Grid Master Candidate, but not Grid members.
  • During a scheduled full upgrade in the Grid, you cannot modify any configuration related to the outbound feature until all Grid members are upgraded.
  • Outbound notification is not supported during an HA failover. Any events that are in transit during a failover might be lost.
  • When you remove or disable a notification rule, no new events will be triggered. However, the appliance continues to process events that are already in queue.
  • The buffer that temporarily holds events is limited in size and not configurable in this release. In very unlikely conditions, events may be dropped because the buffer is full. If events are dropped, summary information is logged to the syslog to indicate the type of events and the number that have been dropped. If this issue occurs continuously, contact Infoblox Technical Support.
  • Events generated for changes made by admin users do not support the Microsoft Management feature: the appliance does not generate events for changes made from the Microsoft servers. However, if you make changes that need to be synchronized to the Microsoft servers, the object change event is generated before the changes are synchronized with the Microsoft servers.
  • The Grid Master Candidate will continue to perform event enrichments and outbound API calls during and after a Grid Master promotion.
  • If you disable the outbound notification feature or make changes to stop future notifications sent to an endpoint, all notifications that are currently in queue for this endpoint will stop immediately.
  • The appliance uses rate limiting to control both data collection from Grid members and outbound notifications to external endpoints. It is possible for the appliance to drop events if its buffer is full or if there is a loss of connection between the Grid Master and the Grid members. Logs for these events are consolidated and logged to the syslog.
  • The number of API notifications sent to external endpoints can be limited, depending on the requirements configured for the external servers. For example, some REST-enabled servers only accept 10 API calls per second. Some servers might put a user in suspended mode if the number of API calls sent by the user exceeds the limit. If necessary, you can adjust the rate limit criteria for API calls on the external servers.
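A sender-side model of the buffer and rate-limit behaviour described in the bullets on the limited event buffer, rate limiting and per-endpoint call limits. This is an added illustration, not NIOS code: the buffer capacity, the 10-calls-per-second endpoint limit, the event payloads and the summary log line are constructed here using a bounded queue and a token bucket.

```python
import logging
from collections import Counter, deque

log = logging.getLogger("outbound")


class OutboundQueue:
    """Bounded event buffer feeding a rate-limited sender (added model, not NIOS code).

    capacity:          how many events can wait in the buffer (fixed, like the
                       non-configurable buffer the guide describes)
    calls_per_second:  the external endpoint's accepted rate, e.g. 10
    sender:            callable that performs one outbound API call
    """

    def __init__(self, capacity, calls_per_second, sender):
        self.capacity = capacity
        self.rate = float(calls_per_second)
        self.sender = sender
        self.queue = deque()
        self.dropped = Counter()   # event type -> number dropped since last summary
        self._tokens = self.rate   # token bucket: starts full
        self._last = 0.0

    def enqueue(self, event_type, message):
        """Buffer one event; when the buffer is full, count the drop instead of blocking."""
        if len(self.queue) >= self.capacity:
            self.dropped[event_type] += 1
            return False
        self.queue.append((event_type, message))
        return True

    def drain(self, now):
        """Send as many buffered messages as the endpoint's rate allows at time `now`.

        Tokens refill at `rate` per second up to a burst of `rate`, so a backlog
        is worked off at the endpoint's limit rather than in one flood that could
        get the account suspended.
        """
        self._tokens = min(self.rate, self._tokens + (now - self._last) * self.rate)
        self._last = now
        sent = 0
        while self.queue and self._tokens >= 1.0:
            _, message = self.queue.popleft()
            self.sender(message)
            self._tokens -= 1.0
            sent += 1
        return sent

    def drop_summary(self):
        """One consolidated log line per event type, like the syslog summary; then reset."""
        summary = dict(self.dropped)
        for event_type, count in summary.items():
            log.warning("outbound buffer full: dropped %d %s event(s)", count, event_type)
        self.dropped.clear()
        return summary


def run_demo():
    """Constructed scenario: a burst of 25 RPZ events against a 20-slot buffer
    and an endpoint that accepts 10 calls per second."""
    delivered = []
    q = OutboundQueue(capacity=20, calls_per_second=10, sender=delivered.append)
    accepted = sum(q.enqueue("RPZ", {"seq": i}) for i in range(25))
    # Drain at t=0, t=0.5 s and t=1.0 s: 10 calls, then 5, then 5.
    sent_per_tick = [q.drain(now=t) for t in (0.0, 0.5, 1.0)]
    return {
        "accepted": accepted,
        "sent_per_tick": sent_per_tick,
        "delivered": len(delivered),
        "dropped": q.drop_summary(),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_demo())
```

Of the 25 events, 20 fit the buffer and 5 are dropped and reported as one summary line; the 20 buffered events reach the endpoint over a full second instead of all at once, which is the behaviour you want when the receiving server enforces a per-second limit.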