
Using NIOS DNS Firewall Monitoring and Reporting (1526)

This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. Other lab environments are untested, and the lab will likely not work in them.

Scenario

As part of the corporate security policy, you are tasked with identifying potentially compromised clients and reviewing recent DNS security events. Using the Security Dashboard and Reporting Server, you analyze RPZ hits, verify the status of name servers and RPZ feeds, and identify affected clients. You then create a search for hits on the infoblox-base.rpz.infoblox.local feed, add it to a custom dashboard, generate a report, and configure an alert that sends an email to noc@techblue.net when new hits are detected.

Estimate Completion Time

  • 45 to 55 minutes

Credentials

  Description       Username   Password   URL or IP
  Grid Manager UI   admin      infoblox   https://10.100.0.100/

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.



Tasks

  1. Analyze the Security Dashboard Widgets

  2. Investigate the available Reporting Server Dashboards to identify DNS Top RPZ Hits

  3. Create a new Dashboard called DDI Security Dashboard

  4. Create a DDI Security Dashboard Panel and a Report based on RPZ Hits

  5. Create an Email Alert triggered by RPZ Hits

Task 1: Analyze the Grid Status and Health using Security Dashboard Widgets

  • View the RPZ Recent Hits in the Security Dashboard to identify clients that are causing many RPZ hits.

  • Use the Security Dashboard to confirm the status of the Grid name servers, ibns1.techblue.net and ibns2.techblue.net

  • Investigate the peak time when the most RPZ hits occur

Task 2: Investigate the available Reporting Server Dashboards to identify DNS Top RPZ Hits

If the reporting server needs to be configured, use the following instructions to set it up:

  • Click Continue to the app setup page

    • Username: training

    • Password: infoblox

    • Protocol: SCP

    • Host/ IP Address: 10.100.0.205

    • Port: 22

    • Path: /home/training/Documents/ReportingData

Please allow 25 to 30 minutes for the Reporting Server to pull data off the Grid and populate its Dashboards and Reports. This waiting time is only required for this simulated lab environment, as the Grid and the Reporting Server haven’t had enough time to sync.

  • Use the Reporting Server to provide information about RPZ Hits

Task 3: Create a new Dashboard called DDI Security Dashboard

  • Create a new dashboard using XML source from the Infoblox Community.

    • This Dashboard provides a good visual representation of DDI Security and will be popular with less technical senior staff.

    • The XML is stored in the Reporting - DNS Firewall Dashboard.xml file in the Shared Drive/NIOS Imports folder on jump-desktop.

Task 4: Create a DDI Security Dashboard Panel and a Report based on RPZ Hits

  • Create a search for RPZ Hits. The Search is saved as a Dashboard Panel on the new DDI Security Dashboard.

  • Use the previously created Search to create a report called infoblox-base RPZ Hits.

Task 5: Create an Email Alert triggered by RPZ Hits

  • Create an Alert for hits on the Base RPZ. When the Alert triggers, an email is sent to noc@techblue.net.


Solutions

Task 1 Solution: Analyze the Grid Status and Health using Security Dashboard Widgets

In this task, you investigate the recent spike in RPZ hits using the NIOS Dashboard. You view the RPZ Recent Hits in the Security Dashboard to identify clients causing a large number of RPZ hits, use Threat Lookup to investigate domain names that appear in the RPZ hits and may pose a threat, confirm the status of the Grid name servers ibns1.techblue.net and ibns2.techblue.net using the Security Dashboard, and investigate the peak times when the most RPZ hits occur.

  1. On the jump-desktop machine, open a browser window to https://10.100.0.100.

  2. Navigate to Dashboards → Status → Security.

  3. Turn on auto-refresh for the Security Dashboard.


  4. Find the Security Status for Grid widget.

    • The widget displays high-level information about the security status of each Grid member separately.

    • In this example, both ibns1.techblue.net and ibns2.techblue.net are in a critical state. Hovering over a member name in the widget shows that member's status, and hovering over the RPZ status bar shows detailed security information such as RPZ hit sources, Trends and triggered RPZs.

  5. Find the Response Policy Zone (RPZ) Status for Grid widget.

  6. Click on the Top 10 Grid Members tab.

    • This tab shows the number of hits per action (Block, Substitute and Passthru) for each member. Hovering over any section of the bar chart shows the number of hits for that section.

  7. Click on the RPZ Recent Hits tab.

    • This tab lists the latest domains that triggered an RPZ hit, along with the source of the query and the RPZ policy that was triggered. In this example, the most recent hits at the top of the list belong to the client with IP address 10.35.22.10.

  8. Finally, click on the Trends tab.

    • This tab displays a timeline visualizing the type and number of RPZ hits.

  9. Click on the Health tab.

    • This tab displays the time of the latest updates made for each configured RPZ.

  10. Find the Response Policy Zone (RPZ) Status for Member widget.

    • This widget displays the same kind of information as the Response Policy Zone (RPZ) Status for Grid widget, but for a selected Grid member.

    • The widget contains three tabs: RPZ Recent Hits, Trends and Health, each specific to the selected Grid member.

  11. Click the cog wheel icon.

  12. Select ibns1.techblue.net.

  13. Click the View Syslog button.

    • This feature is unique to this widget and lets you quickly view the syslog of the selected Grid member.

  14. Hover the mouse over one of the message entries to view the full log message.


Task 2 Solution: Investigate the available Reporting Server Dashboards to identify DNS Top RPZ Hits

If the reporting server needs to be configured, use the following instructions to set it up:

  • Click Continue to the app setup page

    • Username: training

    • Password: infoblox

    • Protocol: SCP

    • Host/ IP Address: 10.100.0.205

    • Port: 22

    • Path: /home/training/Documents/ReportingData

In this task, you will investigate the reporting server for default reports and dashboards to help examine the grid security status and investigate the recent spike in RPZ hits.

Please allow 25 to 30 minutes for the Reporting Server to pull data off the Grid and populate its Dashboards and Reports. This waiting time is only required for this simulated lab environment, as the Grid and the Reporting Server haven’t had enough time to sync.

  1. Navigate to Reporting → Reports.

  2. Type RPZ in the filter box.

  3. Click the DNS Top RPZ Trend By Mitigation Action report.

    • This report uses a bar chart to display the number of RPZ hits broken down by action.

    • Click on any of the bars to view more details.

    • The actions are Block, Substitute, NULL or Allow, and ClientHit or Passthru.

  4. Click the DNS Top RPZ Hits report.

    • This report displays the total number of RPZ hits per domain across the entire Grid, in both bar chart and table format.

  5. Click the DNS Top RPZ Hits by Clients report.

    • This report displays the total number of RPZ hits per IP address across the entire Grid, in both bar chart and table format.

    • After your investigation, you determined that the recent spike in RPZ hits was caused by a single IP address, 10.35.22.10, which may be infected. You are now confident that the Grid handled the attempts from this device appropriately. You can hand this information to the SOC team to investigate the device further and present it to your manager.

Task 3 Solution: Create a new Dashboard called DDI Security Dashboard

In this task, you create a new dashboard using XML source from the Infoblox Community. This Dashboard provides a good visual representation of DDI Security and will be popular with less technical senior staff, helping you with your presentation to the management team about the recent RPZ spike incident. The XML is stored in the Reporting - DNS Firewall Dashboard.xml file in the Shared Drive/NIOS Imports folder on the Linux Desktop.

  1. Navigate to Reporting → Dashboards.

  2. Click Create New Dashboard.

  3. Type test in the Title field.

    • It will be replaced by the title in the XML file.

  4. Change the Permissions to Shared in the App.

    • This will allow other admins and operators to view the dashboard you created.

  5. Select Shared in App so the dashboard is available to others.

  6. Select Classic Dashboards.

  7. Click Create.

  8. Click the Source button.

    • This lets you add the XML source directly to the dashboard.

  9. Navigate to the Shared Drive/NIOS Imports directory on jump-desktop.

  10. Right-click on the Reporting - DNS Firewall Dashboard.xml file.

  11. Open the file with the Geany application.

  12. Click Edit and choose Select All.

  13. Click Edit and choose Copy.

  14. Switch back to the Grid Manager.

  15. Highlight the existing text in the dashboard source window.

  16. Right-click to paste the XML you copied over the top of the existing XML.

  17. Click Save, then Refresh.


Task 4 Solution: Create a DDI Security Dashboard Panel and a Report based on RPZ Hits

In this task, you add an extra element to the custom dashboard you created earlier, highlighting the usage of a specific RPZ, infoblox-base.rpz.infoblox.local. Since this was the most-hit RPZ in the recent RPZ spike incident, this is an effective way to communicate your team's work when presenting to management. You use the search function, as it is the easiest way to get exactly the output you are looking for, and then add the search result as a dashboard panel. You also generate a report from the same search query highlighting the infoblox-base.rpz.infoblox.local RPZ.

  1. Navigate to Reporting → Search.

  2. Enter the following text as the Search command: index=ib_dns RPZ_QNAME="*.infoblox-base.rpz.infoblox.local"| timechart count by CLIENT

  3. Click the Search button.

  4. Click the Visualization button.

    • This search result visualizes hits on the infoblox-base RPZ, per client, over the selected period.

  5. Click the Save As button.

  6. Select the Existing Dashboard link.

  7. Select DNS Firewall Dashboard as the dashboard where the panel will go.

  8. Select Column as the Panel content.

  9. Click Save, then View Dashboard to look at the panel on your customized dashboard.

    • Scroll to the bottom of the dashboard to view the new panel.

  10. Navigate back to Reporting → Search.

  11. Expand the Search history panel and locate the search query.

  12. Click the Add to Search button.

  13. Click the Search button, then the Visualization button.

  14. Click Save As and select Report.

  15. Enter infoblox-base RPZ hits for your report name.

  16. Choose Chart+Table for Content.

  17. Select Yes for Time Range Picker.

  18. Click Save.

  19. Click View to see the Report.


Task 5 Solution: Create an Email Alert triggered by RPZ Hits

In this task, you create an Alert for hits on the infoblox-base RPZ. When the Alert triggers, an email is sent to the NOC team. This helps your organization respond more quickly to security incidents in the future.

  1. Navigate to Reporting → Reports.

  2. Filter the results down to rpz using the search bar.

  3. Click Open in Search for the infoblox-base RPZ Hits report.

  4. Click Alert in the Save As list.

  5. Specify infoblox-base RPZ hits Alert as the Title for the Alert.

  6. Choose Shared in App for Permissions.

  7. Choose Real-Time for Alert Type.

  8. Set the Expire value to 30 days.

  9. Set the Trigger alert when value to Number of Results is greater than 10 in 20 minutes.

  10. Set Trigger value to For each Result.

  11. Set the Suppress results containing field value field to infoblox-base.rpz.infoblox.local.

  12. Set the Throttle value to suppress triggering for 10 minutes.

  13. Click the Trigger Action button.

  14. Select Send Email.

  15. Send the email to noc@techblue.net.

  16. Set the Priority to High.

  17. Select the check boxes to include Search String, Trigger Condition, and Attach PDF.

  18. Click Save.
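As an added example (not part of this lab guide or of Infoblox's Reporting Server), the Python below models the Task 4 search, index=ib_dns RPZ_QNAME="*.infoblox-base.rpz.infoblox.local" | timechart count by CLIENT, and the Task 5 alert condition (Number of Results greater than 10 in 20 minutes, throttled for 10 minutes) over constructed sample records, so you can check what the dashboard panel and the alert should report before relying on them. The record shape, the 5-minute timechart span and the trailing-window interpretation of the real-time alert are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Wildcard from the lab search: RPZ_QNAME="*.infoblox-base.rpz.infoblox.local"
RPZ_SUFFIX = ".infoblox-base.rpz.infoblox.local"
EPOCH = datetime(1970, 1, 1)

# Constructed sample events shaped like the ib_dns fields the lab search uses
# (timestamp, CLIENT, RPZ_QNAME); not real NIOS or Reporting Server data.
SAMPLE_EVENTS = [
    ("2025-02-14T12:%02d:00" % m, "10.35.22.10", "host%d.infoblox-base.rpz.infoblox.local" % m)
    for m in range(0, 24, 2)  # 12 hits from the suspect client over 22 minutes
] + [
    ("2025-02-14T12:03:00", "10.35.22.50", "x.infoblox-base.rpz.infoblox.local"),
    ("2025-02-14T12:04:00", "10.35.22.50", "www.techblue.net"),  # ordinary query, no RPZ match
]


def is_base_rpz_hit(qname):
    """Same test as the search filter: the queried name ends with the RPZ suffix."""
    return qname.endswith(RPZ_SUFFIX)


def timechart_by_client(events, span_min=5):
    """Offline equivalent of `| timechart count by CLIENT`: hits per CLIENT per time bucket."""
    chart = defaultdict(lambda: defaultdict(int))
    for ts, client, qname in events:
        if not is_base_rpz_hit(qname):
            continue
        secs = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        bucket = EPOCH + timedelta(seconds=secs - secs % (span_min * 60))
        chart[bucket.isoformat()][client] += 1
    return chart


def real_time_alert(events, threshold=10, window_min=20, throttle_min=10):
    """Model of the Task 5 alert: fire when more than `threshold` hits fall inside the
    trailing window, then stay quiet for `throttle_min` minutes (the Throttle setting)."""
    window, fired, last_fire = deque(), [], None
    for ts, _client, qname in sorted(events):
        if not is_base_rpz_hit(qname):
            continue
        now = datetime.fromisoformat(ts)
        window.append(now)
        while window[0] <= now - timedelta(minutes=window_min):  # drop hits outside the window
            window.popleft()
        throttled = last_fire is not None and now - last_fire < timedelta(minutes=throttle_min)
        if len(window) > threshold and not throttled:
            fired.append((ts, len(window)))  # what the email to noc@techblue.net would report
            last_fire = now
    return fired
```

With the sample data the chart attributes 12 of the 13 hits to 10.35.22.10, and the alert fires once at 12:18 with 11 hits in the window; the two later windows that also exceed 10 are suppressed by the throttle.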
