
1528 - Using NIOS Advanced DNS Protection (ADP) Monitoring and Reporting

This lab requires a lab environment with Advanced DNS Protection capability!
Please ensure that you have deployed the NIOS Lab Environment (with Advanced DNS Protection).

Scenario

As part of the corporate security policy, you are tasked with viewing syslog records, the Grid Manager Security Dashboard, and Reporting Server dashboards and reports. You also configure SNMP traps to send alerts to 10.100.0.10. A process on the Linux server is executing multiple DNS queries, which will be intercepted by extibns.techblue.net.

Estimate Completion Time

  • 35 to 40 Minutes

Credentials

    Description       Username   Password   URL or IP
    Grid Manager UI   admin      infoblox   https://10.100.0.100/

Course References

  • 1022: NIOS Advanced DNS Protection Monitoring and Reporting

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager's user interface. Note that the credentials may differ from those in prior labs.


Tasks

  • Task 1: Set up NIOS-4 to join the Grid

  • Task 2: Adding Licenses and Setting up the reporting server

  • Task 3: Locate Threat Protection events in Syslog

  • Task 4: Configure SNMP traps

  • Task 5: Configure Grid Manager Security Dashboard

  • Task 6: View Grid Manager Security Dashboard

  • Task 7: Review Reporting Server Dashboards

  • Task 8: Identify the Top Clients triggering rules, and the Top Rules triggered

  • Task 9: Export Report Results


Task 1: Set up NIOS-4 to join the Grid

  • Log into the NIOS-4 VM using the credentials (admin/infoblox).

  • Reset the VM to factory settings using the command reset all.

  • Log back into the VM and validate that it has been reset.

  • Edit the network settings, using the following table:

    Setting                 Value
    IP Address              203.0.113.105
    Netmask                 255.255.255.0
    Gateway                 203.0.113.1
    VLAN Tag                Untagged
    IPv6 settings           n
    Become a grid member    n

  • Set the management interface settings using the command set interface mgmt, using the following table:

    Setting                   Value
    Enable Management port    y
    IP address                10.35.22.105
    Gateway                   10.35.22.1
    IPv6 settings             n
    Restrict access           y

  • Add the VM to the Grid using the command set membership, using the following table:

    Setting                                         Value
    Grid Master VIP                                 10.100.0.100
    Grid name                                       infoblox
    Grid Secret                                     test
    Enable grid services on Management interface    y

Task 2: Adding Licenses and Setting up the reporting server

  • Add the ADP license by navigating to Shared Drive/Licenses and selecting the ADP.lic file.

  • If you need to set up the reporting server, enter the following File Server Settings:

    Configuration      Value
    Username           training
    Password           infoblox
    Protocol           SCP
    Host/IP Address    10.100.0.205
    Port               22
    Path               /home/training/Documents/ReportingData

Task 3: Locate Threat Protection events in Syslog

  • Wait for the reporting service to be online and running on all Grid members; this can take up to 10 minutes.

  • View the syslog records generated on the extibns.techblue.net member, which is providing Threat Protection services.

Task 4: Configure SNMP traps

  • Enable SNMP v1/v2 traps for the Grid and enter public as the community string.

  • Use the IP address 10.100.0.10 for the trap receiver.

Task 5: Configure Grid Manager Security Dashboard

  • Configure and view the threat protection status for members.

Task 6: View Grid Manager Security Dashboard

  • View the top Threat Protection rule triggered on the ADP server, extibns.techblue.net, to identify the rule that is triggered the most. Also identify the client hitting the most Threat Protection rules.

Task 7: Review Reporting Server Dashboards

  • View the Threat Protection Event Count and the Threat Protection Top Rules dashboards.

Task 8: Identify the Top Clients triggering rules, and the Top Rules triggered

  • Use Reports to identify the Top Clients triggering Rules, and the top rules those client(s) triggered.

Task 9: Export Report Results

  • Export the results of the Threat Protection Top Rules Logged by Source report.


Solutions

Task 1 Solution: Set up NIOS-4 to join the Grid

  1. Log into NIOS-4 VM using the credentials (admin/infoblox).

  2. Reset the VM to factory settings using the command reset all.

  3. Log back into the VM and confirm the reset with the command show network: if the interface shows the factory default IP address, the VM has been reset.

  4. Edit the network settings using the command set network, with the values from the Task 1 network settings table.

  5. Set the management interface settings using the command set interface mgmt, with the values from the Task 1 management interface table.

  6. Add the VM to the Grid using the command set membership, with the values from the Task 1 membership table.

  7. Switch over to the jump-desktop machine and log into the Grid Manager UI with the credentials (admin/infoblox) at https://10.100.0.100/.

  8. Verify that NIOS-4 has joined the Grid under the name extibns.techblue.net.

Task 2 Solution: Adding Licenses and Setting up the reporting server

  1. Navigate to Grid → Licenses → Members. Click the plus (+) symbol to add a new license.

  2. Click Select File to upload the license file.

  3. Navigate to Shared Drive/Licenses. Select the ADP.lic file and click Open.

  4. Click Save License(s).

  5. Confirm that Grid member extibns.techblue.net has the Threat Protection feature licensed. Notice that there are two parts to the license: the Software add-on and the Update license.

  6. Click the very top Reporting tab (between the Smart Folders and Grid tabs).

    1. The app configuration wizard opens. If it does not open immediately, or presents an error, wait 5 minutes and try again; the reporting server might still be starting up.

  7. Click Continue to app setup page.

  8. Enter the File Server Settings from the Task 2 table.

  9. Click Save; you will be taken to the Reporting Home Dashboard.
    Note: you can click on the Grid tab to get back to the Grid Manager screen.

Task 3 Solution: Locate Threat Protection events in Syslog

  • In this task, you view the syslog records generated on the extibns.techblue.net member, which is providing Threat Protection services.

    1. Wait for the reporting service to be online and running on all Grid members; this can take up to 10 minutes.

    2. Navigate to Administration → Log → Syslog.

    3. Select the member extibns.techblue.net and select Threat Detection from the quick filter.

    4. Click Toggle multi-line view to view the syslog records. There are multiple records showing Threat Protection rules being hit. In this example, the rule is EARLY DROP TCP, in the DNS Protocol Anomalies category, from the source IP 192.0.113.105.

YOU WILL SEE DIFFERENT RESULTS IN YOUR LAB.

Task 4 Solution: Configure SNMP traps

  • In this task, you configure SNMP Traps.

    1. Navigate to Grid → Grid Manager → Members.

    2. Click Grid Properties in the Toolbar.

    3. Scroll down to SNMP in the Grid Properties Editor.

    4. Check the box to enable SNMP v1/v2 Traps. Enter public for the community string.

    5. Click the plus (+) symbol to add a Trap Receiver. Use the IP address 10.100.0.10 for the trap receiver. Click Save & Close. Click Yes for confirmation when prompted with the SCP warning.
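The trap receiver configured above will get whatever arrives on UDP/162 unless the receiving side checks it. As an added example (not part of the lab or of NIOS), the following Python script decodes an SNMPv2c trap the way a receiver at 10.100.0.10 would and applies two checks before trusting it: the community string matches, and the sender is a known Grid address. Two caveats a practitioner should keep in mind: the v1/v2c community string travels in cleartext with every trap and is not authentication, and source-address filtering is spoofable over UDP, so treat a trap as a prompt to look at syslog and the dashboards rather than as evidence on its own. Assumptions in the code: the BER encoder and decoder are minimal (SNMPv2c traps only, no SNMPv3), the trap OID 1.3.6.1.4.1.99999.1.0.1 is a placeholder for the Infoblox trap OIDs you would take from the NIOS MIB, and ALLOWED_SENDERS holds the Grid Master VIP and the NIOS-4 addresses from Task 1; which interface a member actually sends traps from is not stated in the lab.

```python
import socket

# Added example, not part of the lab or of NIOS. Values below are lab values
# or labelled assumptions: the community string is the one set in Task 4, the
# sender list is taken from the Task 1 tables, and the trap OID is a placeholder.
EXPECTED_COMMUNITY = "public"            # cleartext on the wire; not authentication
ALLOWED_SENDERS = {"10.100.0.100", "203.0.113.105", "10.35.22.105"}  # assumption
UPTIME_OID = "1.3.6.1.2.1.1.3.0"         # sysUpTime.0 (first varbind of every v2c trap)
TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"       # snmpTrapOID.0 (second varbind)
PLACEHOLDER_TRAP = "1.3.6.1.4.1.99999.1.0.1"  # hypothetical trap OID for the sample

# --- minimal BER encode/decode, enough for SNMPv2c trap PDUs ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def enc_int(value, tag=0x02):
    size = (value.bit_length() + 8) // 8   # +8 keeps a leading 0x00 when the high bit is set
    return tlv(tag, value.to_bytes(size, "big", signed=True))

def enc_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def dec_int(body):
    return int.from_bytes(body, "big", signed=True)

def dec_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def build_v2c_trap(community, trap_oid, uptime_ticks, request_id=1):
    """Encode an SNMPv2c trap; used here only to construct a sample datagram."""
    varbinds = tlv(0x30, tlv(0x30, enc_oid(UPTIME_OID) + enc_int(uptime_ticks, 0x43))
                   + tlv(0x30, enc_oid(TRAP_OID) + enc_oid(trap_oid)))
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)   # version 1 == v2c

def parse_v2c_trap(datagram):
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, body, pos = _read_tlv(msg, 0)
    version = dec_int(body)
    _, body, pos = _read_tlv(msg, pos)
    community = body.decode(errors="replace")
    ptag, pdu, _ = _read_tlv(msg, pos)
    if version != 1 or ptag != 0xA7:
        raise ValueError("not an SNMPv2c trap")
    _, body, pos = _read_tlv(pdu, 0)
    request_id = dec_int(body)
    _, _, pos = _read_tlv(pdu, pos)         # error-status
    _, _, pos = _read_tlv(pdu, pos)         # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag == 0x06:
            value = dec_oid(vbody)
        elif vtag in (0x02, 0x41, 0x42, 0x43):   # INTEGER, Counter32, Gauge32, TimeTicks
            value = dec_int(vbody)
        else:
            value = vbody                    # OCTET STRING and anything else: raw bytes
        varbinds[dec_oid(oid_body)] = value
    return {"community": community, "request_id": request_id,
            "trap_oid": varbinds.get(TRAP_OID), "varbinds": varbinds}

def accept_trap(datagram, sender_ip):
    """Parsed trap if the sender and community check out, else None (drop silently)."""
    if sender_ip not in ALLOWED_SENDERS:
        return None
    try:
        trap = parse_v2c_trap(datagram)
    except (ValueError, IndexError):         # malformed or truncated packet
        return None
    if trap["community"] != EXPECTED_COMMUNITY:
        return None
    return trap

def serve(bind_ip="10.100.0.10", port=162):
    """Listen for traps (binding UDP/162 needs root); not run on import."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (ip, _) = sock.recvfrom(65535)
        trap = accept_trap(data, ip)
        if trap:
            print(ip, trap["trap_oid"], trap["varbinds"])

if __name__ == "__main__":
    sample = build_v2c_trap("public", PLACEHOLDER_TRAP, 123456, request_id=42)
    print(accept_trap(sample, "10.100.0.100"))
```

Run it as root on the jump-desktop (or another host given 10.100.0.10) and trigger a trap from the Grid to see the decoded varbinds; a trap with the wrong community or from an address outside ALLOWED_SENDERS is dropped without a response, which is the right behaviour for an unauthenticated UDP listener.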

Task 5 Solution: Configure Grid Manager Security Dashboard

  • In this task, you configure and view the NIOS Security Dashboard.

    1. Navigate to Dashboards → Status → Security.

    2. Scroll down to Threat Protection Status for Member.

    3. Click the Gear icon to add the extibns.techblue.net member.

    4. Click Select Member and select extibns.techblue.net from the list. Check the Auto Refresh Period box. Optionally change the visualization type for Traffic being dropped and/or Traffic being received.

    5. Click the gear icon again to close the edit window.

Task 6 Solution: View Grid Manager Security Dashboard

  • In this task, you view the top Threat Protection rule triggered on the ADP server, extibns.techblue.net to identify the rule that is triggered the most. You also identify the client hitting the most Threat Protection rules.

    1. Navigate to Dashboards → Status → Security.

    2. Scroll down to Threat Protection Status for Grid.

    3. Click Top 10 Rules. In this example, DROP ICMP large packets is the top rule. You may see different results in your lab.

    4. Click the Top 10 Clients tab. In this example, the client with IP address 192.88.99.32 has generated the most hits. You may see different results in your lab.

Task 7 Solution: Review Reporting Server Dashboards

  • In this task, you view the Threat Protection Event Count and the Threat Protection Top Rules dashboards.
    Please note, you will see different results in your lab.

    1. Navigate to Reporting → Dashboards.

    2. Enter Threat Protection in the filter box. The list of dashboards is reduced to show just Threat Protection related dashboards. The list includes two dashboards relating to Licensing and Enabled Grid features, as you have recently licensed and enabled Threat Protection services.

    3. Select the Threat Protection Event Count dashboard.

    4. View the Threat Protection Event Count by Category table to determine the most prevalent critical threat category for the last 1 day. In the example, the category ICMP has the highest value, with 297 events.

    5. View the Threat Protection Event Count by Member table. In this example, there is only one entry: in our Grid, only one Grid member, extibns.techblue.net, provides Threat Protection services.

    6. Scroll down to the Threat Protection Event Count by Rule table. The results here reflect what has been observed previously. The rule with the largest hit count is DROP OSPF unexpected packets.

    7. Use the SID value (Rule ID) to search for a rule in the active ruleset; in this example, the DROP ICMP large packets rule.

      1. Navigate to Data Management → Security → Threat Protection Rules.

      2. Click the version number of the active ruleset.

      3. Click Show Filter. Select Rule ID as the filter, equals as the operator, and 130400210. Click Apply.

      4. View the properties of the rule. Rule 130400210 is an Auto rule. The dashboard shows you the rules that are typically matched by your network traffic, so you can decide which rules you wish or need to implement.

    8. Return to the Threat Protection Event Count Dashboard. View the Threat Protection Event Count by Severity Trend chart. Determine if there is a peak of activity at specific time periods. In this example, there is peak activity of critical events from about 12:45 pm. The results you see are likely to be different.

    9. Modify the dashboard to view Threat Protection Events in the last hour, viewing only the ICMP Category.

    10. Open the Threat Protection Top Rules Logged Dashboard, by navigating to Reporting → Dashboards.

    11. Use the Threat Protection Top Rules Logged by Source chart to identify which clients are attacking the server the most. In this example, IP address 192.0.0.164 has triggered the most events. You may obtain different results in your lab.

Task 8 Solution: Identify the Top Clients triggering rules, and the Top Rules triggered

  • In this task, you use Reports to identify the Top Clients triggering Rules, and the top rules those client(s) triggered.

    1. Navigate to Reporting → Reports.

    2. Enter Threat Protection in the filter box. The list of reports is reduced to show just Threat Protection reports.

    3. Open the Threat Protection Top Rules Logged by Source report. Notice that the default time period for the report is one week (7 days).

    4. In this example, client 192.0.0.164 has the highest number of events. The top rule for this client is DROP OSPF unexpected packets. Other clients have triggered multiple rules. This information is useful when tuning ADP.

Task 9 Solution: Export Report Results

  • In this task, you export the results of the Threat Protection Top Rules Logged by Source report.

    1. Download the results of the Threat Protection Top Rules Logged by Source report in CSV format.

      1. Click the Export icon

      2. Select CSV format

      3. Click Export

    2. Open the file in LibreOffice Calc.

    3. Click OK to open the file. The CSV file contains all the data from the report and can be used when you plan your ADP tuning.
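The syslog view in Task 3, the Top 10 Rules and Top 10 Clients widgets in Task 6, the Top Rules Logged by Source report in Task 8 and the CSV export in Task 9 all answer the same three questions from the threat-protect-log records: which rules fire most, which clients trigger them, and which rules each client hits. The following Python script, added here as an example (it is not part of the lab or of NIOS), answers them offline over a handful of constructed syslog lines and writes the per-client table as CSV in the shape of the exported report. Assumptions: the sample lines follow the CEF layout of NIOS threat-protect-log events (header fields separated by "|", then key=value extensions); the rule IDs other than 130400210, the client addresses, the severities and the extension fields are made up for illustration.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not captured from a lab). The layout follows
# the CEF form of NIOS threat-protect-log events, but every value other than the
# rule names from the lab text and SID 130400210 is an assumption for illustration.
SAMPLE_SYSLOG = """\
May  6 15:10:01 extibns threat-protect-log[2311]: CEF:0|Infoblox|NIOS Threat|8.6.0|130400210|DROP ICMP large packets|7|src=192.88.99.32 dst=203.0.113.105 act=DROP cat=ICMP
May  6 15:10:02 extibns threat-protect-log[2311]: CEF:0|Infoblox|NIOS Threat|8.6.0|130400210|DROP ICMP large packets|7|src=192.88.99.32 dst=203.0.113.105 act=DROP cat=ICMP
May  6 15:10:03 extibns threat-protect-log[2311]: CEF:0|Infoblox|NIOS Threat|8.6.0|130400210|DROP ICMP large packets|7|src=192.0.0.164 dst=203.0.113.105 act=DROP cat=ICMP
May  6 15:10:04 extibns threat-protect-log[2311]: CEF:0|Infoblox|NIOS Threat|8.6.0|130500300|DROP OSPF unexpected packets|7|src=192.0.0.164 dst=203.0.113.105 act=DROP cat=OSPF
May  6 15:10:05 extibns threat-protect-log[2311]: CEF:0|Infoblox|NIOS Threat|8.6.0|130500300|DROP OSPF unexpected packets|7|src=192.0.0.164 dst=203.0.113.105 act=DROP cat=OSPF
May  6 15:10:06 extibns threat-protect-log[2311]: CEF:0|Infoblox|NIOS Threat|8.6.0|130300200|EARLY DROP TCP|5|src=192.0.0.164 spt=40123 dst=203.0.113.105 dpt=53 act=DROP cat=DNS Protocol Anomalies
May  6 15:10:07 extibns named[1987]: client 10.100.0.10#51234: query: www.techblue.net IN A + (203.0.113.105)
"""

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(r"CEF:0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# Extension values may contain spaces (cat=DNS Protocol Anomalies): a value runs
# until the next " key=" or the end of the line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef_event(line):
    """Dict for a threat-protect-log CEF line; None for any other syslog line (e.g. BIND query log)."""
    m = CEF_RE.search(line)
    if not m:
        return None
    vendor, product, version, sig_id, name, severity, ext = m.groups()
    fields = dict(EXT_RE.findall(ext))
    return {"rule_id": sig_id, "rule": name, "severity": int(severity),
            "src": fields.get("src"), "dst": fields.get("dst"),
            "action": fields.get("act"), "cat": fields.get("cat")}


def load_events(text):
    return [e for e in map(parse_cef_event, text.splitlines()) if e]


def top_rules(events, n=10):
    """Same ranking as the Security Dashboard's Top 10 Rules widget."""
    return Counter(e["rule"] for e in events).most_common(n)


def top_clients(events, n=10):
    """Same ranking as the Top 10 Clients widget."""
    return Counter(e["src"] for e in events).most_common(n)


def rules_by_source(events):
    """Which rules each client triggered and how often (the Top Rules Logged by Source view)."""
    by_src = defaultdict(Counter)
    for e in events:
        by_src[e["src"]][e["rule"]] += 1
    return by_src


def rules_by_source_csv(events):
    """CSV in the shape of the exported report: busiest client first, its rules by count."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["source", "rule", "count"])
    ranked = sorted(rules_by_source(events).items(), key=lambda kv: -sum(kv[1].values()))
    for src, rules in ranked:
        for rule, n in rules.most_common():
            w.writerow([src, rule, n])
    return buf.getvalue()


if __name__ == "__main__":
    evs = load_events(SAMPLE_SYSLOG)
    print("top rules:", top_rules(evs))
    print("top clients:", top_clients(evs))
    print(rules_by_source_csv(evs))
```

Feed it a real member syslog export instead of SAMPLE_SYSLOG; any line without a CEF header is ignored, which is how the script separates threat-protect-log records from the named query log in the same file. Note that the global top rule and the busiest client's top rule need not agree (in the sample, ICMP leads overall while 192.0.0.164 is dominated by the OSPF rule), so compare the per-client table with the global ranking before deciding which Auto rules to tune.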
