Infoblox Deployment Guide - Implementing Infoblox Data Connector

DEPLOYMENT GUIDE
Implementing Infoblox Data Connector 2.0
2017 Infoblox Inc. All rights reserved. Implementing Infoblox Data Connector, July 2017

Contents
Overview ... 3
Prerequisites ... 3
Installing Infoblox Data Connector ... 4
Deploying Infoblox Data Connector ... 13
Splunk Certificate Installation ... 26
Testing the Data Connector ... 28
Summary ... 31

Overview

The Infoblox Data Connector VM (virtual appliance) is a utility designed to collect DNS query and response data from the Infoblox Grid members, filter it according to user criteria (thus reducing the quantity of data), and convert the data to a format that can be securely transferred to the NIOS reporting server for report generation, to Infoblox ActiveTrust Cloud and Threat Insight in the Cloud (Infoblox Cloud destinations), or to a third-party Splunk Indexer.

The Data Connector acts as a central point for data collection across your network. Using the Data Connector to collect DNS data helps reduce the impact of data exchange across your NIOS appliances and helps improve the performance of your Grid.

The Data Connector is designed to run on VMware ESXi servers. You can install the Data Connector VM on a host running VMware ESXi 5.x or later. After configuring the Data Connector VM, note that you can register only one Data Connector with a Grid running NIOS 7.3.0 and later as a reporting destination. Registration is not required for cloud destinations and Splunk.

When you set up a Data Connector VM, you use it solely for collecting DNS data, discovery information, lease information, and MS AD user information from the Grid and sending this data out. You cannot add licenses to run other services, such as DNS and DHCP.

The network map below illustrates the basic concept of the data collection process, which includes collecting query and response data from Grid members, storing it, and sending it to the reporting server or other third-party destinations, including Infoblox Cloud destinations and Splunk indexers. You can then monitor the trend of DNS queries by client, domain, time, record type, query type, and DNS view.

Prerequisites

The following are prerequisites for Infoblox Data Connector:
- A functional Infoblox Grid with a Grid Master and Reporting server running NIOS 7.3 or later.
- An administrative user account on the Grid.
- VMware ESXi version 5.x or later.
- Security Ecosystem license for the Splunk destination only (other destinations do not require the license).
- Threat Insight

Installing Infoblox Data Connector

1. Download the Data Connector .ova file from the Infoblox Support site (https://support.infoblox.com/).
2. From the VMware vSphere client, select File > Deploy OVF Template. Browse to the location of the file.
3. Click Next.

4. Click Next after reviewing the information.

5. Verify that the name of the Data Connector is satisfactory, or change it. Highlight the inventory location for installing the Data Connector VM.
6. Click Next.

7. Highlight the host or cluster on which the Data Connector is to run.
8. Click Next.

9. If applicable, select the host within the cluster to be used for the Data Connector VM.
10. Click Next.

11. Highlight the resource pool.
12. Click Next.

13. Highlight the destination storage for the Data Connector.
14. Click Next.

15. Select the disk format. If possible, select thin provisioning.
16. Click Next.

17. Select the network the Data Connector will use.
18. Click Next.

19. Click Finish after verifying all of the settings.

Deploying Infoblox Data Connector

The example instructions below show how to configure the Data Connector to talk to a reporting server, a Splunk instance and Infoblox Cloud destinations.

1. From the Data Connector VM console or an SSH client (using port 2020), log into the command line interface with the default credentials of username ‘admin’ and password ‘infoblox’. You will be asked to start the wizard after your first boot and login. Otherwise, type ‘wizard’ and press ‘Enter’ to start the wizard.
2. You can change the password for the Data Connector if you wish.

3. Press Enter to configure the admin network settings.
4. Type dynamic to configure the server to set its network settings using DHCP. To configure a static IP address, type the settings on a single line using the format “mode gateway address mask vlanid”.
   a. Mode is set to either static or dynamic (DHCP). This example uses static.
   b. Gateway sets the default gateway router address. 10.60.16.1 is used in the example below.
   c. Address is the IP address for the Data Connector VM. 10.60.16.29 is used in the example below.
   d. Mask is used to set the subnet mask. 255.255.255.0 is used in the example below.
   e. VLAN ID allows you to set a VLAN ID/tag if required for the network connection to work properly. Use 0 if VLAN tagging is not being used.
   Example: static 10.60.16.1 10.60.16.29 255.255.255.0 0
5. Press Enter.
6. Type the IP address of the DNS server to be used and press Enter.
7. For the domain configuration, enter the domain name to be used, or press ‘Enter’ to accept the default.
8. Enter the hostname to be used for your Data Connector VM, or press ‘Enter’ to accept the default. NOTE: The maximum length of the name is 64 characters.
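The wizard accepts the network line as typed, so a mistyped gateway or mask only shows up later as a lost management connection. The following POSIX shell script is an added example, not part of the guide or the appliance CLI (its function names are its own): it checks a "mode gateway address mask vlanid" line the way a practitioner would before typing it in, including the guide's own sample line and a gateway outside the appliance's subnet.

```shell
#!/bin/sh
# Added example (not part of the guide or the appliance CLI): sanity-check a
# wizard network line of the form "mode gateway address mask vlanid".

# Print a dotted-quad IPv4 address as a 32-bit integer; fail on anything else.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# A valid mask is a contiguous run of one bits followed by zeros (and not 0.0.0.0).
is_mask() {
  m=$(ip_to_int "$1") || return 1
  inv=$(( ~m & 0xffffffff ))
  [ "$m" -ne 0 ] && [ $(( (inv + 1) & inv )) -eq 0 ]
}

# Returns 0 when the line is acceptable, 1 otherwise.
validate_net_line() {
  set -- $1                      # split the single wizard line into its fields
  case "$1" in
    dynamic) [ $# -eq 1 ] ;;     # DHCP: nothing else belongs on the line
    static)
      [ $# -eq 5 ] || return 1
      gw=$(ip_to_int "$2") || return 1
      ad=$(ip_to_int "$3") || return 1
      is_mask "$4" || return 1
      m=$(ip_to_int "$4")
      # the gateway must sit inside the appliance's own subnet and differ from it
      [ $(( gw & m )) -eq $(( ad & m )) ] || return 1
      [ "$gw" -ne "$ad" ] || return 1
      # VLAN ID: 0 means untagged, otherwise 1..4094
      case "$5" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
      [ "$5" -le 4094 ]
      ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo: the guide's own example line, then a gateway on the wrong subnet.
for line in "static 10.60.16.1 10.60.16.29 255.255.255.0 0" \
            "static 10.60.17.1 10.60.16.29 255.255.255.0 0"; do
  if validate_net_line "$line"; then echo "ok:  $line"; else echo "bad: $line"; fi
done
```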

9. Verify the configuration settings. Enter ‘y’ to accept or ‘n’ to go back and make changes.
10. (Optional): If you have an active subscription to ActiveTrust Cloud Plus or Threat Insight in the Cloud, you can provision your Data Connector server to send data to Infoblox Cloud destinations:
   a. Using your web browser, log into your ActiveTrust Cloud Plus account on the Cloud Services Portal (https://csp.infoblox.com/).
   b. Navigate to Administration > Unified Reporting.
   c. Click the add button to add a new entry.
   d. Enter a (unique) name and select the Region.
   e. Click Save.
   f. Take note of the Name, URL and API Access Key, as these will be required later in these steps.
11. Continuing in your Data Connector CLI session, type “y” and press Enter to configure the data output cloud registration settings.
12. Enter the URL obtained from the Cloud Services Portal (CSP), which was generated above in step 10.
13. Enter the API ID obtained from the Cloud Services Portal (CSP), which was generated above in step 10.
14. For the agent ID, enter the Name obtained from the Cloud Services Portal (CSP), which was generated above in step 10.
15. For the agent ID, enter the Name which was obtained from the Cloud Services Portal (CSP) and which was generated above in step 10.
16. Verify that the information entered is correct and press Enter.

17. Steps 18 - 39 are optional and are required if you are going to send data to Infoblox Cloud destinations.
18. For setups where data output cloud registration settings have been configured (as detailed above): type “y” at the “configure data output cloud settings” prompt and press Enter.
19. Enter the output cloud mode. The acceptable values are:
   a. Disabled - no data is processed to the ActiveTrust Cloud Plus portal. This is the default.
   b. Hold - data is processed from the Grid members and is held. This is a good way to get statistics on the amount of data being sent to the Data Connector.
   c. Forward - data is forwarded to the ActiveTrust Cloud Plus portal.
   Note: As a best practice, hold the data when initially enabling this feature to determine the amount of data generated over time.
20. Press Enter to confirm.
21. Configure the Infoblox Grid as the source of IPAM, user, and lease data and also for time synchronization. Type ‘data source grid’ at the prompt.
22. Type ‘set username admin’. This command sets the admin username the Data Connector uses to log in to the Grid.
23. Type ‘set address <IP address of Grid Master or Grid Master Candidate>’.
24. Type ‘password’ to enter the admin password for the Grid Master.
25. Type ‘data source grid’ at the prompt.
26. Type ‘sync’ to synchronize the connection between the Data Connector and the Grid.
27. Type ‘data source grid’ at the prompt. You will be using the ‘set query’ command to configure the Grid as the source of the IP metadata.

28. Type ‘set query userinfo enabled’.
29. Type ‘set query ipam enabled’.
30. Type ‘set query lease enabled’.
31. On the Grid side, you must configure a syslog server to send DNS RPZ information to the Data Connector. Navigate to Grid > Grid Manager > Toolbar > Grid Properties > Edit.

32. Click on the Monitoring button.
33. Enable ‘Log to External Syslog Servers’. Click on the add button to add a syslog server.
34. In the screen above, type in the IP address of the Data Connector and set the Transport to TCP. Click the ‘Add’ button to add it.

35. If your Grid is running version 8.0 or above, you need to enable two items: Enable Network Users Feature and Enable Object Change Tracking.
36. Click on the General button and then the Advanced tab. Click on Enable Network Users Feature.
37. Click on the Object Change Tracking button. Click on Enable Object Change Tracking.
38. Click Save and Close.

39. On the Data Connector side, enter ‘data source syslog’ at the prompt. Enter ‘set mode unencrypted’. This command enables the receiving of unencrypted syslog messages from the Grid via TCP.
40. Steps 41 - 46 are optional and required only if data should be forwarded to an external Splunk.
41. Configure the data output Splunk settings. These settings are for sending data to an external Splunk Enterprise Indexer. The screen shot below is an example:
42. Enter the IP address of the Splunk Indexer, similar to the screen above. Press Enter.
43. Enter the Splunk index name, similar to the screen above. Press Enter. This index name must also be entered on the Splunk server.
44. If the Splunk indexer port differs from the default, enter it and press Enter; otherwise, just press Enter.
45. Leave the mode at disabled, as the certificate has not been installed yet. See the subsequent section on Splunk certificate installation for further configuration steps.
46. Verify the settings. Type ‘y’ for yes and press Enter.
47. Configure the admin settings.

48. Enter a new greeting banner value, or press ‘Enter’ to accept the default.
49. Configure the data input SCP settings. These settings will be used to configure the connection between the Grid and the Data Connector.
50. Configure the data source Grid settings. These settings allow the Data Connector to log in to the Grid Master.
51. Configure the data output settings. These settings are used for holding or sending data to the reporting server. The acceptable values are:
   a. Disabled - no data is processed to the reporting server. This is the default.
   b. Hold - data is processed from the Grid members and is held. This is a good way to get statistics on the amount of data being sent to the Data Connector.
   c. Forward - data is forwarded to the reporting server.
   Note: As a best practice, hold the data when initially enabling this feature to determine the amount of data generated over time.

52. Now that we have fully configured the Data Connector, switch to the Infoblox NIOS GUI to perform further configuration. After logging into the Infoblox NIOS GUI, navigate to Data Management > Grid DNS > Toolbar > Edit Grid DNS Properties > Logging > Advanced.
   I. Enable Capture DNS Queries and/or Capture DNS Responses (best practice is to enable only one option at a time, as this can have a performance impact on your server).
   II. Enable Capture queries/responses for all domains.
   III. Set the Export to menu to SCP.
   IV. Set the Directory Path to the value that represents the ‘home directory’.
   V. Set the Server Address to the IP address of your Data Connector server.
   VI. Set the Username that was configured on the Data Connector.
   VII. Set the Password that was configured on the Data Connector.
   Steps 1 and 2 tell NIOS the type of data to forward to the Data Connector. Steps 3 to 5 tell NIOS the protocol and credentials to use to transfer the data to the Data Connector.
53. Click Save and Close.

54. Go to Administration > Reporting > Toolbar > Grid Reporting Properties.
   a. Check the box for Enable Data Indexing.
   b. Enable DNS Query Capture.
   c. Set the Index % for DNS Query Capture to a non-zero number. You may need to adjust other categories to stay at or under 100%.
   d. Click Save & Close.
   e. Restart services.
   f. Click Save and Close.

55. Navigate to Grid > Members > Toolbar > Data Collection. Click on Enable Registration. Note: This screen is not in NIOS 7.3. When you register the Data Connector, there is no check to accept registration in NIOS 7.3; the registration from the Data Connector goes straight through. Skip to step 21.
56. Click Save & Close.
57. (Optional. Reporting destination only). From the Data Connector command-line interface, enter the command “data destination reporting registration register” to register with the Grid. This is necessary if you are sending data to the Infoblox Reporting Server. Otherwise, skip the rest of the steps.
   Note: tab completion can be used to simplify the entry of these commands.

58. (Optional. Reporting destination only). From the Grid GUI, navigate to Grid > Member > Toolbar > Data Collection to check the registration status.
59. From the Data Connector command-line interface, run the command ‘data source grid status’ to review information about the Grid that the Data Connector is configured to connect to.

Splunk Certificate Installation

Certificates must be installed and signed before any transactions can occur. The steps below show you how to install and sign the certificates.

1. Ensure that you can ping the IP address of the Splunk server. The command is ‘admin network ping <IP address>’ from the top-level prompt. You may have to type exit a couple of times to get to the prompt.
2. From the top-level prompt, enter ‘data destination splunk’ and press the Enter key. This will put you in the correct subsystem to configure certificates.
3. Download the certificate from the Splunk server. The command is ‘cacertificate import scp://<username>@<IP address of Splunk server>://<directory path>/<certificate name>.pem’.
4. Now that we have the certificate from the Splunk server installed on the Data Connector, we need to generate a certificate on the Data Connector and have it signed by the Splunk server. The command is ‘certificate request’. This will be the forwarder certificate.
5. Highlight and copy this certificate request to the CLI of the Splunk server.
6. On the Splunk server, enter the command ‘openssl x509 -req -in <name of file that contains the certificate> -extensions v3_usr -CA <Splunk certificate>.pem -CAkey <Splunk key name>.key -out <name of pem file>.pem’. This creates the signed certificate to be downloaded to the Data Connector.
7. Back on the Data Connector screen, import the signed certificate. The command is ‘certificate import scp://<username>@<IP address>:/<directory path of certificate>/<certificate name>.pem’.
8. You can show the certificate by entering the command ‘show certificate’. The output will be similar to the screen shown below:
9. Now you can set the mode of the Data Connector to forward data to the Splunk server. If the command does not return a forward mode, then the certificate authentication was not correct. You will need to troubleshoot this certificate problem. Refer to your Splunk administrator for assistance.

Testing the Data Connector

1. On the Data Connector, you can check the statistics to ensure data is being collected and transmitted by running ‘data destination’ and then ‘stats’.
   Once DNS queries have been run against this Grid, the Data Connector will transfer query data to the reporting server. Click Reporting > Reports and open the DNS Top Requested Domain report.
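The signing exchange from the Splunk Certificate Installation section above, replayed on constructed lab material as an added example (this is not the guide's own script; the CA, the forwarder name and all file names are made up for the demo). It assumes the openssl command-line tool is installed, supplies the v3_usr section through an extension file (without -extfile, "openssl x509 -req" silently ignores -extensions), and adds the check a practitioner wants before step 7: does the signed forwarder certificate actually chain to the CA certificate imported in step 3? A second, unrelated CA is included to show what the step 9 failure looks like.

```shell
#!/bin/sh
# Added example (constructed lab material, not the guide's commands verbatim):
# replay the Splunk-side signing step and check the result before importing it.
set -e
WORK=$(mktemp -d)

# One extension file with both sections: v3_ca for the lab CA, v3_usr for the forwarder.
cat > "$WORK/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[v3_usr]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF

# Constructed stand-in for the Splunk server's CA cert and key ($1 = prefix, $2 = CN).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -sha256 \
    -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$1.pem" 2>/dev/null
}

# Stand-in for what the Data Connector's 'certificate request' produces ($1 = prefix).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dataconnector.example" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Step 6 of the guide: sign the forwarder CSR with the Splunk CA
# ($1 = CSR, $2 = CA prefix, $3 = output certificate).
sign_forwarder_csr() {
  openssl x509 -req -in "$1" -extfile "$WORK/ext.cnf" -extensions v3_usr \
    -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 365 -sha256 \
    -out "$3" 2>/dev/null
}

# The check behind step 9: a forwarder cert that does not chain to the CA cert
# imported in step 3 will never get the connector into forward mode.
verify_chain() {                 # $1 = CA cert, $2 = forwarder cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "$WORK/splunk-ca" "Splunk Lab CA"
make_ca "$WORK/other-ca" "Unrelated Lab CA"
make_csr "$WORK/fwd"
sign_forwarder_csr "$WORK/fwd.csr" "$WORK/splunk-ca" "$WORK/fwd.pem"
sign_forwarder_csr "$WORK/fwd.csr" "$WORK/other-ca" "$WORK/fwd-wrong.pem"

if verify_chain "$WORK/splunk-ca.pem" "$WORK/fwd.pem"; then
  echo "fwd.pem chains to the Splunk CA: safe to 'certificate import'"
fi
if ! verify_chain "$WORK/splunk-ca.pem" "$WORK/fwd-wrong.pem"; then
  echo "fwd-wrong.pem was signed by another CA: the connector would stay out of forward mode"
fi
```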

2. On the ActiveTrust Cloud Plus side, here is a sample report of data coming from an on-premises Grid. The “Include On-Prem Data” checkbox must be selected.
3. Here is the corresponding output from the nslookup command from a workstation.

4. For Splunk connections, run a DNS query command against one of the Infoblox DNS members. By default, the queries will appear on the Splunk server in 10 minutes. You can use the ‘dig’ command on Linux or ‘nslookup’ on Windows.
5. On the Splunk Indexes screen, ensure the Splunk index name is entered.
6. On the Splunk reporting screen, you should start to see entries from the queries from step 4 after 10 minutes.

Summary

Infoblox’s Data Connector provides the following benefits:
- Serves as a central data colle
