infoblox:ecosystem
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| infoblox:ecosystem [2020/11/13 09:38] – created bstafford | infoblox:ecosystem [2025/12/30 11:53] (current) – bstafford | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Infoblox Ecosystem ====== | ====== Infoblox Ecosystem ====== | ||
| - | The Infoblxo Ecosystem licence is a single, Grid wide licence that gets applied to the Grid Master. It enables the Infoblox appliances to initiate API calls to third party vendor appliances (e.g. Palo Alto Networks firewalls). | + | ===== Guardrails |
| - | + | Ecosystem for TD = 4k events per user per day. | |
| - | ===== Initial Setup with Palo Alto Networks | + | |
| - | Set the extensible attributes | + | |
| - | + | ||
| - | Grid Manager > Administration > Network Views > default > edit | + | |
| - | + | ||
| - | Add Extensible Attributes default values | + | |
| - | * PaloAlto_Asset_Sync true | + | |
| - | * PaloAlto_Asset_Tag allow | + | |
| - | * PaloAlto_Security_Sync true | + | |
| - | * PaloAlto_Security_Tag deny | + | |
| - | * PaloAlto_Timeout 30 | + | |
| - | + | ||
| - | PaloAlto_Asset_SyncedAt and PaloAlto_Security_SyncedAt have no default value | + | |
| - | + | ||
| - | PaloAlto_Asset_Sync and PaloAlto_Security_Sync should have the following list of options | + | |
| - | * true | + | |
| - | * false | + | |
| - | + | ||
| - | + | ||
| - | To create the Extensible Attributes | + | |
| - | Grid Manager > Administration > Extenisble Attributes | + | |
| - | + | ||
| - | (No default values) | + | |
| - | + | ||
| - | ^ Name ^ TYPE ^ REQUIRED ^ INHERITANCE ^ COMMENT ^ | + | |
| - | |PaloAlto_Asset_Sync | List | No | Yes | Whether or not syncing asset events with PAN is desired.| | + | |
| - | |PaloAlto_Asset_SyncedAt | String | No | No | Timestamp for when the asset is synced with PAN.| | + | |
| - | |PaloAlto_Asset_Tag | String | No | Yes | Tag that attaches to an IP to polulate it in a Dynamic Address Group (allow).| | + | |
| - | |PaloAlto_Security_Sync | List | No | Yes | Whether or not syncing security events with PAN is desired.| | + | |
| - | |PaloAlto_Security_SyncedAt | String | No | | No | Timestatmp for when the security event is synced with PAN.| | + | |
| - | |PaloAlto_Security_Tag | String | No | Yes | Tag that attaches to an IP to populate it in a Dynamic Address Group (deny).| | + | |
| - | |PaloAlto_Timeout | Integer | No | Yes | Starting | | + | |
| - | with PAN-OS 9.0 a tag can contain an optional timeout attribute. The default is 0 (never expires) or a timeout value in seconds for the tag. The maximum timeout is 2592000 (30 days). | + | |
| - | + | ||
| - | + | ||
| - | ===== Palo Alto Networks ===== | + | |
| - | + | ||
| - | + | ||
| - | Remember, you need to create the address groups and tags on teh firewall before configuring infoblox. | + | |
| - | Also, it is best practice to create a dummy address in each address group as each address group must have at least one object to be valid. | + | |
| - | The main difference between this code and Infoblox template code is that this code doesn' | + | |
| - | / | + | |
| - | + | ||
| - | + | ||
| - | There are two types of templates - session managment and event. | + | |
| - | Session managment may use event types for some actions (e.g. device login and logout). | + | |
| - | Session managment templates are assigned to " | + | |
| - | Event types are assigned to " | + | |
| - | + | ||
| - | The reason all the Infoblox guides say that you have to enable Multi VSYS is that they inject into " | + | |
| - | + | ||
| - | vendor_identifier (e.g. " | + | |
| - | + | ||
| - | JSON PATH is at the bottom of the event file. | + | |
| - | + | ||
| - | 192.168.99.0/ | + | |
| - | + | ||
| - | Variables in templates (e.g. ${S:: | + | |
| - | + | ||
| - | When you edit PAN_Session.txt, | + | |
| - | Grid > Ecosystem | + | |
| - | + | ||
| - | Then re-import the template that you are editing with the new variable name. | + | |
| - | + | ||
| - | To update the firewall with new host records (IP) when new hosts are added, create the following | + | |
| - | + | ||
| - | PAN_Host_IPv4 | + | |
| - | < | + | |
| - | Match the following rule | + | |
| - | IPv4 Address matches CIDR 192.168.99.0/ | + | |
| - | Template = Palo Alto Static Assets</ | + | |
| - | + | ||
| - | By default, this will create an Address object named after the IP (e.g. IP = 192.168.1.1 Name = 192.168.1.1). No tags. It will be added to the Address Group Iblox_Host_Allow) | + | |
| - | + | ||
| - | ===== FROM DEMO ====== | + | |
| - | This is from the Cloud based partner Demo system that Infoblox offers. | + | |
| - | + | ||
| - | The following are the rules for triggers. | + | |
| - | + | ||
| - | PAN_Lease: | + | |
| - | < | + | |
| - | Event = DHCP Leases | + | |
| - | Match = ANY | + | |
| - | Rules: | + | |
| - | Network View equals default | + | |
| - | Lease State equals Active | + | |
| - | Lease State equals Expired | + | |
| - | Lease State equals Free | + | |
| - | Lease State equals Released | + | |
| - | IP Address matches CIDR 172.0.0.0/ | + | |
| - | + | ||
| - | + | ||
| - | PAN_RPZ: | + | |
| - | < | + | |
| - | Event = DNS RPZ | + | |
| - | Match = ANY | + | |
| - | Rules: | + | |
| - | Action Policy equals Local Data | + | |
| - | Action Policy equals NXDOMAIN | + | |
| - | Action Policy equals No Data | + | |
| - | Action Policy equals Passthru | + | |
| - | Rule Name contains . | + | |
| - | Source IP matches CIDR 127.0.1.0/ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | PAN_Tunnel: | + | |
| - | < | + | |
| - | Event = DNS Tunneling | + | |
| - | Match = ANY | + | |
| - | Source IP matches CIDR 172.0.0.0/ | + | |
| - | Source IP matches CIDR 10.0.0.0/ | + | |
| - | Source IP matches CIDR fc01::/ | + | |
| - | + | ||
| - | PAN_ADP: | + | |
| - | < | + | |
| - | Event = Security ADP | + | |
| - | Match = ANY | + | |
| - | Hits Count is creter than 5 | + | |
| - | Rule Action equals Alert | + | |
| - | Rule Action equals Drop | + | |
| - | Rule Action equals Pass | + | |
| - | Rule Severity equals Critical | + | |
| - | Rule Severity equals Major | + | |
| - | Rule Severity equals Warning | + | |
| - | Rule Severity equals Informational</ | + | |
| - | + | ||
| - | + | ||
| - | PAN_Fixed_IPv6 | + | |
| - | < | + | |
| - | Event = Object Change Fixed Address Ipv6 | + | |
| - | Match the following rule: | + | |
| - | Network View contains default</ | + | |
| - | + | ||
| - | + | ||
| - | PAN_Host_IPv6 | + | |
| - | < | + | |
| - | Event = Object Change Host Address Ipv6 | + | |
| - | Match the following rule: | + | |
| - | Network View contains default</ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | PAN_Fixed_IPv4_Static | + | |
| - | < | + | |
| - | Event = Object Change Fixed Address IPv4 | + | |
| - | Match the following rule: | + | |
| - | IPv4 Address matches CIDR 172.0.0.0/ | + | |
| - | + | ||
| - | PAN_Fixed_IPv4_Dynamic | + | |
| - | < | + | |
| - | Event = Object Change Fixed Address IPv4 | + | |
| - | Match the following rule: | + | |
| - | IPv4 Address matches CIDR 10.0.0.0/ | + | |
| - | + | ||
| - | PAN_Host_IPv4_Static | + | |
| - | < | + | |
| - | Event = Object Change Host Address IPv4 | + | |
| - | Match the following rule: | + | |
| - | IPv4 Address match CIDR 172.0.0.0/ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | PAN_Host_IPv4_Dynamic | + | |
| - | < | + | |
| - | Event = Object Change Host Address IPv4 | + | |
| - | Match the following rule: | + | |
| - | IPv4 Address match CIDR 10.0.0.0/ | + | |
| - | + | ||
| - | + | ||
| - | PAN_Records | + | |
| - | < | + | |
| - | Event = Object Change DNS Records | + | |
| - | Match = ANY | + | |
| - | Rules: | + | |
| - | Networks View contains default | + | |
| - | Zone Name contains | + | |
infoblox/ecosystem.1605260305.txt.gz · Last modified: (external edit)