Differences

This shows you the differences between two versions of the page.

--- infoblox_nios:adp [2024/06/16 19:36] – bstafford
+++ infoblox_nios:adp [2026/02/16 02:58] (current) – bstafford
@@ Line 4: / Line 4: @@
 [[https://www.infoblox.com/resources/deployment-guide/advanced-dns-protection-ruleset-tuning|ADP Tuning]]
-Bear in mind that "Advanced DNS Protection" as a licence also protects the protcols for:
+[[https://blogs.infoblox.com/community/infoblox-advanced-dns-protection-rules-viewing-the-tip-of-an-iceberg/|ADP Rules]]
+[[https://www.infoblox.com/code/wp-content/themes/Divi-child/f/adp-basic-config/story_html5.html?lms=1&lms=1|Old Training Video]]
+To ensure proper performance, ADP locks 2 CPU core to process network traffic.
+Bear in mind that "Advanced DNS Protection" as a license also protects the protocols for:
   * DNS
   * DHCP
@@ Line 19: / Line 25: @@
 When running ADP on the Grid, to download the latest updates, the Grid Master needs to resolve and access ''https://ts.infoblox.com'' on tcp-443. You may need to configure the proxy settings in the Grid and you may need to disable TLS inspection on the proxy.
+===== Licence=====
+  * SW_TP = Threat Protection
+  * TP_SUB = Threat Protection Update
+You cannot install TP_SUB without already having SW_TP installed.
+You cannot install ADP on a NIOS appliance that has the MS Management license installed.
+===== Enable Accelerated Networking =====
+Accelerated Networking (sometimes called 'fast-path') is not enabled on the MGMT interfaces of appliances deployed with NIOS 9.0.5 or later. Older appliances upgraded to NIOS 9.0.5 keep it enabled.
+It can be enabled/disabled on MGMT interface manually from 9.0.5 onward.
+<code>set mgmt_exclusion_from_fastpath <on|off></code>
+Ideally, don't enable on MGMT. Disabling on MGMT means that SSH can happen to MGMT without going through accelerated networking.
+Remember, DoH cannot run on MGMT. DoT can run on MGMT if, and only if, accelerated networking is enabled on MGMT.
 ===== Enable ADP =====
+Remember, the option to install the ADP licence is not available until the appliance has the correct resources (RAM/CPU) allocated. See the table below for the RAM/CPU that needs to be allocated per model of NIOS appliance.
 Remember, installing ADP licence ("Threat Protection (Software add-on) license") will reboot the member.
@@ Line 51: / Line 75: @@
 <code>CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1</code>
+Another example log where we block a specific domain from being resolved.
+  * Facility: daemon
+  * Level: ERROR
+  * Server: threat-protect-log
+  * Message: CEF:0|Infoblox|NIOS Threat|9.0.6-53318-82020f7ffaad|120303001|Blacklist:blockedinconfig.domain.com|7|src=25.26.27.28 spt=52223 dst=192.168.1.123 dpt=53 act="DROP" cat="BLACKLIST UDP FQDN lookup" nat=0 nfpt=0 nlpt=0 fqdn=blockedinconfig.domain.com hit_count=3</code>
 ===== DoH =====
 To test DoH on Linux Client, [[https://www.linuxbabe.com/ubuntu/dns-over-https-doh-resolver-ubuntu-dnsdist|this page is a useful guide]]. I had to use a proper certificate (Lets Encrypt) to get it to work. I put the HTTPS cert on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid.