Saucepan

User Tools

Site Tools

Trace:
infoblox_threat_defense:endpoints

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_threat_defense:endpoints [2025/01/17 13:10] bstaffordinfoblox_threat_defense:endpoints [2026/02/15 02:36] (current) – [Endpoint Config] bstafford
Line 1: Line 1:
-====== BloxOne Endpoints ======+====== Infoblox Endpoints ======
 ===== Best Practice ===== ===== Best Practice =====
 [[https://docs.infoblox.com/space/BloxOneThreatDefense/35377424/Best+Practices+for+Endpoint|Official Best Practice]] [[https://docs.infoblox.com/space/BloxOneThreatDefense/35377424/Best+Practices+for+Endpoint|Official Best Practice]]
 ===== Internal Host Detection ===== ===== Internal Host Detection =====
-The endpoint can be configured to detect when it is on the corporate network and thus told to not establish DOT to Cloud because the local DNS server will be BloxOne VM that will do the security.+Endpoint can be configured to detect when it is on the corporate network and thus told to not establish DoT session to Infoblox Cloud because the local DNS server will be applying DNS security.
  
-  * Set under Manage > Endpoints > Endpoint Groups > Bypass mode. +  * Set under Manage > Security > Endpoints > Endpoint Groups > Bypass mode. 
   * Set the FQDN and a TXT record.   * Set the FQDN and a TXT record.
  
-Client will then do a TXT query for FQDN. If the result matches the value you put in the TXT record (that the endpoint will have a copy of), then the end point knows it is inside the network and it will not do DOT back to cloud.+Endpoint will then do a TXT query for FQDN. If the result matches the value you put in the TXT record (that the endpoint will have a copy of), then the end point knows it is inside the network and it will not do DOT back to cloud.
  
-===== BloxOne Config =====+===== Endpoint Config =====
  
-You should be able to resolve ''amiawesome.ibrc'' to ''127.0.0.127'' if the endpoint is working (local domain on laptop if endpoint is running)+You should be able to resolve ''amiawesome.ibrc'' to ''127.0.0.1'' (which goes to ''127.0.0.127''if the endpoint is working (local domain on laptop if endpoint is running)
  
 Config file on Windows: Config file on Windows:
Line 18: Line 18:
 <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6</code> <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6</code>
  
 +PowerShell can follow this file
 +<code>Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -wait -tail 5</code>
 +
 +On Windows, you can also find the registry keys at
 +<code>Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Infoblox\ActiveTrust Endpoint</code>
 +
 +===== PTR and Internal Zones =====
 The files above are where Internal Domains are configured. Also, this is where BloxOne Endpoint automatically adds internal domains to the "Internal Domain" list as follows: The files above are where Internal Domains are configured. Also, this is where BloxOne Endpoint automatically adds internal domains to the "Internal Domain" list as follows:
 +  * <any DNS suffix assigned to your network interface>
   * local   * local
 +  * ipv4only.arpa
   * 10.in-addr.arpa   * 10.in-addr.arpa
   * 16.172.in-addr.arpa   * 16.172.in-addr.arpa
Line 38: Line 47:
   * 31.172.in-addr.arpa   * 31.172.in-addr.arpa
   * 168.192.in-addr.arpa   * 168.192.in-addr.arpa
 +  * 254.169.in-addr.arpa
   * c.f.ip6.arpa   * c.f.ip6.arpa
   * d.f.ip6.arpa   * d.f.ip6.arpa
-  * ipv4only.arpa 
-  * 254.169.in-addr.arpa 
   * 8.e.f.ip6.arpa   * 8.e.f.ip6.arpa
   * 9.e.f.ip6.arpa   * 9.e.f.ip6.arpa
Line 47: Line 55:
   * b.e.f.ip6.arpa   * b.e.f.ip6.arpa
  
 +This can be summarised as
 +  *   * <any DNS suffix assigned to your network interface>
 +  * local
 +  * ipv4only.arpa
 +  * 10.0.0.0/8
 +  * 172.16.0.0/12 (172.[16-31].0.0/16)
 +  * 192.168.0.0/16
 +  * 169.254.0.0/16
 +  * fc00::/7 (fc00::/8 and fd00::/8)
 +  * fe80::/16
 +  * fe90::/16
 +  * fea0::/16
 +  * feb0::/16
  
 +===== Config Files =====
 The following file is written every few seconds. The following file is written every few seconds.
 <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4</code> <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4</code>
Line 143: Line 165:
  
 If the admin changes the "Automatically remove endpoints after a period of inactivity" setting to a value greater than or equal to 30 days but less than the last connected time of endpoint, then the endpoint will be moved automatically to recycle bin in the next cycle (within 24 hours). Hence, it considers the past time of inactivity also when "Automatically remove endpoints after a period of inactivity" is configured. If the admin changes the "Automatically remove endpoints after a period of inactivity" setting to a value greater than or equal to 30 days but less than the last connected time of endpoint, then the endpoint will be moved automatically to recycle bin in the next cycle (within 24 hours). Hence, it considers the past time of inactivity also when "Automatically remove endpoints after a period of inactivity" is configured.
 +===== Follow Query Logs ==== 
 +This will print the latest 5 lines of DNS logs and then prints queries live as they are made. 
 +<code>Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -wait -tail 5</code>
 ===== Palo Alto Networks ===== ===== Palo Alto Networks =====
-When using Palo Alto Networks, if you have a split-tunnel VPN where only internal data goes over the VPN, don't forget to set "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)" to "No" in the Portal config so that the Palo DNS servers are not the default for the endpoint.+When using Palo Alto Networks GlobalProtect VPN or Prisma Access, if you have a split-tunnel VPN where only internal data goes over the VPN, don't forget to set "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)" to "No" in the Portal config so that the client device does not force the use of the GlobalProtect specified DNS servers for default DNS resolution.
  
 ===== Updates ===== ===== Updates =====
Line 152: Line 176:
 <code>customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip</code> <code>customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip</code>
 <code>https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip.57b95cae2c84bba911e67b169b59b883.md5</code> <code>https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip.57b95cae2c84bba911e67b169b59b883.md5</code>
 +
 +===== PowerShell Scripts =====
 +Scripts that extract data from the Endpoint config. Courtesy of CoPilot.
 +==== Show Local IP ====
 +Show the local DNS server IP issued by DHCP. This isn't visible via ''ipconfig'' when Infoblox Endpoint has overridden that setting.
 +<code># Define the path to the input file
 +$filePath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4"
 +
 +# Read the file line by line
 +Get-Content $filePath | ForEach-Object {
 +    # Check if the line contains "alternate SERVFAIL,REFUSED"
 +    if ($_ -match "alternate SERVFAIL,REFUSED\s+\.\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})") {
 +        # Extract the IP address using a regular expression
 +        $ipAddress = $matches[1]
 +        # Print the IP address to the screen
 +        Write-Output "Found IP address: $ipAddress"
 +    }
 +}</code>
 +==== Show Local Domains ====
 +Read the file and extract the local domains. Ignore the default ones from Infoblox. You may want to ignore local domains. This will then give you the list of Application domains that are configured "Allow - Local Resolution".
 +<code># Define the path to the input file
 +$filePath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4"
 +# List of words to ignore
 +$ignoreWords = @(
 +    "activetrust.net", "inca.infoblox.com", "infoblox.com", "inuk.infoblox.com", 
 +    "local", "10.in-addr.arpa", 
 +    "16.172.in-addr.arpa", "17.172.in-addr.arpa", "18.172.in-addr.arpa", 
 +    "19.172.in-addr.arpa", "20.172.in-addr.arpa", "21.172.in-addr.arpa", 
 +    "22.172.in-addr.arpa", "23.172.in-addr.arpa", "24.172.in-addr.arpa", 
 +    "25.172.in-addr.arpa", "26.172.in-addr.arpa", "27.172.in-addr.arpa", 
 +    "28.172.in-addr.arpa", "29.172.in-addr.arpa", "30.172.in-addr.arpa", 
 +    "31.172.in-addr.arpa", "168.192.in-addr.arpa", "c.f.ip6.arpa", "d.f.ip6.arpa", 
 +    "ipv4only.arpa", "254.169.in-addr.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", 
 +    "a.e.f.ip6.arpa", "b.e.f.ip6.arpa", "{"
 +)
 +
 +# Read the file line by line
 +$fileContent = Get-Content -Path $filePath
 +
 +# Initialize a flag to indicate if the target line is found
 +$found = $false
 +
 +# Iterate over each line in the file
 +foreach ($line in $fileContent) {
 +    if ($line -match "activetrust.net") {
 +        # If the line contains the target word, split it into words
 +        $words = $line -split "\s+"
 +        
 +        # Print each word on a new line, ignoring specified words
 +        foreach ($word in $words) {
 +            if ($ignoreWords -notcontains $word) {
 +                Write-Output $word
 +            }
 +        }
 +        
 +        # Set the flag to true and break the loop
 +        $found = $true
 +        break
 +    }
 +}
 +# If the target line was not found, print a message
 +if (-not $found) {
 +    Write-Output "No line containing 'activetrust.net' was found."
 +}</code>
 +==== Show SSID History ====
 +Show all SSID connected to and DNS IP addresses
 +<code># Define the path to the folder containing the files
 +$folderPath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config"
 +
 +
 +# Define the regex pattern for the file names (GUID format)
 +$guidPattern = "^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
 +
 +
 +# Define the regex pattern to match the template
 +$pattern = "^\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}(.+?)\|(DHCP(?:,DHCPv6)?)((?:,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+)$"
 +
 +
 +
 +# Get all files in the folder
 +$files = Get-ChildItem -Path $folderPath
 +
 +# Iterate over each file
 +foreach ($file in $files) {
 +    # Check if the file name matches the GUID pattern
 +    if ($file.Name -match $guidPattern) {
 +        # Read the content of the file
 +        $fileContent = Get-Content -Path $file.FullName
 +        
 +
 +        # Iterate over each line in the file
 +        foreach ($line in $fileContent) {
 + # Check if the line matches the pattern
 + if ($line -match $pattern) {
 + $guid = $matches[1]
 + $ssid = $matches[2]
 + $dhcp = $matches[3]
 + $ips = $matches[4] -split ","
 +
 + # Print the extracted data
 + Write-Output ""
 + #Write-Output "GUID: $guid"
 + Write-Output " SSID: $ssid"
 + #Write-Output " Type: $dhcp"
 + foreach ($ip in $ips) {
 + if ($ip -ne "") {
 + Write-Output " $ip"
 + }
 + }
 +
 +        }
 +
 +    }
 +}</code>
infoblox_threat_defense/endpoints.1737119429.txt.gz · Last modified: by bstafford