Saucepan

User Tools

Site Tools

Trace: custom_lists geolocation endpoints
infoblox_threat_defense:endpoints

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_threat_defense:endpoints [2025/02/17 00:54] bstaffordinfoblox_threat_defense:endpoints [2026/02/15 02:36] (current) – [Endpoint Config] bstafford
Line 1: Line 1:
-====== BloxOne Endpoints ======+====== Infoblox Endpoints ======
 ===== Best Practice ===== ===== Best Practice =====
 [[https://docs.infoblox.com/space/BloxOneThreatDefense/35377424/Best+Practices+for+Endpoint|Official Best Practice]] [[https://docs.infoblox.com/space/BloxOneThreatDefense/35377424/Best+Practices+for+Endpoint|Official Best Practice]]
 ===== Internal Host Detection ===== ===== Internal Host Detection =====
-The endpoint can be configured to detect when it is on the corporate network and thus told to not establish DOT to Cloud because the local DNS server will be BloxOne VM that will do the security.+Endpoint can be configured to detect when it is on the corporate network and thus told to not establish DoT session to Infoblox Cloud because the local DNS server will be applying DNS security.
  
-  * Set under Manage > Endpoints > Endpoint Groups > Bypass mode. +  * Set under Manage > Security > Endpoints > Endpoint Groups > Bypass mode. 
   * Set the FQDN and a TXT record.   * Set the FQDN and a TXT record.
  
-Client will then do a TXT query for FQDN. If the result matches the value you put in the TXT record (that the endpoint will have a copy of), then the end point knows it is inside the network and it will not do DOT back to cloud.+Endpoint will then do a TXT query for FQDN. If the result matches the value you put in the TXT record (that the endpoint will have a copy of), then the end point knows it is inside the network and it will not do DOT back to cloud.
  
-===== BloxOne Config =====+===== Endpoint Config =====
  
 You should be able to resolve ''amiawesome.ibrc'' to ''127.0.0.1'' (which goes to ''127.0.0.127'') if the endpoint is working (local domain on laptop if endpoint is running) You should be able to resolve ''amiawesome.ibrc'' to ''127.0.0.1'' (which goes to ''127.0.0.127'') if the endpoint is working (local domain on laptop if endpoint is running)
Line 18: Line 18:
 <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6</code> <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6</code>
  
 +PowerShell can follow this file
 +<code>Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -wait -tail 5</code>
 +
 +On Windows, you can also find the registry keys at
 +<code>Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Infoblox\ActiveTrust Endpoint</code>
 +
 +===== PTR and Internal Zones =====
 The files above are where Internal Domains are configured. Also, this is where BloxOne Endpoint automatically adds internal domains to the "Internal Domain" list as follows: The files above are where Internal Domains are configured. Also, this is where BloxOne Endpoint automatically adds internal domains to the "Internal Domain" list as follows:
 +  * <any DNS suffix assigned to your network interface>
   * local   * local
 +  * ipv4only.arpa
   * 10.in-addr.arpa   * 10.in-addr.arpa
   * 16.172.in-addr.arpa   * 16.172.in-addr.arpa
Line 38: Line 47:
   * 31.172.in-addr.arpa   * 31.172.in-addr.arpa
   * 168.192.in-addr.arpa   * 168.192.in-addr.arpa
 +  * 254.169.in-addr.arpa
   * c.f.ip6.arpa   * c.f.ip6.arpa
   * d.f.ip6.arpa   * d.f.ip6.arpa
-  * ipv4only.arpa 
-  * 254.169.in-addr.arpa 
   * 8.e.f.ip6.arpa   * 8.e.f.ip6.arpa
   * 9.e.f.ip6.arpa   * 9.e.f.ip6.arpa
Line 47: Line 55:
   * b.e.f.ip6.arpa   * b.e.f.ip6.arpa
  
 +This can be summarised as
 +  *   * <any DNS suffix assigned to your network interface>
 +  * local
 +  * ipv4only.arpa
 +  * 10.0.0.0/8
 +  * 172.16.0.0/12 (172.[16-31].0.0/16)
 +  * 192.168.0.0/16
 +  * 169.254.0.0/16
 +  * fc00::/7 (fc00::/8 and fd00::/8)
 +  * fe80::/16
 +  * fe90::/16
 +  * fea0::/16
 +  * feb0::/16
  
 +===== Config Files =====
 The following file is written every few seconds. The following file is written every few seconds.
 <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4</code> <code>C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4</code>
Line 143: Line 165:
  
 If the admin changes the "Automatically remove endpoints after a period of inactivity" setting to a value greater than or equal to 30 days but less than the last connected time of endpoint, then the endpoint will be moved automatically to recycle bin in the next cycle (within 24 hours). Hence, it considers the past time of inactivity also when "Automatically remove endpoints after a period of inactivity" is configured. If the admin changes the "Automatically remove endpoints after a period of inactivity" setting to a value greater than or equal to 30 days but less than the last connected time of endpoint, then the endpoint will be moved automatically to recycle bin in the next cycle (within 24 hours). Hence, it considers the past time of inactivity also when "Automatically remove endpoints after a period of inactivity" is configured.
 +===== Follow Query Logs ==== 
 +This will print the latest 5 lines of DNS logs and then prints queries live as they are made. 
 +<code>Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -wait -tail 5</code>
 ===== Palo Alto Networks ===== ===== Palo Alto Networks =====
-When using Palo Alto Networks, if you have a split-tunnel VPN where only internal data goes over the VPN, don't forget to set "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)" to "No" in the Portal config so that the Palo DNS servers are not the default for the endpoint.+When using Palo Alto Networks GlobalProtect VPN or Prisma Access, if you have a split-tunnel VPN where only internal data goes over the VPN, don't forget to set "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)" to "No" in the Portal config so that the client device does not force the use of the GlobalProtect specified DNS servers for default DNS resolution.
  
 ===== Updates ===== ===== Updates =====
Line 154: Line 178:
  
 ===== PowerShell Scripts ===== ===== PowerShell Scripts =====
-Scripts that extract data from the Endpoint config.+Scripts that extract data from the Endpoint config. Courtesy of CoPilot.
 ==== Show Local IP ==== ==== Show Local IP ====
 Show the local DNS server IP issued by DHCP. This isn't visible via ''ipconfig'' when Infoblox Endpoint has overridden that setting. Show the local DNS server IP issued by DHCP. This isn't visible via ''ipconfig'' when Infoblox Endpoint has overridden that setting.
Line 215: Line 239:
 if (-not $found) { if (-not $found) {
     Write-Output "No line containing 'activetrust.net' was found."     Write-Output "No line containing 'activetrust.net' was found."
 +}</code>
 +==== Show SSID History ====
 +Show all SSID connected to and DNS IP addresses
 +<code># Define the path to the folder containing the files
 +$folderPath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config"
 +
 +
 +# Define the regex pattern for the file names (GUID format)
 +$guidPattern = "^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
 +
 +
 +# Define the regex pattern to match the template
 +$pattern = "^\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}(.+?)\|(DHCP(?:,DHCPv6)?)((?:,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+)$"
 +
 +
 +
 +# Get all files in the folder
 +$files = Get-ChildItem -Path $folderPath
 +
 +# Iterate over each file
 +foreach ($file in $files) {
 +    # Check if the file name matches the GUID pattern
 +    if ($file.Name -match $guidPattern) {
 +        # Read the content of the file
 +        $fileContent = Get-Content -Path $file.FullName
 +        
 +
 +        # Iterate over each line in the file
 +        foreach ($line in $fileContent) {
 + # Check if the line matches the pattern
 + if ($line -match $pattern) {
 + $guid = $matches[1]
 + $ssid = $matches[2]
 + $dhcp = $matches[3]
 + $ips = $matches[4] -split ","
 +
 + # Print the extracted data
 + Write-Output ""
 + #Write-Output "GUID: $guid"
 + Write-Output " SSID: $ssid"
 + #Write-Output " Type: $dhcp"
 + foreach ($ip in $ips) {
 + if ($ip -ne "") {
 + Write-Output " $ip"
 + }
 + }
 +
 +        }
 +
 +    }
 }</code> }</code>
infoblox_threat_defense/endpoints.1739753641.txt.gz · Last modified: by bstafford