====== Infoblox Ecosystem ======
The Infoblox Ecosystem licence is a single, Grid-wide licence that is applied to the Grid Master. It enables the Infoblox appliances to initiate API calls to third-party vendor appliances (e.g. Palo Alto Networks firewalls).
===== Initial Setup with Palo Alto Networks =====
Set the default values of the extensible attributes on the network view:
Grid Manager > Administration > Network Views > default > edit
Add the Extensible Attributes with these default values:
* PaloAlto_Asset_Sync true
* PaloAlto_Asset_Tag allow
* PaloAlto_Security_Sync true
* PaloAlto_Security_Tag deny
* PaloAlto_Timeout 30
PaloAlto_Asset_SyncedAt and PaloAlto_Security_SyncedAt have no default value
PaloAlto_Asset_Sync and PaloAlto_Security_Sync should have the following list of options
* true
* false
To create the Extensible Attributes themselves (they are created without default values; the defaults above are set on the network view):
Grid Manager > Administration > Extensible Attributes
^ Name ^ TYPE ^ REQUIRED ^ INHERITANCE ^ COMMENT ^
|PaloAlto_Asset_Sync | List | No | Yes | Whether or not syncing asset events with PAN is desired.|
|PaloAlto_Asset_SyncedAt | String | No | No | Timestamp for when the asset was synced with PAN.|
|PaloAlto_Asset_Tag | String | No | Yes | Tag attached to an IP to populate it in a Dynamic Address Group (allow).|
|PaloAlto_Security_Sync | List | No | Yes | Whether or not syncing security events with PAN is desired.|
|PaloAlto_Security_SyncedAt | String | No | No | Timestamp for when the security event was synced with PAN.|
|PaloAlto_Security_Tag | String | No | Yes | Tag attached to an IP to populate it in a Dynamic Address Group (deny).|
|PaloAlto_Timeout | Integer | No | Yes | Starting with PAN-OS 9.0 a tag can carry an optional timeout attribute: 0 (the default) means the tag never expires, otherwise a value in seconds. The maximum timeout is 2592000 (30 days).|
===== Palo Alto Networks =====
Remember, you need to create the address groups and tags on the firewall before configuring Infoblox.
It is also best practice to put a dummy address object in each address group, because an address group must contain at least one object to be valid. Pick a placeholder address that no real host uses, since policy applies to it like any other member of the group.
The main difference between this code and the Infoblox template code is that this code does not put objects into "shared"; it assumes a single-vsys firewall and writes to
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ instead of /config/shared/
There are two types of templates: session management and event.
Session management templates may use event types for some actions (e.g. device login and logout).
Session management templates are assigned to "Outbound Endpoint" configs. This is also where you define variables that can be used in event templates.
Event templates are assigned to "Notification" configs.
The reason all the Infoblox guides say that you have to enable multi-vsys is that they inject into "shared", which only exists on a multi-vsys system.
vendor_identifier (e.g. "vendor_identifier":"Palo Alto",) has to match a predefined list from Infoblox.
The JSON path is at the bottom of the event file.
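As an added example (not Infoblox's or Palo Alto's own code, and not taken from the template files above), the following Python builds the two PAN-OS XML API requests that the behaviour described on this page boils down to: a ''config set'' that creates an Address object under the single-vsys path (or under ''/config/shared'' when multi-vsys is on), and a User-ID ''<uid-message>'' that registers or unregisters a tag on an IP with the optional timeout, which is what actually moves an IP into or out of a Dynamic Address Group. The hostname, API key, IPs and tag names are made-up values; no request is sent.

```python
"""Added example: build the PAN-OS XML API requests that the Infoblox outbound
templates on this page rely on. Not Infoblox or Palo Alto code; the firewall
hostname, API key, IPs and tag names below are made-up values."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

MAX_TAG_TIMEOUT = 2592000  # seconds; the 30-day PAN-OS 9.0+ ceiling noted above


def config_base_xpath(multi_vsys: bool, vsys: str = "vsys1") -> str:
    """Parent XPath for address objects and tags.

    Infoblox's stock templates write under /config/shared, which only exists on
    a multi-vsys firewall; a single-vsys box must use the vsys path instead.
    """
    if multi_vsys:
        return "/config/shared"
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']")


def address_object_request(api_key: str, ip: str, name: Optional[str] = None,
                           tags: Tuple[str, ...] = (),
                           multi_vsys: bool = False) -> Dict[str, str]:
    """Query parameters for a 'config set' that creates an Address object.

    Mirrors the Static Assets behaviour described on this page: the object is
    named after the IP unless a name is supplied, and tags are optional.
    """
    name = name or ip
    element = f"<entry name='{name}'><ip-netmask>{ip}</ip-netmask>"
    if tags:
        element += "<tag>" + "".join(f"<member>{t}</member>" for t in tags) + "</tag>"
    element += "</entry>"
    return {
        "type": "config",
        "action": "set",
        "key": api_key,
        "xpath": f"{config_base_xpath(multi_vsys)}/address",
        "element": element,
    }


def valid_tag_timeout(timeout: int) -> bool:
    """0 means the tag never expires; anything else must be 1..MAX_TAG_TIMEOUT."""
    return 0 <= timeout <= MAX_TAG_TIMEOUT


def dag_tag_message(ip: str, tag: str, timeout: int = 0,
                    unregister: bool = False) -> str:
    """User-ID API <uid-message> that registers (or unregisters) a tag on an IP.

    Registering the 'allow' or 'deny' tag is what places the IP in the matching
    Dynamic Address Group; unregistering removes it.
    """
    if not valid_tag_timeout(timeout):
        raise ValueError(f"timeout must be 0..{MAX_TAG_TIMEOUT} seconds, got {timeout}")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    action = ET.SubElement(payload, "unregister" if unregister else "register")
    entry = ET.SubElement(action, "entry", ip=ip)
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    member.text = tag
    if timeout and not unregister:
        member.set("timeout", str(timeout))  # omitted when 0 (never expires)
    return ET.tostring(root, encoding="unicode")


def user_id_request(api_key: str, cmd: str) -> Dict[str, str]:
    """Query parameters that wrap a <uid-message> for the XML API."""
    return {"type": "user-id", "key": api_key, "cmd": cmd}


def request_url(host: str, params: Dict[str, str]) -> str:
    """Full GET URL for the XML API; sending it is left to the caller."""
    return f"https://{host}/api/?{urlencode(params)}"


if __name__ == "__main__":
    key = "EXAMPLE-API-KEY"  # made-up
    host = "fw.example.net"  # made-up hostname
    print(request_url(host, address_object_request(key, "192.168.99.7")))
    print(request_url(host, user_id_request(
        key, dag_tag_message("192.168.99.7", "deny", timeout=30))))
```

The timeout is deliberately validated before the message is built: PAN-OS rejects values above 2592000, and a 0 that is sent as an explicit attribute is not the same as omitting it, so the code leaves the attribute out for 0. If you do enable multi-vsys later, only ''config_base_xpath'' changes; the User-ID message is the same either way.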
Variables in templates (e.g. ${S::infoblox-created-objects}) are defined in PAN_Session.txt.
When you edit PAN_Session.txt, you need to re-import it into the Infoblox Grid and then check it under
Grid > Ecosystem > Outbound Endpoint > (firewall endpoint) > Session Management.
Then re-import the event template you are editing so that it picks up the new variable name.
To update the firewall with new host records (IP) when new hosts are added, create the following notification:
PAN_Host_IPv4
Event = Object Change Host Address IPv4
Match the following rule:
* IPv4 Address matches CIDR 192.168.99.0/27 (this does not have to be a specific subnet; 192.168.0.0/16 would match all subnets within 192.168.0.0/16)
Template = Palo Alto Static Assets
By default, this will create an Address object named after the IP (e.g. IP = 192.168.1.1, Name = 192.168.1.1) with no tags, and add it to the Address Group Iblox_Host_Allow.
===== From Demo =====
This is from the cloud-based partner demo system that Infoblox offers.
The following are the notification rules configured there.
PAN_Lease:
Template = Palo Alto Dynamic Assets
Event = DHCP Leases
Match = ANY
Rules:
* Network View equals default
* Lease State equals Active
* Lease State equals Expired
* Lease State equals Free
* Lease State equals Released
* IP Address matches CIDR 172.0.0.0/24
PAN_RPZ:
Template = Palo Alto Dynamic Security
Event = DNS RPZ
Match = ANY
Rules:
* Action Policy equals Local Data
* Action Policy equals NXDOMAIN
* Action Policy equals No Data
* Action Policy equals Passthru
* Rule Name contains .
* Source IP matches CIDR 127.0.1.0/24
PAN_Tunnel:
Template = Palo Alto Dynamic Security
Event = DNS Tunneling
Match = ANY
Rules:
* Source IP matches CIDR 172.0.0.0/8
* Source IP matches CIDR 10.0.0.0/24
* Source IP matches CIDR fc01::/64
PAN_ADP:
Template = Palo Alto Dynamic Security
Event = Security ADP
Match = ANY
Rules:
* Hits Count is greater than 5
* Rule Action equals Alert
* Rule Action equals Drop
* Rule Action equals Pass
* Rule Severity equals Critical
* Rule Severity equals Major
* Rule Severity equals Warning
* Rule Severity equals Informational
PAN_Fixed_IPv6
Template = Palo Alto Dynamic Assets
Event = Object Change Fixed Address IPv6
Match the following rule:
* Network View contains default
PAN_Host_IPv6
Template = Palo Alto Dynamic Assets
Event = Object Change Host Address IPv6
Match the following rule:
* Network View contains default
PAN_Fixed_IPv4_Static
Template = Palo Alto Static Assets
Event = Object Change Fixed Address IPv4
Match the following rule:
* IPv4 Address matches CIDR 172.0.0.0/24
PAN_Fixed_IPv4_Dynamic
Template = Palo Alto Dynamic Assets
Event = Object Change Fixed Address IPv4
Match the following rule:
* IPv4 Address matches CIDR 10.0.0.0/24
PAN_Host_IPv4_Static
Template = Palo Alto Static Assets
Event = Object Change Host Address IPv4
Match the following rule:
* IPv4 Address matches CIDR 172.0.0.0/24
PAN_Host_IPv4_Dynamic
Template = Palo Alto Dynamic Assets
Event = Object Change Host Address IPv4
Match the following rule:
* IPv4 Address matches CIDR 10.0.0.0/24
PAN_Records
Template = Palo Alto Static Records
Event = Object Change DNS Records
Match = ANY
Rules:
* Network View contains default
* Zone Name contains .
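Before pointing any of these notifications at a production firewall it is worth checking which events they will actually fire on, in particular the "Match = ANY" ones. As an added example (not Infoblox code), the Python below models the rule operators used on this page (equals, contains, matches CIDR, is greater than) and the ANY/ALL combination, loaded with the PAN_Host_IPv4 notification from the previous section and two of the demo notifications above, trimmed to the rules that matter for the check. The event field names and the sample events are made up for the example.

```python
"""Added example: a small model of how Infoblox notification rules combine, to
check which notifications on this page a given event would trigger. Not
Infoblox code; event field names and sample events are made up."""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]  # (field, operator, value) as shown in the Grid UI


def rule_matches(rule: Rule, event: Dict[str, object]) -> bool:
    """Evaluate one rule against an event with the operators the page uses."""
    field, op, value = rule
    if field not in event:
        return False
    actual = event[field]
    if op == "equals":
        return str(actual) == str(value)
    if op == "contains":
        return str(value) in str(actual)
    if op == "matches CIDR":
        try:  # a v4 address never matches a v6 network and vice versa
            return ipaddress.ip_address(str(actual)) in ipaddress.ip_network(value, strict=False)
        except ValueError:  # field is not an IP address at all
            return False
    if op == "is greater than":
        return int(actual) > int(value)
    raise ValueError(f"unknown operator {op!r}")


def notification_fires(rules: List[Rule], event: Dict[str, object],
                       match: str = "ALL") -> bool:
    """'ANY' fires when one rule matches; 'ALL' needs every rule to match."""
    results = [rule_matches(r, event) for r in rules]
    return any(results) if match == "ANY" else all(results)


# Notifications transcribed from this page: name -> (event type, match mode, rules).
# PAN_ADP is trimmed to one severity so the ANY behaviour is visible.
NOTIFICATIONS: Dict[str, Tuple[str, str, List[Rule]]] = {
    "PAN_Host_IPv4": ("Object Change Host Address IPv4", "ALL",
                      [("IPv4 Address", "matches CIDR", "192.168.99.0/27")]),
    "PAN_Lease": ("DHCP Leases", "ANY",
                  [("Network View", "equals", "default"),
                   ("Lease State", "equals", "Active"),
                   ("Lease State", "equals", "Expired"),
                   ("Lease State", "equals", "Free"),
                   ("Lease State", "equals", "Released"),
                   ("IP Address", "matches CIDR", "172.0.0.0/24")]),
    "PAN_ADP": ("Security ADP", "ANY",
                [("Hits Count", "is greater than", "5"),
                 ("Rule Action", "equals", "Alert"),
                 ("Rule Action", "equals", "Drop"),
                 ("Rule Action", "equals", "Pass"),
                 ("Rule Severity", "equals", "Critical")]),
}


def fired(event_type: str, event: Dict[str, object]) -> List[str]:
    """Names of the notifications whose event type and rules match this event."""
    return [name for name, (etype, mode, rules) in NOTIFICATIONS.items()
            if etype == event_type and notification_fires(rules, event, mode)]


# Constructed sample events (not real Infoblox output).
SAMPLE_EVENTS = [
    ("Object Change Host Address IPv4", {"IPv4 Address": "192.168.99.7"}),   # inside the /27
    ("Object Change Host Address IPv4", {"IPv4 Address": "192.168.99.40"}),  # outside .0-.31
    ("DHCP Leases", {"Network View": "default", "Lease State": "Active",
                     "IP Address": "10.9.9.9"}),  # not in 172.0.0.0/24, still fires
    ("Security ADP", {"Hits Count": 1, "Rule Action": "Log",
                      "Rule Severity": "Informational"}),
]

if __name__ == "__main__":
    for etype, ev in SAMPLE_EVENTS:
        print(etype, ev, "->", fired(etype, ev))
```

The third sample event is the caveat: because PAN_Lease uses Match = ANY, the "Network View equals default" rule alone is enough, so every lease in the default view reaches the firewall and the 172.0.0.0/24 CIDR rule restricts nothing. If the intent is to sync only one subnet, the CIDR has to be the sole rule (or the notification has to require all rules), otherwise the Dynamic Address Group fills with every DHCP client.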