====== Infoblox Endpoints ======

===== Best Practice =====

[[https://docs.infoblox.com/space/BloxOneThreatDefense/35377424/Best+Practices+for+Endpoint|Official Best Practice]]

===== Internal Host Detection =====

The Endpoint can be configured to detect when it is on the corporate network and, in that case, not establish a DoT session to the Infoblox Cloud, because the local DNS server will already be applying DNS security.

  * Set under Manage > Security > Endpoints > Endpoint Groups > Bypass mode.
  * Set the FQDN and a TXT record.

The Endpoint will then do a TXT query for the FQDN. If the result matches the value you put in the TXT record (the Endpoint holds a copy of that value), the Endpoint knows it is inside the network and will not do DoT back to the cloud.

===== Endpoint Config =====

If the Endpoint is working, you should be able to resolve ''amiawesome.ibrc'' to ''127.0.0.1'' (which goes to ''127.0.0.127''). This is a domain local to the laptop that only answers while the Endpoint is running.

Config files on Windows:

  * ''C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4''
  * ''C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6''

PowerShell can follow the proxy log:

<code powershell>
Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -Wait -Tail 5
</code>

On Windows, you can also find the registry keys at ''Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Infoblox\ActiveTrust Endpoint''.

===== PTR and Internal Zones =====

The files above are where Internal Domains are configured.
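As an added example (not from the Infoblox documentation or this page's author), the following read-only PowerShell script checks the items from the Endpoint Config and Internal Host Detection sections above: that the config files and registry key exist, that ''amiawesome.ibrc'' answers with ''127.0.0.1'', and that the bypass-mode TXT lookup returns the configured value from the current network. ''$BypassFqdn'' and ''$ExpectedTxt'' are placeholders to replace with the FQDN and TXT value set under Endpoint Groups > Bypass mode; exact, case-sensitive comparison of the TXT value is an assumption.

```powershell
# Added example, not from the Infoblox documentation or this page's author:
# read-only checks that the Endpoint on this laptop is running and that
# Internal Host Detection (bypass mode) would match from the current network.
# $BypassFqdn and $ExpectedTxt are placeholders: replace them with the FQDN
# and TXT value configured under Endpoint Groups > Bypass mode.
param(
    [string]$BypassFqdn     = 'bypass.example.internal',           # placeholder
    [string]$ExpectedTxt    = 'REPLACE-WITH-CONFIGURED-TXT-VALUE',  # placeholder
    [string]$HealthFqdn     = 'amiawesome.ibrc',
    [string]$ExpectedHealth = '127.0.0.1'
)

function Test-EndpointFiles {
    # Config files and registry key from this page; a missing path means the
    # Endpoint is not installed or has not written its configuration yet.
    $paths = @(
        'C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4',
        'C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6',
        'HKLM:\SOFTWARE\WOW6432Node\Infoblox\ActiveTrust Endpoint'
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Check = 'PathExists'; Ok = (Test-Path -Path $p); Detail = $p }
    }
}

function Test-EndpointLoopback {
    # amiawesome.ibrc only resolves (to 127.0.0.1) while the Endpoint is running.
    param([string]$Name, [string]$Expected)
    try {
        $answers = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Check = 'EndpointLoopback'; Ok = $false; Detail = "no answer for ${Name}: $($_.Exception.Message)" }
    }
    $addrs = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    [pscustomobject]@{ Check = 'EndpointLoopback'; Ok = ($addrs -contains $Expected); Detail = "$Name -> $($addrs -join ', ')" }
}

function Test-InternalHostDetection {
    # Same TXT lookup the Endpoint performs: the FQDN must answer with the
    # configured value. A multi-string TXT record is joined before comparing;
    # exact, case-sensitive equality is assumed here.
    param([string]$Fqdn, [string]$Expected)
    try {
        $answers = Resolve-DnsName -Name $Fqdn -Type TXT -DnsOnly -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Check = 'InternalHostDetection'; Ok = $false; Detail = "TXT query for $Fqdn failed: $($_.Exception.Message)" }
    }
    $values = @($answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
    [pscustomobject]@{ Check = 'InternalHostDetection'; Ok = ($values -ccontains $Expected); Detail = "$Fqdn TXT -> $($values -join ' | ')" }
}

$results = @(
    Test-EndpointFiles
    Test-EndpointLoopback -Name $HealthFqdn -Expected $ExpectedHealth
    Test-InternalHostDetection -Fqdn $BypassFqdn -Expected $ExpectedTxt
)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Ok }).Count
Write-Output "$failed of $($results.Count) checks failed"
```

''Ok = True'' on the ''InternalHostDetection'' row means the Endpoint would enter bypass mode on this network and rely on the local DNS server for protection. Run it on the corporate LAN to confirm the TXT record is published correctly, and from an outside network to confirm it is not reachable there (a match off-site would switch off cloud DNS security on that network, so the TXT value should not be something guessable).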
Also, this is where BloxOne Endpoint automatically adds internal domains to the "Internal Domain" list, as follows:

  * ''*''
  * local
  * ipv4only.arpa
  * 10.in-addr.arpa
  * 16.172.in-addr.arpa
  * 17.172.in-addr.arpa
  * 18.172.in-addr.arpa
  * 19.172.in-addr.arpa
  * 20.172.in-addr.arpa
  * 21.172.in-addr.arpa
  * 22.172.in-addr.arpa
  * 23.172.in-addr.arpa
  * 24.172.in-addr.arpa
  * 25.172.in-addr.arpa
  * 26.172.in-addr.arpa
  * 27.172.in-addr.arpa
  * 28.172.in-addr.arpa
  * 29.172.in-addr.arpa
  * 30.172.in-addr.arpa
  * 31.172.in-addr.arpa
  * 168.192.in-addr.arpa
  * 254.169.in-addr.arpa
  * c.f.ip6.arpa
  * d.f.ip6.arpa
  * 8.e.f.ip6.arpa
  * 9.e.f.ip6.arpa
  * a.e.f.ip6.arpa
  * b.e.f.ip6.arpa

This can be summarised as:

  * ''*''
  * local
  * ipv4only.arpa
  * 10.0.0.0/8
  * 172.16.0.0/12 (172.[16-31].0.0/16)
  * 192.168.0.0/16
  * 169.254.0.0/16
  * fc00::/7 (fc00::/8 and fd00::/8)
  * fe80::/16
  * fe90::/16
  * fea0::/16
  * feb0::/16

===== Config Files =====

The following file is written every few seconds:

''C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4''

Contents are:

<code json>
{
  "message": "OK",
  "version": "ipv4n3",
  "started_at": "0001-01-01T00:00:00Z",
  "reloaded_at": "2024-02-23T08:04:49.2445042Z",
  "healthy": "healthy",
  "ttl": "2024-02-23 08:15:09:000",
  "health_status": [{
    "zone": ".",
    "queries": {
      "total_count": 183,
      "invalid_count": 0,
      "invalid_since": "2024-02-23T08:15:01.8066193Z",
      "last_invalid_rcode": "",
      "last_invalid_error": ""
    },
    "tests": {
      "healthy": "healthy",
      "tests_count": 1,
      "failed_tests_count": 0,
      "last_tests": {
        "tcp": {
          "tested_at": "2024-02-23T08:04:52.468004Z",
          "successful": true,
          "domain": "pool.ntp.org.",
          "received_rcode": "NOERROR",
          "received_error": "",
          "intercepted_rcode": "NOERROR",
          "intercepted_error": ""
        },
        "udp": {
          "tested_at": "2024-02-23T08:04:52.470587Z",
          "successful": true,
          "domain": "pool.ntp.org.",
          "received_rcode": "NOERROR",
          "received_error": "",
          "intercepted_rcode": "NOERROR",
          "intercepted_error": ""
        }
      }
    }
  }]
}
</code>

Also under ''C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\'' you will find a local file for each network you connect to; it stores the network name and DNS details.

The folder that contains all past and current installation MSI files of B1E, as well as the join token:

''C:\ProgramData\Infoblox\ActiveTrust Endpoint\download''

Logs are in ''C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs'':

  * control_app.SERIAL.log
  * msi_autoupgrade.log
  * proxy.4.log
  * proxy.6.log
  * service.log
  * upgrade.log

===== Supported Versions =====

[[https://docs.infoblox.com/space/BloxOneThreatDefense/35374317/Downloading+Endpoint|Windows/Mac]]:

  * Apple:
    * macOS Sonoma
    * macOS Ventura
    * macOS Monterey
    * macOS BigSur
  * Microsoft:
    * Windows 11
    * Windows 10
  * Linux:
    * Ubuntu 22.x
    * Ubuntu 20.x
    * Red Hat 8.x

NOTE: Windows 7 doesn't support the required ciphers.

[[https://docs.infoblox.com/space/BloxOneThreatDefense/35405037/Downloading+and+Enrolling+of+BloxOne+Mobile+Endpoint+on+Your+Device|iOS/Android]]:

  * iPhone (iOS 14.0 or later)
  * iPad (iOS 14.0 or later)
  * Android devices (10.0 and up)

[[https://docs.infoblox.com/space/BloxOneThreatDefense/35374788/Deployment+of+Infoblox+BloxOne+Chromebook+Client|Chrome OS]]:

  * Chromebook devices in your organization must be running Chrome OS version 88 or later.

===== Endpoint Auto-Removal =====

The following describes the expected behaviour for endpoints that have been in the inactive state for more than 30 days while "Automatically remove endpoints after a period of inactivity" is set to 0 on the group that contains them. If the admin then changes that setting to a value greater than or equal to 30 days but less than the time since the endpoint last connected, the endpoint is moved automatically to the recycle bin in the next cycle (within 24 hours). In other words, the past period of inactivity is also counted once "Automatically remove endpoints after a period of inactivity" is configured.

===== Follow Query Logs =====

This will print the latest 5 lines of the DNS log and then print queries live as they are made.
<code powershell>
Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -Wait -Tail 5
</code>

===== Palo Alto Networks =====

When using Palo Alto Networks GlobalProtect VPN or Prisma Access with a split-tunnel VPN (only internal traffic goes over the VPN), don't forget to set "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)" to "No" in the Portal config, so that the client device is not forced to use the GlobalProtect-specified DNS servers for default DNS resolution.

===== Updates =====

[[https://support.infoblox.com/s/article/Infoblox-Endpoint-Updates-and-Support-Policy|KB Article]] on the Endpoint update policy.

Download location of a macOS build and its MD5 checksum file:

  * https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip
  * https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip.57b95cae2c84bba911e67b169b59b883.md5

===== PowerShell Scripts =====

Scripts that extract data from the Endpoint config. Courtesy of CoPilot.

==== Show Local IP ====

Show the local DNS server IP issued by DHCP. This isn't visible via ''ipconfig'' when Infoblox Endpoint has overridden that setting.

<code powershell>
# Define the path to the input file
$filePath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4"

# Read the file line by line
Get-Content $filePath | ForEach-Object {
    # Check if the line contains "alternate SERVFAIL,REFUSED" followed by "." and an IPv4 address
    if ($_ -match "alternate SERVFAIL,REFUSED\s+\.\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})") {
        # Extract the IP address captured by the regular expression
        $ipAddress = $matches[1]
        # Print the IP address to the screen
        Write-Output "Found IP address: $ipAddress"
    }
}
</code>

==== Show Local Domains ====

Read the file and extract the local domains, ignoring the default ones added by Infoblox. You may want to ignore local domains as well. This then gives you the list of Application domains that are configured as "Allow - Local Resolution".
<code powershell>
# Define the path to the input file
$filePath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4"

# List of words to ignore (the Infoblox defaults plus the opening brace of the block)
$ignoreWords = @(
    "activetrust.net",
    "inca.infoblox.com",
    "infoblox.com",
    "inuk.infoblox.com",
    "local",
    "10.in-addr.arpa",
    "16.172.in-addr.arpa",
    "17.172.in-addr.arpa",
    "18.172.in-addr.arpa",
    "19.172.in-addr.arpa",
    "20.172.in-addr.arpa",
    "21.172.in-addr.arpa",
    "22.172.in-addr.arpa",
    "23.172.in-addr.arpa",
    "24.172.in-addr.arpa",
    "25.172.in-addr.arpa",
    "26.172.in-addr.arpa",
    "27.172.in-addr.arpa",
    "28.172.in-addr.arpa",
    "29.172.in-addr.arpa",
    "30.172.in-addr.arpa",
    "31.172.in-addr.arpa",
    "168.192.in-addr.arpa",
    "c.f.ip6.arpa",
    "d.f.ip6.arpa",
    "ipv4only.arpa",
    "254.169.in-addr.arpa",
    "8.e.f.ip6.arpa",
    "9.e.f.ip6.arpa",
    "a.e.f.ip6.arpa",
    "b.e.f.ip6.arpa",
    "{"
)

# Read the file line by line
$fileContent = Get-Content -Path $filePath

# Initialize a flag to indicate if the target line is found
$found = $false

# Iterate over each line in the file
foreach ($line in $fileContent) {
    if ($line -match "activetrust.net") {
        # If the line contains the target word, split it into words
        $words = $line -split "\s+"

        # Print each word on a new line, ignoring specified words
        foreach ($word in $words) {
            if ($ignoreWords -notcontains $word) {
                Write-Output $word
            }
        }

        # Set the flag to true and break the loop
        $found = $true
        break
    }
}

# If the target line was not found, print a message
if (-not $found) {
    Write-Output "No line containing 'activetrust.net' was found."
}
</code>

==== Show SSID History ====

Show all SSIDs connected to, with their DNS IP addresses.

<code powershell>
# Define the path to the folder containing the files
$folderPath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config"

# Define the regex pattern for the file names (GUID format)
$guidPattern = "^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# Define the regex pattern to match the template: {GUID}SSID|DHCP[,DHCPv6],ip[,ip...]
$pattern = "^\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}(.+?)\|(DHCP(?:,DHCPv6)?)((?:,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+)$"

# Get all files in the folder
$files = Get-ChildItem -Path $folderPath

# Iterate over each file
foreach ($file in $files) {
    # Check if the file name matches the GUID pattern
    if ($file.Name -match $guidPattern) {
        # Read the content of the file
        $fileContent = Get-Content -Path $file.FullName

        # Iterate over each line in the file
        foreach ($line in $fileContent) {
            # Check if the line matches the pattern
            if ($line -match $pattern) {
                $guid = $matches[1]
                $ssid = $matches[2]
                $dhcp = $matches[3]
                $ips  = $matches[4] -split ","

                # Print the extracted data
                Write-Output ""
                #Write-Output "GUID: $guid"
                Write-Output " SSID: $ssid"
                #Write-Output " Type: $dhcp"
                foreach ($ip in $ips) {
                    if ($ip -ne "") {
                        Write-Output "   $ip"
                    }
                }
            }
        }
    }
}
</code>
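As a further added example for the Config Files section (not from Infoblox, CoPilot, or this page's author), this script turns the ''Coredns_info.4'' health file into a report object and flags two failure modes a defender cares about: the ''ttl'' has passed, or the file has stopped being rewritten (the page says it is written every few seconds). It assumes the ''ttl'' field is a UTC timestamp in ''yyyy-MM-dd HH:mm:ss:fff'' form; the sample JSON embedded below is the file contents shown on this page, and ''Get-EndpointHealth'' reads the live file on a laptop.

```powershell
# Added example, not from Infoblox or this page's author: parse the
# Coredns_info.4 health file into a report object.
# Assumptions: "ttl" is a UTC timestamp in "yyyy-MM-dd HH:mm:ss:fff" form, and a
# file older than $MaxAgeSeconds means the Endpoint has stopped writing it.

function ConvertTo-EndpointHealthReport {
    param(
        [Parameter(Mandatory)][string]$Json,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $info = $Json | ConvertFrom-Json

    # "ttl" has a colon before the milliseconds, so a plain [datetime] cast fails;
    # parse it explicitly and treat it as UTC (assumption).
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $ttl = [datetime]::ParseExact($info.ttl, 'yyyy-MM-dd HH:mm:ss:fff', [cultureinfo]::InvariantCulture, $styles)

    $zones = foreach ($z in $info.health_status) {
        # last_tests is keyed by protocol (tcp/udp); collect the ones that failed.
        $failed = @($z.tests.last_tests.PSObject.Properties |
            Where-Object { -not $_.Value.successful } | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Zone         = $z.zone
            Healthy      = ($z.tests.healthy -eq 'healthy')
            Queries      = $z.queries.total_count
            Invalid      = $z.queries.invalid_count
            FailedTests  = $z.tests.failed_tests_count
            FailedProtos = ($failed -join ',')
        }
    }

    [pscustomobject]@{
        Version    = $info.version
        Healthy    = ($info.healthy -eq 'healthy')
        ReloadedAt = ([datetime]$info.reloaded_at).ToUniversalTime()
        TtlExpires = $ttl
        TtlExpired = ($Now -gt $ttl)
        Zones      = $zones
    }
}

function Get-EndpointHealth {
    # Read the live file and add a staleness check based on its last write time.
    param(
        [string]$Path = 'C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4',
        [int]$MaxAgeSeconds = 60
    )
    $file = Get-Item -Path $Path -ErrorAction Stop
    $age = [int]((Get-Date) - $file.LastWriteTime).TotalSeconds
    $report = ConvertTo-EndpointHealthReport -Json (Get-Content -Path $Path -Raw)
    $report | Add-Member -NotePropertyName FileAgeSeconds -NotePropertyValue $age
    $report | Add-Member -NotePropertyName Stale -NotePropertyValue ($age -gt $MaxAgeSeconds)
    $report
}

# Constructed sample: the Coredns_info.4 contents shown on this page.
$sample = @'
{
  "message": "OK", "version": "ipv4n3",
  "started_at": "0001-01-01T00:00:00Z",
  "reloaded_at": "2024-02-23T08:04:49.2445042Z",
  "healthy": "healthy",
  "ttl": "2024-02-23 08:15:09:000",
  "health_status": [{
    "zone": ".",
    "queries": { "total_count": 183, "invalid_count": 0,
                 "invalid_since": "2024-02-23T08:15:01.8066193Z",
                 "last_invalid_rcode": "", "last_invalid_error": "" },
    "tests": {
      "healthy": "healthy", "tests_count": 1, "failed_tests_count": 0,
      "last_tests": {
        "tcp": { "tested_at": "2024-02-23T08:04:52.468004Z", "successful": true,
                 "domain": "pool.ntp.org.", "received_rcode": "NOERROR", "received_error": "",
                 "intercepted_rcode": "NOERROR", "intercepted_error": "" },
        "udp": { "tested_at": "2024-02-23T08:04:52.470587Z", "successful": true,
                 "domain": "pool.ntp.org.", "received_rcode": "NOERROR", "received_error": "",
                 "intercepted_rcode": "NOERROR", "intercepted_error": "" }
      }
    }
  }]
}
'@

# Evaluate the sample as of 08:10 UTC on the same day: healthy, ttl not yet expired.
$report = ConvertTo-EndpointHealthReport -Json $sample -Now ([datetime]::new(2024, 2, 23, 8, 10, 0, [DateTimeKind]::Utc))
$report | Select-Object Version, Healthy, ReloadedAt, TtlExpires, TtlExpired | Format-List
$report.Zones | Format-Table -AutoSize

# On a laptop with the Endpoint installed:
# Get-EndpointHealth | Select-Object Healthy, Stale, FileAgeSeconds, TtlExpired
```

''Stale = True'' with a recent ''ReloadedAt'' usually means the proxy process has stopped rather than that DNS is failing, whereas ''FailedTests'' or ''FailedProtos'' non-empty with a fresh file points at the TCP/UDP probes to ''pool.ntp.org.'' being blocked on the current network.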