====== Infoblox Threat Defense Troubleshooting ======
===== DIG =====
The thing to know about BloxOne Threat Defense is that you can use dig to get data on how a name is being resolved, by querying the ''.debug.infoblox.com'' zone with a CH TXT lookup:
dig @52.119.41.100 .debug.infoblox.com ch txt
DOMAIN=google.com
dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT
dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP
DOMAIN=google.com
alias ibcat='dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT'
alias ibapp='dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP'
ibcat() {
dig @52.119.41.100 $1.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT
}
ibapp() {
dig @52.119.41.100 $1.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP
}
nslookup -type=txt -class=chaos outlook.office365.com.debug.infoblox.com 52.119.41.100
Also know that ''*.infoblox.com'' and ''ntp.ubuntu.com'' are on the PASSTHRU list in the cloud, which means the Web Category is expected to come back as ''Unknown'': not because it is actually unknown, but because the web categorisation engine doesn't process passthrough domains.
==== Debug NIOS with DFP enabled ====
set expertmode on
dig @127.0.0.1 -p 1024 google.com
dig @127.0.0.1 -p 1024 google.com.debug.infoblox.com ch txt
==== infoblox.com ====
dig @127.0.0.1 A my-ip.debug.infoblox.com
The TXT includes the region
dig @127.0.0.1 TXT my-ip.debug.infoblox.com
To see what region you are using
dig @52.119.41.100 TXT my-ip.debug.infoblox.com | grep TXT | grep 0 | awk -F "\"" '{print $2}' | awk -F "/" '{print $2}'
dig @52.119.41.100 google.com.debug.infoblox.com ch txt
;; ANSWER SECTION:
csp.infoblox.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-5dc6c84d54-nmzjs" "Passthrough: yes"
dig @52.119.41.100 ntp.ubuntu.com.debug.infoblox.com ch txt
;; ANSWER SECTION:
ntp.ubuntu.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-c75744d56-n8xbb" "Passthrough: yes"
The equivalent interactive nslookup session is:
nslookup
server 52.119.40.100
set class=chaos
set type=txt
login.microsoftonline.com.debug.infoblox.com
==== Office365.com ====
dig @52.119.41.100 outlook.office365.com.debug.infoblox.com ch txt
which returns output along the lines of:
Ident: eu-west-2/coredns-c123123aa-aaaaa
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"CAT_Web-based Email\",\"APP_Microsoft Outlook\"
]
}
Domain resolution: resolved
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"APP_Uncategorized\"
]
}
and, to trace the network path to the resolver:
tracert -d 52.119.41.100
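The ''ibcat''/''ibapp'' one-liners above are easy to mistype, so here is an added example script (mine, not Infoblox's) that does the same parsing of the debug TXT answer in Python: it splits the quoted TXT strings, reads the Ident and Passthrough fields and the CAT_/APP_ tags from the PDP response, and flags passthrough domains where ''Unknown'' is the expected category. The sample answer is constructed to match the shape shown above; that the PDP response sits inside the same TXT record as the Ident string is an assumption taken from that output.

```python
import re, subprocess, sys

RESOLVER = "52.119.41.100"  # the cloud resolver used throughout this page
# Constructed sample modelled on the outlook.office365.com output above (not real data):
SAMPLE = (
    "outlook.office365.com.debug.infoblox.com. 0 CH TXT "
    '"Ident: eu-west-2/coredns-c123123aa-aaaaa" "Passthrough: no" '
    '"PDP response { Effect: Permit, Obligations: [ policy_action: allow, ttype: 1, '
    'tag: APP_Microsoft Outlook, all_tags: \\"CAT_Web-based Email\\",\\"APP_Microsoft Outlook\\" ] }"\n'
)
PASSTHRU = 'ntp.ubuntu.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-c75744d56-n8xbb" "Passthrough: yes"\n'
_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted TXT string, honouring \" escapes
_TAG = re.compile(r'"((?:CAT|APP)_[^"]*)"')        # all_tags entries, once the string is unescaped

def txt_strings(dig_output: str) -> list[str]:  # unescaped TXT strings of every CH TXT answer line
    out = []
    for line in dig_output.splitlines():
        if re.search(r"\sCH\s+TXT\s", line):
            for raw in _TXT_STRING.findall(line):
                out.append(raw.replace('\\"', '"').replace("\\\\", "\\"))
    return out

def parse_debug_txt(dig_output: str) -> dict:
    """Region/pod, passthrough flag, PDP verdict and the CAT_/APP_ tags that ibcat/ibapp grep for."""
    info = {"region": None, "pod": None, "passthrough": False,
            "effect": None, "policy_action": None, "cat": [], "app": []}
    for s in txt_strings(dig_output):
        if s.startswith("Ident:"):
            info["region"], _, info["pod"] = s.split(":", 1)[1].strip().partition("/")
        elif s.startswith("Passthrough:"):
            info["passthrough"] = s.split(":", 1)[1].strip().lower() == "yes"
        elif s.startswith("PDP response"):
            for key in ("Effect", "policy_action"):
                m = re.search(rf"{key}:\s*(\w+)", s)
                info[key.lower()] = m.group(1) if m else None
            for tag in _TAG.findall(s):
                info["cat" if tag.startswith("CAT_") else "app"].append(tag)
    return info

def category_summary(info: dict) -> str:
    """One-line verdict; a passthrough domain is never categorised, so Unknown is expected there."""
    if info["passthrough"]:
        return "PASSTHRU: not categorised by the web engine (Unknown is expected)"
    cats = ",".join(info["cat"]) or "Unknown"
    return f"{info['effect']}/{info['policy_action']} cat={cats} app={','.join(info['app']) or '-'}"

if __name__ == "__main__":  # usage: python3 ibdebug.py outlook.office365.com
    out = subprocess.run(["dig", f"@{RESOLVER}", f"{sys.argv[1]}.debug.infoblox.com", "ch", "txt"],
                         capture_output=True, text=True, check=True).stdout
    print(category_summary(parse_debug_txt(out)))
```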
===== Count Number of Members =====
In a tech support bundle, run the following against iptables.txt (note the two spaces between ''LOGACCEPT'' and ''all'') to find the Grid Members that are not the GM.
grep "LOGACCEPT  all" iptables.txt
===== HA =====
For HA pairs, disable STP, Trunking, EtherChannel, IGMP Snooping, DHCP Snooping and Port Channeling.
===== Looking for Threats =====
To show detected DNS threats in the NIOS Logs (Administration > Logs > Syslog > View Member), apply the following filters
* Server equals DNS
* Message contains CEF
To show DNS queries that worked from a specific client
* IN AAAA response: NOERROR
* IN A response: NOERROR
* client 192.168.99.216
To show DNS queries from a specific client that failed with NXDOMAIN
* IN AAAA response: NXDOMAIN
* IN A response: NXDOMAIN
* client 192.168.99.216
To Show Dynamic DNS
* Added reverse map
* Added new forward map
To Show Renew Requests
* RENEW
===== DHCP With Dynamic DNS =====
DHCPDISCOVER from 10:0b:a9:11:11:11 via TransID 13c8cab7
DHCPOFFER on to 10:0b:a9:11:11:11 (HOSTNAME) via eth1 relay lease-duration 119 offered-duration 3600
r-l-e:192.168.1.123,Issued,HOSTNAME,10:0b:a9:11:11:11,1644784034,1644787634,505,$default,192.168.99.192,27,192.168.99.194-192.168.99.222
DHCPREQUEST for from 10:0b:a9:11:11:11 (HOSTNAME) via TransID 13c8cab7
DHCPACK on to 10:0b:a9:bc:11:11 (HOSTNAME) via eth1 relay lease-duration 3600
Added reverse map from 11.1.168.192.in-addr.arpa. to hostname.example.com
Added new forward map from hostname.example.com to 192.168.1.11
===== What DHCP Peer Sees =====
DHCPDISCOVER from 10:0b:a9:11:11:11 via TransID 13c8c111: load balance to peer NAME-OF-FAILOVER-ASSOCIATION (1601720004ps)
DHCPREQUEST for (IP of DHCP Peer Server) from 10:0b:a9:11:11:11 via TransID 13c8cab7 uid 01:00:04:30:11:11:11: lease owned by peer
===== DHCP Renew =====
DHCPREQUEST for 192.168.1.11 from c6:38:38:11:11:11 (HOSTNAME) via eth1 TransID b1e9a111 uid 01:c6:38:38:11:11:11 (RENEW)
DHCPACK on 192.168.1.11 to c6:38:38:11:11:11 (HOSTNAME) via eth1 relay eth1 lease-duration 3600 (RENEW) uid 01:c6:38:38:11:11:11
===== Dynamic DNS Update Failure (REFUSED) =====
Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: REFUSED
Unable to add forward map from hostname.domain.com to 192.168.1.11: REFUSED
===== Dynamic DNS Update Failure (NXRRSET, record not owned by this server) =====
Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: NXRRSET
Forward map from hostname.domain.com to 192.168.1.11 FAILED: Has an address record but no DHCID, not mine.
===== DHCP Release =====
DHCPRELEASE of 192.168.11.11 from 10:0b:a9:11:11:11 (HOSTNAME) via eth1 (found) TransID 21881111