Infoblox Ecosystem
The Infoblox Ecosystem licence is a single, Grid-wide licence that gets applied to the Grid Master. It enables the Infoblox appliances to initiate API calls to third-party vendor appliances (e.g. Palo Alto Networks firewalls).
Initial Setup with Palo Alto Networks
Set the extensible attributes
Grid Manager > Administration > Network Views > default > edit
Add the following default values for the Extensible Attributes:
- PaloAlto_Asset_Sync true
- PaloAlto_Asset_Tag allow
- PaloAlto_Security_Sync true
- PaloAlto_Security_Tag deny
- PaloAlto_Timeout 30
PaloAlto_Asset_SyncedAt and PaloAlto_Security_SyncedAt have no default value.
PaloAlto_Asset_Sync and PaloAlto_Security_Sync should have the following list of options:
- true
- false
To create the Extensible Attributes: Grid Manager > Administration > Extensible Attributes
(no default values at this level; the defaults above are set on the network view)
| Name | Type | Required | Inheritance | Comment |
|---|---|---|---|---|
| PaloAlto_Asset_Sync | List | No | Yes | Whether or not syncing asset events with PAN is desired. |
| PaloAlto_Asset_SyncedAt | String | No | No | Timestamp for when the asset is synced with PAN. |
| PaloAlto_Asset_Tag | String | No | Yes | Tag that attaches to an IP to populate it in a Dynamic Address Group (allow). |
| PaloAlto_Security_Sync | List | No | Yes | Whether or not syncing security events with PAN is desired. |
| PaloAlto_Security_SyncedAt | String | No | No | Timestamp for when the security event is synced with PAN. |
| PaloAlto_Security_Tag | String | No | Yes | Tag that attaches to an IP to populate it in a Dynamic Address Group (deny). |
| PaloAlto_Timeout | Integer | No | Yes | Starting with PAN-OS 9.0 a tag can contain an optional timeout attribute. The default is 0 (never expires) or a timeout value in seconds for the tag. The maximum timeout is 2592000 (30 days). |
Palo Alto Networks
Remember, you need to create the address groups and tags on the firewall before configuring Infoblox. It is also best practice to create a dummy address in each address group, because an address group must contain at least one object to be valid. The main difference between this code and the Infoblox template code is that this code does not put objects into "shared": it assumes no multi-vsys and places objects under /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/ instead of /config/shared/.
There are two types of templates: session management and event. Session management templates may use event types for some actions (e.g. device login and logout). Session management templates are assigned to "Outbound Endpoint" configs; this is also where you define the variables that can be used in event types. Event types are assigned to "Notification" configs.
The reason all the Infoblox guides say that you have to enable Multi VSYS is that they inject into "shared", which only exists on a Multi VSYS system.
vendor_identifier (e.g. "vendor_identifier":"Palo Alto",) has to match a predefined list from Infoblox.
JSON PATH is at the bottom of the event file.
Variables in templates (e.g. ${S::infoblox-created-objects}) are defined in PAN_Session.txt.
When you edit PAN_Session.txt, you need to reimport it into Infoblox Grid and then check it under Grid > Ecosystem > Outbound Endpoint > (firewall endpoint) > Session Management.
Then re-import the template that you are editing with the new variable name.
To update the firewall with new host records (IP) when new hosts are added, create the following notification:
PAN_Host_IPv4
- Event = Object Change Host Address IPv4
- Match the following rule: IPv4 Address matches CIDR 192.168.99.0/27 (this does not have to match a specific subnet; 192.168.0.0/16 would match all subnets within 192.168.0.0/16)
- Template = Palo Alto Static Assets
By default, this will create an Address object named after the IP (e.g. IP = 192.168.1.1, Name = 192.168.1.1), with no tags. It will be added to the Address Group Iblox_Host_Allow.
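The two firewall API calls the templates above drive, as an added example (not Infoblox's template code or Palo Alto's): a config-API "set" that creates the Address object named after the IP under the vsys1 xpath rather than /config/shared, and the User-ID registration that tags an IP for a Dynamic Address Group, carrying the PaloAlto_Timeout value as the PAN-OS 9.0+ per-tag timeout. The firewall hostname, the API key and the mapping of DHCP lease states onto register/unregister are assumptions made for this example.

```python
"""Build the two PAN-OS API requests an Infoblox outbound template issues for
one host/lease event.  Added example, not Infoblox's or Palo Alto's own
template code; host name and API key below are constructed placeholders."""
import ipaddress
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Per-vsys path used on this page instead of /config/shared (no multi-vsys).
VSYS1 = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
MAX_TIMEOUT = 2592000  # 30 days, the PAN-OS 9.0+ maximum for a tag timeout

def static_address_request(ip, tag=None):
    """Config-API 'set' that creates an Address object named after the IP under
    vsys1 (what the Palo Alto Static Assets template does), optionally tagged."""
    addr = ipaddress.ip_address(ip)  # rejects anything that is not an address
    element = f"<ip-netmask>{addr}</ip-netmask>"
    if tag:
        element += f"<tag><member>{escape(tag)}</member></tag>"
    return {"type": "config", "action": "set",
            "xpath": f"{VSYS1}/address/entry[@name='{addr}']", "element": element}

def registered_ip_message(ip, tag, timeout=0, unregister=False):
    """User-ID API payload that registers (or unregisters) a DAG tag on an IP.
    A non-zero timeout is emitted as the PAN-OS 9.0+ per-member attribute;
    0 means the tag never expires.  Values above MAX_TIMEOUT are clamped."""
    addr = ipaddress.ip_address(ip)
    timeout = max(0, min(int(timeout), MAX_TIMEOUT))
    op = "unregister" if unregister else "register"
    member = f'<member timeout="{timeout}">' if timeout and not unregister else "<member>"
    return ("<uid-message><version>1.0</version><type>update</type><payload>"
            f'<{op}><entry ip="{addr}"><tag>{member}{escape(tag)}</member></tag>'
            f"</entry></{op}></payload></uid-message>")

def lease_event_message(lease_state, ip, tag="allow", timeout=30):
    """Map a DHCP lease event (PAN_Lease trigger) onto register/unregister.
    Assumption for this example: only an Active lease keeps the tag; Expired,
    Free and Released all remove it."""
    return registered_ip_message(ip, tag, timeout, unregister=(lease_state != "Active"))

def request_url(host, params, api_key="API_KEY_PLACEHOLDER"):
    """Assemble the GET URL the firewall's XML API expects (key appended last)."""
    return f"https://{host}/api/?" + urlencode({**params, "key": api_key})

if __name__ == "__main__":
    print(request_url("fw.example.test", static_address_request("192.168.99.10")))
    print(lease_event_message("Active", "10.0.0.5"))
```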
FROM DEMO
This is from the Cloud based partner Demo system that Infoblox offers.
The following are the rules for the triggers.
PAN_Lease:
- Template = Palo Alto Dynamic Assets
- Event = DHCP Leases
- Match = ANY
- Rules:
  - Network View equals default
  - Lease State equals Active
  - Lease State equals Expired
  - Lease State equals Free
  - Lease State equals Released
  - IP Address matches CIDR 172.0.0.0/24
PAN_RPZ:
- Template = Palo Alto Dynamic Security
- Event = DNS RPZ
- Match = ANY
- Rules:
  - Action Policy equals Local Data
  - Action Policy equals NXDOMAIN
  - Action Policy equals No Data
  - Action Policy equals Passthru
  - Rule Name contains .
  - Source IP matches CIDR 127.0.1.0/24
PAN_Tunnel:
- Template = Palo Alto Dynamic Security
- Event = DNS Tunneling
- Match = ANY
- Rules:
  - Source IP matches CIDR 172.0.0.0/8
  - Source IP matches CIDR 10.0.0.0/24
  - Source IP matches CIDR fc01::/64
PAN_ADP:
- Template = Palo Alto Dynamic Security
- Event = Security ADP
- Match = ANY
- Rules:
  - Hits Count is greater than 5
  - Rule Action equals Alert
  - Rule Action equals Drop
  - Rule Action equals Pass
  - Rule Severity equals Critical
  - Rule Severity equals Major
  - Rule Severity equals Warning
  - Rule Severity equals Informational
PAN_Fixed_IPv6:
- Template = Palo Alto Dynamic Assets
- Event = Object Change Fixed Address IPv6
- Match the following rule: Network View contains default
PAN_Host_IPv6:
- Template = Palo Alto Dynamic Assets
- Event = Object Change Host Address IPv6
- Match the following rule: Network View contains default
PAN_Fixed_IPv4_Static:
- Template = Palo Alto Static Assets
- Event = Object Change Fixed Address IPv4
- Match the following rule: IPv4 Address matches CIDR 172.0.0.0/24
PAN_Fixed_IPv4_Dynamic:
- Template = Palo Alto Dynamic Assets
- Event = Object Change Fixed Address IPv4
- Match the following rule: IPv4 Address matches CIDR 10.0.0.0/24
PAN_Host_IPv4_Static:
- Template = Palo Alto Static Assets
- Event = Object Change Host Address IPv4
- Match the following rule: IPv4 Address matches CIDR 172.0.0.0/24
PAN_Host_IPv4_Dynamic:
- Template = Palo Alto Dynamic Assets
- Event = Object Change Host Address IPv4
- Match the following rule: IPv4 Address matches CIDR 10.0.0.0/24
PAN_Records:
- Template = Palo Alto Static Records
- Event = Object Change DNS Records
- Match = ANY
- Rules:
  - Network View contains default
  - Zone Name contains .
