BloxOne Endpoints
Best Practice
Internal Host Detection
The endpoint can be configured to detect when it is on the corporate network and, in that case, not establish DoT to the cloud: the local DNS server will be a BloxOne VM that applies the security policy itself.
- Set under Manage > Endpoints > Endpoint Groups > Bypass mode.
- Set the FQDN and the TXT record value. Publish that TXT record on the internal DNS only; if it also resolves from the Internet, the check proves nothing.
The client then does a TXT query for the FQDN. If the answer matches the value configured for the TXT record (the endpoint carries a copy of it), the endpoint knows it is inside the network and does not do DoT back to the cloud.
BloxOne Config
If the endpoint is working you should be able to resolve amiawesome.ibrc to 127.0.0.127; the name is answered locally by the endpoint itself, so it only resolves while the endpoint is running.
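The two checks above (the bypass-mode TXT lookup and the amiawesome.ibrc marker) can be scripted against the resolver the endpoint installs. The following is an added example, not Infoblox code: it is a minimal stdlib-only DNS client, so the function names, the 127.0.0.1 resolver address, the FQDN bypass.corp.example and the value onsite-marker are all assumptions to replace with your own Bypass mode settings.

```python
from __future__ import annotations
import socket
import struct

A, TXT = 1, 16                        # DNS record types used below


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Single-question DNS query, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return it and the offset after it."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg: bytes) -> list[tuple[str, int, bytes]]:
    """(owner, type, rdata) for each answer record; [] on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                               # NXDOMAIN, SERVFAIL, ...
        return []
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return answers


def txt_value(rdata: bytes) -> str:
    """TXT rdata is a run of <len><chars> chunks; concatenate them as resolvers do."""
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n].decode("utf-8", "replace"))
        off += 1 + n
    return "".join(out)


def resolve(name: str, qtype: int, server: str = "127.0.0.1", timeout: float = 2.0):
    """Query the resolver the endpoint listens on (assumed 127.0.0.1; UDP only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(s.recv(4096))


def answers_loopback_marker(answers) -> bool:
    """True when some A answer is 127.0.0.127, the marker address from this page."""
    return any(t == A and socket.inet_ntoa(rd) == "127.0.0.127" for _, t, rd in answers)


def on_corporate_network(answers, expected: str) -> bool:
    """Bypass decision: a TXT answer must equal the configured value exactly."""
    return any(t == TXT and txt_value(rd) == expected for _, t, rd in answers)


if __name__ == "__main__":
    # Assumed FQDN and value; replace with what is set under Bypass mode.
    print("endpoint running:", answers_loopback_marker(resolve("amiawesome.ibrc", A)))
    print("on corporate network:",
          on_corporate_network(resolve("bypass.corp.example", TXT), "onsite-marker"))
```

Run it once on the wired office network and once on a hotspot: the first line should be True in both places (the endpoint is up), the second only in the office. A True second line from outside the network means the TXT record is reachable from the Internet and bypass mode is being granted where it should not be.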
Config file on Windows:
C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4
C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6
The files above are where Internal Domains are configured (names the endpoint resolves through the local DNS servers instead of forwarding to the cloud). BloxOne Endpoint automatically adds the following entries to the Internal Domain list:
- local
- 10.in-addr.arpa
- 16.172.in-addr.arpa
- 17.172.in-addr.arpa
- 18.172.in-addr.arpa
- 19.172.in-addr.arpa
- 20.172.in-addr.arpa
- 21.172.in-addr.arpa
- 22.172.in-addr.arpa
- 23.172.in-addr.arpa
- 24.172.in-addr.arpa
- 25.172.in-addr.arpa
- 26.172.in-addr.arpa
- 27.172.in-addr.arpa
- 28.172.in-addr.arpa
- 29.172.in-addr.arpa
- 30.172.in-addr.arpa
- 31.172.in-addr.arpa
- 168.192.in-addr.arpa
- c.f.ip6.arpa
- d.f.ip6.arpa
- ipv4only.arpa
- 254.169.in-addr.arpa
- 8.e.f.ip6.arpa
- 9.e.f.ip6.arpa
- a.e.f.ip6.arpa
- b.e.f.ip6.arpa
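The reverse-zone entries in that list are not arbitrary: they are the RFC 1918, link-local and unique-local ranges split at reverse-DNS label boundaries, which is why 172.16.0.0/12 appears as sixteen 172.x zones and fe80::/10 as four ip6.arpa zones. The following added example (not Infoblox code) derives the page's list from those ranges and, in the same way, the entries you would need to add by hand for a private range the endpoint does not cover automatically, such as CGNAT space 100.64.0.0/10. The range-to-RFC mapping is standard; that BloxOne picks exactly these ranges is inferred from the list above.

```python
import ipaddress


def reverse_zones(cidr: str) -> list[str]:
    """Smallest set of in-addr.arpa / ip6.arpa zones that exactly cover cidr."""
    net = ipaddress.ip_network(cidr)
    unit = 8 if net.version == 4 else 4          # bits per reverse-DNS label
    aligned = -(-net.prefixlen // unit) * unit   # round prefix up to a label boundary
    depth = aligned // unit                      # labels in each zone name
    zones = []
    for sub in net.subnets(new_prefix=aligned):  # one zone per aligned subnet
        if sub.version == 4:
            labels = [str(o) for o in sub.network_address.packed[:depth]]
            suffix = "in-addr.arpa"
        else:
            labels = list(sub.network_address.exploded.replace(":", "")[:depth])
            suffix = "ip6.arpa"
        zones.append(".".join(labels[::-1] + [suffix]))
    return zones


# Ranges behind the reverse zones this page shows being added automatically.
AUTO_RANGES = {
    "10.0.0.0/8": "RFC 1918",
    "172.16.0.0/12": "RFC 1918 (16 zones: 16.172 .. 31.172)",
    "192.168.0.0/16": "RFC 1918",
    "169.254.0.0/16": "IPv4 link-local",
    "fc00::/7": "IPv6 unique local (c.f and d.f)",
    "fe80::/10": "IPv6 link-local (8.e.f .. b.e.f)",
}


def auto_internal_domains() -> list[str]:
    """The 27 names on this page: two forward names plus the derived reverse zones."""
    names = ["local", "ipv4only.arpa"]   # mDNS (RFC 6762) and NAT64 discovery (RFC 7050)
    for cidr in AUTO_RANGES:
        names.extend(reverse_zones(cidr))
    return names


def missing_internal_domains(configured: set[str], extra_ranges) -> list[str]:
    """Reverse zones for your own private ranges that are not configured yet."""
    return [z for cidr in extra_ranges for z in reverse_zones(cidr) if z not in configured]


if __name__ == "__main__":
    print("\n".join(auto_internal_domains()))
    # Example: CGNAT space is not in the automatic list and needs 64 entries.
    print(len(missing_internal_domains(set(auto_internal_domains()), ["100.64.0.0/10"])))
```

Any private range that is missing from the Internal Domain list means PTR lookups for those addresses leave the endpoint over DoT and reach the cloud resolver, which cannot answer them and also learns your internal address usage; run the function over every RFC 1918, CGNAT or ULA range you actually use and add what it reports.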
The following file is written every few seconds.
C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4
Its contents look like this (one endpoint's sample):
{
"message":"OK",
"version":"ipv4n3",
"started_at":"0001-01-01T00:00:00Z",
"reloaded_at":"2024-02-23T08:04:49.2445042Z",
"healthy":"healthy",
"ttl":"2024-02-23 08:15:09:000",
"health_status":
[{
"zone":".",
"queries":
{
"total_count":183,
"invalid_count":0,
"invalid_since":"2024-02-23T08:15:01.8066193Z",
"last_invalid_rcode":"",
"last_invalid_error":""
},
"tests":
{
"healthy":"healthy",
"tests_count":1,
"failed_tests_count":0,
"last_tests":
{
"tcp":
{
"tested_at":"2024-02-23T08:04:52.468004Z",
"successful":true,
"domain":"pool.ntp.org.",
"received_rcode":"NOERROR",
"received_error":"",
"intercepted_rcode":"NOERROR",
"intercepted_error":""
},
"udp":
{
"tested_at":"2024-02-23T08:04:52.470587Z",
"successful":true,
"domain":"pool.ntp.org.",
"received_rcode":"NOERROR",
"received_error":"",
"intercepted_rcode":"NOERROR",
"intercepted_error":""
}
}
}
}]
}
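Because Coredns_info.4 is rewritten every few seconds, it doubles as a health signal that a monitoring job or a login script can evaluate. The following is an added example, not Infoblox code; the sample is the JSON above, embedded verbatim. Its rules are this example's own assumptions: a "ttl" that is already in the past means the service stopped writing the file, a probe older than max_probe_age_s is stale, and "received" versus "intercepted" rcodes are read as the upstream answer versus the one seen through the local proxy, so a mismatch points at a middlebox or captive portal.

```python
from __future__ import annotations
import json
from datetime import datetime, timezone

# Constructed sample: the Coredns_info.4 shown on this page. Note that
# "started_at" 0001-01-01T00:00:00Z is the zero value of a Go time.Time,
# i.e. the field was never populated, so it is not used as a signal here.
SAMPLE = """{
"message":"OK",
"version":"ipv4n3",
"started_at":"0001-01-01T00:00:00Z",
"reloaded_at":"2024-02-23T08:04:49.2445042Z",
"healthy":"healthy",
"ttl":"2024-02-23 08:15:09:000",
"health_status":
[{
"zone":".",
"queries":
{"total_count":183,"invalid_count":0,
"invalid_since":"2024-02-23T08:15:01.8066193Z",
"last_invalid_rcode":"","last_invalid_error":""},
"tests":
{"healthy":"healthy","tests_count":1,"failed_tests_count":0,
"last_tests":
{"tcp":{"tested_at":"2024-02-23T08:04:52.468004Z","successful":true,"domain":"pool.ntp.org.",
"received_rcode":"NOERROR","received_error":"","intercepted_rcode":"NOERROR","intercepted_error":""},
"udp":{"tested_at":"2024-02-23T08:04:52.470587Z","successful":true,"domain":"pool.ntp.org.",
"received_rcode":"NOERROR","received_error":"","intercepted_rcode":"NOERROR","intercepted_error":""}}}
}]
}"""


def parse_ttl(ttl: str) -> datetime:
    """'ttl' is 'YYYY-MM-DD HH:MM:SS:mmm' (a colon before the millis), which
    fromisoformat rejects; strptime's %f accepts the three-digit fraction."""
    return datetime.strptime(ttl, "%Y-%m-%d %H:%M:%S:%f").replace(tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    """RFC 3339 'Z' timestamps with up to seven fractional digits, as in the file."""
    ts = ts[:-1] if ts.endswith("Z") else ts
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6]}"        # fromisoformat takes at most six digits
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def assess(doc: dict, now: datetime, max_probe_age_s: int = 900) -> list[str]:
    """Return the problems found; an empty list means the local proxy looks healthy."""
    problems = []
    if doc.get("healthy") != "healthy":
        problems.append(f"proxy reports healthy={doc.get('healthy')!r}")
    if parse_ttl(doc["ttl"]) < now:
        problems.append("status file is stale (ttl passed): is the service still running?")
    for zone in doc.get("health_status", []):
        z, q, t = zone["zone"], zone["queries"], zone["tests"]
        if q["invalid_count"]:
            problems.append(f"zone {z}: {q['invalid_count']} invalid responses since "
                            f"{q['invalid_since']} (last rcode {q['last_invalid_rcode'] or 'n/a'})")
        if t["healthy"] != "healthy" or t["failed_tests_count"]:
            problems.append(f"zone {z}: {t['failed_tests_count']}/{t['tests_count']} probes failed")
        for proto, res in t["last_tests"].items():
            age = (now - parse_utc(res["tested_at"])).total_seconds()
            if age > max_probe_age_s:
                problems.append(f"zone {z}: last {proto} probe is {age:.0f}s old")
            if not res["successful"] or res["received_rcode"] != res["intercepted_rcode"]:
                problems.append(f"zone {z}: {proto} probe for {res['domain']} got "
                                f"{res['received_rcode'] or res['received_error']} upstream but "
                                f"{res['intercepted_rcode'] or res['intercepted_error']} locally")
    return problems


def assess_json(text: str, now_iso: str) -> list[str]:
    """Evaluate a file's text at a given instant (ISO 8601, 'Z' suffix allowed)."""
    return assess(json.loads(text), parse_utc(now_iso))


def assess_file(path: str) -> list[str]:
    """Evaluate the live file, e.g. the Coredns_info.4 path given above."""
    with open(path, encoding="utf-8") as fh:
        return assess(json.load(fh), datetime.now(timezone.utc))


if __name__ == "__main__":
    print(assess_json(SAMPLE, "2024-02-23T08:10:00Z") or "healthy")
```

Alert on a stale ttl first: a proxy that has stopped writing the file has usually stopped answering on 127.0.0.1 as well, and Windows will then fall back to whatever DNS servers the adapter advertises, silently bypassing the policy.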
Also under C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\ you will find a file for each network the machine has connected to, storing the network name and its DNS details.
The following folder contains all past and current B1E installation MSI files as well as the join token; treat it as sensitive, since the join token is what enrols an endpoint.
C:\ProgramData\Infoblox\ActiveTrust Endpoint\download
Logs are in:
C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs
- control_app.SERIAL.log
- msi_autoupgrade.log
- proxy.4.log
- proxy.6.log
- service.log
- upgrade.log
Supported Versions
- Apple:
- macOS Sonoma
- macOS Ventura
- macOS Monterey
- macOS BigSur
- Microsoft:
- Windows 11
- Windows 10
- Linux:
- Ubuntu 22.x
- Ubuntu 20.x
- Red Hat 8.x
NOTE: Windows 7 is not supported (it lacks the required TLS ciphers).
- iPhone (iOS 14.0 or later)
- iPad (iOS 14.0 or later)
- Android devices (10.0 and up)
- Chromebook devices in your organization must be running Chrome OS version 88 or later.
Endpoint Auto-Removal
The following describes the expected behavior for endpoints that have been inactive for more than 30 days while “Automatically remove endpoints after a period of inactivity” is set to 0 (disabled) on the group that contains them.
If the admin then changes “Automatically remove endpoints after a period of inactivity” to a value of at least 30 days that is still shorter than the time since the endpoint last connected, the endpoint is moved to the recycle bin automatically in the next cycle (within 24 hours). In other words, inactivity accrued before the setting was configured also counts.
Palo Alto Networks
When using Palo Alto Networks GlobalProtect with a split-tunnel VPN (only internal traffic goes over the tunnel), don't forget to set “Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)” to “No” in the portal agent config, so that the tunnel's DNS servers do not become the endpoint's default resolvers and bypass the BloxOne endpoint.
Updates
https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip
https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip.57b95cae2c84bba911e67b169b59b883.md5
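The second URL is an .md5 sidecar whose file name embeds the digest (<package>.<md5>.md5). The following added example (not Infoblox code) checks a downloaded package against it. That the sidecar body also holds the digest, either bare or md5sum-style ("<hex>  <file>"), is an assumption; the example therefore cross-checks the body against the digest in the file name and refuses to proceed if they disagree.

```python
import hashlib
import re
from pathlib import Path

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_hex_file(path: Path) -> str:
    """Streaming digest, so a large zip is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_digest(sidecar_name: str, sidecar_body: str) -> str:
    """Digest the sidecar claims: first token of the body, which must agree with
    the digest embedded in the name (assumed layout <package>.<hex>.md5)."""
    tokens = sidecar_body.split()
    from_body = tokens[0].lower() if tokens else ""
    if not HEX32.match(from_body):
        raise ValueError(f"{sidecar_name}: no MD5 digest in sidecar body")
    parts = sidecar_name.split(".")
    from_name = parts[-2].lower() if len(parts) >= 2 else ""
    if HEX32.match(from_name) and from_name != from_body:
        raise ValueError(f"{sidecar_name}: body digest {from_body} differs from name digest {from_name}")
    return from_body


def verify_bytes(data: bytes, sidecar_name: str, sidecar_body: str) -> bool:
    return md5_hex(data) == expected_digest(sidecar_name, sidecar_body)


def verify_package(package: Path, sidecar: Path) -> bool:
    """True when the sidecar belongs to this package and the digests match."""
    if not sidecar.name.startswith(package.name + "."):
        raise ValueError(f"{sidecar.name} is not the sidecar for {package.name}")
    body = sidecar.read_text(encoding="ascii", errors="replace")
    return md5_hex_file(package) == expected_digest(sidecar.name, body)


if __name__ == "__main__":
    # Assumed local paths for the two files downloaded from the URLs above.
    pkg = Path("ActiveTrustEndpoint-1.8.5.zip")
    side = next(Path(".").glob("ActiveTrustEndpoint-1.8.5.zip.*.md5"))
    print("md5 ok:", verify_package(pkg, side))
```

Keep in mind what this proves: a matching MD5 rules out a truncated or corrupted download, not a tampered one, because the sidecar comes from the same bucket over the same channel and MD5 is not collision resistant. Authenticity comes from TLS to the bucket plus the installer's own code signature, so also run Get-AuthenticodeSignature on the MSI on Windows and codesign --verify / notarization checks on the macOS package before deploying.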
