BloxOne Endpoints

Best Practice

Internal Host Detection

The endpoint can be configured to detect when it is on the corporate network and, in that case, not establish DoT to the cloud, because the local DNS server will be a BloxOne VM that applies the security policy.

  • Set under Manage > Endpoints > Endpoint Groups > Bypass mode.
  • Set the FQDN and a TXT record.

The client will then do a TXT query for the FQDN. If the result matches the value you put in the TXT record (the endpoint has a copy of that value), the endpoint knows it is inside the network and will not do DoT back to the cloud.
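As an added check (not from this page and not Infoblox's own code), the following PowerShell snippet performs the same TXT lookup the endpoint does, so you can confirm from a laptop on the corporate network that the bypass FQDN and TXT value line up before relying on the endpoint's detection. $Fqdn, $ExpectedValue and the optional $Server are placeholders, and an exact case-sensitive comparison is assumed.

```powershell
# Added example (not from the page or Infoblox): reproduce the endpoint's
# internal-host detection TXT lookup so the bypass configuration can be verified.
# $Fqdn and $ExpectedValue are placeholders for the values set under
# Manage > Endpoints > Endpoint Groups > Bypass mode.
$Fqdn          = "internal-check.example.corp"
$ExpectedValue = "REPLACE-WITH-YOUR-TXT-VALUE"

function Test-InternalHost {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $ExpectedValue,
        [string] $Server          # optional: query a specific resolver instead of the system one
    )
    $query = @{ Name = $Fqdn; Type = 'TXT'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }

    try {
        $answers = Resolve-DnsName @query
    } catch {
        # NXDOMAIN, SERVFAIL or timeout: no record means "not on the corporate network"
        return [pscustomobject]@{ Fqdn = $Fqdn; Internal = $false; Observed = @(); Reason = $_.Exception.Message }
    }

    # TXT RDATA can be split into several character-strings; join them before comparing.
    $observed = @($answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings })

    # Assumed exact, case-sensitive match. A near-miss in the portal value would leave
    # the endpoint sending DoT to the cloud even while it is on the corporate network.
    $internal = $observed -ccontains $ExpectedValue
    if ($internal)             { $reason = 'TXT value matches' }
    elseif ($observed.Count)   { $reason = 'TXT record present but value differs' }
    else                       { $reason = 'no TXT record returned' }

    [pscustomobject]@{ Fqdn = $Fqdn; Internal = $internal; Observed = $observed; Reason = $reason }
}

Test-InternalHost -Fqdn $Fqdn -ExpectedValue $ExpectedValue | Format-List
```

Run it once on the corporate network (expect Internal = True) and once on an outside network (expect False); pass -Server with the BloxOne VM's address to test that resolver directly.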

BloxOne Config

If the endpoint is working you should be able to resolve amiawesome.ibrc to 127.0.0.1 (the query goes to 127.0.0.127); this is a local domain that exists on the laptop only while the endpoint is running.

Config file on Windows:

C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4
C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.6

The files above are where Internal Domains are configured. This is also where BloxOne Endpoint automatically adds the following default entries to the “Internal Domain” list:

  • local
  • 10.in-addr.arpa
  • 16.172.in-addr.arpa
  • 17.172.in-addr.arpa
  • 18.172.in-addr.arpa
  • 19.172.in-addr.arpa
  • 20.172.in-addr.arpa
  • 21.172.in-addr.arpa
  • 22.172.in-addr.arpa
  • 23.172.in-addr.arpa
  • 24.172.in-addr.arpa
  • 25.172.in-addr.arpa
  • 26.172.in-addr.arpa
  • 27.172.in-addr.arpa
  • 28.172.in-addr.arpa
  • 29.172.in-addr.arpa
  • 30.172.in-addr.arpa
  • 31.172.in-addr.arpa
  • 168.192.in-addr.arpa
  • c.f.ip6.arpa
  • d.f.ip6.arpa
  • ipv4only.arpa
  • 254.169.in-addr.arpa
  • 8.e.f.ip6.arpa
  • 9.e.f.ip6.arpa
  • a.e.f.ip6.arpa
  • b.e.f.ip6.arpa

The following file is written every few seconds.

C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4

Contents are

{
    "message": "OK",
    "version": "ipv4n3",
    "started_at": "0001-01-01T00:00:00Z",
    "reloaded_at": "2024-02-23T08:04:49.2445042Z",
    "healthy": "healthy",
    "ttl": "2024-02-23 08:15:09:000",
    "health_status": [
        {
            "zone": ".",
            "queries": {
                "total_count": 183,
                "invalid_count": 0,
                "invalid_since": "2024-02-23T08:15:01.8066193Z",
                "last_invalid_rcode": "",
                "last_invalid_error": ""
            },
            "tests": {
                "healthy": "healthy",
                "tests_count": 1,
                "failed_tests_count": 0,
                "last_tests": {
                    "tcp": {
                        "tested_at": "2024-02-23T08:04:52.468004Z",
                        "successful": true,
                        "domain": "pool.ntp.org.",
                        "received_rcode": "NOERROR",
                        "received_error": "",
                        "intercepted_rcode": "NOERROR",
                        "intercepted_error": ""
                    },
                    "udp": {
                        "tested_at": "2024-02-23T08:04:52.470587Z",
                        "successful": true,
                        "domain": "pool.ntp.org.",
                        "received_rcode": "NOERROR",
                        "received_error": "",
                        "intercepted_rcode": "NOERROR",
                        "intercepted_error": ""
                    }
                }
            }
        }
    ]
}
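Added example, not Infoblox's own tooling: a PowerShell health check that parses Coredns_info.4 and combines its status fields with the file's modification time, since the endpoint rewrites the file every few seconds and a stale file means the proxy has stopped even if the last contents said "healthy". The 60-second staleness threshold is an assumption.

```powershell
# Added example (not from the page or Infoblox): flag an unhealthy or stalled endpoint
# from Coredns_info.4. $MaxAgeSeconds is an assumed threshold; the page only says the
# file is rewritten "every few seconds".
$InfoPath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Coredns_info.4"

function Get-EndpointHealth {
    param([string] $Path = $InfoPath, [int] $MaxAgeSeconds = 60)
    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $info     = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Staleness: an old file means the proxy stopped writing, whatever it last reported.
    $age = (Get-Date) - $file.LastWriteTime
    if ($age.TotalSeconds -gt $MaxAgeSeconds) {
        $problems.Add("file is $([int]$age.TotalSeconds)s old (limit $MaxAgeSeconds)")
    }
    # 2. Top-level health flag written by the endpoint itself.
    if ($info.healthy -ne 'healthy') { $problems.Add("overall status '$($info.healthy)'") }

    # 3. Per-zone counters: invalid upstream answers and the last TCP/UDP probe results.
    foreach ($zone in $info.health_status) {
        $q = $zone.queries
        if ($q.invalid_count -gt 0) {
            $problems.Add("zone '$($zone.zone)': $($q.invalid_count)/$($q.total_count) invalid queries, last rcode '$($q.last_invalid_rcode)'")
        }
        $t = $zone.tests
        if ($t.failed_tests_count -gt 0 -or $t.healthy -ne 'healthy') {
            $problems.Add("zone '$($zone.zone)': $($t.failed_tests_count) of $($t.tests_count) tests failed")
        }
        foreach ($proto in 'tcp', 'udp') {
            $lt = $t.last_tests.$proto
            if ($lt -and -not $lt.successful) {
                $problems.Add("zone '$($zone.zone)': last $proto probe of $($lt.domain) failed: received '$($lt.received_rcode)', intercepted '$($lt.intercepted_rcode)'")
            }
        }
    }

    [pscustomobject]@{
        Version    = $info.version
        ReloadedAt = $info.reloaded_at
        FileAgeSec = [int]$age.TotalSeconds
        Healthy    = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

Get-EndpointHealth | Format-List
```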

Also under C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\ you will find a file for each network you have connected to; it stores the network name and DNS details.

The following folder contains all past and current installation MSI files of B1E as well as the join token.

C:\ProgramData\Infoblox\ActiveTrust Endpoint\download

Logs are in:

C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs
  • control_app.SERIAL.log
  • msi_autoupgrade.log
  • proxy.4.log
  • proxy.6.log
  • service.log
  • upgrade.log

Supported Versions

Windows/Mac/Linux:

  • Apple:
    • macOS Sonoma
    • macOS Ventura
    • macOS Monterey
    • macOS BigSur
  • Microsoft:
    • Windows 11
    • Windows 10
  • Linux:
    • Ubuntu 22.x
    • Ubuntu 20.x
    • Red Hat 8.x

NOTE: Windows 7 is not supported (it doesn't support the required ciphers).

iOS/Android:

  • iPhone (iOS 14.0 or later)
  • iPad (iOS 14.0 or later)
  • Android devices (10.0 and up)

Chrome OS:

  • Chromebook devices in your organization must be running Chrome OS version 88 or later.

Endpoint Auto-Removal

The following describes the expected behavior for endpoints that have been in the inactive state for more than 30 days while “Automatically remove endpoints after a period of inactivity” is set to 0 on the group that contains them.

If the admin changes “Automatically remove endpoints after a period of inactivity” to a value of 30 days or more that is still less than the time since the endpoint last connected, the endpoint will be moved automatically to the recycle bin in the next cycle (within 24 hours). In other words, inactivity that occurred before the setting was configured also counts.

Follow Query Logs

This will print the entire query log file and then follow it, printing new queries live as they are made.

Get-Content "C:\ProgramData\Infoblox\ActiveTrust Endpoint\logs\proxy.4.log" -wait

Palo Alto Networks

When using Palo Alto Networks, if you have a split-tunnel VPN where only internal data goes over the VPN, don't forget to set “Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows only)” to “No” in the Portal config so that the Palo DNS servers are not the default for the endpoint.

Updates

KB Article on Endpoint update policy.

https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip
https://s3.amazonaws.com/roaming-client-prod/customer-downloads/0004241f-23c8-4972-b590-0add06c65366/mac/ActiveTrustEndpoint-1.8.5.zip.57b95cae2c84bba911e67b169b59b883.md5

PowerShell Scripts

Scripts that extract data from the Endpoint config. Courtesy of CoPilot.

Show Local IP

Show the local DNS server IP issued by DHCP. This isn't visible via ipconfig when Infoblox Endpoint has overridden that setting.

# Define the path to the input file
$filePath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4"

# Read the file line by line
Get-Content $filePath | ForEach-Object {
    # Check if the line contains "alternate SERVFAIL,REFUSED"
    if ($_ -match "alternate SERVFAIL,REFUSED\s+\.\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})") {
        # Extract the IP address using a regular expression
        $ipAddress = $matches[1]
        # Print the IP address to the screen
        Write-Output "Found IP address: $ipAddress"
    }
}

Show Local Domains

Read the file and extract the local domains, ignoring the default ones added by Infoblox (you may also want to ignore your own local domains). What remains is the list of Application domains configured as “Allow - Local Resolution”.

# Define the path to the input file
$filePath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config\Corefile.4"
# List of words to ignore
$ignoreWords = @(
    "activetrust.net", "inca.infoblox.com", "infoblox.com", "inuk.infoblox.com", 
    "local", "10.in-addr.arpa", 
    "16.172.in-addr.arpa", "17.172.in-addr.arpa", "18.172.in-addr.arpa", 
    "19.172.in-addr.arpa", "20.172.in-addr.arpa", "21.172.in-addr.arpa", 
    "22.172.in-addr.arpa", "23.172.in-addr.arpa", "24.172.in-addr.arpa", 
    "25.172.in-addr.arpa", "26.172.in-addr.arpa", "27.172.in-addr.arpa", 
    "28.172.in-addr.arpa", "29.172.in-addr.arpa", "30.172.in-addr.arpa", 
    "31.172.in-addr.arpa", "168.192.in-addr.arpa", "c.f.ip6.arpa", "d.f.ip6.arpa", 
    "ipv4only.arpa", "254.169.in-addr.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", 
    "a.e.f.ip6.arpa", "b.e.f.ip6.arpa", "{"
)

# Read the file line by line
$fileContent = Get-Content -Path $filePath

# Initialize a flag to indicate if the target line is found
$found = $false

# Iterate over each line in the file
foreach ($line in $fileContent) {
    if ($line -match "activetrust.net") {
        # If the line contains the target word, split it into words
        $words = $line -split "\s+"
        
        # Print each word on a new line, skipping the empty token that a leading
        # space produces and any of the specified ignore words
        foreach ($word in $words) {
            if ($word -ne "" -and $ignoreWords -notcontains $word) {
                Write-Output $word
            }
        }
        
        # Set the flag to true and break the loop
        $found = $true
        break
    }
}
# If the target line was not found, print a message
if (-not $found) {
    Write-Output "No line containing 'activetrust.net' was found."
}

Show SSID History

Show all SSIDs the machine has connected to, with the DNS server IP addresses learned on each.

# Define the path to the folder containing the files
$folderPath = "C:\ProgramData\Infoblox\ActiveTrust Endpoint\config"

# Define the regex pattern for the file names (GUID format)
$guidPattern = "^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# Define the regex pattern to match the template:
# {GUID}<SSID>|DHCP[,DHCPv6],<ip>[,<ip>...]
$pattern = "^\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}(.+?)\|(DHCP(?:,DHCPv6)?)((?:,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+)$"

# Get all files in the folder
$files = Get-ChildItem -Path $folderPath

# Iterate over each file
foreach ($file in $files) {
    # Check if the file name matches the GUID pattern
    if ($file.Name -match $guidPattern) {
        # Read the content of the file
        $fileContent = Get-Content -Path $file.FullName

        # Iterate over each line in the file
        foreach ($line in $fileContent) {
            # Check if the line matches the pattern
            if ($line -match $pattern) {
                $guid = $matches[1]
                $ssid = $matches[2]
                $dhcp = $matches[3]
                $ips  = $matches[4] -split ","

                # Print the extracted data
                Write-Output ""
                #Write-Output "GUID: $guid"
                Write-Output "`tSSID: $ssid"
                #Write-Output "`tType: $dhcp"
                foreach ($ip in $ips) {
                    if ($ip -ne "") {
                        Write-Output "`t`t$ip"
                    }
                }
            }
        }
    }
}
infoblox_threat_defense/endpoints.1739756080.txt.gz · Last modified: by bstafford