×
Infoblox DDI
Infoblox

Overview

The Security Flow Infoblox Plugin provides Infoblox DDI functionality for management of Response Policy Zones to block domains and IP addresses and retrieval of DHCP lease information.

Functionality

This plugin supports operations, which allow one to:

  • Retrieve RPZ entries
  • Block a domain via a RPZ
  • Unblock a domain via a RPZ
  • Block an IP Address via a RPZ
  • Unblock an IP Address via a RPZ
  • Retrieve DHCP lease information
  • Retrieve DHCP lease information for an IP address

Instance Configuration Parameters

Property
Description
Instance Name

Name for Infoblox instance.

Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.

Server

Infoblox server IP address or host name.

Server Port

Port number Infoblox is running on; typically this will be port 443.

Username

Valid username for the Infoblox server.

Password

Valid password for the username on the Infoblox server.

Password Confirmation

Confirmation password for the username on the Infoblox server.

WAPI Version

Infoblox WAPI version number for the RESTful web API. Do not include the v character.

Response Policy Zone (RPZ)

The default Response Policy Zone, RPZ, modified by direct requests and broadcast requests.

RPZ Policy

The default behavior for RPZ entries added by direct requests and broadcast requests. The options are as follows:

  • Block (No Data)
  • Block (No Such Domain)
Extensible Attribute

Optional field containing the name of the Extensible Attribute, with a type of String, to assign the Security Flow Incident number. This setting is used for both direct requests and broadcast requests. If left blank, no Extensible Attribute is set.

Broadcast Settings
Domain Block Events

Listen for Domain Block broadcast events.

Domain Unblock Events

Listen for Domain Unblock broadcast events.

IP Block Events

Listen for IP Block broadcast events.

IP Unblock Events

Listen for IP Unblock broadcast events.

Flow Nodes

Node which controls the Nevelex Labs Infoblox DDI Plugin Instance to manage Response Policy Zone (RPZ) entries and retrieve DHCP lease information.
Property
Description
Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Action

Configuration option determining the type of Infoblox WAPI calls to make:

  • Get RPZ Entries – Retrieve all records in the Plugin Instance’s RPZ.
  • Block Within – Dynamically search in the message and perform block operations based on the IoC type found.
  • Unblock Within – Dynamically search in the message and perform unblock operations based on the IoC type found.
  • Block Domain – Add a domain to the the Plugin Instance’s RPZ.
  • Block URL – Add a domain, obtained from the URL, to the the Plugin Instance’s RPZ.
  • Block IP – Add an IP Address to the the Plugin Instance’s RPZ.
  • Unblock Domain – Remove a domain from the the Plugin Instance’s RPZ.
  • Unblock URL – Remove a domain, obtained from the URL, from the the Plugin Instance’s RPZ.
  • Get Lease Information – Retrieve current DHCP lease information from Infoblox.
  • Get IP Lease Information – Retrieve current DHCP lease information from Infoblox for a specific IP address.
Block Within / Unblock Within / Domain / URL / IP Address

These fields define the location from a constant, message, flow, global, or JavaScript expression to use as the data source for the operation.

Result Size Limit

When an Action of Get RPZ Entries or Get Lease Information is selected, this field is used to limit the total number of results returned.

Learn More

Configuring Infoblox

The Configuring Infoblox page shows the steps necessary to configure Infoblox for use with Security Flow. Watch the following video to quickly learn how to configure Infoblox, configure an Infoblox DDI Plugin Instance, and add entries to a RPZ using a basic flow.

JSON Message Format

The following samples show the JSON content added to the message payload, which conforms to Node Messaging Format. The content exists within the infoblox object. The following examples use infoblox1 for the Unique Id of the plugin:

Get RPZ Entries and Get Lease Information Success

The italicized, green text is inserted into the message payload upon a successful request. 

"payload": {
  "infoblox":
    "infoblox1": {
      "response": {
        "result": [{
          "rpz_rule":"BlockNoDataDomain",
          "_ref":"allrpzrecords/ZG5zLnpvbmVfc2VhcmNoX2luZGV4JGRucy5iaW5kX2NuYW1lJC5fZGVmYXVsdC5zZWN1cml0eWZsb3cuY29tLmJhZGRvbWFpbg:baddomain.com",
          "name":"baddomain.com",
          "view":"default"
        }]
      }
    }
}

Other Operations Success

The italicized, green text is inserted into the message payload upon a successful request. 

"payload": {
  "infoblox":
    "infoblox1": {
      "response": {
        "_ref": "allrpzrecords/ZG5zLnpvbmVfc2VhcmNoX2luZGV4JGRucy5iaW5kX2NuYW1lJC5fZGVmYXVsdC5zZWN1cml0eWZsb3cuY29tLmJhZGRvbWFpbg:baddomain.com",
        "name": "baddomain.com",
        "view": "default",
        "rpz_rule": "BlockNoDataDomain"
      }
    }
}

Error

The italicized, maroon text is inserted into the message payload upon a failed request.

"payload": {
    "infoblox": {
      "infoblox1": {
        "error": {
            "error_code": 5,
            "error_message": "Error text"
        }
      }
    }
}
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.

EULA