To configure On-Prem DNS Firewall service, complete the following:
From the Cloud Services Portal, go to Policies -> On-Prem DNS Firewall and complete the four-step process to configure the On-Prem DNS Firewall.
Step 1: Download and read the Infoblox Threat Intelligence Feed Deployment Guide. The deployment guide will walk you through the step-by-step process of setting up and configuring the On-Prem DNS Firewall. When you have reviewed the information in the guide, click Close to proceed to the next step.
Step 2: Click Feed Configurations Values to configure NIOS feeds with the provided feed addresses. The DNS Firewall Configuration displays the threat intelligence feeds that are provided in your subscription. Organizations having their own custom feed will see it listed at the bottom of the feeds list.
To configure your NIOS feeds, perform the following:
- In the Threat Feed Details dialog, review the list and copy the feed information to your favorite text editor. Save this information for subsequent NIOS configuration.
- Click Close to proceed to the next step.
Step 3: Click Distribution Server Configuration Values to view the distribution servers. In the Distribution Server Details dialog, copy the following information so you can use it to configure the DNS Firewall client. You must configure a DNS server to act as a lead secondary that receives feed updates from the threat intelligence data server and redistributes the updates to other servers.
- Distribution Server – US West IPv4: Displays the IPv4 address of the distribution server for US West.
- Distribution Server – US East IPv4: Displays the IPv4 address of the distribution server for US East.
- Distribution Server – US West IPv6: Displays the IPv6 address of the distribution server for US West.
- Distribution Server – US East IPv6: Displays the IPv6 address of the distribution server for US East.
- Key Algorithm: Displays the key algorithm in use. On-Prem Firewall Service supports the HMAC_MD5 (512-bit) and HMAC_SHA256 (256-bit) algorithms for generating TSIG keys.
- Key Name: Displays the name of the TSIG key. A TSIG key is required for RPZ zone transfers for the On-Prem Firewall. For more information on selecting TSIG key options for On-Prem DNS Firewall, see .
- TSIG Key: Displays the TSIG key, which is used for authentication when downloading information about threat intelligence feeds. If you have a complex configuration, such as using standalone Infoblox appliances, or Infoblox Grids that receive threat intelligence feeds from other standalone appliances or Grids and not directly from the Infoblox distribution servers, ensure that you use the same TSIG key for the feed zone transfers. You can modify the TSIG key format to a different TSIG type by selecting from among the drop-down list of supported TSIG key types.
It may take up to one hour for newly created TSIG keys to become active. Once the key becomes active, you can add the new key name and the TSIG key to your on-prem devices.
When changing the TSIG key format, the new key must be entered into NIOS.
Once you have made your distribution server selections, click Close to proceed to the next step.
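The values copied in Step 3 (key name, key algorithm, TSIG secret and the distribution server addresses) end up on the lead secondary as one TSIG key plus a secondary RPZ zone that pulls its updates from the distribution servers with that key. The following is an added example, not from the Infoblox guide or the portal: it checks that the three TSIG values copied from the Distribution Server Details dialog are consistent with each other before they are typed into NIOS, and renders the BIND-style equivalent of the resulting configuration so the relationship between the fields is visible (NIOS itself is configured through its UI, not through this file). The expected secret lengths follow the bit sizes quoted above and are an assumption of this check; the key name, secret, addresses and zone name are constructed placeholders.

```python
import base64
import re

# Portal algorithm labels from the Distribution Server Details dialog, mapped to
# the TSIG algorithm name used in BIND-style configuration and the secret length
# in bytes this check expects. The lengths follow the sizes quoted on the page
# (HMAC_MD5: 512-bit secret, HMAC_SHA256: 256-bit secret) and are an assumption
# of this example, not an Infoblox-documented constraint.
ALGORITHMS = {
    "HMAC_MD5": ("hmac-md5", 64),
    "HMAC_SHA256": ("hmac-sha256", 32),
}

# Label-by-label check of a DNS name: letters, digits, '-' and '_', no leading '-'.
KEY_NAME_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(\.(?!-)[A-Za-z0-9_-]{1,63})*\.?$")


def validate_tsig(key_name, algorithm, secret_b64):
    """Check the three TSIG values copied from the portal against each other.

    Returns (bind_algorithm_name, secret_bytes), or raises ValueError describing
    the first problem found. Catching a mismatch here is cheaper than waiting for
    the RPZ zone transfer to fail with a TSIG error on the lead secondary."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported key algorithm {algorithm!r}; expected one of {sorted(ALGORITHMS)}")
    bind_alg, expected_len = ALGORITHMS[algorithm]
    if not KEY_NAME_RE.match(key_name):
        raise ValueError(f"key name {key_name!r} is not a valid DNS name")
    try:
        secret = base64.b64decode(secret_b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"TSIG secret is not valid base64: {exc}") from None
    if len(secret) != expected_len:
        raise ValueError(
            f"{algorithm} secret should decode to {expected_len} bytes, got {len(secret)}: "
            "name, algorithm and secret must all come from the same portal entry"
        )
    return bind_alg, secret


def validation_error(key_name, algorithm, secret_b64):
    """Same check, but returns the error message (or None) instead of raising."""
    try:
        validate_tsig(key_name, algorithm, secret_b64)
    except ValueError as exc:
        return str(exc)
    return None


def render_named_conf(key_name, algorithm, secret_b64, primaries, rpz_zone):
    """Render the BIND-style equivalent of the NIOS lead-secondary setup: one key
    statement, a secondary RPZ zone pulling from the distribution servers with
    that key, outbound transfers to downstream members restricted to the same
    key (the page requires one key for all feed zone transfers), and the
    response-policy statement that actually enforces the zone."""
    bind_alg, _ = validate_tsig(key_name, algorithm, secret_b64)
    primary_lines = "\n".join(f'        {ip} key "{key_name}";' for ip in primaries)
    return (
        f'key "{key_name}" {{\n'
        f"    algorithm {bind_alg};\n"
        f'    secret "{secret_b64}";\n'
        "};\n\n"
        f'zone "{rpz_zone}" {{\n'
        "    type secondary;\n"
        f'    file "db.{rpz_zone}";\n'
        "    primaries {\n"
        f"{primary_lines}\n"
        "    };\n"
        f'    allow-transfer {{ key "{key_name}"; }};\n'
        "};\n\n"
        "// merge into the existing options block; named.conf allows only one\n"
        "options {\n"
        f'    response-policy {{ zone "{rpz_zone}"; }};\n'
        "};\n"
    )


# Constructed placeholder values; real ones come only from the portal dialog.
SAMPLE_KEY_NAME = "example-feed-key"
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()  # 32 bytes, matches HMAC_SHA256
SAMPLE_PRIMARIES = ["192.0.2.10", "2001:db8::10"]  # documentation-range stand-ins
SAMPLE_ZONE = "rpz.example"

if __name__ == "__main__":
    print(render_named_conf(SAMPLE_KEY_NAME, "HMAC_SHA256", SAMPLE_SECRET, SAMPLE_PRIMARIES, SAMPLE_ZONE))
```

Running the script prints the rendered configuration; feeding it the same secret with the algorithm changed to HMAC_MD5 reports a length mismatch instead, which is the kind of copy error that otherwise surfaces only as a failed zone transfer after the key has become active. Where the portal offers both algorithms, HMAC_SHA256 is the one to keep.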
Step 4: Click Configure Members to create and configure members that will retrieve the threat feeds. To configure a new member, complete the following:
- Click Add to configure a member.
- In the Configure Members dialog, enter the Name and IP Address to add a client to the Members table.
- Click Save & Close to save the configuration.