Page tree

Contents

After you configure a Grid Master and add members, you might need to perform the following tasks:

Changing Grid Properties

You can change a Grid name, its shared secret, and the port number of the VPN tunnels that the Grid uses for communications. Note that changing the VPN port number, time zone, date or time requires a product restart.
To modify the properties of a Grid:

  1. From the Grid tab, select the Grid Manager tab.
  2. Expand the Toolbar and select Grid Properties -> Edit.
  3. In the Grid Properties editor, select the General tab -> click the Basic tab, and then modify any of the following:
    • Grid Name: Type the name of a Grid. The default name is Infoblox.
    • Shared Secret: Type a shared secret that all Grid members use to authenticate themselves when joining the Grid. The default shared secret is test.
    • Shared Secret Retype: Type the shared secret again to confirm its accuracy.
    • Time Zone: Choose the applicable time zone from the drop-down list.
    • Date: Click the calendar icon to select a date or enter the date in YYYY/MM/DD format.
    • Time: Click the clock icon to select a time or enter the time in HH:MM:SS format.
    • VPN Port: Type the port number that the Grid members use when communicating with the Grid Master through encrypted VPN tunnels. The default port number is 1194. For more information, see Port Numbers for Grid Communication.
    • Enable Recycle Bin: Select the check box to enable the Recycle Bin. The Recycle Bin stores deleted items when the user deletes Grid, DNS, or DHCP configuration items. Enabling the Recycle Bin allows you to undo deletions and to restore the items on the appliance at a later time. If you do not enable this feature, deleted items from the GUI are permanently removed from the database.
    • Audit Logging: Select one of the following:
      • Detailed: This is the default type. It is automatically selected. It provides detailed information on all administrative changes such as the date and time stamp of the change, administrator name, changed object name, and the new values of all properties.
      • Brief: Provides information on administrative changes such as the date and time stamp of the change, administrator name, and the changed object name. It does not show the new value of the object.
    • In the Grid Properties editor, select the General tab -> click the Advanced tab (or click Toggle Advanced Mode) and modify any of the following:
      • Enable GUI Redirect from Member: Select this check box to allow the appliance to redirect the Infoblox GUI from a Grid member to the Grid Master.

      Note: If read-only API access is enabled for a Grid Master Candidate, then selecting the Enable GUI Redirect from Member check box for the Grid Master Candidate does not redirect the Infoblox GUI from the Grid Master Candidate to the Grid Master. For more information about enabling read-only API access on a Grid Master Candidate, see Enabling Read-only API Access on the Grid Master Candidate.

    • Enable GUI/API Access via both MGMT and LAN1/VIP: Select this check box to allow access to the Infoblox GUI and API using both the MGMT and LAN1 ports for standalone appliances and MGMT and VIP ports for an HA pair. This feature is valid only if you have enabled the MGMT port. For information about enabling the MGMT port, see Appliance Management.

      Note: The appliance uses the MGMT port only to redirect the Infoblox GUI from a Grid member to the Grid Master even after you enable the Enable GUI/API Access via both MGMT and LAN1/VIP feature. 

    • Show Restart Banner: Select this check box to enable the appliance to display the Restart Banner at the top of Grid Manager whenever the appliance notifies you that a service restart is required.
    • Require Name: Select this check box to prompt the administrator to input the user name before performing the service restart. When you select this check box, the appliance displays the Confirm Restart Services dialog box. Enter the user name in the Name field and click Restart Services.For information about restarting service, see Restarting Services.
  4. Save the configuration.

If you changed the VPN port number, time zone, date or time, Grid Manager displays a warning indicating that a product restart is required. Click Yes to continue, and then log back in to Grid Manager after the application restarts.

Configuring Security Level Banner

You can publish a security banner that indicates the security level of the Infoblox Grid. It appears on the header and footer of all pages of Grid Manager. The security level can be Top Secret, Secret, Confidential, Restricted, and Unclassified. Each message type is associated with a predefined security level color. You can modify this color at any point of time. Grid Manager automatically uses an appropriate contrasting text font color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced security level banner for a Grid:

  1. From the Grid tab, select the Grid Manager tab.
  2. Expand the Toolbar and select Grid Properties -> Edit.
  3. In the Grid Properties editor, select the Security tab -> Advanced tab.
  4. Complete the following:
    • Enable Security Banner: Select this to enable the display of the security banner.
    • Security Level: From the drop-down list, select the security level for the banner.
    • Security Level Color: The default color is displayed in the drop-down. If necessary using the drop-down list, select the required color for the security level banner. When you change the security level, Grid Manager resets default color for that level.
    • Classification Message: Enter the message you want to display in the security banner. You can enter up to 190 characters.
  5. Save the configuration.

Security banner appears on the header and footer of the Grid Manager screen including the Login screen.

Configuring Notice and Consent Banner

You can configure and publish a notice and consent banner as the first login screen that includes specific terms and conditions you want end users to accept before they log in to the Infoblox Grid. When an end user tries to access Grid Manager, this banner is displayed as the first screen. The user must accept the terms and conditions displayed on the consent screen before accessing the login screen of Grid Manager. Only superusers can configure and enable this feature.
To configure the notice and consent banner:

  1. From the Grid tab, select the Grid Manager tab.
  2. Expand the Toolbar and select Grid Properties -> Edit.
  3. In the Grid Properties editor, select the Security tab -> Advanced tab, and then complete the following:
    • Enable Notice and Consent Banner: Select the check box to enable the display of the notice and consent banner. In the text field, enter the message that you want to be included in the banner. The message cannot exceed 10,000 characters.
  4. Save the configuration.

This banner appears as the first screen when users access Grid Manager. Users must read the terms and conditions and then click Accept on the consent screen before they can access the login screen of Grid Manager.

Configuring Informational Level Banner

You can publish the informational banner for multiple uses, such as to indicate whether the Infoblox Grid is in production or a lab system. The banner can also be used for issuing messages of the day. The informational level banner appears on the header of the Grid Manager screen. You can publish the banner information you want and set the banner color. Grid Manager automatically uses an appropriate contrasting text font color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced informational banner for a Grid:

  1. From the Grid tab, select the Grid Manager tab.
  2. Expand the Toolbar and select Grid Properties -> Edit.
  3. In the Grid Properties editor, select the General tab -> Advanced tab
  4. Complete the following:
    • Enable informational GUI Banner: Select the check box to enable the display of the informational banner message.
    • Banner Color: The default color is displayed in the drop-down. If necessary using the drop-down list, select the required color for the informational level banner.
    • Message: Enter the message you want to display in the informational banner. You can enter up to 190 characters.
  5. Save the configuration.
    Informational banner appears on the header of the Grid Manager screen.

Configuring Recursive Deletions of Networks and Zones

Through Grid Manager, you can configure the group of users that are allowed to delete or schedule the deletion of a network container and its child objects as well as a zone and its child objects. For information about how to delete a network container or zone, see Deleting Network Containers and Removing Zones.
When you select All Users or Superusers, these users can choose to delete a parent object and reparent its child objects, or they can choose to delete a parent object and all its child objects. These options appear only if a network container or a zone has child objects. For information about scheduling recursive deletion of network containers and zones, see Scheduling Recursive Deletions of Network Containers and Zones.
When you select Nobody, all the users can delete the parent object only. All the child objects, if any, are re-parented. For information about scheduling deletions, see Scheduling Deletions. Note that you can restrict specific users to perform recursive deletions of network containers and zones only through Grid Manager. These settings do not prevent other users from performing recursive deletions through the API.


Note: You must have Read/Write permission to all the child objects in order to delete a parent object. Recursive deletion is applicable to all zone types except stub and forward-mapping zones.


The appliance puts all deleted objects in the Recycle Bin, if enabled. You can restore the objects if necessary. When you restore a parent object from the Recycle Bin, all its contents, if any, are re-parented to the restored parent object. For information about the Recycle Bin, see Using the Recycle Bin.
To configure the group of users to perform recursive deletions:

  1. From the Grid tab, select the Grid Manager tab.
  2. Expand the Toolbar and select Grid Properties -> Edit.
  3. In the Grid Properties editor, select the General tab -> Advanced tab.
  4. Under Present the option of recursive deletion of networks or zones to, select one of the following:
    • All Users: Select this to allow all users, including superusers and limited-access users, to choose whether they want to delete the parent object and its contents or the parent object only when they delete a network container/network or a zone. This is selected by default.
    • Superuser: Select this to allow only superusers to choose whether they want to delete the parent object and its contents or the parent object only when they delete a network container/network or a zone.
    • Nobody: When you select this, users can only delete the parent object (network container or zone). All child objects, if any, are re-parented.
  5. Save the configuration.

Setting the MTU for VPN Tunnels

You can configure the VPN MTU (maximum transmission unit) for any appliance with a network link that does not support the default MTU size (1500 bytes) and that cannot join a Grid because of this limitation. If an appliance on such a link attempts to establish a VPN tunnel with a Grid Master to join a Grid, the appliance receives a PATH-MTU error, indicating that the path MTU discovery process has failed. For information about the MTU discovery process, see RFC 1191, Path MTU Discovery.
To avoid this problem, you can set a VPN MTU value on the Grid Master for any appliance that cannot link to it using a 1500-byte MTU. When the appliance contacts the master during the key exchange handshake that occurs during the Grid-joining operation, the master sends the appliance the MTU setting to use.
To set the VPN MTU for a Grid member:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box -> Edit icon.
  2. Select the Network -> Advanced tab of the Grid Member Properties editor.
  3. In the VPN MTU field, enter a value between 600 and 1500.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Removing a Grid Member

You might want or need to remove a member from a Grid, perhaps to disable it or to make it an independent appliance or an independent HA pair. Before you remove a member, make sure that it is not assigned to serve any zones or networks.
To remove a Grid member, from the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and click the Delete icon.

Promoting a Master Candidate

  • Immediately notify all Grid members about the promotion.
  • Set a sequential notification to provide wait time for Grid members to join the new Grid Master. Staggering the restarts of Grid members can minimize DNS outages. The sequential order for Grid members to join the new Grid Master begins with the old Grid Master and then the Grid members in FQDN order. The default delay time is 120 seconds. You can configure the delay time from a minimum of 30 seconds up to 600 seconds.

Note: During a Grid Master promotion, ensure that you do not designate a Grid member as a Grid Master Candidate or promote a Master Candidate. In addition, wait up to two hours since the last promotion to perform another Grid Master promotion. Otherwise, you might experience unnecessary member reboots. Whenever possible, separate any operations that require product restarts by at least an hour.


To promote a Master Candidate, do the following:

  1. Establish a serial connection (through a serial console or remote access using SSH) to the Master Candidate. For information about making a serial connection, see Method 2 Using the CLI.
  2. At the CLI prompt, use the command set promote_master to promote the Master Candidate and send notifications to all Grid members immediately, or promote the Master Candidate to the Grid Master immediately and specify the delay time for the Grid members to join the new Grid Master. For more information about the command, refer to the Infoblox CLI Guide.
  3. To verify the new master is operating properly, log in to the Infoblox Grid Manager on the new master using the VIP address for an HA master or the IP address of the LAN1 port for a single master.
  4. Check the icons in the Status column. Also, select the master, and then click the Detailed Status icon in the table toolbar. You can also check the status icons of the Grid members to verify that all Grid members have connected to the new master. If you have configured delay time for Grid member notification, it will take some time for some members to connect to the new master. You can also check your firewall rules and log in to the CLI to investigate those members.

Note: Note that when you promote the Master Candidate to a Grid Master, the IP address will change accordingly. If you have configured a FireEye appliance, then any changes in the Grid Master IP address, FireEye zone name, associated network view or the DNS view will affect the Server URL that is generated for a FireEye appliance. The FireEye appliance will not be able to send alerts to the updated URL when there is a change in the IP address. You must update the URL in the FireEye appliance to send alerts to the NIOS appliance. For more information, see Configuring FireEye RPZs.


Enabling Read-only API Access on the Grid Master Candidate

You can enable read-only API access on the Grid Master Candidate to provide additional scalability of read/write API requests on the Grid Master, which in turn improves the performance of the Grid Master. The read-only API access is disabled by default for new installations. When you enable read-only API access on an HA Grid Master Candidate, you can access the API service only on the active node. If the API service is disabled for an admin group, the users in the admin group cannot access read-only API service on the Grid Master Candidate, even though read-only API access is enabled for the Grid Master Candidate. Also, the users in the admin group should have at least read-only permission to access the API service.


Note: When you upgrade the Grid Master Candidate to NIOS 7.1 and later, read-only API access is disabled. But when you upgrade the Grid Master Candidate from NIOS 7.1 to a later release with read-only API access enabled, then this setting is retained after the upgrade is completed.


The appliance logs all API logins in the audit log and syslog. You can view the audit log and syslog of the Grid Master Candidate under the Administration -> Logs tab.
To enable read-only API access on the Grid Master Candidate:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_Master_Candidate check box, and then click the Edit icon.
    • In the Grid Member Properties editor, select the General tab -> Basic tab, and then do the following:
      Read Only API access: This field is displayed only when the Grid member is designated as a Master Candidate. Select this check box to enable read-only API access on the Grid Master Candidate. Enabling this check box will only allow read-only API access and not write API access. Note that if you enable this check box, you cannot access the GUI using the IP address of the Grid Master Candidate.
  2. Save the configuration.
  • No labels

This page has no comments.