To ensure that blocking certain DNS queries and packets through threat protection rules does not cause unintended effects on your appliance, you can set the threat protection service to monitor mode. You can also put your appliance in this mode to rule out the possibility that the DNS server is dropping DNS queries. When monitor mode is enabled, the appliance logs the DNS packets that would have been blocked by threat protection rules instead of dropping them. This information is recorded in the syslog.
When the Threat Protection service is in monitor mode, the service status changes from "Threat Protection Service is working" to "Threat Protection is working in monitor mode" and the status color changes from green to yellow. The status appears in both the Data Management tab -> Security tab -> Members tab and the Grid tab -> Grid Manager tab -> Services tab. Note that when one of the members is in monitor mode, the overall status for the Threat Protection service changes from green to yellow. For more information about viewing service status, see Monitoring Services.
You can enable or disable monitor mode for individual Grid members through the CLI command set smartnic monitor-mode. You cannot set this configuration at the Grid level. To enable or disable monitor mode for both hardware and Software ADP profiles, you can use the command set adp monitor-mode on/off. The show adp command displays the status of monitor mode. Grid Manager displays a warning if the threat protection profile is running in monitor mode.
For more information about this command, refer to the Infoblox CLI Guide. Note that the set smartnic monitor-mode command is recorded in the audit log while the threat protection events are recorded in the syslog. For information about the audit log and syslog, see Monitoring Tools.