After you configure a Grid Master and add members, you might need to perform the following tasks:
You can change a Grid name, its shared secret, and the port number of the VPN tunnels that the Grid uses for communications. Note that changing the VPN port number, time zone, date or time requires a product restart.
To modify the properties of a Grid:
Enable GUI Redirect from Member: Select this check box to allow the appliance to redirect the Infoblox GUI from a Grid member to the Grid Master.
If read-only API access is enabled for a Grid Master Candidate, then selecting the Enable GUI Redirect from Member check box for the Grid Master Candidate does not redirect the Infoblox GUI from the Grid Master Candidate to the Grid Master. For more information about enabling read-only API access on a Grid Master Candidate, see Enabling Read-only API Access on the Grid Master Candidate.
Enable GUI/API Access via both MGMT and LAN1/VIP: Select this check box to allow access to the Infoblox GUI and API using both the MGMT and LAN1 ports for standalone appliances and MGMT and VIP ports for an HA pair. This feature is valid only if you have enabled the MGMT port. For information about enabling the MGMT port, see Appliance Management.
The appliance uses the MGMT port only to redirect the Infoblox GUI from a Grid member to the Grid Master even after you enable the Enable GUI/API Access via both MGMT and LAN1/VIP feature.
If you changed the VPN port number, time zone, date or time, Grid Manager displays a warning indicating that a product restart is required. Click Yes to continue, and then log back in to Grid Manager after the application restarts.
You can publish a security banner that indicates the security level of the Infoblox Grid. It appears on the header and footer of all pages of Grid Manager. The security level can be Top Secret, Secret, Confidential, Restricted, and Unclassified. Each message type is associated with a predefined security level color. You can modify this color at any point of time. Grid Manager automatically uses an appropriate contrasting text font color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced security level banner for a Grid:
Security banner appears on the header and footer of the Grid Manager screen including the Login screen.
You can configure and publish a notice and consent banner as the first login screen that includes specific terms and conditions you want end users to accept before they log in to the Infoblox Grid. When an end user tries to access Grid Manager, this banner is displayed as the first screen. The user must accept the terms and conditions displayed on the consent screen before accessing the login screen of Grid Manager. Only superusers can configure and enable this feature.
To configure the notice and consent banner:
This banner appears as the first screen when users access Grid Manager. Users must read the terms and conditions and then click Accept on the consent screen before they can access the login screen of Grid Manager.
You can publish the informational banner for multiple uses, such as to indicate whether the Infoblox Grid is in production or a lab system. The banner can also be used for issuing messages of the day. The informational level banner appears on the header of the Grid Manager screen. You can publish the banner information you want and set the banner color. Grid Manager automatically uses an appropriate contrasting text font color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced informational banner for a Grid:
Through Grid Manager, you can configure the group of users that are allowed to delete or schedule the deletion of a network container and its child objects as well as a zone and its child objects. For information about how to delete a network container or zone, see Deleting Network Containers and Removing Zones.
When you select All Users or Superusers, these users can choose to delete a parent object and reparent its child objects, or they can choose to delete a parent object and all its child objects. These options appear only if a network container or a zone has child objects. For information about scheduling recursive deletion of network containers and zones, see Scheduling Recursive Deletions of Network Containers and Zones.
When you select Nobody, all the users can delete the parent object only. All the child objects, if any, are re-parented. For information about scheduling deletions, see Scheduling Deletions. Note that you can restrict specific users to perform recursive deletions of network containers and zones only through Grid Manager. These settings do not prevent other users from performing recursive deletions through the API.
You must have Read/Write permission to all the child objects in order to delete a parent object. Recursive deletion is applicable to all zone types except stub and forward-mapping zones.
The appliance puts all deleted objects in the Recycle Bin, if enabled. You can restore the objects if necessary. When you restore a parent object from the Recycle Bin, all its contents, if any, are re-parented to the restored parent object. For information about the Recycle Bin, see Using the Recycle Bin.
To configure the group of users to perform recursive deletions:
You can configure the VPN MTU (maximum transmission unit) for any appliance with a network link that does not support the default MTU size (1500 bytes) and that cannot join a Grid because of this limitation. If an appliance on such a link attempts to establish a VPN tunnel with a Grid Master to join a Grid, the appliance receives a PATH-MTU error, indicating that the path MTU discovery process has failed. For information about the MTU discovery process, see RFC 1191, Path MTU Discovery.
To avoid this problem, you can set a VPN MTU value on the Grid Master for any appliance that cannot link to it using a 1500-byte MTU. When the appliance contacts the master during the key exchange handshake that occurs during the Grid-joining operation, the master sends the appliance the MTU setting to use.
To set the VPN MTU for a Grid member:
You might want or need to remove a member from a Grid, perhaps to disable it or to make it an independent appliance or an independent HA pair. Before you remove a member, make sure that it is not assigned to serve any zones or networks.
To remove a Grid member, from the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and click the Delete icon.
During a Grid Master promotion, ensure that you do not designate a Grid member as a Grid Master Candidate or promote a Master Candidate. In addition, wait up to two hours since the last promotion to perform another Grid Master promotion. Otherwise, you might experience unnecessary member reboots. Whenever possible, separate any operations that require product restarts by at least an hour.
To promote a Master Candidate, do the following:
set promote_masterto promote the Master Candidate and send notifications to all Grid members immediately, or promote the Master Candidate to the Grid Master immediately and specify the delay time for the Grid members to join the new Grid Master. For more information about the command, refer to the Infoblox CLI Guide.
Check the icons in the Status column. Also, select the master, and then click the Detailed Status icon in the table toolbar. You can also check the status icons of the Grid members to verify that all Grid members have connected to the new master. If you have configured delay time for Grid member notification, it will take some time for some members to connect to the new master. You can also check your firewall rules and log in to the CLI to investigate those members.
Note that when you promote the Master Candidate to a Grid Master, the IP address will change accordingly. If you have configured a FireEye appliance, then any changes in the Grid Master IP address, FireEye zone name, associated network view or the DNS view will affect the Server URL that is generated for a FireEye appliance. The FireEye appliance will not be able to send alerts to the updated URL when there is a change in the IP address. You must update the URL in the FireEye appliance to send alerts to the NIOS appliance. For more information, see ConfiguringFireEye RPZs.
You can enable read-only API access on the Grid Master Candidate to provide additional scalability of read/write API requests on the Grid Master, which in turn improves the performance of the Grid Master. The read-only API access is disabled by default for new installations. When you enable read-only API access on an HA Grid Master Candidate, you can access the API service only on the active node. If the API service is disabled for an admin group, the users in the admin group cannot access read-only API service on the Grid Master Candidate, even though read-only API access is enabled for the Grid Master Candidate. Also, the users in the admin group should have at least read-only permission to access the API service.
When you upgrade the Grid Master Candidate to NIOS 7.1 and later, read-only API access is disabled. But when you upgrade the Grid Master Candidate from NIOS 7.1 to a later release with read-only API access enabled, then this setting is retained after the upgrade is completed.
The appliance logs all API logins in the audit log and syslog. You can view the audit log and syslog of the Grid Master Candidate under the Administration -> Logs tab.
To enable read-only API access on the Grid Master Candidate:
This page has no comments.