
The NIOS 8.4 release includes the following new features and enhancements:

Enabling DDNS Updates on IPv6-Only DHCP Members (RFE-5118)

The DHCP server can now update host object names and fixed addresses for IPv6-only devices. It can also enable DDNS on an IPv6-only Grid member.

New CLI Command to Set DNS and Anycast Start and Restart (RFE-10176)

This release of NIOS introduces the following commands:

  • set restart_anycast_with_dns_restart: Controls whether the anycast service is stopped and restarted together with DNS. When enabled, the anycast service is brought down for the duration of the DNS restart, which withdraws the anycast IP address so that traffic to it is redirected to another site. You can use this command only on the Grid Master.
  • show restart_anycast_with_dns_restart: Displays the status of the set restart_anycast_with_dns_restart command.

For more information about these commands, see the set restart_anycast_with_dns_restart and show restart_anycast_with_dns_restart topics.

Splunk Upgrade

NIOS 8.4.8 uses the upgraded Splunk version 7.2.6.

Collecting NIOS Database Performance Data (RFE-9550)

You can now download Ptop log files that comprise database metrics, which you can use to determine the health of the NIOS database and baseline its performance. Based on the database performance, you can ascertain the impact of changes such as adding a Grid member or enabling features such as Grid replication for DNS zones or multi-master DNS, on the database performance. You can download the Ptop log files by using a WAPI call. For more information, see Collecting Database Performance Data.

Caching Threat Category Information from the Cloud Services Portal (RFE-9249)

You can configure the Cloud Services Portal connection and schedule a download of the entire threat indicator database from the Cloud Services Portal. The threat category information is then sent to the reporting server, where it augments RPZ hits in the generated reports. Because threat category data is served from the locally stored cache rather than fetched on demand, threat reports are generated faster. You can also download incremental updates of the threat indicators from the Cloud Services Portal; incremental updates are available only after the full threat indicator database has been downloaded once.

You can configure threat indicator caching by using the Threat Indicator Caching > Basic tab in the Grid Reporting Properties editor. For more information, see Grid Reporting Properties.

Adding TLSA Records in Unsigned Zones (RFE-10324)

You can now add TLSA records in both DNSSEC-signed zones and unsigned zones. Note that DANE clients (RFC 6698) use a TLSA record only when it was obtained with DNSSEC validation, so a TLSA record in an unsigned zone is published but provides no DANE protection until the zone is signed.

Infoblox IPAM Driver for Red Hat OpenStack Platform version 13 (RFE-9675)

NIOS is now supported on Infoblox IPAM Driver for Red Hat OpenStack Platform version 13. For details about installing Infoblox IPAM Driver for Red Hat OpenStack Platform and configuring Grid Manager on the platform, see the Infoblox IPAM Driver for Red Hat OpenStack Platform 13 documentation.

Infoblox IPAM Driver for OpenStack Neutron Rocky Version (RFE-9453)

NIOS is now supported with the Infoblox IPAM Driver for OpenStack Neutron, Rocky version. For details about installing the driver for OpenStack Rocky and configuring Grid Manager on the platform, see the IPAM Driver for OpenStack Neutron documentation.

SMTP Authentication Support (RFE-9525)

You can now configure NIOS to authenticate to the SMTP server when sending notifications, in addition to using TLS for the connection. NIOS authenticates against the SMTP server using the credentials you specify. For more information, see Notifying Administrators.

Discovering All Azure Subscriptions from One vDiscovery Job (RFE-7718)

You can specify the same client ID and client secret for a vDiscovery job in which multiple subscriptions are associated with a single application in Microsoft Azure. For more information, see Configuring vDiscovery Jobs.

Specifying Subdomains to be Blocked (RFE-9170)

You can now specify the maximum and minimum levels of subdomains to block tunneling instead of specifying only the top-level domain. For more information and examples, see About Infoblox Threat Insight.

Obtaining the Latest Whitelist Files

You can now view and download the latest whitelist files based on the default or a custom schedule. For more information and examples, see About Infoblox Threat Insight.

Transferring the Database Backup File to a Remote SCP Server (RFE-9001)

This version of NIOS introduces the following new commands that let you transfer the Grid Manager database backup file to a remote SCP server:

  • set database_transfer scp: Triggers the transfer of the Grid Manager database backup file to a specified SCP server.
  • show database_transfer_status: Displays the status of the database backup transfer to the specified SCP server.

For more information about these commands, see the set database_transfer scp and show database_transfer_status topics.

Grid-Wide Threat Analytics License

The Threat Analytics license is now applicable to the entire Grid and not just specific members. If you now install the Threat Analytics license, it is applied to all the Grid members. For more information about Grid-Wide Threat Analytics license, see About Infoblox Threat Insight.

New IP Address/Data column in the Global Search Results (RFE-9175)

The IP Address column in the global search results is now updated to IP Address/Data. For resource records that do not have an IP address, this column displays the value that you entered in another field when creating the record. This field varies depending on the type of record. For more information, see Finding and Restoring Data.

Navigating from a VLAN object to its Assigned Network (RFE-9502)

You can now navigate from a VLAN object to the IPAM objects that it is linked to. The IPAM objects are displayed as hyperlinks in the Assigned To column of the VLAN tab. You can click the hyperlink to view the IPAM object details. For more information, see Configuring VLAN Objects.

Specifying a TCP Port when Configuring DNS Queries and Response Captures

You can now specify a Data Connector port number if you have configured a Data Connector as an SCP source into which to send the DNS log files. Specify the port number in the new TCP Port field in the Data Management > Logging tab. You can specify a port from 1 to 65535; the default port number is 22. For more information, see Capturing DNS Queries and Responses.

AWS Support of DHCP (RFE-8087)

You can now use Infoblox vNIOS for AWS to start DHCP services for private networks. For more information, see the online Installation Guide for vNIOS for AWS at Installation Guide for vNIOS for AWS.

REST API for Microsoft Server (RFE-9632)

This version of NIOS introduces a REST API to create a Microsoft server. NIOS supports CREATE, MODIFY, DELETE, and other operations for the Microsoft server. For details, see the NIOS WAPI documentation.

Viewing DTC Configurations from the CLI (RFE-9004)

The show config command has been enhanced with the following new arguments:

  • dtc: Displays the dtc.conf file at /Infoblox/var/idns_conf/
  • healthd: Displays the healthd.conf file at /Infoblox/var/idns_conf/

For more information, see show config.

WAPI Support for Inherited Fields (RFE-7200)

NIOS now supports inherited fields for Network (network or IPv6 network), Range (range or IPv6 range), and Fixed Address (fixed address or IPv6 fixed address) objects using WAPI. For details, see the NIOS WAPI documentation.

Change of Severity in the Syslog (RFE-9247)

The severity of the syslog messages logged when IP addresses are skipped in a CSV import during NetMRI and IPAM synchronization has been changed from Error to Info/Warning.

New Policy for Subscriber Parental Control (RFE-8665)

NIOS can now receive a new AVP (Attribute Value Pair) called the PCC (Parental Control Category) policy from the RADIUS server. The PCC policy is a 128-bit string that defines how domains in each category are serviced. If a domain's category matches a category set in the PCC policy, a CEF log message is written to the syslog at warning severity for queries to that domain; however, the domain is not blocked.

Reporting Data Retention (RFE 9394)

You can now specify whether you want to retain reporting data and specify the number of days for which you want the data to be retained. You can also configure the delete permission on reporting data for a local admin user who has superuser permissions by running the following new CLI commands:

  • show reporting_user_capabilities
  • set reporting_user_capabilities

For information about this feature, see the Grid Reporting Properties, set reporting_user_capabilities, and the show reporting_user_capabilities topics in the NIOS 8.4 online documentation.

You can also select reporting data that you want to delete after enabling the delete permission for local admin users who have superuser permission. For information about this feature, see the Deleting Reporting Data section in the About Reports topic.

NIOS SPPC Lease2RADIUS Installation (RFE 9520)

You can now add subscribers by using DHCP server logs. This procedure involves creating Python scripts and their associated init scripts in Linux to parse DHCP log files and send RADIUS accounting request messages to a RADIUS accounting server.

For detailed installation and configuration instructions, see the NIOS SPPC Lease2RADIUS Installation and Configuration Guide at https://drive.google.com/drive/folders/1ym8uzU99LnNyY_MPyc8QXP5rC_XoyKki

Automated Traffic Capture Enhancements (RFE-8277)

You can configure NIOS so that a traffic capture may be triggered for parameters such as outgoing recursive queries, DNS latency, and recursive DNS latency. For more information see Enabling Automated Traffic Capture.

Enabling or Disabling Lazy Loading (SPTYRFE-19)

You can disable lazy loading that was originally implemented to improve memory performance and provide faster load time of objects using the following commands:

  • show disable_lazyload: Displays the status of lazy loading.
  • set disable_lazyload: Enables or disables the lazy loading of objects.

For more information about these commands, see show disable_lazyload and set disable_lazyload.

Backing Up the Reporting Database to an SCP Supported Server (RFE-9636)

You can back up or schedule a backup of the reporting database to an SSH server that supports SCP. For more information, see Managing Reporting Data.

Whitelist Updates

Whitelist sets have been updated. You can synchronize to obtain the latest version of whitelists by selecting the Updates > Configure Automatic Updates check box on the Threat Analytics tab.

VLAN Enhancements (RFE-9499)

You can now select multiple VLAN objects and edit them in a single operation. You can also delete only a VLAN range without deleting the VLAN objects that belong to the range. For more information, see the Configuring VLAN Objects and Configuring VLAN Ranges topics respectively.

GCP vDiscovery (RFE-8867)

You can use Grid Manager to create a new vDiscovery job for GCP (Google Cloud Platform). For more information, see Configuring vDiscovery Jobs.

Disabling Recursion in DNS Views (RFE-9531)

If set rpz_recursive_only is set to no, you can clear the Enable Recursion check box even when an RPZ zone is configured as a Grid secondary. If, within a DNS view, rpz_recursive_only is set to no for one RPZ zone but not for another, you cannot disable recursion for that view. For more information, see Configuring DNS Views.

MX Record Enhancement (RFE-6689)

You can now enter a dot (.) in the Mail Exchanger field when creating an MX record. A dot denotes a null MX (RFC 7505): it signals that the domain does not accept email, which is the conventional setting for a parked domain. For more information, see IPAM Task Pack.

SAML Authentication Support (RFE-1383)

NIOS 8.4 supports SAML (Security Assertion Markup Language) 2.0 authentication for single sign-on. By enabling SAML, user management is delegated to an external application, relieving IT administrators of maintaining user accounts in every application (Service Provider) the organization uses. Instead, administrators maintain one account in the Identity Provider (IdP), which can be used across Service Providers (SPs). The IdP is the application server that holds the user accounts of the entire organization, so administrators manage users' access rights in one place. Users log in to the IdP directly and, once logged in, can move to the required SP without being prompted again for a user ID and password. SAML lets NIOS delegate identity management to a third-party SSO application (the IdP) and thereby eases administrative effort.

For more information about SAML authentication, see the Authenticating Admins Using SAML topic.

NIOS UI Revamp

The NIOS UI has been revamped with a lighter color scheme and an updated alignment of UI elements. This is to enhance visibility thereby offering a superior customer experience and at the same time retaining all existing functionality.

Security Features

NIOS 8.4 contains the following security-related enhancements. All of them can be configured only by a superuser:

  • You can set a time duration for the password of each admin group such that the password is valid only for that duration. After the specified duration expires, the password for the users of the admin group expires. For more information, see the Managing Admin Groups and Admin Roles topics. (RFE-4955)
  • You can store the history of used passwords in the NIOS database and specify the number of passwords to be stored. You cannot reuse passwords stored in history. For more information, see the Creating Local Admins. (RFE-8202)
  • You can configure the number of attempts that a user can use to log in to NIOS using the wrong password. After the configured number of attempts, you can choose to lock the user account. For more information, see Managing Admin Groups and Admin Roles. (RFE-8203)
  • You can disallow multiple concurrent logins by the same user. That is, if a user in the admin group is already logged in to Grid Manager at a given address, that user cannot log in to the same address again from another browser or from another system. For more information, see Managing Admin Groups and Admin Roles. (RFE-8204)
  • You can disable a group of users who have not logged in to NIOS for a specified duration of time. For more information, see Managing Admin Groups and Admin Roles. (RFE-8205)
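The following script models the four account controls above (password validity period, password history, failed-login lockout, and inactivity disable) in one place. It is added here as an illustration and is not the NIOS implementation; the PBKDF2 parameters and the values in Policy() are assumptions chosen for the example.

```python
"""Model of the admin-account controls described above: password validity
period, password history, failed-login lockout and inactivity disable.

Added illustration, not the NIOS implementation. The PBKDF2 parameters and
the policy values in Policy() are assumptions chosen for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Policy:
    """Settings a superuser would apply per admin group (assumed values)."""
    password_max_age: timedelta = timedelta(days=90)
    history_size: int = 5          # stored passwords that may not be reused
    max_failed_logins: int = 5     # lock the account at this many failures
    inactivity_limit: timedelta = timedelta(days=60)


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    password_set_at: Optional[datetime] = None
    last_login: Optional[datetime] = None
    failed_logins: int = 0
    locked: bool = False
    disabled: bool = False

    def set_password(self, password: str, now: datetime, policy: Policy) -> bool:
        """Reject a password that matches any entry kept in the history."""
        for salt, digest in self.history:
            if hmac.compare_digest(_digest(password, salt), digest):
                return False
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        del self.history[policy.history_size:]   # keep only the newest N
        self.password_set_at = now
        self.failed_logins = 0
        return True

    def login(self, password: str, now: datetime, policy: Policy) -> str:
        """Return 'ok' or the reason the login was refused."""
        if self.disabled:
            return "disabled"
        if self.last_login and now - self.last_login > policy.inactivity_limit:
            self.disabled = True          # dormant account: disable, not just refuse
            return "disabled"
        if self.locked:
            return "locked"
        salt, digest = self.history[0]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failed_logins += 1
            if self.failed_logins >= policy.max_failed_logins:
                self.locked = True
                return "locked"
            return "bad password"
        self.failed_logins = 0
        self.last_login = now
        if now - self.password_set_at > policy.password_max_age:
            return "password expired"    # authenticated, but must change password
        return "ok"


def ts(days: int) -> datetime:
    """Fixed clock for the example: days after 2024-01-01."""
    return datetime(2024, 1, 1) + timedelta(days=days)


if __name__ == "__main__":
    policy, acct = Policy(), Account("admin")
    print(acct.set_password("Winter-2024!", ts(0), policy))   # True
    print(acct.set_password("Winter-2024!", ts(1), policy))   # False: reuse
    for _ in range(5):
        print(acct.login("wrong", ts(2), policy))              # ends with 'locked'
```

Two design points worth carrying over to any real implementation: the reuse check compares against salted digests, never stored plaintext, and the inactivity check disables the account rather than merely refusing the login, so a dormant account cannot be revived by a single successful guess.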

Network Insight Enhancements

NIOS 8.4 contains the following Network Insight enhancements:

  • Advisor assists you in monitoring and maintaining network and security infrastructure based on released Common Vulnerabilities and Exposures (CVEs) as well as vendor product lifecycle announcements. For more information, see Monitoring Device Lifecycle and Vulnerabilities Using Advisor. Currently, the Advisor report and dashboard display lifecycle and vulnerabilities data only for Cisco devices.
  • Network Insight now uses additional techniques to collect information about the operating systems of discovered devices. For more information, see the OS field description for the IP address list in the Viewing and managing IPv4 Addresses topic.
  • Network Insight Port Channel support: For Cisco devices with a virtual port channel configured, the Attached Device Port Name field now displays the list of physical interfaces that form the virtual port channel. For more information, see the Viewing and managing IPv4 Addresses topic. (RFE-6591)

VLAN Management (RFE-4710)

NIOS 8.4 allows you to track the VLAN usage in your network, thereby allowing you to compare an assigned VLAN with VLANs discovered by Network Insight. You can then generate inventory and conflict reports based on this data.

For more information, see VLAN Management.

Upgraded OpenSSH (RFE-8376)

The OpenSSH package in NIOS 8.4 has been upgraded to OpenSSH_7.7p1.

HSTS Support for Infoblox GUI (RFE-7286)

NIOS now sends the HTTP Strict Transport Security (HSTS) header, a standard browser mechanism (RFC 6797) that instructs browsers to reach Grid Manager only over HTTPS. This prevents an attacker on the network path from downgrading the connection to plain HTTP in order to intercept or modify traffic.

Audit Log Enhancement for WAPI Session (RFE-3422)

The audit log has been enhanced to contain more detailed WAPI session log information. The audit log will contain specific WAPI call URI, InData and response time for WAPI PUT, POST, and DELETE queries. For more information, see Monitoring Tools.

Enabling Automated Traffic Capture (RFE-8277)

You can configure NIOS so that a traffic capture is triggered at set intervals or by parameters such as Cache Hit Ratio and Queries Per Second. You can then analyze the captured data and use it as production evidence, reducing the time taken for root cause analysis. You can also attach the traffic capture data to a support case so that Infoblox Support can take the investigation forward. For more information, see Enabling Automated Traffic Capture.

Configuration Changes to Prevent Cross Site Scripting Vulnerability (RFE-8268)

The NIOS web application now sends additional security headers on its landing pages to protect against cross-site request forgery (CSRF, sometimes pronounced sea-surf, also written XSRF). Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user whom the web application trusts.

Link Selection and DHCP Server Identifier Override (RFE-6874)

In addition to the relay agent IDs, NIOS also supports the Option 82 Link Selection and Server ID Override sub-options, which allow DHCPv4 to operate in a network architecture where direct communication between the DHCP server and DHCP client is undesirable or infeasible. These sub-options can direct DHCP traffic to go through the relay agent and have more control over your DHCP communications. For more information, see About the DHCP Relay Option (Option 82).
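The following parser shows what a DHCPv4 server does with the two sub-options named above. It is added here as an example and is not Infoblox code; the option payload and the subnet table are constructed for illustration.

```python
"""Parse the DHCPv4 Relay Agent Information option (option 82) and apply the
Link Selection (sub-option 5, RFC 3527) and Server Identifier Override
(sub-option 11, RFC 5107) semantics described above.

Added example, not Infoblox code. The option payload and the subnet table
below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Union

SUBOPT_CIRCUIT_ID = 1           # RFC 3046
SUBOPT_REMOTE_ID = 2            # RFC 3046
SUBOPT_LINK_SELECTION = 5       # RFC 3527: subnet to allocate from
SUBOPT_SERVER_ID_OVERRIDE = 11  # RFC 5107: address to place in option 54

IPv4 = ipaddress.IPv4Address
SubOpts = Dict[int, Union[bytes, IPv4]]


def parse_option82(payload: bytes) -> SubOpts:
    """Decode the sub-option TLVs; raise ValueError on malformed input."""
    subopts: SubOpts = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        if code in (SUBOPT_LINK_SELECTION, SUBOPT_SERVER_ID_OVERRIDE):
            if length != 4:
                raise ValueError(f"sub-option {code} must carry an IPv4 address")
            subopts[code] = IPv4(value)
        else:
            subopts[code] = value
        i += 2 + length
    return subopts


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_option82(payload)
        return True
    except ValueError:
        return False


def select_subnet(giaddr: str, subopts: SubOpts,
                  subnets: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Link Selection, when present, replaces giaddr for subnet selection."""
    anchor = subopts.get(SUBOPT_LINK_SELECTION, IPv4(giaddr))
    return next((net for net in subnets if anchor in net), None)


def reply_server_id(server_ip: str, subopts: SubOpts) -> IPv4:
    """Server ID Override: the client must send renewals to the relay, so the
    reply's option 54 carries the relay's address instead of the server's."""
    return subopts.get(SUBOPT_SERVER_ID_OVERRIDE, IPv4(server_ip))


# Constructed sample: relay 192.0.2.1 fronting clients on 10.20.30.0/24.
SAMPLE_OPTION82 = (
    bytes([SUBOPT_CIRCUIT_ID, 6]) + b"eth0/1"
    + bytes([SUBOPT_LINK_SELECTION, 4]) + IPv4("10.20.30.0").packed
    + bytes([SUBOPT_SERVER_ID_OVERRIDE, 4]) + IPv4("192.0.2.1").packed
)
SUBNETS = [ipaddress.ip_network("10.20.30.0/24"), ipaddress.ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    opts = parse_option82(SAMPLE_OPTION82)
    print(select_subnet("192.0.2.1", opts, SUBNETS))   # 10.20.30.0/24
    print(reply_server_id("203.0.113.5", opts))        # 192.0.2.1
```

The security-relevant caveat is that both sub-options are trusted input from the relay: a server should accept them only from relays it expects (for example by giaddr or source address), since an attacker who can inject option 82 can steer allocations into another subnet or redirect renewals to a host of their choosing.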

Rapid Commit Support for DHCPv6 at Network and Subnet Levels (RFE-7355)

You can now set the dhcp6.rapid-commit (14) option at the network, network container, and shared network levels for IPv6 DHCP options.

SCP Backup Enhancement (RFE-715)

You can now back up system files to an SCP server using Infoblox keys. Only the ECDSA and RSA keys are supported. For more information, see Backing Up and Restoring Configuration Files.

Enable or Disable Timestamps (RFE-1174)

The set tcp_timestamps command enables or disables the TCP timestamps option on the appliance, and the show tcp_timestamps command displays whether it is enabled. Disabling timestamps addresses scanner findings that use them to estimate host uptime, but timestamps are also what TCP uses for PAWS (protection against wrapped sequence numbers) on high-speed links, so weigh the trade-off before turning them off. For more information, see the set tcp_timestamps and show tcp_timestamps topics.

BIND 9.11 Upgrade

NIOS now supports BIND version 9.11.

Support for Unknown Records (RFE-3040)

NIOS now supports a new resource record named Unknown Record. You can define a DNS resource record of an arbitrary type as an Unknown record, using the generic syntax of RFC 3597 (type number plus raw RDATA). NIOS converts the Unknown record to the record type you assign. For more information, see Managing Resource Records.
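The following script, added here as an example that is not NIOS code, ties this feature to the TLSA records described earlier: it builds a TLSA RDATA (usage 3, selector 0, matching type 1), renders it in the RFC 3597 generic form that an Unknown record carries, and parses it back. CERT_DER is a constructed placeholder byte string, not a real certificate, and the owner name _443._tcp.example.com is illustrative.

```python
"""Build the RDATA of a TLSA record and carry it in the RFC 3597 generic
("unknown record") presentation format, then parse it back.

Added example, not NIOS code. CERT_DER is a constructed placeholder byte
string standing in for a certificate's DER encoding.
"""
import hashlib
import hmac
from typing import Tuple

TYPE_TLSA = 52
CERT_DER = b"constructed-placeholder-for-a-DER-encoded-certificate"


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0, matching: int = 1) -> bytes:
    """usage 3 = DANE-EE, selector 0 = full certificate, matching 1 = SHA-256.
    Selector 1 (SubjectPublicKeyInfo) would need ASN.1 parsing and is not shown."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented here")
    if matching == 0:
        data = cert_der
    elif matching == 1:
        data = hashlib.sha256(cert_der).digest()
    elif matching == 2:
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type")
    return bytes([usage, selector, matching]) + data


def to_generic(rtype: int, rdata: bytes) -> str:
    """RFC 3597 form: TYPE<n> \\# <length> <hex>; length 0 carries no hex."""
    return f"TYPE{rtype} \\# {len(rdata)} {rdata.hex()}".rstrip()


def from_generic(text: str) -> Tuple[int, bytes]:
    """Parse the generic form back into (type number, RDATA bytes)."""
    fields = text.split()
    if len(fields) < 3 or not fields[0].upper().startswith("TYPE") or fields[1] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    rtype, length = int(fields[0][4:]), int(fields[2])
    rdata = bytes.fromhex("".join(fields[3:]))   # hex may be split by whitespace
    if len(rdata) != length:
        raise ValueError("declared length does not match data")
    return rtype, rdata


def tlsa_presentation(rdata: bytes) -> str:
    """Native TLSA presentation: usage selector matching hex-data."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


def tlsa_matches(rdata: bytes, cert_der: bytes) -> bool:
    """Would this certificate satisfy the record? (constant-time compare)"""
    expected = tlsa_rdata(cert_der, rdata[0], rdata[1], rdata[2])
    return hmac.compare_digest(expected, rdata)


if __name__ == "__main__":
    rdata = tlsa_rdata(CERT_DER)
    print("_443._tcp.example.com. IN", to_generic(TYPE_TLSA, rdata))
    print("_443._tcp.example.com. IN TLSA", tlsa_presentation(rdata))
```

The generic form is byte-for-byte the same RDATA a resolver receives on the wire, which is why an Unknown record can later be converted to its typed equivalent without loss; it also means a length field that disagrees with the hex data must be rejected rather than padded.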

System Architecture

NIOS now runs in a lightweight runtime Docker container hosted on Alpine Linux.

Google Cloud Platform Support

NIOS is now supported on the Google Cloud platform.

Prefix Length Mode for DHCPv6 (RFE 8836)

You can now set the prefix length mode for DHCPv6 servers. The prefix length mode determines the prefix selection rules employed by the DHCPv6 server when a DHCPv6 client sends an empty prefix with just a prefix length as a hint for the server to specify the required prefix length. For information about the prefix length mode options available, see Setting the Prefix Length Mode for DHCPv6.

Multiple Grid Member Selection in the Traffic Capture Tool (RFE-6088)

Infoblox enables you to capture traffic for a single member or multiple Grid members simultaneously. For more information, see Monitoring Tools.

Ecosystem Enhancements

NIOS 8.4 introduces the following enhancements for the Ecosystem feature:

  • You can configure Syslog Endpoints. For more information, see the Configuring Outbound Endpoints topic in the NIOS 8.4 online documentation.
  • You can add a topic to subscribe to when configuring a DXL endpoint. You can then collect data from the topic to which you subscribed. For more information, see Configuring Outbound Endpoints .
  • You can trigger a notification rule when a DNS record or a DNS zone is added, updated, or deleted. For more information, see Configuring Notification Rules.

Enhancement to DTC Health Checks (RFE-7753)

With this enhancement, members that are not selected for health checks are not considered when calculating the health status. Only the members in the consolidated list perform the local health check; they then share the resulting health status with the members that are not selected but are still part of the DTC pool.

Warning Message when a User Deletes, Disables, or Recovers Zone/Members/View/Network (RFE-2353)

The application is enhanced to display warning messages at the zone, view, network and member levels while deleting and disabling objects to avoid accidental deletion. Similarly, warning messages are displayed while recovering zones, views, and network objects indicating that the process might take a longer time if the amount of data is huge. For more information, see Configuring IPv4 Networks.

Enhanced NIOS Command to Remove Abandoned Leases from the Database (RFE-8825)

A NIOS command has been enhanced to parse the database and remove unwanted abandoned leases.

Splunk Reporting API Calls (RFE-8912)

API requests for threat data are now sent through the configured proxy server:

  • from the reporting member, for threat details.
  • from Grid members, for threat context details.

For more information, see Configuring Proxy Servers.

Ability to Configure the RPZ Recursive-Only Statement (RFE-9316)

The following two CLI commands that allow you to configure the RPZ recursive-only statement at the zone level or the view-level have been introduced:

  • set rpz_recursive_only zone_name or set rpz_recursive_only view_name
  • show rpz_recursive_only zone_name or show rpz_recursive_only view_name

These commands are available only on the Grid Master. For more information, see the set rpz_recursive_only and the show rpz_recursive_only topics.

Addition of New Interfaces to Send SNMP Traps (RFE-8576)

You can now choose an interface, instead of the default MGMT or LAN1 interface, to send SNMP traps to the trap receivers. This is valid for both Grid member and a standalone Grid. For more information, see Defining Interfaces for SNMP Traps.

Support to Disable Generation of NS Records in a Parent Authoritative Zone (RFE-8950)

A new option is added to disable generation of name server records in a parent authoritative zone that has a subzone, which is conditionally forwarded. The NIOS appliance will not generate name server records and deletes the existing records from the parent authoritative zone when this check box is selected. For more information, see Configuring a Forward Zone.

Local ID Support for DNS Cache Acceleration (RFE-8671)

The subscriber cache in DNS Cache Acceleration has been enhanced to include the Local ID (client_id) for IB-4030 and IB-FLEX appliances. For more information, see Configuring Infoblox Subscriber Insight and Subscriber Policy Enforcement.

Configuring the From Email Address (RFE-1027)

You can now configure the email address from which to send email notifications in the From Email Address field. For more information, see Notifying Administrators.

Including View Names as an EDNS option (RFE 8238)

You can now include DNS view names as an EDNS option in recursive queries forwarded from NIOS. For more information, see the Specifying Forwarders section in the Using Forwarders topic.

Support for Cisco ISE 2.4 (RFE 8858)

NIOS now supports the integration with Cisco Identity Services Engine (ISE) version 2.4.

Support for Cloud Platform Appliance

NIOS now supports the Cloud Platform appliance on the following platforms: CP-V805, CP-V1405, and CP-V2205.

Infoblox vDiscovery for Google Cloud Platform

You can perform a GCP vDiscovery job to detect and obtain information about virtual entities and interfaces in the GCP. You can discover tenants, subnets, VPCs, and workload VMs through Infoblox vDiscovery for GCP. Infoblox vDiscovery for GCP is available only to Beta customers.

Infoblox Subscriber Services Enhancements (RFE 8995)

  • You can now create service policies that can be associated with specific servers. These are blocking servers through which traffic or web pages that conform to the service policies you create are blocked and are redirected to the blocking VIP addresses. You can specify additional IP addresses that will act as blocking servers. For more information, see Configuring Blocking Server Policies.
  • This NIOS release adds the set subscriber_secure_data never_proxy and the show subscriber_secure_data never_proxy CLI commands. You can use these commands to set and view the hexadecimal characters that represent the list of categories in the global list used to resolve DNS queries without proxying to an MSP (Multi-Services Proxy) server. For more information, see the set subscriber_secure_data never_proxy and the show subscriber_secure_data never_proxy topics.
  • You can now set the Proxy-All setting to 1 to have DNS queries processed by NIOS. The MSP server will process the queries only if NIOS is unable to categorize the DNS queries.
  • Support for termination of all user connections traversing Multi-Services Proxy (MSP) upon activation of the block-all Parental Control Policy (PCP), or any PCP change for subscribers behind the home gateway (CPE) when identified by the EDNS0 local ID. You can re-establish connections depending on the new PCP value.

    Note

    To support proxy subscribers, the configuration must first resolve locally; ensure that 127.0.0.1 is the first entry in the list of resolvers. You can do this either globally through Grid DNS properties -> DNS Resolver, or locally through Member DNS properties -> DNS Resolver.

  • You can now configure an access token for the Subscriber Data Repository REST API. The setting is in application.properties and is disabled (false) by default.

Infoblox ADP Performance Improvements

DCA first: You can now configure NIOS such that DNS queries and packets are first passed on to DNS Cache Acceleration (DCA). If the query is valid and the answer is in the cache, the query is answered by DNS Cache Acceleration. To configure this, you must select the Enable DNS responses from acceleration cache before applying Threat Protection rules check box. For more information, see Handling DNS Queries Through DNS Cache Acceleration.

IB-FLEX support on AWS

The IB-FLEX platform is now supported on AWS. For more information, see About IB-FLEX.

CLI Commands to Change the IP Address of the Docker Bridge

NIOS supports the following new CLI commands to change the IP address of the Docker bridge when DNS forwarding proxy is enabled on a member:

  • set docker_bridge: This command changes the current Docker bridge IP address to the IP address that you specify.
  • show docker_bridge: This command displays the current Docker bridge settings.

For more information about these commands, see the show docker_bridge and set docker_bridge topics.

Unique Session ID (RFE-8268)

NIOS now generates a unique session ID and rejects incoming requests that do not carry it. Browser security headers are also added to mitigate man-in-the-middle (MITM), CSRF, XSS, and MIME-sniffing attacks.
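The following checker, added here as an example and not Infoblox code, is the kind of verification a practitioner would run after upgrading to confirm that the HSTS, anti-clickjacking, MIME-sniffing and cookie protections described in this section and in the HSTS and CSRF sections above are actually present in a response. The two raw responses are constructed, not captured from an appliance, and the one-year HSTS minimum is an assumption.

```python
"""Audit the browser security headers an HTTPS management UI should send:
HSTS, clickjacking protection, MIME-sniffing protection and protected
session cookies.

Added example, not Infoblox code. The two responses below are constructed,
and MIN_HSTS_MAX_AGE is an assumed threshold.
"""
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31_536_000   # assumed threshold: one year


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Header name (lower-case) -> list of values, from a raw HTTP head."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if line == "":
            break                              # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _directives(value: str) -> Dict[str, str]:
    """Split 'a=1; B; c=x' into {'a': '1', 'b': '', 'c': 'x'}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        d = _directives(hsts[0])
        try:
            max_age = int(d.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    csp = " ".join(headers.get("content-security-policy", []))
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")

    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("missing X-Content-Type-Options: nosniff")

    for cookie in headers.get("set-cookie", []):
        attrs = _directives(cookie)
        name = cookie.split("=", 1)[0].strip()
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite")
    return findings


# Constructed responses (not captured from an appliance).
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html>...</html>"
)
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit(parse_response(GOOD)))   # []
    for finding in audit(parse_response(WEAK)):
        print("WEAK:", finding)
```

Against a live system, feed the header block from a curl -sI request for the login page into parse_response; because parse_response uses splitlines, it accepts either CRLF or LF line endings.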
