

Infoblox Subscriber Services is a scalable, enterprise-grade solution that provides visibility into subscriber activity and complete filtering capabilities by combining advanced DNS services with subscriber identification, threat protection policies, and MSP (Multi-Services Proxy). The Infoblox Subscriber Services solution includes the following:

  • Infoblox Subscriber Insight - Infoblox Subscriber Insight automates the process of identifying infected subscriber devices that are trying to connect to malicious domains. This solution augments the malware incident logs with the subscriber identity information received via RADIUS accounting messages and generates a report to display RPZ violations per subscriber ID. You can also identify subscribers who access specific domains for purposes other than security.
  • Infoblox Subscriber Policy Enforcement - Infoblox Subscriber Policy Enforcement enables the selection of applicable policies for the subscriber. Policies are any combinations of RPZs. You can use this product to create value-added service plans or packages for different subscribers.
  • Infoblox Subscriber Parental Control - Infoblox Subscriber Parental Control enables subscribers to manage Internet access and content for their mobility devices, houses, families, or corporations. Subscribers can restrict or allow access to content based on content categories and domains.
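
The per-subscriber RPZ violation report described under Subscriber Insight depends on mapping a client IP address to whichever subscriber held it at the time of the query. The sketch below is an added example, not Infoblox code or an Infoblox log format: the record layouts, subscriber names, and zone names are constructed, and only the RADIUS attribute names (User-Name, Framed-IP-Address, Acct-Status-Type) are standard.

```python
from collections import Counter

# Constructed RADIUS accounting events (standard attribute names, sample values).
ACCOUNTING = [
    {"ts": 100, "Acct-Status-Type": "Start", "Framed-IP-Address": "10.0.0.5", "User-Name": "sub-alice"},
    {"ts": 120, "Acct-Status-Type": "Start", "Framed-IP-Address": "10.0.0.9", "User-Name": "sub-carol"},
    {"ts": 200, "Acct-Status-Type": "Stop", "Framed-IP-Address": "10.0.0.5", "User-Name": "sub-alice"},
    {"ts": 250, "Acct-Status-Type": "Start", "Framed-IP-Address": "10.0.0.5", "User-Name": "sub-bob"},
]

# Constructed RPZ hit records: query time, client IP, blocked name, matching zone.
RPZ_HITS = [
    {"ts": 130, "client": "10.0.0.9", "qname": "c2.example", "zone": "rpz.malware"},
    {"ts": 150, "client": "10.0.0.5", "qname": "bad.example", "zone": "rpz.malware"},
    {"ts": 160, "client": "10.0.0.5", "qname": "bad.example", "zone": "rpz.malware"},
    {"ts": 220, "client": "10.0.0.5", "qname": "bad.example", "zone": "rpz.malware"},
    {"ts": 300, "client": "10.0.0.5", "qname": "phish.example", "zone": "rpz.phishing"},
]

def build_sessions(events):
    """Turn Start/Stop events into per-IP lists of (start, stop, user) intervals."""
    sessions, open_ = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, kind = ev["Framed-IP-Address"], ev["Acct-Status-Type"]
        if ip in open_ and kind in ("Start", "Stop"):
            # A Stop, or a new Start after a lost Stop, ends the open session.
            start, user = open_.pop(ip)
            sessions.setdefault(ip, []).append((start, ev["ts"], user))
        if kind == "Start":
            open_[ip] = (ev["ts"], ev["User-Name"])
    for ip, (start, user) in open_.items():  # sessions still active
        sessions.setdefault(ip, []).append((start, float("inf"), user))
    return sessions

def attribute(hit, sessions):
    """Return the subscriber holding the client IP at query time, or None."""
    for start, stop, user in sessions.get(hit["client"], []):
        if start <= hit["ts"] < stop:
            return user
    return None

def violations_per_subscriber(hits, events):
    """Count RPZ hits per subscriber; hits outside any session stay unattributed."""
    sessions = build_sessions(events)
    report = Counter(attribute(h, sessions) or "unattributed" for h in hits)
    return dict(report)

if __name__ == "__main__":
    for subscriber, count in sorted(violations_per_subscriber(RPZ_HITS, ACCOUNTING).items()):
        print(f"{subscriber}: {count}")
```

The hit at ts=220 falls between the first subscriber's Stop and the next Start on the same address, so it is reported as unattributed rather than charged to either subscriber.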


When you define an access control list (ACL) for allow_query / match_clients, Infoblox recommends that you add the addresses "" and "FC::3" to the ACL as allow-list entries to support the parental control policy pre-fetch. This is mandatory when Subscriber Service Policy is enabled.

Limitations of MSP

  • As a security feature, MSP closes idle TCP connections every 20 seconds.
  • When the client connection status shows connected to MSP, the PXY_ALL responses come from DCA. When the client connection status shows disconnected, the first PROXY-ALL request is sent to BIND, and all subsequent requests (< 20 seconds idle time) are answered by DCA.
    To check the PXY-ALL Client status, use the fp-cli fp ib_dca get pxyall_hash_stat CLI command.
