To publish dynamic data, such as DHCP lease and IPAM information, make sure that you approve Infoblox_DHCP and Infoblox_IPAM on the Cisco ISE, and then configure notification rules as described in Configuring Notification Rules.
To publish RPZ and threat protection notifications to the Cisco ISE server, you must first set up an external syslog server and then configure notification rules, as follows:

  1. Configure an external syslog server that listens on port 2000, as described in Specifying Syslog Server for Notifications.
  2. Set up notification rules, as described in Configuring Notification Rules.

Specifying Syslog Server for Notifications

Before you can publish RPZ and threat protection notifications to the Cisco ISE, you must first configure the syslog server to which the appliance logs RPZ and threat protection events. The appliance generates notifications about these events and analyzes the data before sending it to the Cisco ISE. When setting up the syslog server, ensure that you select the DNS RPZ and Threat Protection logging categories so that all events related to RPZ and threat protection hits are logged to the syslog.

Note

For Cisco ISE to take appropriate action to quarantine malicious IP addresses, ensure that the EPSStatus (Endpoint Protection Status) in the Authorization Policy is set to "Quarantine." This is set by default.


To specify an external syslog server in NIOS, complete the following:

  1. From the Grid tab, select the Grid Manager tab -> Members tab, and then click Grid Properties -> Edit from the Toolbar.
  2. In the Grid Properties editor, select the Monitoring tab, and then follow the procedures described in Specifying Syslog Servers using the following settings:
    • Address: Enter the loopback address 127.0.0.1 so that the appliance sends notifications to itself.
    • Transport: Select UDP.
    • Interface: Select LAN. The appliance uses the LAN1 port to send syslog messages.
    • Source: Select Any. The appliance sends both internal and external syslog messages.
    • Port: Enter 2000 as the port number.
    • Logging Category: Select DNS RPZ and Threat Protection.
  3. Save the configuration.

Configuring Notification Rules

You can configure notification rules after you have configured Cisco ISE on the NIOS appliance. For information, see Configuring Cisco ISE on NIOS. To publish data and notifications from NIOS to Cisco ISE, you must configure notification rules. You can create notification rules for the following event types: DNS RPZ, Security ADP, IPAM, and DHCP Lease. Note that the DNS RPZ and Security ADP event types are available only if you have installed RPZ and Threat Protection licenses in the Grid. Each notification rule specifies the target Cisco ISE, the Grid member on which you wish to run the rule, the notification rule criteria, and the action to be taken for matching events. NIOS publishes information, such as DHCP lease information, IPAM data, and quarantine events, when a triggered event matches the notification rule criteria. Note that the DHCP Lease and IPAM event types are available only for the Cisco ISE 2.0 and 2.2 target servers.

Note

Quarantine events are published to the Cisco ISE according to the first rule that matches the trigger criteria; all other rules are ignored.


To add notification rules:

  1. From the Grid tab, select the Ecosystem tab -> Notification tab, and then click the Add icon.
    Or
    From the Grid tab, select the Ecosystem tab, and click Add Notification Rule from the Toolbar.
  2. In the Add Notification wizard, complete the following:
    • Name: Enter the name of the rule.
    • Target: Select the IP address of the target server to which you want to publish from NIOS. This field displays all the IP addresses of the Infoblox servers and the PT servers that you added.
    • Comment: Enter useful information about the notification rule.
    • Disable: Select this option to disable the notification rule.
  3. Click Next and complete the following:
    • Event: The appliance displays the list of event types based on the licenses installed. The values in the drop-down list are:
      • DNS RPZ: Select this to create notification rules for the DNS RPZ events.
      • Security ADP: Select this to create notification rules for Security ADP threat events.
      • IPAM Type: Select this to send IPAM data. No notification rule is required for this event type.
      • DHCP Leases: Select this to create notification rules for DHCP Lease events. This is available for Cisco ISE 2.0 and 2.2 servers.
    • In the Match the following rule section, select filters, operators and values from the drop-down lists for the selected event type. You can use the + icon to construct nested expressions within an event category.

      Event Type   | Filters       | Operators                                                | Value
      DNS RPZ      | Query Name    | equals, begins with, ends with                           | Enter the value that you want your rule to match
      DNS RPZ      | Rule Name     | equals, begins with, ends with                           | Enter the value that you want your rule to match
      DNS RPZ      | Action Policy | equals                                                   | Log Only, None, Block No Data, Block No Such Domain, Passthru, Substitute Domain Name
      DNS RPZ      | Source IP     | equals, matches CIDR, matches range                      | Enter the value that you want your rule to match
      Security ADP | Rule Severity | equals, equal to or more severe, equal to or less severe | Information, Major, Critical, Warning
      Security ADP | SID           | contains, equals, begins with, ends with                 | Enter the value that you want your rule to match
      Security ADP | Rule Message  | contains, equals, begins with, ends with                 | Enter the value that you want your rule to match
      Security ADP | Source IP     | equals, matches CIDR, matches range                      | Enter the value that you want your rule to match
      DHCP Leases  | Lease State   | equals                                                   | Started, Renewed, Expired

      You can override the Publish settings configured for the Cisco ISE server.

    • For IPAM and DHCP Lease events: In the Notify the target section, the Available table lists the predefined data types that you can publish. Click Override and use the arrows to move data types from the Available table to the Selected table and vice versa. The appliance sends information for all data types that are added to the Selected table. If you do not override, the publication settings are inherited from those configured when you added the Cisco ISE server. Note that you can configure only one IPAM rule per Cisco ISE server.
    • Action: The action to be taken for the matching events. For DNS RPZ and Security ADP events, this displays Quarantine the end host. Both the Quarantine the end host action and the Notify target data action are published through the subscribing member; only the subscribing member can publish data to the Cisco pxGrid node.

  4. Click Next to select Grid members. You can apply this notification rule to specific Grid members or to all Grid members.
    • Apply rule to relevant members: Select this option to apply the notification rule to all relevant Grid members.
    • Select Member(s): Select this option to select a Grid member for applying the notification rule. If there are multiple members, the Member Selector dialog box is displayed, from which you can select a member. Click the required member name in the dialog box. You can also click Clear to clear the displayed member and select a new one.
  5. Click Save to save the Cisco ISE configuration.
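The rule-evaluation semantics described in this procedure (every filter of a rule must hold for its event type, the operators from the filter table, and the first matching rule winning as the Note above states), as an added Python model that is not NIOS or Infoblox code; the sample rules and event are constructed, and the ordering used for "equal to or more/less severe" is an assumption.

```python
import ipaddress

# Constructed model of how NIOS evaluates a notification rule against an event
# (illustration only, not Infoblox code). Operator names follow the table above;
# the severity ordering used by "more/less severe" is an assumption.
SEVERITY_ORDER = {"Information": 0, "Warning": 1, "Major": 2, "Critical": 3}

def match_filter(op, actual, expected):
    """Return True if the single filter 'actual <op> expected' holds."""
    if op == "equals":
        return actual == expected
    if op == "begins with":
        return str(actual).startswith(expected)
    if op == "ends with":
        return str(actual).endswith(expected)
    if op == "contains":
        return expected in str(actual)
    if op == "matches CIDR":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if op == "matches range":  # expected is "low-high", inclusive
        low, high = (ipaddress.ip_address(x.strip()) for x in expected.split("-"))
        return low <= ipaddress.ip_address(actual) <= high
    if op == "equal to or more severe":
        return SEVERITY_ORDER[actual] >= SEVERITY_ORDER[expected]
    if op == "equal to or less severe":
        return SEVERITY_ORDER[actual] <= SEVERITY_ORDER[expected]
    raise ValueError(f"unknown operator: {op}")

def rule_matches(rule, event):
    """Every filter of an enabled rule must hold, and the event type must agree."""
    if rule["event"] != event["event"] or rule.get("disabled"):
        return False
    return all(field in event and match_filter(op, event[field], value)
               for field, op, value in rule["filters"])

def first_matching_action(rules, event):  # first match wins; later rules ignored
    for rule in rules:
        if rule_matches(rule, event):
            return rule["name"], rule["action"]
    return None

RULES = [  # constructed sample rules, evaluated in order
    {"name": "rpz-block-internal", "event": "DNS RPZ", "action": "Quarantine the end host",
     "filters": [("Action Policy", "equals", "Block No Such Domain"),
                 ("Source IP", "matches CIDR", "10.20.0.0/16")]},
    {"name": "adp-major", "event": "Security ADP", "action": "Quarantine the end host",
     "filters": [("Rule Severity", "equal to or more severe", "Major")]},
]
RPZ_HIT = {"event": "DNS RPZ", "Query Name": "bad.example.test", "Rule Name": "malware-feed",
           "Action Policy": "Block No Such Domain", "Source IP": "10.20.5.7"}
```

Calling first_matching_action(RULES, RPZ_HIT) returns the first rule's name and action; a hit from a source outside 10.20.0.0/16 matches no rule and returns None.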

Examples

The following illustrations show sample notification rules and how the information is displayed in Grid Manager and the Cisco ISE:

Figure 44.1 Sample Notification Rule for RPZ Events


Figure 44.2 Matching DNS RPZ Events
