This section describes the dashboards in the Security dashboards category. For more information on operations that can be performed on reporting dashboards, see About Dashboards.

The dashboards covered in this section are as follows:

FireEye Alerts

The FireEye Alerts dashboard lists the FireEye alerts that are received by the NIOS appliance. The dashboard displays the date and time when the alert was generated, mitigation action for the alert, ruleset specified for the blocked domain or IP address, and the name of the FireEye appliance that generated the alert. For more information about FireEye integrated RPZs, see Configuring FireEye RPZs.

Note

To enable this dashboard, you must select the Security check box in the Grid Reporting Properties editor. To select the check box, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the check box Security under Report Category. Note that you can receive this dashboard only on the Grid Master, not on Grid members, even if you have selected Security as a report category on the members.


This dashboard displays the following information in table format:

  • Time: The date and time when the alert was generated.
  • AlertID: The alert type along with the alert ID.
  • LogSeverity: The severity of the alert, which can be Critical, Major, or Minor.
  • AlertType: The type of alert received from the FireEye appliance.
  • FireEyeAppliance: The FireEye appliance that generated the alert.
  • RPZEntry: The RPZ rule specified for the FireEye alert.
  • MitigationAction: The ruleset specified for the blocked domain name or IP address.

DNS Top RPZ Hits

The DNS Top RPZ Hits dashboard lists the top clients who received re-written responses through RPZ. The dashboard displays the total client hits and total rule hits over a given time frame. You can choose to view either the aggregated RPZ hits report or a detailed report of the top RPZ hits. In the Show filter, select Details to view the detailed report or select Aggregated Hits Count to view the aggregated report. When you select the Aggregated Hits Count option, the report data is consolidated based on the client ID, domain name, RPZ entry, RPZ severity, and mitigation action.
The appliance lists the top RPZ hits in table format. You can click a specific row in the table or the Client ID to view the DHCP lease history of a client. For information about DHCP lease history, see DHCP Lease History. Grid Manager displays another report that specifies more detailed information, such as the leased IPs, host name, and MAC addresses for each client. For more information about RPZs, see About Infoblox DNS Firewall. You can click Domain Name or RPZ Entry to view threat details of an RPZ rule. In addition, you can click the client IP address to view login details of the user. For information, see User History for IP Address.
You can compare the domain name and mitigation action in this dashboard with the RPZ rules and mitigation actions in the FireEye Alerts report to determine the RPZ hits received due to FireEye alerts.
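The comparison described above can be scripted once both reports are exported. This is an added example, not Infoblox code: it assumes CSV exports whose columns match the field lists on this page and RPZ entries that carry the RPZ zone name as a suffix; the zone name `fireeye.rpz`, the function names, and all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. Column names follow the dashboard field lists;
# the CSV layout and every value below are assumptions for illustration.
FIREEYE_ALERTS_CSV = """Time,AlertID,LogSeverity,AlertType,FireEyeAppliance,RPZEntry,MitigationAction
2024-05-01 10:02:11,malware-callback:1001,Critical,malware-callback,fe-nx-01,c2.bad-example.test.fireeye.rpz,Block (No Such Domain)
2024-05-01 11:15:40,web-infection:1002,Major,web-infection,fe-nx-01,*.dropper-example.test.fireeye.rpz,Block (No Data)
"""

RPZ_HITS_CSV = """Client ID,Total Client Hits,Domain Name,Severity,RPZ Entry,Total Rule Hits,Mitigation Action,Time
10.0.0.15,7,c2.bad-example.test,Critical,c2.bad-example.test.fireeye.rpz,7,Block (No Such Domain),2024-05-01 12:00:00
10.0.0.22,3,stage2.dropper-example.test,Major,*.dropper-example.test.fireeye.rpz,3,Block (No Data),2024-05-01 12:05:00
10.0.0.22,5,ads.tracker-example.test,Informational,ads.tracker-example.test.local.rpz,5,Passthru,2024-05-01 12:06:00
10.0.0.31,2,c2.bad-example.test,Critical,c2.bad-example.test.allowlist.rpz,2,Passthru,2024-05-01 12:09:00
"""


def normalize(name, zone_suffix=""):
    """Lowercase, drop the trailing dot, and strip an optional RPZ zone suffix."""
    n = name.strip().lower().rstrip(".")
    suffix = zone_suffix.strip().lower().strip(".")
    if suffix and n.endswith("." + suffix):
        n = n[: -(len(suffix) + 1)]
    return n


def entry_covers(entry, domain):
    """True if an RPZ entry (exact name or '*.' wildcard) covers the queried domain."""
    if entry.startswith("*."):
        # "*.x" covers subdomains of x, but not x itself.
        return domain.endswith(entry[1:])
    return entry == domain


def correlate(fireeye_csv, rpz_hits_csv, fireeye_zone):
    """Split RPZ hits on FireEye-listed domains by whether the action also matches.

    Returns (attributed, mismatched): hits whose domain and mitigation action
    both match a FireEye alert, and hits on the same domain with another action.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(fireeye_csv)):
        alerts.append((
            normalize(row["RPZEntry"], fireeye_zone),
            row["MitigationAction"].strip().lower(),
            row["AlertID"],
        ))

    attributed, mismatched = [], []
    for hit in csv.DictReader(io.StringIO(rpz_hits_csv)):
        domain = normalize(hit["Domain Name"])
        action = hit["Mitigation Action"].strip().lower()
        for entry, alert_action, alert_id in alerts:
            if not entry_covers(entry, domain):
                continue
            record = {
                "client": hit["Client ID"],
                "domain": domain,
                "alert_id": alert_id,
                "hits": int(hit["Total Rule Hits"]),
                "action": hit["Mitigation Action"],
            }
            (attributed if action == alert_action else mismatched).append(record)
            break  # one alert per hit is enough for attribution
    return attributed, mismatched


def hits_by_client(records):
    """Sum Total Rule Hits per client for a list of correlated records."""
    totals = defaultdict(int)
    for r in records:
        totals[r["client"]] += r["hits"]
    return dict(totals)


if __name__ == "__main__":
    matched, other_action = correlate(FIREEYE_ALERTS_CSV, RPZ_HITS_CSV, "fireeye.rpz")
    for r in matched:
        print("FireEye-driven hit:", r)
    for r in other_action:
        print("Same domain, different action:", r)
    print(hits_by_client(matched))
```

Hits on a FireEye-listed domain that carry a different mitigation action are reported separately so they can be checked against the other RPZ rules that apply to that domain.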

Note

To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab -> select the check boxes DNS Query and Security under Report Category.


If you have configured Infoblox Subscriber Services, you can click Subscriber ID to view the sub-dashboard RPZ Details for the Subscriber ID dashboard. For information, see RPZ Details for the Subscriber ID.

This dashboard displays the following information in table format:

  • Client ID: The IP address of the client that queried the domain name that is listed in the RPZ ruleset.
  • Total Client Hits: The total number of hits received for each DNS view from the respective client.
  • Domain Name: The domain name that was queried.
  • Severity: The threat severity level of an RPZ zone associated with the RPZ rule that was triggered.
  • RPZ Entry: The RPZ rule that was triggered based on client queries.
  • Total Rule Hits: The total number of hits received for a specific RPZ rule.
  • Mitigation Action: The ruleset specified for the blocked domain name or IP address.
  • Subscriber ID: The subscriber ID type and the subscriber ID value. This field is displayed only if you have configured Infoblox Subscriber Services.
  • Substitute Addresses: The address which was substituted for the blocked domain.
  • Time: The date and time when the last hit was received. This information is displayed only in the detailed DNS Top RPZ Hits report.

The sub-dashboard Threat Details displays the following information in table format:

Note

Make sure that DNS resolution is enabled and running properly on the reporting member to view Threat Details.


  • RPZ Rule: The RPZ rule that was triggered based on client queries.
  • First Identified: The date and timestamp of the first occasion that the threat was detected.
  • Last Seen: The date and timestamp of the last occasion that the threat was detected.
  • Threat Category: The category to which the threat belongs.
  • Danger Level: The severity level of the threat.
  • Short Description: The brief description of an RPZ rule.
  • Description: The detailed description of an RPZ rule.

User History for IP Address

The User History for IP Address sub-dashboard displays the login details of the active users associated with the IP address of the client.
The default displays the following information in table format:

  • Last Updated: Displays the timestamp when the user information was last updated.
  • User Name: The logon name of the user.
  • Domain: The domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are still active on the system.
  • Last Seen: The timestamp when the user was last seen accessing a domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, or Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure the time interval as described in Configuring Active User Timeout Session.

User History for Lease IP

You can view user information associated with the lease IP address.
The default User History for Lease IP sub-dashboard displays the following information in table format:

  • Last Updated: Displays the timestamp when the user information was last updated.
  • User Name: The logon name of the user.
  • Domain: The Active Directory domain name.
  • IP Address: The IP address of the client.
  • First Seen: The timestamp when the user logged in to the domain for the first time.
  • Logout Time: The log out time of the user. This column displays NA when users are active on the system.
  • Last Seen: The timestamp when the user was last seen accessing a domain.
  • User Status: Displays the status of the user. This can be one of the following: Active (logged in), Logged Out, or Timed Out.
    • Active: The user is logged in and active.
    • Logged Out: The user has logged out of the system.
    • Timed Out: The user is logged in but has been idle for a certain period of time. The default is two hours. You can configure this time interval, as described in Configuring Active User Timeout Session.

DNS Top RPZ Hits by Clients

The DNS Top RPZ Hits by Clients dashboard lists the total number of RPZ hits from a client during an interval, irrespective of the rules and mitigation actions. You can view the IP address of the client, total hits and the date and time during which the hits were received.
The appliance lists the top RPZ hits by clients in table format. You can click a specific row in the table to view the lease history of a client. Grid Manager displays another report that specifies more detailed information, such as the leased IPs, host name, and MAC addresses for each client. For more information about RPZs, see About Infoblox DNS Firewall. In addition, you can click the client IP address to view login details of the user. For information, see User History for IP Address.

If you have configured Infoblox Subscriber Services, you can click Subscriber ID to view the sub-dashboard RPZ Details for the Subscriber ID dashboard. For information, see RPZ Details for the Subscriber ID.

This dashboard displays the following information in table format:

  • Client ID: The IP address of the client that queried the domain name that is listed in the RPZ ruleset.
  • Total Client Hits: The total number of hits received for all DNS views from the respective client.
  • Subscriber ID: The subscriber ID type and the subscriber ID value. This field is displayed only if you have configured Infoblox Subscriber Services.
  • Time: The date and time when the last hit was received.

Top DNS Firewall Hits

The Top DNS Firewall Hits dashboard lists the top RPZ rules triggered over a given time frame. This dashboard lists information such as RPZ rule, percentage of RPZ rule hits, number of hits per RPZ rule, and the description of the threat that triggered the RPZ rule. The default dashboard displays the top 10 RPZ rules triggered within the last week.

Note

To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.


The dashboard displays the following information in table format:

  • RPZ Rule: The RPZ rule that was triggered based on client queries.
  • Percentage: The percentage based on the number of hits for the RPZ rule divided by the total number of hits for the top RPZ rules.
  • # Hits: The total number of hits received for the RPZ rule.
  • Description: The detailed description of the threat that triggered the RPZ rule.

DNS RPZ Hits Trend By Mitigation Action

The RPZ Hit Trend by Mitigation Action dashboard provides trends for the total number of RPZ hits for each mitigation action along with the total client hits in a given time frame. You can view this report as a line chart, a stacked chart, or a table. You can also choose to display the report in all three formats. The default dashboard displays a stacked chart of the RPZ hits by mitigation action in a given time frame. You can hover your mouse over the graph to view the coordinates in the graph. Note that the values plotted in the stacked chart and line chart are average hits aggregated over time.
The dashboard displays the following information in table format:

  • Time: The date and time when the last hit was received.
  • Block: Total number of queries that triggered a Block (No Data) and Block (No Such Domain) RPZ rule. For information about Block (No Data) and Block (No Such Domain) RPZ rules, see Managing Block (No Data) Rules and Managing Block (No Such Domain) Rules respectively.
  • Passthru: Total number of queries that triggered the Passthru RPZ rule. For information about Passthru RPZ rule, see Managing Passthru Rules.
  • Substitute: Total number of queries that triggered the Substitute (Domain Name) and Substitute (Record) RPZ rule. For information about Substitute (Domain Name) and Substitute (Record) RPZ rules, see Managing Substitute (Domain Name) Rules and Managing Substitute (Record) Rules respectively.
  • Client Hits: Total number of queries that triggered an RPZ policy. The client hits value is the sum of Block (No Data), Block (No Such Domain), Passthru, Substitute (Domain Name), and Substitute (Record) RPZ hits. Note that this data is not displayed in the Stacked Chart, but is displayed in the Line Chart and in Table format.

Malicious Activity by Client

The Malicious Activity By Client dashboard lists the clients that have the most malicious activities. The default dashboard shows a bar chart that lists clients that have the most total counts of malicious activities that triggered the RPZ rule over the given time frame. The default dashboard displays the top 10 clients within the last week.

Note

To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.


If you have configured Infoblox Subscriber Services, you can click Subscriber ID to view the sub-dashboard RPZ Details for the Subscriber ID dashboard. For information, see RPZ Details for the Subscriber ID.

This dashboard displays the following information:

  • Client ID: The IP address of the client that queried the malicious domains.
  • # Hits: The total number of RPZ hits by the client.
  • Domains: The top three malicious domains queried by the client.
  • Subscriber ID: The subscriber ID type and the subscriber ID value. This field is displayed only if you have configured Infoblox Subscriber Services.
  • Last Active: The timestamp of the last attempt when the client queried a malicious domain.

DNS Firewall Executive Threat Report

The DNS Firewall Executive Threat dashboard is a predefined custom dashboard which consists of the following sub-dashboards:

Note

To enable this dashboard, you must select the DNS Query and Security check boxes in the Grid Reporting Properties editor. To select the check boxes, go to the Administration tab -> Reporting tab -> Grid Reporting Properties -> General tab -> Basic tab, and then select the check boxes DNS Query and Security under Report Category.


Note that you have to use the filters for each of the sub-reports to get specific information. You can also click Download PDF from the Toolbar to download the DNS Firewall Executive Threat dashboard in PDF format which includes the three-panel report in a single PDF.

Threat Protection Event Count Dashboard

The Threat Protection Event Count Dashboard is a predefined custom dashboard which consists of the following sub-dashboards:

Threat Protection Event Count By Severity Trend

The Threat Protection Event Count By Severity Trend sub-dashboard provides event count trends by severity in a given time frame. You can view event counts distributed for the following severity levels: Critical, Major, Warning, and Informational. Each severity level is represented with a different color.
You can also define alerts in this dashboard to notify administrators when a trend reaches a specified threshold. For information about how to define alerts, see Configuring IP Blocks and IP Block Groups. When you configure alerts for this dashboard and define a threshold value to trigger SNMP traps for a specified reporting event type, the appliance triggers an alert every five minutes based on the filters you select. For information about how to trigger SNMP traps for reporting event types, see Defining Thresholds for Traps.

Threat Protection Event Count By Member Trend

The Threat Protection Event Count By Member Trend sub-dashboard provides event count trends on members that support Advanced DNS Protection in a given time frame. This dashboard tracks events on a member over a given time frame. By default, this sub-dashboard displays a line chart that shows event trends over the last day on the selected member and also displays the top 5 appliances in descending order.

Threat Protection Event Count By Rule

The Threat Protection Event Count By Rule sub-dashboard displays event counts based on violations of individual rules. The appliance displays event counts by rule in a table format and sorts the records by Total Event Count in descending order. You can click a specific Security ID in the table to view the sub-report for the individual rule that is showing aggregate event instances with timestamps for a specific rule on all members.
The sub-dashboard displays the following information in table format:

  • SID: The unique rule ID.
  • Category: The category to which the rule belongs.
  • Log Severity: The severity of an event, which can be Critical, Major, Warning, or Informational.
  • Event Name: The name and description of the rule.
  • Alert Count: The alert count of an event.
  • Drop Count: The drop count of an event.
  • Total Event Count: The total number of event counts triggered by a match against the rule.

The sub-dashboard Threat Protection Event Count for Rule displays the following information in table format:

Note

The sub-report Threat Protection Event Count for Rule displays all the detected events for a specific SID on all members, regardless of the filters that you apply to the parent Threat Protection Event Count By Rule report.


  • Time: The timestamp of an event.
  • Member: The name of the member that supports threat protection.
  • Category: The category to which the rule belongs.
  • Log Severity: The severity of an event, which can be Critical, Major, Warning, or Informational.
  • Event Name: The name of a rule.
  • Alert Count: The alert count of an event.
  • Drop Count: The drop count of an event.
  • Total Event Count: The total number of event counts triggered by a match against the rule.

Threat Protection Event Count By Time

The Threat Protection Event Count By Time sub-dashboard displays event counts with timestamps in table format. This sub-dashboard helps you track the behavior of security events based on the time of occurrence. For example, this dashboard indicates whether security events peaked at specific times or have steadily increased over time.
This dashboard displays the following information in table format:

  • Time: The timestamp of an event.
  • SID: The unique rule ID.
  • Member: The name of the member that supports threat protection.
  • Category: The category to which the rule belongs.
  • Log Severity: The severity of an event, which can be Critical, Major, Warning, or Informational.
  • Event Name: The name and description of the rule.
  • Alert Count: The alert count of an event.
  • Drop Count: The drop count of an event.
  • Total Event Count: The total number of event counts of a rule.

Threat Protection Event Count By Category

The Threat Protection Event Count By Category sub-dashboard provides event counts by rule category. You can track rule categories that are under the most pressure from adverse events. This sub-dashboard displays event counts in table format.
This sub-dashboard displays the following information in table format:

  • Category: The category to which a rule belongs.
  • Critical Event Count: The number of critical events in the selected rule category.
  • Major Event Count: The number of major events.
  • Warning Event Count: The number of warning events.
  • Informational Event Count: The number of informational events.
  • Total Event Count: The total number of event counts triggered against a rule category.

Threat Protection Event Count By Member

The Threat Protection Event Count By Member sub-dashboard provides event counts aggregated over time intervals for each member. This sub-dashboard displays event count for each member in table format and sorts the records by Total Event Count in descending order.
This sub-dashboard displays the following information in table format:

  • Member: The name of the member that supports threat protection.
  • Critical Event Count: The number of critical events on a member.
  • Major Event Count: The number of major events detected on a member.
  • Warning Event Count: The number of warning events detected on a member.
  • Informational Event Count: The number of informational events detected on a member.
  • Total Event Count: The total number of event counts detected on a member.

Threat Protection Top Rules Logged Dashboard

The Threat Protection Top Rules Logged Dashboard has the following sub-dashboards:

Threat Protection Top Rules Logged

The Threat Protection Top Rules Logged sub-dashboard provides the list of the top 10 threat protection rules that are triggered by a source IP in a given time frame. You can also view the threat protection rules triggered by NAT'ed clients in a given time frame. You can view the source IP address, total number of events, rule name, and timestamp of the last event. If a rule is triggered by a NAT'ed client, then you can view the source IP address along with the port block of the NAT'ed client. You can also configure the appliance to display the report data in a bar chart or in table form. The default sub-dashboard displays a bar chart for the top 10 rules that are triggered within the last seven days. This sub-dashboard allows you to identify the IP address of a client and the rules it triggered.

Note

You can configure the top number of source IP addresses and threat protection rules on the appliance. For information about how to configure threat protection data, see Configuring Threat Protection Data.


This sub-dashboard displays the following information in table format:

  • Rule: The name and description of a rule that is triggered by the source IP. For each threat protection rule, the active count is displayed for the top three source IP addresses.
  • Logged Event Count: The total number of events triggered against the rule.
  • Top Sources: The IP addresses of the top sources that are triggering this rule. By default, the top 3 source IP addresses are displayed.
  • Last Active: The timestamp when the rule was last active.

Threat Protection Top Rules Logged by Source

The Threat Protection Top Rules Logged by Source sub-dashboard provides statistics about the total number of events triggered by the top sources (by client IP addresses) in a given time frame. You can also view the statistics for the total number of events triggered by NAT'ed clients in a given time frame. For example, if you configure a range of ports for a NAT'ed client, and if there are events logged from different port blocks of the NAT'ed client, then each port block is considered as a logical client in the dashboard. You can view the source IP address, total number of events, rule name, and timestamp of an event. If an event is triggered by a NAT'ed client, then you can view the source IP address along with the port block of the NAT'ed client. The default sub-dashboard displays a bar chart for the top 10 source IP addresses that triggered threat protection rules within the last seven days. This sub-dashboard allows you to identify the IP address of the client and the rules it triggered.

Note

You can configure the top number of source IP addresses and threat protection rules on the appliance. For information about how to configure threat protection data, see Configuring Threat Protection Data.


This sub-dashboard displays the following information in table format:

  • Source: The IP address of a source that triggered a threat protection rule.
  • Logged Event Count: The total number of events triggered by a source against the rule.
  • Top Rules: The name of the top rules triggered by each source IP. By default, the top three rules are displayed.
  • Last Active: The timestamp when the source was last active.

DNS Top Tunneling Activity

The DNS Top Tunneling Activity dashboard lists the clients that have the most number of DNS tunneling activities in a given time frame. The default dashboard shows a horizontal bar chart that lists clients that have the most total counts of DNS tunneling events and their percentages over the given time frame. You can also configure the appliance to display this dashboard in table format. The default dashboard displays the top 10 clients within the last week.
You can click the client IP address in the table or click the bar in the bar chart to view a sub-report Rule hits for Client IP for a specific client.
This dashboard displays the following information:

  • Client IP: The source IP address that triggered the DNS tunneling event.
  • Event Count: The total number of DNS tunneling events triggered by the client.

The sub-dashboard Rule hits for Client IP lists the number of events triggered by the selected client for each DNS tunneling category. It displays the following information in table format:

  • Category: The category to which the DNS tunneling activity belongs. Category can include the type of DNS tunneling activities as well as tunneling tools used to generate the activities. A category can be short TTL, NXDomain, high-entropy domains, Iodine tool, and others.
  • Event Count: The number of events triggered in each DNS tunneling category.
  • Last Seen: The timestamp when the client was last active.

DNS Tunneling Traffic by Category

The DNS Tunneling Traffic by Category dashboard provides information about DNS tunneling activities by specific categories and the percentage of events by the category of DNS tunneling events in a given time frame. This dashboard helps you track abnormal DNS traffic. The default dashboard shows a pie chart that lists the categories of DNS tunneling events. You can mouse over the pie in the chart to view the DNS tunneling category, event counts, and their percentages. You can also configure the appliance to display this dashboard in table format. The default dashboard displays the top 10 DNS tunneling categories within the last week.
You can click the category in the table or in the pie chart to view the sub-dashboard DNS Top Tunneling Activity dashboard for the selected category. For more information, see DNS Top Tunneling Activity. This dashboard displays the following information in table format:

  • Category: The category to which the DNS tunneling activity belongs. Category can include the type of DNS tunneling activities as well as tunneling tools used to generate the activities. A category can be short TTL, NXDomain, high-entropy domains, Iodine tool, and others.
  • Category%: The percentage based on the number of events in each DNS tunneling category divided by the total number of events in all the DNS tunneling categories.
  • Description: The description about the rule that was triggered based on the client queries.

The sub-dashboard DNS Top Tunneling Activity dashboard displays the following information in table format:

  • Client IP: The IP address of the source that triggered the DNS tunneling event.
  • Rule SID: This field displays the rule ID for ADP rule hits. If you select Detected by Analytics Engine as the category, this field displays the name of the RPZ used for blacklisted domains detected through the analytics service.
  • Event Count: The total number of events triggered by a match against the rule.
  • Rule Description: The description about the rule that was triggered based on the client queries.
  • Last Seen: The timestamp when the client was last active.

Top Malware and DNS Tunneling Events by Client

The Top Malware and DNS Tunneling Events by Client dashboard lists the clients that have the most number of outbound malicious queries (RPZ hits) and DNS tunneling events in a given time frame. This dashboard lists the IP address of the client, total number of outbound malicious queries, total number of DNS tunneling events, and the timestamp when the client was last active. The appliance displays the report data in table format. You can click the client IP in the table to view the sub-report Security Info for Client IP for a specific client.
This dashboard displays the following information in table format:

  • Client IP: The IP address of the client that triggered the most number of outbound malicious queries (RPZ hits) and DNS tunneling events.
  • Total DNS Tunneling Events: The total number of DNS tunneling events triggered by the respective client.
  • Total Outbound malicious queries: The total number of RPZ hits received from the respective client.
  • Last Seen: The timestamp when the client was last active.

The sub-dashboard Security Info for Client IP includes the DHCP and IP address management data along with the RPZ and DNS tunneling activities for the selected client. It displays the following information in table format:

  • Host Name: The host name of the DHCP client.
  • MAC/DUID: The MAC address or the DUID of the client.
  • Lease Start - Lease End: The start and end date of the lease.
  • Fingerprint: The DHCP fingerprint information of the client device.
  • Top 3 RPZ rules: The top three RPZ rules triggered based on the queries from the selected client.
  • Top 3 DNS tunneling events: The top three DNS tunneling events triggered by the selected client.
  • Device Name: The name of the client device.
  • Port/Interface: The name of the port or interface connected to the client device.

Detailed RPZ Violations by Subscriber ID

If you have configured Infoblox Subscriber Services, the Detailed RPZ Violations by Subscriber ID dashboard lists the RPZ hits from the subscribers over a given time frame. You can view the subscriber ID, IP address of the client, total subscriber hits, domain name, RPZ entry, RPZ severity, and mitigation action.
The appliance lists the RPZ Violations by Subscriber ID report in table format. You can click a specific row in the table or the Subscriber ID Value to view sub-report for the selected subscriber, showing the details of the RPZ hits by the subscriber. For information, see RPZ Details for the Subscriber ID.

This dashboard displays the following information in table format:

  • Subscriber ID Value: The subscriber ID. The value is based on the subscriber ID type.
  • Subscriber ID Type: Displays one of the following AVPs: IMSI, IMEI, MSISDN, NAS-Port-ID, NAS-Port, Calling-Station-ID, User-Name, Realm, or Class.
  • Client ID: The IP address of the client that queried the domain name that is listed in the RPZ ruleset.
  • Total Subscriber Hits: Total number of queries that triggered an RPZ policy.
  • Malicious Domains: The domain name queried by the subscriber.
  • RPZ Entries: The total number of RPZ entries for each subscriber.
  • RPZ Severity: The threat severity level of an RPZ zone associated with the RPZ rule that was triggered.
  • Mitigation Action: The ruleset specified for the blocked domain name or IP address.
  • Result: Classification of the RPZ hit. The result can be of types BL (blacklist), PXY (proxy), CAT:17 (parental control policy), RPZ:rpz8.com (RPZ), WRN:0 (warning). For example, an RPZ hit to www.beer.com displays WRN:0 in the Result column. The category number and warning number vary depending on the RPZ hit. 
  • IP Space Discriminator: The name of the IP space discriminator.

RPZ Details for the Subscriber ID

The RPZ Details for the Subscriber ID sub-dashboard displays details of the RPZ hits for a specific subscriber.

This sub-dashboard displays the following information in table format:

  • Subscriber ID: The subscriber ID.
  • Client ID: The IP address of the client that queried the domain name that is listed in the RPZ ruleset.
  • Anchor IP Address: The IPv4 or IPv6 address of the subscriber along with the netmask or prefix.
  • IP Space Discriminator: The name of the IP space discriminator.
  • NAS Contextual Information: The NAS contextual information.
  • Accounting-Session-ID: The subscriber session ID.
  • Domain Name: The domain name queried by the subscriber.
  • RPZ Entry: The RPZ rule that was triggered based on subscriber queries. For parental control related events, this column displays the blocked domain.
  • RPZ Severity: The severity level associated with the RPZ rule that was triggered.
  • Mitigation Action: The ruleset specified for the blocked domain name or IP address.
  • Guest: The guest indicator that identifies unknown Local ID behind a home gateway network. For fixed line or home router deployments, a guest indicator value '1' indicates guest device and '0' indicates subscriber device. 
  • Local ID: The MAC address of the subscriber device. For fixed line or home router deployments, if the guest indicator value in the Guest field displays '1' then the Local ID field displays the MAC address of the guest device.
  • Ancillary field 1: The AVP configured in ancillary position 1 in the ancillary list.
  • Ancillary field 2: The AVP configured in ancillary position 2 in the ancillary list.
  • Ancillary field 3: The AVP configured in ancillary position 3 in the ancillary list.
  • Ancillary field 4: The AVP configured in ancillary position 4 in the ancillary list.
  • Ancillary field 5: The AVP configured in ancillary position 5 in the ancillary list.
  • Time: The date and time when the hit was received.

Query Count Details by Subscriber ID

If you have configured Infoblox Subscriber Services, the Query Count Details by Subscriber ID dashboard provides information about the query count per subscriber ID. You can generate this report only if both the Security option of the reporting server and the Enable DCA Subscriber Query Count logging option are enabled. 

This dashboard displays the following information in table format:

  • Subscriber ID Value: The subscriber ID. The value is based on the subscriber ID type.
  • Subscriber ID Type: Displays one of the following AVPs: IMSI, IMEI, MSISDN, NAS-Port-ID, NAS-Port, Calling-Station-ID, User-Name, Realm, or Class.
  • Client ID: The IP address of the client that queried for the subscriber services.
  • IP Space Discriminator: The name of the IP space discriminator.
  • Event Type: Displays one of the following event types: All, Start, Interim, Stop.
  • Query Count: Total queries made by the subscriber ID.