...

      • POST indicates the WAPI call
      • v2.9/zone_auth is the URI
      • {"fqdn":"foo.com"} represents InData
      • 2.233 is the response time.
Note: There might be a slight impact on device performance because the session log information (URI, InData, and response time) is captured for all successful WAPI calls. The audit log file size increases as the log entries increase, which may impact the storage capacity. Infoblox recommends that you select the Copy Audit Log Messages to Syslog check box in the Grid Properties Editor to move audit log information to the syslog and to an external server for longer retention. For more information, see Specifying Syslog Servers. All Cloud WAPI-related events, via Cloud Network Automation (CNA) or Cloud Platform (CP) appliances, are logged to syslog instead of the audit log. For more information, see Cloud Network Automation.


Viewing the Audit Log

...

    • Timestamp: The date, time, and time zone the task was performed. The time zone is the time zone configured on the member.
    • Admin: The admin user who performed the task.
Note: The admin user displayed as $admin group name$ represents an internal user. You can create an Admin filter with "matches expression" equals ^[^$] to filter out internal users.


    • Action: The action performed. This can be CALLED, CREATED, DELETED, LOGIN_ALLOWED, LOGIN_DENIED, MESSAGE, MODIFIED, POST, PUT, and DELETE.
    • Object Type: The object type of the object involved in this task. This field is not displayed by default. You can select this for display.
    • Object Name: The name of the object involved in this task.
    • Execution Status: The execution status of the task. Possible values are Executed, Normal, Pending Approval, and Scheduled.
    • URI: The URI portion of the incoming WAPI request.
    • InData: Input data fields of the incoming WAPI request.
    • Response Time: The processing time of the incoming WAPI request.
    • Message: Detailed information about the performed task.

...

  1. From the Administration tab, select the Logs tab -> Audit Log tab, and then click the Download icon.
  2. Navigate to a directory where you want to save the file, optionally change the file name (the default name is auditLog.tar.gz), and then click OK. If you want to download multiple audit log files to the same location, rename each downloaded file before downloading the next.
Note: If your browser has a pop-up blocker enabled, you must turn off the pop-up blocker or configure your browser to allow pop-ups for downloading files.


Viewing the Replication Status

...

  • Start and stop actions performed on the members for traffic capture.
  • If the traffic capture file was transferred to a server or downloaded to a local directory. For more information about the audit log, see Using the Audit Log.
Note: This feature captures traffic of all the direct responses received from the cache accelerator on the IB-4030.


This section explains the process of capturing traffic, and how to download the traffic capture file to your management system. After that, you can extract the traffic capture file and view it with a third-party traffic analyzer application. The traffic capture file is shared between admin users.

You can also configure Grid Manager to trigger a traffic capture at set intervals and parameters. If Grid Manager detects that a parameter has breached a configured threshold or crossed the configured duration of time, it triggers a traffic capture. For more information about automated traffic capture, see Enabling Automated Traffic Capture.

Note: The NIOS appliance always saves a traffic capture file as <member name>_<timestamp>_tcpdumpLog.tar.gz. Example: infoblox.localdo_0_2018-10-15-03-47-53_tcpdumpLog.tar.gz. For FTP and TFTP transfers, the file name you specify is added as a prefix. Example: filename.infoblox.localdo_0_2018-11-09-09-30-07_tcpdumpLog.tar.gz


For a single member, you can also capture traffic on the NIOS appliance through the Infoblox CLI using the set traffic_capture command. However, you cannot use this command to capture traffic for multiple members. NIOS displays the traffic capture status and it allows you to download the captured traffic, irrespective of whether the traffic capture is initiated from the Infoblox CLI or from Grid Manager.
To capture traffic for a single member or multiple Grid members:

  1. From the Grid tab, select the Grid Manager tab → Members tab, and then click Traffic Capture from the Toolbar.
    OR
    From the Administration tab, select the Logs tab → Syslog tab, and then click Traffic Capture from the Toolbar.
  2. In the Traffic Capture dialog box, complete the following:

Members

    • Name: Click the Add icon to add either a single or multiple Grid members for which you want to capture traffic. When you click the Add icon, Grid Manager displays the Member Selector dialog box from which you can select one or multiple members. Use SHIFT+click to select multiple contiguous rows or use CTRL+click to select multiple non-contiguous rows. Click OK. The selected members are added to the list of members in the Members table. You cannot add offline members to the list or capture traffic on an offline member.

      Note: Selecting members in the Grid Manager → Members tab does not capture traffic for the selected member. To capture traffic, you must select members from the Member Selector dialog box.

    • Interface: Select the port on which you want to capture traffic. You can view the selected interface while the traffic capture is in progress. Note that if you enabled the LAN2 failover feature, the LAN and LAN2 ports generate the same output and Grid Manager displays the interface as BOND while the traffic capture is in progress. By default the interface is set to ALL after the traffic capture process stops. For information about the LAN2 failover feature, see About Port Redundancy.

      • LAN: Select this to capture all the traffic the LAN port receives and transmits.
      • MGMT: Select this to capture all the traffic the MGMT port receives and transmits.
      • LAN2: Select to capture all the traffic the LAN2 port (if enabled) receives and transmits.
      • ALL: Select this to capture the traffic addressed to all ports. Note that the NIOS appliance only captures traffic that is addressed to it.
      • LANxnnnn: If you have configured VLANs on the LAN1 or LAN2 port, the appliance displays the VLANs in the format LANx nnnn, where x represents the port number and nnnn represents the associated VLAN ID.

        Note: Riverbed virtual appliances support capturing traffic only on the LAN port.

    • File Size: Displays the size of the traffic capture log file, in kilobytes, for the respective member.
    • Status: Displays the status of the traffic capture session on the member. The status can be one of the following: 
      • STOPPED: Indicates that the traffic capture session has stopped.
      • RUNNING: Indicates that the traffic capture session is in progress. 
      • NOT STARTED: Indicates that the traffic capture session has not started.
    • Transfer Status: Displays the status of the traffic capture file transfer. The status can be one of the following:
      • NOT STARTED: Indicates that the file transfer has not started. 
      • STARTED: Indicates that the file transfer has started.
      • COMPLETED: Indicates that the file transfer has been completed.
      • FAILED: Indicates that the file transfer has failed.

...

5. Transfer To: Select the destination to transfer the traffic capture file. You can select My Computer, TFTP, FTP, or SCP from the drop-down list.

    • My Computer: Transfer the traffic capture file to a local directory on your computer. This is the default.

      Note: To avoid consumption of Grid Master disk space, NIOS restricts downloading the traffic capture files from multiple members to a local directory on your computer.

    • TFTP: Transfer the traffic capture file to a TFTP server.
      • Filename: Enter the directory path and the file name of the traffic capture file. For example, you can enter /home/test/traffic_capture_filename where traffic_capture_filename is the name of the file. 
      • IP Address of TFTP Server: Enter the IP address of the TFTP server to which you want to transfer the traffic capture file.
    • FTP: Transfer the traffic capture file to an FTP server.
      • Filename: Enter the directory path and the file name of the traffic capture file. For example, you can enter /home/test/traffic_capture_filename where traffic_capture_filename is the name of the file.
      • IP Address of FTP Server: The IP address of the FTP server.
      • Username: Enter the username of your FTP account.
      • Password: Enter the password of your FTP account.
    • SCP: Transfer the traffic capture file to an SCP server.
      • Filepath: Enter the directory path of the traffic capture file. For example, you can enter /home/test/.
      • IP Address of SCP Server: The IP address of the SCP server.
      • Username: Enter the username of your SCP account.
      • Password: Enter the password of your SCP account.

6. Uncompressed Capture File Size: Select the members for which you want to download the traffic capture file and then click Download to download the captured traffic. You can download and save the file only after the capture stops, but not when the tool is running. You can rename the file if you want. NIOS updates the size of the report when the capture tool is running.

Note: The NIOS appliance must have at least 500 MB of free disk space plus the size of the traffic capture file (2 GB or 1 GB, depending on the appliance model) to download the traffic capture file.

7. Last updated: The timestamp of the last traffic capture process.

...

Both invalid ports and invalid TXIDs could be indicators of DNS cache poisoning, although a small number of them is considered normal in situations where valid DNS responses arrive after the DNS queries have timed out. You can configure the appliance to track these indicators, and you can view their status. You can also configure thresholds for them. When the number of invalid ports or invalid TXIDs exceeds the thresholds, the appliance logs an event in the syslog file and sends an SNMP trap and e-mail notification, if you enable them. You can then configure rate limiting rules to limit incoming traffic or completely block connections from primary sources that send the invalid DNS responses.

Rate limiting is a token bucket system that accepts packets from a source based on the rate limit. You can configure the number of packets per minute that the Infoblox DNS server accepts from a specified source. You can also configure the number of packets for burst traffic, which is the maximum number of packets that the token bucket can accept at once. Once the burst allowance is used up, the appliance discards further packets and accepts new packets from that source only at the configured rate limit.
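The token bucket behaviour described above, written out as an added Python model (not Infoblox code): one bucket per source, refilled at the configured packets-per-minute rate and capped at the burst size, so a practitioner can see how many packets a rule would accept or discard before enabling it. The source addresses and arrival times are constructed.

```python
from typing import Dict, List, Tuple


class TokenBucket:
    """Per-source bucket: refilled at rate_per_minute, capped at burst."""

    def __init__(self, rate_per_minute: float, burst: int) -> None:
        self.rate = rate_per_minute / 60.0  # tokens added per second
        self.burst = burst
        self.tokens = float(burst)          # a fresh bucket starts full
        self.last = 0.0                     # time (s) of the last arrival

    def allow(self, now: float) -> bool:
        """Accept the packet arriving at `now` if a token is available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        # refill at the sustained rate; never above the burst capacity
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # bucket empty: packet discarded


def simulate(rate_per_minute: float, burst: int,
             arrivals: List[Tuple[str, float]]) -> Dict[str, Tuple[int, int]]:
    """Feed (source, arrival_time_seconds) pairs through one bucket per source.

    Returns {source: (accepted, discarded)} so the effect of a rule can be
    inspected before it is applied.
    """
    buckets: Dict[str, TokenBucket] = {}
    counts: Dict[str, List[int]] = {}
    for source, now in sorted(arrivals, key=lambda a: a[1]):
        bucket = buckets.setdefault(source, TokenBucket(rate_per_minute, burst))
        tally = counts.setdefault(source, [0, 0])
        tally[0 if bucket.allow(now) else 1] += 1
    return {src: (acc, drop) for src, (acc, drop) in counts.items()}


# Constructed traffic: a noisy source fires 20 responses at once, then one per
# second; a quiet source sends three spaced-out responses.
NOISY, QUIET = "203.0.113.9", "192.0.2.53"
ARRIVALS = [(NOISY, 0.0)] * 20 + [(NOISY, float(t)) for t in range(1, 11)]
ARRIVALS += [(QUIET, 0.0), (QUIET, 2.0), (QUIET, 4.0)]

if __name__ == "__main__":
    # 60 packets/minute with a burst of 5: NOISY gets 5 + 10 accepted, 15 dropped
    print(simulate(60, 5, ARRIVALS))
```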
The appliance monitors only UDP traffic from remote port 53 for the following reasons:

...

set monitor dns off
set monitor dns alert off

Note: When you restart DNS network monitoring, you also reset the SNMP counters for DNS alerts.


You can then view the alert status to identify the primary source of invalid DNS responses. For information, see Viewing DNS Alert Indicator Status.

...

You can configure thresholds for DNS alerts to control when the appliance tracks DNS attacks on UDP port 53 and issues SNMP traps and e-mail notifications.

Note: Ensure that you enable SNMP traps and e-mail notifications. For information, see Configuring SNMP.


You can configure thresholds for both invalid ports and invalid TXIDs. The default thresholds for both invalid ports and TXIDs are 50%. When the number of invalid ports or invalid TXIDs exceeds the thresholds, the appliance logs the event and sends SNMP traps and notifications. You can configure the thresholds either as absolute packet counts or as percentages of the total traffic during a one-minute time interval.
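The threshold logic above, as an added Python example (not NIOS code): one one-minute window of observed UDP responses from remote port 53 is checked against invalid-port and invalid-TXID thresholds given either as absolute counts ("3") or as percentages ("50%"), and the sources sending the most invalid responses are reported as the candidates for a rate limiting rule. The response records and addresses are constructed.

```python
from collections import Counter
from typing import List, NamedTuple, Tuple


class Response(NamedTuple):
    source: str       # remote server that sent the UDP response from port 53
    port_valid: bool  # arrived on a port with a matching outstanding query
    txid_valid: bool  # TXID matched an outstanding query


def exceeds(threshold: str, count: int, total: int) -> bool:
    """True when `count` exceeds a threshold written as 'N' or 'N%'."""
    if threshold.endswith("%"):
        return total > 0 and 100.0 * count / total > float(threshold[:-1])
    return count > int(threshold)


def evaluate_window(responses: List[Response],
                    port_threshold: str = "50%",
                    txid_threshold: str = "50%"
                    ) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Evaluate one one-minute interval.

    Returns the alerts raised (subset of ["invalid_port", "invalid_txid"]) and
    the sources that sent the most invalid responses, which are the candidates
    for a rate limiting rule.
    """
    total = len(responses)
    bad_port = sum(1 for r in responses if not r.port_valid)
    bad_txid = sum(1 for r in responses if not r.txid_valid)
    alerts: List[str] = []
    if exceeds(port_threshold, bad_port, total):
        alerts.append("invalid_port")
    if exceeds(txid_threshold, bad_txid, total):
        alerts.append("invalid_txid")
    offenders = Counter(r.source for r in responses
                        if not (r.port_valid and r.txid_valid))
    return alerts, offenders.most_common(3)


# Constructed window: five clean responses and one late (port mismatch only)
# response from the real upstream, plus four forged responses from a stranger.
SAMPLE = [Response("192.0.2.53", True, True)] * 5
SAMPLE += [Response("192.0.2.53", False, True)]
SAMPLE += [Response("203.0.113.9", False, False)] * 4

if __name__ == "__main__":
    print(evaluate_window(SAMPLE))            # defaults: 50% of 10 not exceeded
    print(evaluate_window(SAMPLE, "3", "3"))  # absolute counts: both alerts
```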
To configure DNS alert thresholds:

...

Enabling rate limiting will discard packets and may degrade performance.

Are you sure? (y or n):

Note: When you enable rate limiting, the appliance discards packets based on the configured rate limiting rules. This might affect the DNS performance when the appliance discards valid DNS responses.


3. Enter y to enable rate limiting.

...