[toc]

The following procedure is run after freshly installing two Infoblox virtual machines, or after resetting them.

# Deployment preparation

## Architecture information

The POC environment is deployed according to [[Infoblox DNS Security Solution test requirements and description]](https://hackmd.io/@farmer87/infoblox_poc).

## Version information

| Item | Version |
| --- | --- |
| VMware ESXi | 7.0.3 build-20036589 |
| Infoblox NIOS | nios-9.0.3-50212-ee11d5834df9-2023-11-23-00-01-55-fixed-500G.ova |
| NIOS Grid Master VM | TE-V1516 |
| NIOS Reporting VM | TR-V5005 |

# Deployment flow

Because the deployment procedure uses the OVFTool and GOVC tools, the following are completed together during the OVA deployment stage:

1. Deploy the virtual machines (Infoblox DNS & Reporting).
2. Configure the virtual machines' network settings.
3. Assign the basic test licenses: NIOS, GRID, DNS/DHCP, RPZ.

:::warning
There is currently no way to reference the **Threat Analytics** and **Reporting** licenses at deployment time, so those two cannot be completed directly. A pity!
:::

4. Add a second virtual disk (250 GB) to the Infoblox Reporting VM.
5. Resize the Infoblox Reporting VM's memory to 32 GB.

> The VM memory is adjusted because test resources are limited.

6. Verify the VM network and license information (**run via the NIOS CLI over an SSH connection**).
    - Verify the network configuration: **`show network`**.
    - Assign the Threat Analytics license to the Infoblox DNS VM: **`set temp_license`**.
    - Verify the license configuration: **`show license`**, **`show license gridwide`** and **`show license all`**.
7. Complete the tasks for creating the Grid, configuring members and joining the Grid.
    - Assign the Reporting license to the Infoblox Reporting VM.

> The Reporting license can only be assigned after the member has joined the Grid.

8. Enable services
    - Enable the DNS service
    - Create RPZ Feeds
    - Enable the Threat Analytics service
9. Configure the Reporting service

```mermaid
graph LR;
  id1([佈署虛擬機器])-->id2([配置網路<br>指派授權<br>調整硬體配置]);
  id2([配置網路<br>指派授權<br>調整硬體配置])-->id3(虛擬主機<br>組態確認);
  id3(虛擬主機<br>組態確認)-->id4([建立叢集<br>配置成員<br>加入叢集]);
  id4([建立叢集<br>配置成員<br>加入叢集])-->id5(啟用基礎服務);
  id5(啟用基礎服務)-->id6([配置Reporting服務]);
  id6([配置Reporting服務])-->id7[(完成)];
```

# Deployment steps

## Preparation

### Tools

The deployment steps below use the [**OVFTool**](https://developer.vmware.com/web/tool/ovf/) and [**GOVC**](https://github.com/vmware/govmomi/tree/main/govc) tools, together with **BASH** scripts, to complete a semi-automated deployment.

### NIOS OVA

Download the vNIOS for VMware OVA file from the Download Center of the [Infoblox Customer Support Portal](https://support.infoblox.com/).

### Environment configuration file

The environment configuration file **`grid.conf`** collects the parameters of the environment to be built in one place; later adjustments only require editing that file. [[Reference template]](#gridconf-template)

## Execution

### Deploy the virtual machines

With the OVFTool and GOVC tools, [[**deployment flow steps 1 to 5**]](#deployment-flow) are completed easily:

- Deploy the virtual machines (Infoblox DNS & Reporting).
- Configure the virtual machines' network settings.
- Assign the basic test licenses: NIOS, GRID, DNS/DHCP, RPZ.
- Add a second virtual disk (250 GB) to the Infoblox Reporting VM.
- Resize the Infoblox Reporting VM's memory to 32 GB <font color=green>[can be skipped if test resources are not constrained]</font>.

The [**`00_setup_poc.sh`**](#00_setup_pocsh) script completes all of the above deployment goals automatically.

- Execution output
- **Grid Master: TE-V1516**
- **Reporting: TR-V5005**

### Connection check

After deployment, log in to the Infoblox VMs over SSH and verify the state of the previous deployment.

- **Grid Master: TE-V1516**
- **Reporting: TR-V5005**

### Grid and service configuration

Next, configure the Infoblox Grid and the related services.

- **Create the Grid**: run the **`01_config_grid.sh`** script.
- **Enable the DNS service**: run the **`02_enable_dns_service.sh`** script.
- **Add the Threat Analytics (TA) and Reporting licenses (manual)**

:::warning
This stage currently has to be done by **manual configuration**: the license codes of these two services at deployment time are unknown, so unlike the other licenses they cannot be applied while the VM is being deployed. Too bad!
:::

- **TE-V1516: add the TA license**
- **TR-V5005: add the Reporting license**
- **Verify the newly added licenses**
- **Verify the second disk space of TR-V5005**

### Create RPZ Feeds

Run the **`03_create_rpz_feed.sh`** script. It covers:

- Creating the Name Server Group
- Adding the Infoblox RPZ Feeds threat-intelligence data
- Enabling RPZ logging

### Enable the TA service

Run the **`04_enable_ta_service.sh`** script.

### Create the Forward Zone

Run the **`05_create_forward_zone_to_query_internal_zone.sh`** script.

:::warning
During the early test phase, end users do not point their DNS settings at the Infoblox DNS, so a Forward Zone configuration is used to resolve the internal domain.
:::

### Complete the Reporting configuration (manual)

:::warning
This part does not appear to have API support, so it has to be configured manually.
:::

# Final state verification

- **Grid** > **Grid Manager**
    - **DNS Service**
    - **Grid DNS Properties** > **Queries** > **Allow recursion**
    - **Grid DNS Properties** > **Logging** > **rpz**
    - **Reporting Service**
    - **Threat Analytics Service**
- **Grid** > **Licenses**
    - **Member**
    - **Gridwide**
- **Data Management** > **DNS**
    - **Zones**
    - **Name Server Groups**
    - **Response Policy Zones**
- **Data Management** > **Threat Analytics**
    - **Members**
    - **Dashboards** > **Status**

# Clean up the environment

The [**`99_clean_poc.sh`**](#99_clean_pocsh) script powers off and removes the previously deployed VMs.

# Appendix

## grid.conf template

Below is a template for configuring the Infoblox Grid; adjust the parameters to your actual situation.

```bash=
###### SECTION: OVFTools & GOVC
## NIOS OVA Information
nios_ova_basePath="{{ OVA_STORE_DIRECTORY }}"
nios_ova_file="{{ NIOS_OVA_FILENAME }}"
source_locator="${nios_ova_basePath}/${nios_ova_file}"

# Deployment Options
diskmode='thin'
portgroup='VM Network'

## Infoblox DNS & Grid Master (VM1)
## Infoblox Reporting (VM2)
ib_dns_ip="{{ INFOBLOX_VM1_IP_ADDRESS }}"
ib_reporting_ip="{{ INFOBLOX_VM2_IP_ADDRESS }}"
ib_network_gateway="{{ DEFAULT_GATEWAY }}"
ib_network_netmask="{{ NETMASK }}"

## Please check the model & deployment option from NIOS OVA via OVFTools
## Infoblox DNS: Model | Network | Temp_Licenses
ib_dns_model='IB-V1516'
ib_dns_vmname='TE-V1516'
ib_dns_deployment_option='1516'
ib_dns_gateway="${ib_network_gateway}"
ib_dns_temp_license="nios ${ib_dns_model} enterprise dns dhcp rpz"

## Infoblox Reporting: Model | Network | Temp_Licenses
ib_reporting_model='IB-V5005'
ib_reporting_vmname='TR-V5005'
ib_reporting_deployment_option='otherModel'
ib_reporting_gateway="${ib_network_gateway}"
ib_reporting_temp_license="nios ${ib_reporting_model} enterprise"

## 250GB vDisk for reporting
disk_name='disk-1000-1'
disk_size='250G'

## Enable Remote Console
ssh_enabled='True'

###### ESXi Information for GOVC
## Please modify the following variables if you want to use vCenter Server
target_ip="{{ ESXI_IP_ADDRESS }}"
target_user='root'
target_pass="{{ PASSWORD }}"
target_datacenter='ha-datacenter'
target_datastore='datastore1'

## Percent-encode the credentials for the ovftool "vi://" locator, so that a
## password containing characters such as "@", "/" or "#" does not break the URL.
## (The original template called urlencode without defining it; this is a
## plain-bash definition.)
urlencode () {
    local LC_ALL=C s="$1" i c
    for (( i = 0; i < ${#s}; i++ )); do
        c="${s:i:1}"
        case "$c" in
            [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "'$c" ;;
        esac
    done
}
target_locator="$(urlencode "${target_user}"):$(urlencode "${target_pass}")@${target_ip}"

###### SECTION: Infoblox Grid Information
grid_node1="${ib_dns_ip}"
grid_node2="${ib_reporting_ip}"
grid_node_user='admin'
grid_node_pass='infoblox'
gateway="${ib_network_gateway}"

grid_master="${grid_node1}"
grid_master_user="${grid_node_user}"
grid_master_pass="${grid_node_pass}"
grid_master_hostname='gm.infoblox.localdomain'
grid_member="${grid_node2}"
grid_member_hostname='rp.infoblox.localdomain'

grid_name='Infoblox'
grid_shared_secret='test' # DEFAULT
grid_session_timeout='28800'
grid_remote_console_access='enable'

## NTP Settings
ntp_server1='216.239.35.0'
ntp_server2='216.239.35.4'

## Name Server Groups
ns_group_name='rpz-group'
### External Primary DNS
external_primary_name='infoblox'
external_primary_address="{{ INFOBLOX_DB_IP_ADDRESS }}"
external_primary_tsigkey_name="{{ TSIGKEY_NAME }}"
external_primary_tsigkey_alg='HMAC-SHA256'
external_primary_tsigkey="{{ TSIGKEY_STRING }}"
### Grid Secondary DNS
## the Grid Master (grid_master_hostname above) acts as the grid secondary
### Options
ns_default_grid='false'
ns_use_external_primary='true'

## Infoblox RPZ Feeds
rpz_feed_file='rpz_feed.csv'
rpz_policy='NODATA'
rpz_severity='WARNING'

## Local RPZ for Threat Analytics(TA)
ta_rpz_fqdn='ta-mitigation.rpz'
ta_rpz_comment='mitigation blacklist feed for TA service'
ta_rpz_policy='NXDOMAIN'
ta_rpz_severity='MAJOR'

## Local RPZ for Customizing, eg: Customized Block Domain
# local_rpz_fqdn='local-block-domain.rpz'
# local_rpz_comment="Client Blacklist Feed for Local RPZ via API"
# local_rpz_policy='NXDOMAIN'
# local_rpz_severity='MAJOR'

###### SECTION: Infoblox API
## API LOGIN (placed after the Grid variables it references, so that the
## credentials and base URL are not expanded while those variables are still empty)
login="${grid_master_user}:${grid_master_pass}"
auth_token=$(echo -ne "${login}" | base64 --wrap 0)
api_version='v2.12.3'
api_baseurl="https://${grid_master}/wapi/${api_version}"
```

## 00_setup_poc.sh

```bash=
#!/bin/bash

function init_poc () {
    echo -e "\n[TASK] Initial POC Environment"
    configFile='grid.conf'
    configPath='./config'
    gridConfig="${PWD}/${configPath}/${configFile}"
    if [ ! -f "${gridConfig}" ]; then
        echo -e "<!> ${gridConfig} is NOT FOUND"
        exit 1
    fi
    source "${gridConfig}"
}

function init_govc () {
    echo -e "\n[TASK] Initial GOVC Environment [${target_ip}]"
    export GOVC_URL="https://${target_ip}"
    export GOVC_USERNAME="${target_user}"
    export GOVC_PASSWORD="${target_pass}"
    export GOVC_INSECURE="true"
    export GOVC_DATACENTER="${target_datacenter}"
    export GOVC_DATASTORE="${target_datastore}"
}

function deploy_vnios () {
    vm_name="${1}"
    model="${2}"            # informational; the deployment option below selects the model
    deployOption="${3}"
    lan1_v4_ipaddr="${4}"
    lan1_v4_netmask="${5}"
    lan1_v4_gateway="${6}"
    temp_license="${7}"
    echo -e "\n[TASK] Deploying Infoblox VM \"${vm_name}\" (${model})"
    ## the --prop values are injected into the OVF environment, which NIOS reads
    ## at first boot to set LAN1, the temporary licenses and remote console access
    /usr/bin/ovftool \
        --acceptAllEulas \
        --allowExtraConfig \
        --noSSLVerify \
        --skipManifestCheck \
        --X:disableHostnameResolve \
        --X:ignoreLinkLocalIp \
        --X:injectOvfEnv \
        --parallelThreads=22 \
        --name="${vm_name}" \
        --datastore="${target_datastore}" \
        --diskMode="${diskmode}" \
        --net:"VM Network"="${portgroup}" \
        --deploymentOption="${deployOption}" \
        --prop:temp_license="${temp_license}" \
        --prop:lan1-v4_addr="${lan1_v4_ipaddr}" \
        --prop:lan1-v4_netmask="${lan1_v4_netmask}" \
        --prop:lan1-v4_gw="${lan1_v4_gateway}" \
        --prop:remote_console_enabled="${ssh_enabled}" \
        --powerOn \
        "${source_locator}" \
        vi://"${target_locator}"
}

function add_disk () {
    vm_name="${1}"
    echo -e "\n[TASK] Create ${disk_size} vDisk and attach to VM \"${vm_name}\""
    govc vm.disk.create -vm "${vm_name}" -name "${vm_name}/${disk_name}" -size "${disk_size}"
}

function power_off () {
    vm_name="${1}"
    echo -e "\n[TASK] Power off VM \"${vm_name}\""
    govc vm.power -off "${vm_name}"
}

function power_on () {
    vm_name="${1}"
    echo -e "\n[TASK] Power on VM \"${vm_name}\""
    govc vm.power -on "${vm_name}"
}

function check_connectivity () {
    count=1
    ip="${1}"
    vm_name="${2}"
    echo -e "\n[TASK] Check the Connectivity of \"${vm_name}\""
    ## keep polling until the VM answers ping; NIOS needs several minutes for its first boot
    until ping -c ${count} "${ip}" > /dev/null 2>&1; do
        echo -e "<!> Can not touch [${ip}] now"
        echo -e "> waiting for 180 seconds"
        sleep 180
    done
}

function change_memory_size () {
    vm_name="${1}"
    ip="${2}"
    echo -e "\n[TASK] Resize the Memory Size of \"${vm_name}\" to 32 GB"
    ## wait until the VM has finished its first boot before powering it off
    check_connectivity "${ip}" "${vm_name}"
    power_off "${vm_name}"
    govc vm.change -vm "${vm_name}" -m 32768
    power_on "${vm_name}"
}

######
## initial POC & GOVC environment
init_poc
init_govc

## deploy infoblox grid master
deploy_vnios "${ib_dns_vmname}" \
    "${ib_dns_model}" \
    "${ib_dns_deployment_option}" \
    "${ib_dns_ip}" \
    "${ib_network_netmask}" \
    "${ib_network_gateway}" \
    "${ib_dns_temp_license}"

## deploy infoblox reporting
deploy_vnios "${ib_reporting_vmname}" \
    "${ib_reporting_model}" \
    "${ib_reporting_deployment_option}" \
    "${ib_reporting_ip}" \
    "${ib_network_netmask}" \
    "${ib_network_gateway}" \
    "${ib_reporting_temp_license}"

###### modify infoblox reporting
## create 250GB disk for infoblox reporting
add_disk "${ib_reporting_vmname}"

## resize memory size to 32 GB for infoblox reporting
change_memory_size "${ib_reporting_vmname}" "${ib_reporting_ip}"

echo -e "\n[RESULT] DONE!\n"
```

## RPZ Feeds

## 99_clean_poc.sh

```bash=
#!/bin/bash

function init_poc () {
    echo -e "\n[TASK] Initial POC Environment"
    configFile='grid.conf'
    configPath='./config'
    gridConfig="${PWD}/${configPath}/${configFile}"
    if [ ! -f "${gridConfig}" ]; then
        echo -e "<!> ${gridConfig} is NOT FOUND"
        exit 1
    fi
    source "${gridConfig}"
}

function init_govc () {
    echo -e "\n[TASK] Initial GOVC Environment [${target_ip}]"
    export GOVC_URL="https://${target_ip}"
    export GOVC_USERNAME="${target_user}"
    export GOVC_PASSWORD="${target_pass}"
    export GOVC_INSECURE="true"
    export GOVC_DATACENTER="${target_datacenter}"
    export GOVC_DATASTORE="${target_datastore}"
}

function destroyVm () {
    vmName="${1}"
    echo -e "\n[TASK] Power Off and destroy Infoblox VM \"${vmName}\""
    ## match the whole VM name at the end of the inventory path (e.g. /ha-datacenter/vm/TE-V1516),
    ## not a substring, so a similarly named VM is never destroyed by mistake
    if govc find / -type m | grep -q "/${vmName}$"; then
        echo -e " > Deleting ......"
        govc vm.destroy "${vmName}"
    else
        echo -e " > VM \"${vmName}\" NOT FOUND"
    fi
}

## initial POC & GOVC environment
init_poc
init_govc

## delete infoblox poc environment
destroyVm "${ib_dns_vmname}"
destroyVm "${ib_reporting_vmname}"
```
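A preflight check for the `grid.conf` template in the appendix, added here as an example and not one of the page's scripts: it refuses to proceed while any `{{ ... }}` placeholder is still unfilled and validates the address, netmask and disk-size values without sourcing the file. The variable names it reads are the template's own; `check_grid_conf`, `conf_value` and `is_ipv4` are hypothetical helpers.

```bash
#!/bin/bash
# Preflight check for grid.conf (added example; not one of the page's own
# scripts). Run it before 00_setup_poc.sh so that an unfilled "{{ ... }}"
# placeholder or a malformed address fails here instead of inside ovftool/govc.

# Returns 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4 () {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads the value of key $2 from config file $1 without sourcing the file, so a
# broken or untrusted config cannot execute anything during the check.
conf_value () {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Usage: check_grid_conf <grid.conf>; prints each problem and returns the
# number of problems found (0 means the file is ready to be sourced).
check_grid_conf () {
    conf="$1"; problems=0
    [ -f "$conf" ] || { echo "<!> ${conf} not found"; return 1; }
    # 1) template placeholders that were never filled in, e.g. {{ ESXI_IP_ADDRESS }}
    grep -nE '\{\{ *[A-Z0-9_]+ *\}\}' "$conf" | sed 's/^/<!> unfilled placeholder at line /'
    problems=$(( problems + $(grep -cE '\{\{ *[A-Z0-9_]+ *\}\}' "$conf" || true) ))
    # 2) every address-like setting must be a valid IPv4 address
    for var in ib_dns_ip ib_reporting_ip ib_network_gateway ib_network_netmask \
               target_ip ntp_server1 ntp_server2; do
        val=$(conf_value "$conf" "$var")
        case "$val" in
            ''|*'{{'*) continue ;;   # absent, or already reported as a placeholder
        esac
        if ! is_ipv4 "$val"; then
            echo "<!> ${var}='${val}' is not a valid IPv4 address"
            problems=$((problems + 1))
        fi
    done
    # 3) govc vm.disk.create wants the size with a unit suffix, e.g. 250G
    val=$(conf_value "$conf" disk_size)
    if [ -n "$val" ] && ! printf '%s\n' "$val" | grep -Eq '^[0-9]+[KMGT]$'; then
        echo "<!> disk_size='${val}' must look like 250G"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call it as `check_grid_conf ./config/grid.conf || exit 1` at the top of the deployment script; the non-zero return is the number of problems printed.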
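For the Create RPZ Feeds step and the `rpz_*` / `ta_rpz_*` settings in `grid.conf`, an added example (not `03_create_rpz_feed.sh` itself) that builds and validates the request bodies such a script would POST to the WAPI `zone_rp` object, one per feed line and one for the local TA mitigation zone. The `rpz_feed.csv` layout `fqdn,comment`, the helper names and the sample feed names are assumptions.

```bash
#!/bin/bash
# Builds the WAPI request bodies that a script like 03_create_rpz_feed.sh would
# POST to ${api_baseurl}/zone_rp for each feed in rpz_feed.csv (added example;
# not the page's own script, and the CSV layout "fqdn,comment" is assumed).
# fqdn, rpz_type, rpz_policy, rpz_severity, ns_group and comment are fields of
# the WAPI zone_rp object; the allowed values below are its documented enums.

# Anything outside these sets is rejected, so a typo in grid.conf cannot
# silently create a feed with the wrong action or severity.
rpz_policies='DISABLED GIVEN NODATA NXDOMAIN PASSTHRU SUBSTITUTE'
rpz_severities='CRITICAL MAJOR WARNING INFORMATIONAL'

in_list () { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# Usage: zone_rp_payload <fqdn> <LOCAL|FEED> <policy> <severity> <ns_group> <comment>
# Prints the JSON body, or returns 1 on an invalid policy/severity/type.
zone_rp_payload () {
    fqdn="$1"; rtype="$2"; policy="$3"; severity="$4"; group="$5"; comment="$6"
    in_list "$policy" "$rpz_policies"     || { echo "bad rpz_policy: $policy" >&2; return 1; }
    in_list "$severity" "$rpz_severities" || { echo "bad rpz_severity: $severity" >&2; return 1; }
    in_list "$rtype" 'LOCAL FEED'         || { echo "bad rpz_type: $rtype" >&2; return 1; }
    comment=$(printf '%s' "$comment" | sed 's/["\\]/\\&/g')   # escape quotes/backslashes for JSON
    printf '{"fqdn":"%s","rpz_type":"%s","rpz_policy":"%s","rpz_severity":"%s","ns_group":"%s","comment":"%s"}' \
        "$fqdn" "$rtype" "$policy" "$severity" "$group" "$comment"
}

# Usage: feed_payloads <rpz_feed.csv> <policy> <severity> <ns_group>
# Emits one payload per CSV line "fqdn,comment", skipping blanks and # comments.
feed_payloads () {
    while IFS=, read -r fqdn comment; do
        case "$fqdn" in ''|'#'*) continue ;; esac
        zone_rp_payload "$fqdn" FEED "$2" "$3" "$4" "$comment" && echo
    done < "$1"
}

# Sample rpz_feed.csv (constructed for this example; real feed names come from
# the Infoblox RPZ subscription), used with the grid.conf values rpz-group/NODATA/WARNING.
rpz_feed_csv=$(mktemp)
cat > "$rpz_feed_csv" <<'EOF'
# fqdn,comment
example-feed-1.rpz.example,Constructed feed A
example-feed-2.rpz.example,Constructed feed B
EOF
feed_payloads "$rpz_feed_csv" NODATA WARNING rpz-group
zone_rp_payload ta-mitigation.rpz LOCAL NXDOMAIN MAJOR rpz-group 'mitigation blacklist feed for TA service'; echo
# Each body is then sent as:
#   curl -sk -u "$login" -H 'Content-Type: application/json' -X POST "${api_baseurl}/zone_rp" -d "$payload"
```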