Alert on IP used

selta
Techie
Posts: 12
24167     0

Edit: For the newcomers, and those wondering why this is at the top... There's a (somewhat) useful Powershell script I posted below.

 

Good morning,

I'm thinking this is something that is simple to do, and I'm just not looking in the right place. My company is presently evaluating the free DDI appliance. I have a bit of Infoblox experience, so I went ahead and volunteered to get it up and running to demo it to the teams and leadership.

Overall, the basics are there and easy enough to do. We'd likely just use the IPAM to start, with an eye towards eventually using DNS as well. It's unlikely that we'd do NTP, DHCP or anything else.

 

I have one stumbling block though. For example... in Data Management, I have added several networks and performed the discovery on them. We also have networks that we want to ensure no IP address is ever assigned on. I had thought the Reporting module would be able to do this, but so far I'm not able to find out how to do that. I've looked through all the pre-built Searches and Reports - nada. I also tried to create my own, but none of the pre-defined categories seem to include the data points necessary.

Essentially, if I have Network A, B and C in Data Management, I would like to be alerted (preferably by email) when any single IP has a discovered device in Network B (discovery is going to be set up to recur every hour). This is simplified, as there will end up being several networks we'd like to monitor in that fashion, but I think it gets the point across :).

I hope I explained the issue clearly. Thank you for any help/guidance you can provide.

 

Edit: Just adding that I know under the Advanced options for the Network there is the "IPv4 IPAM Utilization Notification" option. That is based on % utilization though, and these are large networks (where 1 IP used will not cross the smallest Trigger possible, 1%).

Re: Alert on IP used

GHorne
Community Manager
Posts: 248
24168     0

We don't have any triggers built into the product, so there is no way to get an alert of this kind. (other than a % threshold trap, which you already mentioned)

 

Your only option is to run an API script that pulls the used/unused IP Address information or the discovery information for a network. Then use your script to manually generate alerts as desired.

Re: Alert on IP used

selta
Techie
Posts: 12
24168     0

Thanks for the info. I did peek at APIs briefly, but that stuff is somewhat beyond me at the moment. If there were PowerShell tie-ins, that would be awesome. I'll dig into the API documentation a bit more and see if I can figure it out.

Re: Alert on IP used

Expert
Posts: 232
24168     0

If you find the API a bit daunting (I know I do) you could try ibcli, I'm not sure how well maintained it is but if you Google it you should find it and it may help to do what you need.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Alert on IP used

selta
Techie
Posts: 12
24168     0

Thank you for that tip! I will look into that as well :). This is a pretty big oversight for us... not show stopper, but has us looking at other products more closely now. ("this" being not only the lacking ability of reporting, but the API's shortcomings). Hopefully I can get what I need with ibcli. Thank you again.

Re: Alert on IP used

Expert
Posts: 232
24168     0

I've got a bit of experience with other IPAM products and off the top of my head I'm not sure if any of them will do exactly what you want out of the box, they'll all probably require some scripting of some sort. I do have a developer that works for me so if you are struggling and need something writing just drop me a pm.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Alert on IP used

selta
Techie
Posts: 12
24168     0

Yeah. The other ones fall short in their scaling for us... but, a couple of the others we demoed at least have PowerShell modules, which is super familiar ground for me. Can't hurt to learn Perl/Python, but that's time :). I'll give ibcli a whirl and go from there.

Re: Alert on IP used

Expert
Posts: 232
24168     0

If it's PowerShell you need, take a look at this....

 

http://community.infoblox.com/t5/API-Integration/Powershell-Infoblox-ps1/m-p/1150#U1150

 

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Alert on IP used

Adviser
Posts: 86
24168     0

I'm wondering if that might work. Assuming you've set up recurring discovery, there is a useful Smartfolder filter you can create that displays hosts discovered within the last X days/week/month.

 

Could you possibly create the smartfolder and run an API query to see if it returns any result that matches it in Network A, B or C? 

Re: Alert on IP used

selta
Techie
Posts: 12
24168     0

Well, the PowerShell framework is decent. It's been a long while since it's been updated, so I'm having to go through and fix some of it.

Even then, I'm not sure I can accomplish the goal I have in mind with the functions that are present in it. I'll have to spend more time with it to see.

 

@jchik - I found the smartfolder filter you mentioned. That is a good step in the right direction! It'd be nice if I could just put an EA on the smartfolder, and then have a report search setup for that EA. But that seems to not be possible. Looping back to the API discussion... it'd be great if there were a function that would look at a set of smartfolders and report on those, but, I don't know the API near well enough to get anywhere with that (and the PoSh framework, from what I'm seeing, won't either).

Re: Alert on IP used

selta
Techie
Posts: 12
24168     0

I made a quick and dirty PowerShell script to do what I need. I've attached it here in case anyone else runs into a similar need. It's not fancy or even what I'd call complete, but it isn't worth spending a lot of time on right now since we're still evaluating InfoBlox.

 

<#
.SYNOPSIS
	This script will search a given network in InfoBlox for the presence of discovered devices. Upon finding some, it will send an email notification out.
.DESCRIPTION
	InfoBlox does not natively have a report like this, but it does have an API that can be tapped.
	In our environment, we have "gaps" of /16 networks that should never be used. We need a method to monitor those gaps for a device.
	InfoBlox will run a discovery on those networks periodically. This script will run after that and act accordingly.
.NOTES
	File-Name: Check-NetworksForDevices.ps1
	Date: 08 Oct 2015
	Version: 1.0
.OUTPUTS
	1) D:\Temp\ips.csv -> This is the raw data read from InfoBlox, stored in a CSV to be emailed out. Only created if IPs are found
	2) Email output to defined parties
.LINK
	Coming Soon.
.PARAMETER networks
	A list (or single) network to be polled
.PARAMETER grid_master
	FQDN of the grid master
.PARAMETER username
	InfoBlox user with API access granted. Defaulted to admin.
.EXAMPLE
	PS > .\Check-NetworksForDevices.ps1 -networks "10.40.20.0/24","10.40.21.0/24"
	This example would query the InfoBlox API to look for devices discovered in the 10.40.20.0/24 and 10.40.21.0/24 networks. If any are found, an email would be sent out.
	
#>
param($networks, $grid_master, $username = "admin")

#Nifty little way to hardcode password, without exposing the password
#Run: PS> read-host -assecurestring | convertfrom-securestring | out-file D:\Temp\cred.txt
#Type in the password for the username this script will use and hit enter
#That will store the credentials, as a secure string, in a text file - place this text file somewhere the script can access
#Without -Key, convertfrom-securestring protects the string with Windows DPAPI: run the command above as the same
#Windows account, on the same machine, that will run this script, or the file cannot be decrypted
#Then we just grab that secure string with get-content
$secure_pw = get-content D:\Temp\cred.txt | convertto-securestring

#And then create the entire credential object:
$credential = New-Object System.Management.Automation.PSCredential ($username, $secure_pw)

#Report is the array with the information we wanted to see (ipaddress, network, status)
$Global:report = @()
$counter = 0  #Simply used to skip outputs if no IPs found

#Loop through the given networks and add the network objects from the API to a variable
$ip_list = @()  #Start from an empty array so results from each network are appended cleanly
foreach ($network in $networks) {
	$url="https://$grid_master/wapi/v1.2/ipv4address?network=$network"
	$ip_list += Invoke-RestMethod -Uri $url -Method Get -Credential $credential
}

#Loop through each IP Object - if its status is "USED", we make note of it in the resultobject and report array, and increment the counter
foreach ($ip in $ip_list) {
	#Checking if the status is "USED", and the IP is not x.x.x.255 or x.x.x.0 (network and broadcast addresses)
	if ($ip.status -eq "USED" -and !$ip.ip_address.EndsWith('.0') -and !$ip.ip_address.EndsWith('.255') ) {
			$resultObj = "" | select IP, network, status
			Write-Host "Found one!" $ip.ip_address " is in use"
			$resultObj.IP = $ip.ip_address
			$resultObj.network = $ip.network
			$resultObj.status = $ip.status
			#List of possible properties:
			# ip_address, is_conflict, mac_address, names, network, network_view, objects, status, types, usage
			$Global:report += $resultObj
			$counter++
	} 	
}
#If we found at least one device in the queried network, we export the report object to a CSV, then email that CSV out to the team in a pretty, formatted email
if ($counter -gt 0) {
	$Global:report | Export-CSV D:\Temp\ips.csv -NoType
	Write-Host "CSV created, sending email"
	.\Send-HTMLEmail.ps1 -InputObject (ipcsv "D:\Temp\ips.csv") -Subject "Device found in unallowed IP range"
	Write-Host "Email sent"
} else { #Otherwise, since no devices were found, we just exit somewhat gracefully
	Write-Host "No IPs found. Skipping all output actions."
}

If you intend to use this, there's a few things to note:

1) It takes parameter input - you need to supply the network, grid master and username to connect with

2) For the connection you need a credential object, which is created with username/password. The username is a parameter you input, but the password is something you can handle in various ways. I tackle it by storing a secure version of the password in a text file, which is then imported to create the credential object. This is probably not the best method to handle the password, but it at least avoids all plain-text handling of it.

3) The output calls another script I made long ago and use in several scripts (it emails a CSV as HTML with nice CSS formatting). You'll need to alter the output to your own needs.

4) Check the paths... for the password and the output CSV.

 

Like I said, it's quick and dirty, but it gets us a decent answer to the need we had. Thankfully, it's just a GET from API... I don't know API, but reading information seems super simple. Updating and inserting new is probably beyond me :D.
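
An added example, not part of selta's post or script: the script's help text says the monitored gaps are /16 networks, and in a /16 an address ending in .0 or .255 is an ordinary host address unless it is the first or last address of the block, so a device there would be skipped by the string check. The sketch below excludes only the real network and broadcast address of each CIDR; the function names are hypothetical and the records are constructed sample data shaped like the ip_address/status properties the script reads.

```powershell
# Added example. Function names are hypothetical; $sample is constructed data.

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted quad -> integer. Int64 holds the whole IPv4 range without sign issues.
    [int64]$n = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    $n
}

function Get-CidrBounds ([string]$Cidr) {
    # First and last address of the block, as integers.
    $addr, $prefix = $Cidr -split '/'
    $size  = [int64][math]::Pow(2, 32 - [int]$prefix)
    $first = ConvertTo-IPv4Number $addr
    $first = $first - ($first % $size)          # align to the block boundary
    [pscustomobject]@{
        Prefix    = [int]$prefix
        Network   = $first
        Broadcast = $first + $size - 1
    }
}

function Select-UnexpectedHost ($Records, [string]$Cidr) {
    $bounds = Get-CidrBounds $Cidr
    $Records | Where-Object {
        $n = ConvertTo-IPv4Number $_.ip_address
        # /31 and /32 have no network or broadcast address to exclude.
        $_.status -eq 'USED' -and (
            $bounds.Prefix -ge 31 -or
            ($n -ne $bounds.Network -and $n -ne $bounds.Broadcast)
        )
    }
}

# Constructed sample records for one /16 "gap" network.
$sample = @(
    [pscustomobject]@{ ip_address = '10.40.0.0';     status = 'USED'   }  # network address
    [pscustomobject]@{ ip_address = '10.40.0.255';   status = 'USED'   }  # host inside the /16
    [pscustomobject]@{ ip_address = '10.40.1.0';     status = 'USED'   }  # host inside the /16
    [pscustomobject]@{ ip_address = '10.40.3.7';     status = 'UNUSED' }
    [pscustomobject]@{ ip_address = '10.40.255.255'; status = 'USED'   }  # broadcast address
)

Select-UnexpectedHost $sample '10.40.0.0/16' | Select-Object ip_address, status
```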
