2. NGFW for Small Business. Unboxing and Setup


We continue our series of articles on working with the new CheckPoint SMB product range. As a reminder, in the first part we described the characteristics and capabilities of the new models and the ways to manage and administer them. Today we will look at a deployment scenario for the senior model in the series: the CheckPoint 1590 NGFW. Here is a brief outline of this part:

  1. Unpacking the equipment (description of the components, physical and network connections).
  2. First start of the device.
  3. Initial setup.
  4. Operational check.

Equipment

Getting to know the hardware starts with taking it out of the box, unpacking the kit and fitting the parts; the process is presented briefly here.


Briefly about the parts:

  • NGFW 1590;
  • Power adapter;
  • 2 Wi-Fi antennas (2.4 GHz and 5 GHz);
  • 2 LTE antennas;
  • Booklets with documentation (quick guide to the first connection, license agreement, etc.).

As for network ports and interfaces, the device has all the modern options for carrying traffic and for connectivity: a separate port for the DMZ zone and USB 3.0 for working with a PC.


The 1590 version received an improved design, modern options for wireless connectivity and memory expansion: 2 slots for Micro/Nano SIM cards in LTE mode (we plan to write about this option in detail in one of the next articles in the series, devoted to wireless connectivity) and an SD card slot.

You can read more about the capabilities of the 1590 NGFW and the other new models in part 1 of the series of articles on CheckPoint SMB solutions. We now move on to the first start of the device.

First start

Our regular readers should know that the 1500 Series SMB line uses the new 80.20 Embedded OS, which includes updates and improved capabilities.

To start the device for the first time you need to:

  1. Power on the gateway.
  2. Connect a network cable from your PC to LAN-1 on the gateway.
  3. Optionally, you can give the device Internet access right away by connecting an interface to the WAN port.
  4. Go to the Gaia Embedded portal: https://192.168.1.1:4434/

If you followed the steps above, then on opening the Gaia portal page you will need to confirm opening the page with an untrusted certificate, after which the portal setup wizard opens.
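An added example, not part of the original article: rather than clicking through the certificate warning blindly on every visit, record the SHA-256 fingerprint of the portal's certificate at the first connection over the directly cabled LAN-1 link and compare it on later connections. The function names and the pin-store layout are assumptions of this example, and the sample certificates are constructed stand-in bytes, not real certificates.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path

# Portal address from the article; the pin-file name is an assumption.
GATEWAY = ("192.168.1.1", 4434)
PIN_FILE = Path("gateway_pins.json")

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the value a browser shows as the fingerprint."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def fetch_pem(addr=GATEWAY) -> str:
    """Fetch the certificate the portal presents, without validating it."""
    return ssl.get_server_certificate(addr)

def check_pin(addr, pem: str, store: dict) -> str:
    """Trust on first use: remember the first fingerprint, compare afterwards."""
    key = f"{addr[0]}:{addr[1]}"
    seen = fingerprint(pem)
    pinned = store.get(key)
    if pinned is None:
        store[key] = seen          # first contact: record, do not overwrite later
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, seen) else "MISMATCH"

def load_pins(path=PIN_FILE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}

def save_pins(store: dict, path=PIN_FILE) -> None:
    path.write_text(json.dumps(store, indent=2))

if __name__ == "__main__":
    # Constructed stand-ins: PEM wrapping of arbitrary bytes, enough to
    # exercise the hashing and comparison logic offline.
    first = ssl.DER_cert_to_PEM_cert(b"constructed: certificate seen on LAN-1")
    other = ssl.DER_cert_to_PEM_cert(b"constructed: a different certificate")
    pins = {}
    for label, pem in (("initial", first), ("revisit", first), ("changed", other)):
        print(label, check_pin(GATEWAY, pem, pins))
```

Against a live device, pass `fetch_pem()` to `check_pin` and persist the store with `save_pins`; a `MISMATCH` means the portal is presenting a different certificate than the one recorded at first connection and should be looked into before entering credentials.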


You will be greeted by a page showing your device model; proceed to the next section.


We are asked to create an account for authentication; it is possible to enforce strong password requirements for the administrator, and we specify the country in which the gateway will be used.


The next window covers the date and time settings; you can set them manually or use the company NTP server.


The next step is to set the device name and specify the company domain so that the gateway's services work correctly on the Internet.


The next step concerns choosing the NGFW management type; note the following here:

  1. Local Management. This option manages the gateway locally through the Gaia Portal web page.
  2. Central Management. This type of management involves synchronization with a dedicated CheckPoint Management Server, with the Smart1-Cloud cloud, or with SMP (the management service for SMB).

In this article we will focus on the Local Management method; you can choose the method that suits you. To get familiar with working with a dedicated Management Server, we recommend the CheckPoint Getting Started training series prepared by TS Solution.


Next comes a window that defines the operating mode of the interfaces on the gateway:

  • Switch mode means that the subnet of one interface is reachable from the subnet of another interface.
  • Disable Switch mode accordingly turns Switch mode off; each port routes traffic as for a separate network segment.

You are also offered to specify a pool of DHCP addresses that will be used when connecting to the gateway's local interfaces.


The next step is to configure the gateway to operate in wireless mode; we plan to discuss this topic in detail in a separate article in the series, so we postponed configuring these settings. You can create a new wireless access point, set a password for connecting to it, and specify the operating band of the wireless channel (2.4 GHz or 5 GHz).


The next step is to configure access to the gateway for the company's administrators. By default, access is allowed if the connection comes from:

  1. The company's internal subnet
  2. A trusted wireless network
  3. A VPN tunnel

The option to connect to the gateway over the Internet is disabled by default; it carries a high risk and has to be explicitly permitted, otherwise we recommend leaving it as in our example.


The next window covers license activation; on the first start of the device you are given a 30-day trial period. There are two activation methods:

  1. If there is an Internet connection, the license is activated automatically.
  2. If you activate the license offline, you need to do the following: download the license from the User Center or register your device on the dedicated portal. Then, in both cases, you need to import the downloaded license manually.


Finally, the last window of the setup wizard prompts you to choose the blades to enable; note that the QoS blade is enabled after the first initialization. You should end up with a completion window summarizing your settings.

Initial setup

First of all, we recommend checking the license status; further configuration depends on it. Go to the "HOME" → "License" tab.


If the license is activated, we recommend updating straight away to the latest current firmware; to do this, go to the "DEVICE" → "System Operations" tab.


System updates are under the Firmware Upgrade item. In our case, the current and latest firmware version is already installed.

Next, I suggest briefly covering the capabilities and settings of the system's blades. Logically, they can be divided into Access (Firewall, Application Control, URL Filtering) and Threat Prevention (IPS, Antivirus, Anti-Bot, Threat Emulation) policy levels.

Let's go to Access Policy → Blade Control.


By default the STANDARD mode is used: it allows outgoing traffic to the Internet and traffic within the local network, while blocking incoming traffic from the Internet.

As for the APPLICATIONS & URL FILTERING blades, by default they are set to block sites with a high risk level and to block file-sharing applications (Torrent, File Storage, etc.). You can also block site categories manually.

Let's look at the user-traffic option "Limit bandwidth consuming applications", which lets you cap the outgoing/incoming traffic speed for groups of applications.

Next, open the Policy section; by default, rules are created automatically according to the settings described above.

The NAT section by default operates in automatic Global Hide NAT, i.e. all internal hosts access the Internet through a public IP address. It is possible to configure NAT rules manually to publish your web applications or services.


Next, the section on user authentication on the network offers two options: Active Directory Queries (integration with your AD) and Browser-Based Authentication (the user enters domain credentials in a portal).


SSL inspection deserves a separate mention; the share of HTTPS traffic in the global network is growing rapidly. Let's look at what CheckPoint offers for SMB solutions. To do this, go to the SSL-Inspection → Policy section.


In the settings you can enable inspection of HTTPS traffic; you need to import the certificate and install it in the trusted certificate authority store on end-user machines.

We consider the BYPASS mode for predefined categories a convenient option; it saves significant time when enabling inspection.

After configuring rules at the Firewall / Application level, you should move on to configuring the security policy (Threat Prevention); to do this, go to the corresponding section.


On the page that opens we see the enabled blades and the signature and database updates. We are also asked to choose a profile for protecting the network perimeter, and the corresponding settings are shown.

A separate section, "IPS Protections", lets you configure the action for a specific security signature.


Not long ago we wrote on our blog about a global vulnerability in Windows Server, SigRed. Let's check for its presence in Gaia Embedded 80.20 by entering the query "CVE-2020-1350".


A record was found for this signature, to which one of the actions can be applied (by default Prevent, since the risk level is critical). So with an SMB solution you are not left behind in terms of updates and support; this is a full-fledged NGFW solution from CheckPoint for branch offices of up to 200 people.

Operational check

To conclude the article, I would like to point out the tools available for troubleshooting after the first start and configuration of the SMB solution. Go to the "HOME" → "Tools" section. The available options are:

  • monitoring of system resources;
  • routing table;
  • checking the availability of CheckPoint cloud services;
  • generating CPinfo.

Built-in network commands are also available: Ping, Traceroute, Traffic Capture.


So, today we reviewed and examined the initial connection and configuration of the NGFW 1590; you will perform the same steps for the entire 1500 SMB CheckPoint series. The available options showed us great flexibility in configuration and support for modern methods of protecting traffic at the network perimeter.

Today, CheckPoint solutions for protecting small offices and branches (up to 200 people) come with a wide range of tools and use the latest technologies (cloud management, SIM card support, memory expansion using SD cards, etc.). Stay informed and read articles from TS Solution; we plan to release more parts about the CheckPoint NGFW SMB family. See you!

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

source: www.habr.com
