7. NGFW for small businesses. Performance and general recommendations

It is time to conclude the series of articles about the new generation of SMB Check Point (1500 series). We hope this was a rewarding experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is not widely covered, but it is no less important - SMB performance tuning. In it we will discuss tuning options for the hardware and software of the NGFW, and describe the available commands and ways of interaction.

All articles in the series about NGFW for small businesses:

  1. New CheckPoint 1500 Security Gateway Line

  2. Unboxing and Setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. Cloud SMP Management

  6. Smart-1 Cloud

At present there are not many sources of information about performance tuning for SMB solutions, because of the restrictions of the internal OS - Gaia 80.20 Embedded. In our article we will use a layout with centralized management (a Management Server) - it lets you use more tools when working with the NGFW.

Hardware

Before touching on the architecture of the Check Point SMB family, note that you can always ask your partner to use the Appliance Sizing Tool utility to select the optimal solution according to the specified characteristics (throughput, expected number of users, etc.).

Important notes when interacting with your NGFW hardware

  1. NGFW solutions of the SMB family cannot have their hardware components (CPU, RAM, HDD) upgraded; depending on the model, there is support for SD cards, which lets you expand disk capacity, but not significantly.

  2. The operation of the network interfaces needs to be monitored. Gaia 80.20 Embedded does not have many monitoring tools, but you can always use the well-known command in the CLI through Expert mode.

    # ifconfig

    Pay attention to the marked lines; they let you estimate the number of errors on the interface. It is highly recommended to check these parameters during the initial deployment of your NGFW, and periodically during operation.

  3. For full Gaia there is a command:

    > show diag

    With its help you can obtain information about the hardware temperature. Unfortunately, this option is not available in 80.20 Embedded; we will list the most popular SNMP traps:

    Title                            | Description
    Interface disconnected           | Interface is down
    VLAN removed                     | VLANs removed
    High memory utilization          | High RAM usage
    Low disk space                   | Not enough HDD space
    High CPU utilization             | High CPU usage
    High CPU interrupts rate         | High interrupt rate
    High connection rate             | High flow of new connections
    High concurrent connections      | High level of concurrent sessions
    High Firewall throughput         | High Firewall throughput
    High accepted packet rate        | High packet reception rate
    Cluster member state changed     | Cluster state change
    Connection with log server error | Lost connection with the Log Server

  4. Gateway operation requires monitoring of RAM. For Gaia (a Linux-like OS) it is a normal situation when RAM usage reaches 70-80%.

    The architecture of SMB solutions does not provide for the use of SWAP memory, unlike older Check Point models. However, in the Linux system files it was noticed , which indicates the theoretical possibility of changing the SWAP parameter.
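The interface error check from note 2 above can be scripted so that counters are compared between two runs instead of being read by eye. This is an added example, not part of the original article; it assumes ifconfig prints the classic net-tools/BusyBox layout (`RX packets:N errors:N ...`), and the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Flatten ifconfig output (classic net-tools/BusyBox layout, an assumption)
# into "iface direction counter value" records, skipping the packets field.
iface_counters() {
    awk '
    /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }   # block header at column 0
    /RX packets|TX packets/ {                        # RX packets:9 errors:0 ...
        for (i = 3; i <= NF; i++) {
            split($i, kv, ":")
            print iface, $1, kv[1], kv[2]
        }
    }'
}

# Compare two snapshots taken some time apart and print every error-type
# counter that grew, as "iface direction counter +delta".
iface_error_growth() {   # $1 = older ifconfig output, $2 = newer ifconfig output
    {
        printf '%s\n' "$1" | iface_counters | sed 's/^/old /'
        printf '%s\n' "$2" | iface_counters | sed 's/^/new /'
    } | awk '
    $1 == "old" { prev[$2 " " $3 " " $4] = $5; next }
    {
        key = $2 " " $3 " " $4
        if ((key in prev) && $5 + 0 > prev[key] + 0)
            printf "%s +%d\n", key, $5 - prev[key]
    }'
}

# Constructed sample, not captured from a real gateway.
# $1 = WAN RX errors/frame value, $2 = LAN1 RX dropped value
sample_ifconfig() {
    cat <<EOF
LAN1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          RX packets:1250000 errors:0 dropped:$2 overruns:0 frame:0
          TX packets:980000 errors:0 dropped:0 overruns:0 carrier:0

WAN       Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          RX packets:8400000 errors:$1 dropped:0 overruns:0 frame:$1
          TX packets:7900000 errors:0 dropped:0 overruns:0 carrier:0
EOF
}

# On the gateway: before=$(ifconfig); sleep 300; after=$(ifconfig)
before=$(sample_ifconfig 214 12)
after=$(sample_ifconfig 390 12)
iface_error_growth "$before" "$after"
```

A counter that is non-zero but unchanged between snapshots (LAN1 `dropped` in the sample) is not reported; only growth during the interval is.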

Software

At the time of publication, the current Gaia version is 80.20.10. You need to know that there are limitations when working in the CLI: some Linux commands are supported in Expert mode. Assessing NGFW performance requires evaluating the operation of daemons and services; more details about this can be found in my colleague's article. We will look at the possible commands for SMB.

Working with Gaia OS

  1. View SecureXL templates

    # fwaccel stat

  2. View the load per core

    # fw ctl multik stat

  3. View the number of sessions (connections).

    # fw ctl pstat

  4. *View cluster status

    # cphaprob stat

  5. The classic Linux top command

Logging

As you already know, there are three ways to work with NGFW logs (storage, processing): locally, centrally, and in the cloud. The last two options imply the presence of an additional entity - a Management Server.

Possible NGFW management schemes

The most important log files

  1. System messages (contains less information than in full Gaia)

    # tail -f /var/log/messages2

  2. Error messages in the operation of the blades (a very useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg

  3. View messages from the buffer at the system kernel level.

    # dmesg

Blade settings

This section will not contain complete instructions for configuring your Check Point NGFW; it contains only our recommendations, selected from experience.

Application Control / URL Filtering

  • It is recommended to avoid ANY, ANY (Source, Destination) conditions in rules.

  • When specifying a custom URL resource, it is more effective to use regular expressions such as: (^|...) duba.com

  • Avoid excessive use of rule logging and of displaying block pages (UserCheck).

  • Make sure the "SecureXL" technology is working correctly. Most traffic should go through the accelerated/medium path. Also, do not forget to filter the rules by the most used ones (the Hits field).

HTTPS-Inspection

It is no secret that 70-80% of user traffic comes from HTTPS connections, which means that this requires resources from the gateway processor. In addition, HTTPS-Inspection takes part in the work of IPS, Antivirus and Antibot.

Starting with version 80.40, it is possible to work with HTTPS rules without the Legacy Dashboard; here are some rule recommendations:

  • Bypass for a group of addresses and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IPs and networks with access (Source).

  • Inspect for the required networks and users.

  • Bypass for everyone.

* It is always better to select the HTTPS or HTTPS proxy services manually rather than leaving Any. Log events according to the Inspect rules.

IPS

The IPS blade may fail to install policy on your NGFW if too many signatures are used. According to an article from Check Point, the architecture of the SMB device is not designed to run the full recommended IPS profile.

To resolve or prevent the problem, follow these steps:

  1. Clone the Optimized profile under the name "Optimized SMB" (or another name of your choice).

  2. Edit the profile, go to the IPS → Pre R80.Settings section and turn off Server Protections.

  3. At your discretion, you can disable CVEs older than 2010; these vulnerabilities may be found in small offices, but they affect performance. To disable some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list.

Instead of a conclusion

As part of the series of articles about the new generation of NGFW of the SMB family (1500), we tried to highlight the main capabilities of the solution and showed the configuration of important security components using specific examples. We will be happy to answer any questions about the product in the comments. We stay with you, thank you for your attention!

A large selection of materials on Check Point from TS Solution. To avoid missing new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

source: www.habr.com
