Palo Alto Networks configuration specifics: SSL VPN

Despite the advantages of Palo Alto Networks firewalls, there is little on RuNet about configuring these devices, and few articles describing the experience of deploying them. We decided to summarize what we have accumulated while working with this vendor's equipment and to talk about the specifics we encountered while implementing various tasks.

As an introduction to Palo Alto Networks, this article looks at the configuration needed to solve one of the most common firewall tasks: SSL VPN for remote access. We will also discuss the auxiliary functions for general firewall configuration, user identification, applications and security policies. If the topic interests readers, we will later publish material covering site-to-site VPN, dynamic routing and centralized management with Panorama.

Palo Alto Networks firewalls use several innovative technologies, including App-ID, User-ID and Content-ID. Using this functionality lets you ensure a high level of security. For example, App-ID makes it possible to identify application traffic based on signatures, decoding and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID lets you identify network users through LDAP integration. Content-ID makes it possible to scan traffic and identify transmitted files and their content. Other firewall functions include intrusion protection, protection against vulnerabilities and DoS attacks, built-in anti-spyware, URL filtering, clustering and centralized management.

For the demonstration we will use an isolated lab stand with a configuration identical to a real one, except for device names, the AD domain name and IP addresses. In reality everything is more complicated: there may be many branches. In that case, instead of a single firewall, a cluster will be installed at the border of the central site, and dynamic routing may be required.

PAN-OS 7.1.9 was used on the stand. As a typical configuration, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. An Active Directory domain will be used as the user database (Fig. 1).

Figure 1 - Network block diagram

Configuration steps:

  1. Device preparation. Setting the name, management IP address, static routes, administrator accounts and management profiles
  2. Installing licenses, configuring and installing updates
  3. Configuring security zones, network interfaces, traffic policies and address translation
  4. Creating the LDAP authentication profile and the user identification function
  5. Configuring SSL VPN

1. Device preparation

The main tool for configuring a Palo Alto Networks firewall is the web interface; management via the CLI is also possible. By default, the management interface is set to IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from that network, or with the command set deviceconfig system ip-address <> netmask <>. It is executed in configuration mode. To switch to configuration mode, use the configure command. All changes on the firewall take effect only after the configuration is confirmed with the commit command, both in the command line and in the web interface.

To change the settings in the web interface, use the Device -> General Settings and Device -> Management Interface Settings sections. The name, banners, time zone and other settings can be set in General Settings (Fig. 2).

Figure 2 - Management interface parameters

If you use a virtual firewall in an ESXi environment, in General Settings you need to enable the use of the MAC address assigned by the hypervisor, or configure the MAC addresses specified on the firewall interfaces on the hypervisor side, or change the virtual switch settings to allow MAC address changes. Otherwise traffic will not pass through.

The management interface is configured separately and is not shown in the list of network interfaces. The Management Interface Settings section specifies the default gateway for the management interface. The remaining static routes are configured in the virtual router section; this will be discussed later.

To allow access to the device through other interfaces, you must create a management profile (Management Profile) in Network -> Network Profiles -> Interface Mgmt and assign it to the corresponding interface.

Next, you need to configure DNS and NTP in Device -> Services in order to receive updates and display the time correctly (Fig. 3). By default, all traffic generated by the firewall itself uses the management interface IP address as its source address. You can assign a different interface for each specific service in the Service Route Configuration section.

Figure 3 - DNS, NTP and service route parameters
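
The same device preparation from the PAN-OS CLI, as an added example that is not part of the original article. Hostname, addresses, time zone and the profile name are constructed for this example; the set commands follow the PAN-OS 7.x syntax, and the management profile is shown because the default admin/admin credentials and an unrestricted management interface are the first two things a practitioner should change:

```text
# Added example: device preparation on the PAN-OS CLI (constructed values).
configure

# Hostname, time zone and the management interface address (Device -> General Settings
# and Device -> Management Interface Settings in the web interface).
set deviceconfig system hostname fw-hq
set deviceconfig system timezone Europe/Moscow
set deviceconfig system ip-address 10.10.0.10 netmask 255.255.255.0 default-gateway 10.10.0.1

# DNS and NTP so that dynamic updates download and log timestamps are correct.
set deviceconfig system dns-setting servers primary 10.10.0.2 secondary 10.10.0.3
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 10.10.0.2

# Replace the factory admin/admin password; the CLI prompts for the new value.
set mgt-config users admin password

# Management profile for data-plane interfaces: only HTTPS, SSH and ping, and only
# from the internal management subnet. Assign it to the interface under
# Network -> Interfaces; without it the interface does not answer management requests.
set network profiles interface-management-profile mgmt-internal https yes ssh yes ping yes permitted-ip 10.10.0.0/24

commit
```

The permitted-ip restriction is the check worth keeping: a management profile with HTTPS enabled and no permitted-ip list exposes the administration interface to every host that can reach the interface address, including the Internet if it is applied to the outside interface.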

2. Installing licenses, configuring and installing updates

For all firewall functions to work fully, you must install licenses. You can use a trial license by requesting it from Palo Alto Networks partners. Its validity period is 30 days. A license is activated via a file or using an Auth-Code. Licenses are managed in Device -> Licenses (Fig. 4).
After installing the licenses, you need to configure the installation of updates in Device -> Dynamic Updates.
In Device -> Software you can download and install new PAN-OS versions.

Figure 4 - License management panel

3. Configuring security zones, network interfaces, traffic policies and address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. Network interfaces are assigned to a specific zone, and it is this zone that is used in the traffic rules. This approach allows you, when interface settings change later, to leave the traffic rules untouched and instead reassign the required interfaces to the corresponding zones. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 - Security zones

In this example, the interface on the internal network is assigned to the internal zone, and the interface facing the Internet is assigned to the external zone. For SSL VPN, a tunnel interface is created and assigned to the VPN zone (Fig. 5).

The network interfaces of a Palo Alto Networks firewall can operate in five different modes:

  • Tap - used to collect traffic for monitoring and analysis purposes
  • HA - used for cluster operation
  • Virtual Wire - in this mode, Palo Alto Networks combines two interfaces and transparently passes traffic between them without changing MAC and IP addresses
  • Layer2 - switching mode
  • Layer3 - router mode

Figure 6 - Configuring the interface operating mode

In this example, Layer3 mode will be used (Fig. 6). The network interface parameters specify the IP address, the operating mode and the corresponding security zone. In addition to the interface's operating mode, you must assign it to a Virtual Router; this is the analogue of a VRF instance in Palo Alto Networks. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings specify static routes and routing protocol settings. In this example, only the default route for access to external networks has been created (Fig. 7).

Figure 7 - Virtual router configuration

The next configuration step is the traffic policies, in the Policies -> Security section. A configuration example is shown in Figure 8. The logic of the rules is the same as in all firewalls. Rules are checked from top to bottom, up to the first match. Brief description of the rules:

1. SSL VPN Access to Web Portal. Allows access to the web portal for authenticating remote connections
2. VPN Traffic - allows traffic between remote connections and the head office
3. Basic Internet - allows the dns, ping, traceroute and ntp applications. The firewall allows applications based on signatures, decoding and heuristics instead of port numbers and protocols, which is why the Service field says application-default: the default port/protocol for the given application
4. Web Access - allows Internet access via the HTTP and HTTPS protocols without application control
5,6. The default rules for all other traffic.

Figure 8 - Example of network rule configuration

To configure NAT, use the Policies -> NAT section. An example NAT configuration is shown in Figure 9.

Figure 9 - Example NAT configuration

For all traffic from internal to external, the source address is changed to the firewall's external IP address using dynamic port address translation (PAT).

4. Configuring the LDAP authentication profile and the user identification function

Before connecting users via SSL VPN, you need to configure the authentication mechanism. In this example, authentication will be performed against the Active Directory domain controller through the Palo Alto Networks web interface.

Figure 10 - LDAP profile

For authentication to work, you need to configure an LDAP Profile and an Authentication Profile. In Device -> Server Profiles -> LDAP (Fig. 10) you need to specify the IP address and port of the domain controller, the LDAP type, and a user account that is a member of the Server Operators, Event Log Readers and Distributed COM Users groups. Then in Device -> Authentication Profile create a profile (Fig. 11), specify the previously created LDAP Profile, and on the Advanced tab specify the group of users (Fig. 12) who are allowed remote access. It is important to note the User Domain parameter in the profile; without it, group-based authorization will not work. The field must contain the NetBIOS domain name.

Figure 11 - Authentication Profile

Figure 12 - Selecting the AD group

The next step is Device -> User Identification. Here you need to specify the domain controller's IP address and the connection credentials, and enable the settings Enable Security Log, Enable Session and Enable Probing (Fig. 13). In the Group Mapping section (Fig. 14) you need to specify the parameters for locating objects in LDAP and the list of groups to be used for authorization. As in the Authentication Profile, here you also need to set the User Domain parameter.

Figure 13 - User Mapping parameters

Figure 14 - Group Mapping parameters

The final step of this phase is creating the VPN zone and the interface for that zone. You need to enable the Enable User Identification option for this zone (Fig. 15).

Figure 15 - Configuring the VPN zone
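
The LDAP server profile, authentication profile, User-ID settings and group mapping from this section as PAN-OS CLI set commands, added here as an example and not taken from the article. The domain EXAMPLE, the DNs, the service account and the profile names are constructed; the node names for the User-ID WMI credential are an assumption to confirm with Tab completion on the target release. The example makes the article's caveat concrete: the NetBIOS User Domain appears in both the authentication profile and the group mapping, because the allow-list compares the authenticated user, normalized to DOMAIN\user, against the group membership that the group mapping resolved:

```text
# Added example: LDAP authentication and User-ID on the PAN-OS CLI (constructed values).
configure

# LDAP server profile pointing at the domain controller. The bind account needs only
# read access to the directory; the Server Operators / Event Log Readers /
# Distributed COM Users memberships are what User-ID needs for log reading and probing.
set shared server-profile ldap ldap-ad server dc01 address 10.10.0.2 port 389
set shared server-profile ldap ldap-ad ldap-type active-directory
set shared server-profile ldap ldap-ad base "DC=example,DC=local"
set shared server-profile ldap ldap-ad bind-dn "CN=svc-panfw,OU=Service Accounts,DC=example,DC=local"
set shared server-profile ldap ldap-ad bind-password
set shared server-profile ldap ldap-ad ssl no

# Authentication profile: LDAP method, NetBIOS User Domain, and the one AD group
# allowed to authenticate for remote access (Advanced tab in the web interface).
set shared authentication-profile ap-ldap method ldap server-profile ldap-ad
set shared authentication-profile ap-ldap user-domain EXAMPLE
set shared authentication-profile ap-ldap allow-list [ "cn=vpn-users,ou=groups,dc=example,dc=local" ]

# Agentless User-ID: read the domain controller's security log and sessions, probe hosts.
set user-id-collector server-monitor dc01 active-directory host 10.10.0.2
set user-id-collector setting enable-security-log yes
set user-id-collector setting enable-session yes
set user-id-collector setting enable-probing yes
# WMI credential for the monitoring above; node names assumed, verify with Tab completion.
set user-id-collector setting domain EXAMPLE user-name svc-panfw password

# Group mapping: which AD groups the firewall resolves, with the same NetBIOS domain.
set group-mapping gm-ad server-profile ldap-ad
set group-mapping gm-ad user-domain EXAMPLE
set group-mapping gm-ad group-include-list [ "cn=vpn-users,ou=groups,dc=example,dc=local" ]

# User-ID must be enabled on the VPN zone so that VPN sessions are tied to user names.
set zone vpn enable-user-identification yes

commit
```

Two operational-mode checks close the loop after the commit: `test authentication authentication-profile ap-ldap username alice password` exercises the bind and the allow-list without a real client, and `show user group name "cn=vpn-users,ou=groups,dc=example,dc=local"` lists the members the group mapping actually resolved. If the test reports the user as authenticated but not authorized, the first thing to compare is the User Domain in the two profiles.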

5. Configuring SSL VPN

Before connecting to the SSL VPN, the remote user must go to the web portal, authenticate and download the GlobalProtect client. After that, this client will request credentials and connect to the corporate network. The web portal operates over https, and therefore you need to install a certificate for it. Use a public certificate if possible. Then the user will not receive a warning about an invalid certificate on the portal page. If it is not possible to use a public certificate, you need to issue your own, which will be used on the https portal page. It can be self-signed or issued by a local certificate authority. The remote computer must have the root or self-signed certificate in its list of trusted root authorities so that the user does not get an error when connecting to the web portal. This example will use a certificate issued by Active Directory Certificate Services.

To issue a certificate, you need to create a certificate request in Device -> Certificate Management -> Certificates -> Generate. In the request, specify the certificate name and the IP address or FQDN of the web portal (Fig. 16). After generating the request, download the .csr file and paste its contents into the certificate request field on the AD CS web enrollment page. Depending on how the certificate authority is configured, the certificate request may have to be approved, and the issued certificate must be downloaded in the Base64 Encoded Certificate format. In addition, you need to download the root certificate of the certificate authority. Then you need to import both certificates into the firewall. When importing the certificate for the web portal, you must select the request in the pending state and click Import. The certificate name must match the name specified earlier in the request. The name of the root certificate can be chosen arbitrarily. After importing the certificate, you need to create an SSL/TLS Service Profile in Device -> Certificate Management. In the profile, specify the certificate imported earlier.

Figure 16 - Certificate request

The next step is configuring the GlobalProtect Gateway and GlobalProtect Portal objects in the Network -> GlobalProtect section. In the GlobalProtect Gateway settings, specify the firewall's external IP address, the previously created SSL Profile, Authentication Profile, Tunnel interface and client IP settings. You need to specify the pool of IP addresses from which addresses will be issued to clients, and the Access Route: these are the subnets to which the client will receive a route. If the task is to send all user traffic through the firewall, you need to specify the subnet 0.0.0.0/0 (Fig. 17).

Figure 17 - Configuring the IP address pool and routes

Then you need to configure the GlobalProtect Portal. Specify the firewall's IP address, the SSL Profile and Authentication Profile, and the list of external IP addresses of the firewalls to which the client will connect. If there are several firewalls, you can set a priority for each of them, according to which users will choose the firewall to connect to.

In Device -> GlobalProtect Client you need to download the VPN client distribution from the Palo Alto Networks servers and activate it. To connect, the user must go to the portal web page, where they will be prompted to download the GlobalProtect client. Once it is downloaded and installed, you can enter your credentials and connect to the corporate network via SSL VPN.
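
The SSL/TLS service profile, gateway and portal from this section as PAN-OS CLI set commands, added as an example and not the article's own configuration. The certificate name vpn-portal-cert (which must match the name given in the request and at import), the profile and object names, the addresses, the client pool and the FQDN vpn.example.local are constructed; the GlobalProtect object syntax follows the 7.x form as best known and should be confirmed with Tab completion on the target release. The profile also raises the minimum protocol to TLS 1.2, which the article does not cover but which a practitioner would want on an Internet-facing portal:

```text
# Added example: TLS profile, GlobalProtect gateway and portal on the PAN-OS CLI
# (constructed values; object syntax to be confirmed on the target release).
configure

# Service profile binding the AD CS-issued portal certificate; minimum TLS 1.2.
set shared ssl-tls-service-profile gp-ssl certificate vpn-portal-cert
set shared ssl-tls-service-profile gp-ssl protocol-settings min-version tls1-2
set shared ssl-tls-service-profile gp-ssl protocol-settings max-version max

# Gateway: outside address, TLS profile, LDAP authentication, tunnel interface,
# client IP pool and access routes (0.0.0.0/0 = all client traffic through the firewall).
set network global-protect global-protect-gateway gp-gateway local-address interface ethernet1/2 ip 203.0.113.10/24
set network global-protect global-protect-gateway gp-gateway ssl-tls-service-profile gp-ssl
set network global-protect global-protect-gateway gp-gateway authentication-profile ap-ldap
set network global-protect global-protect-gateway gp-gateway tunnel-mode yes
set network global-protect global-protect-gateway gp-gateway remote-user-tunnel tunnel.1
set network global-protect global-protect-gateway gp-gateway remote-user-tunnel-configs default ip-pool [ 172.16.10.0/24 ]
set network global-protect global-protect-gateway gp-gateway remote-user-tunnel-configs default access-route [ 0.0.0.0/0 ]

# Portal: same address and profiles; the client configuration lists the gateway(s)
# by FQDN with a priority, which is how clients pick between several firewalls.
set network global-protect global-protect-portal gp-portal portal-config local-address interface ethernet1/2 ip 203.0.113.10/24
set network global-protect global-protect-portal gp-portal portal-config ssl-tls-service-profile gp-ssl
set network global-protect global-protect-portal gp-portal portal-config authentication-profile ap-ldap
set network global-protect global-protect-portal gp-portal client-config configs default gateways external list gp-gateway fqdn vpn.example.local priority 1

commit
```

The FQDN in the portal's gateway list must be the same name that was put into the certificate request, and that name must resolve to the outside address; otherwise the client reaches the gateway but rejects its certificate even though the root CA is trusted. Once a test user connects, `show global-protect-gateway current-user` in operational mode lists the session with its user name and assigned pool address, which also confirms that User-ID is attributing the VPN session correctly.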

Conclusion

This concludes the Palo Alto Networks configuration section. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks. If you have questions about the configuration or suggestions for topics for future articles, write them in the comments; we will be happy to answer.

Source: www.habr.com