7. NGFW for small business. Performance and recommendations

It is time to conclude the series of articles on the new generation of Check Point SMB appliances (1500 series). We hope this has been a useful experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is rarely covered but no less important: SMB performance tuning. In it we discuss the configuration options for the hardware and software of the NGFW and describe the available commands and ways of interacting with the device.

All articles in the series on NGFW for small business:

  1. The new 1500 Security Gateway line

  2. Unboxing and setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. SMP cloud management

  6. Smart-1 Cloud

At present there are not many sources of information on performance tuning for SMB solutions, owing to the limitations of the internal OS, Gaia 80.20 Embedded. In this article we use a layout with centralized management (a dedicated Management Server), which lets you use more tools when working with the NGFW.

Hardware

Before touching on the architecture of the Check Point SMB family, note that you can always ask your partner to use the Appliance Sizing Tool utility to select the optimal solution for the stated characteristics (throughput, expected number of users, etc.).

Important notes on working with your NGFW hardware

  1. NGFW solutions of the SMB family do not allow hardware upgrades of system components (CPU, RAM, HDD). Depending on the model there is support for SD cards, which lets you expand disk capacity, but not by much.

  2. The operation of the network interfaces needs to be monitored. Gaia 80.20 Embedded has no monitoring tools, but you can always use the well-known command in the CLI via Expert mode.

    # ifconfig

    Pay attention to the marked lines; they let you assess the number of errors on the interface. It is strongly recommended to check these parameters when you first deploy your NGFW, and periodically during operation.

  3. For a full Gaia there is the command:

    > show diag

    With it you can obtain information about the temperature of the hardware. Unfortunately, this option is not available in 80.20 Embedded; here are the most popular SNMP traps:

    | Name | Description |
    |------|-------------|
    | Interface disconnected | Interface disabled |
    | VLAN removed | VLANs removed |
    | High memory utilization | High RAM utilization |
    | Low disk space | Not enough HDD space |
    | High CPU utilization | High CPU utilization |
    | High CPU interrupts rate | High interrupt rate |
    | High connection rate | High rate of new connections |
    | High concurrent connections | High number of concurrent sessions |
    | High Firewall throughput | High firewall throughput |
    | High accepted packet rate | High packet receive rate |
    | Cluster member state changed | Cluster state change |
    | Connection with log server error | Lost connection with Log-Server |

  4. The operation of your gateway requires RAM monitoring. For Gaia (a Linux-like OS) it is normal for RAM consumption to reach 70-80% utilization.

    The architecture of SMB solutions does not provide for the use of SWAP memory, unlike the older Check Point models. Nevertheless, the Linux system files were seen to contain , which indicates that the SWAP parameter can be changed.
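
The interface check from note 2 can be turned into a repeatable filter. This is an added example, not code from the original article: it assumes `ifconfig` prints the classic net-tools/BusyBox layout (`RX packets:N errors:N ...`), and the interface names and counters in the sample are constructed.

```shell
#!/bin/sh
# Added example: list interfaces whose ifconfig error counters are non-zero.
# Assumes the classic net-tools/BusyBox layout ("RX packets:N errors:N ...").

# Constructed sample output; on the gateway, pipe the real command instead:
#   ifconfig | iface_errors
sample_ifconfig() {
cat <<'EOF'
LAN1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1048576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:524288 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:734003200 (700.0 MiB)  TX bytes:104857600 (100.0 MiB)

LAN2      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2048 errors:12 dropped:0 overruns:0 frame:12
          TX packets:1024 errors:0 dropped:0 overruns:0 carrier:3
          collisions:0 txqueuelen:1000
EOF
}

# Reads ifconfig output on stdin; prints "<iface> <RX|TX> name=count ..."
# for every direction that has at least one non-zero counter.
iface_errors() {
  awk '
    /^[A-Za-z]/ { iface = $1 }            # unindented line starts a new interface
    ($1 == "RX" || $1 == "TX") && $2 ~ /^packets:/ {
      bad = ""
      for (i = 3; i <= NF; i++) {         # fields after packets:N are name:count
        split($i, kv, ":")
        if (kv[2] + 0 > 0) bad = bad " " kv[1] "=" kv[2]
      }
      if (bad != "") print iface, $1 bad
    }'
}

sample_ifconfig | iface_errors
```

Empty output means every RX/TX counter on every interface is zero; comparing two runs taken some time apart shows whether a counter is still growing.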

Software

At the time of publication the current Gaia version is 80.20.10. You should know that there are limitations when working in the CLI: some Linux commands are supported in Expert mode. Assessing the operation of the NGFW requires assessing the operation of its daemons and services; more details on this can be found in my colleague's article. Here we look at the commands that apply to SMB.

Working with Gaia OS

  1. View the SecureXL templates

    # fwaccel stat

  2. View the load per core

    # fw ctl multik stat

  3. View the number of sessions (connections).

    # fw ctl pstat

  4. *View the cluster state

    # cphaprob stat

  5. The classic Linux top command

Logging

As you already know, there are three ways of working with NGFW logs (storage, processing): locally, centrally and in the cloud. The last two options imply the presence of an additional entity, the Management Server.

Possible NGFW management schemes

The most valuable log files

  1. System messages (contains less information than on a full Gaia)

    # tail -f /var/log/messages2

  2. Error messages from the operation of the blades (a useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg

  3. View messages from the buffer at the system kernel level.

    # dmesg

Blade configuration

This section does not contain complete instructions for configuring your Check Point NGFW; it contains only our recommendations, chosen from experience.

Application Control / URL Filtering

  • It is recommended to avoid ANY, ANY (Source, Destination) conditions in rules.

  • When specifying a custom URL resource, it is more effective to use regular expressions such as: (^|..)checkpoint.com

  • Avoid excessive use of logging in rules and of displaying block pages (UserCheck).

  • Make sure the "SecureXL" technology is working correctly. Most traffic should go through the accelerated / medium path. Also, do not forget to filter the rules by the most frequently used ones (the Hits field).
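
A custom-URL pattern like the one in the second recommendation can be checked offline before it goes into a rule. This added example (not from the original article) uses `grep -E` as a stand-in for the gateway's matcher and compares the pattern as printed above with an assumed stricter variant; `STRICT_PATTERN` and all hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare which hostnames two custom-URL patterns accept.
# grep -E (POSIX ERE) stands in for the gateway matcher, which is not tested here.

PAGE_PATTERN='(^|..)checkpoint.com'                 # as written on this page
STRICT_PATTERN='^([a-z0-9-]+\.)*checkpoint\.com$'   # assumed stricter variant

# Constructed hostnames that do not belong to checkpoint.com.
OTHER_HOSTS='notcheckpoint.com checkpoint.com.example.net checkpoint-com.example.net example.org'
# Constructed hostnames that the rule is meant to cover.
WANTED_HOSTS='checkpoint.com www.checkpoint.com a.b.checkpoint.com'

# url_match PATTERN HOST: exit status 0 when HOST matches PATTERN.
url_match() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# matching_hosts PATTERN HOST...: print each HOST that PATTERN accepts.
matching_hosts() {
  pattern=$1; shift
  for host in "$@"; do
    if url_match "$pattern" "$host"; then printf '%s\n' "$host"; fi
  done
}

for p in "$PAGE_PATTERN" "$STRICT_PATTERN"; do
  printf 'pattern: %s\n' "$p"
  printf '  wanted hosts matched:\n'
  matching_hosts "$p" $WANTED_HOSTS | sed 's/^/    /'
  printf '  other hosts matched:\n'
  matching_hosts "$p" $OTHER_HOSTS | sed 's/^/    /'
done
```

Both patterns accept the three wanted hosts; only the variant with escaped dots and anchors at both ends rejects the look-alike names.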

HTTPS Inspection

It is no secret that 70-80% of user traffic comes over HTTPS connections, which in turn demands resources from your gateway's processor. In addition, HTTPS Inspection takes part in the work of IPS, Antivirus and Antibot.

Starting with version 80.40 it is possible to work with HTTPS rules without the Legacy Dashboard; here is a recommended rule order:

  • Bypass for a group of addresses and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IPs and networks with privileged access (Source).

  • Inspect for the required networks and users.

  • Bypass for everything else.

* It is better to select the HTTPS or HTTPS Proxy services manually rather than leaving Any. Log events under the Inspect rules.

IPS

The IPS blade can fail to install the policy on your NGFW if a large number of signatures is in use. According to an article from Check Point, the architecture of the SMB device is not designed to run the full recommended IPS settings profile.

To resolve or prevent the problem, follow these steps:

  1. Clone the Optimized profile under the name "Optimized SMB" (or another name of your choice).

  2. Edit the profile: go to the IPS → Pre R80.Settings section and turn off Server Protections.

  3. At your discretion, you can deactivate CVEs older than 2010; these vulnerabilities can turn up in small offices, but they affect performance. To deactivate some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list

In place of a conclusion

As part of this series of articles on the new generation of SMB-family NGFWs (1500), we have tried to show the main capabilities of the solution and to demonstrate the configuration of important security components using specific examples. We will be happy to answer any questions about the product in the comments. We remain with you, thank you for your attention!

A large selection of materials on Check Point from TS Solution. So as not to miss new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
