7. NGFW for small business. Performance and general recommendations
The time has come to close the series of articles on the new generation of Check Point SMB appliances (1500 series). We hope it was a useful experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is not widely covered, but it is no less important: SMB performance tuning. In it we discuss configuration options for the hardware and software of the NGFW, and describe the available commands and ways of interacting with the device.
At the moment there are not many sources of information on performance tuning for SMB solutions, because of the restrictions of the internal OS, Gaia 80.20 Embedded. In this article we use a layout with centralized management (Dedicated Management Server), which gives you more tools when working with the NGFW.
Hardware
Before touching the architecture of the Check Point SMB family, you can always ask your partner to use the Appliance Sizing Tool utility to select the optimal solution for the stated characteristics (throughput, expected number of users, etc.).
Important notes when working with your NGFW hardware
NGFW appliances of the SMB family do not allow their system resources (CPU, RAM, HDD) to be upgraded; depending on the model there is support for SD cards, which lets you expand disk capacity, but not by much.
The operation of the network interfaces needs to be monitored. Gaia 80.20 Embedded has no monitoring tools of its own, but you can always use a well-known command in the CLI via Expert mode.
# ifconfig
Pay attention to the highlighted lines; they let you assess the number of errors on the interface. It is strongly recommended to check these parameters during the initial deployment of your NGFW, and periodically during operation.
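The check described above can be scripted. This is an added example, not part of the original article: a shell function that reads ifconfig output and prints every non-zero error counter per interface. It assumes the classic net-tools output layout, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag interfaces whose ifconfig counters show errors or drops.
# Assumption: classic net-tools/BusyBox layout ("RX packets:N errors:N ...").
iface_errors() {
    awk '
        # A new interface block starts in column 1 with the interface name.
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        # Counter lines look like: "RX packets:10 errors:0 dropped:0 ..."
        /^[ \t]+(RX|TX) packets/ {
            dir = $1
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                # Skip the packet total; report any other counter above zero.
                if (kv[1] != "packets" && kv[2] + 0 > 0)
                    printf "%s %s %s=%s\n", iface, dir, kv[1], kv[2]
            }
        }
    '
}

# Constructed sample output, not captured from a real appliance.
sample_ifconfig() {
cat <<'EOF'
LAN1      Link encap:Ethernet  HWaddr 00:1C:7F:00:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:918234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:803112 errors:0 dropped:0 overruns:0 carrier:0

WAN       Link encap:Ethernet  HWaddr 00:1C:7F:00:00:02
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5520113 errors:42 dropped:7 overruns:0 frame:42
          TX packets:4419870 errors:0 dropped:0 overruns:0 carrier:3
EOF
}

# On the appliance the equivalent call would be: ifconfig | iface_errors
sample_ifconfig | iface_errors
```

Comparing two runs taken some minutes apart shows whether a counter is still growing or is left over from an earlier event.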
For full Gaia there is a command:
> show diag
With it you can obtain information about the temperature of the hardware. Unfortunately, this option is not available in 80.20 Embedded; instead, here are the most popular SNMP traps:
| Name | Description |
|---|---|
| Interface disconnected | An interface went down |
| VLAN removed | VLANs were removed |
| High memory utilization | High RAM usage |
| Low disk space | Not enough HDD space |
| High CPU utilization | High CPU usage |
| High CPU interrupts rate | High interrupt rate |
| High connection rate | High rate of new connections |
| High concurrent connections | High number of concurrent sessions |
| High Firewall throughput | High firewall throughput |
| High accepted packet rate | High rate of accepted packets |
| Cluster member state changed | The cluster state changed |
| Connection with log server error | Connection to the Log Server was lost |
The operation of your gateway requires monitoring RAM. For Gaia (a Linux-like OS) it is a normal situation for RAM consumption to reach 70-80% of utilization.
The architecture of SMB solutions does not provide for the use of SWAP memory, unlike older Check Point models. Nevertheless, a setting has been noticed in the Linux system files that indicates the SWAP parameter could be changed.
Software
At the time of publication, the current Gaia version is 80.20.10. You need to know that there are restrictions when working in the CLI: only some Linux commands are supported in Expert mode. Assessing how the NGFW is running requires assessing the daemons and services; more details on this can be found in my colleague's article. Here we look at the commands that are useful on SMB.
Working with Gaia OS
View SecureXL templates
# fwaccel stat
View the load per core
# fw ctl multik stat
View the number of sessions (connections)
# fw ctl pstat
View the cluster status
# cphaprob stat
The classic Linux top command
Working with logs
As you already know, there are three ways to work with NGFW logs (collection, processing): locally, centrally and in the cloud. The last two options imply the presence of a separate entity, the Management Server.
Possible NGFW management schemes
The most valuable log files
System messages (contains less information than in full Gaia)
# tail -f /var/log/messages2
Error messages from the operation of the blades (a very useful file when troubleshooting problems)
# tail -f /var/log/log/sfwd.elg
View messages from the buffer at the system kernel level
# dmesg
Blade configuration
This section does not contain complete instructions for configuring your Check Point NGFW; it contains only our recommendations, chosen from experience.
Application Control / URL Filtering
It is recommended to avoid ANY, ANY conditions (Source, Destination) in rules.
When specifying a custom URL resource, it is more effective to use regular expressions such as: (^|\.)checkpoint\.com
Avoid excessive use of rule logging and of displaying block pages (UserCheck).
Make sure the "SecureXL" technology is working correctly. Most traffic should go through the accelerated / medium path. Also, do not forget to filter rules by the most used ones (the Hits field).
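What the escaped, anchored form of the URL pattern buys you, as an added example that is not part of the original article: the same constructed host names are matched against the pattern `(^|\.)checkpoint\.com` and against a loose, unescaped variant. It assumes the pattern is evaluated as an extended regular expression against the host name.

```shell
#!/bin/sh
# Added example: which host names does each pattern select?
# Assumption: the pattern is an extended regex applied to the host name.

PAGE_PATTERN='(^|\.)checkpoint\.com'   # escaped dots, anchored at a label boundary
LOOSE_PATTERN='checkpoint.com'         # unescaped dot, no anchor

# Constructed host names used only for this comparison.
sample_hosts() {
cat <<'EOF'
checkpoint.com
www.checkpoint.com
supportcenter.checkpoint.com
notcheckpoint.com
checkpoint-com.example
EOF
}

# Print the sample hosts that a pattern matches, one per line.
matched_hosts() {
    sample_hosts | grep -E -- "$1" || true
}

# Count how many sample hosts a pattern matches.
match_count() {
    matched_hosts "$1" | wc -l | tr -d ' '
}

echo "anchored pattern matches $(match_count "$PAGE_PATTERN") hosts:"
matched_hosts "$PAGE_PATTERN"
echo "loose pattern matches $(match_count "$LOOSE_PATTERN") hosts:"
matched_hosts "$LOOSE_PATTERN"
```

The loose variant also selects unrelated domains, so a rule built on it would apply its action to sites the policy never meant to cover.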
HTTPS Inspection
It is no secret that 70-80% of user traffic comes from HTTPS connections, which means it demands resources from your gateway's processor. In addition, HTTPS Inspection takes part in the work of IPS, Antivirus and Antibot.
Starting from version 80.40 it is possible to work with HTTPS rules without the Legacy Dashboard; here is a recommended rule order:
1. Bypass for a group of addresses and networks (Destination).
2. Bypass for a group of URLs.
3. Bypass for internal IPs and networks with privileged access (Source).
4. Inspect for the required networks and users.
5. Bypass for everyone else.
* It is better to select the HTTPS or HTTPS Proxy services manually rather than leaving Any. Log events for the Inspect rules.
IPS
The IPS blade may fail to install policy on your NGFW if too many signatures are in use. According to an article from Check Point, the SMB device architecture is not designed to run the full recommended IPS profile.
To resolve or prevent the problem, follow these steps:
1. Clone the Optimized profile under the name "Optimized SMB" (or another name of your choice).
2. Edit the profile, go to the IPS → Pre R80.Settings section and turn off Server Protections.
3. At your discretion, you can deactivate CVEs older than 2010; these vulnerabilities are rarely encountered in small offices, but they affect performance. To disable some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list.
In lieu of a conclusion
As part of the series of articles on the new generation of SMB-family NGFW (1500), we tried to show the main capabilities of the solution and demonstrated the configuration of important security components using specific examples. We will be glad to answer any questions about the product in the comments. We remain with you, thank you for your attention!