Palo Alto Networks configuration features: SSL VPN


Despite all the advantages of Palo Alto Networks firewalls, there is little material on RuNet about configuring these devices, and few articles describing practical experience of deploying them. We decided to collect the material we gathered while working with this vendor's equipment and to discuss the peculiarities we ran into while implementing various tasks.

To introduce you to Palo Alto Networks, this article walks through the configuration needed to solve one of the most common firewall tasks: SSL VPN for remote access. Along the way we cover the auxiliary settings required for basic firewall setup, user identification, applications and security policies. If the topic interests readers, we will later publish material on Site-to-Site VPN, dynamic routing and centralized management with Panorama.

Palo Alto Networks firewalls use a number of innovative technologies, including App-ID, User-ID and Content-ID. Using these features lets you achieve a high level of security. For example, App-ID identifies application traffic by signatures, protocol decoding and heuristics, regardless of the port and protocol in use, including inside SSL tunnels. User-ID identifies network users through LDAP integration. Content-ID scans traffic and identifies the files being transferred and their contents. Other firewall features include intrusion prevention, protection against vulnerability exploitation and DoS attacks, built-in anti-spyware, URL filtering, clustering and centralized management.

For the demonstration we use an isolated lab stand whose configuration is identical to a real deployment except for device names, the AD domain name and IP addresses. In practice everything is more complex: there may be many branches. In that case, instead of a single firewall, a cluster is installed at the border of the central office, and dynamic routing may also be required.

The stand runs PAN-OS 7.1.9. As a typical configuration, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. An Active Directory domain is used as the user database (Figure 1).

Figure 1 – Network block diagram

Configuration steps:

  1. Device preconfiguration. Set the device name, management IP address, default route, administrator account and management profiles
  2. Installing licenses, configuring and installing updates
  3. Configuring security zones, network interfaces, traffic policy and address translation
  4. Configuring the LDAP Authentication Profile and the User Identification feature
  5. Configuring SSL VPN

1. Preconfiguration

The main tool for configuring a Palo Alto Networks firewall is the web interface; management from the CLI is also possible. By default, the management interface has the IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address by connecting to the web interface from the same network, or with the command `set deviceconfig system ip-address <> netmask <>`. This command is run in configuration mode; to enter configuration mode, use the `configure` command. All changes on the firewall take effect only after the settings are confirmed with the `commit` command, both in the CLI and in the web interface.

To change the settings in the web interface, use the sections Device -> General Settings and Device -> Management Interface Settings. The device name, banners, time zone and other settings are configured in the General Settings section (Fig. 2).

Figure 2 – Management interface parameters

If you are running a virtual firewall in an ESXi environment, you must either enable the use of the MAC address assigned by the hypervisor in the General Settings section, or configure the MAC addresses specified on the firewall interfaces on the hypervisor side, or change the settings of the virtual switches to allow MAC address changes. Otherwise, traffic will not pass.

The management interface is configured separately and does not appear in the list of network interfaces. The Management Interface Settings section specifies the default gateway for the management interface. Other static routes are configured in the virtual routers section; this is discussed below.

To allow access to the device through other interfaces, you must create a management profile in Network -> Network Profiles -> Interface Mgmt and assign it to the required interface.

Next, configure DNS and NTP in Device -> Services so that the firewall can receive updates and display the time correctly (Figure 3). By default, all traffic generated by the firewall itself uses the management interface IP address as its source address. You can assign a different interface to each specific service in the Service Route Configuration section.
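The preconfiguration steps above, collected into one PAN-OS CLI session as an added example (this is not from the original article; the hostname, addresses and server names are placeholders chosen for illustration, and lines starting with `#` are explanatory comments rather than CLI input). Beyond what the article's steps cover, it also restricts management access to the admin subnet, disables the cleartext management protocols and replaces the default admin/admin credentials, which any practitioner should do before the device is reachable from anywhere else:

```panos
configure
# Hostname, management address and default gateway (placeholder values)
set deviceconfig system hostname fw-hq
set deviceconfig system ip-address 192.168.1.10 netmask 255.255.255.0 default-gateway 192.168.1.1
# DNS and NTP: required for dynamic updates and for correct timestamps in logs
set deviceconfig system dns-setting servers primary 192.168.10.10 secondary 192.168.10.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 192.168.10.10
set deviceconfig system timezone Europe/Moscow
# Only the admin subnet may reach the management interface; telnet and plain HTTP are disabled
set deviceconfig system permitted-ip 192.168.1.0/24
set deviceconfig system service disable-telnet yes disable-http yes
# Replace the factory admin password (the CLI prompts for the new value)
set mgt-config users admin password
# Management profile with HTTPS and ping only, to be attached to a data interface later
set network profiles interface-management-profile mgmt-https https yes ping yes
commit
```

Nothing is applied until `commit` succeeds, so a typo in the management address can still be corrected before the session is lost; after the commit the device answers only on the new address and only from the permitted subnet.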

Figure 3 – DNS, NTP and system service routes

2. Installing licenses, configuring and installing updates

To use the full functionality of the firewall, you must install a license. A trial license can be obtained by requesting it through Palo Alto Networks partners; it is valid for 30 days. The license is activated from a file or with an Auth-Code. Licenses are installed in Device -> Licenses (Figure 4).
After installing the license, configure the installation of updates in Device -> Dynamic Updates.
In Device -> Software you can download and install new versions of PAN-OS.

Figure 4 – License management panel

3. Configuring security zones, network interfaces, traffic policy and address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. Network interfaces are assigned to a specific zone, and it is the zone that is referenced in traffic rules. This approach means that when the interface layout changes later, you do not rewrite the traffic rules but simply reassign the required interfaces to the required zones. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 – Security zones

In this example, the interface to the internal network is assigned to the zone internal, and the Internet-facing interface is assigned to the zone external. For SSL VPN, a tunnel interface is created and assigned to the zone vpn (Figure 5).

Palo Alto Networks firewall network interfaces can operate in five different modes:

  • Tap – used to collect traffic for monitoring and analysis
  • HA – used for cluster operation
  • Virtual Wire – in this mode the firewall joins two interfaces and transparently passes traffic between them without changing MAC or IP addresses
  • Layer2 – switch mode
  • Layer3 – router mode

Figure 6 – Setting the interface operating mode

In this example, Layer3 mode is used (Fig. 6). The network interface settings specify the IP address, the operating mode and the security zone. In addition to the operating mode, the interface must be assigned to a Virtual Router, which is the Palo Alto Networks analogue of a VRF instance. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings specify static routes and routing protocol settings. In this example, only a default route is created for access to external networks (Fig. 7).

Figure 7 – Virtual router configuration

The next configuration stage is the traffic policy, section Policies -> Security. An example configuration is shown in Figure 8. The logic of the rules is the same as on any firewall: rules are evaluated from top to bottom until the first match. A brief description of the rules:

1. SSL VPN Access to Web Portal – allows access to the web portal for authentication of connecting remote clients
2. VPN traffic – allows traffic between the remote clients and the head office network
3. Basic Internet – allows the dns, ping, traceroute and ntp applications. The firewall allows applications based on signatures, decoding and heuristics rather than on port numbers and protocols, which is why the Service field contains application-default, the default port/protocol for the application
4. Web Access – allows access to the Internet over HTTP and HTTPS without application control
5, 6. Default rules for all other traffic.

Figure 8 – Example of network policy configuration

To configure NAT, use Policies -> NAT. An example NAT configuration is shown in Figure 9.

Figure 9 – Example NAT configuration

For all traffic from the internal network to the external one, the source address is translated to the external IP address of the firewall, with dynamic port translation (PAT).

4. Configuring the LDAP Authentication Profile and the User Identification function
Before connecting users over SSL VPN, you must configure the authentication mechanism. In this example, authentication is performed against the Active Directory domain controller and is configured through the Palo Alto Networks web interface.

Figure 10 – LDAP profile

For authentication to work, you must configure an LDAP Profile and an Authentication Profile. In Device -> Server Profiles -> LDAP (Fig. 10) specify the IP address and port of the domain controller, the LDAP type and a user account that is a member of the groups Server Operators, Event Log Readers and Distributed COM Users. Then in Device -> Authentication Profile create an authentication profile (Fig. 11), select the previously created LDAP Profile and, on the Advanced tab, specify the user groups (Fig. 12) that are allowed remote access. Pay attention to the User Domain parameter in the profile; without it, group-based authorization will not work. The field must contain the NetBIOS name of the domain.

Figure 11 – Authentication profile

Figure 12 – AD group selection

The next stage is configuring Device -> User Identification. Here you specify the IP address of the domain controller and the connection credentials, and enable Enable Security Log, Enable Session and Enable Probing (Figure 13). In the Group Mapping section (Figure 14) specify the parameters for searching objects in LDAP and the list of groups that will be used for authorization. As in the Authentication Profile, the User Domain parameter must be set here.

Figure 13 – User mapping settings

Figure 14 – Group Mapping settings

The final step of this stage is to create the VPN zone and the interface for that zone. The Enable User Identification option must be enabled on the zone (Figure 15).
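The LDAP server profile and authentication profile of this section as PAN-OS 7.1 CLI commands, followed by the operational-mode checks a practitioner runs before exposing the portal. This is an added example, not configuration from the original article: the domain example.local / EXAMPLE, the domain controller address, the service account and group names are placeholders, lines starting with `#` are comments, and the node names were taken from PAN-OS 7.1 (confirm with `?` in configure mode on other releases). Two choices differ from the screenshots: the profile uses LDAPS on port 636 rather than cleartext 389, and the bind account is a separate read-only account, since the Server Operators, Event Log Readers and Distributed COM Users memberships mentioned above are needed by User-ID log monitoring and not by the LDAP bind itself:

```panos
configure
# LDAP server profile: domain controller over LDAPS, AD schema, read-only bind account
set shared server-profile ldap AD-LDAP server dc1 address 192.168.10.10 port 636
set shared server-profile ldap AD-LDAP ldap-type active-directory base "DC=example,DC=local"
set shared server-profile ldap AD-LDAP bind-dn "CN=svc-ldap-bind,OU=Service Accounts,DC=example,DC=local" bind-password "REPLACE-ME"
set shared server-profile ldap AD-LDAP ssl yes
# Authentication profile: LDAP method, sAMAccountName as login attribute, NetBIOS user domain,
# allow-list limited to the VPN group (written the way Group Mapping reports it, not as "Domain Users")
set shared authentication-profile AD-Auth method ldap server-profile AD-LDAP login-attribute sAMAccountName
set shared authentication-profile AD-Auth user-domain EXAMPLE
set shared authentication-profile AD-Auth allow-list [ "cn=vpn-users,ou=groups,dc=example,dc=local" ]
# User-ID on the VPN zone so GlobalProtect logins show up as usernames in policy and logs
set zone vpn enable-user-identification yes
commit
exit
# Checks in operational mode: the group must appear in the Group Mapping result with members,
# and a test login must succeed against the profile before the portal is published
show user group list
show user group name "cn=vpn-users,ou=groups,dc=example,dc=local"
test authentication authentication-profile AD-Auth username jdoe password
show user ip-user-mapping all
```

If `test authentication` succeeds but the user is still rejected at the portal, the allow-list entry usually does not match the group name exactly as `show user group list` prints it, or User Domain is missing, which is the failure the article warns about.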

Figure 15 – VPN zone configuration

5. Configuring SSL VPN

Before connecting to the SSL VPN, remote users must open the web portal, authenticate and download the GlobalProtect Client. The client then asks for credentials and connects to the corporate network. The web portal runs over HTTPS, so a certificate must be installed on it. Using a publicly trusted certificate is preferable, because then users receive no warnings about an invalid site certificate. If a public certificate cannot be used, you will have to issue your own certificate for the HTTPS page. It can be self-signed or issued by an internal certificate authority. The remote computer must have the root certificate, or the self-signed certificate, in its list of trusted authorities so that the user does not get an error when connecting to the web portal. This example uses a certificate issued by Active Directory Certificate Services.

To issue the certificate, create a certificate signing request in Device -> Certificate Management -> Certificates -> Generate. In the request, specify the certificate name and the IP address or FQDN of the web portal (Figure 16). After creating the request, download the .csr file and paste its contents into the certificate request form of the AD CS Web Enrollment page. Depending on how the certificate authority is configured, the request may have to be approved; the certificate is then downloaded in Base64 Encoded Certificate format. You must also download the root certificate of the certificate authority. Then import both certificates into the firewall. When importing the web portal certificate, select the pending request and click Import; the certificate name must match the name specified earlier in the request. The name of the root certificate can be arbitrary. After importing the certificates, create an SSL/TLS Service Profile in Device -> Certificate Management and specify the previously issued certificate in it.

Figure 16 – Certificate request

The next step is to configure the GlobalProtect Gateway and GlobalProtect Portal objects in Network -> GlobalProtect. In the GlobalProtect Gateway settings, specify the external IP address of the firewall, the previously created SSL Profile and Authentication Profile, the tunnel interface and the client IP settings. You must specify a pool of IP addresses from which clients are assigned addresses, and the Access Routes, the subnets to which the user will have a route. If the goal is to pass all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Fig. 17).

Figure 17 – Configuring the IP address pool and routes

Then configure the GlobalProtect Portal. Specify the IP address of the firewall, the SSL Profile and Authentication Profile, and the list of external IP addresses of the firewalls (gateways) to which the user can connect. If there are several firewalls, you can set a priority for each one, according to which the client chooses the firewall to connect to.

In Device -> GlobalProtect Client, download the VPN client distributed from the Palo Alto Networks servers and activate it. To connect, the user opens the web portal page, where they are prompted to download the GlobalProtect Client. After downloading and installing it, the user enters their credentials and connects to the organization's network over SSL VPN.
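The certificate import and SSL/TLS Service Profile steps of this section from the PAN-OS CLI, as an added example that is not from the original article. The SCP host, file paths and certificate names are placeholders, and lines starting with `#` are comments. The portal certificate is imported under the same name as the pending request so that it is paired with the key generated on the firewall, exactly as in the web interface flow above. One setting the article leaves at its default is the protocol range of the SSL/TLS Service Profile; the example raises the minimum to TLS 1.2, since the portal and gateway are exposed to the Internet:

```panos
# Operational mode: the CA-signed portal certificate (name matches the pending request) and the AD CS root
scp import certificate from admin@192.168.10.50:/certs/vpn-portal.cer certificate-name vpn-portal format pem
scp import certificate from admin@192.168.10.50:/certs/adcs-root.cer certificate-name adcs-root format pem
configure
# Profile used by both the GlobalProtect Portal and Gateway; TLS 1.0/1.1 are refused
set shared ssl-tls-service-profile GP-TLS certificate vpn-portal
set shared ssl-tls-service-profile GP-TLS protocol-settings min-version tls1-2 max-version max
commit
exit
# After the portal and gateway are configured, connected users and their assigned pool addresses
show global-protect-gateway current-user
```

Clients that reject the connection after this change are negotiating TLS 1.0 or 1.1; the fix is on the client side, since an Internet-facing portal that still accepts those versions is the weaker setting.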

Conclusion

This completes the Palo Alto Networks part of the configuration. We hope the material was useful and that readers have gained an understanding of the technologies used by Palo Alto Networks. If you have questions about the configuration or suggestions for topics for future articles, write in the comments; we will be glad to answer.

Source: www.hab.com
