Hello, colleagues! Today I would like to discuss a topic that is highly relevant to many Check Point administrators: CPU and RAM optimization. It is not unusual for a gateway or management server to consume unexpectedly large amounts of these resources, and we would like to understand where they are "leaking" and, where possible, use them more effectively.
1. Analysis
To analyze processor load, the following commands, entered in expert mode, are useful:
top - all processes, the amount of CPU and RAM resources they consume (in percent), uptime, process priority, and
cpwd_admin list - the Check Point WatchDog daemon; shows all of the appliance's modules, their PIDs, status and number of starts
cpstat -f cpu os - CPU usage, the number of CPUs and the distribution of processor time (in percent)
cpstat -f memory os - virtual RAM usage, the amount of active RAM, free RAM, and so on
It is worth noting that everything the cpstat commands report can also be viewed with the cpview utility. To do so, simply enter the cpview command from any mode in an SSH session.
ps auxwf - a long list of all processes with their IDs, the virtual memory and RAM they occupy, and CPU
Another variation of the command:
ps -aF - shows the most expensive process
fw ctl affinity -l -a - the distribution of cores across the different firewall instances, that is, the CoreXL technology
fw ctl pstat - RAM analysis and general indicators for connections, cookies and NAT
free -m - RAM buffers
The netstat command and its variations deserve special attention. For example, netstat -i helps with monitoring interface buffers. The RX dropped packets (RX-DRP) parameter in this command's output tends to grow on its own because of drops of illegitimate protocols (IPv6, bad / unintended VLAN tags, and so on). However, if drops occur for some other reason, you need to use this
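
Because RX-DRP is a cumulative counter that creeps up on its own, what matters is how fast it grows relative to received traffic. The following added example (not part of the original article) compares two netstat -i snapshots; the snapshots are constructed sample data, and the rx_drop_delta name and the 1% default threshold are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: RX-DRP growth between two `netstat -i` snapshots.
# Both snapshots are constructed sample data, not output from a real gateway.
SNAP_T0='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 1000000      0    100      0  900000      0      0      0 BMRU
eth1   1500   0 5000000      0   2000      0 4800000      0      0      0 BMRU
lo    16436   0   30000      0      0      0   30000      0      0      0 LRU'
SNAP_T1='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 1200000      0    104      0 1100000      0      0      0 BMRU
eth1   1500   0 5400000      0  14000      0 5100000      0      0      0 BMRU
lo    16436   0   31000      0      0      0   31000      0      0      0 LRU'

# rx_drop_delta OLD NEW [THRESHOLD_PCT]   (hypothetical helper name)
# Prints "<iface> <new_drops> <new_rx_ok> <drop_pct>" for every interface whose
# drops since OLD exceed THRESHOLD_PCT percent of the packets seen since OLD.
# Assumption: dropped packets are not included in RX-OK, so the denominator
# is new RX-OK plus new RX-DRP.
rx_drop_delta() {
    printf '%s\n---\n%s\n' "$1" "$2" | LC_ALL=C awk -v thr="${3:-1}" '
    $0 == "---" { second = 1; next }
    $1 == "Iface" {
        # Locate columns by name: some net-tools builds omit the Met column.
        for (i = 1; i <= NF; i++) {
            if ($i == "RX-OK") ok = i
            if ($i == "RX-DRP") drp = i
        }
        next
    }
    !ok || NF < drp { next }            # title line or truncated line
    !second { ok0[$1] = $ok; drp0[$1] = $drp; next }
    ($1 in ok0) {
        d_ok = $ok - ok0[$1]; d_drp = $drp - drp0[$1]
        if (d_drp < 0 || d_ok + d_drp <= 0) next   # counter reset or idle
        pct = d_drp * 100 / (d_ok + d_drp)
        if (pct > thr) printf "%s %d %d %.2f\n", $1, d_drp, d_ok, pct
    }'
}

# On a gateway the two arguments would be "$(netstat -i)" taken some minutes apart.
rx_drop_delta "$SNAP_T0" "$SNAP_T1"
```

In the sample, eth0 gains only 4 drops against 200000 received packets and stays quiet, while eth1 is reported because its drops are rising much faster than background noise would explain.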
If the Monitoring blade is enabled, you can view these metrics graphically in SmartConsole by clicking the object and selecting "Device & License Information".
Keeping the Monitoring blade enabled permanently is not recommended, but enabling it for a day or so for testing is perfectly fine.
You can also add more parameters to monitor; one of them, Bytes Throughput (the throughput of the appliance), is very useful.
If you have some other free monitoring system,
2. RAM "leaks" over time
The question often comes up of why, over time, the gateway or management server starts consuming more RAM. Let me reassure you: this is normal for Linux-like systems.
By looking at the output of the free -m and cpstat -f memory os commands on the appliance in expert mode, you can calculate and view all the RAM-related parameters.
In practice, the memory available on the gateway at a given moment is Free Memory + Buffers Memory + Cached Memory = ±1.5 GB, as a rule.
According to Check Point, over time the gateway / management server optimizes itself and uses more and more memory, reaching roughly 80% utilization and stopping there. You can reboot the device, and the indicator will reset. 1.5 GB of free RAM is definitely enough for the gateway to perform all of its tasks, and the management server rarely reaches such threshold values.
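
The Free + Buffers + Cached sum described above can be computed directly from free -m output, which shows why the "used" figure alone looks like a leak. This is an added example, not code from the original article; the sample output is constructed and the mem_summary name is hypothetical.

```sh
#!/bin/sh
# Added example: memory actually available versus the naive "used" figure.
# SAMPLE_FREE is constructed `free -m` output in the legacy procps layout.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          7872       7405        467          0        312       5034
-/+ buffers/cache:       2059       5813
Swap:         8191          0       8191'

# mem_summary: reads `free -m` text on stdin and prints
#   "<available_mb> <naive_used_pct> <real_used_pct>"
# where available = free + buffers + cached, naive_used_pct is the "used"
# column as a share of total, and real_used_pct excludes buffers and cache.
mem_summary() {
    awk '
    NR == 1 {
        # The header row has no label column, so a data field sits one
        # position to the right of its header name.
        for (i = 1; i <= NF; i++) col[$i] = i + 1
        next
    }
    $1 == "Mem:" {
        total = $(col["total"]); used = $(col["used"]); free = $(col["free"])
        if ("buffers" in col)             # legacy layout: two columns
            cache = $(col["buffers"]) + $(col["cached"])
        else if ("buff/cache" in col)     # newer procps-ng layout: one column
            cache = $(col["buff/cache"])
        else
            exit 2                        # unknown layout
        avail = free + cache
        printf "%d %d %d\n", avail, int(used * 100 / total),
               int((total - avail) * 100 / total)
        found = 1
    }
    END { if (!found) exit 1 }
    '
}

# On a gateway: free -m | mem_summary
printf '%s\n' "$SAMPLE_FREE" | mem_summary
```

For the sample, the naive figure is 94% used while only 26% is memory the kernel cannot hand back, which is the pattern the text describes as normal.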
The output of the commands mentioned above also shows how much Low memory (RAM in user space) and High memory (RAM in kernel space) is in use.
Kernel processes (including active modules such as the Check Point kernel modules) use only Low memory. User processes, however, can use both Low and High memory. Moreover, Low memory is approximately equal to Total memory.
You only need to worry if the logs contain errors such as "modules reboot or processes being killed to reclaim memory due to OOM (Out of memory)". In that case, reboot the gateway, and contact support if the reboot does not solve the problem.
A full description can be found at the following location:
3. Optimization
Below are questions and answers on CPU and RAM optimization. Answer them honestly for yourself and pay attention to the recommendations.
3.1. Was the appliance chosen correctly? Was there a pilot project?
Even with proper sizing, the network may simply have grown, and this equipment can no longer cope with the load. The second possibility is that there was no sizing as such.
3.2. Is HTTPS inspection enabled? If so, is the technology configured according to best practice?
Refer to
The order of rules in the HTTPS inspection policy matters a great deal for optimizing the opening of HTTPS sites.
Recommended rule order:
- Bypass rules with categories/URLs
- Inspect rules with categories/URLs
- Inspect rules for all other categories
As with the firewall policy, Check Point looks for a packet match from top to bottom, so it is best to place bypass rules at the top: the gateway then does not waste resources running through all the rules when the packet should simply be passed.
3.3. Are address-range objects used?
Objects with an address range, for example the network 192.168.0.0-192.168.5.0, consume significantly more RAM than 5 network objects. In general, it is good practice to delete unused objects in SmartConsole, because every time a policy is installed the gateway and management server spend resources and, most importantly, time on verifying and applying the policy.
3.4. How is the Threat Prevention policy configured?
First of all, Check Point recommends moving IPS into a separate profile and creating separate rules for this blade.
For example, an administrator decides that the DMZ segment should be protected by IPS only. To keep the gateway from wasting resources on processing packets with other blades, create a rule specifically for this segment with a profile in which only IPS is enabled.
As for profile settings, it is recommended to configure them according to the best practices in this article.
3.5. How many signatures are in Detect mode in the IPS settings?
It is recommended to work through the signatures carefully, in the sense of disabling the unused ones (for example, signatures for the exploitation of Adobe products require a lot of computing power, and if the customer has no such products, it makes sense to disable those signatures). Next, set Prevent instead of Detect wherever possible: in Detect mode the gateway spends resources on processing the entire connection, whereas in Prevent mode it drops the connection immediately and does not waste resources on fully processing the packet.
3.6. Which files are processed by the Threat Emulation, Threat Extraction and Anti-Virus blades?
There is no point in emulating and analyzing files with extensions that your users do not download or that you consider unnecessary on your network (for example, bat and exe files can easily be blocked with the Content Awareness blade at the firewall level, so fewer gateway resources are spent). In addition, the Threat Emulation settings let you choose the Environment (operating system) in which threats are emulated in the sandbox, and choosing the Windows 10 environment when all users work with version 7 makes no sense either.
3.7. Are the firewall and Application-layer rules arranged according to best practice?
If a rule has a large number of hits (matches), it is recommended to place it at the very top, and rules with few hits at the very bottom. The important thing is to make sure they do not intersect or overlap one another. Recommended firewall policy architecture:
Explanations:
First Rules - the rules with the most matches are placed here
Noise Rule - a rule for dropping spurious traffic such as NetBIOS
Stealth Rule - prohibits all access to the gateways and management except from the sources specified in the Authentication to Gateway rules
Clean-Up, Last and Drop Rules are usually combined into one rule that prohibits everything that was not allowed earlier
The best practices are described at the following location:
3.8. What settings do the services created by administrators have?
For example, if a TCP service is created on a specific port, it makes sense to clear the "Match for Any" checkbox in the service's Advanced settings. The service will then match specifically the rule in which it appears and will not take part in rules that have Any in the Services column.
Speaking of services, it is worth mentioning that timeouts sometimes need adjusting. This setting lets gateway resources be used more intelligently, so that TCP/UDP sessions are not held longer than necessary for protocols that do not need a long timeout. For example, in the screenshot below I changed the timeout of the domain-udp service from 40 seconds to 30 seconds.
3.9. Is SecureXL used, and what is the acceleration percentage?
You can check how well SecureXL is working with the main commands in expert mode on the gateway: fwaccel stat and fwaccel stats -s. Next, you need to work out what kind of traffic is being accelerated and which additional templates can be created.
Drop Templates are not enabled by default; enabling them has a positive effect on SecureXL operation. To do so, go to the gateway settings and open the Optimizations tab.
Also, when working with a cluster, you can disable synchronization of non-critical services such as UDP DNS, ICMP and others in order to optimize CPU usage. To do so, go to the service settings → Advanced → Synchronize connections if State Synchronization is enabled on the cluster.
All of the best practices are described in the following:
3.10. How is CoreXL used?
CoreXL technology, which allows multiple CPUs to be used for firewall instances (firewall modules), definitely helps optimize device performance. First of all, the fw ctl affinity -l -a command shows the firewall instances in use and the processors assigned to the SND (the module that distributes traffic to the firewall instances). If not all processors are in use, they can be added with the cpconfig command on the gateway.
Also, a good idea is the following
In conclusion, these are not all of the best practices for optimizing Check Point, but they are the most common ones. If you would like to request an audit of your security policy or resolve a Check Point issue, please contact us.
Thank you!
Source: habr.com