Palo Alto Networks Setup: SSL VPN

Despite all the advantages of Palo Alto Networks firewalls, there is little material on RuNet about configuring these devices, or articles describing hands-on experience with them. We decided to summarize the material we have accumulated while working with this vendor's equipment and describe the specifics we ran into on various projects.

As an introduction to Palo Alto Networks, this article covers the configuration needed to solve one of the most common firewall tasks: remote-access SSL VPN. Along the way we will also cover the auxiliary functions used for general firewall configuration, user identification, applications, and security policies. If the topic interests readers, we will later publish material on Site-to-Site VPN, dynamic routing, and centralized management with Panorama.

Palo Alto Networks firewalls use several distinctive technologies, including App-ID, User-ID, and Content-ID. Using this functionality lets you achieve a high level of security. For example, App-ID makes it possible to identify application traffic based on signatures, decoding, and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID lets you identify network users through LDAP integration. Content-ID enables scanning of traffic and identification of transmitted files and their contents. Other firewall functions include intrusion prevention, protection against vulnerability exploitation and DoS attacks, anti-spyware, URL filtering, clustering, and centralized management.

For the demonstration, we will use an isolated lab with a configuration identical to a real one, except for the device names, the AD domain name, and the IP addresses. In reality, everything is more complicated: there may be many branches. In that case, instead of a single firewall, a cluster would be deployed at the border of the central site, and dynamic routing may also be required.

PAN-OS 7.1.9 is used for the demonstration. As a typical configuration, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. An Active Directory domain will be used as the user database (Figure 1).

Figure 1 - Block diagram

Setup:

  1. Device pre-configuration: setting the name, management IP address, static routes, administrator accounts, management profiles
  2. Installing licenses, checking for and installing updates
  3. Configuring security zones, network interfaces, traffic policies, address translation
  4. Configuring the LDAP authentication profile and the User Identification feature
  5. Configuring SSL VPN

1. Pre-configuration

The main tool for configuring a Palo Alto Networks firewall is the web interface; management via the CLI is also possible. By default, the management interface is assigned the IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from the same network, or with the command set deviceconfig system ip-address <> netmask <>. It is executed in configuration mode. To switch to configuration mode, use the command configure. All changes on the firewall take effect only after they are confirmed with the command commit, both on the command line and in the web interface.

To change settings in the web interface, use the Device -> General Settings and Device -> Management Settings sections. The name, banners, time zone, and other settings are set in the General Settings section (Fig. 2).

Figure 2 - Management interface parameters

If you run the firewall as a virtual machine in an ESXi environment, in the General Settings section you must enable the use of the MAC address assigned by the hypervisor, or configure the MAC addresses specified on the firewall interfaces on the hypervisor, or change the virtual switch settings to allow MAC address changes. Otherwise, traffic will not pass.

The management interface is configured separately and is not shown in the list of network interfaces. The Management Interface Settings section specifies the default gateway for the management interface. Other static routes are configured in the virtual routers section; this will be discussed later.

To allow access to the device through other interfaces, you must create a management profile in the Network -> Network Profiles -> Interface Mgmt section and assign it to the appropriate interface.

Next, configure DNS and NTP in the Device -> Services section so that the firewall can receive updates and show the correct time (Fig. 3). By default, all traffic generated by the firewall itself uses the management interface's IP address as its source IP. You can assign a different interface to each specific service in the Service Route Configuration section.

Figure 3 - DNS, NTP and service route parameters

2. Installing licenses, checking for and installing updates

To use all of the firewall's functions, you must activate a license. You can use a trial license by requesting it from Palo Alto Networks partners. Its validity period is 30 days. The license is activated via a file or using an Auth-Code. Licenses are configured in the Device -> Licenses section (Fig. 4).
After installing the license, configure the installation of updates in the Device -> Dynamic Updates section.
In the Device -> Software section you can download and install new versions of PAN-OS.

Figure 4 - License control panel

3. Configuring security zones, network interfaces, traffic policies, address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. Network interfaces are assigned to a particular zone, and that zone is what the traffic rules reference. This approach means that when interfaces change in the future, the traffic rules do not have to be changed; instead, the required interfaces are simply reassigned to the appropriate zones. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 - Security zones

In this example, the interface on the internal network is assigned to the internal zone, and the interface facing the Internet is assigned to the external zone. For SSL VPN, a tunnel interface was created and assigned to the vpn zone (Fig. 5).

Palo Alto Networks firewall network interfaces can operate in five modes:

  • Tap - used to collect traffic for monitoring and analysis
  • HA - used for clustering
  • Virtual Wire - in this mode, Palo Alto Networks pairs two interfaces and passes traffic between them without changing MAC or IP addresses
  • Layer2 - switch mode
  • Layer3 - router mode

Figure 6 - Configuring network interface parameters

In this example, Layer3 mode will be used (Fig. 6). The network interface parameters specify the IP address, the interface mode, and the security zone. In addition to the interface mode, the interface must be assigned to a Virtual Router, which is the VRF analogue in Palo Alto Networks. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings specify static routes and routing protocol settings. In this example, only the default route for access to external networks has been created (Fig. 7).

Figure 7 - Configuring the virtual router

The next configuration step is the traffic policies, in the Policies -> Security section. An example configuration is shown in Figure 8. The logic of these rules is the same as on any firewall: rules are evaluated from top to bottom until the first match. A brief description of the rules:

1. SSL VPN Access to Web Portal - allows access to the web portal so that remote connections can authenticate
2. VPN Traffic - allows traffic between remote connections and the head office
3. Internet Basic - allows the dns, ping, traceroute, and ntp applications. The firewall identifies applications by signatures, decoding, and heuristics rather than by port numbers and protocols, which is why the Service field is set to application-default, i.e. the port/protocol that is standard for each application
4. Web Access - allows Internet access over the HTTP and HTTPS protocols without application control
5,6. Rules for other traffic.

Figure 8 - Example security rule configuration
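To make the matching logic of the rulebase above concrete, here is an added example (not code from the article or from Palo Alto Networks) that models rules 1-4, first-match evaluation, and the implicit intrazone-default / interzone-default rules; the zone names, the App-ID port table, and the flows are assumptions constructed for the example. It also shows why rule 4, which has no application control, lets any application through on tcp/443.

```python
from collections import namedtuple

# Constructed subset of App-ID standard ports, i.e. what "application-default"
# resolves to for each application (the real database is far larger).
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)}, "ntp": {("udp", 123)},
    "ping": {("icmp", 0)}, "traceroute": {("udp", 33434)},
    "web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)},
}

# app: the application as already classified by App-ID (assumed known here)
Flow = namedtuple("Flow", "src_zone dst_zone app proto dport")
# apps {"any"} matches every application; service is "any",
# "application-default", or an explicit set of (proto, port) pairs
Rule = namedtuple("Rule", "name src dst apps service action")

def matches(r: Rule, f: Flow) -> bool:
    if "any" not in r.src and f.src_zone not in r.src:
        return False
    if "any" not in r.dst and f.dst_zone not in r.dst:
        return False
    if "any" not in r.apps and f.app not in r.apps:
        return False
    if r.service == "any":
        return True
    if r.service == "application-default":
        # the application must arrive on its own standard port/protocol
        return (f.proto, f.dport) in APP_DEFAULT_PORTS.get(f.app, set())
    return (f.proto, f.dport) in r.service

# Rules 1-4 of the article as modelled here; zone names are assumptions.
RULEBASE = [
    Rule("SSL VPN Access to Web Portal", {"external"}, {"external"},
         {"ssl"}, "application-default", "allow"),
    Rule("VPN Traffic", {"vpn"}, {"internal"}, {"any"}, "any", "allow"),
    Rule("Internet Basic", {"internal"}, {"external"},
         {"dns", "ping", "traceroute", "ntp"}, "application-default", "allow"),
    Rule("Web Access", {"internal"}, {"external"}, {"any"},
         {("tcp", 80), ("tcp", 443)}, "allow"),
]

def evaluate(flow: Flow, rules=RULEBASE):
    """Return (rule name, action): first match from the top, otherwise the
    predefined intrazone-default (allow) / interzone-default (deny) rule."""
    for r in rules:
        if matches(r, flow):
            return r.name, r.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"
```

DNS sent to an external host on tcp/8053 fails application-default in rule 3, misses rule 4, and ends in interzone-default deny; ssh on tcp/443 from the internal zone is allowed by rule 4 because it has no application control.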

To configure NAT, use the Policies -> NAT section. An example NAT configuration is shown in Figure 9.

Figure 9 - Example NAT configuration

For all traffic from the internal zone to the external zone, the source address is translated to the firewall's external IP address using port address translation (PAT).

4. Configuring the LDAP authentication profile and the User Identification feature

Before connecting users via SSL VPN, you must configure the authentication mechanism. In this example, authentication will be performed against an Active Directory domain controller, configured through the Palo Alto Networks web interface.

Figure 10 - LDAP profile

For authentication to work, you must configure an LDAP Profile and an Authentication Profile. In the Device -> Server Profiles -> LDAP section (Fig. 10), specify the IP address and port of the domain controller, the LDAP type, and a user account that is a member of the Server Operators, Event Log Readers, and Distributed COM Users groups. Then, in the Device -> Authentication Profile section, create an authentication profile (Fig. 11), specify the previously created LDAP Profile, and on the Advanced tab select the group of users (Fig. 12) who are allowed remote access. Pay attention to the User Domain parameter in the profile, otherwise group-based authorization will not work. This field must contain the NetBIOS domain name.

Figure 11 - Authentication profile

Figure 12 - AD group selection

The next step is configuring Device -> User Identification. Here you specify the IP address of the domain controller and the connection credentials, and enable the Enable Security Log, Enable Session, and Enable Probing settings (Fig. 13). In the Group Mapping section (Fig. 14), specify the parameters for identifying objects in LDAP and the list of groups that will be used for authorization. As in the Authentication Profile, the User Domain parameter must be set here as well.

Figure 13 - User Mapping parameters

Figure 14 - Group Mapping parameters

The last step in this section is creating the VPN zone and the interface for that zone. The Enable User Identification option must be enabled in the zone settings (Fig. 15).

Figure 15 - Configuring the VPN zone

5. Configuring SSL VPN

Before connecting to the SSL VPN, a remote user must open the web portal, authenticate, and download the Global Protect client. The client then asks for credentials and connects to the corporate network. The web portal runs over https, so a certificate must be installed on it. Use a publicly trusted certificate if possible; then the user will not get a warning about an untrusted certificate on the portal. If a public certificate cannot be used, you must issue your own, which will be used on the https page. It can be self-signed or issued by a local certificate authority. The remote computer must have the root or self-signed certificate in its list of trusted root certificates, otherwise the user will get an error when connecting to the web portal. This example uses a certificate issued through Active Directory Certificate Services.

To issue a certificate, create a certificate request in the Device -> Certificate Management -> Certificates -> Generate section. In the request, specify the certificate name and the IP address or FQDN of the web portal (Fig. 16). After creating the request, download the .csr file and copy its contents into the certificate request field of the AD CS Web Enrollment web form. Depending on how the certificate authority is configured, the request may have to be approved; the issued certificate is then downloaded as a Base64 Encoded Certificate. In addition, download the certificate authority's root certificate. Then both certificates must be imported into the firewall. When importing the web portal certificate, select the pending request and click Import. The certificate name must match the name specified earlier in the request. The root certificate name can be chosen arbitrarily. After importing the certificates, create an SSL/TLS Service Profile in the Device -> Certificate Management section and specify the imported portal certificate in it.

Figure 16 - Certificate request

Next, configure the Global Protect Gateway and Global Protect Portal objects in the Network -> Global Protect section. In the Global Protect Gateway settings, specify the firewall's external IP address, as well as the previously created SSL Profile, Authentication Profile, tunnel interface, and the client IP settings. You must define the pool of IP addresses from which client addresses will be assigned, and the Access Route, i.e. the subnets for which the client will receive routes. If the goal is to send all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Fig. 17).

Figure 17 - Configuring the IP address pool and routes
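An added example (not code from the article or from Palo Alto Networks) of the Access Route semantics described above: which destinations a client sends into the tunnel, with 0.0.0.0/0 as the full-tunnel case, plus a sanity check of the gateway definition. The pool, routes, and corporate subnets are constructed values, and the overlap check is an added caveat: a client pool that overlaps a corporate subnet causes routing conflicts for those clients.

```python
import ipaddress

def _nets(cidrs):
    """Parse a list of CIDR strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def is_tunneled(dst, access_routes):
    """True if the client would send dst into the tunnel. Access Routes are the
    subnets the client gets routes for; 0.0.0.0/0 tunnels every destination."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in _nets(access_routes))

def check_gateway(pool, access_routes, corporate_nets):
    """Sanity-check a gateway definition; returns a list of problems (empty = ok).
    corporate_nets are the subnets remote users must reach (assumed input)."""
    findings = []
    pool_net = ipaddress.ip_network(pool, strict=False)
    routes = _nets(access_routes)
    for net in _nets(corporate_nets):
        # a pool that overlaps a corporate subnet breaks routing for those clients
        if pool_net.overlaps(net):
            findings.append(f"client pool {pool_net} overlaps corporate subnet {net}")
        # a corporate subnet outside every Access Route is unreachable via the VPN
        if not any(net.subnet_of(r) for r in routes):
            findings.append(f"corporate subnet {net} is not covered by any Access Route")
    return findings
```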

Then configure the Global Protect Portal. Specify the firewall's IP address, the SSL Profile and Authentication Profile, and the list of external IP addresses of the firewalls the client may connect to. If there are several firewalls, you can assign a priority to each one, which determines the order in which clients choose a firewall to connect to.

In the Device -> GlobalProtect Client section, download the VPN client package from the Palo Alto Networks servers and activate it. To connect, the user opens the web portal, where they are prompted to download the GlobalProtect Client. After downloading and installing it, the user enters their credentials and connects to the corporate network over SSL VPN.

Conclusion

This concludes the Palo Alto Networks setup section. We hope this information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks firewalls. If you have questions about the configuration or suggestions for future article topics, leave them in the comments; we will be glad to answer.

Source: www.habr.com
