We continue our series of articles about NGFW for small businesses; let me remind you that we are reviewing the new 1500 series model range. In this article:
- VPN capabilities for SMB.
- Organizing Remote Access for a small office.
- Available connection clients.
1. VPN options for SMB
To meet today's requirements, the main options are:
- Site-to-Site. Building a VPN tunnel between your offices, so that users can work as if they were on the same "local" network.
- Remote Access. Remote connection to your office resources from end-user devices (PC, smartphone, etc.). In addition, there is SSL Network Extender, which lets you publish individual applications and run them through a Java applet, connecting over SSL. Note: not to be confused with Mobile Access Portal (not supported on Gaia Embedded).
In addition, I highly recommend the course by the TS Solution author -
2. Remote Access for a small office
Let's start by setting up a remote connection to your office:
- For users to build a VPN tunnel to the gateway, you must have a public IP address. If you have already completed the initial setup (article 2 of the series), then, as a rule, the External Link is already working. You can check this in the Gaia Portal: Device → Network → Internet
If your company uses a dynamic public IP address, you can set up Dynamic DNS. Go to Device → DDNS & Device Access
Currently two providers are supported: DynDns and no-ip.com. To use the option you need to enter your credentials (login, password).
- Next, let's create a user account, which will be useful for testing the settings: VPN → Remote Access → Remote Access Users
In the group (for example: remoteaccess) we create a user following the instructions in the screenshot. The account setup is standard: set a login and password, and additionally enable the Remote Access permissions option.
If you have applied the settings successfully, two objects should appear: a local user and a local user group.
- The next step is to go to VPN → Remote Access → Blade Control. Make sure that your blade is enabled and that traffic from remote users is allowed.
- The above was the minimum set of steps for configuring Remote Access. But before testing the connection, let's review the advanced settings on the VPN → Remote Access → Advanced tab
According to the current settings, we see that when remote users connect, they receive an IP address from the 172.16.11.0/24 network, thanks to the Office Mode option. This is enough, with headroom, for using two hundred concurrent licenses (200 are shown for the Check Point NGFW).
The option "Route Internet traffic from connected clients through this gateway" is optional and routes all traffic from the remote user through the gateway (including Internet connections). This lets you inspect the user's traffic and protect their workstation from various threats and malware.
- Working with Remote Access access rules
After we have configured Remote Access, an access rule is created automatically at the Firewall level; to see it, go to the tab: Access Policy → Firewall → Policy
In this case, remote users who are members of the previously created group will be able to access all of the company's internal resources; note that the rule is in the general section "Incoming, Internal and VPN traffic". To allow VPN user traffic to the Internet, you will need to create a separate rule in the general section "Outgoing access to the Internet".
- Finally, we just need to make sure that the user can successfully build a VPN tunnel to our NGFW gateway and gain access to the company's internal resources. To do this, you need to install a VPN client on the host being tested; the download link is provided: Download. After installation, you will need to perform the standard procedure of adding a new site (specify the public IP address of your gateway). For convenience, the procedure is shown as a GIF
Once the connection has been established, let's check the received IP address on the client machine using the command in CMD: ipconfig
We made sure that the virtual network adapter received an IP address from the Office Mode pool of our NGFW, and the packets were sent successfully. To finish, we can go to the Gaia Portal: VPN → Remote Access → Connected Remote Users
The user "ntuser" is shown as connected; let's look at the connection event by going to Logs & Monitoring → Security Logs
The connection uses the IP address 172.16.10.1 as the source - this is the address our user received via Office Mode.
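Two checks a practitioner would want to script after the steps above: whether the Office Mode pool leaves headroom for the licensed concurrent users, and whether the source addresses seen in the Security Logs actually come from that pool. This is an added example, not code from the article or from Check Point; the log lines are constructed in a simplified key=value layout and the field names are assumptions.

```python
"""Added example (not part of the original article): check Office Mode
pool sizing and verify that connected remote users' source addresses
come from that pool, using constructed Security Log-style lines."""
import ipaddress
import re

# Office Mode pool from the Advanced tab and the licensed concurrent users.
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.11.0/24")
LICENSED_CONCURRENT_USERS = 200

# Constructed sample lines; the real Security Logs view carries more fields,
# but user and source address are what this check needs.
SAMPLE_LOG = """\
action=Accept user=ntuser src=172.16.11.5 blade=VPN
action=Accept user=alice src=172.16.11.77 blade=VPN
action=Accept user=bob src=10.20.30.40 blade=VPN
action=Accept user=ntuser src=172.16.11.5 blade=VPN
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def pool_headroom(pool=OFFICE_MODE_POOL, licensed=LICENSED_CONCURRENT_USERS):
    """Return (usable_addresses, spare) for the pool against the licence count."""
    usable = pool.num_addresses - 2  # network and broadcast are not handed out
    return usable, usable - licensed


def check_connections(log_text, pool=OFFICE_MODE_POOL):
    """Map each user to its source address and list users whose address is
    not from the Office Mode pool (worth investigating: wrong pool configured,
    NAT in the path, or a session that is not using Office Mode)."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sessions[m["user"]] = ipaddress.ip_address(m["src"])
    outside = sorted(u for u, a in sessions.items() if a not in pool)
    return sessions, outside


if __name__ == "__main__":
    usable, spare = pool_headroom()
    print(f"pool {OFFICE_MODE_POOL}: {usable} usable, {spare} spare beyond licence")
    sessions, outside = check_connections(SAMPLE_LOG)
    print(f"{len(sessions)} users connected; outside pool: {outside}")
```

A negative spare value means the pool cannot serve every licensed concurrent user, so the pool size in the Advanced tab should be widened.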
3. Supported Remote Access clients
Having reviewed the procedure for setting up a remote connection to your office using a Check Point NGFW from the SMB family, I would like to cover client support for different devices:
- Endpoint VPN for Windows/Mac OS
- Mobile Client (Android/iOS)
- L2TP Native Client (Check Point supports Microsoft's native VPN app).
The variety of supported operating systems and devices lets you take full advantage of the license that comes with the NGFW. To configure a specific device, there is a convenient "How to connect" option
It generates steps according to your settings, which lets administrators set up new clients without problems.
Conclusion: To summarize this article, we looked at the VPN capabilities of the Check Point SMB family NGFW. Next, we described the steps for setting up Remote Access, i.e. remote connection of employees to the office, and studied the monitoring tools. At the end of the article we discussed the available clients and connection options for Remote Access. Thus, your branch office will be able to ensure the continuity and security of employees' work using VPN technologies, despite various external threats and factors.
A large selection of Check Point materials from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).
Source: www.habr.com