Kwaziwai! Kugamuchirwa kuchidzidzo chechitanhatu chekosi ... Vhura isu takagona izvo zvekutanga zvekushanda neNAT tekinoroji pa , uye zvakare yakaburitsa mushandisi wedu webvunzo paInternet. Iye zvino yave nguva yekutarisira kuchengetedza kwemushandisi munzvimbo dzake dzakavhurika. Muchidzidzo chino tichatarisa kune anotevera ekuchengetedza profiles: Webhu Sefa, Kudzora Kwekushandisa, uye kuongorora kweHTTPS.
Kuti utange nemaprofile ekuchengetedza, isu tinofanirwa kunzwisisa chimwe chinhu: yekuongorora modes.
Iyo default ndeye Flow Based mode. Inotarisa mafaera sezvaanopfuura nepaFortiGate pasina buffer. Kana pakiti yasvika, inogadziriswa uye inotumirwa, pasina kumirira kuti faira yose kana peji yewebhu igamuchirwe. Inoda zviwanikwa zvishoma uye inopa kuita zviri nani pane Proxy mode, asi panguva imwe chete, kwete ese Chengetedzo mashandiro anowanikwa mairi. Semuenzaniso, Data Leak Prevention (DLP) inogona kushandiswa chete muProxy mode.
Proxy mode inoshanda zvakasiyana. Iyo inogadzira maviri TCP kubatana, imwe pakati pemutengi neFortiGate, yechipiri pakati peFortiGate uye sevha. Izvi zvinoibvumira kuchengetedza traffic, kureva kugamuchira faira rakazara kana peji rewebhu. Kutarisa mafaera ekutyisidzira kwakasiyana kunotanga chete mushure mekunge faira rese ravharwa. Izvi zvinokutendera kuti ushandise mamwe maficha asiri kuwanikwa muFlow based mode. Sezvauri kuona, iyi modhi inoita seyakapesana neFlow Based - chengetedzo inoita basa rakakura pano, uye kuita kunotora chigaro chekumashure.
Vanhu vanowanzobvunza: ndeipi nzira iri nani? Asi hapana general recipe pano. Zvose zvinogara zviri zvega uye zvinoenderana nezvido zvako nezvinangwa. Gare gare mukosi ini ndichaedza kuratidza mutsauko pakati pekuchengetedza profiles muFlow uye Proxy modes. Izvi zvichakubatsira iwe kuenzanisa kushanda uye kusarudza izvo zvakakunakira iwe.
Ngatifambei takananga kumaprofiles ekuchengetedza uye tanga tatarisa kuWebhu Sefa. Inobatsira kutarisa kana kutarisa kuti ndeapi mawebhusaiti anoshanyira. Ndinofunga kuti hapana chikonzero chekuenda zvakadzama mukutsanangura kudiwa kwechimiro chakadaro mumamiriro ezvinhu aripo. Ngatinzwisise zviri nani kuti zvinoshanda sei.
Pakangotangwa kubatana kweTCP, mushandisi anoshandisa chikumbiro cheGET kukumbira zvirimo zveimwe webhusaiti.
Kana sevha yewebhu inopindura zvakanaka, inotumira ruzivo nezve webhusaiti kumashure. Apa ndipo panopinda webhu sefa. Inoongorora zviri mumhinduro iyi.Panguva yekuongorora, FortiGate inotumira chikumbiro chenguva chaiyo kuFortiGuard Distribution Network (FDN) kuti ione chikamu chewebhusaiti yakapihwa. Mushure mekutarisa chikamu cheimwe webhusaiti, iyo webhu sefa, zvichienderana nemagadzirirwo, inoita chaiyo chiitiko.
Pane zviito zvitatu zvinowanikwa muFlow mode:
- Bvumira - bvumidza kupinda kune webhusaiti
- Block - vhara kupinda kune webhusaiti
- Monitor - bvumidza kupinda kune webhusaiti uye kurekodha mumatanda
MuProxy mode, zvimwe zviito zviviri zvinowedzerwa:
- Yambiro - ipa mushandisi yambiro kuti ari kuyedza kushanyira imwe sosi uye kupa mushandisi sarudzo - enderera kana kusiya webhusaiti.
- Tevedzera - Kumbira magwaro emushandisi - izvi zvinobvumira mamwe mapoka kuti awane zvikamu zvisingabvumirwe zvemawebhusaiti.
Panzvimbo iwe unogona kuona ese mapoka uye madiki ewebhu sefa, uye zvakare tsvaga kuti ndeipi chikamu cheimwe webhusaiti. Uye kazhinji, iyi inzvimbo yakanaka inobatsira yevashandisi veFortinet mhinduro, ini ndinokupa zano kuti uizive zvirinani munguva yako yemahara.
Pane zvishoma zvingataurwa nezve Application Control. Sezvinoratidzwa nezita racho, inokubvumira kudzora kushanda kwezvikumbiro. Uye anoita izvi achishandisa mapatani kubva kune akasiyana-siyana maapplication, anonzi masaini. Achishandisa masiginecha aya, anogona kuona imwe application uye oisa chimwe chiitiko kwairi:
- Bvumira - bvumira
- Monitor - bvumidza uye nyora izvi
- Kuvhara - kurambidza
- Quarantine - rekodha chiitiko mumatanda uye vhara iyo IP kero kwenguva yakati
Iwe unogona zvakare kuona masaini aripo pawebhusaiti .
Zvino ngatitarisei nzira yekuongorora yeHTTPS. Zvinoenderana nehuwandu pakupera kwa2018, chikamu cheHTTPS traffic chakapfuura 70%. Kureva kuti, pasina kushandisa HTTPS yekuongorora, isu tichakwanisa kuongorora chete inosvika makumi matatu muzana yetraffic inopfuura nepanetiweki. Chekutanga, ngatitarisei kuti HTTPS inoshanda sei mukukasharara kufungidzira.
Mutengi anotanga chikumbiro cheTLS kuwebhu server uye anogamuchira mhinduro yeTLS, uye zvakare anoona chitupa chedhijitari chinofanira kuvimbwa nacho kumushandisi uyu. Uhwu ndihwo hushoma hushoma hwatinoda kuziva nezve mashandiro eHTTPS; kutaura zvazviri, nzira yainoshanda nayo yakanyanya kuoma. Mushure mekubudirira kweTLS kubata maoko, kufambisa data kwakavharidzirwa kunotanga. Uye izvi zvakanaka. Hapana anogona kuwana iyo data yaunochinjana newebhu server.
Nekudaro, kuvashandi vekuchengetedza kambani iyi musoro chaiwo, sezvo vasingakwanise kuona traffic iyi uye kutarisa zvirimo kungave neantivirus, kana intrusion yekudzivirira system, kana DLP masisitimu, kana chero chinhu. Izvi zvinokanganisawo kunaka kwetsanangudzo yezvishandiso uye zviwanikwa zvewebhu zvinoshandiswa mukati metiweki - chaizvo zvine chekuita nemusoro wechidzidzo. HTTPS yekuongorora tekinoroji yakagadzirirwa kugadzirisa dambudziko iri. Hunhu hwayo hwakareruka - kutaura zvazviri, chishandiso chinoita HTTPS ongororo inoronga Murume Mukati kurwisa. Zvinotaridzika seizvi: FortiGate inobata chikumbiro chemushandisi, inoronga kubatana kweHTTPS nayo, yobva yavhura musangano weHTTPS nechishandiso icho mushandisi akawana. Muchiitiko ichi, chitupa chakapihwa neFortiGate chichaonekwa pakombuta yemushandisi. Inofanirwa kuvimbwa kuti browser ibvumire kubatana.
Muchokwadi, kuongorora kweHTTPS chinhu chakaoma uye chine zvakawanda zvinogumira, asi isu hatingatarise izvi mune ino kosi. Ini ndinongowedzera kuti kuita HTTPS yekuongorora haisi nyaya yemaminetsi; zvinowanzotora mwedzi. Izvo zvinodikanwa kuunganidza ruzivo pamusoro pezvinosarudzika zvinodikanwa, ita marongero akakodzera, kuunganidza mhinduro kubva kune vashandisi, uye kugadzirisa marongero.
Dzidziso yakapihwa, pamwe nechikamu chinoshanda, inoratidzwa muchidzidzo chevhidhiyo ichi:
Muchidzidzo chinotevera tichatarisa mamwe maprofile ekuchengetedza: antivirus uye intrusion kudzivirira system. Kuti usarasikirwe, tevera zvigadziriso pazviteshi zvinotevera:
Source: www.habr.com