7. NGFW for small business. Performance and general recommendations


It is time to finish the series of articles about the new generation of Check Point SMB appliances (the 1500 series). We hope it has been a rewarding experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is rarely covered, but it is no less important: SMB performance tuning. In it we discuss the hardware and software tuning options of the NGFW, describe the available commands and the ways of working with them.

All articles in the series about NGFW for small business:

  1. The new Check Point 1500 Security Gateway line

  2. Unboxing and setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. Cloud SMP management

  6. Smart-1 Cloud

At the moment there are not many sources of information about performance tuning of SMB solutions, because of the limitations of the embedded OS, Gaia 80.20 Embedded. In our article we use a design with centralized management (a dedicated Management Server), which lets you use additional tools when working with the NGFW.

Hardware

Before buying a Check Point SMB appliance, you can always ask your partner to use the Appliance Sizing Tool to select a suitable model for the described scenario (throughput, expected number of users, and so on).

Important notes when working with your NGFW hardware

  1. NGFW solutions of the SMB family cannot have their hardware components (CPU, RAM, HDD) upgraded; depending on the model, SD cards are supported, which lets you expand disk capacity, but not by much.

  2. The network interfaces need to be monitored. Gaia 80.20 Embedded does not have many monitoring tools, but you can always use the well-known command in the CLI via Expert mode.

    # ifconfig


    Pay attention to the error counters in the output (the errors fields on the RX packets and TX packets lines); they let you estimate the number of errors on the interface. It is recommended to check these values during the initial commissioning of your NGFW and periodically during operation.

  3. Full Gaia has the command:

    > show diag

    With it you can get information about the hardware temperature. Unfortunately, this option is not available in 80.20 Embedded; instead we list the most useful SNMP traps:

    Trap                          | Description
    ------------------------------|------------------------------------
    Interface disconnected        | An interface went down
    VLAN removed                  | A VLAN was removed
    High memory usage             | High RAM utilization
    Low disk space                | Not enough free HDD space
    High CPU usage                | High CPU utilization
    High CPU interrupt rate       | High interrupt rate
    High connection rate          | Excessive rate of new connections
    High concurrent connections   | High number of concurrent sessions
    High Firewall throughput      | High firewall throughput
    High accepted packet rate     | High packet reception rate
    Cluster member state changed  | Cluster state change
    Log server connection error   | Lost connection to the Log Server

  4. Your gateway's RAM needs monitoring. For Gaia (a Linux-like OS) it is a normal situation for RAM utilization to reach 70-80%.

    The design of the SMB solutions does not provide for SWAP memory, unlike older Check Point models. However, files were found in the Linux system that point to a theoretical possibility of changing the SWAP parameter.
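As an added example for notes 2 and 4 above (it is not code from the original article or from Check Point), the following POSIX shell script parses net-tools style ifconfig output for the RX/TX error counters and computes RAM usage from /proc/meminfo both with and without buffers and page cache, which is why a raw 70-80% figure is not by itself alarming. The ifconfig and meminfo samples are constructed; the interface names, addresses and memory figures are not from the article, and the classic net-tools column layout (errors: fields on the RX packets / TX packets lines) is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or Check Point): interface error counters
# and RAM usage. Both inputs below are constructed samples; on the appliance you
# would pipe the real command or file instead (see the calls at the bottom).

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:1C:7F:00:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:123456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98765 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

eth1      Link encap:Ethernet  HWaddr 00:1C:7F:00:00:02
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4321 errors:12 dropped:3 overruns:0 frame:12
          TX packets:4000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
'

SAMPLE_MEMINFO='MemTotal:        4046468 kB
MemFree:          412345 kB
Buffers:          210000 kB
Cached:          2300000 kB
SwapTotal:             0 kB
SwapFree:              0 kB'

# check_iface_errors THRESHOLD  < ifconfig-output
# Prints "iface rx_errors=N tx_errors=M" for every interface whose RX or TX
# "errors:" counter exceeds THRESHOLD. Exit status 1 if any were found, else 0.
check_iface_errors() {
    awk -v thr="${1:-0}" '
        /^[^ \t]/ { iface = $1; order[++n] = iface }          # a new interface block starts in column 1
        /RX packets:/ { for (i = 1; i <= NF; i++) if ($i ~ /^errors:/) { split($i, a, ":"); rx[iface] = a[2] } }
        /TX packets:/ { for (i = 1; i <= NF; i++) if ($i ~ /^errors:/) { split($i, a, ":"); tx[iface] = a[2] } }
        END {
            bad = 0
            for (k = 1; k <= n; k++) {
                i = order[k]
                if (rx[i] + 0 > thr || tx[i] + 0 > thr) {
                    printf "%s rx_errors=%d tx_errors=%d\n", i, rx[i], tx[i]
                    bad = 1
                }
            }
            exit bad
        }'
}

# mem_usage_pct MODE  < meminfo
# MODE "raw" counts everything that is not MemFree as used; MODE "apps" also
# subtracts Buffers and Cached, which the kernel gives back under memory pressure.
# Prints an integer percentage of MemTotal.
mem_usage_pct() {
    awk -v mode="$1" '
        /^MemTotal:/ { total = $2 }
        /^MemFree:/  { free  = $2 }
        /^Buffers:/  { buf   = $2 }
        /^Cached:/   { cache = $2 }
        END {
            used = total - free
            if (mode == "apps") used -= buf + cache
            printf "%d\n", used * 100 / total
        }'
}

# Stand-alone run on the constructed samples. On the appliance, in Expert mode:
#   ifconfig | check_iface_errors 0          mem_usage_pct apps < /proc/meminfo
printf '%s' "$SAMPLE_IFCONFIG" | check_iface_errors 0 || echo "-> interface errors above threshold"
echo "RAM used (raw): $(printf '%s\n' "$SAMPLE_MEMINFO" | mem_usage_pct raw)%"
echo "RAM used (excluding cache): $(printf '%s\n' "$SAMPLE_MEMINFO" | mem_usage_pct apps)%"
```

On the sample data the raw figure is 89% while processes actually hold 27%; a monitor that alerts on the raw number alone would page you on a healthy gateway, so compare the "apps" figure against your threshold and keep the raw one for trend graphs.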

Software part

At the time of publication the current Gaia version is 80.20.10. Be aware that there are limitations when working in the CLI: only some Linux commands are supported in Expert mode. Analyzing NGFW performance means analyzing the work of daemons and services; more about this can be found in my colleague's article. Here we look at the commands applicable to SMB.

Working with Gaia OS

  1. View SecureXL templates

    # fwaccel stat


  2. View the load by core

    # fw ctl multik stat


  3. View the number of sessions (connections).

    # fw ctl pstat


  4. * Check the cluster status

    # cphaprob stat


  5. The classic Linux top command
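Added example, not from the original article or from Check Point: a shell function that summarizes the per-instance connection counts printed by fw ctl multik stat (item 2 above). The sample table is constructed in the column layout that command prints (ID | Active | CPU | Connections | Peak); that layout and the figures are assumptions. The function reports the busiest CoreXL instance and returns a non-zero status when one instance carries far more than the average, which is the uneven spread worth checking before concluding that the appliance is simply out of CPU.

```shell
#!/bin/sh
# Added example (not from the article or Check Point): spot uneven load across
# CoreXL instances in "fw ctl multik stat" output. Constructed sample below.
SAMPLE_MULTIK='ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |        2400 |     5100
 1 | Yes     | 2      |        2300 |     5000
 2 | Yes     | 1      |        6100 |     7200
'

# multik_summary MAX_RATIO  < multik-output
# Prints "instances=N total=T avg=A max=M busiest=ID". Exit status 1 when the
# busiest instance holds more than MAX_RATIO times the average connection count,
# 2 when no instance rows were found, 0 otherwise.
multik_summary() {
    awk -F'|' -v maxratio="${1:-1.5}" '
        # Data rows start with a numeric instance ID; header and separator do not.
        $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            id = $1 + 0; conns = $4 + 0
            n++; total += conns
            if (conns > max) { max = conns; busiest = id }
        }
        END {
            if (n == 0) { print "no instance rows found"; exit 2 }
            avg = total / n
            printf "instances=%d total=%d avg=%.0f max=%d busiest=%d\n", n, total, avg, max, busiest
            if (max > maxratio * avg) exit 1
            exit 0
        }'
}

# Stand-alone run on the sample; on the appliance:  fw ctl multik stat | multik_summary 1.5
printf '%s' "$SAMPLE_MULTIK" | multik_summary 1.5 || echo "-> uneven load across CoreXL instances"
```

A single hot instance usually means a few elephant flows or traffic that is not being accelerated, so the next step is the SecureXL check from item 1 rather than a hardware upgrade, which the SMB family does not allow anyway.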

Logging

As you already know, there are three ways of working with NGFW logs (storage, processing): locally, centrally and in the cloud. The last two options imply the presence of a Management Server.

Possible NGFW management schemes (figure)

The most important log files

  1. System messages (contains less information than full Gaia)

    # tail -f /var/log/messages2


  2. Messages about the operation of the blades (a very useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg


  3. View the messages from the kernel-level buffer.

    # dmesg


Blade configuration

This section does not contain complete instructions for configuring your Check Point NGFW; it contains only recommendations selected from experience.

Application Control / URL Filtering

  • It is recommended to avoid ANY, ANY (Source, Destination) conditions in rules.

  • When defining a custom URL object, it is most efficient to use regular expressions such as: (^|..)checkpoint.com

  • Avoid excessive rule logging and showing block pages (UserCheck).

  • Make sure that SecureXL technology works correctly. Most of the traffic should go through the accelerated/medium path. Also, do not forget to filter the rules by the most used ones (the Hits field).
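To see what the custom-URL pattern in the second recommendation actually matches, here is an added example (not from the article or from Check Point) that runs the pattern, exactly as written above, against a constructed host list with grep -E; the assumption is that the appliance's matcher treats (^|..), an unescaped dot and an escaped dot the way POSIX ERE does. A stricter variant with escaped dots and an end anchor is included as our own suggestion, not a vendor recommendation.

```shell
#!/bin/sh
# Added example (not from the article or Check Point): compare what two custom-URL
# regular expressions match. Host list is constructed; only the first three names
# belong to checkpoint.com or its subdomains.
SAMPLE_HOSTS='checkpoint.com
www.checkpoint.com
support.checkpoint.com
notcheckpoint.com
checkpointXcom.example.net'

# Pattern as given in the recommendation above: the dots are unescaped (match any
# character) and "(^|..)" accepts any two characters before the domain name.
PATTERN_PAGE='(^|..)checkpoint.com'

# Tighter variant (our assumption, not a Check Point recommendation): only a label
# boundary may precede the name, dots are literal, and nothing may follow ".com".
PATTERN_STRICT='(^|\.)checkpoint\.com$'

# match_hosts PATTERN  < host-list   -> prints the matching hosts, one per line
match_hosts() { grep -E -- "$1" || true; }

# count_matches PATTERN  -> number of sample hosts the pattern matches
count_matches() { printf '%s\n' "$SAMPLE_HOSTS" | match_hosts "$1" | wc -l | tr -d ' '; }

echo "page pattern matches:   $(count_matches "$PATTERN_PAGE") of 5"
echo "strict pattern matches: $(count_matches "$PATTERN_STRICT") of 5"
printf '%s\n' "$SAMPLE_HOSTS" | match_hosts "$PATTERN_PAGE"
```

With the pattern as written, all five names match, including notcheckpoint.com and checkpointXcom.example.net, because "." matches any character and ".." supplies the two-character prefix; the strict variant keeps only the domain and its subdomains (3 of 5). A bypass or allow rule built on an over-broad pattern silently widens its scope, so test custom URL objects against a few near-miss names before deploying them.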

HTTPS Inspection

It is no secret that 70-80% of user traffic comes over HTTPS connections, which means it consumes your gateway's CPU resources. In addition, HTTPS Inspection takes part in the work of IPS, Antivirus and Anti-Bot.

Starting from version 80.40 it became possible to work with HTTPS rules without the Legacy Dashboard; here is one recommended rule structure:

  • Bypass for a group of categories and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IPs and networks with privileged access (Source).

  • Inspect for the required networks and users.

  • Bypass for everyone else.

* It is always better to select the HTTPS or HTTPS Proxy services manually rather than leaving Any. Log events according to the Inspect rules.

IPS

The IPS blade can fail to install the policy on your NGFW if too many signatures are enabled. According to a document from Check Point, the SMB appliance family is not designed to run the full recommended IPS profile.

To fix or prevent the problem, follow these steps:

  1. Clone the Optimized profile under the name "Optimized SMB" (or any other of your choice).

  2. Edit the profile, go to the IPS → Pre R80 Settings section and disable Server Protections.


  3. At your discretion, you can disable CVEs older than 2010; these vulnerabilities are unlikely to be found in small offices, but they affect performance. To disable some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list.


In conclusion

As part of the series of articles about the new generation of NGFW for the SMB family (1500), we tried to show the broad capabilities of the solution and demonstrated the configuration of the key security features with real examples. We will be glad to answer any questions about the product in the comments. Stay with us, and thank you for your attention!

A large selection of materials on Check Point from TS Solution. To not miss new publications, follow the updates on social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com
