Palo Alto Networks setup features: SSL VPN


Despite all the advantages of Palo Alto Networks firewalls, there is little documentation on the Russian-language internet about configuring these devices, and little literature describing practical implementation experience. We decided to summarize the material we collected while working with this vendor's devices and to describe the peculiarities we ran into while implementing various projects.

To introduce you to Palo Alto Networks, this article covers the configuration needed to solve one of the most common firewall tasks: SSL VPN for remote access. We will also cover the auxiliary functions for basic firewall setup, user identification, applications and security policies. If the topic interests readers, we will later publish material covering Site-to-Site VPN, dynamic routing and centralized management using Panorama.

Palo Alto Networks firewalls use several proprietary technologies, including App-ID, User-ID and Content-ID. Using these functions makes it possible to ensure a high level of security. For example, App-ID identifies application traffic based on signatures, decoding and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID identifies network users through LDAP integration. Content-ID inspects traffic and identifies transferred files and their contents. Other firewall functions include intrusion protection, protection from vulnerability exploitation and DoS attacks, built-in anti-spyware, URL filtering, clustering, and centralized management.

For the demonstration we will use an isolated lab stand whose configuration is identical to the real one, except for device names, the AD domain name and IP addresses. In reality everything is more complicated: there may be many branches. In that case a cluster is installed at the border of the central sites instead of a single firewall, and dynamic routing may also be required.

The stand runs PAN-OS 7.1.9. As a typical configuration, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. The Active Directory domain is used as the user database (Figure 1).

Figure 1 - Network block diagram

Setup steps:

  1. Device pre-configuration: setting the hostname, management IP address, static routes, administrator accounts and management profiles
  2. Installing licenses, configuring and installing updates
  3. Configuring security zones, network interfaces, traffic policies and address translation
  4. Configuring the LDAP Authentication Profile and the User Identification feature
  5. Configuring the SSL VPN

1. Pre-configuration

The main tool for configuring a Palo Alto Networks firewall is the web interface; management via the CLI is also possible. By default, the management interface is set to IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from the same network, or with the command set deviceconfig system ip-address <> netmask <>. It is executed in configuration mode; to enter configuration mode, use the command configure. All changes on the firewall take effect only after the configuration is confirmed with the Commit command, both in the command line and in the web interface.

To change the settings in the web interface, use the Device -> General Settings and Device -> Management Interface Settings sections. The hostname, banners, time zone and other settings are set in the General Settings section (Fig. 2).

Figure 2 - Management interface parameters

If you run a virtual firewall in an ESXi environment, in the General Settings section you must either enable the use of the MAC address assigned by the hypervisor, or configure the MAC addresses specified on the firewall interfaces on the hypervisor side, or change the virtual switch settings to allow MAC address changes. Otherwise, traffic will not pass.

The management interface is configured separately and is not shown in the list of network interfaces. The Management Interface Settings section specifies the default gateway for the management interface. Other static routes are configured in the virtual routers section; this is discussed later.

To allow access to the device through other interfaces, you must create a Management Profile in the Network -> Network Profiles -> Interface Mgmt section and assign it to the corresponding interface.

Next, configure DNS and NTP in the Device -> Services section so that updates can be downloaded and the time is displayed correctly (Fig. 3). By default, all traffic generated by the firewall itself uses the management IP address as its source IP address. You can assign a different interface to each service in the Service Route Configuration section.

Figure 3 - DNS, NTP and service route parameters
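The same pre-configuration steps can be done from the CLI. The following is an added example written for this article, not a fragment of the original post: the hostname, addresses, time zone and profile name are assumed lab values, and the command paths follow the PAN-OS set hierarchy from memory, so confirm them with tab completion before committing.

```panos
# Added example: pre-configuration from the CLI (assumed lab values)
configure
# Hostname and management interface; the factory default is 192.168.1.1/24, admin/admin
set deviceconfig system hostname PA-HQ-FW
set deviceconfig system ip-address 192.168.1.10 netmask 255.255.255.0 default-gateway 192.168.1.1
# DNS and NTP are needed for updates and for correct timestamps in logs
set deviceconfig system dns-setting servers primary 10.10.0.10 secondary 10.10.0.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 10.10.0.10
set deviceconfig system timezone Europe/Moscow
# Replace the default admin password (the CLI prompts for it interactively)
set mgt-config users admin password
# Interface management profile for later assignment to a data interface:
# only the needed services, and only from the admin subnet (permitted-ip)
set network profiles interface-management-profile MGMT-LIMITED https yes ssh yes ping yes
set network profiles interface-management-profile MGMT-LIMITED permitted-ip 10.10.0.0/24
# Nothing takes effect until the candidate configuration is committed
commit
```

The permitted-ip restriction on the management profile is the piece most often forgotten when management is opened on a data interface; without it, any host that can route to the interface can reach the login page.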

2. Installing licenses, configuring and installing updates

To use all firewall functions, you must install a license. A trial license can be requested from Palo Alto Networks partners; it is valid for 30 days. The license is activated either from a file or with an Auth-Code. Licenses are managed in the Device -> Licenses section (Fig. 4).
After installing the license, configure the installation of updates in the Device -> Dynamic Updates section.
In the Device -> Software section you can download and install new versions of PAN-OS.

Figure 4 - License control panel

3. Configuring security zones, network interfaces, traffic policies and address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. Network interfaces are assigned to a specific zone, and that zone is referenced in traffic rules. This approach means that when interface settings change later, you do not rewrite the traffic rules; you simply reassign the required interfaces to the appropriate zones. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 - Security zones

In this example, the interface on the internal network is assigned to the internal zone, and the interface facing the Internet is assigned to the external zone. For the SSL VPN, a tunnel interface is created and assigned to the vpn zone (Fig. 5).

Palo Alto Networks firewall network interfaces can operate in five different modes:

  • Tap - used to collect traffic for monitoring and analysis
  • HA - used for cluster operation
  • Virtual Wire - in this mode, the firewall pairs two interfaces and transparently passes traffic between them without changing MAC or IP addresses
  • Layer2 - switch mode
  • Layer3 - router mode

Figure 6 - Setting the interface operating mode

In this example, Layer3 mode is used (Fig. 6). The network interface parameters specify the IP address, the operating mode and the corresponding security zone. Besides the operating mode, the interface must be assigned to a Virtual Router, which is the Palo Alto Networks analogue of a VRF instance. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings define static routes and routing protocol parameters. In this example, only a default route to external networks is created (Fig. 7).

Figure 7 - Configuring the virtual router

The next configuration step is the traffic policy in the Policies -> Security section. An example configuration is shown in Figure 8. The rule logic is the same as on any firewall: rules are evaluated from top to bottom until the first match. A brief description of the rules:

1. SSL VPN Access to Web Portal - allows access to the web portal so that remote connections can authenticate
2. VPN traffic - allows traffic between remote connections and the head office
3. Basic Internet - allows dns, ping, traceroute and ntp requests. The firewall identifies applications by signatures, decoding and heuristics rather than by port numbers and protocols, which is why the Service column says application-default: the default port/protocol for that application
4. Web Access - allows Internet access over HTTP and HTTPS without application control
5,6. Default rules for all other traffic.

Figure 8 - Example of traffic policy configuration

NAT is configured in the Policies -> NAT section. An example NAT configuration is shown in Figure 9.

Figure 9 - NAT configuration example

For any traffic from the internal zone to the external zone, the source address is translated to the external IP address of the firewall using dynamic port address translation (PAT).
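The interface, zone, virtual router, security policy and NAT configuration from this section, expressed as CLI set commands. This is an added example for this article and not the original author's configuration: interface numbers, addresses, rule names and the App-IDs used for the portal rule are assumptions for the lab, and the command paths are from memory of the PAN-OS set hierarchy, so verify them with tab completion.

```panos
# Added example: zones, Layer3 interfaces, virtual router, policies and NAT (assumed values)
configure
# Layer3 interfaces: outside (Internet), inside (head office) and the tunnel for the SSL VPN
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/24
set network interface ethernet ethernet1/2 layer3 ip 10.10.0.1/24
set network interface tunnel units tunnel.1
# Zones; intrazone-default allows, interzone-default denies everything not listed below
set zone outside network layer3 ethernet1/1
set zone inside network layer3 ethernet1/2
set zone vpn network layer3 tunnel.1
# User-ID is enabled per zone, so VPN users show up by name in logs and rules
set zone vpn enable-user-identification yes
# One virtual router (VRF analogue) with only a default route
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
# Security policy, evaluated top to bottom until the first match
# 1. Portal: traffic arrives on the outside interface and terminates on the firewall, so outside -> outside
set rulebase security rules "SSL VPN Access to Web Portal" from outside to outside source any destination 203.0.113.2 application [ panos-global-protect ssl web-browsing ] service application-default action allow log-end yes
# 2. VPN clients to the head office network
set rulebase security rules "VPN traffic" from vpn to inside source any destination 10.10.0.0/24 application any service any action allow log-end yes
# 3. Basic Internet: App-ID match, application-default = the application's own default ports
set rulebase security rules "Basic Internet" from inside to outside source 10.10.0.0/24 destination any application [ dns ping traceroute ntp ] service application-default action allow log-end yes
# 4. Web Access: port-based HTTP/HTTPS without application control
set rulebase security rules "Web Access" from inside to outside source 10.10.0.0/24 destination any application any service [ service-http service-https ] action allow log-end yes
# Source NAT (PAT) behind the outside interface address for inside -> outside traffic
set rulebase nat rules "Outbound PAT" from inside to outside source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
commit
```

Two points worth checking after the commit: the portal rule must match the firewall's own outside address in the outside zone (not inside), and the "Web Access" rule is deliberately port-based, so anything that can speak on 80/443 passes it; tightening it to web-browsing and ssl App-IDs is the usual next step.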

4. Configuring the LDAP Authentication Profile and the User Identification feature
Before connecting users via the SSL VPN, the authentication mechanism must be configured. In this example, authentication is performed against an Active Directory domain controller, configured through the Palo Alto Networks web interface.

Figure 10 - LDAP profile

For authentication to work, you must configure an LDAP Profile and an Authentication Profile. In the Device -> Server Profiles -> LDAP section (Fig. 10), specify the IP address and port of the domain controller, the LDAP type and a user account that is a member of the Server Operators, Event Log Readers and Distributed COM Users groups. Then, in the Device -> Authentication Profile section, create an authentication profile (Fig. 11), select the previously created LDAP Profile and, on the Advanced tab, specify the group of users (Fig. 12) who are allowed remote access. Pay attention to the User Domain parameter in the profile, otherwise group authorization will not work: this field must contain the NetBIOS domain name.

Figure 11 - Authentication profile

Figure 12 - Selecting an AD group

The next step is the Device -> User Identification setup. Here you specify the IP address of the domain controller and the connection credentials, and configure the Enable Security Log, Enable Session and Enable Probing settings (Figure 13). In the Group Mapping section (Fig. 14), specify the parameters for locating objects in LDAP and the list of groups that will be used for authorization. As in the Authentication Profile, the User Domain parameter must be set here.

Figure 13 - User Mapping parameters

Figure 14 - Group Mapping parameters

The final step in this section is to create the VPN zone and the interface for it, and to enable the Enable User Identification option (Fig. 15).

Figure 15 - Configuring the VPN zone
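The LDAP server profile, authentication profile, agentless User-ID and group mapping from this section as CLI set commands. This is an added example and not the article's own configuration: the domain CORP / dc=corp,dc=example,dc=com, the service account, the group DN and the profile names are assumptions, and the command paths are from memory of the PAN-OS set hierarchy (the user-id-collector subtree in particular varies between releases), so confirm them with tab completion.

```panos
# Added example: LDAP profile, authentication profile, User-ID and group mapping (assumed values)
configure
# LDAP server profile pointing at the domain controller; LDAPS on 636 keeps bind credentials off the wire
set shared server-profile ldap AD-LDAP ldap-type active-directory
set shared server-profile ldap AD-LDAP server DC1 address 10.10.0.10 port 636
set shared server-profile ldap AD-LDAP ssl yes
set shared server-profile ldap AD-LDAP base "dc=corp,dc=example,dc=com"
# Bind account: member of Server Operators, Event Log Readers, Distributed COM Users (as the text requires)
set shared server-profile ldap AD-LDAP bind-dn "cn=svc-panfw,ou=Service Accounts,dc=corp,dc=example,dc=com"
set shared server-profile ldap AD-LDAP bind-password
# Authentication profile: LDAP method, logon by sAMAccountName, NetBIOS domain, allow-list limited to the VPN group
set shared authentication-profile AD-AUTH method ldap server-profile AD-LDAP
set shared authentication-profile AD-AUTH method ldap login-attribute sAMAccountName
set shared authentication-profile AD-AUTH user-domain CORP
set shared authentication-profile AD-AUTH allow-list [ "cn=vpn-users,ou=Groups,dc=corp,dc=example,dc=com" ]
# Agentless User-ID: read logon events from the domain controller's security log
set user-id-collector server-monitor DC1 active-directory host 10.10.0.10
set user-id-collector setting enable-security-log yes
set user-id-collector setting enable-session yes
# Client probing sends WMI/NetBIOS probes from the firewall to every endpoint; left off here
set user-id-collector setting enable-probing no
# Group mapping must carry the same NetBIOS domain, otherwise group-based authorization fails
set group-mapping AD-GROUPS server-profile AD-LDAP
set group-mapping AD-GROUPS user-domain CORP
set group-mapping AD-GROUPS group-include-list [ "cn=vpn-users,ou=Groups,dc=corp,dc=example,dc=com" ]
# The zone in which mapped users appear
set zone vpn enable-user-identification yes
commit
```

The user-domain value appears twice on purpose: the authentication profile and the group mapping each need it, and a mismatch between the two (or with the NetBIOS name that the domain controller's logon events carry) is the usual reason a user authenticates successfully but never matches a user- or group-based rule.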

5. Configuring the SSL VPN

Before connecting to the SSL VPN, the remote user must open the web portal, authenticate and download the GlobalProtect client. The client then asks for credentials and connects to the corporate network. The web portal runs over https, so a certificate must be installed for it. Use a publicly trusted certificate if possible; then the user will not get a warning that the site's certificate is invalid. If a public certificate cannot be used, issue your own certificate for the https web page. It can be self-signed or issued by a local certificate authority. The remote computer must have the root or self-signed certificate in its trusted root authorities, otherwise the user will get an error when connecting to the web portal. This example uses a certificate issued through Active Directory Certificate Services.

To issue a certificate, create a certificate request in the Device -> Certificate Management -> Certificates -> Generate section. In the request, specify the certificate name and the IP address or FQDN of the web portal (Fig. 16). After creating the request, download the .csr file and paste its contents into the certificate request field of the AD CS Web Enrollment form. Depending on how the certificate authority is configured, the request may need to be approved; the issued certificate is then downloaded in Base64 Encoded Certificate format. You must also download the root certificate of the certificate authority. Then import both certificates into the firewall. When importing the web portal certificate, select the request in pending status and click Import; the certificate name must match the name given earlier in the request. The root certificate can be named arbitrarily. After importing the certificate, create an SSL/TLS Service Profile in the Device -> Certificate Management section and select the imported certificate in it.

Figure 16 - Certificate request

The next step is to configure the Global Protect Gateway and Global Protect Portal objects in the Network -> Global Protect section. In the Global Protect Gateway settings, specify the external IP address of the firewall, the previously created SSL Profile, Authentication Profile and tunnel interface, and the client IP settings. You must define the pool of IP addresses from which clients are assigned addresses, and the Access Route, i.e. the subnets to which the client will have a route. If the goal is to send all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Fig. 17).

Figure 17 - Configuring the IP address pool and routes

Then configure the Global Protect Portal. Specify the IP address of the firewall, the SSL Profile and Authentication Profile, and the list of external IP addresses of the firewalls to which the client will connect. If there are several firewalls, you can set a priority for each one, which determines the firewall the users' clients choose to connect to.

In the Device -> GlobalProtect Client section, download the VPN client distribution from the Palo Alto Networks servers and activate it. To connect, the user opens the portal web page, where they are prompted to download the GlobalProtect Client. Once it is downloaded and installed, the user enters their credentials and connects to the corporate network via the SSL VPN.
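The SSL/TLS service profile, gateway and portal from this section as CLI set commands. This is an added example and not the article's configuration: the certificate name, profile names, portal FQDN, address pool and the outside address are assumptions, and the gateway/portal subtree shown is the one I remember from the PAN-OS 8.x hierarchy, which differs in places from the 7.1.9 used on the stand, so treat the paths as a guide and confirm them with tab completion.

```panos
# Added example: SSL/TLS profile, GlobalProtect gateway and portal (assumed values)
configure
# SSL/TLS service profile referencing the imported portal certificate; floor the protocol at TLS 1.2
set shared ssl-tls-service-profile GP-SSL certificate PORTAL-CERT
set shared ssl-tls-service-profile GP-SSL protocol-settings min-version tls1-2
set shared ssl-tls-service-profile GP-SSL protocol-settings max-version max
# Gateway: terminates on the outside address, authenticates via the AD profile, tunnels over tunnel.1
set network global-protect global-protect-gateway GP-GW local-address interface ethernet1/1 ip 203.0.113.2
set network global-protect global-protect-gateway GP-GW ssl-tls-service-profile GP-SSL
set network global-protect global-protect-gateway GP-GW client-auth GP-AUTH authentication-profile AD-AUTH
set network global-protect global-protect-gateway GP-GW tunnel-mode yes
set network global-protect global-protect-gateway GP-GW tunnel-interface tunnel.1
# Client address pool and access routes; 0.0.0.0/0 sends all client traffic through the firewall
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs default ip-pool [ 10.20.0.0/24 ]
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs default access-route [ 0.0.0.0/0 ]
# Portal: same address, certificate and authentication profile; hands the client the gateway list
set network global-protect global-protect-portal GP-PORTAL portal-config local-address interface ethernet1/1 ip 203.0.113.2
set network global-protect global-protect-portal GP-PORTAL portal-config ssl-tls-service-profile GP-SSL
set network global-protect global-protect-portal GP-PORTAL portal-config client-auth GP-AUTH authentication-profile AD-AUTH
set network global-protect global-protect-portal GP-PORTAL client-config configs default gateways external list GP-GW fqdn vpn.corp.example.com priority 1
commit
```

The gateway is listed in the portal by FQDN rather than IP so that the name the client connects to matches the name in the portal certificate; if the certificate was requested for the IP address instead (the text allows either), list the gateway by that IP, or the client will warn about a name mismatch even though the root CA is trusted.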

Conclusion

This concludes the Palo Alto Networks setup section. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks. If you have questions about the configuration or suggestions for future article topics, write them in the comments; we will be glad to answer.

Source: www.habr.com
