Kutshanje, iCheck Point ibonise iqonga elitsha elinokwehla . Sele sipapashe inqaku elipheleleyo malunga . Ngamafutshane, ikuvumela ukuba uphantse wandise ukusebenza kwesango lokhuseleko ngokudibanisa izixhobo ezininzi kunye nokulinganisa umthwalo phakathi kwazo. Okumangalisa kukuba, kusekho intsomi yokuba eli qonga elinokutshatyalaliswa lifanelekile kuphela kumaziko amakhulu edatha okanye amanethiwekhi amakhulu. Oku akuyonyani ngokupheleleyo.
I-Check Point Maestro yaphuhliswa kwiindidi ezininzi zabasebenzisi ngexesha elinye (siya kuzijonga kamva), kubandakanywa amashishini aphakathi. Kolu luhlu lufutshane lwamanqaku ndiya kuzama ukubonakalisa Izibonelelo zobugcisa kunye nezoqoqosho ze-Check Point Maestro kwimibutho ephakathi (ukusuka kubasebenzisi abangama-500) kwaye kutheni olu khetho lunokuba ngcono kuneqela leklasikhi..
Jonga iPoint Maestro ekujoliswe kuyo
Okokuqala, makhe sijonge amacandelo abasebenzisi ukuba i-Check Point Maestro yenzelwe yona. Kukho aba-4 kuphela kubo:
1. Iinkampani ezazingenabuchule be-chassis. I-Check Point Maestro ayilona qonga lokuqala lokujonga indawo ye-Check Point. Sele sibhale ukuba ngaphambili bekukho imifuziselo efana ne-64000 kunye ne-44000. Nangona bebenentsebenzo OMKHULU, bekukho iinkampani ekungekho kwaneleyo kuzo. I-Maestro iyayiphelisa le ngxaki, kuba... ikuvumela ukuba udibanise ukuya kuthi ga kwizixhobo ezingama-31 kwiqela elinye elisebenza kakhulu. Kwangaxeshanye, unokudibanisa iqela ukusuka kwizixhobo eziphezulu (23900, 26000), ngaloo ndlela ufezekise impumelelo enkulu.
Enyanisweni, kwintsimi yamasango okhuseleko, i-Check Point okwangoku kuphela yokuphumeza isakhono esinjalo.
2. Iinkampani ezifuna ukukwazi ukukhetha ihardware yazo. Enye yezinto ezingeloncedo kumaqonga amadala ahlaziywayo yimfuneko yokusebenzisa ngokungqongqo "iimodyuli ze-blade" (Khangela i-SGM). Iqonga elitsha le-Check Point Maestro likuvumela ukuba usebenzise inani elikhulu lezixhobo ezahlukeneyo. Unokukhetha zombini iimodeli ukusuka kwinqanaba eliphakathi (5600, 5800, 5900, 6500, 6800) kunye necandelo le-High End (15000 series, 23000 series, 26000 series). Ngaphezu koko, unokuzihlanganisa, kuxhomekeke kwimisebenzi.
Oku kulungele kakhulu ukusuka kwindawo yokujonga ukusetyenziswa kwemithombo yobutyebi. Unokuthenga kuphela ukusebenza okufunayo ngokukhetha imodeli efanelekileyo.
3. Iinkampani apho i-chassis ininzi kakhulu, kodwa i-scalability isadingeka. Enye "ingxaki" yamaqonga amadala ahlaziywayo (i-64000, i-44000) yayiyinqanaba eliphezulu lokungena (ukusuka kwimbono yezoqoqosho). Ixesha elide, iiplatifomu ezinobungozi zazifumaneka kuphela kumashishini amakhulu kunye nohlahlo lwabiwo-mali lwe-IT "olulungileyo". Ngokufika kweCheck Point Maestro, yonke into itshintshile. Iindleko zeyona bundle encinci (i-orchestrator + ezimbini zamasango) iyathelekiseka (kwaye ngamanye amaxesha iphantsi) kunye neqela elisebenzayo eliqhelekileyo / elilindileyo. Ezo. umda wokungena wehle kakhulu. Xa ukhetha isisombululo, inkampani inokubeka ngokukhawuleza i-architecture ye-scalable, ngaphandle kokuhlawula ngokunyuka okunokwenzeka okulandelayo kwiimfuno. Ngaba kukho abasebenzisi abaninzi ngonyaka emva kokuqaliswa kweCheck Point Maestro? Wongeza nje isango elinye okanye amabini, ngaphandle kokutshintshwa kwezinto ezikhoyo. Akunyanzelekanga nokuba utshintshe itopology. Qhagamshela ngokulula amasango amatsha kwiokhestra kwaye usebenzise useto kubo ngocofa nje olubini.
4. Iinkampani ezifuna ukusebenzisa ngokupheleleyo izixhobo ezikhoyo. Ndicinga ukuba abantu abaninzi baqhelene nenkqubo yoRhwebo. Xa ukusebenza kwezixhobo ezikhoyo akusekho ngokwaneleyo kwaye i-hardware kufuneka ihlaziywe ukuhlangabezana neemfuno zangoku. Inkqubo ebiza kakhulu. Kwaye, rhoqo kukho imeko xa umthengi enamaqela amaninzi e-Check Point kwimisebenzi eyahlukeneyo. Ngokomzekelo, i-cluster yokukhusela i-perimeter, i-cluster yokufikelela kude (i-RA VPN), i-cluster ye-VSX, njl. Ngaphezu koko, elinye iqela lisenokungabi namithombo yaneleyo, ngelixa elinye linobuninzi babo. Khangela i-Maestro lithuba elihle kakhulu lokwandisa ukusetyenziswa kwezi zixhobo ngokusabalalisa umthwalo phakathi kwabo.
Ezo. ufumana ezi zibonelelo zilandelayo:
- Akukho mfuneko yokuba "ulahle" izixhobo ezikhoyo. Ungathenga isango elinye okanye ezimbini ezongezelelweyo, okanye...
- Qwalasela ulungelelwaniso lomthwalo oguqukayo phakathi kwamanye amasango akhoyo osetyenziso olulolona luphezulu lwezibonelelo. Ukuba umthwalo kwisango lomjikelezo ukhula ngokukhawuleza, ngoko i-orchestrator iya kukwazi ukusebenzisa izixhobo "ezinesithukuthezi" zamasango okufikelela okude kunye nokunye. Oku kunceda ukugudisa iincopho zomthwalo zamaxesha onyaka (okanye okwethutyana).
Njengoko uyaqonda, amacandelo amabini okugqibela anxibelelene ngokukodwa namashishini aphakathi, anokuthi ngoku akwazi ukusebenzisa amaqonga okhuseleko anomngcipheko. Noko ke, kusenokuphakama umbuzo osengqiqweni: βKutheni iCheck Point Maestro ingcono kuneqela eliqhelekileyo?βSiza kuzama ukuwuphendula lo mbuzo.
Iqela leClassic vs Jonga iNdawo Maestro
Ukuba sithetha malunga neklasi ye-Check Point cluster, ke iindlela ezimbini zokusebenza zixhaswa: Ukufumaneka okuphezulu (oko kukuthi i-Active / Standby) kunye noKwabelana ngoMthwalo (oko kukuthi i-Active / Active). Siza kuchaza ngokufutshane intsingiselo yawo yomsebenzi, kunye neenzuzo kunye neengxaki zabo.
Ukufumaneka okuphezulu (Kuyasebenza/kulindile)
Njengoko igama libonisa, kule ndlela yokusebenza, enye i-node idlula yonke i-traffic ngokwayo, kwaye okwesibini ikwimo yokulinda kwaye ithatha i-traffic ukuba i-node esebenzayo iqala ukufumana nayiphi na ingxaki.
Iinkonzo:
- Eyona ndlela izinzile;
- I-proprietary SecureXL mechanism ixhaswa ukukhawulezisa ukusetyenzwa kwezithuthi;
- Ukuba i-node esebenzayo ayiphumelelanga, isibini siqinisekisiwe ukuba siyakwazi "ukugaya" yonke i-traffic (kuba ifana ncamashi).
Umgcini:
Enyanisweni, kukho uthabatha enye kuphela - indawo enye ayisebenzi ngokupheleleyo. Emva koko, ngenxa yoku, sinyanzeliswa ukuba sithenge i-hardware enamandla ngakumbi ukuze ikwazi ukuphatha i-traffic yodwa.
Ewe kunjalo, imowudi ye-HA ithembeke ngakumbi kunoLwabelwano loMlayisho, kodwa ukwenziwa ngcono kwezixhobo kushiya okuninzi ekufuneka kunqwenelwe.
Ukwabelana ngomthwalo (Kuyasebenza/Kuyasebenza)
Kule modi, zonke ii-nodes kwi-cluster process traffic. Unokudibanisa ukuya kuthi ga kwizixhobo ezisi-8 kwiqela elinjalo (ngaphezu kwe-4 ).
Iinkonzo:
- Unokusasaza umthwalo phakathi kwee-nodes, ezifuna izixhobo ezingaphantsi kwamandla;
- Ukunokwenzeka kokulinganisa okugudileyo (ukongeza ukuya kwii-nodes ezi-8 kwiqela).
Umgcini:
- Ngokungaqhelekanga, ii-pros ngokukhawuleza zijika zibe yi-cons. Bathanda ukusebenzisa imowudi yoKwabelana ngoMlayisho nokuba inkampani ineendawo ezimbini kuphela. Ukufuna ukugcina imali, bathenga izixhobo, nganye yazo ilayishwe kwi-40-50%. Kwaye yonke into ibonakala ilungile. Kodwa ukuba enye i-node iyasilela, sifumana imeko apho wonke umthwalo udluliselwa kwelinye eliseleyo, elingenakukwazi ukujamelana nayo. Ngenxa yoko, akukho kunyamezelwa kwesiphoso njengaloo nkqubo.
- Yongeza kule nqwaba yezithintelo zoKwabelana ngoMlayisho (). Kwaye owona mda ubalulekileyo kukuba i-SecureXL ayixhaswanga, indlela ekhawuleza kakhulu ukusetyenzwa kwezithuthi;
- Ngokumalunga nokukala ngokongeza iindawo ezintsha kwiqela, ngelishwa Ukwabelwa ngoMlayisho kude nelungileyo apha. Ukuba izixhobo ezingaphezu kwe-4 zongezwa kwiqela, ngoko ukusebenza kuyaqala .
Ukuqwalasela izinto ezimbi ezimbini zokuqala, ukuphumeza ukunyamezela kweempazamo xa kusetyenziswa i-nodes ezimbini, siphinde sinyanzeliswe ukuba sithenge i-hardware evelisa ngakumbi ukwenzela ukuba "ikugaya" i-traffic kwimeko enzima. Ngenxa yoko, asinayo nayiphi na inzuzo yezoqoqosho, kodwa sifumana isixa esikhulu . Ngaphezu koko, kuyafaneleka ukuba uqaphele ukuba ukuqala kwinguqulo ye-R80.20, imowudi yoKwabelana ngoMlayisho ayixhaswanga. Oku kunciphisa abasebenzisi kuhlaziyo olufunekayo. Akukaziwa ukuba ngaba iSabelo soMlayisho siza kuxhaswa kukhupho olutsha.
Jonga iPoint Maestro njengenye indlela
Ukusuka kwindawo yokujonga yeqela, i-Check Point Maestro ithathe iingenelo eziphambili zokuFumana okuPhezulu kunye neendlela zoKwabelana ngoMlayisho:
- Amasango aqhagamshelwe kwi-orchestrator angasebenzisa i-SecureXL, eqinisekisa ubuninzi besantya sokuhamba kwezithuthi. Azikho ezinye izithintelo ezikhoyo kuLwabelo loMlayisho;
- I-Traffic isasazwa phakathi kwamasango kwiQela loKhuseleko elinye (isango eliqiqiweyo elibandakanya ezininzi ezibonakalayo). Enkosi koku, sinokufaka izixhobo ezivelisa kancinci, kuba asisenawo amasango angasebenziyo, njengakwimowudi yokuFumana okuphezulu. Kwangaxeshanye, amandla anokunyuswa phantse ngokulandelelana, ngaphandle kwelahleko enzulu njengakwimowudi yoKwabelana ngoMlayisho (iinkcukacha ezongezelelekileyo kamva).
Konke oku kuhle, kodwa makhe sijonge imizekelo emibini ekhethekileyo.
Umzekelo # 1
Vumela inkampani X ijonge ukufaka iqela lamasango kumjikelezo womnatha. Basele beqhelana nazo zonke izithintelo zoLwabiwo loMthwalo (ezingamkelekanga kubo) kwaye baqwalasela iMowudi yokuFumana okuPhezulu ngokukodwa. Emva kokulinganisa, kuvela ukuba isango le-6800 lifanelekile kubo, elingafanele lilayishwe ngaphezu kwe-50% (ukwenzela ukuba ubuncinane ube nokugcinwa kwentsebenzo). Ekubeni oku kuya kuba yimbumba, kufuneka uthenge isixhobo sesibini, esiya kuthi "ukutshaya" umoya kwimodi yokulinda. Yindlu yokutshaya ebiza kakhulu.
Kodwa kukho enye indlela. Thatha inqwaba kwi-orchestrator kunye namasango amathathu e-6500. Kule meko, i-traffic iya kuhanjiswa phakathi kwazo zonke izixhobo ezintathu. Ukuba ujonga i-specs yeemodeli ezimbini, uya kubona ukuba amasango amathathu angama-6500 anamandla ngakumbi kune-6800 enye.
Ke, xa ukhetha iCheck Point Maestro, inkampani X ifumana ezi zinto zilandelayo:
- Inkampani ngokukhawuleza ibeka iqonga elinokunyuka. Ukunyuka okulandelayo ekusebenzeni kuya kuhla ekongezeni nje enye inxalenye ye-hardware ye-6500. Yintoni enokuba lula?
- Isisombululo sisenokunyamezela iimpazamo, kuba Ukuba enye i-node iyasilela, ezimbini eziseleyo ziya kukwazi ukujamelana nomthwalo.
- Inzuzo ebaluleke ngokulinganayo neyothusayo kukuba itshiphu! Ngelishwa, andikwazi ukuthumela amaxabiso esidlangalaleni, kodwa ukuba unomdla, unako
Umzekelo # 2
Vumela inkampani Y sele ineqela le-HA leemodeli ze-6500. I-node esebenzayo ilayishwe kwi-85%, leyo ngexesha lomthwalo ophezulu ukhokelela ekulahlekeni kwi-traffic traffic. Isisombululo esinengqiqo kwingxaki sibonakala sihlaziya i-hardware. Imodeli elandelayo yi-6800. inkampani iya kufuna ukubuyisela amasango ngeprogram ye-Trade-In kwaye ithenge izixhobo ezimbini ezintsha (ezibiza kakhulu).
Kodwa kukho enye indlela. Thenga iokhestra kunye nenye indawo efanayo ngqo (6500). Hlanganisa iqoqo lezixhobo ezithathu kwaye "usasaze" le 85% yomthwalo kumasango amathathu. Ngenxa yoko, uya kufumana umda omkhulu wokusebenza (izixhobo ezithathu ziya kulayishwa kuphela nge-30% kumyinge). Nokuba enye yeenodi ezintathu iyafa, ezimbini eziseleyo ziya kujongana ne-traffic kunye nomthwalo ophakathi kwama-45%. Ngaphezu koko, kwimithwalo ephezulu, iqoqo lamasango amathathu asebenzayo angama-6500 aya kuba namandla ngaphezu kwesango elilodwa le-6800, elikwi-HA cluster (okt active/standby). Ukongeza, ukuba ngonyaka okanye ezimbini iimfuno zenkampani ye-Y zanda kwakhona, ngoko konke abaya kufuneka bakwenze kukongeza enye okanye ezimbini ii-nodes ze-6500. Ndicinga ukuba inzuzo yezoqoqosho apha icacile.
isiphelo
Ewe, Jonga iPoint Maestro ayisosisombululo se-SMB. Kodwa nangona ishishini eliphakathi lingakwazi ukucinga ngeli qonga kwaye ubuncinane uzame ukubala ukusebenza kakuhle kwezoqoqosho. Uya kumangaliswa kukufumanisa ukuba iiplatifomu ezinokunyuka zinokuba nenzuzo ngakumbi kuneqela leklasikhi. Ngexesha elifanayo, akukho nzuzo kuphela kwezoqoqosho, kodwa kunye nobugcisa. Nangona kunjalo, siya kuthetha ngabo kwinqaku elilandelayo, apho, ngaphezu kwamaqhinga obugcisa, ndiya kuzama ukubonisa iimeko ezininzi eziqhelekileyo (i-topology, iimeko).
Ungarhuma kumaphepha ethu oluntu (, , , ), apho unokulandela ukuvela kwezinto ezintsha kwi-Check Point kunye nezinye iimveliso zokhuseleko.
umthombo: www.habr.com