Palo Alto Networks configuration features: SSL VPN


Despite all the advantages of Palo Alto Networks firewalls, there is little material on the Russian-language Internet about configuring these devices, or texts describing implementation experience with them. We decided to summarize the material we have collected while working with this vendor's equipment and to describe the features we ran into while carrying out various projects.

As an introduction to Palo Alto Networks, this article covers the configuration needed to solve one of the most common firewall tasks: SSL VPN for remote access. We will also cover the auxiliary functions used in general firewall setup, user identification, applications and security policies. If readers find the topic interesting, we will later publish material on Site-to-Site VPN, dynamic routing and centralized management with Panorama.

Palo Alto Networks firewalls use a number of innovative technologies, including App-ID, User-ID and Content-ID. This functionality makes it possible to provide a high level of security. For example, App-ID identifies application traffic from signatures, decoding and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID identifies network users through LDAP integration. Content-ID scans traffic and identifies transferred files and their content. Other firewall functions include intrusion protection, protection against vulnerabilities and DoS attacks, built-in anti-spyware, URL filtering, clustering and centralized management.

For the demonstration we will use an isolated lab with a configuration identical to a real one, except for the device names, the AD domain name and the IP addresses. In reality everything is considerably more complex: there may be many branches. In that case, instead of a single firewall, a cluster is installed at the border of the central sites, and dynamic routing may be required.

The lab runs PAN-OS 7.1.9. As a typical setup, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. The Active Directory domain is used as the user database (Figure 1).

Figure 1 - Network block diagram

Configuration steps:

  1. Preliminary device configuration: setting the name, management IP address, static routes, administrator accounts and management profiles
  2. Installing licenses, configuring and installing updates
  3. Configuring security zones, network interfaces, traffic policies and address translation
  4. Configuring the LDAP Authentication Profile and the User Identification function
  5. Setting up the SSL VPN

1. Preliminary configuration

The main tool for configuring a Palo Alto Networks firewall is the web interface; management via the CLI is also possible. By default the management interface is set to IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from the same network, or with the command set deviceconfig system ip-address <> netmask <>. It is executed in configuration mode; to enter configuration mode, use the configure command. Any change on the firewall takes effect only after the configuration is confirmed with the commit command, both on the command line and in the web interface.

To change the settings in the web interface, use Device -> Setup -> Management -> Management Interface Settings. The name, banners, time zone and other settings are set in the General Settings section (Figure 2).

Figure 2 - Management interface parameters

If you use a virtual firewall in an ESXi environment, then in the General Settings section you must either enable the use of the MAC address assigned by the hypervisor, or configure the MAC addresses specified on the firewall interfaces on the hypervisor, or change the virtual switch settings to allow MAC address changes. Otherwise traffic will not pass.

The management interface is configured separately and does not appear in the list of network interfaces. The Management Interface Settings section specifies the default gateway of the management interface. Other static routes are configured in the virtual routers section; this is discussed later.

To allow access to the device through another interface, create a Management Profile under Network -> Network Profiles -> Interface Mgmt and assign it to the corresponding interface.

Next, configure DNS and NTP under Device -> Services so that updates can be downloaded and the time is displayed correctly (Figure 3). By default, all traffic generated by the firewall itself uses the IP address of the management interface as its source address. A different interface can be assigned to each specific service in the Service Route Configuration section.

Figure 3 - DNS, NTP and system service route parameters

2. Installing licenses, configuring and installing updates

To use the full functionality of the firewall, a license must be installed. A trial license can be obtained by requesting it from Palo Alto Networks partners; its validity period is 30 days. The license is activated either from a file or with an Auth-Code. Licenses are configured under Device -> Licenses (Figure 4).
After installing the license, configure update installation under Device -> Dynamic Updates.
Under Device -> Software you can download and install new PAN-OS versions.

Figure 4 - License management panel

3. Configuring security zones, network interfaces, traffic policies and address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. A network interface is assigned to a specific zone, and that zone is then used in the traffic rules. With this approach, when interface settings change later, the traffic rules do not need to be modified; instead the required interfaces are simply reassigned to the appropriate zones. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 - Security zones

In this example, the interface to the internal network is assigned to the internal zone, and the Internet-facing interface is assigned to the external zone. For the SSL VPN, a tunnel interface is created and assigned to the vpn zone (Figure 5).

Network interfaces of a Palo Alto Networks firewall can operate in five different modes:

  • Tap - used to collect traffic for monitoring and analysis
  • HA - used for cluster operation
  • Virtual Wire - in this mode the firewall joins two interfaces and passes traffic transparently between them without changing MAC or IP addresses
  • Layer2 - switch mode
  • Layer3 - router mode

Figure 6 - Setting the interface operating mode

In this example, Layer3 mode is used (Figure 6). The network interface parameters specify the IP address, the operating mode and the corresponding security zone. In addition to the operating mode, the interface must be assigned to a Virtual Router, which is the Palo Alto Networks analogue of a VRF instance. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings specify static routes and routing protocol settings. In this example, only a default route for access to external networks is created (Figure 7).

Figure 7 - Virtual router setup

The next configuration step is the traffic policies, under Policies -> Security. An example configuration is shown in Figure 8. The rule logic is the same as on any firewall: rules are evaluated from top to bottom until the first match. Brief description of the rules:

1. SSL VPN Web Portal Access - allows access to the web portal for authenticating remote connections
2. VPN traffic - allows traffic between remote connections and the head office
3. Basic Internet - allows the dns, ping, traceroute and ntp applications. The firewall allows applications based on signatures, decoding and heuristics rather than on port numbers and protocols, which is why the Service column says application-default: the ports/protocol defined for that application
4. Web Access - allows Internet access over the HTTP and HTTPS protocols without application control
5, 6. The default rules for all other traffic.
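To make the evaluation order concrete, here is a small model of zone-based policy evaluation written for this article; it is an added example, not Palo Alto Networks code, and it is not the firewall's actual policy engine. Zone names and rule names follow the rules listed above; the applications on the portal rule, the ms-ds-smb and unknown-tcp sample flows, and the application-default port table are constructed assumptions. The point it shows is how the implicit intrazone-default and interzone-default rules catch everything the explicit rules do not, and how application-default makes rule 3 reject an application that shows up on a non-standard port.

```python
"""Zone-based security policy evaluation, modelled on the rule set this article
describes (Policies -> Security). Added example, not Palo Alto Networks code.
Zone names follow the article; the applications on the portal rule and the
application-default port table are constructed assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

ANY = "any"
# A service is "application-default", "any", or an explicit set of (protocol, port) pairs.
Service = Union[str, FrozenSet[Tuple[str, int]]]

# Constructed stand-in for the App-ID database: the ports each application is expected on.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "ntp": {("udp", 123)},
    "ping": {("icmp", 0)},
    "traceroute": {("icmp", 0), ("udp", 33434)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "panos-global-protect": {("tcp", 443)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str    # what App-ID identified from the payload, independent of the port
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    apps: FrozenSet[str]
    service: Service


def _zone_ok(allowed: FrozenSet[str], zone: str) -> bool:
    return ANY in allowed or zone in allowed


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if not _zone_ok(rule.src_zones, flow.src_zone) or not _zone_ok(rule.dst_zones, flow.dst_zone):
        return False
    if ANY not in rule.apps and flow.app not in rule.apps:
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # The application must also be on its standard port, so e.g. DNS on tcp/8080 fails here.
        return (flow.proto, flow.port) in APP_DEFAULT_PORTS.get(flow.app, set())
    return (flow.proto, flow.port) in rule.service


def evaluate(rules, flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; otherwise the predefined intrazone/interzone rules apply."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


Z = frozenset
# The four explicit rules from the article, top to bottom (zone/app details are assumptions).
ARTICLE_RULES = [
    Rule("SSL VPN Web Portal Access", "allow", Z({"external"}), Z({"external"}),
         Z({"panos-global-protect", "ssl"}), "application-default"),
    Rule("VPN traffic", "allow", Z({"vpn"}), Z({"internal"}), Z({ANY}), "any"),
    Rule("Basic Internet", "allow", Z({"internal", "vpn"}), Z({"external"}),
         Z({"dns", "ping", "traceroute", "ntp"}), "application-default"),
    Rule("Web Access", "allow", Z({"internal", "vpn"}), Z({"external"}),
         Z({ANY}), Z({("tcp", 80), ("tcp", 443)})),
]

if __name__ == "__main__":
    samples = [
        Flow("vpn", "internal", "ms-ds-smb", "tcp", 445),
        Flow("internal", "external", "dns", "udp", 53),
        Flow("internal", "external", "dns", "tcp", 8080),   # DNS on a non-standard port
        Flow("internal", "external", "web-browsing", "tcp", 80),
        Flow("internal", "internal", "ms-ds-smb", "tcp", 445),
        Flow("external", "internal", "ssh", "tcp", 22),
    ]
    for f in samples:
        print(f, "->", evaluate(ARTICLE_RULES, f))
```

Running it shows the two implicit rules doing most of the work: anything between zones that no explicit rule allows lands on interzone-default and is denied, while traffic that stays inside a zone is allowed by intrazone-default even though no explicit rule mentions it. When reviewing a policy, check that behaviour matches what is expected for every zone pair, not just the ones with explicit rules.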

Figure 8 - Example of network rule configuration

NAT is configured under Policies -> NAT. An example NAT configuration is shown in Figure 9.

Figure 9 - NAT configuration example

For all traffic from the internal zone to the external zone, the source address is translated to the external IP address of the firewall and dynamic port translation (PAT) is used.

4. Configuring the LDAP Authentication Profile and the User Identification function

Before connecting users over SSL VPN, the authentication method must be configured. In this example, authentication is performed against the Active Directory domain controller through the Palo Alto Networks web interface.

Figure 10 - LDAP profile

For authentication to work, an LDAP Profile and an Authentication Profile must be configured. Under Device -> Server Profiles -> LDAP (Figure 10), specify the IP address and port of the domain controller, the LDAP type, and a user account that is a member of the groups Server Operators, Event Log Readers and Distributed COM Users. Then, under Device -> Authentication Profile, create an authentication profile (Figure 11), select the previously created LDAP Profile, and on the Advanced tab specify the group of users (Figure 12) that are allowed remote access. Pay attention to the User Domain parameter in the profile: without it, group-based authorization will not work. This field must contain the NetBIOS name of the domain.

Figure 11 - Authentication profile

Figure 12 - AD group selection

The next step is to configure Device -> User Identification. Here you specify the IP address of the domain controller and the connection credentials, and enable the settings Enable Security Log, Enable Session and Enable Probing (Figure 13). In the Group Mapping section (Figure 14), specify the parameters for identifying objects in LDAP and the list of groups that will be used for authorization. Just as in the Authentication Profile, the User Domain parameter must be set here.
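The reason User Domain is required in both places is that User-ID keeps users and group members as DOMAIN\user, so a bare login such as alice can only match the group map once the NetBIOS name is prepended. The following Python model, written for this article and not Palo Alto Networks code, reproduces that matching logic; the CORP domain, the vpn-users and domain admins groups and the user names are constructed, and the rule that the NetBIOS name equals the first DNS label of a user@domain login is an assumption of the example.

```python
"""Why the User Domain parameter matters for group-based authorization.
User-ID stores users and group members as DOMAIN\\user; a login that arrives
without a domain prefix matches such entries only after the configured User
Domain (NetBIOS name) is prepended. Added example, not Palo Alto Networks code;
the CORP domain, group names and user names are constructed."""
from typing import Optional

# Constructed group map in the shape User-ID builds from LDAP: group -> members, all as DOMAIN\user.
GROUP_MAP = {
    "CORP\\vpn-users": {"CORP\\alice", "CORP\\bob"},
    "CORP\\domain admins": {"CORP\\carol"},
}


def normalize_user(login: str, user_domain: Optional[str] = None) -> str:
    """Canonicalize 'alice', 'corp\\alice' or 'alice@corp.example' to 'CORP\\alice'.

    user_domain is the NetBIOS name from the Authentication Profile. When it is
    unset and the login has no domain part, the bare name is returned unchanged,
    which is exactly the case that fails to match the group map.
    """
    login = login.strip()
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, dns_domain = login.split("@", 1)
        # Assumption for the example: the NetBIOS name equals the first DNS label.
        domain = dns_domain.split(".", 1)[0]
    elif user_domain:
        domain, user = user_domain, login
    else:
        return login.lower()
    return f"{domain.upper()}\\{user.lower()}"


def is_member(login: str, group: str, user_domain: Optional[str] = None) -> bool:
    return normalize_user(login, user_domain) in GROUP_MAP.get(group, set())


def authorize_remote_access(login: str, user_domain: Optional[str] = None,
                            allowed_group: str = "CORP\\vpn-users") -> bool:
    """Allow-list decision like the Authentication Profile's Advanced tab: only
    members of the allowed group may use the remote-access portal."""
    return is_member(login, allowed_group, user_domain)


if __name__ == "__main__":
    for login in ("alice", "CORP\\alice", "alice@corp.example", "carol", "mallory"):
        print(f"{login:20} no User Domain: {authorize_remote_access(login)!s:5} "
              f"User Domain=CORP: {authorize_remote_access(login, 'CORP')}")
```

With User Domain unset, alice is rejected even though she is in the allowed group, which is the symptom the text warns about; with it set to CORP she is accepted, while carol (an administrator, but not in vpn-users) and an unknown user stay rejected.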

Figure 13 - User Mapping parameters

Figure 14 - Group Mapping parameters

The final step of this stage is to create the VPN zone and the interface for that zone. The Enable User Identification option must be turned on (Figure 15).

Figure 15 - VPN zone setup

5. Setting up the SSL VPN

Before connecting to the SSL VPN, the remote user must open the web portal, authenticate and download the GlobalProtect client. This client then requests credentials and connects to the corporate network. The web portal runs over https and therefore needs a certificate installed on it. Use a public certificate if possible; then the user will not receive a warning that the certificate is invalid for the site. If a public certificate cannot be used, you must issue your own, which will be used on the https web page. It can be self-signed or issued by a local certificate authority. The remote computer must have the root certificate or the self-signed certificate in its list of trusted root authorities so that the user does not get an error when connecting to the web portal. This example uses a certificate issued by Active Directory Certificate Services.

To issue the certificate, create a certificate request under Device -> Certificate Management -> Certificates -> Generate. In the request, specify the certificate name and the IP address or FQDN of the web portal (Figure 16). After generating the request, download the .csr file and paste its contents into the certificate request field of the AD CS Web Enrollment web form. Depending on how the certificate authority is configured, the request must be approved and the issued certificate downloaded in Base64 Encoded Certificate format. In addition, download the root certificate of the certificate authority. Then import both certificates into the firewall. When importing the web portal certificate, select the request in the pending state and click import; the certificate name must match the name specified earlier in the request. The name of the root certificate can be arbitrary. After importing the certificate, create an SSL/TLS Service Profile under Device -> Certificate Management and specify the imported certificate in the profile.

Figure 16 - Certificate request

The next step is to configure the GlobalProtect Gateway and GlobalProtect Portal objects under Network -> GlobalProtect. In the GlobalProtect Gateway settings, specify the external IP address of the firewall, the previously created SSL Profile, the Authentication Profile, the tunnel interface and the client IP settings. You must specify the pool of IP addresses from which an address is assigned to the client, and the Access Route: the subnets to which the client will have routes. If the goal is to pass all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Figure 17).
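The two gateway settings just described, the IP pool and the Access Routes, are easy to reason about with a small model. The following Python code is an added example for this article, not Palo Alto Networks code and not the real gateway implementation; the 10.10.10.0/29 pool, the 192.168.x.0/24 subnets and the user names are constructed. It shows what 0.0.0.0/0 changes: with split-tunnel Access Routes, only destinations inside the listed subnets enter the tunnel and pass the firewall's security policy, while everything else leaves the client directly and is never inspected.

```python
"""GlobalProtect Gateway client settings as a small model: an IP pool the
gateway leases addresses from, and Access Routes that decide which
destinations the client sends through the tunnel (split tunnel) versus
0.0.0.0/0 (everything through the firewall). Added example, not Palo Alto
Networks code; the pool and subnets are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Gateway:
    def __init__(self, pool_cidr: str, access_routes: Iterable[str]):
        # Usable host addresses only, so the network and broadcast addresses are never leased.
        self.pool: List[IPAddr] = list(ipaddress.ip_network(pool_cidr).hosts())
        self.routes: List[IPNet] = [ipaddress.ip_network(r) for r in access_routes]
        self.leases: Dict[str, IPAddr] = {}   # user -> leased address

    def assign(self, user: str) -> IPAddr:
        """Lease the first free pool address; a reconnecting user keeps their lease."""
        if user in self.leases:
            return self.leases[user]
        in_use = set(self.leases.values())
        for addr in self.pool:
            if addr not in in_use:
                self.leases[user] = addr
                return addr
        raise RuntimeError("IP pool exhausted: enlarge the pool or release stale leases")

    def release(self, user: str) -> None:
        self.leases.pop(user, None)

    def is_full_tunnel(self) -> bool:
        """True when an Access Route of 0.0.0.0/0 (or ::/0) sends all client traffic via the firewall."""
        return any(r.prefixlen == 0 for r in self.routes)

    def via_tunnel(self, destination: str) -> bool:
        """Does traffic to this destination enter the tunnel, i.e. is it seen by the
        firewall's security policy? Anything outside the Access Routes bypasses it."""
        ip = ipaddress.ip_address(destination)
        return any(ip in r for r in self.routes)


if __name__ == "__main__":
    split = Gateway("10.10.10.0/29", ["192.168.10.0/24", "192.168.20.0/24"])
    full = Gateway("10.10.10.0/29", ["0.0.0.0/0"])
    print("alice gets", split.assign("alice"))
    for dst in ("192.168.10.5", "203.0.113.7"):
        print(dst, "split:", split.via_tunnel(dst), "full:", full.via_tunnel(dst))
```

The pool size is also worth checking against the expected number of simultaneous users: a /29 pool leases only six addresses, and the seventh client is refused rather than silently sharing an address.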

Figure 17 - Configuring the IP address pool and routes

Then configure the GlobalProtect Portal. Specify the firewall's IP address, the SSL Profile and Authentication Profile, and the list of external IP addresses of the firewalls the client will connect to. If there are several firewalls, a priority can be set for each of them, and users will choose which firewall to connect to accordingly.

Under Device -> GlobalProtect Client, download the VPN client distribution from the Palo Alto Networks servers and activate it. To connect, the user opens the portal web page, where they are prompted to download the GlobalProtect Client. Once it is downloaded and installed, they can enter their credentials and connect to the corporate network over the SSL VPN.

Conclusion

This concludes the Palo Alto Networks configuration part. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks. If you have questions about the setup or suggestions for topics of future articles, write them in the comments; we will be glad to respond.

Source: www.habr.com
