
Hello, this is the second article about the NGFW solution from the company . The purpose of this article is to show how to install the UserGate firewall on a virtual system (I will use VMware Workstation virtualization software) and to perform its initial configuration (allowing access from the local network to the Internet through the UserGate gateway).
1. Introduction
To begin, I will describe the different ways this gateway can be deployed in a network. Note that, depending on the chosen connection option, some gateway functionality may not be available. The UserGate solution supports the following connection methods:
L3-L7 firewall
L2 transparent bridge
L3 transparent bridge
Out-of-band, using the WCCP protocol
Out-of-band, using Policy Based Routing
Router on a Stick
Explicitly specified WEB proxy
UserGate as the default gateway
Port mirroring (monitoring)
UserGate supports 2 types of clusters:
Configuration cluster. Nodes combined into a configuration cluster keep identical settings across the whole cluster.
Failover cluster. Up to 4 configuration cluster nodes can be combined into a failover cluster that supports Active-Active or Active-Passive operation. Several failover clusters can be created.
2. Installation
As mentioned in the previous article, UserGate is delivered as a hardware and software package or deployed in a virtual environment. From your personal account on the website, download the image in OVF (Open Virtualization Format); this format is suitable for VMware and Oracle VirtualBox. Virtual machine disk images are provided for Microsoft Hyper-V and KVM.
According to the UserGate website, for the virtual machine to work properly it is recommended to use at least 8 GB of RAM and a 2-core virtual processor. The hypervisor must support 64-bit operating systems.
Installation begins with importing the image into the chosen hypervisor (VirtualBox or VMware). For Microsoft Hyper-V and KVM, you need to create a virtual machine, specify the downloaded image as its disk, and then disable the integration services in the settings of the created virtual machine.
By default, after import into VMware, a virtual machine is created with the following settings:

As written above, there must be at least 8 GB of RAM, and in addition you need to add 1 GB for every 100 users. The default hard drive size is 100 GB, but this is usually not enough to store all logs and settings. The recommended size is 300 GB or more. Therefore, in the virtual machine settings, we change the disk size to the one required. Initially, the virtual UserGate UTM comes with four interfaces assigned to zones:
Management - the first virtual machine interface, the zone for connecting trusted networks from which UserGate management is allowed.
Trusted - the second virtual machine interface, the zone for connecting trusted networks, for example LAN networks.
Untrusted - the third virtual machine interface, the zone for interfaces connected to untrusted networks, for example the Internet.
DMZ - the fourth virtual machine interface, the zone for the interface connected to the DMZ network.
Next, we start the virtual machine. Although the manual says you need to select Support Tools and perform a Factory reset UTM, as you can see there is only one option (UTM First Boot). During this step, the UTM configures the network adapters and expands the hard drive partition to the full disk size:

To connect to the UserGate web interface, you need to enter through the Management zone; the eth0 interface is responsible for this and is configured to obtain an IP address automatically (DHCP). If it is not possible to assign an address to the Management interface automatically via DHCP, it can be set explicitly using the CLI (Command Line Interface). To do this, you need to log in to the CLI with a username and password that have full administrator rights (by default Admin, with a capital letter). If the UserGate device has not yet been initialized, then to access the CLI you must use Admin as the username and utm as the password. Then type a command like iface config -name eth0 -ipv4 192.168.1.254/24 -enabled true -mode static. Afterwards we go to the UserGate web console at the specified address; it should look like this: https://UserGateIPaddress:8001:


In the web console we continue the installation: we need to select the interface language (currently Russian or English) and the time zone, then read and accept the license agreement. Set a login and password for logging in to the web management interface.
3. Setup
After installation, this is what the web management window looks like:

Then you need to configure the network interfaces. To do this, in the "Interfaces" section you need to enable them, set the correct IP addresses and assign the appropriate zones.
The "Interfaces" section shows all physical and virtual interfaces available in the system, lets you change their settings and add VLAN interfaces. It also shows all interfaces of each cluster node. Interface settings are specific to each node, i.e. they are not global.
In the interface properties you can:
Enable or disable the interface
Specify the interface type - Layer 3 or Mirror
Assign a zone to the interface
Assign a Netflow profile for sending statistics to a Netflow collector
Change the physical parameters of the interface - MAC address and MTU size
Select the IP address assignment type - no address, a static IP address, or an address obtained via DHCP
Configure DHCP relay on the selected interface.
The "Add" button allows you to add the following types of logical interfaces:
VLAN
Bond
Bridge
PPPoE
VPN
Tunnel

In addition to the zones listed above that ship with the UserGate image, there are three more predefined zones:
Cluster - the zone used for cluster operation
VPN for Site-to-Site - the zone in which all Office-Office clients connected to UserGate via VPN are placed
VPN for remote access - the zone that includes all mobile users connected to UserGate via VPN
UserGate administrators can change the settings of the default zones and create additional ones, but as stated in the version 5 manual, a maximum of 15 zones can be created. To change or create them, go to the Zones section. For each zone you can set packet flood limits; SYN, UDP and ICMP are supported. Access control to UserGate services is also configured there, and spoofing protection can be enabled.

After configuring the interfaces, you need to configure the default route in the "Gateways" section. That is, to connect UserGate to the Internet, you must specify the IP address of one or more gateways. If you use several providers to connect to the Internet, you must specify several gateways. The gateway configuration is unique to each cluster node. If two or more gateways are specified, 2 options are possible:
Traffic balancing between the gateways.
A main gateway with failover to a backup one.
The gateway status (available - green, unavailable - red) is determined as follows:
Network check disabled - the gateway is considered available if UserGate can obtain its MAC address with an ARP request. There is no check of Internet access through this gateway. If the gateway's MAC address cannot be determined, the gateway is considered unavailable.
Network check enabled - the gateway is considered available if:
UserGate can obtain its MAC address with an ARP request.
The Internet access check through this gateway completes successfully.
Otherwise, the gateway is considered unavailable.
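The availability rules and the two multi-gateway modes above can be modelled in a few lines. The following is an added example written for this article, not UserGate code: the gateways, their ARP and probe results, and the per-flow hashing used for balancing are all constructed assumptions (the page does not say how UserGate distributes flows between balanced gateways; hashing the source address is simply one deterministic way to do it). What it shows is that with the network check enabled a gateway whose probe was never run or failed is treated as down even though ARP resolved, and that in failover mode the first available gateway in priority order carries all traffic.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int = 1                 # used only in balancing mode (assumption)
    arp_resolved: bool = True       # did an ARP request for `ip` return a MAC?
    probe_ok: Optional[bool] = None  # Internet probe via this gateway; None = not run


def gateway_available(gw: Gateway, network_check: bool) -> bool:
    """Availability logic described in the text.
    network check off: available iff ARP resolved the MAC.
    network check on : available iff ARP resolved AND the Internet probe succeeded."""
    if not gw.arp_resolved:
        return False
    if not network_check:
        return True
    return gw.probe_ok is True


def pick_gateway(gws: List[Gateway], network_check: bool, balance: bool,
                 src_ip: str) -> Optional[Gateway]:
    """Choose the gateway for a flow from src_ip.
    balance=False: gws is in priority order, the first available one wins
                   (main gateway with failover to backup).
    balance=True : weighted distribution over all available gateways; a
                   stable hash of the source address keeps one client on one
                   gateway while the set of live gateways is unchanged."""
    alive = [g for g in gws if gateway_available(g, network_check)]
    if not alive:
        return None
    if not balance:
        return alive[0]
    total = sum(g.weight for g in alive)
    slot = int(hashlib.sha256(src_ip.encode()).hexdigest(), 16) % total
    for g in alive:
        if slot < g.weight:
            return g
        slot -= g.weight
    return alive[-1]


# Constructed sample: two providers, the main one answers ARP but its probe failed.
GATEWAYS = [
    Gateway("ISP-1 (main)", "203.0.113.1", weight=2, arp_resolved=True, probe_ok=False),
    Gateway("ISP-2 (backup)", "198.51.100.1", weight=1, arp_resolved=True, probe_ok=True),
]

if __name__ == "__main__":
    for check in (False, True):
        g = pick_gateway(GATEWAYS, network_check=check, balance=False, src_ip="192.168.1.10")
        print(f"network check {'on ' if check else 'off'}: failover picks {g.name}")
```

With the network check disabled the broken ISP-1 link still looks green (ARP alone succeeds) and traffic is black-holed; enabling the check is what makes the failover to ISP-2 actually happen.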

In the "DNS" section you need to add the DNS servers that UserGate itself will use. This setting is specified in the System DNS Servers area. Below it are the settings for handling DNS requests from users. UserGate allows you to use a DNS proxy. The DNS proxy service intercepts DNS requests from users and modifies them according to the administrator's needs. DNS proxy rules can be used to specify the DNS servers to which requests for certain domains are forwarded. In addition, using the DNS proxy you can define static host-type records (A records).
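To make the three DNS settings concrete, here is an added example (my own illustration, not UserGate's implementation or data model) that decides where a user's query goes: a static A record answers locally, a DNS proxy rule forwards the domain and its subdomains to internal servers, and everything else falls through to the system DNS servers. The configuration values are constructed; the choice that the longest matching domain suffix wins when rules overlap, and that static records apply to A queries only, are my assumptions for the example.

```python
from typing import List, Tuple

# Constructed configuration for the example (not a real deployment).
SYSTEM_DNS: List[str] = ["192.0.2.53", "192.0.2.54"]        # "System DNS servers"

# Static host records served by the DNS proxy (A records only in this example).
STATIC_A = {
    "intranet.example.com": "10.10.0.5",
}

# DNS proxy rules: (domain, servers). A rule covers the domain and its subdomains.
DNS_PROXY_RULES: List[Tuple[str, List[str]]] = [
    ("corp.example.com", ["10.10.0.2", "10.10.0.3"]),
    ("example.com", ["10.10.0.10"]),
]


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def _under(name: str, domain: str) -> bool:
    """True if name is domain itself or a subdomain of it.
    The leading dot prevents 'evilexample.com' from matching 'example.com'."""
    return name == domain or name.endswith("." + domain)


def resolve_decision(qname: str, qtype: str = "A") -> Tuple[str, object]:
    """Return ("static", ip) for a locally answered query, or
    ("forward", [servers]) naming the servers the query is sent to."""
    name = _normalize(qname)
    if qtype == "A" and name in STATIC_A:
        return ("static", STATIC_A[name])
    best_domain, best_servers = "", None
    for domain, servers in DNS_PROXY_RULES:
        domain = _normalize(domain)
        # longest suffix wins so the more specific corp.example.com rule
        # takes precedence over the broader example.com rule (assumption)
        if _under(name, domain) and len(domain) > len(best_domain):
            best_domain, best_servers = domain, servers
    if best_servers is not None:
        return ("forward", best_servers)
    return ("forward", SYSTEM_DNS)


if __name__ == "__main__":
    for q in ("INTRANET.example.com.", "host.corp.example.com", "www.example.com", "evilexample.com"):
        print(q, "->", resolve_decision(q))
```

The `_under` check is the part worth copying: a plain `endswith("example.com")` would also forward queries for `evilexample.com` to the internal servers, which is exactly the kind of leak a DNS proxy rule should not create.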

In the "NAT and Routing" section you need to create the required NAT rules. For Internet access by users of the Trusted network, a NAT rule is already created - "Trusted->Untrusted"; all that remains is to enable it. Rules are applied from top to bottom in the order in which they appear in the console list. Only the first rule whose conditions match is applied, and for a rule to fire, all conditions specified in its parameters must match. UserGate recommends creating general NAT rules, for example a NAT rule from the local network (usually the Trusted zone) to the Internet (usually the Untrusted zone), and restricting access for users, services and applications with firewall rules.
It is also possible to create DNAT rules, port forwarding, policy-based routing and network mapping.

After that, in the "Firewall" section you need to create firewall rules. For unrestricted Internet access for users of the Trusted network, a firewall rule is also already created - "Trusted to Internet" - and it only needs to be enabled. Using firewall rules, the administrator can allow or deny any type of transit network traffic passing through UserGate. Rule conditions can include source/destination zones and IP addresses, users and groups, services and applications. Rules are evaluated in the same way as in the "NAT and Routing" section, i.e. top-down, first match wins. If no rules are created, all transit traffic through UserGate is denied.
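The evaluation model shared by the NAT and firewall sections (all conditions of a rule must match, rules are tried top-down, the first match wins, and no match means deny) is easy to get wrong when rules are reordered. The following added example, written for this article and not taken from UserGate, implements that model over a constructed two-rule policy and adds a simple shadowing check: a rule is reported as shadowed when an earlier enabled rule matches at least everything it matches, so it can never fire. The `Packet` and `Rule` fields, the policy contents and the shadowing heuristic are my assumptions; the point is the ordering behaviour, which applies to both the NAT and the firewall list.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Service = Tuple[str, Optional[int]]   # (protocol, destination port or None = any port)


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None
    user: Optional[str] = None


@dataclass
class Rule:
    name: str
    action: str                # "allow" or "deny"
    enabled: bool = True
    # An empty condition list means "any" for that condition.
    src_zones: List[str] = field(default_factory=list)
    dst_zones: List[str] = field(default_factory=list)
    src_nets: List[str] = field(default_factory=list)
    dst_nets: List[str] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    users: List[str] = field(default_factory=list)


def _in_nets(ip: str, nets: List[str]) -> bool:
    if not nets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _service_matches(svc: Service, pkt: Packet) -> bool:
    proto, port = svc
    return proto == pkt.proto and (port is None or port == pkt.dst_port)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured condition must match (logical AND)."""
    if not rule.enabled:
        return False
    if rule.src_zones and pkt.src_zone not in rule.src_zones:
        return False
    if rule.dst_zones and pkt.dst_zone not in rule.dst_zones:
        return False
    if not _in_nets(pkt.src_ip, rule.src_nets) or not _in_nets(pkt.dst_ip, rule.dst_nets):
        return False
    if rule.services and not any(_service_matches(s, pkt) for s in rule.services):
        return False
    if rule.users and pkt.user not in rule.users:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; with no match the transit traffic is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit default"


def _covers_list(earlier: list, later: list) -> bool:
    return not earlier or (bool(later) and set(later) <= set(earlier))


def _covers_nets(earlier: List[str], later: List[str]) -> bool:
    if not earlier:
        return True
    if not later:
        return False
    e_nets = [ipaddress.ip_network(n, strict=False) for n in earlier]
    return all(any(l.version == e.version and l.subnet_of(e) for e in e_nets)
               for l in (ipaddress.ip_network(n, strict=False) for n in later))


def _covers_services(earlier: List[Service], later: List[Service]) -> bool:
    if not earlier:
        return True
    if not later:
        return False
    return all(any(ep == lp and (eport is None or eport == lport) for ep, eport in earlier)
               for lp, lport in later)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed rule, earlier rule that hides it) pairs. Heuristic: an earlier
    enabled rule whose every condition is at least as broad always fires first."""
    found = []
    for i, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:i]:
            if (earlier.enabled
                    and _covers_list(earlier.src_zones, later.src_zones)
                    and _covers_list(earlier.dst_zones, later.dst_zones)
                    and _covers_nets(earlier.src_nets, later.src_nets)
                    and _covers_nets(earlier.dst_nets, later.dst_nets)
                    and _covers_services(earlier.services, later.services)
                    and _covers_list(earlier.users, later.users)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policy: block outbound SMTP first, then the broad default rule.
POLICY = [
    Rule("Block SMTP to Internet", "deny", src_zones=["Trusted"], dst_zones=["Untrusted"],
         services=[("tcp", 25)]),
    Rule("Trusted to Internet", "allow", src_zones=["Trusted"], dst_zones=["Untrusted"]),
]

if __name__ == "__main__":
    smtp = Packet("Trusted", "Untrusted", "192.168.1.10", "203.0.113.25", "tcp", 25)
    print("correct order :", evaluate(POLICY, smtp))
    print("swapped order :", evaluate(list(reversed(POLICY)), smtp),
          "shadowed:", shadowed_rules(list(reversed(POLICY))))
```

Swapping the two rules silently turns the SMTP block into dead configuration: the broad allow rule matches first, and the deny below it is never reached, which is what the shadowing check reports.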

4. Conclusion
This concludes the article. We installed the UserGate firewall on a virtual machine and made the settings required for the Internet to work in the Trusted network. We will cover further configuration in the following articles.
Stay tuned for updates on our channels (, , , )!
Source: www.habr.com
