Check Point Gaia R80.40. What's new?

The next release of the Gaia operating system, R80.40, is approaching. A few weeks ago the Early Access program started, through which you can get access to test the distribution. As usual, we are publishing information about what's new and highlighting the points that are most interesting from our point of view. Looking ahead, I can say that the new features are really significant. So it is worth preparing for the upgrade procedure in advance. We have previously published an article on how to do this (for more information, please contact us here). Let's get to the topic...

What's new

Let's look at the officially announced new features here. The information is taken from the CheckMates site (the official Check Point community). With your permission, I will not translate this text; fortunately, the Habr audience allows it. Instead, I will leave my comments for the next chapter.

1. IoT Security. New features related to the Internet of Things

  • Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
  • Configure a new IoT dedicated Policy Layer in policy management.
  • Configure and manage security rules that are based on the IoT devices' attributes.

2. TLS Inspection

HTTP/2:

  • HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security, and results in a better user experience.
  • Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  • Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.

TLS Inspection Layer. Innovations regarding HTTPS inspection:

  • A new Policy Layer in SmartConsole dedicated to TLS Inspection.
  • Different TLS Inspection layers can be used in different policy packages.
  • Sharing of a TLS Inspection layer across multiple policy packages.
  • API for TLS operations.

3. Threat Prevention

  • Overall efficiency enhancement for Threat Prevention processes and updates.
  • Automatic updates to the Threat Extraction Engine.
  • Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
  • Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
  • Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
  • Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
  • Anti-Virus and SandBlast Threat Emulation now provide improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on by default in all Windows environments). This allows customers to stay secure while working with this performance-enhancing feature.

4. Identity Awareness

  • Support for Captive Portal integration with SAML 2.0 and third-party Identity Providers.
  • Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
  • Enhancements to the Terminal Servers Agent for better scaling and compatibility.

5. IPsec VPN

  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
      • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
      • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
      • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
  • Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

6. URL Filtering

  • Improved scalability and resilience.
  • Extended troubleshooting capabilities.

7. NAT

  • Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes port utilization and reuse.
  • NAT port utilization monitoring in CPView and with SNMP.

8. Voice over IP (VoIP)

  • Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

9. Remote Access VPN

  • Use a machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

10. Mobile Access Portal Agent

  • Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

11. CoreXL and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out-of-the-box experience - the Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

12. Clustering

  • Support for Cluster Control Protocol in Unicast mode, which eliminates the need for CCP Broadcast or Multicast modes.
  • Cluster Control Protocol encryption is now enabled by default.
  • New ClusterXL mode - Active/Active, which supports Cluster Members in different locations that are located on different subnets and have different IP addresses.
  • Support for ClusterXL Cluster Members that run different software versions.
  • Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

13. VSX

  • Support for VSX upgrade with CPUSE in Gaia Portal.
  • Support for Active Up mode in VSLS.
  • Support for CPView statistical reports for each Virtual System.

14. Zero Touch

  • A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and for connecting to the appliance for initial configuration.

15. Gaia REST API

  • Gaia REST API provides a new way to read and send information to servers that run the Gaia Operating System. See sk143612.

16. Advanced Routing

  • Enhancements to OSPF and BGP allow you to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
  • Enhanced route refresh for improved handling of BGP routing inconsistencies.

17. New kernel capabilities

  • Upgraded Linux kernel
  • New partitioning system (gpt):
      • Supports physical/logical drives larger than 2TB
  • Faster file system (xfs)
  • Supports larger system storage (up to 48TB tested)
  • I/O related performance improvements
  • Multi-Queue:
      • Full Gaia Clish support for Multi-Queue commands
      • Automatic "on by default" configuration
  • SMB v2/3 mount support in the Mobile Access blade
  • Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
  • Support for new system tools for debugging, monitoring and configuring the system

18. CloudGuard Controller

  • Performance enhancements for connections to external Data Centers.
  • Integration with VMware NSX-T.
  • Support for additional API commands to create and edit Data Center Server objects.

19. Multi-Domain Server

  • Back up and restore an individual Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
  • Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server to become a Security Management Server.
  • Revert a Domain on a Multi-Domain Server, or a Security Management Server, to a previous revision for further editing.

20. SmartTasks and API

  • New Management API authentication method that uses an auto-generated API Key.
  • New Management API commands to create cluster objects.
  • Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows you to install or upgrade multiple Security Gateways and Clusters in parallel.
  • SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

21. Deployment

  • Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows you to install or upgrade multiple Security Gateways and Clusters in parallel.

22. SmartEvent

  • Share SmartView views and reports with other administrators.

23. Log Exporter

  • Export logs filtered according to field values.

24. Endpoint Security

  • Support for BitLocker encryption for Full Disk Encryption.
  • Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
  • Support for dynamic size of Endpoint Security client packages based on the features selected for deployment.
  • Policy can now control the level of notifications to end users.
  • Support for Persistent VDI environments in Endpoint Policy Management.

What we liked most (based on customer tasks)

As you can see, there are a lot of new features. But for us, as a systems integrator, there are several points that are especially interesting (they are also interesting to our customers). Our top 10:

  1. Finally, full support for IoT devices has appeared. It is already hard to find a company that does not have such devices.
  2. TLS inspection is now placed in a separate layer (Layer). This is much more convenient than it is now (in 80.30). No more launching the old Legacy Dashboard. Also, you can now use Updatable Objects in the HTTPS inspection policy, such as Office365, Google, Azure, AWS, etc. This is very convenient when you need to configure exceptions. However, there is still no support for TLS 1.3. Apparently they will "catch up" with the next hotfix.
  3. Significant changes in Anti-Virus and SandBlast. You can now inspect protocols such as SCP, SFTP and SMBv3 (by the way, nobody else can inspect this multi-channel protocol).
  4. There are many improvements regarding Site-to-Site VPN. You can now configure several VPN domains on a gateway that is part of several VPN communities. This is very convenient and much more secure. In addition, Check Point has finally remembered Route Based VPN and slightly improved its stability/compatibility.
  5. A very popular feature for remote users has appeared. You can now authenticate not only the user but also the device they connect from. For example, we want to allow VPN connections only from corporate devices. This is done, of course, with the help of certificates. It is also possible to automatically mount (SMB v2/3) shares for remote users with the VPN client.
  6. There are many changes in cluster operation. But perhaps one of the most interesting is the ability to run a cluster whose gateways have different Gaia versions. This is convenient when planning an upgrade.
  7. Improved Zero Touch capabilities. A useful thing for those who often install "small" gateways (for example, for ATMs).
  8. For logs, storage of up to 48TB is now supported.
  9. You can share your SmartEvent dashboards with other administrators.
  10. Log Exporter now lets you pre-filter the messages being sent using the required fields. That is, only the necessary logs and events will be forwarded to your SIEM systems.

Upgrade

Perhaps many are already thinking about upgrading. There is no need to rush. First, version 80.40 has to move to General Availability. But even after that, you should not upgrade immediately. It is better to wait at least for the first hotfix.
Perhaps many are "sitting" on old versions. I can say that it is at least already possible (and necessary) to upgrade to 80.30. This is already a stable and proven system!

You can also subscribe to our public pages (Telegram, Facebook, VK, TS Solution Blog), where you can follow the appearance of new materials on Check Point and other security products.

Source: www.habr.com
