Palo Alto Networks setup features: SSL VPN


Despite all the advantages of Palo Alto Networks firewalls, there is not much material on RuNet about configuring these devices, nor many articles describing implementation experience. We decided to summarise the material we accumulated while working with this vendor's equipment and to describe the peculiarities we encountered while implementing various projects.

As an introduction to Palo Alto Networks, this article covers the configuration needed to solve one of the most common firewall tasks: SSL VPN for remote access. We will also cover the utility functions for general firewall configuration, user identification, applications and security policies. If the topic interests readers, we will later publish material on Site-to-Site VPN, dynamic routing and centralised management with Panorama.

Palo Alto Networks firewalls use a number of innovative technologies, including App-ID, User-ID and Content-ID. Using these functions allows you to ensure a high level of security. For example, App-ID identifies application traffic based on signatures, decoding and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID identifies network users through LDAP integration. Content-ID scans traffic and identifies transferred files and their content. Other firewall functions include intrusion prevention, protection against vulnerabilities and DoS attacks, built-in anti-spyware, URL filtering, clustering and centralised management.

For the demonstration we use a stand whose configuration is close to a real one, apart from device names, the AD domain name and IP addresses. In reality everything is more complicated: there may be many branches. In that case, instead of a single firewall, a cluster is installed at the boundary of each central site, and dynamic routing may be required.

The stand runs PAN-OS 7.1.9. As a typical configuration, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. An Active Directory domain is used as the user database (Figure 1).

Figure 1 - Network block diagram

Setup steps:

  1. Preliminary device preparation: setting the hostname, management IP address, static routes, administrator accounts and management profiles
  2. Installing licenses, configuring and installing updates
  3. Configuring security zones, network interfaces, traffic policies and address translation
  4. Configuring an LDAP Authentication Profile and the User Identification function
  5. Configuring SSL VPN

1. Preliminary preparation

The main tool for configuring a Palo Alto Networks firewall is the web interface; management via the CLI is also possible. By default, the management interface is set to IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from the same network, or with the command set deviceconfig system ip-address <> netmask <>. It is executed in configuration mode; to enter configuration mode, use the command configure. All changes on the firewall take effect only after the settings are confirmed with the command commit, both in the command line and in the web interface.

To change settings in the web interface, use the Device -> Setup -> Management section. The hostname, banners, time zone and other settings are set in the General Settings section (Figure 2).

Figure 2 - Management parameters

If you run a virtual firewall in an ESXi environment, in the General Settings section you need to enable the use of the MAC address assigned by the hypervisor, or configure the MAC addresses shown on the firewall interfaces in the hypervisor, or change the virtual switch settings to permit MAC address changes. Otherwise, traffic will not pass.

The management interface is configured separately and is not shown in the list of network interfaces. The Management Settings section specifies the default gateway for the management interface. Other static routes are configured in the virtual routers section; this is discussed later.

To allow access to the device through other interfaces, create a management profile (Management Profile) in the Network -> Network Profiles -> Interface Mgmt section and assign it to the corresponding interface.

Next, configure DNS and NTP in the Device -> Services section so that the device can receive updates and display the time correctly (Fig. 3). By default, all traffic generated by the firewall uses the management IP address as its source IP address. You can assign a different interface to each particular service in the Service Route Configuration section.

Figure 3 - DNS, NTP and system service route parameters

2. Installing licenses, configuring and installing updates

For all firewall functions to work fully, you need to install a license. You can use a trial license by requesting it from Palo Alto Networks partners; its validity period is 30 days. The license is activated either with a file or using an Auth-Code. Licenses are configured in the Device -> Licenses section (Figure 4).
After installing the license, configure the installation of updates in the Device -> Dynamic Updates section.
In the Device -> Software section you can download and install new versions of PAN-OS.

Figure 4 - License management panel

3. Configuring security zones, network interfaces, traffic policies, address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. Network interfaces are assigned to a specific zone, and this zone is used in traffic rules. With this approach, when interface settings change later, you do not change the traffic rules; instead you reassign the required interfaces to the corresponding zones. By default, traffic within a zone is allowed and traffic between zones is blocked; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 - Security zones

In this example, the interface on the internal network is assigned to the internal zone, and the interface facing the Internet is assigned to the external zone. For the SSL VPN, a tunnel interface is created and assigned to the vpn zone (Figure 5).

The network interfaces of a Palo Alto Networks firewall can operate in five different modes:

  • Tap - used to collect traffic for monitoring and analysis
  • HA - used for cluster operation
  • Virtual Wire - in this mode, the firewall pairs two interfaces and transparently passes traffic between them without changing MAC or IP addresses
  • Layer2 - switch mode
  • Layer3 - router mode

Figure 6 - Setting the interface operating mode

In this example, Layer3 mode is used (Fig. 6). The interface parameters specify the IP address, the operating mode and the corresponding security zone. In addition to the operating mode, the interface must be assigned to a Virtual Router, which is the Palo Alto Networks analogue of a VRF instance. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings specify static routes and routing protocol settings. In this example, only a default route is created for access to external networks (Fig. 7).

Figure 7 - Virtual router setup

The next configuration stage is traffic policies, in the Policies -> Security section. A configuration example is shown in Figure 8. The rule logic is the same as on any firewall: rules are checked from top to bottom until the first match. A brief description of the rules:

1. SSL VPN access to Web Portal - allows access to the web portal for authenticating remote connections
2. VPN traffic - allows traffic between remote connections and the head office
3. Basic Internet - allows the dns, ping, traceroute and ntp applications. The firewall allows applications based on signatures, decoding and heuristics rather than port numbers and protocols, which is why the Service column says application-default: the default port/protocol for that application
4. Web access - allows Internet access over the HTTP and HTTPS protocols without application control
5,6. Default rules for all other traffic.
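The top-down, first-match evaluation and the application-default behaviour described above, as an added example that is not part of the original article or of PAN-OS: a small model of this rulebase. The zones, App-ID names, ports and the rules' exact match fields are assumptions for the example; the article only names the rules.

```python
from dataclasses import dataclass
from typing import Optional, Set
# Constructed model of the zone-based rulebase described above (example, not PAN-OS code).
# Rules are evaluated top-down and the first match wins; the predefined intrazone-default
# (allow) and interzone-default (deny) rules close the list.
ANY = "any"
# Default ports per App-ID for "application-default" (constructed subset; ICMP apps have none).
APP_DEFAULT_PORTS = {"dns": {53}, "ntp": {123}, "web-browsing": {80}, "ssl": {443},
                     "ping": set(), "traceroute": set()}

@dataclass
class Rule:
    name: str
    src: Set[str]      # source zones, or {ANY}
    dst: Set[str]      # destination zones, or {ANY}
    apps: Set[str]     # App-ID names, or {ANY}
    action: str        # "allow" or "deny"
    service: object = "application-default"   # or "any", or an explicit set of ports

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    app: str           # application as identified by App-ID, not guessed from the port
    port: Optional[int] = None

def _service_ok(rule: Rule, flow: Flow) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        defaults = APP_DEFAULT_PORTS.get(flow.app, set())
        return flow.port in defaults if defaults else flow.port is None
    return flow.port in rule.service

def matches(rule: Rule, flow: Flow) -> bool:
    return ((ANY in rule.src or flow.src_zone in rule.src)
            and (ANY in rule.dst or flow.dst_zone in rule.dst)
            and (ANY in rule.apps or flow.app in rule.apps) and _service_ok(rule, flow))

def evaluate(rulebase, flow: Flow) -> tuple:
    """Return (rule name, action) of the first matching rule, else of the default rule."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action
    return ("intrazone-default", "allow") if flow.src_zone == flow.dst_zone else ("interzone-default", "deny")

# Rules 1-4 from the article; zones and App-IDs per rule are assumptions for this example.
# Traffic to the firewall's own external interface (the portal) is classified external -> external.
RULEBASE = [
    Rule("SSL VPN access to Web Portal", {"external"}, {"external"}, {"ssl", "web-browsing"}, "allow"),
    Rule("VPN traffic", {"vpn"}, {"internal"}, {ANY}, "allow", service="any"),
    Rule("Basic Internet", {"internal"}, {"external"}, {"dns", "ping", "traceroute", "ntp"}, "allow"),
    Rule("Web access", {"internal"}, {"external"}, {ANY}, "allow", service={80, 443}),
]
```

Note that dns on a non-default port from the internal zone falls through to interzone-default, while any application on port 443 passes rule 4, which is the cost of "without application control".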

Figure 8 - Example of network rule setup

To configure NAT, use the Policies -> NAT section. A NAT configuration example is shown in Figure 9.

Figure 9 - NAT configuration example

For any traffic from the internal zone to the external zone, the source address is translated to the firewall's external IP address using dynamic port address translation (PAT).

4. Configuring an LDAP Authentication Profile and the User Identification function
Before connecting users via SSL VPN, you need to configure the authentication method. In this example, authentication is performed against the Active Directory domain controller, configured through the Palo Alto Networks web interface.

Figure 10 - LDAP profile

For authentication to work, you need to configure an LDAP Profile and an Authentication Profile. In the Device -> Server Profiles -> LDAP section (Figure 10), specify the IP address and port of the domain controller, the LDAP type and a user account that is a member of the Server Operators, Event Log Readers and Distributed COM Users groups. Then, in the Device -> Authentication Profile section, create an authentication profile (Figure 11), select the previously created LDAP Profile and, on the Advanced tab, specify the group of users allowed remote access (Fig. 12). It is important to set the User Domain parameter in the profile, otherwise group-based authorization will not work. This field must contain the NetBIOS domain name.

Figure 11 - Authentication profile

Figure 12 - AD group selection

The next step is configuring Device -> User Identification. Here, specify the IP address of the domain controller and the connection credentials, and also enable the Enable Security Log, Enable Session and Enable Probing settings (Figure 13). In the Group Mapping section (Figure 14), specify the parameters for identifying objects in LDAP and the list of groups that will be used for authorization. As in the Authentication Profile, the User Domain parameter must be set here.

Figure 13 - User mapping parameters

Figure 14 - Group Mapping parameters

The final step in this section is creating the VPN zone and an interface for that zone. The Enable User Identification option must be enabled in the zone settings (Figure 15).

Figure 15 - Setting up the VPN zone

5. Configuring SSL VPN

Before connecting to the SSL VPN, the remote user must open the web portal, authenticate and download the GlobalProtect client. The client then requests credentials and connects to the corporate network. The web portal runs over https and therefore needs a certificate. Use a publicly trusted certificate if possible; then the user will not receive a warning that the site's certificate is invalid. If a public certificate cannot be used, you will have to issue your own certificate for the https web page. It can be self-signed or issued by a local certificate authority. The remote computer must have the root certificate (or the self-signed certificate) in its list of trusted root authorities so that the user does not get an error when connecting to the web portal. This example uses a certificate issued by Active Directory Certificate Services.

To issue a certificate, create a certificate request in the Device -> Certificate Management -> Certificates -> Generate section. In the request, specify the certificate name and the IP address or FQDN of the web portal (Fig. 16). After generating the request, download the .csr file and paste its contents into the certificate request field of the AD CS Web Enrollment web form. Depending on how the certificate authority is configured, the request may need to be approved; the issued certificate must be downloaded in Base64 Encoded Certificate format. In addition, download the root certificate of the certificate authority. Then import both certificates into the firewall. When importing the web portal certificate, select the request in the pending state and click Import. The certificate name must match the name specified when creating the request; the root certificate name can be chosen arbitrarily. After importing the certificates, create an SSL/TLS Service Profile in the Device -> Certificate Management section and select the imported certificate in the profile.

Figure 16 - Certificate request

The next step is configuring the GlobalProtect Gateway and GlobalProtect Portal objects in the Network -> GlobalProtect section. In the GlobalProtect Gateway settings, specify the firewall's external IP address, the previously created SSL Profile, the Authentication Profile, the tunnel interface and the client IP settings. You need to specify the pool of IP addresses from which addresses are assigned to clients, and the Access Route, that is, the subnets to which the client will have a route. If the goal is to pass all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Fig. 17).

Figure 17 - Configuring the IP address pool and routes

Then configure the GlobalProtect Portal. Specify the firewall's IP address, the SSL Profile and Authentication Profile, and the list of external IP addresses of the firewalls the client will connect to. If there are several firewalls, you can set a priority for each one, according to which users will choose the firewall to connect to.

In the Device -> GlobalProtect Client section, download the VPN client distribution from the Palo Alto Networks servers and activate it. To connect, the user opens the portal web page, where they are prompted to download the GlobalProtect Client. Once it is downloaded and installed, the user can enter their credentials and connect to the corporate network over the SSL VPN.

Conclusion

This concludes the Palo Alto Networks configuration part. We hope the information was useful and that the reader has gained an understanding of the technologies used in Palo Alto Networks. If you have questions about the configuration or suggestions for topics of future articles, write them in the comments; we will be glad to answer.

Source: www.habr.com
