[Check Point] CheckPoint Firewall Implementation Guide: UTM-1 & Power-1 V2.0 Firewall Project Implementation Guide
Course introduction:

Table of Contents

Check Point Firewall Project Implementation Guide

1 Firewall Introduction
  1.1 UTM-1
    1.1.1 UTM-1 features
    1.1.2 UTM-1 firewall panel interfaces
  1.2 Power-1
    1.2.1 Power-1 features
    1.2.2 Power-1 panel interfaces
  1.3 Terminology
  1.4 Differences between the UTM-1 and Power-1 products
    1.4.1 Differences in market positioning

2 Firewall System Configuration Guide
  2.1 Initializing the firewall system configuration
    2.1.1 Supported Check Point software versions
    2.1.2 UTM-1/Power-1 firewall system initialization
  2.2 Initializing the management server system configuration
    2.2.1 Installing the management server
    2.2.2 Initializing the management server system
    2.2.3 Management server high-availability configuration
    2.2.4 Installing the firewall management client
  2.3 System and network configuration
    2.3.1 System-level configuration
    2.3.2 Interface configuration
    2.3.3 Routing configuration
  2.4 Firewall HA configuration
    2.4.1 Configuring ClusterXL properties in SmartCenter
  2.5 Firewall object and policy configuration
    2.5.1 Configuring network objects
    2.5.2 Configuring service objects
    2.5.3 Firewall policy configuration
    2.5.4 Configuring network address translation (NAT)
    2.5.5 Configuring OPSEC-type objects
    2.5.6 Limiting the number of user connections
    2.5.7 Configuring the firewall's maximum concurrent connections
    2.5.8 Session aging time configuration
  2.6 Power-1 multi-core (CoreXL) configuration
    2.6.1 Setting the number of CPUs that handle firewall processes
    2.6.2 Setting the number of CPUs that handle firewall interfaces
  2.7 Forwarding SmartCenter logs via syslog

3 Intrusion Prevention (IPS) Policy Configuration
  3.1 IPS overview
  3.2 IPS configuration
    3.2.1 Defining the firewalls that enforce IPS
    3.2.2 Defining an IPS Profile
    3.2.3 Configuring Protections
    3.2.4 Configuring Geo Protection
    3.2.5 Configuring Network Exceptions
    3.2.6 IPS security updates
    3.2.7 Follow Up options
    3.2.8 Advanced options
  3.3 Disabling IPS

4 Identity Awareness
  4.1 Captive Portal settings
  4.2 Testing user access control (Identity Access)
  4.3 Creating access objects (Access Roles)
  4.4 Identifying the access records of multiple users behind the same IP address
  4.5 Authenticating with Captive Portal

5 SmartEvent Event Analyzer

6 Application Control and URL Filtering (App Control & URL Filtering)
  6.1 Initializing Application Control
  6.2 Creating actions for UserCheck policies
  6.3 Initializing URL Filtering

7 Inspecting the HTTPS Protocol
  7.1 Why inspect HTTPS
  7.2 Enabling HTTPS Inspection
  7.3 Bypass HTTPS Inspection

8 Data Loss Prevention (DLP) Testing
  8.1 Prerequisites for a DLP deployment
  8.2 Choosing a DLP deployment environment
    8.2.1 Deployment on a firewall gateway with the integrated DLP Blade
    8.2.2 Deployment using dedicated DLP hardware
    8.2.3 Deploying a dedicated DLP gateway behind the firewall
  8.3 DLP deployment considerations
  8.4 DLP data loss prevention testing
    8.4.1 Data loss prevention test for the HTTP protocol
    8.4.2 Data loss prevention test for keywords sent over SMTP
    8.4.3 Data loss prevention test for FTP file uploads

9 Anti-Spam and Anti-Virus
  9.1 Enabling the anti-virus and mail security modules
  9.2 Configuring the anti-virus and mail security policy
  9.3 Installing the anti-virus and mail security policy
  9.4 Testing mail filtering
  9.5 Testing anti-virus

10 Botnet Defense (Anti-Bot & Anti-Virus)
  10.1 What is a botnet
  10.2 Botnet defense policy

11 Firewall Maintenance and Monitoring
  11.1 SmartDashboard
    11.1.1 Using Database Revision Control
  11.2 SmartView Tracker
    11.2.1 SmartView Tracker Mode
    11.2.2 Toolbar overview
    11.2.3 Filtering logs with Filter
    11.2.4 Configuring policy Track
  11.3 SmartView Monitor
    11.3.1 Configuring Monitor
    11.3.2 Monitoring Gateway status
    11.3.3 Monitoring Traffic
    11.3.4 Monitoring System Counters
    11.3.5 Monitoring Tunnels
    11.3.6 Monitoring Remote Users
    11.3.7 SmartUpdate
    11.3.8 Installing security updates
    11.3.9 Managing Licenses

12 Firewall Backup and Restore
  12.1 SecurePlatform backup and restore
  12.2 SmartCenter backup and restore (upgrade_tools)

13 Troubleshooting Steps
  13.1 Hardware troubleshooting
    13.1.1 Using the Hardware Diagnostic Tool
    13.1.2 Power supply and fan status checks
    13.1.3 System fails to boot because of I/O errors
    13.1.4 Hard disk fault checks
    13.1.5 Network interface card fault checks
  13.2 Software troubleshooting
  13.3 Collecting firewall fault information
    13.3.1 Logging in to the firewall to collect system file information
    13.3.2 Collecting coredump files
    13.3.3 Collecting debug output
    13.3.4 Using zdebug
    13.3.5 Debugging the FWD process
  13.4 Troubleshooting example
    13.4.1 Symptoms
    13.4.2 Troubleshooting approach
    13.4.3 Analysis of the results
    13.4.4 Notes

14 Common Commands
  14.1 Common firewall management commands
  14.2 Common system administration commands

15 System Optimization
  15.1 Optimizing SmartCenter
  15.2 Optimizing the firewall module
    15.2.1 Disabling unneeded feature modules
    15.2.2 Optimizing session timeouts for common protocols
    15.2.3 Removing the default rejection of the X11 protocol
    15.2.4 Optimizing protocol synchronization
    15.2.5 Other optimization recommendations

16 Complete Configuration Examples
  16.1 Distributed deployment + OSPF + ECMP
    16.1.1 Network plan and topology diagram
    16.1.2 IP address plan
    16.1.3 Detailed configuration
  16.2 Distributed deployment + static routing + ECMP
    16.2.1 Network plan and topology diagram
    16.2.2 IP address plan
    16.2.3 Detailed configuration
  16.3 HA deployment + OSPF
    16.3.1 Network plan and topology diagram
    16.3.2 IP address plan
    16.3.3 Detailed configuration
  16.4 HA deployment + static routing
    16.4.1 Network plan and topology diagram
    16.4.2 IP address plan
    16.4.3 Detailed configuration
  16.5 HA deployment + OSPF + ECMP
    16.5.1 Network plan and topology diagram
    16.5.2 IP address plan
    16.5.3 Detailed configuration
  16.6 HA deployment + static routing + ECMP
    16.6.1 Network plan and topology diagram
    16.6.2 IP address plan
    16.6.3 Detailed configuration

攻城狮论坛 (bbs.vlan5.com). Copyright belongs to the original author; this material is provided for trial reading only. ©2011 Check Point Software Technologies Ltd. All rights reserved.