Apresentação - Fofortinetfortinetrtinet - Configurações Básicas

  • View
    9

  • Download
    5

Embed Size (px)

DESCRIPTION

fortinet

Transcript

  • *FortiGateConfiguraes BsicasEngenharia de RedesLaurence Stendard

  • *Tpicos Instalao Interfaces Rotas Firewall NAT VPN IPsec - Client-to-Site VPN SSL Client-to-Site VPN IPsec Site-to-Site IPS DoS Sensor Backup Command Line VDOM

  • * Conectar notebook/workstation interface interna. Configurar endereo na rede 192.168.1.99/24.Instalao

  • * https://192.168.1.99 name = admin password = em branco.Instalao (cont.)

  • *Instalao (cont.)

  • *Interfaces

  • *Interfaces (cont.)

  • *Interfaces - VLAN

  • *Interfaces VLAN (cont.)

  • *Interfaces IP Secundrio

  • *Interfaces IP Secundrio (cont.)

  • *No existe um opo opo para forar o modo de operao de uma interface atravs da interface web (?!)

    Isto deve ser configurado atravs da CLI:Fortigate51B # config system interfaceFortigate51B (interface) # edit wan1Fortigate51B (wan1) # set speed 100fullFortigate51B (wan1) # end Interfaces Modo de Operao

  • *Rotas

  • *Rotas (cont.)

  • *Firewall Regras - View

  • *Firewall Regras Default

  • *Endereo Externo: 200.202.114.251 -> Endereo Interno: 10.123.123.10NAT de Entrada 1 /p 1

  • *NAT de Entrada 1 p/ 1 (cont.)

  • *NAT de Entrada 1 p/ 1 (cont.)

  • *NAT de Entrada 1 p/ 1 (cont.)

  • *Endereo Externo: 10.123.123.[100-102] -> Endereo Interno: 200.202.114.[252-254]NAT de Sada 1 p/ 1

  • *NAT de Sada 1 p/ 1 (cont.)

  • *NAT de Sada 1 p/ 1 (cont.)

  • * necessrio criar uma regra de entrada mesmo que no exista a necessidade de acessos do ambiente externo para o interno. NAT de Sada 1 p/ 1 (cont.)

  • *NAT de Sada 1 p/ 1 (cont.)

  • *NAT de Sada 1 p/ 1 (cont.)

  • *NAT de Sada Central NAT Table

  • *NAT de Sada Central NAT Table (cont.)

  • *NAT de Sada Central NAT Table (cont.)

  • *NAT de Sada Central NAT Table (cont.)

  • *VPN IPsec Client-to-Site Servidor TACACS+

  • *VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

  • *VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

  • *VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

  • *O campo Key deve ser preenchido com o mesmo valor usado no campo Server Key da configurao do Fortigate.VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

  • *VPN IPsec Client-to-Site User Group

  • *VPN IPsec Client-to-Site User Group (cont.)

  • *VPN IPsec Client-to-Site User Group (cont.)

  • *VPN IPsec Client-to-Site Fase 1

  • *VPN IPsec Client-to-Site Fase 1 (cont.)

  • *VPN IPsec Client-to-Site Fase 1 (cont.)

  • *VPN IPsec Client-to-Site Fase 2

  • *VPN IPsec Client-to-Site Fase 2 (cont.)

  • *VPN IPsec Client-to-Site Fase 2 (cont.)

  • *VPN IPsec Client-to-Site Rede Interna e Range dos Remote Clients

  • *Range dos Remote Clients: NAT do endereo pblico do client para um endereo interno (facilita roteamento). Aplicado interface Fase 1 da VPN (MyVPN_Fase1).VPN IPsec Client-to-Site Rede Interna e Range dos Remote Clients (cont.)

  • * Regra de EntradaVPN IPsec Client-to-Site Regra de Firewall (cont.)

  • * Regra de SadaVPN IPsec Client-to-Site Regra de Firewall (cont.)

  • *VPN IPsec Client-to-Site Regra de Firewall (cont.)

  • *VPN IPsec Client-to-Site DHCP Clients

  • *VPN IPsec Client-to-Site DHCP Clients (cont.)

  • *VPN IPsec Client-to-Site DHCP Clients (cont.)

  • *Verso free: www.forticlient.comVPN IPsec Software Client

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *Caso existam mais redes a serem acessadas atravs da VPN:VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *VPN IPsec Software Client (cont.)

  • *Editar o grupo SSLVPN_TUNNEL_ADDR1VPN SSL Modo Web

  • *VPN SSL Modo Web (cont.)

  • *VPN SSL Modo Web (cont.)

  • *VPN SSL Modo Web (cont.)

  • *VPN SSL Modo Web (cont.)

  • *VPN SSL Modo Web Portal

  • *VPN SSL Modo Web Usurios e Grupos

  • *VPN SSL Modo Web Usurios e Grupos (cont.)

  • *Regra: Range SSL VPN -> Rede InternaVPN SSL Modo Web Regra de Firewall

  • *VPN SSL Modo Web Regra de Firewall (cont.)

  • *Regra de Web PortalVPN SSL Modo Web Regra de Firewall (cont.)

  • *VPN SSL Modo Web Regra de Firewall (cont.)

  • *VPN SSL Modo Web Regra de Firewall (cont.)

  • *VPN SSL Modo Web Regra de Firewall

  • *VPN SSL Modo Web Acesso

  • *Instalao do PluginVPN SSL Modo Web Acesso (cont.)

  • *VPN SSL Modo Web Acesso (cont.)

  • *VPN SSL Modo Web Acesso (cont.)

  • *Configuraes de gateway como feito para o modo Web.Adicionar rota para o Address Range SSLVPN_TUNNEL_ADDR1VPN SSL Modo Tunnel

  • *VPN SSL Modo Tunnel Instalar Client

  • *VPN SSL Modo Tunnel (cont.)

  • *VPN SSL Modo Tunnel (cont.)

  • *- Site A: Gateway = 200.202.114.250 - Rede=10.123.123.0/24- Site B: Gateway = 200.142.90.178 Rede = 10.55.1.0/24VPN IPsec Site-to-Site Fase 1

  • *VPN IPsec Site-to-Site Fase 1 (cont.)

  • *VPN IPsec Site-to-Site Fase 1 (cont.)

  • *VPN IPsec Site-to-Site Fase 2

  • *VPN IPsec Site-to-Site Fase 2 (cont.)

  • *Quando existirem mais de uma rede em ambos os lados devem ser criadas uma Fase 2 para cada par de redes que se comunicam.VPN IPsec Site-to-Site Fase 2 (cont.)

  • *VPN IPsec Site-to-Site Monitorao

  • *VPN IPsec Site-to-Site Monitorao (cont.)

  • *VPN IPsec Site-to-Site Monitorao (cont.)

  • *IPS - Sensor

  • *IPS Sensor (cont.)

  • *Filtros so utilizados para definir os protocolos e aplicaes analisados.IPS Filtro

  • *IPS Filtro (cont.)

  • *IPS Regra

  • *IPS Logs

  • *IPS Logs (cont.)

  • *IPS Descrio do Ataque

  • *Deteco de ataques atravs de desvios do comportamento da rede.DoS Sensor

  • *DoS Sensor (cont.)

  • *DoS Sensor (cont.)

  • *A deteco de DoS usa polticas especficas. (A poltica de IPS definida nas regras de firewall.)DoS Sensor (cont.)

  • *DoS Sensor (cont.)

  • *DoS Sensor (cont.)

  • *DoS Sensor (cont.)

  • *Backup e Restore

  • *Backup e Restore (cont.)

  • *Fortigate51B # execute backup full-config tftp my-config.cfg 200.202.114.251Please wait...Connect to tftp server 200.202.114.251 ...Send config file to tftp server OK.Backup e Restore (cont.)

  • *Virtual Domain (VDOM) = virtualizao do equipamentoVDOM

  • *VDOM (cont.)

  • *VDOM (cont.)

  • *VDOM - Criao

  • *VDOM Criao (cont.)

  • *VDOM Limites

  • *VDOM Limites (cont.)

  • *VDOM Adicionar Interfaces

  • *VDOM Adicionar Interfaces (cont.)

  • *VDOM Adicionar Interfaces (cont.)

  • *VDOM Operao

  • *Acesso atravs de SSH, Telnet, console local (9600,8,n,1) e dashboard: CLI

  • *Fortigate51B # show full-configuration#config-version=FG50BH-4.00-FW-build272-100331:opmode=0:vdom=0#conf_file_ver=14300459513520570275#buildno=0272#global_vdom=1config system global set access-banner disable set admin-concurrent enable set admin-https-pki-required disable set admin-lockout-duration 60 set admin-lockout-threshold 3 set admin-maintainer enable set admin-port 80CLI (cont.)

  • *Fortigate51B # get system performance status CPU states: 0% user 13% system 0% nice 87% idle Memory states: 33% used Average network usage: 30720 kbps in 1 minute, 16453 kbps in 10 minutes, 8129 kbps in 30 minutes Average sessions: 21 sessions in 1 minute, 19 sessions in 10 minutes, 22 sessions in 30 minutes Virus caught: 0 total in 1 minute IPS attacks blocked: 0 total in 1 minute Uptime: 0 days, 22 hours, 50 minutesCLI (cont.)

  • *Fortigate51B # get system performance topRun Time: 16 days, 0 hours and 57 minutes17U, 4S, 15I; 502T, 130F, 129KF ipsengine 3049 S < 1.9 14.8 miglogd 25 S 1.9 2.5 newcli 726 R 0.9 2.7 httpsd 67 S 0.0 6.6 httpsd 63 S 0.0 6.5 cmdbsvr 15 S 0.0 4.4 httpsd 27 S 0.0 3.0 newcli 707 S 0.0 2.7 newcli 80 S 0.0 2.6 newcli 1400 S 0.0 2.6 sslvpnd 52 S 0.0 2.3 scanunitd 5867 S < 0.0 2.3 updated 54 S 0.0 2.3 merged_daemons 45 S 0.0 2.2 iked 444 S 0.0 2.2 forticron 46 S 0.0 2.2