Advanced Security Policy Courseware

Uploader: 我*** Document ID: 141435609 Uploaded: 2020-08-08 Format: PPT Pages: 24 Size: 683KB


Advanced Policy Configuration

Advanced Policy Options
    PolicyAdvanced

Advanced Policy Options (cont.)
    PolicyAdvanced

Traffic Logs
    Logs session close time, session duration, addressing (including translation) and service
    Reports Policies Traffic Log

Configuring Traffic Logs
    set policy (from zone to zone sa da service action) log
    Policy

Verifying/Accessing Logging
    get log traffic
    Policies
    Reports Policies

Traffic Counters
    Graphical view of traffic matching policy
    WebUI only
    Reports Policies Traffic Counting Graph

Configuring Traffic Counters
    set policy (from zone to zone sa da service action) count
    PolicyAdvanced

Verifying/Accessing Traffic Counters
    Policies
    Reports Policies
    get counters policy

Policy Scheduling
    Allows policy to be enabled or disabled based on time
    Two options
        Recurring times
            Two windows per day
            Weekly schedule
        Once only
    Recommend NTP be configured for accuracy

Configuring Policy Scheduling
    Create schedule
    Apply schedule to policy

Create Schedule - WebUI
    Objects Schedules New

Create Schedule CLI
    set scheduler recurrent start stop start stop
    ns208-> set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00
    ns208-> set scheduler NoICQ recurrent tues start 7:00 stop 12:00 13:00 stop 18:00
    (etc.)
    set scheduler once start stop
    ns208-> set scheduler Y2K once start 01/01/2000 stop 01/02/2000

Apply Schedule to Policy
    set policy (from zone to zone sa da service action) schedule
    PolicyAdvanced

Verifying Scheduling
    If policy has gray background, policy is in “inactive” period
    No indication of scheduling during “active” period

User Authentication
    Requires users to enter username/password before traffic is permitted through NetScreen
    Can be used in conjunction with NS Remote Client
    Can be used between LANs as an additional check of user ID
    Two options
        Firewall authentication requires traffic to match policy to trigger login dialogue
            Policy must permit Telnet, FTP, or HTTP
        WebAuth requires user to browse to dedicated WebAuth address to trigger login dialogue
    Once authenticated, all traffic matching policy will pass

Firewall Authentication
    [Diagram labels, in order]
    Web Server 172.16.1.99
    DA: 172.16.1.99, service HTTP
    Auth Policy
    Username? Password?
    DA: 172.16.1.99, service HTTP
    Username Password
    Authenticated!
    All traffic permitted by policy

WebAuth Authentication
    [Diagram labels, in order]
    DA: 10.1.1.42, service HTTP
    Web Auth
    Username? Password?
    Username Password
    Authenticated!
    All traffic permitted by policy
    Web Server 172.16.1.99
    WebAuth address 10.1.1.42

What the User Sees
    WebAuth example
    Firewall authentication depends on triggering protocol
        HTTP displays similar dialogue
        FTP/Telnet display text-based prompts

Authentication Configuration Steps
    Create user database
    Configure authentication policy
    (WebAuth only) Configure WebAuth address

Step 1: Create User Database
    Objects Users Local Edit
    set user password

Step 2: Configure Authentication Policy
    set policy (from zone to zone sa da service action) auth
    set policy (from zone to zone sa da service action) webauth
    PolicyAdvanced

Step 3: Configure WebAuth Address
    Network Interface Edit
    set interface webauth
    set interface webauth-ip

Verifying Authentication
    ns5gt-> get user all
    Total users: 1
    Id  User name  Enable  Type  ID-type  Identity  Belongs to groups
    --  ---------  ------  ----  -------  --------  -----------------
    1   JoeUser    Yes     auth

    ns5gt-> get auth table
    Total users in table: 1
    Successful: 1, Failed: 0
    Pending : 0, Others: 0
    Col T: Used: D = Default settings, W = WebAuth, A = Auth server in policy
    id  src           user     group  age  status   server  T  srczone  dstzone
    1   192.168.1.33  JoeUser         5    Success  Local   W  N/A      N/A
