Gigamon 장비는 제품별로 다양한 Packet 처리가 가능하다.
Mirror 트래픽을 전달 받아 가공을 통해 보안/모니터링/분석 장비에 전달함으로 효과를 얻을 수도 있고
Inline에 직접 개입하여 보안 장비들을 효과적으로 사용할 수 있게 구성이 가능하다.
참 재미난 Concept 이다.
As-Is의 구성은 현재 많이 사용되는 이중화 구성이다. 예전에는 이 구성이 최적화된 구성이었으나 시대가 바뀌었고
예전 구성에서의 문제점들을 해결할 수 있는 방법도 생겨났다.
| Firemon SIQL (1) | 2018.05.08 |
|---|---|
| Firemon 웹로그인유저 패스워드 복구방법 (0) | 2018.05.08 |
| Firemon CLI (0) | 2018.05.08 |
| Firemon SIQL (0) | 2017.08.08 |
[SSL VPN] Configuration
AxGate# show running-config
aos v2.1-x86(2.5-r28000)
!
hostname AxGate
!
username change password duration 60
username axroot privilege 15 password 5 8.ktW$kkQKSeYoc1JbA0nWqfQhiLhGIYulzXSPkjZ86cLUZ96
!
clock timezone KST 9
!
config sync manual
config sync group ip service time target
config sync signature
config sync parameters
config sync aip
config sync arp-sniff
config sync policy userauth security nat
config sync admin network
config sync l2-tunnel
!
config full-sync exclude ha
config full-sync exclude hostname
config full-sync exclude full-sync
config full-sync exclude sync
config full-sync exclude vrrp
!
healthcheck threshold 600
!
security zone dmz
security zone ssl
security zone trust
security zone untrust
security zone any
!
logging
console kernel off
memory system severity informational
memory audit
memory session
memory application
memory ipsec
memory anti-ddos
memory ips
memory anti-spam
memory anti-virus
memory sslvpn
memory userauth
file option size 50 alert 7 purge 5
file system audit session application ipsec anti-ddos ips anti-spam anti-virus sslvpn userauth
!
statistics log at 01:00:00
!
report
option top count 10
language html korean
!
arp max-entries 8192
!
ip domain-lookup timeout 1 retry 1
!
ip dhcp server lease-check icmp svpn0
!
ip dhcp pool ssl
network 50.0.0.0 255.255.255.0
range 50.0.0.10 50.0.0.50
classless-routes 7.7.1.10/32 50.0.0.1
lease 1 0 0
!
ipv6 neighbor max-entries 1024
!
ip igmp max-memberships 20
!
interface lo
ip address 127.0.0.1/8
!
interface eth0-0
ip address 10.10.11.116/24
security-zone untrust
no shutdown
!
interface eth0-1
ip address 7.7.2.1/24
security-zone trust
no shutdown
!
interface eth0-2
shutdown
!
interface eth0-3
shutdown
!
interface eth0-4
shutdown
!
interface eth0-5
shutdown
!
interface eth0-6
shutdown
!
interface eth0-7
shutdown
!
interface eth0-8
shutdown
!
interface eth0-9
shutdown
!
interface bond0
bonding mode balance-rr
bonding link-check miimon 1
shutdown
!
interface svpn0
mtu 1426
sslvpn heartbeat interval 500 threshold 10
sslvpn proto tcp port 7900 queue 16384
sslvpn key 1q2w3e
sslvpn algorithm aes128 aes128
sslvpn source eth0-0
ip address 50.0.0.1/24
security-zone ssl
no shutdown
!
ip route 0.0.0.0/0 10.10.11.1
ip route 7.7.1.0/24 10.10.11.118
!
security parameters
no offloading
control-no3way-timeout
session-timeout generic 1800
session-timeout icmp 10
session-timeout tcp 3600
session-timeout udp 60
state-timeout tcp syn-sent 120
state-timeout tcp syn-recv 60
state-timeout tcp no3way-est 60
state-timeout tcp fin-wait 120
state-timeout tcp close-wait 60
state-timeout tcp last-ack 30
state-timeout tcp time-wait 120
state-timeout tcp reset 3
session-limit 4500002
logging firewall
logging ha session-synced
logging security-policy expired
logging nat-policy expired
logging ipsec
logging ips
logging anti-ddos
logging anti-spam
logging anti-virus
logging application
logging sslvpn
logging userauth
accounting firewall
accounting ips
accounting anti-ddos
accounting anti-spam
accounting anti-virus
accounting ipsec
accounting application
top-statistics update-time 10
top-statistics topn-count 10
qos priority queue length 10
qos priority queue restore-time 10000
qos priority queue host-lifetime 60
nat entry-limit 5000
reference update-time 600
use-abbreviated-shell
!
security signature timeout connection 10 transaction 60
security signature retry connection 3
security signature code 20
!
ddns
update-period 600
!
service group acmsoda
proto tcp sport any dport eq 6969
!
service group ats
proto tcp sport any dport eq 2201
!
service group avt-profile
proto tcp sport any dport eq 5004
!
service group bgp
proto tcp sport any dport eq 179
!
service group blp2
proto tcp sport any dport eq 8195
!
service group bootpc
proto udp sport any dport eq 68
!
service group bootps
proto udp sport any dport eq 67
!
service group dcube(default)
proto esp
proto udp sport any dport eq 7900
!
service group dhcpv6-server
proto tcp sport any dport eq 547
!
service group dns
proto tcp sport any dport eq 53
proto udp sport any dport eq 53
!
service group fodms
proto udp sport any dport eq 7200
!
service group ftp
proto tcp sport any dport eq 21
!
service group ftps
proto tcp sport any dport eq 990
!
service group h263-video
proto tcp sport any dport eq 2979
!
service group h323gatedisc
proto tcp sport any dport eq 1718
!
service group h323gatestat
proto tcp sport any dport eq 1719
!
service group h323hostcall
proto tcp sport any dport eq 1720
!
service group h323hostcallsc
proto tcp sport any dport eq 1300
!
service group hostmon
proto udp sport any dport eq 5355
!
service group hpvipgrp
proto tcp sport any dport eq 5223
!
service group http
proto tcp sport any dport eq 80
!
service group https
proto tcp sport any dport eq 443
!
service group ike
proto udp sport any dport eq 500
!
service group imap
proto tcp sport any dport eq 143
proto tcp sport any dport eq 993
!
service group imaps
proto tcp sport any dport eq 993
!
service group kerberos
proto tcp sport any dport eq 88
!
service group kerberos_v5
proto tcp sport any dport eq 464
!
service group l2tp
proto udp sport any dport eq 1701
!
service group ldap
proto tcp sport any dport eq 389
!
service group ldaps
proto tcp sport any dport eq 636
!
service group mdns
proto udp sport any dport eq 5353
!
service group mevent
proto tcp sport any dport eq 7900
!
service group microsoft-ds
proto tcp sport any dport eq 445
!
service group mindprintf
proto tcp sport any dport eq 8033
!
service group mms
proto tcp sport any dport eq 1755
proto udp sport any dport eq 1755
!
service group ms-sql
proto udp sport any dport eq 1434
proto tcp sport any dport eq 1433
!
service group ms-sql-m
proto udp sport any dport eq 1434
!
service group ms-sql-s
proto tcp sport any dport eq 1433
!
service group mysql
proto tcp sport any dport eq 3306
!
service group netbios
proto udp sport any dport multi 137 138 139
!
service group netbios-dgm
proto udp sport any dport eq 138
!
service group netbios-ns
proto udp sport any dport eq 137
!
service group netbios-ssn
proto udp sport any dport eq 139
!
service group ntp
proto udp sport any dport eq 123
!
service group oracle
proto tcp sport any dport eq 1521
!
service group oracle-em2
proto tcp sport any dport eq 1754
!
service group oracle-vp1
proto tcp sport any dport eq 1809
!
service group oracle-vp2
proto tcp sport any dport eq 1808
!
service group pharos
proto tcp sport any dport eq 4443
!
service group pop3
proto tcp sport any dport eq 110
proto tcp sport any dport eq 995
!
service group pptp
proto udp sport any dport eq 1723
!
service group proshare-mc-2
proto tcp sport any dport eq 1674
!
service group radius-account
proto tcp sport any dport eq 1813
!
service group radius-auth
proto tcp sport any dport eq 1812
!
service group regacy_radius
proto tcp sport any dport multi 1645 1646
!
service group rsync
proto tcp sport any dport eq 873
!
service group rtsp
proto tcp sport any dport eq 554
!
service group sabams
proto tcp sport any dport eq 2760
!
service group sftp
proto tcp sport any dport eq 115
!
service group smtp
proto tcp sport any dport eq 25
!
service group smtps
proto tcp sport any dport eq 465
!
service group snapp
proto tcp sport any dport eq 2333
!
service group snmp
proto udp sport any dport eq 161
!
service group snmptrap
proto udp sport any dport eq 162
!
service group ssdp
proto udp sport any dport eq 1900
!
service group ssh
proto tcp sport any dport eq 22
!
service group stun
proto udp sport any dport eq 3478
!
service group syslog
proto udp sport any dport eq 514
!
service group tcslap
proto tcp sport any dport eq 2869
!
service group telnet
proto tcp sport any dport eq 23
!
service group teradataordbms
proto tcp sport any dport eq 8002
!
service group teredo
proto udp sport any dport eq 3544
!
service group tftp-mcast
proto tcp sport any dport eq 1758
!
service group unicall
proto tcp sport any dport eq 4343
!
service group vcom-tunnel
proto tcp sport any dport eq 8001
!
service group webcache
proto tcp sport any dport eq 8080
!
service group www
proto tcp sport any dport eq 80
proto tcp sport any dport eq 443
!
service group www-ldap-gw
proto tcp sport any dport eq 1760
!
service group x11-ssh-offset
proto tcp sport any dport eq 6010
!
service group xmpp-client
proto tcp sport any dport eq 5222
!
password policy admin
length 9 16
character-count upper 1 lower 1 digit 1 special 1
impossible sequential-count asc 3 same 3 qwerty-right 3
impossible contain-word id password 6
!
password policy user
length 9 16
character-count english 1 digit 1 special 1
!
userauth http port 10444 secure-port 10443
userauth http-install port 4443
userauth factor ip
userauth expire-timeout 24 expire-update delete-timeout 65535 connection-timeout 1
userauth max-connections 1000
userauth server priority local
userauth username mskang password 5 bJoq0$vdlEf8FVv1CqhdC3eFev.L0z0f/dAVUgCrhy3tyrFG7
userauth username test01 password 5 bJo35$EflVN/ufphqDzV8ZS498mrMv93yI9GSE2Vy6AjBJTd5
userauth username test02 password 5 4DmRC$d9M.Cb93m.JZWBFX6mcfuB9wEMJAbFCZiY/w0TzcD8C
userauth group special
userauth group special username mskang
userauth group special username test01
userauth group special username test02
!
application http option url-cache 10000
!
ip userauth policy from ssl to trust 1
source any
destination any
action authenticate
enable
!
ip userauth policy from ssl to untrust 1
source any
destination any
action authenticate
enable
!
security policy index 3
!
ip security policy from ssl to trust 10 id 1
source any
destination any
action pass log
enable
!
ip security policy from ssl to untrust 10 id 3
source any
destination any
tcp-mss 1300
action pass log
enable
!
vrrp vmac disable
!
line vty
exec-timeout 10 0
telnet port 2333
ssh port 2222
http secure-port 4433
login server request-condition auth-fail
login server priority local
login server privilege default monitor
!
end
AxGate#
| Fortinet FortiSandbox Clustering Setting sample (0) | 2021.01.20 |
|---|---|
| Juniper SRX 설정 방법 (CLI) (0) | 2021.01.20 |
| Juniper Firewall Transparent mode config (Example) (0) | 2018.05.08 |
| SRX Syslog config (0) | 2018.05.08 |
| Palo Alto Firewall Appliance PA-VM - Useful Commands (0) | 2018.05.08 |
| GigaSMART Packet Slicing (0) | 2019.09.23 |
|---|---|
| Passive SSL Decryption (0) | 2019.09.23 |
| ASF Example : instant messaging (0) | 2019.09.23 |
| NetFlow Generation - CLI (0) | 2019.09.23 |
| Gigamon Password reset : (0) | 2019.09.23 |
