We work with nearly every vendor, and over the years our lab has had time to dig into the architectures of all the major developers of software-defined solutions. Fortinet's SD-WAN stands somewhat apart here: the vendor simply built the ability to balance traffic across communication links into the firewall software. The solution is quite democratic, so it is usually considered by companies that are not yet ready for sweeping changes but want to use their links more effectively.
In this article we will explain how to configure and operate Fortinet SD-WAN, what this solution is suited for, and the pitfalls you may run into with it.
The most notable players in the SD-WAN market fall into one of two types:
1. Startups that built an SD-WAN solution from scratch. The most successful of them get a big development boost when a large company buys them; that is the story of Cisco/Viptela, VMware/VeloCloud and Nuage/Nokia.
2. Large network vendors that created an SD-WAN solution by developing the programmability and manageability of their traditional routers; that is the story of Juniper and Huawei.
Fortinet managed to find its own way: the functionality is built into the firewall software, which can bundle interfaces into a virtual link and distribute the load between them using algorithms more sophisticated than ordinary routing. This functionality is called SD-WAN. Can what Fortinet offers really be called SD-WAN? The market is gradually settling on the understanding that "software-defined" means separating the control plane from the data plane, with dedicated controllers and orchestrators. Fortinet has nothing of the kind: central management is optional and is provided by the traditional FortiManager tool. In my opinion, though, there is no point wasting time arguing about terminology in search of abstract truth. In the real world every approach has strengths and weaknesses, and the best thing is to understand them so you can choose the solution that matches the task.
To show what Fortinet's SD-WAN looks like and what it can do, let's walk through it with screenshots in hand.
How it works
Suppose we have two branches connected by two data links. These links are grouped in the same way that ordinary Ethernet interfaces are grouped into an LACP port-channel. Old-timers will remember PPP Multilink, which is also a suitable analogy. A link can be a physical port, a VLAN SVI, a VPN tunnel or a GRE tunnel.
VPN or GRE is normally used when connecting branch-office LANs over the Internet. Physical ports are used when there is an L2 connection between the sites, or when they are connected over a dedicated MPLS/VPN and you are satisfied with a connection without overlay and encryption. Another scenario in which physical ports are used in an SD-WAN group is balancing users' local access to the Internet.
In our lab stand there are four firewalls and two VPN tunnels working through two "telecom operators". The scheme looks like this:
First, the VPN tunnels are configured in point-to-point mode, so they look like point-to-point connections between devices with IP addresses on P2P interfaces, which you can ping to verify connectivity over a particular link. The tunnel works; for traffic to be encrypted and sent to the other side, it is enough to route it into the tunnel. The alternative, selecting the traffic to encrypt with subnet lists, makes the configuration more complex and confuses administrators a great deal. In large networks the VPN can be built with ADVPN technology, which is similar to Cisco's DMVPN or Huawei's DVPN and simplifies the configuration.
Site-to-site VPN configuration for two devices with BGP routing on both sides.

DC side:

config system interface
    edit "WAN1"
        set vdom "Internet"
        set ip 1.1.1.1 255.255.255.252
        set allowaccess ping
        set role wan
        set interface "DC-BRD"
        set vlanid 111
    next
    edit "WAN2"
        set vdom "Internet"
        set ip 3.3.3.1 255.255.255.252
        set allowaccess ping
        set role lan
        set interface "DC-BRD"
        set vlanid 112
    next
    edit "BRN-Ph1-1"
        set vdom "Internet"
        set ip 192.168.254.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.2 255.255.255.255
        set interface "WAN1"
    next
    edit "BRN-Ph1-2"
        set vdom "Internet"
        set ip 192.168.254.3 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.4 255.255.255.255
        set interface "WAN2"
    next
end
config vpn ipsec phase1-interface
    edit "BRN-Ph1-1"
        set interface "WAN1"
        set local-gw 1.1.1.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 2.2.2.1
        set psksecret ***
    next
    edit "BRN-Ph1-2"
        set interface "WAN2"
        set local-gw 3.3.3.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 4.4.4.1
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "BRN-Ph2-1"
        set phase1name "BRN-Ph1-1"
        set proposal aes256-sha256
        set dhgrp 2
    next
    edit "BRN-Ph2-2"
        set phase1name "BRN-Ph1-2"
        set proposal aes256-sha256
        set dhgrp 2
    next
end
config router static
    edit 1
        set gateway 1.1.1.2
        set device "WAN1"
    next
    edit 3
        set gateway 3.3.3.2
        set device "WAN2"
    next
end
config router bgp
    set as 65002
    set router-id 10.1.7.1
    set ebgp-multipath enable
    config neighbor
        edit "192.168.254.2"
            set remote-as 65003
        next
        edit "192.168.254.4"
            set remote-as 65003
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.0.0
        next
    end
end
BRN side:

config system interface
    edit "WAN1"
        set vdom "Internet"
        set ip 2.2.2.1 255.255.255.252
        set allowaccess ping
        set role wan
        set interface "BRN-BRD"
        set vlanid 111
    next
    edit "WAN2"
        set vdom "Internet"
        set ip 4.4.4.1 255.255.255.252
        set allowaccess ping
        set role wan
        set interface "BRN-BRD"
        set vlanid 114
    next
    edit "DC-Ph1-1"
        set vdom "Internet"
        set ip 192.168.254.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.1 255.255.255.255
        set interface "WAN1"
    next
    edit "DC-Ph1-2"
        set vdom "Internet"
        set ip 192.168.254.4 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.3 255.255.255.255
        set interface "WAN2"
    next
end
config vpn ipsec phase1-interface
    edit "DC-Ph1-1"
        set interface "WAN1"
        set local-gw 2.2.2.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 1.1.1.1
        set psksecret ***
    next
    edit "DC-Ph1-2"
        set interface "WAN2"
        set local-gw 4.4.4.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 3.3.3.1
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "DC-Ph2-1"
        set phase1name "DC-Ph1-1"
        set proposal aes128-sha1
        set dhgrp 2
    next
    edit "DC2-Ph2-2"
        set phase1name "DC-Ph1-2"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
config router static
    edit 1
        set gateway 2.2.2.2
        set device "WAN1"
    next
    edit 3
        set gateway 4.4.4.2
        set device "WAN2"
    next
end
config router bgp
    set as 65003
    set router-id 10.200.7.1
    set ebgp-multipath enable
    config neighbor
        edit "192.168.254.1"
            set remote-as 65002
        next
        edit "192.168.254.3"
            set remote-as 65002
        next
    end
    config network
        edit 1
            set prefix 10.200.0.0 255.255.0.0
        next
    end
end
In my opinion it is more convenient to configure the VPN this way, which is why the configuration is given in text form: almost all settings are the same on both sides, and in text form they can simply be copy-pasted. Doing the same thing in the web interface makes mistakes easier: you forget a checkbox somewhere or enter a wrong value.
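Because the two sides are maintained as copy-pasted text, a script that cross-checks them catches exactly the kind of mismatch a careless paste leaves behind. The following is an added example, not code from the article or from Fortinet: it parses the FortiOS CLI nesting (config/edit/set/next/end) and compares the phase1 and phase2 settings of the peer tunnels. The two sample texts are constructed, trimmed copies of the DC and BRN blocks above, and with them it flags the phase2 proposal difference those two blocks actually contain (aes256-sha256 on the DC side versus aes128-sha1 on the BRN side).

```python
# Added example, not code from the article or from Fortinet: cross-check the two
# sides of a FortiOS site-to-site IPsec setup such as the DC/BRN pair above.
# The sample texts are constructed, trimmed copies of those config blocks.
def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: {table: {entry: {key: value}}}."""
    stack = [{}]  # stack[-1] is the table or entry currently being edited
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] in ("config", "edit"):  # open a table, or an entry inside it
            key = " ".join(t.strip('"') for t in tok[1:])
            stack.append(stack[-1].setdefault(key, {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(t.strip('"') for t in tok[2:])
        elif tok[0] in ("next", "end"):  # close the entry or table
            stack.pop()
    return stack[0]

def check_peers(side_a, side_b):
    """List mismatches between the phase1/phase2 settings of two VPN peers."""
    a, b = parse_fortios(side_a), parse_fortios(side_b)
    p1a, p1b = a["vpn ipsec phase1-interface"], b["vpn ipsec phase1-interface"]
    # index each side's phase2 entries by the phase1 they belong to
    p2a = {v["phase1name"]: v for v in a["vpn ipsec phase2-interface"].values()}
    p2b = {v["phase1name"]: v for v in b["vpn ipsec phase2-interface"].values()}
    problems = []
    for name, t in p1a.items():
        # the peer tunnel is the one on the other side whose remote-gw is our local-gw
        peers = [(n, u) for n, u in p1b.items() if u.get("remote-gw") == t["local-gw"]]
        if not peers:
            problems.append(f"{name}: no peer tunnel has remote-gw {t['local-gw']}")
            continue
        pname, p = peers[0]
        if p["local-gw"] != t["remote-gw"]:
            problems.append(f"{name}: remote-gw {t['remote-gw']} but peer local-gw is {p['local-gw']}")
        for phase, x, y in (("phase1", t, p), ("phase2", p2a[name], p2b[pname])):
            for key in ("proposal", "dhgrp"):  # both sides must agree or IKE negotiation fails
                if x.get(key) != y.get(key):
                    problems.append(f"{name}/{pname}: {phase} {key} {x.get(key)} vs {y.get(key)}")
    return problems

# Constructed sample: one tunnel per side with the article's gateways and proposals.
SIDE = "\n".join(["config vpn ipsec phase1-interface", 'edit "{n}-Ph1-1"',
    "set local-gw {lg}", "set proposal aes128-sha1", "set dhgrp 2", "set remote-gw {rg}",
    "next", "end", "config vpn ipsec phase2-interface", 'edit "{n}-Ph2-1"',
    'set phase1name "{n}-Ph1-1"', "set proposal {p2}", "set dhgrp 2", "next", "end"])
DC = SIDE.format(n="BRN", lg="1.1.1.1", rg="2.2.2.1", p2="aes256-sha256")
BRN = SIDE.format(n="DC", lg="2.2.2.1", rg="1.1.1.1", p2="aes128-sha1")

if __name__ == "__main__":
    print("\n".join(check_peers(DC, BRN)) or "both sides mirror each other")
```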
Once the interfaces have been added to the tunnel:
All routes and security policies can reference the tunnel rather than the interfaces it contains. At a minimum, traffic from the internal network into the SD-WAN tunnel must be allowed. When creating these rules, protections such as IPS, antivirus and HTTPS inspection can be applied.
SD-WAN rules are configured for the tunnel. These are the rules that determine the balancing algorithm for particular traffic. They resemble the routing policies of policy-based routing, but the result of matching a policy is not a next hop or an ordinary outgoing interface; it is the set of interfaces added to the SD-WAN tunnel together with the algorithm for balancing traffic between them.
Traffic can be separated from the general flow by L3-L4 information, by application, by Internet service (URL and IP), by user, and by recognition of workstations and laptops. One of the following balancing algorithms can then be assigned to the selected traffic:
In the interface preference list you choose which of the interfaces already added to the tunnel will carry this type of traffic. You don't have to add all of them, so if you don't want to load an expensive high-SLA link with, say, email, you can restrict which links are used. Starting with FortiOS 6.4.1, interfaces added to the SD-WAN tunnel can be grouped into zones, for example a zone for communication with remote sites and a zone for local Internet access with NAT. Yes, traffic bound for the ordinary Internet can also be balanced.
About the balancing algorithms
As for how Fortigate (Fortinet's firewall) splits traffic between links, there are two interesting options that are not very common on the market:
Lowest Cost (SLA): among all the interfaces that currently meet the SLA, the one with the lower weight (cost), set manually by the administrator, is chosen. This mode suits "heavy" traffic such as backups and file transfers.
Best Quality (SLA): with this algorithm Fortigate can assess link quality using the current link load in addition to the usual latency, jitter and packet loss. This mode suits sensitive traffic such as VoIP and video conferencing.
These algorithms require a Performance SLA to be configured. This "meter" periodically (at the check interval) monitors SLA compliance information (packet loss, latency and jitter of the link) and can "reject" links that currently fail the quality threshold: too many lost packets or too much latency. In addition, the meter monitors the link's status and, if replies are lost repeatedly ("failures before inactive"), temporarily removes the link from the tunnel. When the link recovers, after several consecutive replies are received ("restore link after"), the meter automatically returns the link to the tunnel and data is forwarded through it again.
The "meter" settings look like this:
In the web interface, ICMP Echo request, HTTP GET and DNS requests are available as probe protocols. The command line offers a few more options: TCP echo and UDP echo, plus TWAMP, a protocol designed specifically for quality measurement.
The measurement results can be seen in the web interface:
And from the command line:
Troubleshooting
If you have created a rule and things don't work as expected, look at the Hit Count value in the SD-WAN rule list. It shows whether traffic is matching that rule at all:
On the meter settings page you can see how the link parameters change over time. The dotted line shows the parameter's threshold:
In the web interface you can see how traffic is distributed, both by the amount of data sent and received and by the number of sessions:
On top of all this, there is an excellent facility for tracing a packet's passage in maximum detail. When you work with a real network, the device configuration accumulates many routing policies, firewall policies and SD-WAN traffic distribution rules, and all of them interact in complex ways. The vendor provides detailed block diagrams of the packet-processing algorithm, but rather than building and testing theories it is far more valuable to see where the traffic actually goes.
For example, the following set of commands traces two packets with source address 10.200.64.15 and destination address 10.1.7.2. We ping 10.1.7.2 from 10.200.64.15 twice and look at the console output:

diagnose debug flow filter saddr 10.200.64.15
diagnose debug flow filter daddr 10.1.7.2
diagnose debug flow show function-name
diagnose debug enable
diagnose debug trace 2

First packet. Here is the first packet received by the firewall:

id=20085 trace_id=475 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=0."

The VDOM is Internet, proto=1 is ICMP, DMZ-Office is the L3 interface the packet arrived on, and type=8 is Echo request.

A new session is created for it:

msg="allocate a new session-0006a627"

A match is found in the policy routing settings, which decided that the packet must be sent into one of the VPN tunnels:

msg="Match policy routing id=2136539137: to 10.1.7.2 via ifindex-110"
"find a route: flag=04000000 gw-192.168.254.1 via DC-Ph1-1"

An allow rule is found in the firewall policy:

msg="Allowed by Policy-3:"

The packet is encrypted and sent into the VPN tunnel:

func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-1"
func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-1"
func=esp_output4 line=905 msg="IPsec encrypt/auth"

The encrypted packet is sent to the gateway address of the corresponding WAN interface:

msg="send to 2.2.2.2 via intf-WAN1"

Second packet. Everything is the same, but it is sent into the other VPN tunnel and leaves through the other firewall port:

func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-2"
func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-2"
func=esp_output4 line=905 msg="IPsec encrypt/auth"
func=ipsec_output_finish line=622 msg="send to 4.4.4.2 via intf-WAN2"
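To turn such traces into something you can check automatically, here is an added example (not from the article or from Fortinet) that groups diagnose debug flow output by trace_id and extracts the path each packet took: ingress interface, session, policy route, selected route, firewall policy, IPsec tunnel and egress interface. The sample is constructed in the article's format, including its abbreviated lines without trace_id (which the parser attaches to the last trace seen); trace_id=476, the session id and the tunnel next hop of the second ping are assumed.

```python
import re
# Added example, not code from the article or from Fortinet: summarise FortiOS
# 'diagnose debug flow' output per packet so the real forwarding path can be checked.
PATTERNS = {  # field name -> regex with one capture, applied to each msg text
    "ingress": r"received a packet\(proto=\d+, \S+->\S+\) from (\S+)\.",
    "session": r"allocate a new session-(\w+)",
    "pbr_id": r"Match policy routing id=(\d+)",
    "route_iface": r"find a route: .*via (\S+)",
    "policy": r"Allowed by (Policy-\d+)",
    "tunnel": r"enter IPsec interface-(\S+)",
    "egress": r"send to \S+ via intf-(\S+)",  # last match wins: the post-encrypt hop
}

def summarize_flow(lines):
    """Group trace lines by trace_id and return {trace_id: {field: value}}."""
    flows, current = {}, None
    for line in lines:
        tid = re.search(r"trace_id=(\d+)", line)
        if tid:
            current = tid.group(1)
        if current is None:  # nothing to attach a trace-less line to yet
            continue
        msg = re.search(r'msg="(.*)"', line)
        text = msg.group(1) if msg else line
        flow = flows.setdefault(current, {})
        for name, pat in PATTERNS.items():
            hit = re.search(pat, text)
            if hit:
                flow[name] = hit.group(1)
    return flows

# Constructed sample in the article's format; trace_id=476, the second session id
# and its tunnel next hop are assumed for the second ping.
SAMPLE = '''\
id=20085 trace_id=475 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=0."
msg="allocate a new session-0006a627"
msg="Match policy routing id=2136539137: to 10.1.7.2 via ifindex-110"
msg="find a route: flag=04000000 gw-192.168.254.1 via DC-Ph1-1"
msg="Allowed by Policy-3:"
func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-1"
msg="send to 2.2.2.2 via intf-WAN1"
id=20085 trace_id=476 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=1."
msg="allocate a new session-0006a628"
msg="find a route: flag=04000000 gw-192.168.254.3 via DC-Ph1-2"
msg="Allowed by Policy-3:"
func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-2"
func=ipsec_output_finish line=622 msg="send to 4.4.4.2 via intf-WAN2"
'''
if __name__ == "__main__":
    for tid, path in summarize_flow(SAMPLE.splitlines()).items():
        print(tid, path)
```

Comparing the tunnel and egress fields of consecutive packets shows whether the SD-WAN rule really spreads the sessions over both links, which is what the two traces above demonstrate by hand.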
Pros of the solution
Reliable functionality and a user-friendly interface. The feature set that FortiOS had before SD-WAN appeared is fully preserved, i.e. this is not newly written software but a mature system from a proven firewall vendor, with the usual set of network functions and a convenient, easy-to-learn web interface. For example, how many SD-WAN vendors offer remote-access VPN functionality for endpoints?
Level-80 security. FortiGate is one of the top firewall solutions; there is plenty of material on the Internet about configuring and administering the firewall, and plenty of security specialists on the labour market who have already mastered the vendor's products.
Zero cost for the SD-WAN functionality. No additional license is needed to implement SD-WAN, so building an SD-WAN on FortiGate costs the same as building an ordinary WAN.
Low price of entry. Fortigate has a fine gradation of devices for different performance levels. The smallest and cheapest models are well suited to extending the network to an office or point of sale with, say, three to five employees. Many vendors simply have no such low-performance, affordable models.
High performance. By reducing the SD-WAN functionality to traffic balancing, the company was able to release a dedicated SD-WAN ASIC, so running SD-WAN does not degrade the firewall's overall performance.
The ability to build an entire office on Fortinet equipment: a couple of firewalls, switches and Wi-Fi access points. Such an office is simple and convenient to manage: the switches and access points register with the firewall and are controlled from it. For example, this is how a switch port looks from the interface of the firewall that controls the switch:
No controller as a single point of failure. The vendor itself emphasizes this, but it can only partly be called a plus: vendors that do have a controller make fault tolerance cheap to guarantee, in most cases at the cost of a small amount of computing resources in a virtualization environment.
What to watch out for
No separation of control plane and data plane. This means the network must be configured manually or with the already available traditional management tool, FortiManager. With vendors that implement such separation the network assembles itself; the administrator only has to adjust the topology and forbid something here and there. FortiManager's trump card, however, is that it can manage not only firewalls but also switches and Wi-Fi access points, that is, almost the entire network.
Conditional growth in manageability. Because traditional tools are used to automate the network configuration, manageability does not grow dramatically when SD-WAN is introduced. On the other hand, new functions become available sooner, because the vendor first releases them only for the firewall operating system (where they can be used immediately) and only then adds the necessary interfaces to the management system.
Some functions may be available from the command line but not from the web interface. Going to the command line to configure something is not so scary; what is scary is not seeing in the web interface that someone has already configured something from the command line. This usually concerns the newest features, though, and the web interface's capabilities are gradually extended with FortiOS updates.
Who is it for?
Those with few branches. Deploying an SD-WAN solution with complex central components for a network of 8-10 branches may simply not be worth it. Hosting the central components means spending money on SD-WAN device licenses and virtualization resources, and small companies are usually short of spare computing resources. With Fortinet, you just buy the firewalls.
Those with many small branches. For many vendors the minimum price of a branch solution is quite high and may be uninteresting from the end customer's business perspective. Fortinet offers small devices at very attractive prices.
Those not yet ready to take the next step. Implementing SD-WAN with controllers, proprietary routing and a new approach to network planning and management can be too big a leap for some customers. Yes, such a deployment ultimately helps optimize link usage and the administrators' work, but there is a lot to learn first. If you are not yet ready for a paradigm shift but want to squeeze more out of your links, Fortinet's solution is just right.