邁達特_經銷商基礎教育訓練Lab Guide

# 環境說明 ![image](https://hackmd.io/_uploads/BJhk9JYO6.png) 172.20.10.x Management 可用 IP : 172.20.10.100-172.20.10.199 GW:172.20.10.10 172.20.11.x Firewall-Ext 可用 IP : 172.20.11.100-172.20.11.199 GW:172.20.11.10 172.20.12.x Client-Int 可用 IP : 172.20.12.100-172.20.12.199 172.20.13.x Heartbeat可用 IP : 172.20.13.100-172.20.13.199 --- # Lab1 ## Lab1.1 安裝一台SMS ### GAIA安裝點選桌面瀏覽器,選取書籤host-client進入ESXi介面帳號密碼 root/VMware1! ![image](https://hackmd.io/_uploads/rkaaO1Kua.png) 右鍵點選虛擬機器->建立/登錄虛擬機器 ![image](https://hackmd.io/_uploads/S1Nqt1F_T.png) 選擇建立新的虛擬機器 ![image](https://hackmd.io/_uploads/ryR085u9p.png) 輸入名稱與系統資訊輸入資訊如下 * 名稱:CP-SMS * 相容性:ESXi 8.0虛擬機器 * 客體作業系統系列:Linux * 客體作業系統版本:其他6.x或更新版本的Linux(64位元) ![image](https://hackmd.io/_uploads/B1hYw9d9p.png) 選取儲存區->下一步 ![image](https://hackmd.io/_uploads/rJs5Dc_5p.png) CPU:4core RAM:8G HDD:200GB SCSI控制器:LSI Logic Parallel 網路介面卡:Management CD/DVD光碟機:資料存放區->ISOs->Check_Point_R81.20_T631.iso ![image](https://hackmd.io/_uploads/Skc2D9d9T.png) 選取第二個頁籤虛擬開機選項並將啟用UEFI安全開機反勾選 ![image](https://hackmd.io/_uploads/SyBpPc_c6.png) 最後檢查設定->完成 ![image](https://hackmd.io/_uploads/rkNAw5_5a.png) 開啟電源 ->在新視窗中點擊主控台 ![image](https://hackmd.io/_uploads/r1u4EFw5T.png) 完成後點選虛擬機器選取剛剛的CP-SMS 開始安裝作業 ![image](https://hackmd.io/_uploads/Hygu1xF_6.png) 警告開始安裝作業按下Enter ![image](https://hackmd.io/_uploads/BkaxxeYd6.png) 要求選擇語系按下Enter ![image](https://hackmd.io/_uploads/BJBMxlYOp.png) 設定磁區按下Enter ![image](https://hackmd.io/_uploads/ryLVlgtua.png) 輸入自定義密碼以P@ssw0rd為例 ![image](https://hackmd.io/_uploads/S1YwleYda.png) 下一個是Maintenance mode密碼以P@ssw0rd為例 ![image](https://hackmd.io/_uploads/Sy55xlYu6.png) 設定管理機介面使用的IP 設定內容如下 IP address 172.20.10.100 Netmask 255.255.255.0 Default gateway 172.20.10.101 ![image](https://hackmd.io/_uploads/H1neMxKdT.png) 下一步會警告要開始安裝->選擇ok ![image](https://hackmd.io/_uploads/rkovGeFdp.png) 這個畫面按下Enter手動離開 ![image](https://hackmd.io/_uploads/S1WG1Yd96.png) ### WEB初始化這邊會需要等一些時間,完成安裝步驟後打開Web瀏覽器輸入 https://172.20.10.100 首次進入頁面會出現憑證警告,按下advanced - Process to 172.20.10.100 ![image](https://hackmd.io/_uploads/HkVJsn_96.png) 輸入帳號密碼登入開始First Wizard ![image](https://hackmd.io/_uploads/SywiibYdT.png) 進入First Time Configuration 按Next ![image](https://hackmd.io/_uploads/SJjahWYdT.png) 設定Deployment Options Continue with R81.20 configuration ![image](https://hackmd.io/_uploads/ryWeTWKu6.png) 設定介面IP 直接Next ![image](https://hackmd.io/_uploads/B1fGpbYua.png) 設定Device Information 資訊如下 * Host Name/CP-SMS * Primary DNS Server/172.20.10.10 ![image](https://hackmd.io/_uploads/BJxVJFO96.png) 設定時區 ![image](https://hackmd.io/_uploads/rJTt6-Fdp.png) 設定Installation Type ![image](https://hackmd.io/_uploads/rkXspbFOa.png) 選擇Security Management Gatewaye記得反勾選 ![image](https://hackmd.io/_uploads/rJ236ZYua.png) 設定admin ![image](https://hackmd.io/_uploads/ByCCpbKO6.png) 設定GUI Client ![image](https://hackmd.io/_uploads/HyA1RWKOp.png) 按下Finish ![image](https://hackmd.io/_uploads/rkSbAbFOT.png) 按下Yes ![image](https://hackmd.io/_uploads/B1MYj2_56.png) 等設備重開 ![image](https://hackmd.io/_uploads/BJaf0ZFdp.png) ## Lab 1.2 安裝兩台GW ### GAIA安裝新建兩台GW-右鍵點選建立/登陸虛擬機器 ![image](https://hackmd.io/_uploads/r1auwmq_a.png) 建立新的虛擬機器 ![image](https://hackmd.io/_uploads/HkgfA_Xq_p.png) 輸入設備資訊兩台分別 * 名稱:**CP-SG1/CP-SG2** * 相容性:ESXi 8.0 * 客體作業系統系列:Linux * 客體作業系統版本:其他6.x或更新版本的Linux(64位元) 選取儲存區 ->下一步 ![image](https://hackmd.io/_uploads/SJXuYQcua.png) 設定虛擬機器注意新增網路介面卡共四張 CPU/4core RAM/8G HDD/100GB SCSI控制器/LSI Logic Parallel 網路介面卡/Management 網路介面卡/Firewall-Ext 網路介面卡/Client-Int 網路介面卡/Heartbeat CD/DVD光碟機/資料存放區 -> ISOs ->Check_Point_R81.20_T631.iso ![image](https://hackmd.io/_uploads/Hktm5X9da.png) 選取第二個頁籤虛擬開機選項並將啟用UEFI安全開機反勾選 ![image](https://hackmd.io/_uploads/S1sSj7cd6.png) 完成設定 ![image](https://hackmd.io/_uploads/Byd_omqOp.png) 點擊主控台->開啟瀏覽器主控台 ![image](https://hackmd.io/_uploads/rkqDT2_cp.png) 將設備開機並進入安裝畫面 ![image](https://hackmd.io/_uploads/HkiORQq_6.png) 選擇語系 ![image](https://hackmd.io/_uploads/Hkk9AX5d6.png) 設定partition 注意System-root 調整為19G log為20 ![image](https://hackmd.io/_uploads/Hy7zYyY56.png) 輸入密碼以P@ssw0rd為例 ![image](https://hackmd.io/_uploads/ryb6CXq_6.png) 輸入Maintenance Mode密碼以P@ssw0rd為例 ![image](https://hackmd.io/_uploads/BJs1y4c_T.png) 設定Interface 選擇eth0 剩下的後續再進行設定 ![image](https://hackmd.io/_uploads/SyNMZVcOa.png) 設定資訊如下兩台分別 IP address:**172.20.10.101/172.20.10.102** Netmask:255.255.255.0 Default Gateway:172.20.10.10 ![image](https://hackmd.io/_uploads/HJ5RZE9uT.png) 開始進行安裝 ![image](https://hackmd.io/_uploads/SysJGVq_T.png) 完成後OK按下Enter ![image](https://hackmd.io/_uploads/B1ZF7Fucp.png) ### WEB初始化這邊會需要等一些時間,完成安裝步驟後打開web瀏覽器輸入 https://172.20.10.101/102 ![image](https://hackmd.io/_uploads/SJMTHN9_p.png) 進入First Time Configuration 按Next ![image](https://hackmd.io/_uploads/SJjahWYdT.png) 設定Deployment Options Continue with R81.20 configuration ![image](https://hackmd.io/_uploads/ryMMeT_c6.png) 設定介面IP 直接Next ![image](https://hackmd.io/_uploads/ryPMvNqOp.png) 其他介面最後一起設定,這邊先下一步 ![image](https://hackmd.io/_uploads/r1AmlBcOp.png) 設定Device Information 資訊如下 * Host Name:CP-SG1/CP-SG2 * Primary DNS Server/172.20.10.10 設定時區 ![image](https://hackmd.io/_uploads/rJTt6-Fdp.png) 設定Installation Type ![image](https://hackmd.io/_uploads/rkXspbFOa.png) 選擇Security Gateway ![image](https://hackmd.io/_uploads/SJxIxH9up.png) DAIP可以先跳過,按Next ![image](https://hackmd.io/_uploads/SyAKxSqOT.png) Gateway需要輸入SIC,這邊以1234為例 ![image](https://hackmd.io/_uploads/Bk12eBcda.png) 按下Finish -> Yes ![image](https://hackmd.io/_uploads/SJN6gr9_T.png) 等設備重開 ![image](https://hackmd.io/_uploads/rkICxr5dp.png) 重新回到WebUI 設定Network Interface 點選未設定的interface 按下edit ![image](https://hackmd.io/_uploads/SkrI4K9Op.png) 設定介面資訊勾選Enable 並輸入對應IP ![image](https://hackmd.io/_uploads/BkiYrF9Oa.png) 最終結果如下圖 SG1設定101 SG2設定102 注意link status是否為綠燈 ![image](https://hackmd.io/_uploads/ByxA3rYcup.png) 點到IPv4 Static Routes 設定default Gateway Default Gateway 172.20.11.10 ![image](https://hackmd.io/_uploads/BJSusuoOT.png) 最後CP-SG2重複執行一次上述動作並注意修改IP ## Lab 1.3管理機納管GW 回到桌面開啟SmartConsole 輸入帳密後Login ![image](https://hackmd.io/_uploads/r1CSOt9OT.png) 第一次登入會有一個fingerprint確認,確認後按下proceed ![image](https://hackmd.io/_uploads/r17BYt5OT.png) 於第一個GateWay& Services選擇新增->Gateway ![image](https://hackmd.io/_uploads/S1T0tKc_T.png) 選擇Wizard Mode ![image](https://hackmd.io/_uploads/r1Fe9Kcdp.png) 輸入要納管的GW資訊 Gateway Name:CP-SG1/CP-SG2 Gateway platform: Open server IP address: CP-SG1 172.20.10.101/CP-SG2 172.20.10.102 ![image](https://hackmd.io/_uploads/S1oOqt5O6.png) 輸入前面設定的SIC 1234 ![image](https://hackmd.io/_uploads/BJzNaK5u6.png) 按下Next 若沒問題就可以get topology 並按下Finsh ![image](https://hackmd.io/_uploads/HJrp6Kc_6.png) 第二台重複一次,並確保完成後會看到SMS/CP-SG1/CP-SG2 並按下Publish ![image](https://hackmd.io/_uploads/ByX0fR_ca.png) 完成後進行第一次的install policy ![image](https://hackmd.io/_uploads/ry8rmRd56.png) 按下install ![image](https://hackmd.io/_uploads/HyYUXA_5a.png) # Lab2 ## Lab 2.1 設定NAT Rule 點選右側object 設定Network Object ![image](https://hackmd.io/_uploads/r1D7X5cOa.png) 建立外腳物件與內腳物件參考架構圖 External:172.20.11.0/24 Internal:172.20.12.0/24 ![image](https://hackmd.io/_uploads/B1znV5q_a.png) 點選第二個NAT介面勾選 add automatic address translation rules 選擇Hide behind Gateway後按下OK ![image](https://hackmd.io/_uploads/S1_4sAu5a.png) 轉到NAT Rule相關頁面,可以看到剛剛設定好的Rule自動出現在Policy內 ![image](https://hackmd.io/_uploads/rJYcK5qdT.png) ## Lab 2.2 網路測試回到VM ESXi 點開Window10 Client IP:172.20.12.150 測試ping Gateway內腳172.20.12.101 測試ping 外部IP 8.8.8.8 此時發現不通 ![image](https://hackmd.io/_uploads/rkba2Auq6.png) ## Lab 2.3 設定Access Policy for lab測試點選第二個頁面Security Policies 將預設Rule改成ANY ANY Accept ![image](https://hackmd.io/_uploads/Hkc0k59dp.png) 按下Install Policy publish & Install ![image](https://hackmd.io/_uploads/Syl4lq5_T.png) 按下Install ![image](https://hackmd.io/_uploads/ry1Sx99OT.png) 左下角點開Detail可以看到目前Install狀態 ![image](https://hackmd.io/_uploads/By0Jjcqup.png) 完成後回到第一個Gateway & Servers 確認均處於綠色勾勾狀態 ![image](https://hackmd.io/_uploads/Sy9xMc9up.png) 回到VM ESXi 點開Window10 Client 測試ping 外部IP 8.8.8.8 ![image](https://hackmd.io/_uploads/r1kTo_jO6.png) # Lab3 ## Lab3.1 License更新回到SmartConsole 左上角點開Manage licenses and packages ![image](https://hackmd.io/_uploads/HJv_Dts_T.png) 會出現一個提示視窗按下OK ![image](https://hackmd.io/_uploads/r14DDFjd6.png) 會開啟SmartUpdate介面 ![image](https://hackmd.io/_uploads/S1lyuFsu6.png) 匯入license 點選左上角 License & Contracts -> add License -> From File ![image](https://hackmd.io/_uploads/SyEm_Fo_6.png) 選取桌面的License資料夾分兩次選取CPlicense ![image](https://hackmd.io/_uploads/HyPeotjua.png) 選取成功後會出現提示訊息 ![image](https://hackmd.io/_uploads/H1akFts_p.png) 點到第二個頁籤Licenses & Contracts 會注意到SMS已經綁定IP出現紅色的trail license ![image](https://hackmd.io/_uploads/rJrmKts_T.png) 右鍵點選其中一台GW 選擇Attach Licenses ![image](https://hackmd.io/_uploads/By-OKtiOT.png) 會出現unattach的license在上面 ![image](https://hackmd.io/_uploads/r1rFKKo_6.png) 完成後注意到GW上也出現紅色的trial key ![image](https://hackmd.io/_uploads/BkGsYKsO6.png) 重複執行一遍確認兩個GW都有license 最終呈現畫面如下 ![image](https://hackmd.io/_uploads/Hkd6tYjOa.png) ## Lab3.2 update contract 完成License後點選license&Contracts -> Update Contracts -> From File ![image](https://hackmd.io/_uploads/HkrGcKs_6.png) 選取剛剛license資料夾內的ServiceContract.xml 按下Open ![image](https://hackmd.io/_uploads/BJqu9ts_6.png) 完成後會注意到最後一排Has Contracts 變成Yes ![image](https://hackmd.io/_uploads/rkRp5tsdp.png) ## Lab3.3 更新DA&hotfix 開啟瀏覽器並輸入IP進入WebUI管理介面,左側選單拉到最下面選擇CPUSE的Status and Actions ![image](https://hackmd.io/_uploads/SyQnotiOT.png) 點選圖片中的Showing Recommended packages改成All ![image](https://hackmd.io/_uploads/SJwZ2You6.png) 手動更新Depoly Agent 按下Install DA -> 按下Browse ![image](https://hackmd.io/_uploads/rJmmTKodT.png) 選取Downloads裡面的DeploymentAgent ![image](https://hackmd.io/_uploads/HyHl19jdT.png) 按下Install ![image](https://hackmd.io/_uploads/SkAPTtoOa.png) 手動更新hotfix 首先import hotfix package 選取Import Packages -> Browse ![image](https://hackmd.io/_uploads/S1yA6YiuT.png) 選取Downloads裡面的JUMBO_HF_MAIN_Bundle ![image](https://hackmd.io/_uploads/ryt7J5ouT.png) 按下Import 這裡會需要一點時間 ![image](https://hackmd.io/_uploads/Sy_Nk5iua.png) 完成後會出現Downloaded Successful 在上面點選右鍵 Verify Update 做檢查 ![image](https://hackmd.io/_uploads/HyaIlqouT.png) 檢查OK ![image](https://hackmd.io/_uploads/SJ8dg9o_T.png) 右鍵點選Install Update ![image](https://hackmd.io/_uploads/SyW9ecj_T.png) 更新Hotfix會重開故建議安排在維護時間進行 ![image](https://hackmd.io/_uploads/SyCsxqjOT.png) # Lab4 ## Lab4.1 啟用Access Policy 回到Gateways & Services點選SG1/SG2,並將Application Control & URL Filter勾選 ![image](https://hackmd.io/_uploads/SkftC_sdT.png) 系統會跳出一個畫面詢問是不是內腳IP 按下Yes ![image](https://hackmd.io/_uploads/ByeRRdsO6.png) 切換到Security Policies 右鍵點選Policy -> Edit Policy ![image](https://hackmd.io/_uploads/SJwIyKoO6.png) 點選後按下Edit Layer ![image](https://hackmd.io/_uploads/rJDZxtiua.png) 勾選Application & URL filtering 讓這層Policy開啟功能 ![image](https://hackmd.io/_uploads/rkOQxKsuT.png) 完成後Publish & Install ![image](https://hackmd.io/_uploads/HJeDxFjOT.png) 測試設定以下幾條Policy 第一條不允許source:172.20.12.0/24使用Youtube、Facebook，Drop要使用Blocked Message 第二條不允許source:172.20.12.0/24使用icmp 第三條允許source:172.20.12.0/24到任何地方第四條不允許其他所有traffic 記得Track要更改為Log，才會有紀錄另外點選More -> 選到Detail Log 才可以看到application log細項 ![image](https://hackmd.io/_uploads/S1Oy8cjOT.png) 記得要publish後install policy ![image](https://hackmd.io/_uploads/HkE-I5iup.png) 回到Window10 測試ping ![image](https://hackmd.io/_uploads/rkjF85sda.png) 開啟win10的瀏覽器測試facebook youtube![image](https://hackmd.io/_uploads/SyvzDcs_p.png) ## Lab4.2 使用Log&Monitor檢視事件點選Logs&Monitor -> log ![image](https://hackmd.io/_uploads/B1r1M3o_p.png) ![image](https://hackmd.io/_uploads/ryaVGhsuT.png) 於上方Search Bar篩選Facebook 檢查剛剛被drop掉的紀錄 ![image](https://hackmd.io/_uploads/BkpQXhoOa.png) ![image](https://hackmd.io/_uploads/By0vEhs_p.png) 也可以透過預設的queries 搜尋 application control 上方會帶入參數blade:"application control" ![image](https://hackmd.io/_uploads/SyqhEns_6.png) 回到Policy 設定一筆 Social Networking 並設定Extended log ![image](https://hackmd.io/_uploads/r1yOK3i_T.png) Install Policy ![image](https://hackmd.io/_uploads/S1BtFhi_T.png) 回到Win10 測試其他網站,測試 Youtube Twitter ![image](https://hackmd.io/_uploads/Hydfqnsu6.png) 檢視Log 會看到分別Accept與Drop ![image](https://hackmd.io/_uploads/H1Muqho_p.png) # Lab5 ## Lab5.1 設定Inline Layer 設定Address Range 分別包含下面兩個網段 172.20.12.1~ 172.20.12.127和172.20.12.128~172.20.12.254 ![image](https://hackmd.io/_uploads/H1BGBajdp.png) ![image](https://hackmd.io/_uploads/ry-9Bps_p.png) 刪除所有Rule ![image](https://hackmd.io/_uploads/rkbEUpiOT.png) 建立兩條rule分別是來源172.20.12.1-127和172.20.12.128-254允許到任何地方建立第三條rule允許任何人連到CP-SMS、CP-SG1、CP-SG2 建立第四條deny all rule Publish、install policy Install policy之後，client要能連線管理和連到internet 並設定section title 第一筆分類為Stealth Rule 二三筆為Social Network 最後一筆分類為Cleanup Rule ![image](https://hackmd.io/_uploads/HJ5HiToua.png) 滑鼠右鍵點選第2條rule的Action欄位，選擇Inline Layer > New layer ![image](https://hackmd.io/_uploads/rkhuspoO6.png) 輸入Rule Name，勾選Applications & URL Filtering，點選OK ![image](https://hackmd.io/_uploads/SyzlFajOT.png) 可以注意到此時出現了.1Rule ![image](https://hackmd.io/_uploads/B1XrKTs_a.png) 修改Rule1的inline rule 1.1 阻擋facebook，Track為Detailed Log 1.2 允許Social Networking，Track為Detailed Log 1.3 允許其他所有traffic，Track為Log ![image](https://hackmd.io/_uploads/rkRP56i_a.png) 同樣方式新增修改Rule2的inline rule 2.1阻擋YouTube，Track為Detailed Log 2.2允許Social Networking，Track為Detailed Log 2.3允許其他所有traffic，Track為Log 調整完畢記得publish再install policy ![image](https://hackmd.io/_uploads/HJS65Tjd6.png) ![image](https://hackmd.io/_uploads/Sk7P-T3uT.png) 測試原有IP172.20.12.150,可以連上FB,不能連YT ![image](https://hackmd.io/_uploads/ryHgzTndp.png) 修改本機IP到172.20.12.110 可以連YT,不能連FB ![image](https://hackmd.io/_uploads/HkBxaE0Fp.png) 172.20.12.110能看到阻擋facebook連線事件是因為Policy終止對Social Networking做log Youtube為Media Steam沒有做log和允許其他連線的Track不是Detailed Log 所以沒事件資料 ![image](https://hackmd.io/_uploads/BkwDT4CYa.png) ## Lab5.2 設定Order Layer Policy 移除所有Access Rule 新增第一條允許172.20.12.0/24到CP-SMS,CP-SG1,CP-SG2，Track為Log 新增第二條阻擋172.20.12.0/24的icmp，Track為Log 新增第三條允許其他http、https、icmp、dns封包，Track為Log 新增第四條阻擋其他所有封包，Track為Log ![image](https://hackmd.io/_uploads/ByJJwT3d6.png) 開始新增Order Layer Policy 滑鼠右鍵點選Access Control > Policy，選擇Edit Policy ![image](https://hackmd.io/_uploads/HybtO6n_6.png) 點選Edit Layer ![image](https://hackmd.io/_uploads/S1TNFa2dT.png) 取消勾選Applications & URL Filtering，點OK ![image](https://hackmd.io/_uploads/ry_8FT3d6.png) 點選Access Control的 + 然後點選New Layer ![image](https://hackmd.io/_uploads/BkLhK6h_p.png) 輸入此Order Layer Name : App Layer，再勾選Applications & URL Filtering，點選OK ![image](https://hackmd.io/_uploads/ry_y9p3up.png) 此時可看到Access Control有兩條Policy分別為Network和App Layer，點選OK ![image](https://hackmd.io/_uploads/HJbW9phO6.png) 點選App Layer開始新增application control rule ![image](https://hackmd.io/_uploads/B1pz9phOT.png) 新增第一條阻擋Facebook，Track為Detailed Log 新增第二條允許Social Networking、Media Stream，Track為Detailed Log 新增第三條允許其他所有，Track為Detailed Log Publish在install policy ![image](https://hackmd.io/_uploads/Syg56a3ua.png) Client不能連facebook，可以連youtube ![image](https://hackmd.io/_uploads/H1XV0T3O6.png) 在LOGS & MONITOR中可看到事件紀錄 ![image](https://hackmd.io/_uploads/BkVLRp2up.png) 點選阻擋facebook的事件，可再詳細內容裡的Matched Rules看到觸發那一個Layer的哪一條rule ![image](https://hackmd.io/_uploads/HkzhCTh_6.png) 測試Dropbox App Layer的Track為Detailed Log，所以有紀錄Dropbox資訊 ![image](https://hackmd.io/_uploads/rkz8eA2da.png) ## Lab5.3 建立第二個管理者同時並登入修改設定切換到MANAGE & SETTINGS > Permissions & Administrator，點選新增 ![image](https://hackmd.io/_uploads/H1YYaE0Fp.png) 設定User名稱為Metaage Authentication Method:Check Point Password Set New Password Permission:Super User ![image](https://hackmd.io/_uploads/SkLVbCndp.png) 點選左上角Install Database ![image](https://hackmd.io/_uploads/By3LzA2Op.png) 按下Install 然後Publish&Install ![image](https://hackmd.io/_uploads/HJCvMR2ua.png) 開一個新的SmartConsole並使用Metaage帳號登入 ![image](https://hackmd.io/_uploads/BkdaEAn_T.png) 會看到admin/Metaage是同時登入的 ![image](https://hackmd.io/_uploads/HyTdxH0YT.png) 此時使用Metaage的SmatConsole修改一條rule，可在admin的SmartConsole看到同一條rule是被鎖定的，且是未修改的狀態 ![image](https://hackmd.io/_uploads/rJmSLRhO6.png) 當admin做的publish後該條rule會解除鎖定，admin才可以看到Metaage修改後的內容請注意，publish只是把修改退送給所有連線的管理者SmartConsole 還是要執行install policy後，新的設定在防火牆才會生效