
Configuring Device Services

This section describes how to configure the management services of the FW: the HTTPS web service and administrator login policies, the Telnet and FTP services, the STelnet and SFTP services, and the northbound (NETCONF and RESTCONF) interfaces.

Adjusting HTTPS Server Parameters

By default, the HTTPS service with port number 8443 is enabled on the FW. After logging in to the FW through HTTPS, an administrator cannot disable the HTTPS service or change the HTTPS service port on the web UI.

  1. Choose System > Administrator > Service Settings.
  2. Enter a timeout period in Web Service Timeout.

    If you do not perform any action before the specified web service timeout period elapses, the FW displays a web service timeout message prompting you to log in again.

    The default timeout period is 10 minutes. Using the default value is recommended.

  3. In Max. Online Web Users, enter the maximum number of online web administrators.
  4. Click Apply.

Setting the Max. Consecutive Login Failures

  1. Choose System > Administrator > Service Settings.
  2. Set Max. Consecutive Login Failures. If the number of consecutive authentication failures of an administrator account reaches the specified value, the account will be locked.
  3. Set Lockout Duration. The value indicates the time during which the administrator account is locked. After the duration expires, the administrator account is automatically unlocked.
  4. Click Apply.

Setting the Minimum Password Length

  1. Choose System > Administrator > Service Settings.
  2. Enter the minimum length in Minimum Password Length.

    The password length of a new administrator account must meet the Minimum Password Length requirement.

  3. Click Apply.

Enabling the Telnet Service

Telnet transmits login credentials and session data in plaintext, so anyone who can observe the traffic between the administrator and the FW can read administrator passwords. To secure data transmission, use STelnet instead.

With the Telnet service enabled, the FW acts as a Telnet server and provides remote login to the FW.

  1. Choose System > Administrator > Service Settings.
  2. Select Enable for Telnet Service.
  3. Click Apply.

Enabling the FTP Service

FTP transmits login credentials and transferred data in plaintext, so anyone who can observe the traffic between the administrator and the FW can read administrator passwords and file contents. To secure data transmission, use SFTP instead.

With the FTP service enabled, the FW acts as an FTP server and provides file transfer to and from the FW.

  1. Choose System > Administrator > Service Settings.
  2. Select Enable for FTP Service.
  3. Click Apply.

Enabling Password Management

If an administrator logs in to the FW after the password management function is enabled, the FW prompts the administrator to take one of the following actions, depending on the state of the account and password:

  • If the administrator logs in to the FW for the first time after the password management function is enabled, the FW prompts the administrator to change the password. If the password is not changed, the login fails.
  • If the administrator's password has expired, the FW prompts the administrator to change the password. If the password is not changed, the login fails.

  1. Choose System > Administrator > Service Settings.
  2. Select Enable in Password Management.
  3. Enter the password validity period in Password Validity.
  4. Click Apply.

Enabling the Function of Displaying Login Warning Information

After this function is enabled, when a web administrator enters the user name and password on the web UI, the system displays the warning information, which notifies the administrator of the consequences of unauthorized use of the device. The administrator must click OK to access the web UI.

  1. Choose System > Administrator > Service Settings.
  2. Select Enable in Warning Information.
  3. Use the default warning information or set the warning information.

Enabling Two-Way Certificate Authentication

By default, two-way certificate authentication is disabled and only one-way certificate authentication is performed between the FW and the client: the client verifies the FW's certificate, but the FW does not verify the client's certificate.

To enable the FW to also perform certificate authentication on the client, enable two-way certificate authentication.

  1. Choose System > Administrator > Service Settings.
  2. Click Enable corresponding to Certificate Authentication and upload the CA certificate and local certificate.
    • CA Certificates: The CA certificate that the FW uses to verify the client's local certificate during login to the FW through HTTPS. For details, see CA Certificate.
    • Local Certificates: The certificate that the FW sends to the client to identify itself during login to the FW through HTTPS. For details about how to upload the certificate, see Local Certificate.
  3. Click Apply.

Enabling the STelnet or SFTP Service

STelnet (SSH-based Telnet) is a secure replacement for Telnet. With the STelnet service enabled, the FW acts as an SSH server: it authenticates clients and encrypts all data exchanged with them, so STelnet on the FW provides secure remote login.

SFTP (SSH File Transfer Protocol) is a secure replacement for FTP. With the SFTP service enabled, the FW acts as an SFTP server over SSH: it authenticates clients and encrypts all data exchanged with them, so SFTP on the FW provides secure file transfer.

  1. Choose System > Administrator > Service Settings.
  2. Expand SSH Service Settings and enable the services you need:

    • Select Enable for STelnet Service (IPv4 and IPv6).
    • Select Enable for SFTP Service (IPv4 and IPv6).

    By default, clicking Enable enables both the IPv4 and the IPv6 STelnet/SFTP service. To enable the IPv4 or IPv6 service separately, expand the service entry.

  3. Set the following parameters.

    Table 1 SSH service parameters

    SSH Port (IPv4 and IPv6)
      Listening port of the SSH server, shared by the STelnet and SFTP services.
      If a new port number is set on a FW SSH server that is providing STelnet and SFTP services, the FW disconnects all existing STelnet and SFTP connections, and clients must reconnect using the new port number.
      By default, the IPv4 SSH service and IPv6 SSH service use the same port. To set separate IPv4 and IPv6 SSH service ports, expand the entry.

    Authentication Attempts
      Maximum number of SSH authentication attempts allowed. If the number of failed attempts reaches this value, the FW locks out the administrator for 10 minutes.

    Authentication Timeout
      Timeout period (seconds) for SSH user authentication. If an SSH client is not authenticated within this period, the FW closes the connection and the client must initiate a new SSH connection.

    Key Generation Interval
      Interval (hours) at which the FW SSH server regenerates its server key.

    SSH User Level
      Privilege level of an administrator who logs in to the FW using SSH. A larger value indicates a higher level.

  4. Click Apply.
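A check to run from a management host once STelnet/SFTP are enabled and Telnet and FTP are disabled, added here as an example; it is not part of Huawei's documentation or product. It connects to the configured SSH port and reads the server identification string (RFC 4253 section 4.2) to confirm an SSH-2 server is answering, and confirms that nothing accepts connections on the plaintext Telnet and FTP ports. The FW address and SSH port are assumptions, and the banner-only loopback server used for offline testing is a constructed stand-in, not an SSH implementation.

```python
import socket
import socketserver
import threading

# Plaintext management services that should be disabled on the FW (Telnet, FTP).
PLAINTEXT_SERVICES = {23: "Telnet", 21: "FTP"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def _ident_line(buf):
    """Return the first complete line that starts with 'SSH-', or None.
    RFC 4253 section 4.2 allows a server to send other lines before its identification string."""
    for raw in buf.split(b"\n")[:-1]:  # only lines already terminated by LF
        line = raw.rstrip(b"\r").decode("ascii", "replace")
        if line.startswith("SSH-"):
            return line
    return None


def read_ssh_banner(host, port, timeout=3.0):
    """Connect and return the server identification string (e.g. 'SSH-2.0-...'),
    or None if the port is closed or the peer does not speak SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            buf = b""
            while len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
                ident = _ident_line(buf)
                if ident:
                    return ident
    except OSError:
        pass
    return None


def audit_management_plane(host, ssh_port, plaintext_services=PLAINTEXT_SERVICES, timeout=2.0):
    """Return (ssh_banner, findings). An empty findings list means an SSH-2 server answers
    on ssh_port and none of the plaintext services accept connections."""
    findings = []
    banner = read_ssh_banner(host, ssh_port, timeout)
    if banner is None:
        findings.append(f"no SSH server answered on tcp/{ssh_port}")
    elif not banner.startswith("SSH-2.0-"):
        findings.append(f"tcp/{ssh_port} advertises {banner!r}; only SSH protocol 2 should be offered")
    for port, name in plaintext_services.items():
        if tcp_open(host, port, timeout):
            findings.append(f"{name} (tcp/{port}) accepts connections: plaintext management service is enabled")
    return banner, findings


# --- Loopback stand-in for offline testing (constructed): it only sends a banner, it is not SSH. ---
class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(b"SSH-2.0-stand_in\r\n")


def start_stand_in_ssh_server():
    """Start the banner-only server on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_loopback_port():
    """Pick a loopback port that is currently not listening (used to stand in for a closed Telnet port)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Against a real FW: audit_management_plane("192.0.2.1", 22)  (address and port are assumptions)
    srv, port = start_stand_in_ssh_server()
    print(audit_management_plane("127.0.0.1", port, {closed_loopback_port(): "Telnet"}))
    srv.shutdown()
```

Run it from a host that is allowed to reach the management interface; a banner such as SSH-1.99-... or any accepted connection on tcp/23 or tcp/21 is a finding worth fixing before the FW is put into service.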

Configuring the Northbound Interface

The client calls the northbound API provided by the FW to communicate with the FW. For details on environment construction and service configuration using a northbound API, refer to API Development Guide.

Unlock Configuration:

If a device is managed by more than one management entity at the same time, configurations may become inconsistent and services may conflict. To prevent this, the controller (for example, SecoManager) can lock the device. The lock and unlock operations are normally delivered by the controller. Unlock the device locally only when communication between the device and the controller is interrupted; in all other scenarios, do not perform the unlock operation on the device.

Only the controller can lock the device, through the northbound interface. On the device side, only the unlock operation is available.

  1. Choose System > Administrator > Service Settings > Northbound Interface Settings.
  2. Set Unlock Configuration to the unlocked state.
  3. Click Apply.

Configure the NETCONF interface:

  1. Choose System > Administrator > Service Settings > Northbound Interface Settings.
  2. Select Enable for NETCONF.

  3. In NETCONF Port, enter a port number. By default, port 830 is used.

    If the NETCONF port number is changed after NETCONF is enabled, connected users are automatically disconnected.

  4. Optional: Configure proactive call-home registration.

    This function applies to the scenario where the FW proactively initiates connections to clients.

    Up to two proactive call-home registration connections can be created.

    1. Click Add.
    2. Set Host Name, IP Address/Domain Name, and Port of the host that the FW connects to, and Source IP Address and Virtual Router for the connection that the FW initiates. Then click OK.

    If the interface that initiates the call-home registration request is bound to a virtual router, set Virtual Router. Otherwise, leave the parameter unset. The management interface is bound to the virtual router named default.

    After the configuration takes effect, the FW immediately initiates a call-home registration connection to the host. If the connection fails, the FW retries twice (three attempts in total). If all attempts fail, the FW initiates the connection again 3 minutes later. You can also click Reconnect to initiate a connection immediately. You can view the connection status in Status.

  5. Click Apply.
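What a client has to do once it reaches the NETCONF service on port 830, added here as an example that is not part of Huawei's documentation or product: read the server <hello>, answer with its own hello, pick the message framing that both sides support (end-of-message ]]>]]> for base:1.0, chunked framing for base:1.1, as defined in RFC 6242) and then frame an RPC accordingly. The SSH transport itself (the "netconf" subsystem) is assumed to be opened by an SSH library and is not shown; the server hello below is constructed for the example, and its session-id and capability list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_10 = "urn:ietf:params:netconf:base:1.0"   # end-of-message framing ]]>]]>
BASE_11 = "urn:ietf:params:netconf:base:1.1"   # chunked framing (RFC 6242 section 4.2)
EOM = b"]]>]]>"
# A chunk header is LF '#' size LF; the size has no leading zeros and is never 0.
_CHUNK_HDR = re.compile(rb"\n#([1-9][0-9]{0,9})\n")

# Constructed server <hello>, shaped like what a NETCONF server sends once the SSH
# "netconf" subsystem is open; the session-id and capabilities are assumptions.
SAMPLE_SERVER_HELLO = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">\n'
    b"  <capabilities>\n"
    b"    <capability>urn:ietf:params:netconf:base:1.0</capability>\n"
    b"    <capability>urn:ietf:params:netconf:base:1.1</capability>\n"
    b"  </capabilities>\n"
    b"  <session-id>4</session-id>\n"
    b"</hello>\n]]>]]>"
)


def parse_server_hello(raw):
    """Hellos are always EOM-framed: split at ]]>]]> and return (session_id, capabilities)."""
    if EOM not in raw:
        raise ValueError("incomplete hello: terminator not received yet")
    root = ET.fromstring(raw.split(EOM, 1)[0])
    caps = {c.text.strip() for c in root.iter(f"{{{NC_NS}}}capability") if c.text}
    sid = root.find(f"{{{NC_NS}}}session-id")
    if sid is None:
        raise ValueError("server hello lacks <session-id>")
    return int(sid.text), caps


def client_hello(capabilities=(BASE_10, BASE_11)):
    """Client hello: carries no session-id and is EOM-framed regardless of what is negotiated."""
    caps = "".join(f"<capability>{c}</capability>" for c in capabilities)
    xml = f'<?xml version="1.0" encoding="UTF-8"?><hello xmlns="{NC_NS}"><capabilities>{caps}</capabilities></hello>'
    return xml.encode() + EOM


def choose_framing(server_caps, client_caps=(BASE_10, BASE_11)):
    """Chunked if both sides advertise base:1.1, else EOM if both advertise base:1.0."""
    if BASE_11 in server_caps and BASE_11 in client_caps:
        return "chunked"
    if BASE_10 in server_caps and BASE_10 in client_caps:
        return "eom"
    raise ValueError("no common NETCONF base capability: close the session")


def frame(message, framing):
    """Wrap one message for the wire in the negotiated framing."""
    data = message.encode() if isinstance(message, str) else message
    if framing == "eom":
        return data + EOM
    return b"\n#%d\n%s\n##\n" % (len(data), data)


def unframe_chunked(buf):
    """Decode one chunked message; returns (message, remaining_bytes).
    Raises on a malformed header (including the zero-length chunk the RFC forbids)
    and on a truncated buffer, so the caller reads more data and retries."""
    parts, pos = [], 0
    while True:
        if buf.startswith(b"\n##\n", pos):            # end-of-chunks marker
            return b"".join(parts), buf[pos + 4:]
        m = _CHUNK_HDR.match(buf, pos)
        if not m:
            raise ValueError(f"malformed chunk header at offset {pos}")
        start, end = m.end(), m.end() + int(m.group(1))
        if end > len(buf):
            raise ValueError("truncated chunk: need more data")
        parts.append(buf[start:end])
        pos = end


def rpc_get_config(message_id, source="running"):
    """A minimal <get-config> RPC against the named datastore."""
    return (f'<rpc message-id="{message_id}" xmlns="{NC_NS}">'
            f"<get-config><source><{source}/></source></get-config></rpc>")


def open_session(server_hello_bytes):
    """Client side of session setup: parse the server hello, build ours, pick the framing,
    and return the first RPC already framed for the wire."""
    session_id, server_caps = parse_server_hello(server_hello_bytes)
    framing = choose_framing(server_caps)
    return session_id, framing, client_hello(), frame(rpc_get_config(101), framing)


if __name__ == "__main__":
    sid, framing, hello, rpc = open_session(SAMPLE_SERVER_HELLO)
    print(sid, framing, hello, rpc, sep="\n")
```

Two details matter for robustness: the client hello is sent with ]]>]]> even when chunked framing is then used for everything else, and a zero-length or oversized chunk header must abort the session rather than be silently skipped.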

Configure the RESTCONF interface:

  1. Choose System > Administrator > Service Settings > Northbound Interface Settings.
  2. Select Enable for RESTCONF.

  3. Set the following parameters.

    Service
      Select HTTPS.

    Local Certificate
      Because the service is HTTPS, configure the local certificate that the FW presents to RESTCONF clients.
      PKCS12 and PEM local certificates are supported. For how to apply for and upload a certificate, see Certificate. You can also use the default certificate.

    Service Port
      An integer ranging from 1025 to 50000. The default HTTPS service port is 8447.

  4. Click Apply.
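A RESTCONF client skeleton for the service configured above, added here as an example that is not part of Huawei's documentation or product. It verifies the FW's HTTPS certificate against the CA that issued the local certificate instead of disabling verification, can present a client certificate where the FW is set up for two-way certificate authentication (whether that setting covers the RESTCONF port is an assumption; the page describes it for the web UI), discovers the API root from /.well-known/host-meta as RFC 8040 section 3.1 specifies, and fetches the ietf-yang-library:modules-state resource that RFC 8040 requires every server to provide. The loopback server is a constructed stand-in that speaks plain HTTP only because no certificate can be embedded here; against the FW the base URL is https://<fw>:8447.

```python
import base64
import json
import ssl
import threading
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
YANG_JSON = "application/yang-data+json"


def tls_context(cafile, client_cert=None, client_key=None):
    """TLS settings for the FW: verify its certificate against cafile (the CA that issued the
    FW's local certificate) with hostname checking, and require TLS 1.2 or later. If the FW
    requires a client certificate (two-way certificate authentication), load ours as well."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def _get(url, headers, ctx=None, timeout=10):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def discover_root(base_url, ctx=None):
    """RFC 8040 section 3.1: the API root is the rel='restconf' link in /.well-known/host-meta."""
    xrd = ET.fromstring(_get(base_url + "/.well-known/host-meta", {"Accept": "application/xrd+xml"}, ctx))
    for link in xrd.iter(f"{{{XRD_NS}}}Link"):
        if link.get("rel") == "restconf":
            return link.get("href")
    raise ValueError("host-meta advertises no RESTCONF root")


def get_data(base_url, root, resource, ctx=None, user=None, password=None):
    """GET a datastore resource (e.g. 'ietf-yang-library:modules-state') as YANG JSON."""
    headers = {"Accept": YANG_JSON}
    if user is not None:  # HTTP Basic credentials only ever travel inside verified TLS
        headers["Authorization"] = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    return json.loads(_get(f"{base_url}{root}/data/{resource}", headers, ctx))


# --- Loopback stand-in for offline testing (constructed). Plain HTTP, constructed data. ---
class _StandInRestconf(BaseHTTPRequestHandler):
    ROOT = "/restconf"

    def do_GET(self):
        if self.path == "/.well-known/host-meta":
            body = f'<XRD xmlns="{XRD_NS}"><Link rel="restconf" href="{self.ROOT}"/></XRD>'.encode()
            ctype = "application/xrd+xml"
        elif self.path == f"{self.ROOT}/data/ietf-yang-library:modules-state":
            if self.headers.get("Accept") != YANG_JSON:
                self.send_error(406)
                return
            body = json.dumps({"ietf-yang-library:modules-state":
                               {"module-set-id": "stand-in-1", "module": []}}).encode()
            ctype = YANG_JSON
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_stand_in():
    """Start the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInRestconf)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    # Against the FW (values are assumptions): base = "https://192.0.2.1:8447"; ctx = tls_context("fw-ca.pem")
    srv, base = start_stand_in()
    root = discover_root(base)
    print(root, get_data(base, root, "ietf-yang-library:modules-state"))
    srv.shutdown()
```

If the FW still uses its default certificate, export that certificate and pass it as cafile rather than turning verification off; a client that skips verification cannot tell the FW from anything else answering on port 8447.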

Copyright © Huawei Technologies Co., Ltd.