
(Optional) Configuring the Web UI

This section describes how to configure the administrator web UI.

Context

The FW enables ports 80 and 8443 to provide the HTTPS service by default. When you use the web browser to access port 80, the FW automatically redirects the access to port 8443 for you to log in through HTTPS.

You can run the undo web-manager enable command to disable port 80.

By default, if you fail to log in to the web page three consecutive times, your account is locked for 30 minutes. In addition, the FW provides the web administrator page locking function. If three administrator accounts that share the same IP address are locked within a specific period, the web page is locked for a period, and that IP address cannot be used to access the web page during the period. This function prevents the passwords of administrator accounts from being cracked by brute-force attacks.

Procedure

  1. Access the system view.

    system-view

  2. Adjust HTTPS server parameters.
    • Configure HTTPS with a default certificate.

      When a PC (client) attempts to use HTTPS to log in to a FW, the FW (server) delivers a default certificate to the PC. The certificate is assigned by an unknown Certificate Authority (CA). The PC cannot verify the certificate, and is therefore vulnerable to attacks.

      If you do not use the default port to log in, run the undo web-manager security enable [ port port-number ] command in advance to disable the HTTPS service and default port 8443. Then enable the HTTPS service again.

      1. Run the web-manager security enable [ port port-number ] command to enable the HTTPS service.

      2. Specify an SSL protocol and an encryption algorithm.

        The FW (server) and a PC (client) must run the same SSL protocol and use the same encryption algorithm. An inconsistency causes an SSL negotiation failure.

        1. Specify an SSL or TLS protocol.

          web-manager security version { { tlsv1 | tlsv1.1 | tlsv1.2 } * | all }

          By default, the FW supports the TLS 1.2 protocol.

          After you specify a new SSL protocol type, new connections will use the new SSL protocol for negotiation, and the existing connections still use the original SSL protocol for negotiation.

        2. Specify an encryption algorithm.

          web-manager security cipher-suit { high-strength | all }

          By default, the FW supports the high-strength encryption algorithms.

          You are advised to use the high-strength parameter rather than all.

    • Configure HTTPS with a specified certificate.

      When a PC (client) uses HTTPS to log in to a FW, the FW (server) delivers a specified certificate to the PC. The certificate is assigned by a CA that the PC can recognize. Therefore the PC can establish a secure connection to the FW based on the valid certificate.

      The certificate can be issued by a globally recognized certificate authority or by a PC that supports the certificate service. The PC must import a CA certificate before it can authenticate a certificate sent by the FW.

      1. The FW generates a certificate request file, sends the file to the CA server to apply for the certificate, and imports the local certificate to the FW. For the configuration procedure, see Certificate.

      2. Optional:

        Import into the browser the CA certificate obtained from the CA server to which the FW applied for its certificate. For details, see the instructions for Firefox or Internet Explorer.

        The client can still access the FW through HTTPS even if the CA certificate is not imported to the browser, but in that case the client cannot authenticate the FW and is vulnerable to attacks.

      3. Configure the FW to send a certificate to the client when the client accesses the FW through HTTPS.

        web-manager security server-certificate file-name

      4. Enable HTTPS.

        web-manager security enable [ port port-number ]

        To log in to the FW, enter "https://" followed by the address of the FW in the address bar of the web browser on the PC. Ensure that the address is the same as that specified in the certificate.

      5. Configure an SSL or TLS protocol and an encryption algorithm. For the configuration procedure, see Specify an SSL protocol and an encryption algorithm.

  3. Optional: Set the timeout period for a web service.

    web-manager timeout minutes

    The default timeout period is 10 minutes.

  4. Optional: Enable the function of displaying login warning information.

    After the function of displaying login warning information is enabled, when a web administrator enters the user name and password on the web UI, the system displays the warning information to notify the administrator of the consequences of unauthorized use of the device. The administrator needs to click OK to access the web UI.

    1. Access the AAA view.

      aaa

    2. Enable the function of displaying login warning information.

      manager-user warning-banner enable

    3. Configure the warning information.

      manager-user warning-banner { chinese | english } text

      The FW provides the default warning information. You can choose to modify it.

      Default warning information:

      WARNING! Unauthorized use of the device is strictly prohibited and may be subject to criminal prosecution. Accept, Enter the system; Reject, Withdraw from the system; If nothing is selected, you will not allow to access the system.
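
The following Python check is an added example, not Huawei code and not part of the original page. It reads a saved configuration and flags the weak choices this procedure warns about: port 80 left enabled, TLS versions below 1.2, cipher-suit all, the default certificate, and a missing login warning banner. It assumes the saved configuration lists each command in the syntax shown above and that the banner is off unless enabled; the file name fw-web.pem and both sample configurations are constructed.

```python
# Added example, not vendor code. Assumes a saved configuration lists each
# command in the syntax shown on this page; both samples are constructed.
WEAK_CONFIG = """\
web-manager security enable port 8443
web-manager security version all
web-manager security cipher-suit all
"""
HARDENED_CONFIG = """\
undo web-manager enable
web-manager security version tlsv1.2
web-manager security cipher-suit high-strength
web-manager security server-certificate fw-web.pem
web-manager security enable port 8443
aaa
 manager-user warning-banner enable
"""

def parse_web_manager(config):
    """Fold configuration lines over the defaults stated on the page."""
    s = {"http80": True, "versions": {"tlsv1.2"}, "cipher": "high-strength",
         "cert": None, "banner": False}  # banner default is assumed to be off
    for raw in config.splitlines():
        t = raw.split()  # unknown, blank and other undo lines match no branch
        if t[:3] == ["undo", "web-manager", "enable"]:
            s["http80"] = False
        elif t[:2] == ["web-manager", "enable"]:
            s["http80"] = True
        elif t[:3] == ["web-manager", "security", "version"]:
            s["versions"] = set(t[3:])
        elif t[:3] == ["web-manager", "security", "cipher-suit"] and len(t) > 3:
            s["cipher"] = t[3]
        elif t[:3] == ["web-manager", "security", "server-certificate"] and len(t) > 3:
            s["cert"] = t[3]
        elif t[:3] == ["manager-user", "warning-banner", "enable"]:
            s["banner"] = True
    return s

def audit_web_manager(config):
    """Return {finding: explanation} for every weak web UI setting."""
    s = parse_web_manager(config)
    checks = [
        ("http-port-80", s["http80"], "port 80 enabled; see undo web-manager enable"),
        ("weak-tls", bool(s["versions"] & {"tlsv1", "tlsv1.1", "all"}), "TLS below 1.2 allowed"),
        ("weak-cipher", s["cipher"] != "high-strength", "cipher-suit is not high-strength"),
        ("default-cert", s["cert"] is None, "default certificate from an unknown CA"),
        ("no-banner", not s["banner"], "login warning banner not enabled"),
    ]
    return {key: why for key, bad, why in checks if bad}
```

Calling audit_web_manager on an empty configuration reports the findings that follow from the defaults alone: port 80 enabled, the default certificate, and no banner.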

Copyright © Huawei Technologies Co., Ltd.