
Configuring Cloud Management Using the CLI

Context

  • The FW has preset local and CA certificates issued by a CA server for authentication on the cloud management platform. Manually update the certificate if required. You can only use the CLI to update the certificate.

  • The FW does not have an administrator account by default. When you log in to the device for the first time, you need to create an administrator. For details, see Administrator.

  • The API administrator huawei is preset in the cloud management mode, and the password is empty. In cloud management mode, no password is required when certificate authentication is used.

  • The following describes only key configuration points on the FW that interconnects with the cloud management platform. For details about operations on the FW and cloud management platform, see the Product Documentation.

Procedure

  1. Log in to the FW with the created administrator account.
  2. Run the system-view command to access the system view.
  3. Run the firewall run-mode cloud-manage command to change the running mode to cloud management. The FW configuration will be cleared, and the FW will restart.
  4. Log in to the FW through the console port. For details, see Logging In to the CLI Through the Console Port.

    • After the FW is switched to the cloud management mode, the FW configuration is cleared, and no administrator account is available. You can log in to the CLI only through the console port. If you still need to configure and manage the FW through the web UI or other methods, log in to the FW through the console port, create an administrator in the AAA view, and set the service type. The created administrator is bound to the cloud administrator role by default.
    • After the FW is managed by the cloud management platform, the administrator account on the FW is determined by the configuration on the cloud management platform.

  5. Configure Internet access. Assign the interface connected to the Internet to the untrust zone.

  6. Optional: Specify the DNS server on the FW so that the FW can resolve the domain names of cloud management platforms. In cloud management mode, the domain name resolution function is enabled by default. You need to manually configure the DNS server when using a static IP address for access. In other access modes, the DNS server allocated by the carrier is automatically obtained, and you do not need to perform this step.
  7. Optional: Configure security policies. In cloud management mode, the FW enables a permit security policy by default. In this policy, the source security zone is dmz or local, and the destination security zone is dmz or untrust. Therefore, the security policies required for connecting to the cloud management platform are all permitted by default, without any administrator configuration. After the FW is connected to the cloud management platform, the cloud management platform delivers services to the FW. The security policies required by these services can be configured and delivered by the cloud management platform.
  8. Set up or modify the connection to the cloud management platform.

    Obtain the IP address/domain name of the cloud management platform from the platform administrator.

    Generally, the port number of the cloud management platform is 10020. Obtain the actual port number from the platform administrator.

    1. Run the api call-home host hostname { domain domain-name | ip ip-address } port port-number [ source-ip source-ip-address ] [ vpn-instance vpn-instance-name ] command to add or modify the cloud management platform connection information.
    2. Run the api call-home connect [ host hostname ] command to initiate a connection to the cloud management platform.
  9. Optional: Replace the pre-installed certificate.

    Upload the CA certificate, local certificate, and key file to hda1:/pki/public.

    Ensure that the local certificate matches the key pair.

    • If you attempt to replace the pre-installed certificates, you must replace both the local and CA certificates. If you replace only one of them, a service anomaly may occur.
    • You can centrally replace the pre-installed certificates of the FWs in batches on the cloud management platform or directly log in to the FWs one by one to replace the certificates. Select a method based on your network environment.

    1. Run the pki realm default command to create a default domain.
    2. Run the quit command to return to the system view.
    3. Run the pki delete-certificate ca filename default_ca.cer command to delete the pre-installed CA certificate.
    4. Run the pki delete-certificate local filename default_local.cer command to delete the pre-installed local certificate.
    5. Run the pki rsa local-key-pair destroy key-name command to delete the key pair of the pre-installed local certificate.
    6. Run the pki import-certificate ca realm default pem filename filename command to import a CA certificate.
    7. Run the pki import-certificate local realm default pem filename filename command to import a local certificate.
    8. Run the pki import rsa-key-pair default exclude-cert pem filename exportable password password command to import a key pair.
    9. Run the reset api call-home connect [ host hostname ] command to initiate a reconnection to the cloud management platform.
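
Before uploading the files in step 9 to hda1:/pki/public, the two conditions the procedure relies on (the local certificate matches the key pair, and the new local certificate chains to the new CA certificate rather than the old one) can be checked on the administrator's workstation. This is an added example, not part of the Huawei documentation; it assumes the openssl CLI is installed, that the files are PEM encoded, and that the key password used in the pki import rsa-key-pair command is passed as an optional fourth argument.

```shell
#!/bin/sh
# Added example: pre-upload sanity check for a replacement PKI bundle.
# Usage: check_pki_bundle CA.cer LOCAL.cer LOCAL.key [KEY_PASSWORD]
# Returns 0 when the local certificate's public key matches the key file and
# the local certificate is signed by the given CA certificate, otherwise 1.
check_pki_bundle() {
  ca_cer="$1"; local_cer="$2"; local_key="$3"; key_pass="$4"

  # Public key embedded in the local certificate.
  if ! cert_pub=$(openssl x509 -in "$local_cer" -noout -pubkey 2>/dev/null); then
    echo "cannot read local certificate $local_cer" >&2; return 1
  fi

  # Public key derived from the (optionally password-protected) private key.
  if [ -n "$key_pass" ]; then
    key_pub=$(openssl pkey -in "$local_key" -pubout -passin "pass:$key_pass" 2>/dev/null </dev/null)
  else
    key_pub=$(openssl pkey -in "$local_key" -pubout 2>/dev/null </dev/null)
  fi
  if [ -z "$key_pub" ]; then
    echo "cannot read key file $local_key (wrong password or format?)" >&2; return 1
  fi

  if [ "$cert_pub" != "$key_pub" ]; then
    echo "MISMATCH: $local_cer does not belong to $local_key" >&2; return 1
  fi

  # CA and local certificate are replaced as a pair, so the new local
  # certificate must verify against the new CA certificate.
  if ! openssl verify -CAfile "$ca_cer" "$local_cer" >/dev/null 2>&1; then
    echo "CHAIN ERROR: $local_cer is not signed by $ca_cer" >&2; return 1
  fi

  echo "OK: $local_cer matches $local_key and chains to $ca_cer"
  return 0
}
```

Run it against the three files before uploading; a non-zero exit means the bundle would leave the FW in the partially replaced state the note above warns about.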

Follow-up Procedure

You can determine whether the FW successfully connects to the cloud management platform by checking the status of the CLOUD indicator on the device.

  • Off: indicates that the FW does not initiate any connection to the cloud management platform.
  • On: indicates that the FW has connected to the cloud management platform.
  • Blink: indicates that the FW is initiating a connection to the cloud management platform.

    The network quality may be unstable. Therefore, the time spent on connection establishment is not fixed. Generally, a connection can be established within 10 minutes. If the CLOUD indicator blinks for more than 10 minutes, the configuration or network may be faulty. In this case, check the configuration and network.

Copyright © Huawei Technologies Co., Ltd.