
CLI: Example for Configuring the FW as an SFTP Server (Password Authentication)

This section describes how to configure the FW as an SFTP server and how to download files from the FW through SFTP on a PC.

Networking Requirements

As shown in Figure 1, a PC is used to log in to the FW and download files from the FW through SFTP.

Figure 1 Networking diagram for logging in to the FW through SFTP (password authentication)

Data Planning

Item               Data
FW                 SFTP administrator account: sftpadmin_a
                   Authentication type: password
                   Password: Mydevice@a
                   Service type: SFTP
Administrator PC   SFTP client software: PuTTY (Windows XP operating system). The PuTTY package contains the PuTTY client for the STelnet service and the SFTP client PSFTP.

Procedure

  1. Configure the FW.
    1. Set an IP address for interface GigabitEthernet 0/0/3 and assign the interface to a security zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage ssh permit
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

    2. Configure a security policy for the Local-Trust interzone to permit the SSH service.

      [FW] security-policy
      [FW-policy-security] rule name policy_sftp
      [FW-policy-security-rule-policy_sftp] service ssh
      [FW-policy-security-rule-policy_sftp] source-zone trust
      [FW-policy-security-rule-policy_sftp] destination-zone local
      [FW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
      [FW-policy-security-rule-policy_sftp] action permit
      [FW-policy-security-rule-policy_sftp] quit
      [FW-policy-security] quit

    3. Enable the SFTP service.

      [FW] sftp server enable

    4. Generate a local key pair.

      [FW] rsa local-key-pair create
      The key name will be: FW_Host

      The range of public key size is (2048 ~ 2048).
      NOTES: If the key modulus is greater than 512,
              it will take a few minutes.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      .+++++
      ........................++
      ....++++
      ...........++

    5. Configure the VTY administrator interface.

      [FW] user-interface vty 0 4
      [FW-ui-vty0-4] authentication-mode aaa
      [FW-ui-vty0-4] protocol inbound ssh
      [FW-ui-vty0-4] user privilege level 3
      [FW-ui-vty0-4] quit

    6. Create an SFTP administrator account and specify an authentication mode and a service type.

      # Create SFTP administrator account sftpadmin_a, set its authentication mode to password, and set the service type of the management user to SSH. The SFTP service type and the hda1: service directory for this SSH user are configured in the next two steps.

      [FW] ssh user sftpadmin_a
      [FW] ssh user sftpadmin_a authentication-type password
      [FW] aaa
      [FW-aaa] manager-user sftpadmin_a
      [FW-aaa-manager-user-sftpadmin_a] level 3
      [FW-aaa-manager-user-sftpadmin_a] service-type ssh
      [FW-aaa-manager-user-sftpadmin_a] password
      Enter Password:
      Confirm Password:
      [FW-aaa-manager-user-sftpadmin_a] quit
      [FW-aaa] quit

    7. Set the service type to SFTP for the SSH account.

      [FW] ssh user sftpadmin_a service-type sftp

    8. Configure an SFTP service authorization directory for the SSH user.

      [FW] ssh user sftpadmin_a sftp-directory hda1:

  2. Configure the administrator PC.
    1. Set the IP address and subnet mask of the administrator PC to 10.3.1.100/255.255.255.0.
    2. Install the PuTTY software. Details are omitted.
    3. Use PuTTY to log in to the FW through SFTP (PuTTY 0.60 is used as an example).

      1. Run PSFTP.exe and enter open 10.3.0.1 to set up an SFTP connection with the FW. The system displays a prompt upon the first connection, as shown in Figure 2.
        Figure 2 PSFTP security prompt
      2. Enter y and type the user name and password (sftpadmin_a/Mydevice@a) to log in to the FW, as shown in Figure 3.
        Figure 3 Logging in to the FW

  3. Download files from the FW.

    Figure 4 Downloading files from the FW

Configuration Scripts

#
 sysname FW
#
aaa
 manager-user sftpadmin_a
  password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
  service-type ssh
  level 3
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage ssh permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
sftp server enable
ssh user sftpadmin_a
ssh user sftpadmin_a authentication-type password
ssh user sftpadmin_a service-type sftp
ssh user sftpadmin_a sftp-directory hda1:
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 idle-timeout 120 0
 protocol inbound ssh
#
security-policy
 rule name policy_sftp
  source-zone trust
  destination-zone local
  service ssh
  source-address 10.3.1.0 24
  action permit
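The configuration script above is the artifact an operator would compare against after the procedure. The following Python script is an added example, not Huawei tooling or part of the original page: it parses a VRP-style script into its '#'-delimited blocks and checks the settings this procedure depends on (the SFTP server is enabled; the SSH user uses password authentication, service type sftp, and an sftp-directory; the VTY lines accept only SSH with AAA authentication and an idle timeout; and the rule that permits SSH into the Local zone carries a source-address restriction). The block-splitting rule, the function names, and the finding texts are assumptions of this example; the embedded configuration is a constructed copy of the script above, abridged to the blocks the audit inspects.

```python
# Added example (not Huawei tooling): audit a saved VRP-style configuration
# script for the settings the SFTP-server procedure depends on. Splitting on
# '#' lines and the check names are assumptions of this example.

# Constructed input: the Configuration Scripts section, abridged to the
# blocks the audit inspects; the cipher text is the page's own value.
FW_CONFIG = """\
#
aaa
 manager-user sftpadmin_a
  password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
  service-type ssh
  level 3
#
sftp server enable
ssh user sftpadmin_a
ssh user sftpadmin_a authentication-type password
ssh user sftpadmin_a service-type sftp
ssh user sftpadmin_a sftp-directory hda1:
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 idle-timeout 120 0
 protocol inbound ssh
#
security-policy
 rule name policy_sftp
  source-zone trust
  destination-zone local
  service ssh
  source-address 10.3.1.0 24
  action permit
"""

# Constructed weakened variant: the source-address restriction is dropped, so
# the rule would permit SSH to the Local zone from any Trust-zone address.
FW_CONFIG_ANY_SOURCE = FW_CONFIG.replace("  source-address 10.3.1.0 24\n", "")


def parse_blocks(text):
    """Split the script into blocks delimited by '#' lines; each block is a
    list of lines with indentation and trailing whitespace removed."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if raw.rstrip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def find_block(blocks, prefix):
    """Return the first block whose header line starts with prefix."""
    return next((b for b in blocks if b[0].startswith(prefix)), [])


def ssh_user_settings(blocks, user):
    """Collect 'ssh user <user> <key> <value>' lines into a dict."""
    head, settings = f"ssh user {user} ", {}
    for line in (l for block in blocks for l in block):
        if line.startswith(head):
            key, _, value = line[len(head):].partition(" ")
            settings[key] = value
    return settings


def policy_rules(policy_block):
    """Group the lines under 'security-policy' into one dict per rule."""
    rules, current = [], None
    for line in policy_block[1:]:
        key, _, value = line.partition(" ")
        if line.startswith("rule name "):
            current = {"name": line[len("rule name "):], "source-address": []}
            rules.append(current)
        elif current is not None and key == "source-address":
            current["source-address"].append(value)
        elif current is not None:
            current[key] = value
    return rules


def audit_sftp_config(text, user="sftpadmin_a"):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    flat = [line for block in blocks for line in block]
    findings = []
    if "sftp server enable" not in flat:
        findings.append("SFTP server is not enabled")
    ssh = ssh_user_settings(blocks, user)
    if ssh.get("authentication-type") != "password":
        findings.append(f"{user}: authentication-type is not password")
    if ssh.get("service-type") != "sftp":
        findings.append(f"{user}: service-type is not sftp")
    if "sftp-directory" not in ssh:
        findings.append(f"{user}: no sftp-directory configured")
    vty = find_block(blocks, "user-interface vty")
    for required in ("protocol inbound ssh", "authentication-mode aaa"):
        if required not in vty:
            findings.append(f"vty: missing '{required}'")
    if not any(line.startswith("idle-timeout") for line in vty):
        findings.append("vty: no idle-timeout configured")
    for rule in policy_rules(find_block(blocks, "security-policy")):
        permits_ssh_to_local = (rule.get("action") == "permit"
                                and rule.get("destination-zone") == "local"
                                and rule.get("service") == "ssh")
        if permits_ssh_to_local and not rule["source-address"]:
            findings.append(f"rule {rule['name']}: permits ssh to local from any source")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", FW_CONFIG), ("any source", FW_CONFIG_ANY_SOURCE)):
        print(label, "->", audit_sftp_config(cfg) or "OK")
```

Run against the page's own script the audit returns no findings; against the weakened copy it reports only the unrestricted Local-zone SSH rule. Feeding a `display current-configuration` capture into `audit_sftp_config` gives the same check on a live device's saved configuration.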
Copyright © Huawei Technologies Co., Ltd.