< Home

CLI: Example for Logging in to the Web UI Using HTTPS (Default Certificate)

This section provides an example of how to configure HTTPS using the CLI and log in to the web UI.

Context

If the client connects to the device using HTTPS, the device sends a default or specified certificate to the client. If a default certificate is sent, the client cannot verify it and is prone to attacks. You are advised to use the specified certificate for security. For details, see CLI: Example for Logging In to the Web UI Using HTTPS (Specified Certificate).

Networking Requirements

Figure 1 shows how to configure local authentication administrator webadmin that can use HTTPS to log in to the web UI on the FW.

Figure 1 Networking diagram of logging in to the web UI using HTTPS (default certificate)

Data Planning

Item

Data

Description

User name

webadmin

-

Password

Myadmin@123

-

Authentication mode

Local authentication

-

Role

service-admin

service-admin is a user-defined role and has permissions only on the network, policy, and object.

Trusted host

10.3.0.0/24

The administrator area is limited by IP address.

Service Type

WEB

-

Web service timeout period

5 minutes

-

Configuration Roadmap

  1. Configure the login interface.

  2. Create an administrator, assign an administrator role, and configure a trusted host for the administrator.

  3. Verify the login to the Web UI.

This section describes only how to configure an administrator.

Procedure

  1. Optional: Configure the login interface.

    If you use the default settings of management interface to log in to the device, skip this step.

    Because the default IP address of the management interface has been set to 192.168.0.1, the interface has been added to the Trust zone, and the administrator is allowed to log in to the device using HTTPS.

    1. Set interface information.

      [FW] interface GigabitEthernet 0/0/3  
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet0/0/3] service-manage enable
[FW-GigabitEthernet0/0/3] service-manage https permit
[FW-GigabitEthernet0/0/3] quit

    2. Add the interface to a security zone.

      [FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet0/0/3
[FW-zone-trust] quit

  2. Create an administrator.
    1. Configure a trusted host for the administrator.

      [FW] acl 2001                                                                   
[FW-acl-basic-2001] rule permit source 10.3.0.0 0.0.0.255
[FW-acl-basic-2001] rule 10 deny
[FW-acl-basic-2001] quit

    2. Optional: Create an administrator role.

      Ignore this step if the default administrator role is used.

      [FW] aaa
[FW-aaa] role service-admin
[FW-aaa-role-service-admin] description policy_object_network_readwrite_and_other_modules_none
[FW-aaa-role-service-admin] dashboard none
[FW-aaa-role-service-admin] monitor none
[FW-aaa-role-service-admin] system none
[FW-aaa-role-service-admin] network read-write
[FW-aaa-role-service-admin] object read-write
[FW-aaa-role-service-admin] policy read-write
[FW-aaa-role-service-admin] quit

    3. Create an administrator and bind a role to the administrator.

      [FW-aaa] manager-user webadmin
[FW-aaa-manager-user-webadmin] password
Enter Password: 
Confirm Password:   
[FW-aaa-manager-user-webadmin] service-type web
[FW-aaa-manager-user-webadmin] access-limit 10
[FW-aaa-manager-user-webadmin] acl-number 2001
[FW-aaa-manager-user-webadmin] quit
[FW-aaa] bind manager-user webadmin role service-admin
[FW-aaa] quit

  3. Verify the login to the Web UI.
    1. Set the IP address of the administrator PC to 10.3.0.10/24.
    2. Open a browser and enter https://10.3.0.1:8443.

      The browser prompts you with a message, saying that the certificate is insecure. Select to continue browsing.

    3. On the login UI, enter user name webadmin and password Myadmin@123 and click Login to access the web UI.

Configuration Scripts

#                             
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0   
 service-manage https permit  
# 
firewall zone trust 
 set priority 85 
 add interface GigabitEthernet0/0/3
#                             
acl number 2001               
 rule 5 permit source 10.3.0.0 0.0.0.255
 rule 10 deny 
#                             
 web-manager security enable
 web-manager timeout 5        
#       
aaa                           
 authentication-scheme default
#                            
manager-user webadmin        
 password cipher %@%@*y:3*ZN}.%%qcL1cC|@XBVMDyDwlB.Wq'6JF(iOz2D8>A\SN%@%@
 service-type web
 level 15                   
 acl-number 2001            
#                            
 bind manager-user webadmin role service-admin 
role service-admin            
  description policy_object_network_readwrite_and_other_modules_none
 dashboard none
 monitor none
 system none
 network read-write 
 object read-write
 policy read-write
#
return
Parent Topic: Logging In to the Device
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >