
CLI: Example for Logging In to the Web UI Using HTTPS (Specified Certificate)

This section provides an example for configuring HTTPS (specified certificate) using the CLI and logging in to the web UI.

Networking Requirements

Figure 1 shows the networking for configuring the FW administrator webadmin so that this administrator can log in to the web UI using HTTPS.

Figure 1 Networking diagram of logging in to the web UI using HTTPS (specified certificate)

Data Planning

Item                        Data                                  Description
--------------------------  ------------------------------------  ---------------------------------------------
Administrator               Account: webadmin                     -
                            Password: Myadmin@123
                            Level: 3
                            Service type: web
                            Maximum number of online users: 10
Role                        service-admin                         service-admin is a user-defined role that has
                                                                  permissions only on the network, policy, and
                                                                  object modules.
Trusted host                10.3.0.0/24                           Administrator login is restricted by source
                                                                  IP address.
Web service timeout period  5 minutes                             -

Configuration Roadmap

  1. Obtain certificates for the administrator and the device from the same Certificate Authority (CA) so that the HTTPS connection can be verified.
  2. Create an administrator account and configure a trusted host for the administrator.
  3. Set an IP address for the administrator PC.

Procedure

  1. Configure the certificate.
    1. The FW generates a certificate request file. The administrator sends the file to the CA server through the web, a disk, or email to apply for a certificate, and the CA server issues the certificate. The administrator then downloads the local certificate from the server that stores it to the FW memory using HTTP, LDAP, or another method, and installs it. For the detailed configuration process, see Certificate.

      The local certificate cep_local.cer is used as an example.

    2. Optional: Obtain the CA certificate and import it into the browser of the administrator PC (client). For details, see the browser help.

      Although the client can still access the device through HTTPS when the CA certificate is not imported into the browser, the client cannot verify the device certificate and therefore cannot detect a forged certificate presented by an attacker in the path.

    3. Configure the device to send a certificate to the client when the client accesses the device using HTTPS.

      <FW> system-view
      [FW] web-manager security server-certificate cep_local.cer

  2. Adjust web service parameters.
    1. Configure the web service timeout period.

      [FW] web-manager timeout 5

      The default timeout period is 10 minutes.

    2. Optional: Configure the SSL version and the encryption algorithm.

      [FW] web-manager security version tlsv1.2
      [FW] web-manager security cipher-suit high-strength

      The device and the PC must support the same SSL version and cipher suite; otherwise, SSL negotiation fails.

    3. Configure the IP address of GigabitEthernet 0/0/3 and enable the HTTPS service.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage https permit
      [FW-GigabitEthernet0/0/3] quit

    4. Add an interface to the security zone.

      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet0/0/3
      [FW-zone-trust] quit

  3. Create an administrator.
    1. Configure a trusted host for the administrator.

      [FW] acl 2001
      [FW-acl-basic-2001] rule permit source 10.3.0.0 0.0.0.255
      [FW-acl-basic-2001] rule 10 deny
      [FW-acl-basic-2001] quit

    2. Create an administrator role.

      Skip this step if the default administrator role is used.

      The default IP address of the management interface is 192.168.0.1. The interface has been assigned to the Trust zone. The administrator can log in to the device through HTTPS.

      [FW] aaa
      [FW-aaa] role service-admin
      [FW-aaa-role-service-admin] description policy_object_network_readwrite_and_other_modules_none
      [FW-aaa-role-service-admin] dashboard none
      [FW-aaa-role-service-admin] monitor none
      [FW-aaa-role-service-admin] system none
      [FW-aaa-role-service-admin] network read-write
      [FW-aaa-role-service-admin] object read-write
      [FW-aaa-role-service-admin] policy read-write
      [FW-aaa-role-service-admin] quit

    3. Create an administrator and bind a role to the administrator.

      [FW-aaa] manager-user webadmin
      [FW-aaa-manager-user-webadmin] password
      Enter Password:
      Confirm Password:
      [FW-aaa-manager-user-webadmin] service-type web
      [FW-aaa-manager-user-webadmin] access-limit 10
      [FW-aaa-manager-user-webadmin] acl-number 2001
      [FW-aaa-manager-user-webadmin] quit
      [FW-aaa] bind manager-user webadmin role service-admin
      [FW-aaa] quit

    4. Set the IP address of the administrator PC to 10.3.0.10/24.
  4. Log in to the FW on the administrator PC.
    1. Open a browser and enter https://10.3.0.1:8443.
    2. On the login UI, enter user name webadmin and password Myadmin@123 and click Login to access the web UI.
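A client-side check of the result, as an added example that is not part of the Huawei documentation or product: the following Python script connects to the web UI with the same policy the procedure configures on the device (TLS 1.2 only, mandatory verification of the device certificate against the CA that issued cep_local.cer) and reports the negotiated version and cipher. The host 10.3.0.1 and port 8443 are taken from the procedure; the CA file name ca.cer is an assumption, as is falling back to the operating system trust store when no CA file is given.

```python
import socket
import ssl

WEB_UI_HOST = "10.3.0.1"  # device address and port from the procedure
WEB_UI_PORT = 8443
CA_FILE = "ca.cer"        # assumed file name for the CA certificate obtained in step 1.2


def build_client_context(ca_file=None):
    """Client context that mirrors the device settings: TLS 1.2 only
    (web-manager security version tlsv1.2) and mandatory verification of the
    device certificate. With ca_file=None the operating system trust store is
    used, which only works once the CA certificate has been imported there."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the issuing CA
    return ctx


def context_policy(ctx):
    """Summarise the verification policy of a context so it can be checked."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def probe_web_ui(host=WEB_UI_HOST, port=WEB_UI_PORT, ca_file=CA_FILE, timeout=5.0):
    """Open a verified TLS session to the web UI and report what was
    negotiated. A certificate that does not chain to the trusted CA, or a
    version/cipher mismatch, is reported as a failure instead of being
    silently accepted."""
    ctx = build_client_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname may be an IP address; it is matched against the
            # subjectAltName entries of the device certificate
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": dict(item[0] for item in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"certificate not trusted: {exc}"}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": f"TLS negotiation failed: {exc}"}
    except OSError as exc:
        return {"ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    print(probe_web_ui())
```

Run the script from the administrator PC after step 3.4. A result with ok False and the reason "certificate not trusted" reproduces the condition described in step 1.2 (the CA certificate is not trusted on the client), and "TLS negotiation failed" indicates the version or cipher-suite mismatch described in step 2.2.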

Configuration Scripts

The configuration script of the administrator and web service is as follows:

#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage https permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
acl number 2001
 rule 5 permit source 10.3.0.0 0.0.0.255
 rule 10 deny
#
 web-manager security enable
 web-manager security version tlsv1.2
 web-manager timeout 5
#
aaa
 authentication-scheme default
#
manager-user webadmin
 password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
 service-type web
 access-limit 10
 acl-number 2001
 #
 bind manager-user webadmin role service-admin
 role service-admin
  description policy_object_network_readwrite_and_other_modules_none
  dashboard none
  monitor none
  system none
  network read-write
  object read-write
  policy read-write
#
return
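The administrator checks that the script above encodes (basic ACL 2001 as the trusted host with a wildcard mask, the service type, the access-limit, and the module permissions of role service-admin), modelled offline in Python as an added example that is not part of the Huawei documentation or the device software. The evaluation order, the read-only permission level, and the sample login attempts are assumptions made for this model, not a description of how the FW implements these checks.

```python
import ipaddress

# Basic ACLs as in the script: (rule id, action, source network, wildcard mask).
# A network of None means the rule matches any source.
ACLS = {
    2001: [
        (5, "permit", "10.3.0.0", "0.0.0.255"),
        (10, "deny", None, None),
    ],
}

# Role service-admin from the script: module -> permission level.
ROLE_SERVICE_ADMIN = {
    "dashboard": "none", "monitor": "none", "system": "none",
    "network": "read-write", "object": "read-write", "policy": "read-write",
}

# Administrator webadmin from the script.
WEBADMIN = {
    "name": "webadmin",
    "service_types": {"web"},
    "access_limit": 10,
    "acl_number": 2001,
    "role": ROLE_SERVICE_ADMIN,
}


def wildcard_match(addr, network, wildcard):
    """Wildcard-mask match as used in the ACL rule: a 0 bit in the mask must
    match the network, a 1 bit is a don't-care (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_decision(acl, source):
    """First matching rule wins. A source that matches no rule is treated as
    denied here (assumption for the model; the script's rule 10 denies the
    rest explicitly anyway)."""
    for rule_id, action, network, wildcard in acl:
        if network is None or wildcard_match(source, network, wildcard):
            return action, rule_id
    return "deny", None


def login_allowed(user, source, service, online_sessions):
    """Return (allowed, reason) for a login attempt. Checks, in the order
    assumed for this model: trusted host, service type, concurrent-session
    limit."""
    action, rule_id = acl_decision(ACLS[user["acl_number"]], source)
    if action != "permit":
        return False, f"source {source} rejected by ACL {user['acl_number']} rule {rule_id}"
    if service not in user["service_types"]:
        return False, f"service {service} not enabled for {user['name']}"
    if online_sessions >= user["access_limit"]:
        return False, f"access-limit {user['access_limit']} reached"
    return True, "permitted"


def can_perform(user, module, operation):
    """Map the role's permission level for a module to the operations it
    allows. 'read-only' is assumed as the level between none and read-write."""
    level = user["role"].get(module, "none")
    allowed = {"none": set(), "read-only": {"read"}, "read-write": {"read", "write"}}
    return operation in allowed[level]


if __name__ == "__main__":
    # Constructed login attempts against the configuration in the script.
    for source, service, sessions in [
        ("10.3.0.10", "web", 0),   # the administrator PC from step 3.4
        ("10.4.0.10", "web", 0),   # outside the trusted host range
        ("10.3.0.10", "ssh", 0),   # service type not enabled for webadmin
        ("10.3.0.10", "web", 10),  # access-limit already reached
    ]:
        print(source, service, sessions, login_allowed(WEBADMIN, source, service, sessions))
    print("policy write:", can_perform(WEBADMIN, "policy", "write"))
    print("system read:", can_perform(WEBADMIN, "system", "read"))
```

The model makes two points visible that the script states only implicitly: the trusted-host ACL is applied to the source address before the password is even relevant, and the service-admin role grants nothing outside the network, object, and policy modules, so a compromised webadmin session cannot change system settings.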
Copyright © Huawei Technologies Co., Ltd.