Web: Example for Using the RESTCONF Client to Manage the Device
The FW supports the RESTCONF-based northbound management interface. The administrator can use the RESTCONF client to configure and manage the FW.
Networking Requirement
As shown in Figure 1, the customer wants to use the RESTCONF client to configure and manage the FW.
Configuration Procedure
- Configure the IP address of the FW management interface, so that the FW and RESTCONF client are routable.
Configure a security policy on the FW to allow the RESTCONF client to access the RESTCONF interface of the FW.
Configure the FW administrator and set the service type to API. The RESTCONF client uses this administrator account to log in to and configure the FW.
Configure an HTTPS port, enable the RESTCONF interface, and set the certificate and session timeout period.
Data Planning
| Item | Data | Description | |
|---|---|---|---|
| FW | Interface |
Interface name: GigabitEthernet 0/0/0 IP address: 10.0.0.2/24 |
Management interface, reachable to the RESTCONF client If the management interface is not used, the used port must be added to a security zone. |
Security Policy |
Policy name: policy_restconf Source security zone: trust Destination security zone: local Source IP address: 10.0.0.11 Service type: restconf; port number: 1025 Action: permit |
The source security zone accommodates the interface connecting to the RESTCONF client. The management interface is in the trust zone by default. The source address is the IP address of the RESTCONF client. The service port in the security policy is the RESTCONF service port. |
|
Administrator |
User name: restconf-admin Password: Myadmin@123 Authentication scheme: admin_local Level: 15 Service type: API |
- | |
RESTCONF |
Service type: HTTPS Certificate: https.pem Port: 1025 Session timeout: 10 seconds |
The PKCS12 and PEM local certificates are supported. For how to apply for and upload a certificate, see Certificate. You can also use the default certificate. |
|
RESTCONF client |
IP address |
10.0.0.11/24 |
- |
Procedure
- Configure the IP address of the management interface.
Choose and click
on the line of the management interface.Modify the interface IP address.
IP Address
10.0.0.2/24
- Configure the security policy.
- Configure port 1025 as the RESTCONF service port.
Choose and click Add.
- Configure port 1025 as the RESTCONF service port.
- Configure the administrator and the corresponding service type and authentication type.
Set the service type to API. The administrator is in level 15.
Choose and click Add.
- Configure an HTTPS port, enable the RESTCONF interface, and set the certificate and session timeout period.
Choose .
Configuration Scripts
# aaa manager-user netconf-admin password cipher @%@%\.!W9qM+A7"0/(!S@rLG1_YNTW#lDz>ZpH]~%%Uk^#;G_YQ1@%@% service-type api level 15 authentication-scheme admin_local # interface GigabitEthernet0/0/0 undo shutdown ip address 10.0.0.2 255.255.255.0 # ip service-set restconf type object service 0 protocol tcp source-port 0 to 65535 destination-port 1025 # security-policy rule name policy_restconf source-zone trust destination-zone local source-address 10.0.0.11 32 service restconf action permit # api api https port 1025 enable security server-certificate https.pem