
CLI: Example for Using the RESTCONF Client to Manage the Device

The FW supports the RESTCONF-based northbound management interface. The administrator can use the RESTCONF client to configure and manage the FW.

Networking Requirement

As shown in Figure 1, the customer wants to use the RESTCONF client to configure and manage the FW.

Figure 1 Using the RESTCONF client to configure and manage the FW

Configuration Procedure

  1. Configure the IP address of the FW management interface so that the FW and the RESTCONF client can reach each other.
  2. Configure a security policy on the FW to allow the RESTCONF client to access the RESTCONF interface of the FW.
  3. Configure the FW administrator and set the service type to API. The RESTCONF client uses this administrator account to log in to and configure the FW.
  4. Configure an HTTPS port, enable the RESTCONF interface, and set the certificate and session timeout period.

This example covers only the configuration needed to connect the FW and the RESTCONF client. Configure routes so that the devices can reach each other. For the RESTCONF client configuration, see the product manual.

Data Planning

| Item | Data | Description |
|---|---|---|
| FW: Interface | Interface name: GigabitEthernet 0/0/0; IP address: 10.0.0.2/24 | Management interface, reachable to the RESTCONF client. If the management interface is not used, the used port must be added to a security zone. |
| FW: Security Policy | Policy name: policy_restconf; Source security zone: trust; Destination security zone: local; Source IP address: 10.0.0.11; Service type: restconf, port number: 1025; Action: permit | The source security zone accommodates the interface connecting to the RESTCONF client. The management interface is in the trust zone by default. The source address is the IP address of the RESTCONF client. The service port in the security policy is the RESTCONF service port. |
| FW: Administrator | User name: restconf-admin; Password: Myadmin@123; Authentication scheme: admin_local; Level: 15; Service type: API | - |
| FW: RESTCONF | Service type: HTTPS; Certificate: https.pem; Port: 1025; Session timeout: 10 seconds | The PKCS12 and PEM local certificates are supported. For how to apply for and upload a certificate, see Certificate. You can also use the default certificate. |
| RESTCONF client: IP address | 10.0.0.11/24 | - |

Procedure

  1. Configure the IP address of the management interface.

    <sysname> system-view
    [sysname] interface GigabitEthernet 0/0/0
    [sysname-GigabitEthernet0/0/0] ip address 10.0.0.2 24
    [sysname-GigabitEthernet0/0/0] quit

  2. Configure the security policy.

    # Configure port 1025 as the RESTCONF service port.

    [sysname] ip service-set restconf type object
    [sysname-object-service-set-restconf] service protocol tcp source-port 0 to 65535 destination-port 1025
    [sysname-object-service-set-restconf] quit

    # Configure a security policy to reference the RESTCONF service.

    [sysname] security-policy
    [sysname-policy-security] rule name policy_restconf
    [sysname-policy-security-rule-policy_restconf] source-zone trust
    [sysname-policy-security-rule-policy_restconf] destination-zone local
    [sysname-policy-security-rule-policy_restconf] source-address 10.0.0.11 32
    [sysname-policy-security-rule-policy_restconf] service restconf
    [sysname-policy-security-rule-policy_restconf] action permit
    [sysname-policy-security-rule-policy_restconf] quit
    [sysname-policy-security] quit
    

  3. Configure the administrator and the corresponding service type, level, and authentication type.

    [sysname] aaa
    [sysname-aaa] manager-user netconf-admin
    [sysname-aaa-manager-user-netconf-admin] password
    Enter Password: 
    Confirm Password:
    [sysname-aaa-manager-user-netconf-admin] service-type api
    [sysname-aaa-manager-user-netconf-admin] level 15
    [sysname-aaa-manager-user-netconf-admin] authentication-scheme admin_local
    

  4. Configure an HTTPS port, enable the RESTCONF interface, and set the certificate.

    [sysname] api
    [sysname-api] api https port 1025 enable
    [sysname-api] security server-certificate https.pem

Configuration Scripts

#
aaa                                                                             
 manager-user netconf-admin                                                     
  password cipher @%@%\.!W9qM+A7"0/(!S@rLG1_YNTW#lDz>ZpH]~%%Uk^#;G_YQ1@%@%      
  service-type api                                                              
  level 15                                                                      
  authentication-scheme admin_local    
#                                                                               
interface GigabitEthernet0/0/0                                                  
 undo shutdown                                                                  
 ip address 10.0.0.2 255.255.255.0                                               
#
ip service-set restconf type object                                         
 service 0 protocol tcp source-port 0 to 65535 destination-port 1025            
#                        
security-policy
 rule name policy_restconf                                                              
  source-zone trust                                                             
  destination-zone local                                                          
  source-address 10.0.0.11 32                                        
  service restconf                                                          
  action permit
#                                                                               
api                                                                             
 api https port 1025 enable                                                          
 security server-certificate https.pem 
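
A check a defender can run against a saved configuration like the script above, added here as an example and not part of the original page or of Huawei's tooling: it confirms that the enabled RESTCONF HTTPS port is reachable only through a permit rule to the local zone whose source is a single host. It parses only the command forms shown on this page (one destination port, `source-address <ip> 32`) and assumes a rule with no source-address matches any source; `audit` and `SAMPLE` are hypothetical names.

```python
import re
# Constructed sample: the service-set, policy and api parts of the page's script.
SAMPLE = """\
ip service-set restconf type object
 service 0 protocol tcp source-port 0 to 65535 destination-port 1025
#
security-policy
 rule name policy_restconf
  source-zone trust
  destination-zone local
  source-address 10.0.0.11 32
  service restconf
  action permit
#
api
 api https port 1025 enable
 security server-certificate https.pem
"""

def audit(config):
    """Return findings about RESTCONF exposure; an empty list means none."""
    m = re.search(r"^\s*api https port (\d+) enable", config, re.M)
    if not m:
        return ["RESTCONF HTTPS port is not enabled"]
    port, findings = m.group(1), []
    # Collect service sets whose destination port is the RESTCONF port.
    sets, current, covered = set(), None, False
    for line in config.splitlines():
        head = re.match(r"ip service-set (\S+) type object", line)
        if head or not line.startswith(" "):
            current = head.group(1) if head else None
        elif current and re.search(r"destination-port %s\s*$" % port, line):
            sets.add(current)
    # Each chunk after "rule name" starts with the rule's name.
    for chunk in re.split(r"^\s*rule name ", config, flags=re.M)[1:]:
        body = re.split(r"\n\s*#", chunk)[0].splitlines()
        name, opts = body[0].strip(), [l.strip() for l in body[1:]]
        if not ({"action permit", "destination-zone local"} <= set(opts)
                and any(o == "service " + s for o in opts for s in sets)):
            continue
        covered = True
        srcs = [o for o in opts if o.startswith("source-address ")]
        # Assumption: a rule without source-address matches any source.
        if not srcs or not all(s.endswith(" 32") for s in srcs):
            findings.append("rule %s: source not limited to single hosts" % name)
    if not covered:
        findings.append("no permit rule to zone local covers port " + port)
    return findings
```

An empty result for `audit(SAMPLE)` means the policy and the API port agree; widening the source mask or changing the API port without updating the service set produces a finding.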
Copyright © Huawei Technologies Co., Ltd.