Huawei firewall management (Console, Telnet, Web, SSH)

I. Huawei firewall device management

1. AAA introduction

AAA is short for Authentication, Authorization and Accounting. It is a server program that handles user access requests; its main purpose is to control which users may access the network servers and to provide services to the users who are allowed in. Specifically:

  • Authentication: which users may access the network.

  • Authorization: which services and which privileges an authenticated user may obtain.

  • Accounting: how to audit the users who are consuming network resources.

An AAA server usually works together with network access control, gateway servers, databases, user directories and similar sources of information. Before a user can reach network resources the user must first be authenticated; authentication verifies that the user's identity is legitimate. Once authentication succeeds, the user is authorized to access network resources, and that access is recorded for accounting.

AAA authentication on network devices falls into two categories: local authentication and remote authentication. With local authentication, user names and passwords are created and verified on the device itself; with remote authentication, verification is done by a vendor's own AAA server, which requires the device to be associated with that server.

Huawei firewalls support both local and remote configuration; this post only covers local authentication.

2. The common ways to manage a Huawei firewall are:

  • Console management: out-of-band management; it does not consume user bandwidth and is used for the first-time configuration of new equipment.

  • Telnet management: in-band management; simple to configure, low security, uses few resources; mainly for scenarios where security requirements are low or the device has limited performance.

  • Web management: in-band management; graphical, and therefore more suitable for beginners configuring the device.

  • SSH management: in-band management; more complex to configure, high security, higher resource consumption; mainly for scenarios with relatively high security requirements, such as remotely managing a company's network equipment over the Internet.

II. Configuring each management mode

For console management you only need to connect the console cable and use a terminal emulator (such as HyperTerminal) on the client; refer to the relevant documentation for the details, which are not covered here.

1. Telnet management

Telnet management means logging in to the device through Telnet from a configuration terminal in order to configure and manage it.

(1) Preparation

I am using eNSP, with a firewall and a Cloud device added in eNSP (the Cloud device bridges to a virtual machine that acts as the client). The firewall needs its system image imported into the simulator; I am using the USG6000 firewall here, and the firewall system image can be downloaded from https://pan.baidu.com/s/1K8867Y8aPRjP_WuwBaqDhg.

On the USG6000 firewall, the lowest-numbered interface (G0/0/0) already carries a default configuration, including a management IP address, so much of the configuration below could be omitted. I use the new interface G1/0/0 instead so that the walkthrough is more complete.

(2) Start configuring the firewall:

On the first login through the console, the initial configuration requires you to set the management password (screenshots omitted):

<USG6000V1>system-view     # switch to system view
[USG6000V1]int g1/0/0          # enter interface G1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.100.10 24    # configure the interface IP address
[USG6000V1-GigabitEthernet1/0/0]undo shutdown              # activate the interface
[USG6000V1-GigabitEthernet1/0/0]quit               # save and exit
[USG6000V1]int g1/0/0                      # enter interface G1/0/0 again
[USG6000V1-GigabitEthernet1/0/0]service-manage enable        # enable management access on the interface
[USG6000V1-GigabitEthernet1/0/0]service-manage telnet permit    # permit Telnet
[USG6000V1-GigabitEthernet1/0/0]quit            # save and exit
[USG6000V1]firewall zone trust              # enter the trust zone
[USG6000V1-zone-trust]add int g1/0/0        # add G1/0/0 to the trust zone
[USG6000V1-zone-trust]quit                   # save and exit
[USG6000V1]security-policy               # configure the security policy
[USG6000V1-policy-security]rule name allow_telnet    # create a security policy rule named allow_telnet
[USG6000V1-policy-security-rule-allow_telnet]source-zone trust   # source zone of the rule is trust
[USG6000V1-policy-security-rule-allow_telnet]destination-zone local  # destination zone of the rule is local
[USG6000V1-policy-security-rule-allow_telnet]action permit  # permit the trust zone to reach the firewall's own local zone
[USG6000V1-policy-security-rule-allow_telnet]quit     # save and exit
[USG6000V1-policy-security]quit           # same as above
[USG6000V1]user-interface vty 0 4              # configure the VTY lines, allowing 5 terminals to use Telnet
[USG6000V1-ui-vty0-4]authentication-mode aaa    # Telnet logins use AAA authentication
[USG6000V1-ui-vty0-4]protocol inbound telnet         # permit inbound Telnet on the AAA-authenticated lines
[USG6000V1-ui-vty0-4]quit             # save and exit
[USG6000V1]aaa                 # enter AAA view
[USG6000V1-aaa]manager-user benet           # the AAA account is benet
[USG6000V1-aaa-manager-user-benet]password cipher pwd@1234  # the AAA account password is pwd@1234
[USG6000V1-aaa-manager-user-benet]service-type telnet    # AAA provides authentication for Telnet
[USG6000V1-aaa-manager-user-benet]level 15    # give the Telnet account benet administrator privileges
# level "0" is visit level and can do nothing; "1" is monitoring level and can view the configuration; "2" is configuration level and can set some parameters; "3-15" is management level with full privileges
[USG6000V1-aaa-manager-user-benet]quit
[USG6000V1-aaa]quit

Once Telnet management is configured, you can connect to the firewall with CMD, CRT, Xshell or a similar terminal program, as follows:

  • CMD connection (screenshots omitted):

    Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
    Login authentication
    Username:benet            # enter the account name just created
    Password:                        # enter the password set above
    The password needs to be changed. Change now? [Y/N]: y   # the password must be changed on first login; answer Y
    Please enter old password:           # enter the old password
    Please enter new password:           # enter the new password
    Please confirm new password:           # confirm the new password
    遗失对主机的连接。              # Windows telnet reports "Connection to host lost."; telnet in again with the new password
  • CRT connection (screenshots omitted)

  • Xshell connection (screenshot omitted)

2. SSH management

Compared with Telnet and the Web, SSH is more secure, so it is generally not recommended to log in to the device with Telnet; log in via SSH instead. Let's configure SSH login to the device (the lab environment is rebuilt and reconfigured from scratch).

Start the configuration:

<USG6000V1>system-view    # switch to system view
[USG6000V1]int g1/0/0          # enter interface G1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.100.10 24        # configure the interface IP address
[USG6000V1-GigabitEthernet1/0/0]service-manage enable        # enable management access on the interface
[USG6000V1-GigabitEthernet1/0/0]service-manage ssh permit   # permit SSH
[USG6000V1-GigabitEthernet1/0/0]quit          # save and exit
[USG6000V1]firewall zone trust            # enter the trust zone
[USG6000V1-zone-trust]add int g1/0/0        # add interface G1/0/0 to the trust zone
[USG6000V1-zone-trust]quit
[USG6000V1]security-policy           # enter the security policy view
[USG6000V1-policy-security]rule name allow_ssh        # create a security policy rule named allow_ssh
[USG6000V1-policy-security-rule-allow_ssh]source-zone trust  # source zone of the rule is trust
[USG6000V1-policy-security-rule-allow_ssh]destination-zone local  # destination zone of the rule is local
[USG6000V1-policy-security-rule-allow_ssh]action permit  # permit the trust zone to reach the local zone
[USG6000V1-policy-security-rule-allow_ssh]quit
[USG6000V1-policy-security]quit
[USG6000V1]rsa local-key-pair create          # generate the SSH key pair, at most 2048 bits
The key name will be: USG6000V1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       it will take a few minutes.
Input the bits in the modulus[default = 2048]:2048       # enter 2048
Generating keys...
..+++++
........................++
....++++
...........++
[USG6000V1]user-interface vty 0 4        # configure the VTY lines, allowing 5 terminals
[USG6000V1-ui-vty0-4]authentication-mode aaa     # SSH logins use AAA authentication
[USG6000V1-ui-vty0-4]protocol inbound ssh            # permit inbound SSH on the AAA-authenticated lines
[USG6000V1-ui-vty0-4]quit
[USG6000V1]ssh user test              # create the SSH user test
[USG6000V1]ssh user test authentication-type password   # use password authentication
[USG6000V1]ssh user test service-type stelnet         # the service type for this user is stelnet (SSH)
[USG6000V1]aaa              # enter AAA view
[USG6000V1-aaa]manager-user test      # the AAA user name is test
[USG6000V1-aaa-manager-user-test]password cipher pwd@1234    # the password of the AAA account test is pwd@1234
[USG6000V1-aaa-manager-user-test]service-type ssh     # AAA provides authentication for SSH
[USG6000V1-aaa-manager-user-test]level 15       # give the SSH account administrator privileges
[USG6000V1-aaa-manager-user-test]quit
[USG6000V1-aaa]quit
[USG6000V1]stelnet server enable                 # enable the SSH (STelnet) server

With that, SSH management is configured; test the connection with CRT or Xshell, as follows:

CRT connection (screenshot omitted):
This is the password-change screen. On the first login enter the account created above (test) with the password pwd@1234; when prompted, enter "Y" to change the password, then reconnect with the new password.

Xshell connection (screenshots omitted):
The login password was already changed in the CRT session, so it does not need to be changed again here.

3. Web management

Start the configuration:

<USG6000V1>system-view       # switch to system view
[USG6000V1]int g1/0/0               # enter interface G1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.100.10 24  # configure the interface IP address
[USG6000V1-GigabitEthernet1/0/0]service-manage http permit  # permit remote management over HTTP
[USG6000V1-GigabitEthernet1/0/0]service-manage https permit  # permit remote management over HTTPS
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]firewall zone trust                  # enter the trust zone
[USG6000V1-zone-trust]add int GigabitEthernet 1/0/0       # add interface G1/0/0 to the trust zone
[USG6000V1-zone-trust]quit
[USG6000V1]security-policy          # enter the security policy view
[USG6000V1-policy-security]rule name allow_web      # create a security policy rule named allow_web
[USG6000V1-policy-security-rule-allow_web]source-zone trust    # source zone of the rule is trust
[USG6000V1-policy-security-rule-allow_web]destination-zone local  # destination zone of the rule is local
[USG6000V1-policy-security-rule-allow_web]action permit    # permit the trust zone to reach the local zone
[USG6000V1-policy-security-rule-allow_web]quit
[USG6000V1-policy-security]quit
[USG6000V1]web-manager security enable        # enable web management
[USG6000V1]aaa       # enter AAA view
[USG6000V1-aaa]manager-user web       # the AAA account name is web
[USG6000V1-aaa-manager-user-web]password  # set the AAA password (prompted interactively)
Enter Password:         # enter the password
Confirm Password:         # enter it again
[USG6000V1-aaa-manager-user-web]service-type web   # allow this account to log in through the web
[USG6000V1-aaa-manager-user-web]level 15         # give it administrator privileges
[USG6000V1-aaa-manager-user-web]quit
[USG6000V1-aaa]quit

After the above configuration you can test web access. The firewall's HTTPS port is 8443 by default, so open https://192.168.100.10:8443 from the client; if the page does not load, refresh a few times (screenshots omitted).
Web management is done!
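Added example, not part of the original post: a small Python audit script that reads a VRP-style configuration dump (the `#`-separated block form of `display current-configuration`) and flags the weak management settings this post contrasts, namely Telnet and HTTP management permitted on an interface, VTY lines without AAA authentication or still admitting Telnet, and level-15 accounts. The sample configuration is constructed from the commands in the three sections above; the finding texts and the function names are my own.

```python
import re

# Constructed sample modelled on this post's commands, in the '#'-delimited block
# form of 'display current-configuration'. It is not a real device dump.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 service-manage telnet permit
 service-manage http permit
 service-manage https permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
aaa
 manager-user benet
  service-type telnet
  level 15
#
"""

# Management services that carry credentials in cleartext, and what to use instead.
CLEARTEXT = {"telnet": "SSH (stelnet)", "http": "HTTPS"}

def blocks(config):
    """Split a VRP-style config into (header, body_lines) pairs at '#' separators."""
    for chunk in config.split("\n#"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def audit(config):
    """Return one finding string per weak management setting found in config."""
    findings, user = [], None
    for header, body in blocks(config):
        if header.startswith("user-interface") and "authentication-mode aaa" not in body:
            findings.append(f"{header}: VTY lines do not use AAA authentication")
        for line in body:
            svc = re.match(r"service-manage (\w+) permit", line)
            if header.startswith("interface") and svc and svc.group(1) in CLEARTEXT:
                findings.append(f"{header}: {svc.group(1)} permitted, prefer {CLEARTEXT[svc.group(1)]}")
            elif (header.startswith("user-interface") and line.startswith("protocol inbound")
                  and line.split()[-1] in ("all", "telnet")):
                findings.append(f"{header}: '{line}' admits Telnet, use 'protocol inbound ssh'")
            elif header == "aaa" and line.startswith("manager-user "):
                user = line.split()[1]
            elif header == "aaa" and line == "level 15":
                findings.append(f"{user}: level 15 (full admin) granted, confirm this is required")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports four findings (Telnet and HTTP on the interface, `protocol inbound all` on the VTY lines, and the level-15 account), while a configuration that permits only HTTPS and SSH with AAA on the VTY lines produces none.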

Reading through the whole post you will find that none of the management configurations is complicated; many of the commands are repeated from one section to the next.

That's the end of this post; thanks for reading!


Origin: blog.51cto.com/14156658/2433441