2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
For network devices and servers, administrators rarely sit at the device itself to maintain and manage it; the most common and widely used approach is remote management. Below is a brief introduction to several ways of managing a Huawei firewall.
Blog outline:
I. Common management methods of Huawei firewalls
II. Detailed configuration of each management method
1. Manage through the Console line
2. Manage through Telnet
3. Log in to the device through Web
4. Configure SSH login to the device
I. Common management methods of Huawei firewalls
When it comes to management, the concept of AAA inevitably comes up, so let's first take a look at AAA.
Overview of AAA
AAA is the abbreviation of three English words: Authentication, Authorization and Accounting. An AAA server is a server program that handles user access requests; its main purpose is to manage user access to network servers and to provide services to users who hold access rights.
Where:
Authentication: which users may access the network server; Authorization: which services and permissions users with access rights are given; Accounting: how to audit users who are using network resources.
An AAA server usually works together with network access control, gateway servers, databases and user information directories. A user who wants to access network resources must first be authenticated, and only then can the resources be accessed. Authentication verifies the legitimacy of the user's identity; after authentication completes, the user is authorized to access network resources; and the user's use of those resources can then be accounted for billing management.
The AAA authentication methods of network devices fall into two categories: local authentication and remote authentication.
Local authentication creates and authenticates usernames and passwords on the device itself; remote authentication is performed by the free AAA server provided by each vendor, which requires the device to be associated with that AAA server.
The common management methods of Huawei firewalls are:
Management through Console: out-of-band management; does not occupy bandwidth; suitable for the initial configuration of a new device.
Management through Telnet: in-band management; simple configuration, low security and low resource consumption; mainly suitable for scenarios with low security requirements, for example inside the company.
Management through Web: in-band management; graphical management, which is more suitable for novices.
Management through SSH: in-band management; complex configuration, high security and high resource consumption; mainly suitable for scenarios with high security requirements, such as remote management of company network equipment over the Internet.
II. Detailed configuration of each management method
1. Manage through the Console line
This method is suitable for newly purchased equipment: in a real environment, just plug in the Console cable! I won't say any more about it here.
2. Manage through Telnet
Telnet management lets a terminal log in to the device through Telnet, after some configuration, to configure and manage it. This environment only needs one firewall (USG6000) and one Cloud node (mainly used to bridge to the host or a virtual machine). The experimental topology is as follows:
(1) When logging in through the Console for the first time, set the password as prompted, as shown in the figure.
(2) Configure the IP address of the firewall interface, to make later management possible:
<USG6000V1> system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1] undo info enable
Info: Information center is disabled.
[USG6000V1] int g0/0/0
[USG6000V1-GigabitEthernet0/0/0] ip add 192.168.1.1 24
[USG6000V1-GigabitEthernet0/0/0] undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[USG6000V1-GigabitEthernet0/0/0] quit
(3) Enable the Telnet function of the firewall:
[USG6000V1] telnet server enable
(4) Configure the firewall interface to allow remote management:
[USG6000V1] int g0/0/0
[USG6000V1-GigabitEthernet0/0/0] service-manage enable    // enable management on this interface
[USG6000V1-GigabitEthernet0/0/0] service-manage telnet permit    // allow Telnet
[USG6000V1-GigabitEthernet0/0/0] quit
(5) Add the firewall interface g0/0/0 to a security zone:
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g0/0/0
Error: The interface has been added to trust security zone.    // normal prompt: this interface is already in the zone
[USG6000V1-zone-trust] quit
(6) Configure inter-zone packet filtering on the firewall so that basic network communication works.
Because Telnet traffic is sent and received by the firewall itself, you need to configure a security policy from the Trust zone to the Local zone, as follows:
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name allow_telnet    // create a rule; allow_telnet is the rule name and can be chosen freely
[USG6000V1-policy-security-rule-allow_telnet] source-zone trust    // match condition: the source zone is trust
[USG6000V1-policy-security-rule-allow_telnet] destination-zone local    // match condition: the destination zone is local
[USG6000V1-policy-security-rule-allow_telnet] action permit    // action taken when the conditions match; permit means allow
[USG6000V1-policy-security-rule-allow_telnet] quit
[USG6000V1-policy-security] quit
(7) Configure the authentication mode and the local user information:
[USG6000V1] user-interface vty 0 4
[USG6000V1-ui-vty0-4] authentication-mode aaa    // user-interface authentication mode is AAA
[USG6000V1-ui-vty0-4] protocol inbound telnet    // allow Telnet to connect to the virtual terminal lines
[USG6000V1-ui-vty0-4] quit
[USG6000V1] aaa
[USG6000V1-aaa] manager-user lzj    // create the local user lzj
[USG6000V1-aaa-manager-user-lzj] password cipher lzj@1234    // set the user password (cipher: stored in ciphertext)
Info: You are advised to config on man-machine mode.    // the device recommends entering the password interactively
[USG6000V1-aaa-manager-user-lzj] service-type telnet    // service type telnet
[USG6000V1-aaa-manager-user-lzj] level 3    // user privilege level
[USG6000V1-aaa-manager-user-lzj] quit
[USG6000V1-aaa] quit
Note: the USG6000 series used here is the latest version, where the manager-user command configures the local username and password; earlier versions use the local-user command.
(8) Client access test
Client Telnet access succeeded!
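To make the reasoning behind step (6) concrete, here is an added example, written for this page and not taken from the post or from Huawei, that models a USG-style first-match security policy in Python. The rule names, zone names and flows are constructed; the evaluator's default-deny behaviour mirrors what the post describes (a management session that no rule permits is dropped), and the tightened variant goes one step beyond the post by limiting the rule to the Telnet service.

```python
"""Added example: first-match zone policy evaluation, modelled on the
trust -> local rule in the Telnet section (constructed, not the post's own code)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    source_zones: Set[str]                 # e.g. {"trust"}; "any" matches every zone
    destination_zones: Set[str]
    services: Set[str] = field(default_factory=lambda: {"any"})
    action: str = "permit"                 # "permit" or "deny"


@dataclass
class Flow:
    source_zone: str
    destination_zone: str
    service: str                           # "telnet", "ssh", "http", "https", ...


def _matches(allowed: Set[str], value: str) -> bool:
    return "any" in allowed or value in allowed


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Try rules in configured order; the first rule whose conditions all
    match decides. Nothing matching falls through to the implicit default,
    which for the USG security policy is deny."""
    for rule in rules:
        if (_matches(rule.source_zones, flow.source_zone)
                and _matches(rule.destination_zones, flow.destination_zone)
                and _matches(rule.services, flow.service)):
            return rule.action, rule.name
    return "deny", "default"


def management_flow(ingress_zone: str, service: str) -> Flow:
    """A session addressed to the firewall's own interface IP terminates in the
    Local zone, so management traffic is <ingress zone> -> local, never
    trust -> trust, which is why the post's rule uses destination-zone local."""
    return Flow(ingress_zone, "local", service)


# Rule exactly as the post configures it: every service from trust to local.
POLICY_AS_CONFIGURED = [Rule("allow_telnet", {"trust"}, {"local"})]

# Same rule narrowed to the one service it is meant to carry (assumption:
# a tighter policy than the post's, shown for comparison).
POLICY_TIGHTENED = [Rule("allow_telnet", {"trust"}, {"local"}, {"telnet"})]


if __name__ == "__main__":
    for label, policy in (("as configured", POLICY_AS_CONFIGURED),
                          ("tightened", POLICY_TIGHTENED)):
        for zone, svc in (("trust", "telnet"), ("trust", "ssh"), ("untrust", "telnet")):
            print(label, zone, svc, "->", evaluate(policy, management_flow(zone, svc)))
```

Running it shows that the post's rule, as written, also admits SSH, HTTP and any other service from the Trust zone to the firewall, while a flow arriving from an untrust zone never reaches the Local zone under either variant.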
3. Log in to the device through Web
It is recommended to redeploy the device in the simulator; of course, you can also continue to configure Web access on top of the Telnet setup! To keep things simple and clear, I redrew the experimental topology; it is still the same as before: a Cloud node simulating a real client and a USG6000 firewall. The configuration commands are as follows:
<USG6000V1> sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1] undo info enable
Info: Information center is disabled.
[USG6000V1] int g0/0/0
[USG6000V1-GigabitEthernet0/0/0] ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet0/0/0] undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[USG6000V1-GigabitEthernet0/0/0] service-manage http permit
[USG6000V1-GigabitEthernet0/0/0] service-manage https permit
[USG6000V1-GigabitEthernet0/0/0] quit    // open http and https management on the interface
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g0/0/0
Error: The interface has been added to trust security zone.    // normal prompt, can be ignored
[USG6000V1-zone-trust] quit    // add the interface to the Trust zone
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name allow_web
[USG6000V1-policy-security-rule-allow_web] source-zone trust
[USG6000V1-policy-security-rule-allow_web] destination-zone local
[USG6000V1-policy-security-rule-allow_web] action permit
[USG6000V1-policy-security-rule-allow_web] quit
[USG6000V1-policy-security] quit    // if Web access is configured on top of Telnet, this security policy can be skipped
[USG6000V1] web-manager security enable    // enable https secure access
[USG6000V1] aaa
[USG6000V1-aaa] manager-user lzj
[USG6000V1-aaa-manager-user-lzj] password
Enter Password:
Confirm Password:    // in this mode the configured password is not displayed; this is also the way Huawei recommends
[USG6000V1-aaa-manager-user-lzj] service-type web    // specify the service type
[USG6000V1-aaa-manager-user-lzj] level 3    // specify the privilege level
[USG6000V1-aaa-manager-user-lzj] quit
[USG6000V1-aaa] quit
Note:
You can also specify a custom port after the "web-manager security enable" command, for example "web-manager security enable port 2000". With the security parameter, HTTPS management is enabled; without it, HTTP management is enabled. HTTPS and HTTP management must never use the same port: that configuration causes a port conflict, and access fails!
Client access authentication:
The client accesses the device successfully through the Web!
4. Configure SSH login to the device
To help beginners understand, the device is redeployed here; the experimental topology is the same as in the first two methods! You can also continue configuring on top of the previous setup, according to your own ability. Log in to the device using SSH. The configuration commands are as follows:
<USG6000V1> sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1] undo info enable
Info: Information center is disabled.
[USG6000V1] int g0/0/0
[USG6000V1-GigabitEthernet0/0/0] ip add 192.168.1.20 24
[USG6000V1-GigabitEthernet0/0/0] undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[USG6000V1-GigabitEthernet0/0/0] service-manage enable
[USG6000V1-GigabitEthernet0/0/0] service-manage ssh permit
[USG6000V1-GigabitEthernet0/0/0] quit    // open ssh management on the interface
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g0/0/0
Error: The interface has been added to trust security zone.    // normal prompt, can be ignored
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name allow_ssh
[USG6000V1-policy-security-rule-allow_ssh] source-zone trust
[USG6000V1-policy-security-rule-allow_ssh] destination-zone local
[USG6000V1-policy-security-rule-allow_ssh] action permit
[USG6000V1-policy-security-rule-allow_ssh] quit
[USG6000V1-policy-security] quit    // configure the security policy; if Web or Telnet was already configured, these steps can be omitted
[USG6000V1] rsa local-key-pair create    // create the key pair that SSH needs
The key name will be: USG6000V1_Host
The range of public key size is (512-2048).
NOTES: If the key modulus is greater than 512, it will take a few minutes.
Input the bits in the modulus [default = 2048]:    // press Enter to accept the default key length of 2048
Generating keys....+....++....++++.++
[USG6000V1] user-interface vty 0 4
[USG6000V1-ui-vty0-4] authentication-mode aaa
Warning: The level of the user-interface(s) will be the default level of AAA users, please check whether it is correct.
[USG6000V1-ui-vty0-4] protocol inbound ssh
[USG6000V1-ui-vty0-4] quit    // enable ssh protocol access on the VTY lines
[USG6000V1] ssh user lzj    // specify lzj as an SSH user
[USG6000V1] ssh user lzj authentication-type password    // configure the authentication mode
[USG6000V1] ssh user lzj service-type stelnet    // configure the service type
[USG6000V1] aaa
[USG6000V1-aaa] manager-user lzj    // create the local user lzj
[USG6000V1-aaa-manager-user-lzj] password cipher lzj@1234
Info: You are advised to config on man-machine mode.    // the prompt recommends entering the password interactively
[USG6000V1-aaa-manager-user-lzj] service-type ssh    // specify the service type as ssh
[USG6000V1-aaa-manager-user-lzj] level 3    // privilege level 3
[USG6000V1-aaa-manager-user-lzj] quit
[USG6000V1-aaa] quit
[USG6000V1] stelnet server enable    // enable the STelnet (SSH) service
Client access test:
I am used to using Xshell (a personal habit); the cmd command window also works!
Client SSH access succeeded!
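The comparison of management methods at the top of the page and the note about HTTP and HTTPS ports both reduce to a handful of checks on the running configuration. The following is an added example, not code from the post or from Huawei, that audits a pasted USG6000-style configuration in Python for the weak settings this page discusses: the Telnet server enabled, an interface permitting Telnet or plain HTTP management, VTY lines accepting Telnet, HTTP and HTTPS sharing a port, and a password typed inline with `password cipher` instead of interactively. Both sample configurations are constructed for illustration; the command forms are the ones shown on this page, and the audit assumes the configuration is pasted in the indented style with `#` section separators.

```python
"""Added example: audit a USG6000-style management configuration for the
weak remote-management settings discussed on this page. The configurations
below are constructed samples, not taken from the post."""
import re
from typing import List, Optional, Tuple

# Constructed: everything the page ranks as low security switched on at once.
WEAK_CONFIG = """\
telnet server enable
stelnet server enable
web-manager enable port 2000
web-manager security enable port 2000
#
interface GigabitEthernet0/0/0
 service-manage enable
 service-manage telnet permit
 service-manage ssh permit
 service-manage http permit
 service-manage https permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
aaa
 manager-user lzj
  password cipher lzj@1234
  service-type telnet web ssh
  level 3
"""

# Constructed: SSH and HTTPS only, VTY restricted to ssh, password set interactively.
HARDENED_CONFIG = """\
stelnet server enable
web-manager security enable port 2000
#
interface GigabitEthernet0/0/0
 service-manage enable
 service-manage ssh permit
 service-manage https permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
aaa
 manager-user lzj
  service-type ssh
  level 3
"""

_WEB_RE = re.compile(r"web-manager(?P<sec> security)? enable(?: port (?P<port>\d+))?")


def parse_config(text: str) -> List[str]:
    """Strip indentation and drop blank lines and '#' section separators."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "#"]


def web_ports(lines: List[str]) -> Tuple[Optional[int], Optional[int]]:
    """(http_port, https_port) as explicitly configured; None when the service is
    absent or left at the device default, which this example does not assume."""
    http = https = None
    for ln in lines:
        m = _WEB_RE.fullmatch(ln)
        if not m:
            continue
        port = int(m.group("port")) if m.group("port") else None
        if m.group("sec"):
            https = port
        else:
            http = port
    return http, https


def audit(lines: List[str]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    if "telnet server enable" in lines:
        findings.append("telnet server enabled: password and session cross the network in cleartext; use stelnet")
    if "service-manage telnet permit" in lines:
        findings.append("interface permits Telnet management; permit only ssh and https")
    if "service-manage http permit" in lines:
        findings.append("interface permits plain HTTP management; use https only")
    for ln in lines:
        m = re.fullmatch(r"protocol inbound (\S+)", ln)
        if m and m.group(1) in ("all", "telnet"):
            findings.append(f"VTY lines accept '{m.group(1)}'; restrict to 'protocol inbound ssh'")
    http, https = web_ports(lines)
    if http is not None and http == https:
        findings.append(f"http and https share port {http}: port conflict, web access fails")
    if any(re.fullmatch(r"password cipher \S+", ln) for ln in lines):
        findings.append("password typed inline with 'password cipher'; enter it interactively with 'password' as the device advises")
    return findings


def is_hardened(text: str) -> bool:
    return not audit(parse_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(parse_config(cfg)) or ["no findings"])
```

The checks are deliberately string-exact on the normalised lines, so abbreviated forms typed at the CLI (such as `int g0/0/0`) are not recognised; feed the audit the expanded configuration the device displays rather than a typed session.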
© 2024 shulou.com SLNews company. All rights reserved.