Friday, February 28 2025

https—>webUI—>Huawei Secospace USG6300

Although a graphical user interface is useless in the case of routers and switches, it looks useful when configuring a firewall. Of course, that is my point of view; I will not go into what is better for you. I like using the CLI, but sometimes it is worth simplifying your daily routine. The first step is to configure HTTPS access to the webUI of the USG6300, and that is what we will focus on today.

Well known topology from the last post:

Topology_USG_access

Configure the IP address of the firewall's interface and add the interface to the trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Permit HTTPS management access on that interface:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]service-manage https permit

Create two administrator accounts:

#
 manager-user web_lab
  password cipher %@%@`ruiCXfgEFCJGnNu0!<@&bYP@.eMJIk7-H&m&h&[xo11Oh_Z%@%@
  service-type web
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type stelnet
 #
 manager-user web_lab_2
  password cipher %@%@S0e84!g|rRX38&1S*-l;h*!ub`{@$-`o0=71fW<8Ch{9g0'"%@%@
  service-type web
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type stelnet
#

Why two accounts? Because we will assign different roles to these two administrators to show that this is possible. We will use the default system-admin role for one administrator and a newly created web-admin role (defined as web_lab below) for the second one.

#
role system-admin
  description system-admin
 dashboard read-write
 monitor read-write
 policy read-write
 object read-write
 network read-write
 system read-write

#
role web_lab
 dashboard none
 monitor
  read-only session statistic statistic-acl
  none packet-capture diagnose
 policy none
 object none
 network none
 system none
#

Now we can bind the administrators to the roles defined above:

[USG6300-aaa]bind manager-user web_lab role system-admin
[USG6300-aaa]bind manager-user web_lab_2 role web_lab

Enable the HTTPS server with the default certificate and set the service port:

[USG6300]web-manager enable
 Enable http server successfully !
[USG6300]web-manager security enable port 8443
 Enable http security-server successfully ! web-manager

Let's verify what happens when we use both accounts to log in to the GUI of the firewall.

Open a browser and enter https://172.16.1.1:8443.

webUI_web_lab_user_2

webUI_web_lab_2_user_2

As you can see, the access granted varies with the role assigned to each administrator.
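Reviewing who can manage the firewall, and how, is easier from a saved configuration than by logging in with every account. The following is an added example, not part of the original post: it parses the manager-user and bind stanzas in the format shown above (and a telnet-only account like the one in the VTY post) and flags cleartext management access, accounts bound to the fully read-write system-admin role, and accounts with no role bound. The sample configuration is constructed, with the password lines left out.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the USG6300 stanzas above (password lines omitted).
SAMPLE_CONFIG = """\
#
 manager-user web_lab
  service-type web
  level 15
 #
 manager-user web_lab_2
  service-type web
  level 15
 #
 manager-user vty_labnario
  service-type telnet
  level 15
#
 bind manager-user web_lab role system-admin
 bind manager-user web_lab_2 role web_lab
"""

FULL_ACCESS_ROLES = {"system-admin"}  # read-write on every module in the post
CLEARTEXT_SERVICES = {"telnet"}       # the device's own login banner warns about telnet


def parse_manager_users(config):  # -> {name: {"service": set, "role": str|None}}
    users = defaultdict(lambda: {"service": set(), "role": None})
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"manager-user (\S+)$", line):
            current = m.group(1)          # entering a manager-user stanza
        elif m := re.match(r"bind manager-user (\S+) role (\S+)$", line):
            users[m.group(1)]["role"] = m.group(2)
        elif current and (m := re.match(r"service-type (.+)$", line)):
            users[current]["service"].update(m.group(1).split())
        elif line == "#":                 # stanza terminator
            current = None
    return dict(users)

def audit(config):  # findings a reviewer of this config would want first
    findings = []
    for name, u in sorted(parse_manager_users(config).items()):
        if u["service"] & CLEARTEXT_SERVICES:
            findings.append(f"{name}: management over cleartext {sorted(u['service'] & CLEARTEXT_SERVICES)}")
        if u["role"] in FULL_ACCESS_ROLES:
            findings.append(f"{name}: bound to full read-write role {u['role']}")
        elif u["role"] is None:
            findings.append(f"{name}: no role bound")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a `display current-configuration` dump to get the same three kinds of findings for a real device.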


VTY access to Secospace USG6300

A new box for fun 🙂

Thanks to my colleagues I have the opportunity to test the Huawei Secospace USG6300.

The rental period is not long, so let's start from the beginning.

Telnet and SSH

Topology_USG_access

Configure the IP address of the firewall's interface and assign the interface to the trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Permit telnet and SSH management access on that interface:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]service-manage telnet permit
[USG6300-GigabitEthernet0/0/7]service-manage ssh permit

Create local users for telnet and SSH access (the first one at the CLI, the second one shown as it appears in the configuration):

[USG6300]aaa
[USG6300-aaa]manager-user vty_labnario
[USG6300-aaa-manager-user-vty_labnario]password cipher Labnario123
[USG6300-aaa-manager-user-vty_labnario]service-type telnet
[USG6300-aaa-manager-user-vty_labnario]level 15

#
 manager-user ssh_labnario
  password cipher %@%@*;-$=&1LSK4n^9Tn)Ny!H,#w3&0~LrT%*W@gFyXV4LT,"2)$%@%@
  service-type ssh
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type stelnet
 #

Set the authentication method for the VTY user interfaces:

[USG6300]user-interface vty 0 4
[USG6300-ui-vty0-4]authentication-mode aaa

Enable the servers for the configured services:

[USG6300]telnet server enable
[USG6300]stelnet server enable

To complete the SSH configuration, create the RSA key pair:

[USG6300]rsa local-key-pair create
12:06:32  2015/03/31
The key name will be: USG6300_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 2048 bits may cause security risks.
       The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
.+++
.............+++
.............++++++++
.............++++++++

[USG6300]

Let’s verify access to the device:

***********************************************************
*           All rights reserved 2014                      *
*       Without the owner's prior written consent,        *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
*      This is a private communication system.            *
*   Unauthorized access or use may lead to prosecution.   *
***********************************************************

Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication


Username:vty_labnario
Password:
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<USG6300>
First time login or password is overtime, Please change your password.
Please input new password:**********
Please confirm new password:**********
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<USG6300>

login as: ssh_labnario
ssh_labnario@172.16.1.1's password:

***********************************************************
*           All rights reserved 2014                      *
*       Without the owner's prior written consent,        *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
*      This is a private communication system.            *
*   Unauthorized access or use may lead to prosecution.   *
***********************************************************

Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
  ----------------------------------------------------------------------------
  User last login information:
  ----------------------------------------------------------------------------
  Access Type: SSH
  IP-Address : 172.16.1.10
  Time       : 2015-03-31 12:08:16 +01:00
  State      : Login Succeeded
  ----------------------------------------------------------------------------
<USG6300>
Note: The max number of VTY users is 5, and the current number
      of VTY users on line is 1.
NOTICE:This is a private communication system.
       Unauthorized access or use may lead to prosecution.
<USG6300>

As you could see, the password must be changed after the first login. You can disable this forced password change with the command:

[USG6300-aaa]undo manager-user password-modify enable

SFTP

As SFTP is an SSH-based service, let's finish this article with the SFTP configuration:

#
 manager-user sftp_lab
  password cipher %@%@!siuS<f},>]>IM,2!|,#K!ul&;<u1g4:%'e8[NIfPZF@*'{v%@%@
  service-type ssh
  level 15
  ftp-directory hda1:
  ssh authentication-type password
  ssh service-type sftp
#
[USG6300]sftp server enable
Info: Succeeded in starting the SFTP server.

To verify, we can use PSFTP (the PuTTY SFTP client):

psftp> open 172.16.1.1
login as: sftp_lab
Using username "sftp_lab".
sftp_lab/172.16.1.1's password:
Remote working directory is /
psftp>


CPU usage alarm threshold

Huawei AR routers have an easy and effective CPU usage monitoring tool. They generate an alarm when CPU usage reaches 80%. When CPU usage falls back to 75%, a recovery alarm (clear alarm) is generated. This is the default behaviour, but these values can easily be changed to help optimize system performance and ensure system stability.

Let's configure the CPU usage alarm threshold as 85% and the recovery alarm threshold as 80%. The following command can be used for that:

<labnario>system-view
[labnario]set cpu-usage threshold 85 restore 80
Info: Succeeding in setting task cpu usage threshold 85 restore 80.

To check the CPU usage alarm thresholds, we can use the command:

[labnario]display cpu-usage configuration
Master Board:
 The CPU usage monitor is turned on.
 The CPU thread usage monitor is turned on.
 The current monitor cycle is 10 seconds.
 The current monitor warning threshold is 85%.
 The current monitor restore threshold is 80%.

To restore the default CPU usage alarm thresholds:

[labnario]undo set cpu-usage threshold 85 restore 80


Huawei eNSP – news

A new Huawei eNSP has been released.

ensp-simulator

Based on the release notes:

  • Added AC/AP/STA simulators.
  • WLAN devices support the following features: L2/L3 networking, inline/bypass mode, direct forwarding/tunnel forwarding (supported by IPv4); static and dynamic Option 43; MAC address or SN based authentication or non-authentication; the AC delivers configurations to APs; WEP, WPA-PSK, and WPA2-PSK authentication; 802.1x access authentication for WPA/WPA2; data encryption not supported; dual link backup; L2/L3 roaming; simulate APs to provide 2.4G or 5G signals; simulate STAs to connect to APs.
  • The AR further supports the following features: IPv6 transition; DHCPv6; NetStream.
  • Added router of eNSP 1.0.

Download it and enjoy!
