HP 200 Unified Threat Management (UTM) Appliance manual Configuring a user privilege level

Page 139

Table 28 Command levels and user privilege levels

Level 0 (Visit): Includes commands for network diagnosis and commands for accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level are restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.

Level 1 (Monitor): Includes commands for system maintenance and service fault diagnosis. Commands at this level are not saved after being configured. After the device is restarted, the commands at this level are restored to the default settings. Commands at this level include debugging, terminal, refresh, and send.

Level 2 (System): Includes service configuration commands, including routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at manage level.

Level 3 (Manage): Includes commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system, which are not defined by any protocols or RFCs.

Configuring a user privilege level

If the authentication mode on a user interface is scheme, configure a user privilege level for the user interface's users through the AAA module or directly on the user interface. For SSH users who use public-key authentication, the user privilege level configured directly on the user interface always takes effect. For other users, the user privilege level configured in the AAA module has priority over the one configured directly on the user interface.

If the authentication mode on a user interface is none or password, configure the user privilege level directly on the user interface.

For more information about user login authentication, see "Logging in to the CLI." For more information about AAA and SSH, see Access Control Configuration Guide.
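The precedence rules above, encoded as a small audit helper that resolves a login's effective privilege level and checks it against the default command levels of Table 28. This is an added example, not code from the HP manual; the LoginUser model, its field names and the mapping of ftp/tftp to the manage level are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Default command levels taken from Table 28. Only the commands the table
# names are listed; "ftp" and "tftp" are mapped from its "FTP, TFTP" wording
# (an assumption). Level 2 (System) is "all configuration commands except
# those at manage level", so it is the fallback for anything not listed.
COMMAND_LEVELS = {
    "ping": 0, "tracert": 0, "telnet": 0, "ssh2": 0,         # 0: Visit
    "debugging": 1, "terminal": 1, "refresh": 1, "send": 1,  # 1: Monitor
    "ftp": 3, "tftp": 3,                                     # 3: Manage
}


@dataclass
class LoginUser:
    """Hypothetical model of one login; field names are this example's own."""
    auth_mode: str                   # user interface mode: "none", "password" or "scheme"
    ui_level: int                    # level configured directly on the user interface
    aaa_level: Optional[int] = None  # level configured in the AAA module, if any
    ssh_public_key: bool = False     # SSH user authenticated with a public key


def effective_level(user: LoginUser) -> int:
    """Resolve the privilege level using the precedence rules stated above."""
    if user.auth_mode in ("none", "password"):
        # Mode none or password: only the level set on the user interface applies.
        return user.ui_level
    if user.auth_mode != "scheme":
        raise ValueError(f"unknown authentication mode {user.auth_mode!r}")
    if user.ssh_public_key:
        # SSH public-key users: the user interface level always takes effect.
        return user.ui_level
    # Any other scheme user: the AAA level has priority when one is configured.
    return user.aaa_level if user.aaa_level is not None else user.ui_level


def command_level(command_line: str) -> int:
    """Default level of a command line, keyed on its first keyword."""
    parts = command_line.split()
    return COMMAND_LEVELS.get(parts[0], 2) if parts else 2


def is_allowed(user: LoginUser, command_line: str) -> bool:
    """A user may run commands at or below their effective privilege level."""
    return command_level(command_line) <= effective_level(user)


if __name__ == "__main__":
    # Constructed case: AAA grants level 3 while the VTY line itself is set to level 1.
    operator = LoginUser("scheme", ui_level=1, aaa_level=3)
    keyholder = LoginUser("scheme", ui_level=1, aaa_level=3, ssh_public_key=True)
    print(effective_level(operator), effective_level(keyholder))  # 3 1
```

The keyholder case is the one worth auditing: a public-key SSH user keeps the line's level even when AAA assigns a different one, so a low line level can silently cap, or a high line level silently widen, what that user can run.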

Configuring a user privilege level for users through the AAA module

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter user interface view.
Command: user-interface { first-num1 [ last-num1 ] | { console | vty } first-num2 [ last-num2 ] }
Remarks: N/A

Step 3. Specify the scheme authentication mode.
Command: authentication-mode scheme
Remarks: By default, the authentication mode for VTY users is scheme, and no authentication is needed for console login users.

Step 4. Return to system view.
Command: quit
Remarks: N/A

133
