HP 200 Unified Threat Management (UTM) Appliance manual, Page 61
Configuring HTTPS login (continued)

Step 3: Associate the HTTPS service with an SSL server policy.
Command: ip https ssl-server-policy policy-name
Remarks: Optional.
  By default, the HTTPS service is not associated with any SSL server policy, and the device uses a self-signed certificate for authentication.
  If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL server policy. Before re-enabling the HTTPS service, associate it with an SSL server policy first.
  Once the HTTPS service has been enabled, changes to the SSL server policy associated with it do not take effect.

Step 4: Enable the HTTPS service.
Command: ip https enable
Remarks: By default, HTTPS is disabled.
  Enabling the HTTPS service triggers an SSL handshake negotiation. If the device has a local certificate, the negotiation succeeds and the HTTPS service starts properly. If no local certificate exists, the negotiation triggers a certificate application (enrollment) process. Because that process takes a long time, the negotiation often fails and the HTTPS service cannot start normally. In that case, execute the ip https enable command repeatedly until the HTTPS service starts.

Step 5: Associate the HTTPS service with a certificate attribute-based access control policy.
Command: ip https certificate access-control-policy policy-name
Remarks: Optional.
  By default, the HTTPS service is not associated with any certificate attribute-based access control policy.
  Associating the HTTPS service with a certificate attribute-based access control policy enables the device to control the access rights of clients based on the attributes of their certificates.
  You must configure the client-verify enable command in the associated SSL server policy. Otherwise, no clients can log in to the device.
  The associated certificate attribute-based access control policy must contain at least one permit rule. Otherwise, no clients can log in to the device.
  For more information about certificate attribute-based access control policies, see VPN Configuration Guide.

Step 6: Specify the HTTPS service port number.
Command: ip https port port-number
Remarks: Optional.
  The default HTTPS service port is 443.
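The four steps above as one configuration sequence, added here as an illustration and not taken from the manual. Only ip https ssl-server-policy, ip https enable, ip https certificate access-control-policy, ip https port and client-verify enable are named on this page; the SSL server policy view commands (ssl server-policy, pki-domain), the PKI certificate attribute-group and access-control-policy commands, the display ip https command, the prompts, and the names myssl, https-domain, admins and https-acp are assumptions about a Comware-based device and must be checked against the command reference for the installed release. The order is the point: both policies are associated before ip https enable, because the remarks state that policy changes made after enabling do not take effect.

```text
# Assumed names: myssl, https-domain, admins, https-acp.
# Assumed commands beyond this page: ssl server-policy, pki-domain,
# pki certificate attribute-group / access-control-policy, display ip https.

<Device> system-view

# SSL server policy: use a CA-issued certificate from a PKI domain instead of
# the default self-signed certificate, and require a client certificate.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain https-domain
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit

# Certificate attribute-based access control policy with at least one permit
# rule; without a permit rule no client can log in.
[Device] pki certificate attribute-group admins
[Device-pki-cert-attribute-group-admins] attribute 1 subject-name dn ctn OU=NetOps
[Device-pki-cert-attribute-group-admins] quit
[Device] pki certificate access-control-policy https-acp
[Device-pki-cert-acp-https-acp] rule 1 permit admins
[Device-pki-cert-acp-https-acp] quit

# Step 3: associate the SSL server policy BEFORE enabling HTTPS.
[Device] ip https ssl-server-policy myssl

# Step 5: associate the access control policy (requires client-verify enable above).
[Device] ip https certificate access-control-policy https-acp

# Step 6: non-default port (default is 443).
[Device] ip https port 8443

# Step 4: enable last. If the local certificate has not been obtained yet, the
# negotiation can time out; repeat the command until the service starts.
[Device] ip https enable

# Verify the service state, port and associated policies.
[Device] display ip https
```

If the HTTPS service is ever disabled, the association to myssl is dropped automatically; re-run ip https ssl-server-policy myssl before ip https enable, or the device will come back up on its self-signed certificate without client verification.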
