Setting of northbound API login for the USG6000


The northbound API provides HTTP and HTTPS modes for login, of which HTTPS is more secure. Therefore, HTTPS is preferred.
1. Enable the HTTPS service of the northbound API (using the default certificate).
<sysname> system-view
[sysname] api
[sysname-api] api https port 8447 enable
2. (Optional) Enable HTTPS (using the specified device certificate).
[sysname] api
[sysname-api] security server-certificate hda1:/server.cer
3. (Optional) Configure SSL and the encryption algorithm.
[sysname] api
[sysname-api] security version TLS 1.2
4. Set the service timeout period.
When the NGFW interacts with the client through a northbound API, set the service timeout period. The default value is 90s.
[sysname] api
[sysname-api] connection aging-time seconds
5. Configure the administrator and API service.
[sysname] aaa
[sysname-aaa] manager-user abc
[sysname-aaa-manager-user-abc] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-abc] service-type api
[sysname-aaa-manager-user-abc] level 3
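
As an added example (not part of the original page and not Huawei code), the Python script below reviews a change script written in the prompt-and-command form of steps 1 to 5 and reports which of those settings it leaves out. The function names and the sample script are constructed for illustration, and it assumes the host name in the prompt contains no hyphen.

```python
import re

# Constructed sample: the commands from the steps above as one change script,
# with optional steps 2 and 3 left out and the timeout not set.
SAMPLE = """\
<sysname> system-view
[sysname] api
[sysname-api] api https port 8447 enable
[sysname] aaa
[sysname-aaa] manager-user abc
[sysname-aaa-manager-user-abc] service-type api
[sysname-aaa-manager-user-abc] level 3
"""

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")

def commands_by_view(script):
    """Map each view name (taken from the prompt) to the commands typed in it."""
    views = {}
    for line in script.splitlines():
        m = PROMPT.match(line.strip())
        if m and m["cmd"]:
            # Assumption: host name has no hyphen, so the view follows the first one.
            view = m["view"].partition("-")[2]
            views.setdefault(view, []).append(" ".join(m["cmd"].split()))
    return views

def review(script):
    """Return findings for the API login settings described in steps 1 to 5."""
    views = commands_by_view(script)
    api = views.get("api", [])
    findings = []
    if not any(re.fullmatch(r"api https port \d+ enable", c) for c in api):
        findings.append("HTTPS service of the API is not enabled")
    if not any(c.startswith("security server-certificate ") for c in api):
        findings.append("default certificate in use (step 2 skipped)")
    if "security version TLS 1.2" not in api:
        findings.append("TLS version not set to TLS 1.2 (step 3 skipped)")
    if not any(re.fullmatch(r"connection aging-time \d+", c) for c in api):
        findings.append("service timeout left at the 90s default")
    api_users = [v for v, cmds in views.items()
                 if v.startswith("aaa-manager-user-") and "service-type api" in cmds]
    if not api_users:
        findings.append("no manager-user has service-type api")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
```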

Other related questions:
Method used to change the maximum number of allowed login failures for the USG6000 series
—For a VTY or console administrator, the maximum number of allowed authentication failures can be set with the lock authentication-count command. The default value is 3.
# Set the threshold for authentication attempts to 5 on the console port.
<sysname> system-view
[sysname] user-interface console 0
[sysname-ui-console0] lock authentication-count 5
—For users who log in through Telnet, SSH, web UI, FTP, SFTP, or SNMP, run the firewall blacklist authentication-count login-failed command to set the threshold for authentication attempts. By default, the value is 3 for Telnet, SSH, web, FTP, and SFTP users or 6 for SNMP users.
# Set the threshold for authentication attempts to 5 for administrators who log in through the web UI.
<sysname> system-view
[sysname] firewall blacklist authentication-count login-failed 5
If the number of consecutive wrong passwords exceeds the specified threshold, the client IP address is blacklisted to prevent more login attempts. By default, the blacklist entry times out in 10 minutes. That is, the user can try to log in again from the same IP address 10 minutes later.

Method for setting a permanently available password for the administrator of the USG6000 series
For the USG6000 series, the following example shows how to set the validity period of the administrator login password:
# Set the password validity period for the administrator test to 80 days.
<sysname> system-view
[sysname] aaa
[sysname-aaa] manager-user test
[sysname-aaa-manager-user-test] password valid-days 80
For the USG2000&5000 series, the following example shows how to set the validity period of the administrator login password:
# Set the password validity period for the administrator test to 80 days.
<sysname> system-view
[sysname] aaa
[sysname-aaa] local-user test password valid-days 80
If valid-days is set to 0, the password never expires. For more command details, see the product documentation.
