Changing HTTP used for web login to HTTPS on the USG


An example of using the CLI to change HTTP used for web login to HTTPS on the USG2000&5000&6000 series is as follows:
[sysname]undo web-manager enable /Disable the HTTP service.
Disable http server successfully !
[sysname]web-manager security enable port 8443 /Enable the HTTPS service.

Other related questions:
Method for configuring HTTPS login to the web UI of the USG6000
You can configure the HTTPS login to the web UI as follows:
Note: If you only enable the web function by running web-manager enable but do not enable the HTTPS service by running web-manager security enable, you cannot log in to the device.
1. Networking requirement
Configure a local authentication administrator webadmin for the NGFW and require that the administrator use HTTPS to log in to the web UI.

2. Configuration roadmap
a. Configure the web service for the device and enable the HTTPS service on the interface to allow the administrator to use HTTPS to log in to the web UI.
b. Create an administrator.
3. Operation procedure
<NGFW> system-view
a. Enable the web service.
Enable HTTPS.
[NGFW] web-manager security enable port 8443
Configure the timeout period for the web service.
[NGFW] web-manager timeout 5
By default, the web service timeout period is 10 minutes.
(Optional) Configure automatic web UI lockout upon 5 consecutive administrator login failures.
Note:
By default, the web UI will be added to the blacklist for 10 minutes (cannot be modified) after 3 consecutive authentication failures.
[NGFW] firewall blacklist authentication-count login-failed 5
Configure the IP address on GigabitEthernet 1/0/3 and enable the HTTPS service.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage https permit
[NGFW-GigabitEthernet1/0/3] quit
Add the interface to the security zone.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet1/0/3
[NGFW-zone-trust] quit
b. Create an administrator.
Create an administrator and bind a role to it.
[NGFW] aaa
[NGFW-aaa] manager-user webadmin
[NGFW-aaa-manager-user-webadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-webadmin] service-type web
[NGFW-aaa-manager-user-webadmin] access-limit 10
[NGFW-aaa-manager-user-webadmin] level 3
[NGFW-aaa-manager-user-webadmin] quit
Log in to the NGFW on the administrator PC.
Open the browser on the PC and access https://10.3.0.1:8443, the IP address of the device to be logged in to.
On the login page, enter the administrator's user name and password, respectively webadmin and Myadmin@123, and click Enter to enter the web UI.
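To check that a device ended up in the intended state (HTTPS on, HTTP off), the following added example audits a saved configuration; it is not Huawei code. It assumes the configuration text contains the commands in the form typed on this page, and that `service-manage http permit` is the HTTP counterpart of the `service-manage https permit` command shown above. The function name and sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not from a real device). Lines are assumed
# to appear in the same form as the commands entered on this page.
SAMPLE_CONFIG = """\
web-manager enable
web-manager security enable port 8443
web-manager timeout 5
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage https permit
interface GigabitEthernet1/0/4
 ip address 10.4.0.1 255.255.255.0
 service-manage enable
 service-manage http permit
"""

def audit_web_management(config):
    """Return a list of findings about HTTP/HTTPS web management."""
    findings = []
    http_on = https_on = False
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level line ends any interface view we were in.
            m = re.match(r"interface\s+(.+)", line)
            iface = m.group(1).replace(" ", "") if m else None
        if re.fullmatch(r"web-manager enable(\s+port\s+\d+)?", line):
            http_on = True    # plain HTTP web service
        elif re.fullmatch(r"web-manager security enable(\s+port\s+\d+)?", line):
            https_on = True   # HTTPS web service
        elif iface and line == "service-manage http permit":
            findings.append(f"{iface}: HTTP management permitted on interface")
    if http_on:
        findings.append("global: HTTP web service enabled (undo web-manager enable)")
    if not https_on:
        findings.append("global: HTTPS web service not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_web_management(SAMPLE_CONFIG):
        print(finding)
```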

Method for configuring HTTPS login to the web UI of the USG2000&5000
Web login for the USG2000&5000
Operation procedure
Note:
The USG enables HTTP/HTTPS by default.
When you use HTTP for access, the device automatically switches to HTTPS, which is more secure.
1. Enable the HTTP service.
Run the system-view command to enter the system view.
Run the web-manager enable [ port port-number ] command to enable the HTTP service.
On the web browser, log in to the device through the address in the format of http://ip-address:port. The default port is 80.
2. Enable the HTTPS service.
By default, when the client PC logs in to the server using HTTPS, the server will send a default certificate to the client PC.
Run the system-view command to enter the system view.
Run the web-manager security enable port port-number command to enable the HTTPS service.
On the web browser of the client PC, log in to the device through the address in the format of https://ip-address:port. The default port is 8443.
3. (Optional) Configure the timeout period for the web service.
Run the web-manager timeout minutes command to set the web service timeout period.
The default web service timeout period is 10 minutes.
4. (Optional) Configure a web user.
Run the aaa command to enter the AAA view.
Run the local-user user-name password { cipher | irreversible-cipher } password command to create a local AAA user.
Run the local-user user-name service-type web command to set the user type to web.
Run the local-user user-name level level command to specify the user level.
Note:
The default user name of admin and password of Admin@123 can be used for login.
To ensure successful login of the web user, you must at least configure the web user permission to level 3.

Task Example
1. Configure the IP address of the USG.
<USG> system-view
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[USG-GigabitEthernet0/0/1] quit
2. Add the interface to the security zone to ensure normal network communication. The detailed procedure is omitted.
3. Enable the web management function.
[USG] web-manager security enable port 2000
4. Configure a web user.
[USG] aaa
[USG-aaa] local-user webuser password irreversible-cipher Admin@123
[USG-aaa] local-user webuser service-type web
[USG-aaa] local-user webuser level 3
5. Configure the PC IP address as 10.1.1.100/24.
Use the PC browser to access https://10.1.1.1:2000. Enter the user name and password to check whether the device can be logged in to.

Method used to change the WI access mode to HTTP
The WI access mode can be changed as required. HTTP mode is less secure than HTTPS mode. If you want to switch from HTTPS to HTTP, you only need to modify the access address formats for WI and vLB. For details, see related cases in Huawei's cloud computing forum.

How to configure login failure times and lock duration of local accounts on an AR router
By default, the account lock function of an AR router is enabled, the retry interval is five minutes, wrong password retry times are three, and account lock duration is five minutes. The following example shows how to configure login failure times and lock duration for a local account:
Set the retry interval to five minutes, wrong password retry times to 3, and account lock duration to five minutes.
[Huawei] aaa
[Huawei-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
If the wrong password retry times are exceeded within the retry interval, the user is locked. Run the local-user user-name state active command to unlock the user.
