How to Configure Security Policies to Allow NETCONF
NETCONF is an XML-based network management protocol that provides a set of programmable methods for configuring and managing network devices. Its transport layer protocol can be BEEP, SSH, TLS, or SOAP; according to the NETCONF RFC, SSH support is mandatory, which is why SSH is the most widely used transport for NETCONF. Currently, Huawei firewalls support SSH only.
The NMS, acting as the NETCONF client, sends a connection request to the managed device, acting as the NETCONF server, to establish an SSH connection; NETCONF sessions are then carried over that SSH connection. According to RFC 6242, the NETCONF server (the managed device) listens on TCP port 830 for SSH connection requests from the NETCONF client by default. Most network devices allow the NETCONF over SSH port to be changed, so determine the ports that need to be opened from the actual configuration of the managed devices.
For traffic from the NMS to the managed devices, configure security policies as shown in Table 7-9. In some scenarios the managed devices proactively initiate connection requests to register with the NMS, which is called Call Home registration; in that case you must also configure a security policy that permits traffic in the reverse direction (security policy 103 in Table 7-9).
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow NMS to firewall | Trust | Local | 10.1.1.10/24 | 10.1.1.1/24 | netconf (TCP: 830) | permit
102 | Allow NMS to switch | Trust | Untrust | 10.1.1.10/24 | 10.1.2.10/24 | netconf (TCP: 830) | permit
103 | Allow switch call-home | Untrust | Trust | 10.1.2.10/24 | 10.1.1.10/24 | TCP: 10020 | permit
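As an added example (not from this page or from Huawei's own code), the following Python model evaluates the three rules of Table 7-9 against the flows described above, using first-match evaluation and an assumed default deny for unmatched traffic; it also shows that the /24 masks written in the table admit the whole subnet, not only the NMS host.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    src_zone: str
    dst_zone: str
    src_net: str      # as written in the table, e.g. "10.1.1.10/24"
    dst_net: str
    dst_port: int     # TCP destination port
    action: str


# The three rules of Table 7-9, transcribed from the page.
TABLE_7_9 = [
    Rule(101, "Allow NMS to firewall", "Trust", "Local", "10.1.1.10/24", "10.1.1.1/24", 830, "permit"),
    Rule(102, "Allow NMS to switch", "Trust", "Untrust", "10.1.1.10/24", "10.1.2.10/24", 830, "permit"),
    Rule(103, "Allow switch call-home", "Untrust", "Trust", "10.1.2.10/24", "10.1.1.10/24", 10020, "permit"),
]


def _in_net(ip: str, net: str) -> bool:
    # strict=False: a host address with a /24 mask denotes its whole /24 network
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip, dst_port):
    """Return the first rule matching a TCP flow (top-down, first match wins), or None."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _in_net(src_ip, r.src_net) and _in_net(dst_ip, r.dst_net)
                and r.dst_port == dst_port):
            return r
    return None


def decide(rules, src_zone, dst_zone, src_ip, dst_ip, dst_port) -> str:
    """Policy verdict: the matching rule's action, or 'deny' (assumed default) when nothing matches."""
    r = first_match(rules, src_zone, dst_zone, src_ip, dst_ip, dst_port)
    return r.action if r else "deny"


def source_hosts_covered(rule: Rule) -> int:
    """How many source addresses the rule's source prefix actually admits."""
    return ipaddress.ip_network(rule.src_net, strict=False).num_addresses


if __name__ == "__main__":
    print(decide(TABLE_7_9, "Trust", "Local", "10.1.1.10", "10.1.1.1", 830))        # rule 101
    print(decide(TABLE_7_9[:2], "Untrust", "Trust", "10.1.2.10", "10.1.1.10", 10020))  # no rule 103: deny
    print(source_hosts_covered(TABLE_7_9[0]))                                         # 256, not 1
```

Tightening the source and destination fields to /32 host addresses keeps the table's intent while limiting each rule to the single NMS or device it names.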
The port used by NETCONF depends on the transport layer protocol. If heterogeneous devices (for example, from different vendors) are deployed on the network, check which port each device uses to communicate with the NMS. Table 7-10 lists the ports that the Internet Assigned Numbers Authority (IANA) has allocated to NETCONF.