< Home

Updating the Signature Database

When a device is delivered, the signature database may not meet the actual requirements. For example, the signature database capability is small or the signature database is outdated. In this case, you are advised to update the intrusion prevention signature database and malicious domain name signature database immediately after the device is booted, and update the two signature databases in a timely manner during O&M to better defend against threats on the network.

Preparation

Before updating the IPS signature database and malicious domain name signature database, do as follows:

  • Checking the License Status

    Before updating the IPS signature database and malicious domain name signature database, ensure that the license for the update service has been purchased and activated. The IPS signature database and malicious domain name signature database use the same update license.

    To check the license status, perform the following operation:

    1. Choose System > License Management.

    2. In License Resource, search for the IPS signature database. Check whether the license is activated or expired in Status.

      • If Status is Disable, activate the license. For operations, see License Management.
      • If Status indicates that the service has expired, renew the corresponding license.

  • Checking the Free Space of the CF Card and Memory

    Before updating the IPS signature database and malicious domain name signature database, check whether the free space in the device CF card and memory is sufficient. The following table lists the CF card and memory space required for updating the IPS signature database and malicious domain name signature database.

    Signature Database

    CF Card Space

    Memory Space

    IPS signature database (IPS-SDB)

    30 MB or higher
    • USG6510E/6510E-POE: 52 MB or higher
    • USG6530E: 100 MB or higher
    • USG6515E: 440 MB or higher
    • USG6525E: 440 MB or higher
    • USG6550E/6560E/6580E: 480 MB or higher
    • USG6555E/6565E/6575E-B/6585E/6605E-B: 480 MB or higher
    • USG6615E/6625E: 500 MB or higher
    • USG6610E/6620E: 500 MB or higher
    • USG6635E/6655E: 520 MB or higher
    • USG6630E: 700 MB or higher
    • USG6650E: 700 MB or higher
    • USG6680E: 700 MB or higher
    • USG6712E/6716E: 900 MB or higher

    Malicious domain name signature database

    10 MB or higher
    • USG6510E/6510E-POE: 30 MB or higher
    • USG6530E: 50 MB or higher
    • USG6515E: 50 MB or higher
    • USG6525E: 50 MB or higher
    • USG6550E/6560E/6580E: 90 MB or higher
    • USG6555E/6565E/6575E-B/6585E/6605E-B: 90 MB or higher
    • USG6615E/6625E: 110 MB or higher
    • USG6610E/6620E: 110 MB or higher
    • USG6635E/6655E: 130 MB or higher
    • USG6630E: 310 MB or higher
    • USG6650E: 310 MB or higher
    • USG6680E: 310 MB or higher
    • USG6712E/6716E: 510 MB or higher

    Perform the following operation:

    1. Select Dashboard.
    2. In Device Information, check the available space of the CF card and memory.

  • Checking the Signature Database Version

    Check the IPS signature database and malicious domain name signature database version to determine whether the IPS signature database and malicious domain name signature database need to be updated.

    Details are as follows:

    1. Choose System > Update Center.
    2. In Signature Database Update, view Current Version of the IPS signature database and malicious domain name signature database to be updated and determine whether it requires an update.

Context

The IPS signature database and malicious domain name signature database can be updated in either of the following modes:

  • Online update

    If the FW can communicate with the update center directly over the Internet or through a proxy server, you can update the databases in online mode.

    Online update has two ways:

    • Scheduled update

      The FW accesses the update center on a scheduled basis to search for the latest IPS signature database and malicious domain name signature database. If the new versions of IPS signature database and malicious domain name signature database are found, the FW downloads the latest IPS signature database and malicious domain name signature database to update the local IPS signature database and malicious domain name signature database at scheduled time.

    • Immediate update

      After the online IPS signature database and malicious domain name signature database are updated, you can immediately update the local database instead of waiting for the scheduled update.

      The download address and process for updating the IPS signature database and malicious domain name signature database immediately is the same as that for the update through scheduled update. The two update modes differ in that immediate update can be performed at any time whereas scheduled update must be implemented at the specified time.

  • Local update

    When the FW is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update IPS signature database and malicious domain name signature database locally.

For details on signature database update scenarios, see Update Center.

Online Update

If the FW can directly access the update center, you must configure a security policy on the FW to permit HTTP and FTP packets. If the FW accesses the update center through a proxy server, you must configure a security policy on the FW to permit HTTP packets.

  1. Choose System > Update Center.
  2. Click Server IP Address.
  3. In the Configure Update Server dialog box that is displayed, set the IP address of the update server.

    Parameter

    Description

    Server IP Address

    Enter the IP address of the server that the FW accesses for the scheduled update. By default, domain name sec.huawei.com is used.

    Port

    Enter the port of the server. The default value is 443.

    Source IP Address

    Specify the mode for obtaining the source IP address of update request packets.

    • Automatically obtained: The system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    • Specified interface: The IP address and VPN instance of the interface are used as the source IP address and VPN instance of online update request packets.

      If the FW connects to the Internet through VPN, the interface must be bound to a corresponding instance. Otherwise, the update fails.

      The specified interface is not necessarily the outgoing interface of update request packets. To send update request packets, the system checks the route information to determine the outgoing interface.

    • Specified source IP address: Manually enter the source IP address of online update request packets and ensure that the FW can receive the reply packets.

      If the FW connects to the Internet through a VPN instance, you must run the update host source ip ip-address vpn-instance vpn-instance command on the CLI Console after you specify the source IP address. The configuration view is the system view. ip-address is the value specified in Specified source IP address, and vpn-instance is the name of the corresponding VPN instance.

    Instructions on the parameter are as follows:

    • Do not specify an interface that is bound to a virtual system. Otherwise, the update will fail.

    • If the interface has multiple IP addresses, you are advised to use Specified source IP address. Otherwise, the online update may fail.

    NOTE:

    This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, specify the outgoing interface if you need to use the URL remote query function.

    Connect to the upgrade center through a proxy server

    If the FW cannot access the update center directly, select this item and configure a proxy server for the update.

    Address

    If the FW cannot communicate with the update center over the Internet, configure a proxy server to connect to the update center and download signature databases for the FW. The proxy server address can be an IP address or domain name.

    Port

    Enter the port of the proxy server.

    User Name

    Enter the user name and password for logging in to the proxy server.

    Password

  4. Click OK.
  5. Select Scheduled Update or Immediate Update.

    During the online update, if normal services of the FW are interrupted, you can abort the update process. Wait for the network environment to improve before retrying the update.

    • Scheduled update

      1. Select Scheduled Update for the IPS signature database or malicious domain name signature database to be updated.

      2. Click Scheduled Update time and set the time for the scheduled update.

        Parameter

        Description

        Scheduled Update Time

        Set the update interval and time point. You need to set the time for scheduled update based on your network settings, but ensure that the update does not take up the network resources of normal services.

        You are advised to update the IPS signature database every week and the malicious domain name signature database every day. The update time can be adjusted based on network conditions.

        Action

        Select the action after the signature database is downloaded:

        • Download Only: The FW regularly downloads the signature database to the specified path but does not install the downloaded signature database.
        • Download and Install: The FW regularly downloads and automatically installs the signature database. By default, the system downloads and installs the signature database.
      3. Click OK.

    • Immediate update

      1. Click Update Immediately for the IPS signature database or malicious domain name signature database.
      2. Click OK.
  6. Verify the update result.

    • Scheduled update

      If you select Download and Install, after the update is complete, you can view that Status is The online upgrade succeeded. Current Version is the target version, and Previous Version is the source version.

      If you select Download Only, when Status is displayed as Download succeeded, you need to click Install Now. The loading succeeded indicates that the update succeeds.

      If Status is displayed as Retrying the update. Please wait..., the database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.

      • If you click Reinstall, installation starts immediately.

      • If you click Terminate Update, the re-installation is aborted. If Status is displayed as System memory resources are insufficient. Please try again later., wait for a period before clicking Reinstall.

    • Immediate update

      After the update is complete, you can view that Status is The online upgrade succeeded.. Current Version is the target version, and Previous Version is the source version.

      If Status is displayed as System memory resources are insufficient. Please try again later., the database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.

      • If you click Reinstall, installation starts immediately.

      • If you click Update Immediately, the system deletes the downloaded signature database file and starts update again.

Local Update

You must obtain the update package before the local update.

  1. Download the update package.

    Download update packages from the security center (isecurity.huawei.com). For details, refer to Update Center.

  2. Choose System > Update Center.
  3. Click Update Locally for the specified signature database.
  4. Click Browse... and select the desired update package.
  5. Click Update.

    The signature database files are in ZIP format. You can upload them directly to the FW without decompressing them.

  6. After the update is complete, Status is The local upgrade succeeded. Current Version is the target version, and Previous Version is the source version.

Version Rollback

If an exception occurs after a signature database is updated, you can roll back the signature database to the source version.

You can roll back to only one version. If you perform version rollbacks repeatedly, the version rollback is implemented between the current version and the rollback version.

  1. Choose System > Update Center.
  2. Click Roll Back for the specified signature database.
  3. Click OK.
  4. After the rollback is complete, Status is The version rollback succeeded. Current Version is the target version, and Previous Version is the source version.
Parent Topic: Configuring Intrusion Prevention Using the Web UI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >