Updating the Signature Database

When a device is delivered, the signature database may not meet the actual requirements. For example, the signature database capability is small or the signature database is outdated. In this case, you are advised to update the intrusion prevention signature database and malicious domain name signature database immediately after the device is booted, and update the two signature databases in a timely manner during O&M to better defend against threats on the network.

Preparation

Before updating the IPS signature database and malicious domain name database, do as follows:

Checking the License Status

Before updating the IPS signature database and malicious domain name database, ensure that the license for the update service has been purchased and activated. The IPS signature database and malicious domain name database use the same update license.

To check the license status, perform the following operation:
1. Run the display license command to check whether the required license has been activated or has expired.
  - If the status of the signature database to be updated is Disabled, activate the license. For details on how to activate the license, see License Management.
  - If the status of the signature database to be updated is Enabled, check whether the license has expired. If yes, purchase the license.

Checking the Free Space of the CF Card and Memory

Before updating the IPS signature database and malicious domain name signature database, check whether the free space of the CF card and memory is sufficient. The following table lists the CF card and memory space required for updating the IPS signature database and malicious domain name signature database.

Signature Database	CF Card Space	Memory Space
IPS signature database (IPS-SDB)	30 MB or higher	USG6510E/6510E-POE: 52 MB or higher USG6530E: 100 MB or higher USG6515E: 440 MB or higher USG6525E: 440 MB or higher USG6550E/6560E/6580E: 480 MB or higher USG6555E/6565E/6575E-B/6585E/6605E-B: 480 MB or higher USG6615E/6625E: 500 MB or higher USG6610E/6620E: 500 MB or higher USG6635E/6655E: 520 MB or higher USG6630E: 700 MB or higher USG6650E: 700 MB or higher USG6680E: 700 MB or higher USG6712E/6716E: 900 MB or higher
Malicious domain name database	10 MB or higher	USG6510E/6510E-POE: 30 MB or higher USG6530E: 50 MB or higher USG6515E: 50 MB or higher USG6525E: 50 MB or higher USG6550E/6560E/6580E: 90 MB or higher USG6555E/6565E/6575E-B/6585E/6605E-B: 90 MB or higher USG6615E/6625E: 110 MB or higher USG6610E/6620E: 110 MB or higher USG6635E/6655E: 130 MB or higher USG6630E: 310 MB or higher USG6650E: 310 MB or higher USG6680E: 310 MB or higher USG6712E/6716E: 510 MB or higher

To check the free space of the root directory, perform the following operations:

In the user view, run the dir command to check the free space of the CF card on the MPU.

The example command output of the FW is as follows:

<sysname> dir
Directory of hda1:/                                                             
                                                                                
  Idx  Attr     Size(Byte)  Date        Time       FileName                     
    0  -rw-            754  Feb 06 2015 15:35:33   private-data.txt             
    1  -rw-          5,805  Feb 06 2015 15:35:51   cfgfile.zip                  
    2  drw-              -  Feb 06 2015 09:07:58   default-sdb                  
    3  drw-              -  Jul 08 2014 17:02:48   conf                         
                               ........                                         
   48  -rw-             36  Jan 30 2015 10:28:44   $_patchstate_reboot          
   49  -rw-          1,063  Feb 06 2015 09:13:26   nlog.log                     
   50  -rw-    173,569,921  Feb 04 2015 20:31:10   sup_c30.bin                  
                                                                                
1,200,576 KB total (379,168 KB free)

In the user view, run the delete command to delete unwanted files from the CF card if the free space is insufficient.

Files are deleted and cannot be restored after the delete command with the /unreserved parameter is executed.

Checking the Current Update Status

Signature databases cannot be updated simultaneously. You can update a signature database only after the current update status is idle.

To check the current update status, perform the following operation:
1. Run the display update status command to check the update status of the signature database.
```
<sysname> display update status
  Current Update Status: Idle.
```
  If Current Update Status is Idle, you can update the desired signature database. Otherwise, repeat the display update status command until Current Update Status changes to Idle, and then update the desired signature database.

Checking the Signature Database Version

Check the signature database version to determine whether the signature database needs to be updated.

To check the signature database version, perform the following operation:

Run the display version { ips-sdb | cnc } command to check the signature database version.

<sysname> display version ips-sdb                                           
IPS SDB Update Information List:                                                
----------------------------------------------------------------                
  Current Version:                                                              
    Signature Database Version    : 2016042310                                  
    Signature Database Size(byte) : 653281                                      
    Update Time                   : 16:15:13 2016/05/14                         
    Issue Time of the Update File : 17:31:13 2016/04/23                         
                                                                                
  Backup Version:                                                               
    Signature Database Version    : 2016042704                                  
    Signature Database Size(byte) : 568481                                      
    Update Time                   : 16:12:23 2016/05/14                         
    Issue Time of the Update File : 13:14:59 2016/04/27                         
----------------------------------------------------------------                
IPS Engine Information List:                                                    
----------------------------------------------------------------                
  Current Version:                                                              
    IPS Engine Version            : V200R002C20SPC015S001                       
    IPS Engine Size(byte)         : 4270561                                     
    Update Time                   : 16:15:13 2016/05/14                         
    Issue Time of the Update File : 10:39:25 2016/05/14                         
                                                                                
  Backup Version:                                                               
    IPS Engine Version            : V200R002C20SPC012                           
    IPS Engine Size(byte)         : 3145728                                     
    Update Time                   : 16:12:23 2016/05/14                         
    Issue Time of the Update File : 19:45:45 2016/04/27                         
----------------------------------------------------------------

Context

The IPS signature database and malicious domain name signature database can be updated in either of the following modes:

Online update

If the FW can communicate with the update center directly over the Internet or through a proxy server, you can update the databases in online mode.

Online update has two ways:
- Scheduled update
  
  The FW accesses the update center on a scheduled basis to search for the latest IPS signature database and malicious domain name signature database. If the new versions of IPS signature database and malicious domain name signature database are found, the FW downloads the latest IPS signature database and malicious domain name signature database to update the local IPS signature database and malicious domain name signature database at scheduled time.
- Immediate update
  
  After the online IPS signature database and malicious domain name signature database are updated, you can immediately update the local database instead of waiting for the scheduled update.
  
  The download address and process for updating the IPS signature database and malicious domain name signature database immediately is the same as that for the update through scheduled update. The two update modes differ in that immediate update can be performed at any time whereas scheduled update must be implemented at the specified time.
Local update

When the FW is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update IPS signature database and malicious domain name signature database locally.

For details on signature database update scenarios, see Update Center.

Online Update

If the FW can directly access the update center, you must configure a security policy on the FW to permit HTTP and FTP packets. If the FW accesses the update center through a proxy server, you must configure a security policy on the FW to permit HTTP packets.

Configure an update center.
1. Access the system view.
```
system-view
```
2. Configure the update center.
```
update server { domain domain-name | ip ip-address } [ port port-number ]
```
  The default domain name is sec.huawei.com.
  
  Configure the DNS server to resolve the domain name of the update center. For details, see 3.
3. Configure the CA certificate used by the device to communicate with the Huawei security center through HTTPS.
```
update server ca-certificate certificate-file-name
```
  By default, the signature database update service uses the CA certificate (default_ca.cer) preset on the device to communicate with the Huawei security center.
Optional: Configure a proxy server.
Perform this step when the FW needs to access the update center using a proxy server.
1. Enable the signature database proxy update.
```
update proxy enable
```
2. Set the domain name (or IP address), user name, and password of the proxy server.
```
update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]
```
  If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name. For details on how to configure the DNS server, see 3.
Optional: Configure a DNS server.
1. Configure the DNS server to resolve domain names.
```
dns resolve
```
2. Specify the IP address of the DNS server.
```
dns server ip-address
```
Optional: Specify the source IP address for online update request packets.
- Specify an interface IP address and VPN instance as the source IP address and VPN instance for online update request packets.
```
update host source interface-type interface-number
```
- Specify the source IP address of online update request packets.
```
update host source ip ip-address [ vpn-instance vpn-instance ]
```
If the administrator does not specify the source IP address of online update request packets, the system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the FW can receive the reply packets. Otherwise, the online update may fail.
When the FW connects to the Internet through a VPN instance, these commands are mandatory. If the commands are not configured, the update will fail.
- When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance name.
- When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.
Configure the scheduled or immediate update function.

After the scheduled or immediate update is started, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online { ips-sdb | cnc } command to download the latest signature database.
- Scheduled update
  1. Enable the scheduled update function.
```
update schedule { ips-sdb | cnc } enable
```
  2. Set scheduled update time.
```
update schedule { ips-sdb | cnc } { hourly minute | { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time }
```
    You are advised to update the IPS signature database every week and the malicious domain name database every day. The update time can be adjusted based on network conditions.
- Immediate update
  
  Download the latest signature database.
```
update online { ips-sdb | cnc }
```

Local Update

The update package has been uploaded to the memory of the FW using SFTP, FTP or TFTP.

Download the update package.
Download update packages from the security center (isecurity.huawei.com). For details, refer to Update Center.
Upload the update package from the PC to the memory of the FW.

The upgrade package can be placed in any directory of the FW storage. However, the root directory is recommended.

The signature database files are in .zip format. You can upload them directly to the FW without decompressing them.
Access the system view.
```
system-view
```

Enable the local update function.

update local { ips-sdb | cnc } file filename

Version Rollback

When the current signature database is faulty (for example, false positive occurs or system performance is degraded), you can roll back the current signature database to the previous version through version rollbacks.

You can roll back to only one version. If you perform version rollbacks repeatedly, the version rollback is implemented between the current version and the rollback version.

Access the system view.
```
system-view
```
Roll back the signature database to an earlier version.
```
update rollback { ips-sdb | cnc }
```