Updating the Service Awareness Signature Database

Updating the service awareness signature database promptly improves the device's application identification capability.

Preparation

Before updating the service awareness signature database, complete the following checks:

  • Checking the Free Space of the CF Card and Memory

    Before updating the service awareness signature database, check whether the free space in the device CF card and memory is sufficient. The following table lists the CF card and memory space required for updating the service awareness signature database.

    Signature Database: Service awareness signature database (SA-SDB)

    CF Card Space: 10 MB or higher

    Memory Space:

    • USG6510E/6510E-POE: 45 MB or higher
    • USG6530E: 140 MB or higher
    • USG6515E: 440 MB or higher
    • USG6525E: 440 MB or higher
    • USG6550E/6560E/6580E: 480 MB or higher
    • USG6555E/6565E/6575E-B/6585E/6605E-B: 480 MB or higher
    • USG6615E/6625E: 500 MB or higher
    • USG6610E/6620E: 500 MB or higher
    • USG6635E/6655E: 520 MB or higher
    • USG6630E: 700 MB or higher
    • USG6650E: 700 MB or higher
    • USG6680E: 700 MB or higher
    • USG6712E/6716E: 900 MB or higher

    Perform the following operation:

    1. Select Dashboard.

    2. In Device Information, check the available space of the CF card and memory.

  • Checking the Signature Database Version

    Check the service awareness signature database version to determine whether the service awareness signature database needs to be updated.

    Details are as follows:

    1. Choose System > Update Center.

    2. In Signature Database Update, view Current Version of the service awareness signature database to be updated and determine whether it requires an update.

Context

The service awareness signature database can be updated in either of the following modes:

  • Online update

    If the FW can communicate with the update center directly over the Internet or through a proxy server, you can update the service awareness signature database in online mode.

    Online update can be performed in two ways:

    • Scheduled update

      The FW accesses the update center on a scheduled basis to search for the latest service awareness signature databases. If new versions are found, the FW downloads them and updates the local service awareness signature databases at the scheduled time.

    • Immediate update

      After the service awareness signature database in the update center is updated, you can immediately update the local database instead of waiting for the scheduled update.

      The download address and process for immediate update are the same as those for scheduled update. The two update modes differ in that immediate update can be performed at any time, whereas scheduled update is performed only at the specified time.

  • Local update

    When the FW is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update service awareness signature databases locally.

For details on signature database update scenarios, see Update Center.

Online Update

If the FW can directly access the update center, you must configure a security policy on the FW to permit HTTP and FTP packets. If the FW accesses the update center through a proxy server, you must configure a security policy on the FW to permit HTTP packets.

  1. Choose System > Update Center.
  2. Click Server IP Address.
  3. In the Configure Update Server dialog box that is displayed, set the IP address of the update server.

    Parameter: Description

    • Server IP Address: Enter the IP address of the server that the FW accesses for the scheduled update. By default, domain name sec.huawei.com is used.

    • Port: Enter the port of the server. The default value is 443.

    • Source IP Address: Specify the mode for obtaining the source IP address of update request packets.

      • Automatically obtained: The system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

      • Specified interface: The IP address and VPN instance of the interface are used as the source IP address and VPN instance of online update request packets.

        If the FW connects to the Internet through VPN, the interface must be bound to a corresponding instance. Otherwise, the update fails.

        The specified interface is not necessarily the outgoing interface of update request packets. To send update request packets, the system checks the route information to determine the outgoing interface.

      • Specified source IP address: Manually enter the source IP address of online update request packets and ensure that the FW can receive the reply packets.

        If the FW connects to the Internet through a VPN instance, you must run the update host source ip ip-address vpn-instance vpn-instance command on the CLI Console after you specify the source IP address. The configuration view is the system view. ip-address is the value specified in Specified source IP address, and vpn-instance is the name of the corresponding VPN instance.

      Instructions on the parameter are as follows:

      • Do not specify an interface that is bound to a virtual system. Otherwise, the update will fail.

      • If the interface has multiple IP addresses, you are advised to use Specified source IP address. Otherwise, the online update may fail.

      NOTE:

      This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, specify the outgoing interface if you need to use the URL remote query function.

    • Connect to the upgrade center through a proxy server: If the FW cannot access the update center directly, select this item and configure a proxy server for the update.

    • Address: If the FW cannot communicate with the update center over the Internet, configure a proxy server to connect to the update center and download signature databases for the FW. The proxy server address can be an IP address or domain name.

    • Port: Enter the port of the proxy server.

    • User Name and Password: Enter the user name and password for logging in to the proxy server.

  4. Click OK.
  5. Select Scheduled Update or Immediate Update.

    During the online update, if normal services of the FW are interrupted, you can abort the update process. Wait for the network environment to improve before retrying the update.

    • Scheduled update

      1. Select Scheduled Update for the service awareness signature database to be updated.
      2. Click Scheduled Update time and set the time for the scheduled update.

        Parameter: Description

        • Scheduled Update Time: Set the update interval and time point. You need to set the time for scheduled update based on your network settings, but ensure that the update does not take up the network resources of normal services.

          You are advised to update the service awareness signature database every week. The update time can be adjusted based on network conditions.

        • Action: Select the action after the signature database is downloaded:

          • Download Only: The FW regularly downloads the signature database to the specified path but does not install the downloaded signature database.
          • Download and Install: The FW regularly downloads and automatically installs the signature database. By default, the system downloads and installs the signature database.
      3. Click OK.
    • Immediate update

      1. Click Update Immediately for the service awareness signature database.
      2. Click OK.
  6. Verify the update result.
    • Scheduled update

      If you select Download and Install, after the update is complete, you can view that Status is The online upgrade succeeded. Current Version is the target version, and Previous Version is the source version.

      If you select Download Only, when Status is displayed as Download succeeded, you need to click Install Now. The status The loading succeeded indicates that the update has succeeded.

      If Status is displayed as Retrying the update. Please wait..., the database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.

      • If you click Reinstall, installation starts immediately.

      • If you click Terminate Update, the re-installation is aborted. If Status is displayed as System memory resources are insufficient. Please try again later., wait for a period before clicking Reinstall.

    • Immediate update

      After the update is complete, you can view that Status is The online upgrade succeeded. Current Version is the target version, and Previous Version is the source version.

      If Status is displayed as System memory resources are insufficient. Please try again later., the database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.

      • If you click Reinstall, installation starts immediately.

      • If you click Update Immediately, the system deletes the downloaded signature database file and starts update again.

Local Update

You must obtain the update package before the local update.

  1. Download the update package.

    Download update packages from the security center (isecurity.huawei.com). For details, refer to Update Center.

  2. Choose System > Update Center.
  3. Click Update Locally for the specified signature database.
  4. Click Browse... and select the desired update package.
  5. Click Update.

    The signature database files are in ZIP format. You can upload them directly to the FW without decompressing them.

  6. After the update is complete, Status is The local upgrade succeeded. Current Version is the target version, and Previous Version is the source version.

Version Rollback

If an exception occurs after a signature database is updated, you can roll back the signature database to the source version.

You can roll back to only one version. If you perform version rollbacks repeatedly, the signature database switches back and forth between the current version and the rollback version.

  1. Choose System > Update Center.
  2. Click Roll Back for the specified signature database.
  3. Click OK.
  4. After the rollback is complete, Status is The version rollback succeeded. Current Version is the target version, and Previous Version is the source version.
Copyright © Huawei Technologies Co., Ltd.