
Updating the Service Awareness Signature Database

Timely update of the service awareness signature database helps enhance the device's application identification capability.

Preparation

Before updating the service awareness signature database, complete the following checks:

  • Checking the Free Space of the CF Card and Memory

    Before updating the service awareness signature database, check whether the free space of the CF card and memory is sufficient. The following table lists the CF card and memory space required for updating the service awareness signature database.

    Signature database: Service awareness signature database (SA-SDB)

    CF card space required: 10 MB or higher

    Memory space required, by model:

    • USG6510E/6510E-POE: 45 MB or higher
    • USG6530E: 140 MB or higher
    • USG6515E: 440 MB or higher
    • USG6525E: 440 MB or higher
    • USG6550E/6560E/6580E: 480 MB or higher
    • USG6555E/6565E/6575E-B/6585E/6605E-B: 480 MB or higher
    • USG6615E/6625E: 500 MB or higher
    • USG6610E/6620E: 500 MB or higher
    • USG6635E/6655E: 520 MB or higher
    • USG6630E: 700 MB or higher
    • USG6650E: 700 MB or higher
    • USG6680E: 700 MB or higher
    • USG6712E/6716E: 900 MB or higher

    To check the free space of the root directory, perform the following operations:

    1. In the user view, run the dir command to check the free space of the CF card on the MPU.

      The example command output of the FW is as follows:

      <sysname> dir
      Directory of hda1:/                                                             
                                                                                      
        Idx  Attr     Size(Byte)  Date        Time       FileName                     
          0  -rw-            754  Feb 06 2015 15:35:33   private-data.txt             
          1  -rw-          5,805  Feb 06 2015 15:35:51   cfgfile.zip                  
          2  drw-              -  Feb 06 2015 09:07:58   default-sdb                  
          3  drw-              -  Jul 08 2014 17:02:48   conf                         
                                     ........                                         
         48  -rw-             36  Jan 30 2015 10:28:44   $_patchstate_reboot          
         49  -rw-          1,063  Feb 06 2015 09:13:26   nlog.log                     
         50  -rw-    173,569,921  Feb 04 2015 20:31:10   sup_c30.bin                  
                                                                                      
      1,200,576 KB total (379,168 KB free)                              
    2. In the user view, run the delete command to delete unwanted files from the CF card if the free space is insufficient.

      Files deleted by running the delete command with the /unreserved parameter cannot be restored.

  • Checking the Current Update Status

    Signature databases cannot be updated simultaneously. You can update a signature database only after the current update status is idle.

    To check the current update status, perform the following operation:

    1. Run the display update status command to check the update status of the signature database.

      <sysname> display update status
        Current Update Status: Idle.
      

      If Current Update Status is Idle, you can update the desired signature database. Otherwise, repeat the display update status command until Current Update Status changes to Idle, and then update the desired signature database.

  • Checking the Signature Database Version

    Check the signature database version to determine whether the signature database needs to be updated.

    To check the signature database version, perform the following operation:

    1. Run the display version sa-sdb command to check the signature database version.

      <sysname> display version sa-sdb                                           
      SA SDB Update Information List:                                                 
      ----------------------------------------------------------------                
        Current Version:                                                              
          Signature Database Version    : 2016033101                                  
          Signature Database Size(byte) : 1735779                                     
          Update Time                   : 16:12:26 2016/05/14                         
          Issue Time of the Update File : 15:55:31 2016/03/31                         
                                                                                      
        Backup Version:                                                               
          Signature Database Version    :                                             
          Signature Database Size(byte) : 0                                           
          Update Time                   : 00:00:00 0000/00/00                         
          Issue Time of the Update File : 00:00:00 0000/00/00                         
      ---------------------------------------------------------------- 
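
The three preparation checks above can be run as one pre-flight over captured CLI output. The following Python is an added example, not Huawei tooling or code from this page; the sample strings are constructed from the command output shown above, and the function names are hypothetical. It assumes that the weekly update recommendation given later on this page is the overdue threshold and that an empty Backup Version means no rollback target exists; it does not check memory space.

```python
import re
from datetime import datetime

# Constructed sample input, trimmed from the command output shown on this page.
DIR_OUT = "Directory of hda1:/\n\n1,200,576 KB total (379,168 KB free)\n"
STATUS_OUT = "  Current Update Status: Idle.\n"
VERSION_OUT = """  Current Version:
    Signature Database Version    : 2016033101
    Update Time                   : 16:12:26 2016/05/14
  Backup Version:
    Signature Database Version    :
    Update Time                   : 00:00:00 0000/00/00
"""
REQUIRED_CF_KB = 10 * 1024  # "10 MB or higher" for the SA-SDB, per this page

def free_cf_kb(dir_out):
    # The last line of `dir` reads "<total> KB total (<free> KB free)".
    m = re.search(r"\(([\d,]+) KB free\)", dir_out)
    if not m:
        raise ValueError("no free-space summary in dir output")
    return int(m.group(1).replace(",", ""))

def update_status(status_out):
    # Returns the status word without the trailing period, or None if absent.
    m = re.search(r"Current Update Status:\s*(.+?)\.?\s*$", status_out, re.M)
    return m.group(1) if m else None

def sdb_versions(version_out):
    """Map 'Current'/'Backup' to (version or None, update time or None)."""
    out = {}
    pattern = r"(Current|Backup) Version:(.*?)(?=Backup Version:|\Z)"
    for name, body in re.findall(pattern, version_out, re.S):
        ver = re.search(r"Database Version\s*:[ \t]*(\d*)", body).group(1)
        ts = re.search(r"Update Time\s*:\s*(\S+ \S+)", body).group(1)
        zero = ts.endswith("0000/00/00")  # placeholder printed for an empty slot
        when = None if zero else datetime.strptime(ts, "%H:%M:%S %Y/%m/%d")
        out[name] = (ver or None, when)
    return out

def preflight(dir_out, status_out, version_out, now, max_age_days=7):
    versions, problems = sdb_versions(version_out), []
    if free_cf_kb(dir_out) < REQUIRED_CF_KB:
        problems.append("CF card free space below 10 MB")
    if update_status(status_out) != "Idle":
        problems.append("update status is not Idle")
    updated = versions["Current"][1]
    return {"ok_to_update": not problems, "problems": problems,
            # Assumption: weekly threshold follows the page's recommendation.
            "overdue": updated is None or (now - updated).days > max_age_days,
            # Assumption: an empty Backup Version means no rollback target.
            "rollback_target": versions["Backup"][0]}
```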

Context

The service awareness signature database can be updated in either of the following modes:

  • Online update

    If the FW can communicate with the update center directly over the Internet or through a proxy server, you can update the service awareness signature database in online mode.

    Online update can be performed in two ways:

    • Scheduled update

      The FW accesses the update center on a scheduled basis to search for the latest service awareness signature databases. If new versions are found, the FW downloads them and updates the local service awareness signature databases at the scheduled time.

    • Immediate update

      After the online service awareness signature database is updated, you can immediately update the local database instead of waiting for the scheduled update.

      The download address and process for immediate update are the same as those for scheduled update. The two update modes differ in that immediate update can be performed at any time, whereas scheduled update is performed at the specified time.

  • Local update

    When the FW is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update service awareness signature databases locally.

For details on signature database update scenarios, see Update Center.

Online Update

If the FW can directly access the update center, you must configure a security policy on the FW to permit HTTP and FTP packets. If the FW accesses the update center through a proxy server, you must configure a security policy on the FW to permit HTTP packets.

  1. Configure an update center.
    1. Access the system view.

      system-view

    2. Configure the update center.

      update server { domain domain-name | ip ip-address } [ port port-number ]

      The default domain name is sec.huawei.com.

      Configure the DNS server to resolve the domain name of the update center. For details, see step 3.

    3. Configure the CA certificate used by the device to communicate with the Huawei security center through HTTPS.

      update server ca-certificate certificate-file-name

      By default, the signature database update service uses the CA certificate (default_ca.cer) preset on the device to communicate with the Huawei security center.

  2. Optional: Configure a proxy server.

    Perform this step when the FW needs to access the update center using a proxy server.

    1. Enable the signature database proxy update.

      update proxy enable

    2. Set the domain name (or IP address), user name, and password of the proxy server.

      update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]

      If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name. For details on how to configure the DNS server, see step 3.

  3. Optional: Configure a DNS server.
    1. Configure the DNS server to resolve domain names.

      dns resolve

    2. Specify the IP address of the DNS server.

      dns server ip-address

  4. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address and VPN instance as the source IP address and VPN instance for online update request packets.

      update host source interface-type interface-number
    • Specify the source IP address of online update request packets.

      update host source ip ip-address [ vpn-instance vpn-instance ]

    If the administrator does not specify the source IP address of online update request packets, the system looks up a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the FW can receive the reply packets. Otherwise, the online update may fail.

    When the FW connects to the Internet through a VPN instance, these commands are mandatory. If the commands are not configured, the update will fail.
    • When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance name.

    • When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.

  5. Configure the scheduled or immediate update function.

    After the scheduled or immediate update is started, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online sa-sdb command to download the latest signature database.

    • Scheduled update

      1. Enable the scheduled update function for the signature database.

        update schedule sa-sdb enable
      2. Set the scheduled update time for the signature database.

        update schedule sa-sdb { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time

        It is recommended that the signature database be updated once every week. You can adjust the time as required.

    • Immediate update

      Download the latest signature database.

      update online sa-sdb

Local Update

The update package has been uploaded to the memory of the FW using SFTP, FTP or TFTP.

  1. Download the update package.

    Download update packages from the security center (isecurity.huawei.com). For details, refer to Update Center.

  2. Upload the update package from the PC to the memory of the FW.

    The upgrade package can be placed in any directory of the FW storage. However, the root directory is recommended.

    The signature database files are in .zip format. You can upload them directly to the FW without decompressing them.

  3. Access the system view.

    system-view

  4. Enable the local update function.

    update local sa-sdb file filename

Version Rollback

When the current signature database is faulty (for example, false positives occur or system performance is degraded), you can roll back the current signature database to the previous version.

You can roll back to only one version. If you perform version rollbacks repeatedly, the signature database switches between the current version and the rollback version.

  1. Access the system view.

    system-view

  2. Roll back the signature database to an earlier version.

    update rollback sa-sdb

Copyright © Huawei Technologies Co., Ltd.