
Scheduled Update

You can configure scheduled update when the FW can reach the update server directly or through a proxy server. With scheduled update, the FW downloads the signature databases automatically and uses them to update the local ones.

Networking Requirements

The FW is deployed at the border of the internal network as the security gateway. The FW can communicate with sec.huawei.com through the Internet. Through scheduled update, the FW can automatically download the signature databases and update the local signature databases.

Figure 1 Networking diagram for scheduled update

Procedure

  1. Purchase the license for the signature database update service and activate it on the device. For details, see License Management.

    The antivirus signature database, IPS signature database, and malicious domain name signature database are license-controlled. Without the license, the update will fail.

  2. Check whether the free space of the memory and CF card meets the update requirements. For details about the CF card space and memory space required by each signature database, see Preparation.
  3. Set the IP address and security zone of the interface.
    1. Choose Network > Interface.
    2. Click GE0/0/1 and set the parameters as follows:

      Zone: untrust
      IPv4 IP Address: 1.1.1.1/24

    3. Click OK.
  4. Configure the update center address.
    1. Choose System > Update Center.

    2. Click Server IP Address.
    3. In the Configure Update Server dialog box that is displayed, set the IP address of the update server. This example uses the default configuration. To adjust parameter settings, see the following table.

      Server IP Address: Enter the IP address of the server that the FW accesses for the scheduled update. By default, domain name sec.huawei.com is used.

      Port: Enter the port of the server. The default value is 443.

      Source IP Address: Specify how the source IP address of update request packets is obtained.

      • Automatically obtained: The system looks up a route to the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

      • Specified interface: The IP address and VPN instance of the interface are used as the source IP address and VPN instance of online update request packets.

        If the FW connects to the Internet through a VPN instance, the interface must be bound to that instance. Otherwise, the update fails.

        The specified interface is not necessarily the outgoing interface of update request packets. To send update request packets, the system checks the routing information to determine the outgoing interface.

      • Specified source IP address: Manually enter the source IP address of online update request packets and ensure that the FW can receive the reply packets.

        If the FW connects to the Internet through a VPN instance, you must run the update host source ip ip-address vpn-instance vpn-instance command in the system view on the CLI console after you specify the source IP address. ip-address is the value specified in Specified source IP address, and vpn-instance is the name of the corresponding VPN instance.

      Notes on this parameter:
      • Do not specify an interface that is bound to a virtual system. Otherwise, the update will fail.
      • If the interface has multiple IP addresses, you are advised to use Specified source IP address. Otherwise, the online update may fail.

      NOTE:
      This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, specify the outgoing interface if you need to use the URL remote query function.

      Connect to the upgrade center through a proxy server: If the FW cannot access the update center directly, select this item and configure a proxy server for the update.

      Address: If the FW cannot communicate with the update center over the Internet, configure a proxy server that connects to the update center and downloads signature databases for the FW. The proxy server address can be an IP address or domain name.

      Port: Enter the port of the proxy server.

      User Name, Password: Enter the user name and password for logging in to the proxy server.


  5. Configure the DNS server and ensure that the FW can correctly resolve domain name sec.huawei.com.
    1. Choose Network > DNS > DNS.
    2. In DNS Server List, click Add.
    3. Configure the DNS server as follows:

      DNS server address: 2.2.2.2

    4. Click OK.

    When the FW connects to the Internet through a VPN instance, you must run the dns server vpn-instance vpn-instance-name command on the CLI Console to bind the VPN instance to the DNS server.

  6. Configure a security policy to allow the FW to access sec.huawei.com and DNS server.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy.
    3. Configure a security policy to allow the FW to access sec.huawei.com.

      Name: policy_sec_huawei_com
      Source Zone: local
      Destination Zone: untrust
      Service: HTTPS

      NOTE:
      HTTPS is used by default for the update. You can run the update online-mode command to change the update mode to HTTP. However, HTTPS is more secure than HTTP, so HTTPS is recommended. To use the HTTP update mode, strictly specify the matching conditions of the security policy as follows:
      • HTTP
      • FTP
      • TCP: src-port: 0-65535; dst-port: 32119
      • TCP: src-port: 0-65535; dst-port: 10001-15000

      Update through a proxy server uses HTTP only. If the FW accesses the update center through a proxy server, set this parameter to HTTP.

      Action: Permit

    4. Configure a security policy to allow the FW to access the DNS server.

      Name: policy_dns_server
      Source Zone: local
      Destination Address: 2.2.2.2/32
      Service: DNS
      Action: Permit
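One way to check that the local-to-untrust policy's service list matches what the note above requires, as an added example that is not part of Huawei's documentation or the FW's own code. It assumes the predefined services map to their standard ports (HTTPS 443, HTTP 80, FTP 21) and, as the page states, that update through a proxy uses the HTTP service; the TCP port ranges for HTTP mode are the ones listed in the note.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A TCP/UDP service as matched by a security policy: protocol plus port ranges."""
    proto: str
    dst_lo: int
    dst_hi: int
    src_lo: int = 0
    src_hi: int = 65535

    def covers(self, other: "Service") -> bool:
        """True if every packet matching `other` also matches self."""
        return (self.proto == other.proto
                and self.dst_lo <= other.dst_lo and other.dst_hi <= self.dst_hi
                and self.src_lo <= other.src_lo and other.src_hi <= self.src_hi)


# Predefined services expressed as port ranges (standard ports assumed for HTTPS/HTTP/FTP)
HTTPS = Service("tcp", 443, 443)
HTTP = Service("tcp", 80, 80)
FTP = Service("tcp", 21, 21)
UPDATE_CTRL = Service("tcp", 32119, 32119)  # TCP dst-port 32119 from the page's note
UPDATE_DATA = Service("tcp", 10001, 15000)  # TCP dst-port 10001-15000 from the page's note
ANY_TCP = Service("tcp", 0, 65535)          # the over-broad entry a rushed admin might use


def required_services(mode: str, via_proxy: bool = False) -> frozenset:
    """Minimum services the local -> untrust policy must permit for this update mode."""
    if via_proxy:
        return frozenset({HTTP})   # update through a proxy server uses HTTP only
    if mode == "https":
        return frozenset({HTTPS})  # default mode
    if mode == "http":             # after `update online-mode` is switched to HTTP
        return frozenset({HTTP, FTP, UPDATE_CTRL, UPDATE_DATA})
    raise ValueError(f"unknown update mode: {mode}")


def check_policy(permitted, mode: str, via_proxy: bool = False) -> dict:
    """Report required services the policy misses, entries wider than any required
    service, and entries that permit nothing the update needs."""
    need = required_services(mode, via_proxy)
    missing = {s for s in need if not any(p.covers(s) for p in permitted)}
    overbroad = [p for p in permitted if p not in need and any(p.covers(s) for s in need)]
    unneeded = [p for p in permitted if not any(p.covers(s) for s in need)]
    return {"missing": missing, "overbroad": overbroad, "unneeded": unneeded}


if __name__ == "__main__":
    print(check_policy([ANY_TCP], "http"))  # nothing missing, but one over-broad entry
    print(check_policy([HTTPS], "http"))    # policy not widened after switching to HTTP mode
```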

  7. Configure scheduled update.

    Select Scheduled Update on the line of the signature database to be updated to enable scheduled update.

    During scheduled update, if normal services of the FW are interrupted, you can abort the update process. Wait for the network environment to improve before retrying the update.

    By default, scheduled update for the signature database is enabled.

  8. Set the time for scheduled update.

    Click Scheduled Update time on the line of the signature database to be updated to set the time for scheduled update.

    Scheduled Update Time: Set the update interval and time point. Set the time for scheduled update based on your network settings, and ensure that the update does not take up the network resources of normal services.

    The following list gives the recommended update frequency for each signature database. You can adjust them according to your network settings.

    • Intrusion Prevention Signature Database: once a week
    • Antivirus Signature Database: once a day
    • Service Awareness Signature Database: once a week
    • IP Reputation Signature Database: once a day
    • Malicious Domain Name Signature Database: once a day
    • File Reputation Database: once a day
    • Region identification signature database: once a week

    Action: Select the action after the signature database is downloaded:

    • Download Only: The FW regularly downloads the signature database to the specified path but does not install the downloaded signature database.
    • Download and Install: The FW regularly downloads and automatically installs the signature database. By default, the system downloads and installs the signature database.

    Hotspot Update: Enable the file reputation hotspot database update function.

    The function needs to be configured only when an update interval needs to be set for the file reputation signature database. After the function is enabled, the file reputation information in the cloud can be obtained quickly to block the latest threat files.

Follow-up Procedure

After the update is completed, check whether the update succeeds in the Status column.
  • If you select Download and Install, after the update is complete, Status shows The online upgrade succeeded, Current Version shows the target version, and Previous Version shows the source version.

  • If you select Download Only, when Status is displayed as Download succeeded, you need to click Install Now. Successfully loaded indicates that the update succeeds.

  • If Status is displayed as Retrying the update. Please wait..., the database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.
    • If you click Reinstall, installation starts immediately.

    • If you click Terminate Update, the re-installation is aborted. If Status is displayed as System memory resources are insufficient. Please try again later., wait for a period before clicking Reinstall.

  • When Status displays an update failure, click Server Connectivity Test to locate the cause of the update failure.

    After you click Server Connectivity Test, the system automatically checks the connectivity between the FW and security center. A window is displayed on the web UI to show the detection procedure and provide the cause and handling suggestion in case of a connection failure.

    For example, if the check fails while obtaining the upgrade server information, the system displays "Failed to obtain information" and provides handling suggestions, as shown in the following figure. In this case, modify the configuration according to the handling suggestions, and then click Recheck to verify the connection.

Copyright © Huawei Technologies Co., Ltd.