
Immediate Update

You can update signature databases at any time.

Networking Requirements

The FW is deployed at the border of the internal network as the security gateway. The FW can communicate with sec.huawei.com through the Internet. Through immediate update, the FW can automatically download the signature databases and update the local signature databases. For scheduled and immediate updates, signature database download addresses (IP address of the server configured on the FW or the IP address of the proxy server) and update procedures are the same. The two update modes differ in that immediate update can be performed at any time whereas scheduled update must be implemented at the specified time.

Figure 1 Networking diagram for immediate update

Procedure

  1. Purchase the license for the signature database update service and activate it on the device. For details, see License Management.

    The antivirus signature database, IPS signature database, and malicious domain name signature database are license-controlled. Without the license, the update will fail.

  2. Check whether the free space of the memory and CF card meets the update requirements. For details about the CF card space and memory space required by each signature database, see Preparation.
  3. Set the IP address and security zone of the interface.
    1. Choose Network > Interface.
    2. Click GE0/0/1 and set the parameters as follows:

      Zone: untrust

      IPv4
        IP Address: 1.1.1.1/24

    3. Click OK.
  4. Configure the update center address.
    1. Choose System > Update Center.

    2. Click Server IP Address.
    3. In the Configure Update Server dialog box that is displayed, set the IP address of the update server. This example uses the default configuration. To adjust parameter settings, see the following table.

      Parameter: Description

      Server IP Address: Enter the IP address of the server that the FW accesses for the scheduled update. By default, domain name sec.huawei.com is used.

      Port: Enter the port of the server. The default value is 443.

      Source IP Address: Specify the mode for obtaining the source IP address of update request packets.

      • Automatically obtained: The system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

      • Specified interface: The IP address and VPN instance of the interface are used as the source IP address and VPN instance of online update request packets.

        If the FW connects to the Internet through VPN, the interface must be bound to a corresponding instance. Otherwise, the update fails.

        The specified interface is not necessarily the outgoing interface of update request packets. To send update request packets, the system checks the route information to determine the outgoing interface.

      • Specified source IP address: Manually enter the source IP address of online update request packets and ensure that the FW can receive the reply packets.

        If the FW connects to the Internet through a VPN instance, you must run the update host source ip ip-address vpn-instance vpn-instance command on the CLI Console after you specify the source IP address. The configuration view is the system view. ip-address is the value specified in Specified source IP address, and vpn-instance is the name of the corresponding VPN instance.

      Instructions on the parameter are as follows:
      • Do not specify an interface that is bound to a virtual system. Otherwise, the update will fail.

      • If the interface has multiple IP addresses, you are advised to use Specified source IP address. Otherwise, the online update may fail.

      NOTE:

      This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, specify the outgoing interface if you need to use the URL remote query function.

      Connect to the upgrade center through a proxy server: If the FW cannot access the update center directly, select this item and configure a proxy server for the update.

      Address: If the FW cannot communicate with the update center over the Internet, configure a proxy server to connect to the update center and download signature databases for the FW. The proxy server address can be an IP address or domain name.

      Port: Enter the port of the proxy server.

      User Name, Password: Enter the user name and password for logging in to the proxy server.

  5. Configure the DNS server and ensure that the FW can correctly resolve domain name sec.huawei.com.
    1. Choose Network > DNS > DNS.
    2. In DNS Server List, click Add.
    3. Configure the DNS server as follows:

      DNS server address: 2.2.2.2

    4. Click OK.

    When the FW connects to the Internet through a VPN instance, you must run the dns server vpn-instance vpn-instance-name command on the CLI Console to bind the VPN instance to the DNS server.

  6. Configure a security policy to allow the FW to access sec.huawei.com and the DNS server.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy.
    3. Configure a security policy to allow the FW to access sec.huawei.com.

      Name: policy_sec_huawei_com

      Source Zone: local

      Destination Zone: untrust

      Service: HTTPS

      NOTE:
      HTTPS is used by default for the update. You can run the update online-mode command to change the update mode to HTTP. However, HTTPS is more secure than HTTP, so HTTPS is recommended. To use the HTTP update mode, strictly specify the matching conditions of the security policy as follows:
      • HTTP

      • FTP

      • TCP: src-port: 0-65535; dst-port: 32119
      • TCP: src-port: 0-65535; dst-port: 10001-15000

      Update through a proxy server uses only HTTP. If the FW accesses the update center through a proxy server, set this parameter to HTTP.

      Action: Permit

    4. Configure a security policy to allow the FW to access the DNS server.

      Name: policy_dns_server

      Source Zone: local

      Destination Address: 2.2.2.2/32

      Service: DNS

      Action: Permit

  7. Configure immediate update.

    Click Update Immediately for the specified signature database.

    During immediate update, if normal services of the FW are interrupted, you can abort the update process. Wait for the network environment to improve before retrying the update.
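
The following is an added example, not Huawei code: it audits a set of local-zone permit rules against the services that step 6 lists for each update mode, and reports what is missing and what is permitted without being needed. The rule dictionaries and the `audit` function are hypothetical and model the web UI fields, not a device export; rules with no destination address are assumed to reach the update server.

```python
# Added example: audit local-zone permit rules against step 6 of the procedure.
# The rule model (dicts below) is an assumption, not the FW's configuration format.

# Services each update mode needs, as listed in step 6.
REQUIRED = {
    "https": {"HTTPS"},
    "http": {"HTTP", "FTP", "TCP/32119", "TCP/10001-15000"},
    "proxy": {"HTTP"},  # update through a proxy server uses only HTTP
}

def audit(rules, mode, dns_server="2.2.2.2/32"):
    """Return (missing, unneeded) for one update mode.
    missing:  services the update needs that no local-zone rule permits
    unneeded: {rule name: services} permitted from local but not required
    """
    permits = [r for r in rules
               if r["action"] == "permit" and r["src_zone"] == "local"]
    # Rules without a destination address can reach the update server.
    to_server = set()
    for r in permits:
        if r.get("dst_zone") in ("untrust", None) and r.get("dst_addr") is None:
            to_server |= r["services"]
    needed = REQUIRED[mode]
    missing = [] if "any" in to_server else sorted(needed - to_server)
    dns_ok = any(r["services"] & {"DNS", "any"}
                 and r.get("dst_addr") in (dns_server, None) for r in permits)
    if not dns_ok:
        missing.append("DNS to " + dns_server)
    unneeded = {}
    for r in permits:
        extra = r["services"] - needed - {"DNS"}
        if extra:
            unneeded[r["name"]] = sorted(extra)
    return missing, unneeded

# Constructed sample: the two rules from the procedure, plus one broad rule.
PAGE_RULES = [
    {"name": "policy_sec_huawei_com", "src_zone": "local", "dst_zone": "untrust",
     "services": {"HTTPS"}, "action": "permit"},
    {"name": "policy_dns_server", "src_zone": "local", "dst_addr": "2.2.2.2/32",
     "services": {"DNS"}, "action": "permit"},
]
BROAD_RULE = {"name": "local_any", "src_zone": "local", "dst_zone": "untrust",
              "services": {"any"}, "action": "permit"}

if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, audit(PAGE_RULES, mode))
```

The two rules from the procedure pass cleanly in HTTPS mode; after a switch to HTTP or proxy mode the same rule set reports the missing services, and a catch-all rule is reported as unneeded rather than silently satisfying the check.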

Follow-up Procedure

After the update is completed, check whether the update succeeded in the Status column.
  • After the update is complete, Status is displayed as "The online upgrade succeeded." Current Version is the target version, and Previous Version is the source version.
  • If Status is displayed as "System memory resources are insufficient. Please try again later.", the database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.
    • If you click Reinstall, installation starts immediately.

    • If you click Update Immediately, the system deletes the downloaded signature database file and starts update again.

  • When Status displays an update failure, click Server Connectivity Test to locate the cause for the update failure.

    After you click Server Connectivity Test, the system automatically checks the connectivity between the FW and security center. A window is displayed on the web UI to show the detection procedure and provide the cause and handling suggestion in case of a connection failure.

    For example, when you obtain the upgrade server information, the system displays "Failed to obtain information" and provides handling suggestions, as shown in the following figure. In this case, you can modify the configuration according to the handling suggestions, and then click Recheck to verify the connection.

Copyright © Huawei Technologies Co., Ltd.