Scheduled Update

After scheduled update is configured, the FW automatically downloads signature databases as scheduled.

Prerequisites

A license is available for updating the signature database, and the license is activated on the FW.
The FW can access the update server directly or through the proxy server.
When the device can directly access the update center, configure security policies as follows:
- Set the source security zone to Local.
- If the online update mode is set to HTTP: Permit HTTP and FTP (FTP includes port 21 and port 32119) traffic. HTTP is used by the FW to interact with the update center, and FTP is used to connect to FTP control channels for downloading signature database files.
- If the online update mode is set to HTTP: Permit user-defined service traffic, with the protocol being TCP and destination port ranging from 10001 to 15000 (for connecting to FTP data channels).
- If the online update mode is set to HTTPS, permit HTTPS traffic.
When the device accesses the update center through the proxy server, configure security policies as follows:
- Set the source security zone to Local.
- Permit HTTP so that the FW can interact with the proxy server.

Procedure

Configure an update center.
1. Access the system view.
  system-view
2. Configure the update center.
  update server { domain domain-name | ip ip-address } [ port port-number ]
  
  The default domain name is sec.huawei.com.
  
  Configure the DNS server to resolve the domain name of the update center. For details, see step 5.
  
  By default, the HTTP port number is 80 and the HTTPS port number is 443.
3. Configure the CA certificate used by the device to communicate with the Huawei security center through HTTPS.
  update server ca-certificate certificate-file-name
  
  By default, the signature database update service uses the CA certificate (default_ca.cer) preset on the device to communicate with the Huawei security center.
4. Configure the CA certificate used by the device to communicate with the Huawei security center through HTTPS.
  update server ca-certificate certificate-file-name
  
  By default, the signature database update service uses the CA certificate (default_ca.cer) preset on the device to communicate with the Huawei security center.
Optional: Run the update download-server aging-time age-time command to set the aging time of the download server.
By default, the aging time of the download server is 7 days.

If the download server is normal and has not been expired, you do not need to re-obtain the IP address of the download server. You need to re-obtain the IP address of the download server when the server has expired or is abnormal. You can use this command to adjust the aging time of the download server.

The aging time of the download server applies to only HTTPS upgrade and not to HTTP upgrade.

In V600R007C20SPC602 and later versions, the device in cloud authorization mode does not support this command.
Optional: Run the update online-mode { http | https } command to set the mode of online update.
By default, the online update mode is HTTPS, and the device uses HTTPS to send update requests and download signature databases.

Update in HTTP mode is risky, and update in HTTPS mode is recommended. To perform update in HTTP mode, you must strictly restrict security policy matching conditions.
Optional: Configure a proxy server.
Perform this step when the FW needs to access the update center using a proxy server.
1. Enable the signature database proxy update.
  update proxy enable
2. Set the domain name (or IP address), user name, and password of the proxy server.
  update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]
  
  If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name. For details on how to configure the DNS server, see 5.
Optional: Configure a DNS server.
1. Configure the DNS server to resolve domain names.
  dns resolve
2. Specify the IP address of the DNS server.
  dns server ip-address
When the device connects to the Internet through a VPN instance, you must run the dns server vpn-instance vpn-instance-name command to bind the VPN instance to the DNS server.
Optional: Specify the source IP address for online update request packets.
- Specify an interface IP address and VPN instance as the source IP address and VPN instance for online update request packets.
  
  update host source interface-type interface-number
- Specify the source IP address of online update request packets.
  
  update host source ip ip-address [ vpn-instance vpn-instance ]
If the administrator does not specify the source IP address for online update request packets, the system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the FW can receive the reply packets. Otherwise, the online update may fail.
When the FW connects to the Internet through a VPN instance, these commands are mandatory. If the commands are not configuredl, the update will fail.
- When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance name.
- When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.
This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, run the update host source interface-type interface-number command to specify the outgoing interface if you need to use the URL remote query function.
Enable the scheduled update function.
update schedule { av-sdb | cnc | file-reputation | ip-reputation | ips-sdb | sa-sdb | location-sdb | hot-file-reputation } enable

By default, scheduled update time for the signature database is enabled.

The licenses for the antivirus signature database, IPS signature database, and malicious domain name database must be available. Otherwise, these databases cannot be upgraded successfully.
Set scheduled update time.
update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]

update schedule { av-sdb | cnc | file-reputation | ip-reputation | ips-sdb } { hourly minute | { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time }

update schedule sa-sdb { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time

update schedule hot-file-reputation minute minutes

update schedule location-sdb weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } time

You need to set the time for scheduled update based on your network settings, but ensure that the update does not take up the network resources of normal services.

The following part gives the recommended time for updating the corresponding signature databases. You can adjust them according to your network settings.
- Intrusion Prevention Signature Database: once a week
- Antivirus Signature Database: once a day
- Service awareness signature database: once a week
- IP Reputation Signature Database: once a day
- Malicious Domain Name Signature Database: once a day
- File Reputation Database: once a day
- Hot File-reputation Database: every five minutes
- Region identification signature database: once a week
During a scheduled update, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online { av-sdb | cnc | file-reputation | ip-reputation | ips-sdb | sa-sdb | location-sdb | hot-file-reputation | hot-url-reputation } command to download the latest signature database.
Optional: Install the downloaded signature database.
update apply { av-sdb | cnc | file-reputation | ip-reputation | ips-sdb | sa-sdb }

You do not need to run this command if the system has been configured to download and install the signature database. To change the signature database update option, see Determining Signature Database Update Options.
Optional: Run the update online aging-time aging-time command to set the online update aging time of the hotspot database.
By default, the online update aging time of the hotspot database is 12 hours. You can use this command to set the online update aging time for both the file reputation hotspot database and URL hotspot database.
Optional: Run the update hrp-standby enable command to configure the function of separately updating the signature database on the standby device.
By default, the function of separately updating the signature database on the standby device is disabled. That is, after the signature database on the active device is updated, the signature database is automatically synchronized to the standby device.

By default, after the signature database on the active device is updated, the signature database is automatically synchronized to the standby device. This improves the efficiency of signature database update and prevents inconsistent content security detection capabilities on the active and standby devices. If the active device cannot synchronize the signature database to the standby device (for example, the heartbeat interface between the active and standby devices is abnormal), you can run this command to separately update the signature database on the standby device.

Follow-up Procedure

Scheduled update may fail due to some reasons. The system will retry update periodically. Therefore, you can set the retry interval.

In the system view, set the retry interval for downloading the signature database for scheduled update. The default value is 3600 seconds.

update schedule retry-download interval interval-value
In the system view, set the retry interval for loading the signature database for scheduled update. The default value is 3600 seconds.

update schedule retry-load interval interval-value