Immediate Update

You can always update signature databases anytime you want.

Prerequisites

  • A license is available for updating the signature database, and the license is activated on the FW.
  • The FW can access the update server directly or through the proxy server.
  • When the device can directly access the update center, configure security policies as follows:

    • Set the source security zone to Local.
    • If the online update mode is set to HTTP: Permit HTTP and FTP (FTP includes port 21 and port 32119) traffic. HTTP is used by the FW to interact with the update center, and FTP is used to connect to FTP control channels for downloading signature database files.
    • If the online update mode is set to HTTP: Permit user-defined service traffic, with the protocol being TCP and destination port ranging from 10001 to 15000 (for connecting to FTP data channels).
    • If the online update mode is set to HTTPS, permit HTTPS traffic.
  • When the device accesses the update center through the proxy server, configure security policies as follows:

    • Set the source security zone to Local.
    • Permit HTTP so that the FW can interact with the proxy server.

Context

For scheduled and immediate updates, signature database download addresses (IP address of the server configured on the FW or the IP address of the proxy server) and update procedures are the same. The two update modes differ in that immediate update can be performed at any time whereas scheduled update must be implemented at the specified time.

Procedure

  1. Optional: Run the update online-mode { http | https } command to set the mode of online update.

    By default, the online update mode is HTTPS, and the device uses HTTPS to send update requests and download signature databases.

    Update in HTTP mode is risky, and update in HTTPS mode is recommended. To perform update in HTTP mode, you must strictly restrict security policy matching conditions.

  2. Optional: Configure an update center or a proxy server. For details, see Scheduled Update.

    If the update center or proxy server has been configured as described in Scheduled Update, skip this step.

  3. Optional: Run the update download-server aging-time age-time command to set the aging time of the download server.

    By default, the aging time of the download server is 7 days.

    If the download server is reachable and its entry has not expired, the FW does not need to re-obtain the server's IP address. It re-obtains the IP address only when the entry has expired or the server becomes abnormal. Use this command to adjust that aging time.

    The aging time of the download server applies to only HTTPS upgrade and not to HTTP upgrade.

    In V600R007C20SPC602 and later versions, the device in cloud authorization mode does not support this command.

  4. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address and VPN instance as the source IP address and VPN instance for online update request packets.

      update host source interface-type interface-number

    • Specify the source IP address of online update request packets.

      update host source ip ip-address [ vpn-instance vpn-instance ]

    If the administrator does not specify the source IP address for online update request packets, the system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the FW can receive the reply packets. Otherwise, the online update may fail.

    When the FW connects to the Internet through a VPN instance, these commands are mandatory. If the commands are not configured, the update will fail.

    • When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance name.

    • When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.

    This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, run the update host source interface-type interface-number command to specify the outgoing interface if you need to use the URL remote query function.

  5. Update the signature database immediately.

    update online { av-sdb | cnc | file-reputation | ip-reputation | ips-sdb | sa-sdb | location-sdb | hot-file-reputation | hot-url-reputation }

    If the immediate update consumes too much bandwidth and interrupts normal services of the FW, you can run the update abort command to abort the signature database update. Wait until the bandwidth is sufficient for the update and normal services and then download the latest signature database.

  6. Optional: Install the downloaded signature database.

    update apply { av-sdb | cnc | file-reputation | ip-reputation | ips-sdb | sa-sdb }

    You do not need to run this command if the system has been configured to download and install the signature database. To set the signature database update option, see Determining Signature Database Update Options.

  7. Optional: Set the aging time of the online update of a hotspot database.

    update online aging-time aging-time

    The default aging time of the online update of a hotspot database is 12 hours. You can use the command in this step to set online update aging time for the file reputation hotspot database and URL hotspot database simultaneously.

  8. Optional: Run the update hrp-standby enable command to configure the function of separately updating the signature database on the standby device.

    By default, the function of separately updating the signature database on the standby device is disabled. That is, after the signature database on the active device is updated, the signature database is automatically synchronized to the standby device.

    Automatic synchronization improves the efficiency of signature database update and prevents inconsistent content security detection capabilities on the active and standby devices. If the active device cannot synchronize the signature database to the standby device (for example, the heartbeat interface between the active and standby devices is abnormal), you can run this command to update the signature database on the standby device separately.
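The following is an added example, not taken from this page or from Huawei's own documentation, that strings the steps above together for an immediate IPS signature database update in HTTPS mode on an FW whose Internet-facing interface belongs to a VPN instance. The update commands are the ones listed in the procedure; everything else is an assumption: the system-view entry, the security-policy syntax, the zone name untrust, the rule name, the VPN instance name vpn_internet, the interface address 198.51.100.2, the update-center address 203.0.113.10 (a documentation-range placeholder), and the display update configuration verification command.

```text
# Added example (not from the original page). Names, addresses and the
# security-policy syntax are assumptions; the update commands follow the procedure.
<FW> system-view

# Prerequisite: permit only the FW itself (source zone Local) to reach the
# update center, and only over HTTPS. Pinning the destination address keeps the
# rule from turning into a general Local-to-Internet permit.
[FW] security-policy
[FW-policy-security] rule name sigdb-update-https
[FW-policy-security-rule-sigdb-update-https] source-zone local
[FW-policy-security-rule-sigdb-update-https] destination-zone untrust
[FW-policy-security-rule-sigdb-update-https] destination-address 203.0.113.10 32
[FW-policy-security-rule-sigdb-update-https] service https
[FW-policy-security-rule-sigdb-update-https] action permit
[FW-policy-security-rule-sigdb-update-https] quit
[FW-policy-security] quit

# Step 1: HTTPS is already the default; setting it explicitly makes any later
# change to the riskier HTTP mode visible in the saved configuration.
[FW] update online-mode https

# Step 4: the Internet-facing interface is bound to VPN instance vpn_internet,
# so the source address and VPN instance are mandatory here, not optional.
[FW] update host source ip 198.51.100.2 vpn-instance vpn_internet

# Step 5: download the IPS signature database now.
[FW] update online ips-sdb

# Step 6: only needed when the update option is "download only" rather than
# "download and install".
[FW] update apply ips-sdb

# Verification (command name is an assumption): confirm the mode, source
# address and download server actually in use before trusting the update.
[FW] display update configuration
```

If the download saturates the uplink, update abort (from step 5 above) cancels it; the security-policy rule stays in place so the retry needs no further policy change.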

Copyright © Huawei Technologies Co., Ltd.