
Updating the Artificial Intelligence Engine Database Using the Web UI

This section describes how to update the artificial intelligence engine database on the web UI.

Preparation

Before updating the artificial intelligence engine database, complete the following checks:

  • Checking the License Status

    Before updating the artificial intelligence engine database, ensure that the artificial intelligence engine license has been purchased and activated.

    To check the license status, perform the following operation:

    1. Choose System > License Management.
    2. In License Resource, search for the flow probe license. Check whether the license is activated or expired in Status.

      • If Status is Disable, activate the license. For operations, see License Management.
      • If Status indicates that the service has expired, renew the corresponding license.
  • Checking the Free Space of the CF Card and Memory

    Before updating the artificial intelligence engine database, check whether the free space in the device CF card and memory is sufficient. The following table lists the CF card and memory space required for updating the artificial intelligence engine database.

    Item                                      CF Card Space      Memory Space
    artificial intelligence engine database   100 MB or higher   50 MB or higher

    Perform the following operation:

    1. Select Dashboard.
    2. In Device Information, check the available space of the CF card and memory.
  • Checking the Artificial Intelligence Engine Database Version

    Check the artificial intelligence engine database version to determine whether the artificial intelligence engine database needs to be updated.

    Details are as follows:

    1. Choose System > Update Center.
    2. In Signature Database Update, view Current Version of the artificial intelligence engine database to be updated and determine whether it requires an update.

Context

The artificial intelligence engine database can be updated in either of the following modes:

  • Online update

    If the FW can communicate with the update center directly over the Internet or through a proxy server, you can update the artificial intelligence engine database in online mode.

  • Local update

    When the FW is physically isolated from the Internet and no proxy server is deployed on the intranet, you can update the artificial intelligence engine database locally.

Online Update

The FW is deployed at the border of the internal network as the security gateway. The FW can communicate with sec.huawei.com through the Internet. Through immediate update or scheduled update, the FW can automatically download the artificial intelligence engine database and update the local artificial intelligence engine database.

Figure 1 Networking diagram for online update

  1. Set the IP address and security zone of the interface.
    1. Choose Network > Interface.
    2. Click GE0/0/1 and set the parameters as follows:

      Zone: untrust
      IPv4
      IP Address: 1.1.1.1/24

    3. Click OK.
  2. Configure the update center address.
    1. Choose System > Update Center.

    2. Click Server IP Address.
    3. In the Configure Update Server dialog box that is displayed, set the IP address of the update server. This example uses the default configuration. To adjust parameter settings, see the following table.

      Parameter: Description

      Server IP Address: Enter the IP address of the server that the FW accesses for the scheduled update. By default, domain name sec.huawei.com is used.

      Port: Enter the port of the server. The default value is 443.

      Source IP Address: Specify the mode for obtaining the source IP address of update request packets.

        • Automatically obtained: The system searches a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

        • Specified interface: The IP address and VPN instance of the interface are used as the source IP address and VPN instance of online update request packets.

          If the FW connects to the Internet through VPN, the interface must be bound to a corresponding instance. Otherwise, the update fails.

          The specified interface is not necessarily the outgoing interface of update request packets. To send update request packets, the system checks the route information to determine the outgoing interface.

        • Specified source IP address: Manually enter the source IP address of online update request packets and ensure that the FW can receive the reply packets.

          If the FW connects to the Internet through a VPN instance, you must run the update host source ip ip-address vpn-instance vpn-instance command on the CLI Console after you specify the source IP address. The configuration view is the system view. ip-address is the value specified in Specified source IP address, and vpn-instance is the name of the corresponding VPN instance.

        Instructions on the parameter are as follows:
        • Do not specify an interface that is bound to a virtual system. Otherwise, the update will fail.

        • If the interface has multiple IP addresses, you are advised to use Specified source IP address. Otherwise, the online update may fail.

        NOTE:

        This configuration takes effect for both signature database update and URL remote query. However, the source IP address cannot be bound to a VPN instance for URL remote query. When the FW connects to the Internet through a VPN instance, specify the outgoing interface if you need to use the URL remote query function.

      Connect to the upgrade center through a proxy server: If the FW cannot access the update center directly, select this item and configure a proxy server for the update.

      Address: If the FW cannot communicate with the update center over the Internet, configure a proxy server to connect to the update center and download signature databases for the FW. The proxy server address can be an IP address or domain name.

      Port: Enter the port of the proxy server.

      User Name, Password: Enter the user name and password for logging in to the proxy server.

  3. Configure the DNS server and ensure that the FW can correctly resolve domain name sec.huawei.com.
    1. Choose Network > DNS > DNS.
    2. In DNS Server List, click Add.
    3. Configure the DNS server as follows:

      DNS server address: 2.2.2.2

    4. Click OK.

    When the FW connects to the Internet through a VPN instance, you must run the dns server vpn-instance vpn-instance-name command on the CLI Console to bind the VPN instance to the DNS server.

  4. Configure a security policy to allow the FW to access sec.huawei.com and the DNS server.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy.
    3. Configure a security policy to allow the FW to access sec.huawei.com.

      Name: policy_sec_huawei_com
      Source Zone: local
      Destination Zone: untrust
      Service: HTTPS

        NOTE:
        HTTPS is used by default for the update. You can run the update online-mode command to change the update mode to HTTP. However, HTTPS is more secure than HTTP, so HTTPS is recommended. To use the HTTP update mode, strictly specify the matching conditions of the security policy as follows:
        • HTTP
        • FTP
        • TCP: src-port: 0-65535; dst-port: 32119
        • TCP: src-port: 0-65535; dst-port: 10001-15000

        Updates through a proxy server use HTTP only. If the FW accesses the update center through a proxy server, set this parameter to HTTP.

      Action: Permit

    4. Configure a security policy to allow the FW to access the DNS server.

      Name: policy_dns_server
      Source Zone: local
      Destination Address: 2.2.2.2/32
      Service: DNS
      Action: Permit

  5. Configure online update.

    During online update, if normal services of the FW are interrupted, you can abort the update process. Wait for the network environment to improve before retrying the update.

    • Configure scheduled update.
      1. Select Scheduled Update on the line of the artificial intelligence engine database to be updated to enable scheduled update.
      2. Click Scheduled Update time on the line of the artificial intelligence engine database to be updated to set the time for scheduled update.

        Parameter: Description

        Scheduled Update Time: Set the update interval and time point. You need to set the time for scheduled update based on your network settings, but ensure that the update does not take up the network resources of normal services.

    • Configure immediate update: Click Update Immediately for artificial intelligence engine database.
  6. Verify the update result.

    After the update is completed, check whether the update succeeds in the Status column.
    • After the update is complete, Status is The online update succeeded. Current Version is the target version, and Previous Version is the source version.
    • After the immediate update, if Status is displayed as System memory resources are insufficient. Please try again later., the artificial intelligence engine database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.
      • If you click Reinstall, installation starts immediately.

      • If you click Update Immediately, the system deletes the downloaded artificial intelligence engine database file and starts update again.

    • After the scheduled update, if Status is displayed as Retrying the update. Please wait..., the artificial intelligence engine database file has been downloaded, but the installation fails due to insufficient memory. The system will retry at a scheduled time.
      • If you click Reinstall, installation starts immediately.

      • If you click Terminate Update, the re-installation is aborted. If Status is displayed as System memory resources are insufficient. Please try again later., wait for a period before clicking Reinstall.

    • When Status displays an update failure, click Server Connectivity Test to locate the cause for the update failure.

      After you click Server Connectivity Test, the system automatically checks the connectivity between the FW and security center. A window is displayed on the web UI to show the detection procedure and provide the cause and handling suggestion in case of a connection failure.

      For example, when you obtain the upgrade server information, the system displays "Failed to obtain information" and provides handling suggestions, as shown in the following figure. In this case, you can modify the configuration according to the handling suggestions, and then click Recheck to verify the connection.
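
An added example, not part of the original page or of Huawei's tooling: a small Python check that lints the two security policies from step 4 against the service sets the page lists (HTTPS by default, the four HTTP-mode entries, HTTP only through a proxy server). The rule dictionaries, the tcp/port service tokens and the egress_zone parameter are assumptions made for illustration.

```python
import ipaddress

# Service names follow step 4 of the page. The rule dicts are a constructed
# model for illustration, not a device export format.
HTTP_MODE = {"http", "ftp", "tcp/32119", "tcp/10001-15000"}

def expected_services(mode="https", via_proxy=False):
    """Services the update rule should match for the chosen update mode."""
    if via_proxy:  # the page: updates through a proxy server use HTTP
        return {"http"}
    return {"https"} if mode == "https" else set(HTTP_MODE)

def _common(rule):
    # Both rules originate on the FW itself (local zone) and must permit.
    checks = [("source_zone", "local"), ("action", "permit")]
    return [f"{k} must be {v}" for k, v in checks if rule.get(k) != v]

def lint_update_rule(rule, mode="https", via_proxy=False, egress_zone="untrust"):
    """Return findings for the rule that lets the FW reach the update center."""
    findings = _common(rule)
    if rule.get("destination_zone") != egress_zone:
        findings.append(f"destination_zone must be {egress_zone}")
    want = expected_services(mode, via_proxy)
    have = {s.lower() for s in rule.get("service", [])}
    if not have or "any" in have:
        findings.append("service is any; restrict to " + ", ".join(sorted(want)))
    elif have != want:
        findings.append(f"service {sorted(have)} should be exactly {sorted(want)}")
    return findings

def lint_dns_rule(rule, dns_server):
    """Return findings for the rule that lets the FW reach its DNS server."""
    findings = _common(rule)
    try:  # the destination must be exactly the one DNS host, not a subnet
        dst = ipaddress.ip_network(rule.get("destination_address", ""))
        exact = dst == ipaddress.ip_network(dns_server)
    except ValueError:
        exact = False
    if not exact:
        findings.append(f"destination_address must be the single host {dns_server}")
    if {s.lower() for s in rule.get("service", [])} != {"dns"}:
        findings.append("service must be DNS only")
    return findings

# Constructed sample rules carrying the values from the page's example.
PAGE_RULE = {"name": "policy_sec_huawei_com", "source_zone": "local",
             "destination_zone": "untrust", "service": ["HTTPS"], "action": "permit"}
DNS_RULE = {"name": "policy_dns_server", "source_zone": "local",
            "destination_address": "2.2.2.2/32", "service": ["DNS"], "action": "permit"}
```

An empty list from either function means the rule matches the page's values; each finding names the field to tighten or correct before the update is retried.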

Local Update

You must obtain the update package before the local update.

  1. Download the update package.
    1. Log in to Huawei security center (isecurity.huawei.com) and choose Signature Update > Signature Update.
    2. Select the product type, series, name, and version.
    3. Click the tab of the artificial intelligence engine database to be updated.
    4. Download the artificial intelligence engine database file.

      Click the download icon on the right side. The Detail dialog box is displayed. Download the artificial intelligence engine database file in .zip format and directly upload it to the FW.

  2. Choose System > Update Center.
  3. Click Update Locally for the artificial intelligence engine database.
  4. Click Browse... and select the desired update package.
  5. Click Update.
  6. After the update is complete, Status is The local update succeeded. Current Version is the target version, and Previous Version is the source version.
Copyright © Huawei Technologies Co., Ltd.