
Updating the External Malicious URL Signature Database

By updating the external malicious URL signature database, the FW can identify and block the latest malicious URLs in a timely manner, defending against new attacks.

Context

The external malicious URL signature database supports online update only. Online update can be performed in two ways:
  • Scheduled update

    The FW periodically connects to the external update server to check whether a new version of the external malicious URL signature database exists. If a new version is available, the FW automatically downloads it and updates its external malicious URL signature database at the preset time.

  • Immediate update

    When a new external malicious URL signature database is available on the network but the scheduled update time on the FW has not been reached, or scheduled update is not enabled, you can perform an immediate update.

    The signature database download address and the update process are the same for immediate and scheduled update. The only difference between the two modes is the update time: an immediate update can be started at any time.

Procedure

The FW is deployed at the border of the internal network as the security gateway to communicate with the external update server through the Internet. By configuring online update, the FW can automatically download and update the external malicious URL signature database.

Figure 1 Online update
  1. Before updating the external malicious URL signature database, prepare the malicious URL list file and deploy the external update server.

    To ensure that the external malicious URL list is successfully loaded to the cache of the FW, the format of the malicious URL list released by external official websites must meet the following requirements on the FW:
    • The malicious URL list file can only be in .txt format.

    • The size of a malicious URL list file cannot exceed 15 MB.

    • URLs or IP addresses are allowed in the malicious URL list.

    • Only one URL or IP address can be entered in a line. The length of URLs or IP addresses cannot exceed 1279 characters.

    Figure 2 shows a malicious URL list file in .txt format.
    Figure 2 Malicious URL list file in .txt format
    • The protocol of the external update server must be HTTPS.
    • The FW normalizes the entries when it loads an external malicious URL list file.

  2. Configure the interface that connects the FW to the Internet and add it to the Untrust zone.

     <FW> system-view
     [FW] interface GigabitEthernet 0/0/1
     [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
     [FW-GigabitEthernet0/0/1] quit
     [FW] firewall zone untrust
     [FW-zone-untrust] add interface GigabitEthernet 0/0/1
     [FW-zone-untrust] quit

  3. Configure parameters for interconnection between the FW and an external update server, including the URI and CA certificate of the external update server.

    [FW] update ext-server ext-url-sdb uri https://www.example.com/url-list.txt ca-certificate ext.cer

    Only the HTTPS protocol can be used for interconnection between the FW and the external update server. The default port number is 443. If the server listens on a port other than 443, the configured URI must carry that port number. In the preceding URI, www.example.com is the domain name or IP address of the external update server, and /url-list.txt is the path of the external dynamic malicious URL file.

    The CA certificate is used to verify the external update server. The CA certificate can be obtained from the external update server. The obtained CA certificate can be referenced only after being imported to the FW. For details on how to import a CA certificate, see SSL-Encrypted Traffic Detection.

    Only the CA certificate in PEM format can be imported for interconnection between the FW and an external update server.

    The CA certificate that is being referenced cannot be modified or deleted. When the undo update ext-server ext-url-sdb command is used, the CA certificate is unbound. Then the CA certificate can be modified or deleted.

  4. Configure the DNS server so that the FW can resolve the domain name of the external update server. If the URI uses a domain name, a DNS server must be configured.

    [FW] dns resolve
    [FW] dns server 2.2.2.2

  5. Optional: Specify the source IP address of online update request packets. For details, see Specifying the Source IP Address of Online Update Request Packets.
  6. Configure security policies to allow the FW (Local zone) to access the external update server and the DNS server. Keep the rules as narrow as possible: the DNS rule below restricts the destination address, and the HTTPS rule can be restricted the same way if the update server's address is fixed.

    # Configure a security policy to allow the FW to access the external update server.

    [FW] security-policy
    [FW-policy-security] rule name policy_update_server
    [FW-policy-security-rule-policy_update_server] source-zone local
    [FW-policy-security-rule-policy_update_server] destination-zone untrust
    [FW-policy-security-rule-policy_update_server] service https
    [FW-policy-security-rule-policy_update_server] action permit
    [FW-policy-security-rule-policy_update_server] quit
    [FW-policy-security] quit

    # Configure a security policy to allow the FW to access the DNS server.

    [FW] security-policy
    [FW-policy-security] rule name policy_dns_server
    [FW-policy-security-rule-policy_dns_server] source-zone local
    [FW-policy-security-rule-policy_dns_server] destination-address 2.2.2.2 32
    [FW-policy-security-rule-policy_dns_server] service dns
    [FW-policy-security-rule-policy_dns_server] action permit
    [FW-policy-security-rule-policy_dns_server] quit
    [FW-policy-security] quit

  7. Configure scheduled or immediate update.
    • Scheduled update

      [FW] update schedule ext-url-sdb enable              //Enable scheduled update of the external malicious URL signature database. 
      [FW] update schedule ext-url-sdb daily 8:00          //Set the scheduled update time of the external malicious URL signature database.

      Set the scheduled update time based on your network conditions so that the update does not compete with normal services for network resources. If no scheduled update time is set, the FW randomly selects a time between 22:00 and 07:59 as the daily scheduled update time by default.

    • Immediate update

      [FW] update online ext-url-sdb
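The following script checks a malicious URL list against the format requirements listed in step 1 (.txt file, at most 15 MB, one URL or IP address per line, at most 1279 characters per entry) before the file is published on the HTTPS update server. It is an added example for this page, not Huawei code and not something the page itself provides. The entry shapes it accepts (bare host, host/path, optional http:// or https:// scheme and port, IPv4 or IPv6 literal), its treatment of blank lines as errors and its ASCII-only check are assumptions: the page states only the limits themselves and does not describe how the FW normalizes entries. The sample list is constructed for the example.

```python
"""Pre-publication check of a malicious URL list for the FW's loading limits."""
from __future__ import annotations

import ipaddress
import re

# Limits stated on the page. It says "15 MB" without defining MB, so the
# stricter decimal reading is assumed here.
MAX_FILE_BYTES = 15 * 1000 * 1000
MAX_ENTRY_LEN = 1279

# One DNS label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# authority = host or [ipv6] followed by an optional :port
AUTHORITY_RE = re.compile(r"^(\[[^\]]+\]|[^:]+)(?::(\d{1,5}))?$")


def is_ip(text: str) -> bool:
    """IPv4 or IPv6 literal; IPv6 may be bracketed as it would be inside a URL."""
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_hostname(text: str) -> bool:
    """At least two labels, each syntactically valid, 253 characters at most."""
    labels = text.rstrip(".").split(".")
    return len(text) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def is_url(text: str) -> bool:
    """Accept host, host/path, host:port/path, with or without an http(s) scheme.

    This shape is an assumption; the page only says URLs are allowed."""
    rest = re.sub(r"^https?://", "", text, flags=re.I)
    authority, _, _path = rest.partition("/")
    m = AUTHORITY_RE.match(authority)
    if not m:
        return False
    host, port = m.group(1), m.group(2)
    if port is not None and not 0 < int(port) <= 65535:
        return False
    return is_ip(host) or is_hostname(host)


def validate_list(data: bytes, filename: str) -> list[str]:
    """Return the problems found; an empty list means the file meets the stated rules."""
    problems: list[str] = []
    if not filename.lower().endswith(".txt"):
        problems.append("file: name must end in .txt")
    if len(data) > MAX_FILE_BYTES:
        problems.append(f"file: {len(data)} bytes exceeds {MAX_FILE_BYTES}")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # Assumption: the FW expects ASCII; publish IDN hosts in punycode.
        problems.append("file: non-ASCII bytes present")
        text = data.decode("ascii", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            problems.append(f"line {n}: empty line (exactly one entry per line expected)")
        elif len(line.split()) != 1 or line != line.strip():
            problems.append(f"line {n}: more than one entry or stray whitespace")
        elif len(line) > MAX_ENTRY_LEN:
            problems.append(f"line {n}: {len(line)} characters exceeds {MAX_ENTRY_LEN}")
        elif not (is_ip(line) or is_url(line)):
            problems.append(f"line {n}: not a URL or IP address")
    return problems


# Constructed sample list (not from the page); lines 5 to 8 are deliberately invalid.
SAMPLE_LIST = (
    b"www.example-bad.com/path/to/payload.exe\n"     # ok: host and path
    b"198.51.100.23\n"                               # ok: IPv4 literal
    b"https://malicious.example.net:8443/login\n"    # ok: scheme and port
    b"2001:db8::dead:beef\n"                         # ok: IPv6 literal
    b"two.example.com three.example.com\n"           # bad: two entries on one line
    b"-leading-hyphen.example.com\n"                 # bad: invalid DNS label
    b"\n"                                            # bad: empty line
    + b"a" * 1270 + b".example.com\n"                # bad: 1282 characters
)

if __name__ == "__main__":
    for problem in validate_list(SAMPLE_LIST, "url-list.txt") or ["no problems found"]:
        print(problem)
```

Run the check against the exact file you intend to place at the configured URI, since the FW fetches and loads that file as-is.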
Copyright © Huawei Technologies Co., Ltd.