
Limitations and Precautions for Update Center

Read the following limitations and precautions before configuring the update center.

Hardware Requirements

USG6510E/6510E-POE/6530E does not support the asset identification signature database and the file reputation signature database.

For versions earlier than V600R007C20SPC300, only the USG6615E/6625E and USG6575E-B/6605E-B support the artificial intelligence engine database. For V600R007C20SPC300 and later versions, the USG6610E/6620E, USG6630E/6650E, USG6635E/6655E, USG6680E and USG6712E/6716E also support the artificial intelligence engine database.

License Requirements

  • The update of IPS and malicious domain name signature databases is IPS license-controlled, and the update of the antivirus signature database is antivirus license-controlled. After the licenses are loaded, manually load the signature databases for them to take effect.
  • For the cloud sandbox, the update of the file reputation signature database is cloud sandbox detection license-controlled. For the local sandbox, the update of the file reputation signature database is not license-controlled.
  • The updates of the application identification, IP reputation, asset identification, and region identification signature databases are not license-controlled.
  • The update of the artificial intelligence engine database is artificial intelligence engine license-controlled.

Limitations

  • When the upgrade is performed through a proxy server, only HTTP upgrade is supported.
  • Signature database update does not support IPv6. That is, the update server should not use an IPv6 address.
  • The asset identification signature database supports only local update.
  • The artificial intelligence engine database does not support version rollback.
  • The source IP address (update host source) of the upgrade request packet cannot be the loopback address.

Precautions

  • Before upgrading the signature database, ensure that the available memory space of the device meets the memory space requirements. If the memory space requirements are not met, the signature database may fail to be upgraded and the IAE may restart.
  • In the scheduled upgrade scenario, it is recommended that the scheduled upgrade time of the area identification signature database be different from that of the other signature databases. If the scheduled upgrade times are the same or close together, the scheduled upgrades of the other signature databases may fail.
  • If the FW can directly access the update server and the update mode is set to HTTPS, the device uses HTTPS to send update requests and download signature databases, so you need to configure security policies that permit HTTPS traffic. If the update mode is set to HTTP, the device uses HTTP to send update requests and FTP to download signature databases, so you need to configure security policies that permit HTTP and FTP traffic (FTP uses port 21 and port 32119) as well as a user-defined service for the FTP data channel connections, with the protocol TCP and destination ports 10001 to 15000. HTTP and FTP are insecure, so strictly limit the matching conditions of these security policies.
  • In a hot standby scenario, the region identification signature database, the asset identification signature database and the artificial intelligence engine database are not automatically synchronized to the standby device after being updated on the active device. You need to update them on both the active and standby devices. For the other signature databases, the active device automatically synchronizes an updated signature database to the standby device only when the hot standby heartbeat interface is not bound to any VPN instance. If the active device cannot synchronize the signature database to the standby device (for example, because the heartbeat interface between the active and standby devices is abnormal), you can run the update hrp-standby enable command to update the signature database on the standby device separately.
  • In a hot standby scenario, after the signature database on the active device is updated, the standby device initiates a TCP connection request to obtain the signature database of the active device. In this case, you need to set the action to permit in the following security policies on the active and standby devices:
    • Active device:
      • The source security zone is the security zone where the heartbeat interface resides.
      • The destination security zone is Local.
      • The source IP address is the IP address of the heartbeat interface on the standby device and the source port is randomly allocated.
      • The destination IP address is the IP address of the heartbeat interface on the active device and the port number is 2017.
    • Standby device:
      • The source security zone is Local.
      • The destination security zone is the security zone where the heartbeat interface resides.
      • The source IP address is the IP address of the heartbeat interface on the standby device and the source port is randomly allocated.
      • The destination IP address is the IP address of the heartbeat interface on the active device and the port number is 2017.
  • In V600R007C20SPC500 and later versions, after the FW is started and configurations are successfully loaded, the signature database pre-upgrade check is performed every 5 minutes.
    • If the check succeeds, the device automatically updates the intrusion prevention signature database, antivirus signature database, intelligent detection engine, and service awareness signature database. After the automatic upgrade is complete, the FW does not perform this check.
    • If the check fails for five consecutive times, view the AUTO-UPDATE log to obtain the cause and solution.
    • If the check still fails within 12 hours after the first check starts, the signature database update is automatically triggered and an update failure log is reported. The FW then no longer performs this check.
  • If no schedule time is specified, the FW updates the signature database daily at some point in the time range 22:00 to 07:59 by default. Set the scheduled update time based on your network conditions, and ensure that the update does not take up the network resources of normal services.
  • If you need to perform the update immediately, take the network conditions into consideration and ensure that the update does not take up the network resources of normal services. After the scheduled update is enabled, if the network rate is too low and affects the services and performance of the FW, you can abort the update.
  • When services are used together, if the memory of the FW is less than or equal to 4 GB, the signature database update may fail due to insufficient memory. For details about the memory specifications of the FW, see the technical specifications of the corresponding model in the Hardware Guide > Hardware Introduction > Chassis.
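As an added illustration (not Huawei's code), the model below expresses the security policies this page requires for update traffic (HTTPS, or HTTP plus FTP control and data channels, to the update server) and for hot standby synchronization (TCP 2017 over the heartbeat link) as required flows, and checks a candidate rule base against them with first-match semantics. Zone names, addresses, rule names and the HTTP port 80 are assumptions; the page does not specify them.

```python
from ipaddress import ip_address, ip_network

class Rule:
    """One security-policy rule: zone pair, destination network, TCP destination port
    range, action. Source addresses (the heartbeat IPs in the HRP rules) are omitted."""
    def __init__(self, name, src_zone, dst_zone, dst_net, ports, action="permit"):
        self.name, self.src_zone, self.dst_zone = name, src_zone, dst_zone
        self.dst_net, self.ports, self.action = ip_network(dst_net), ports, action

    def matches(self, src_zone, dst_zone, dst_ip, port):
        return (self.src_zone in ("any", src_zone) and self.dst_zone in ("any", dst_zone)
                and ip_address(dst_ip) in self.dst_net
                and self.ports[0] <= port <= self.ports[1])

def first_match(rules, flow):
    """Rules are evaluated top-down; the first hit decides, no hit means deny."""
    return next((r for r in rules if r.matches(*flow)), None)

def update_flows(mode, server_ip, server_zone):
    """Flows the FW itself (zone Local) sends to the update server. HTTPS mode: 443.
    HTTP mode: HTTP (port 80 assumed), FTP 21 and 32119, data channels 10001-15000."""
    ports = {"https": [(443, 443)],
             "http": [(80, 80), (21, 21), (32119, 32119), (10001, 15000)]}[mode]
    return [("local", server_zone, server_ip, lo, hi) for lo, hi in ports]

def hrp_sync_flow(role, hb_zone, active_hb_ip):
    """Standby pulls the database from the active over TCP 2017 on the heartbeat link."""
    if role == "active":   # inbound: heartbeat zone -> Local on the active device
        return [(hb_zone, "local", active_hb_ip, 2017, 2017)]
    return [("local", hb_zone, active_hb_ip, 2017, 2017)]   # standby: Local -> heartbeat

def check(rules, flows):
    """Return (uncovered, too_broad): required (zones, ip, port) tuples no permit rule
    covers, and permit rules matching any destination or every port (not strictly limited)."""
    uncovered = []
    for src_zone, dst_zone, ip, lo, hi in flows:
        for port in range(lo, hi + 1):
            hit = first_match(rules, (src_zone, dst_zone, ip, port))
            if hit is None or hit.action != "permit":
                uncovered.append((src_zone, dst_zone, ip, port))
    too_broad = [r.name for r in rules
                 if r.action == "permit" and (r.dst_net.prefixlen == 0 or r.ports == (1, 65535))]
    return uncovered, too_broad

# Constructed sample rule base: update server 203.0.113.10 in assumed zone "untrust".
SAMPLE_RULES = [
    Rule("update_http", "local", "untrust", "203.0.113.10/32", (80, 80)),
    Rule("update_ftp_ctl", "local", "untrust", "203.0.113.10/32", (21, 21)),
    Rule("update_ftp_data", "local", "untrust", "203.0.113.10/32", (10001, 15000)),
]
```

Running check(SAMPLE_RULES, update_flows("http", "203.0.113.10", "untrust")) reports FTP port 32119 as uncovered, which is the kind of gap that makes an HTTP-mode update fail silently at the policy layer.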
Copyright © Huawei Technologies Co., Ltd.