Unable to Update the Signature Database or Virus Library in UTM Mode When the USG Device is Moved to Another Network

Publication Date: 2012-07-18
Issue Description
At site A, the signature database or virus library of the USG device in UTM mode was updated successfully. The rule directory in the flash memory was then removed and the USG device was moved to site B, where the signature database or virus library could no longer be updated in UTM mode.
Alarm Information
Handling Process
Find the NAT device at the egress of the customer network, and enable interzone NAT ALG on the NAT device.
[sysname] display interzone trust untrust
interzone trust untrust
detect ftp
Root Cause
The UTM signature database or virus library is downloaded automatically from the security server over FTP. If the UTM device connects to the network through the USG device and interzone NAT ALG is not enabled, the FTP exchange proceeds as follows:
1.      The UTM device connects from port N (N > 1024) to port 21 of the server.
2.      The UTM device starts listening on port N+1.
3.      Port 21 of the server responds to port N.
4.      The UTM device announces port N+1 to the server over the control connection on port N.
5.      Port 21 of the server initiates the data connection to port N+1.
6.      The UTM device is deployed downstream of the USG device and is only listening on port N+1; no NAT entry for port N+1 has been created on the USG device. As a result, the server's packet cannot reach the UTM device, and the data connection fails to be established.
The USG device can connect to the Internet but cannot update the signature database or virus library.
After the NAT ALG function is enabled, the signature database or virus library is successfully updated.
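The following model, added here as an illustration and not part of Huawei's documentation or code, replays steps 1 to 6 of the root cause through a simplified NAT device and shows why the data connection only succeeds when an FTP ALG inspects the PORT command. The addresses and port numbers are assumed.

```python
"""Model of FTP active mode (PORT) through a NAT device, with and without an
FTP ALG.  Constructed illustration; addresses and ports are assumed."""
from dataclasses import dataclass, field

PRIVATE_CLIENT = "10.0.0.5"    # assumed address of the UTM device behind the NAT
PUBLIC_IP = "203.0.113.1"      # assumed public address of the NAT device

def encode_port_cmd(ip, port):
    """Build an RFC 959 PORT command: 'PORT h1,h2,h3,h4,p1,p2'."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)

def decode_port_cmd(cmd):
    """Return (ip, port) announced by a PORT command."""
    f = cmd.split()[1].split(",")
    return ".".join(f[:4]), (int(f[4]) << 8) | int(f[5])

@dataclass
class Nat:
    alg: bool
    table: dict = field(default_factory=dict)  # public port -> (private ip, private port)

    def outbound(self, src_ip, src_port):
        """Client-initiated flow creates an entry (identity port mapping for simplicity)."""
        self.table[src_port] = (src_ip, src_port)

    def forward_control(self, cmd):
        """Control-channel payload client -> server; only the ALG inspects PORT."""
        if self.alg and cmd.startswith("PORT "):
            ip, port = decode_port_cmd(cmd)
            self.outbound(ip, port)  # pre-open the entry for the expected data connection
            return encode_port_cmd(PUBLIC_IP, port)  # rewrite private address to public
        return cmd

    def inbound(self, dst_ip, dst_port):
        """Server-initiated data connection; dropped unless an entry exists."""
        if dst_ip != PUBLIC_IP:
            return None  # a private address announced in PORT is unreachable from the server
        return self.table.get(dst_port)

def active_mode_update(alg):
    """Replay steps 1-6 of the root-cause section; True if the data link is established."""
    nat = Nat(alg=alg)
    n = 40000                                   # step 1: control connection from port N
    nat.outbound(PRIVATE_CLIENT, n)
    data_port = n + 1                           # step 2: client listens on port N+1
    cmd = nat.forward_control(encode_port_cmd(PRIVATE_CLIENT, data_port))  # step 4
    ip, port = decode_port_cmd(cmd)             # step 5: server reads PORT and connects
    return nat.inbound(ip, port) == (PRIVATE_CLIENT, data_port)  # step 6
```

Without the ALG the NAT device never sees port N+1 on the control channel, so the server's connection to that port has no entry to match and is dropped, which is exactly the failure in step 6.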