AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Security Policy Configuration Commands

display engine information

Function

The display engine information command displays the status of engines and the version of all signature databases.

Format

display engine information

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the status of engines and the version of all signature databases.

<Huawei> display engine information
==============================================================================  
Engine on CPU 0 in slot 0:                                                      
==============================================================================  
  Engine Status                    : Ready                                      
  Compile Status                   : Commit Succeeded                           
  IPS Engine Version               : V200R002C00SPC009                          
  IPS Signature Database Version   : 2015010602                                 
  SA Signature Database Version    : 2015030601                                 
  C&C Domain Name Database Version :                                            
------------------------------------------------------------------------------  
                                                                                

display security-policy

Function

The display security-policy command displays the security policy configuration.

Format

display security-policy { all | name policy-name }

Parameters

Parameter

Description

Value

all

Displays the configuration of all security policies.

-

name policy-name

Displays the configuration of a specified security policy.

The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the configuration of a specified security policy or all security policies.

Example

# Display the configuration of all security policies.

<Huawei> display security-policy all
  Policy-name: huawei
  Policy-ID: 0  
   IPS: - 
   URLF: -  
   ACL: 0 
  Reference-Num: 0 

# Display the configuration of the security policy huawei.

<Huawei> display security-policy name huawei
  Policy-name: huawei
  Policy-ID: 0  
   IPS: - 
   URLF: -  
   ACL: 0 
  Reference-Num: 0 
Table 14-69  Description of the display security-policy command output
Item            Description
Policy-name     Name of the security policy. To configure a security policy, run the security-policy command.
Policy-ID       ID of the security policy.
IPS             IPS profile bound to the security policy. To bind an IPS profile, run the profile (security policy view) command.
URLF            URL filtering profile bound to the security policy. To bind a URL filtering profile, run the profile (security policy view) command.
ACL             ACL bound to the security policy. To bind an ACL, run the profile (security policy view) command.
Reference-Num   Total number of profiles in the security policy.

display update configuration

Function

The display update configuration command displays the update configuration.

Format

display update configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the update configuration.

<Huawei> display update configuration
Update Configuration Information:                                               
------------------------------------------------------------                    
  Update Server               : sec.huawei.com                                  
  Update Port                 : 80                                              
  Proxy State                 : Disable                                         
  Proxy Server                : -                                               
  Proxy Port                  : -                                               
  Proxy User                  : -                                               
  Proxy Password              : -                                               
  IPS-SDB:                                                                      
    Application Confirmation  : Disable                                         
    Schedule Update           : Enable                                          
    Schedule Update Frequency : Daily                                           
    Schedule Update Time      : 01:46                                           
  SA-SDB:                                                                       
    Application Confirmation  : Disable                                         
    Schedule Update           : Enable                                          
    Schedule Update Frequency : Daily                                           
    Schedule Update Time      : 01:46                                           
  CNC:                                                                          
    Application Confirmation  : Disable                                         
    Schedule Update           : Enable                                          
    Schedule Update Frequency : Daily                                           
    Schedule Update Time      : 01:46                                           
------------------------------------------------------------            

Item                        Description
Update Server               IP address or domain name of the update server. The default is the domain name of the security center.
Update Port                 Port number of the update server. The default value is 80.
Proxy State                 Whether a proxy server is used: Enable (the proxy server is enabled) or Disable (the proxy server is disabled).
Proxy Server                IP address or domain name of the proxy server.
Proxy Port                  Port number of the proxy server.
Proxy User                  User name for the proxy server.
Proxy Password              Password for the proxy server.
IPS-SDB                     Update configuration of the IPS signature database (IPS-SDB).
Application Confirmation    Whether manual installation confirmation is enabled: Enable (an operator must confirm before the downloaded update file is installed) or Disable (the update file is installed automatically after download).
Schedule Update             Whether the scheduled update function is enabled: Enable or Disable.
Schedule Update Frequency   Scheduled update frequency: Weekly or Daily.
Schedule Update Time        Scheduled update time.
SA-SDB                      Update configuration of the application identification signature database (SA-SDB).
CNC                         Update configuration of the malicious (C&C) domain name database.

display update host source

Function

The display update host source command displays the interface and source address configurations used in online update.

Format

display update host source

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays the configuration made with the update host source command.

Example

# Display the interface and source address configurations used in online update.

<Huawei> display update host source
----------------------------------------------------------------                
Source IP Information:                                                          
        IP address                 : 10.1.1.1                                   
        vpn-instance               : -                                          
Source Interface Information:                                                   
        interface name             : GigabitEthernet0/0/1                       
----------------------------------------------------------------                

display update status

Function

The display update status command displays the update status.

Format

display update status

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# View the current update status.

<Huawei> display update status
  Current Update Status: Idle.

The update status of a database can be:

  • Idle.
  • Online Update, Obtain The Update Package.
  • Version Rollback, Load The Update Package.
  • Version Apply, Verify The Authority.
  • Local Update, Load The Update Package.

display version (engine or signature database)

Function

The display version command displays the version of a specified engine or signature database.

Format

display version { cnc | ips-sdb | sa-sdb } *

Parameters

Parameter Description Value
cnc Displays the version of the malicious (C&C) domain name database. -
ips-sdb Displays the version of the IPS signature database. -
sa-sdb Displays the version of the application identification (SA) signature database. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# View the version of the Application Identification signature database.

<Huawei> display version sa-sdb
SA SDB Update Information List:                                                 
----------------------------------------------------------------                
  Current Version:                                                              
    Signature Database Version    : 2015030601                                  
    Signature Database Size(byte) : 1675482                                     
    Update Time                   : 15:14:40 2015/07/29                         
    Issue Time of the Update File : 11:24:23 2015/03/06                         
                                                                                
  Backup Version:                                                               
    Signature Database Version    :                                             
    Signature Database Size(byte) : 0                                           
    Update Time                   : 00:00:00 0000/00/00                         
    Issue Time of the Update File : 00:00:00 0000/00/00                         
----------------------------------------------------------------  
Table 14-70  Description of the display version sa-sdb command output

Item                            Description
Current Version                 Current version information about the engine or signature database.
Signature Database Version      Version of the engine or signature database.
Signature Database Size(byte)   Size of the engine or signature database, in bytes.
Update Time                     Date and time when the database was upgraded to this version.
Issue Time of the Update File   Date and time when the upgrade package for this version was released.
Backup Version                  Version to which the engine or signature database can be rolled back. The update rollback command rolls the engine or signature database back to this version.
Download Version                Version of the newly downloaded engine or signature database. A size of 0 bytes and an issue time of 00:00:00 0000/00/00 mean that no version file is waiting to be installed. This item is no longer displayed after the undo update confirm command disables manual installation confirmation.
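The outputs of display engine information and display version sa-sdb carry the checks an operator should make before trusting the device's inspection: the engine must be Ready with a committed policy, every database must actually be loaded, and a Backup Version must exist before a rollback is possible. The following Python script is an added example, not code from the Huawei command reference; it parses the two sample outputs copied from this page and performs those checks. Reading the version string as YYYYMMDDNN (issue date plus a daily sequence number) is an assumption inferred from the sample, where 2015030601 was issued on 2015/03/06.

```python
"""Health checks on the text output of `display engine information` and
`display version sa-sdb` from an AR500/AR510/AR530.

Added example, not code from the Huawei command reference. Sample outputs are
copied from this page. Assumption: a signature database version string is
YYYYMMDDNN (issue date + daily sequence), matching the sample 2015030601.
"""
import re
from datetime import datetime

ENGINE_INFO = """\
==============================================================================
Engine on CPU 0 in slot 0:
==============================================================================
  Engine Status                    : Ready
  Compile Status                   : Commit Succeeded
  IPS Engine Version               : V200R002C00SPC009
  IPS Signature Database Version   : 2015010602
  SA Signature Database Version    : 2015030601
  C&C Domain Name Database Version :
"""

VERSION_SA_SDB = """\
SA SDB Update Information List:
----------------------------------------------------------------
  Current Version:
    Signature Database Version    : 2015030601
    Signature Database Size(byte) : 1675482
    Update Time                   : 15:14:40 2015/07/29
    Issue Time of the Update File : 11:24:23 2015/03/06

  Backup Version:
    Signature Database Version    :
    Signature Database Size(byte) : 0
    Update Time                   : 00:00:00 0000/00/00
    Issue Time of the Update File : 00:00:00 0000/00/00
"""

# Key stops at the first colon so timestamp values like "15:14:40 2015/07/29" survive.
KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_blocks(text):
    """Return {section: {key: value}}. A line with an empty value whose next line
    is indented deeper opens a section ("Current Version:"); other empty values
    are kept as "" so an unloaded database is not lost."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not set(ln.strip()) <= set("=-")]  # drop rulers
    blocks, section = {"": {}}, ""
    for i, line in enumerate(lines):
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        indent = len(line) - len(line.lstrip())
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if value == "" and len(nxt) - len(nxt.lstrip()) > indent:
            section = key
            blocks.setdefault(section, {})
        else:
            blocks[section][key] = value
    return blocks


def engine_findings(text):
    """Problems visible in `display engine information`; empty list means healthy."""
    info = next(v for k, v in parse_blocks(text).items() if k.startswith("Engine on"))
    findings = []
    if info.get("Engine Status") != "Ready":
        findings.append("engine status is %r, not Ready" % info.get("Engine Status"))
    if info.get("Compile Status") != "Commit Succeeded":
        findings.append("policy not committed (run engine configuration commit)")
    for key in ("IPS Signature Database Version", "SA Signature Database Version",
                "C&C Domain Name Database Version"):
        if not info.get(key):
            findings.append(key + ": no database loaded")
    return findings


def sdb_version_date(version):
    """Issue date encoded in a version string (assumed YYYYMMDDNN layout)."""
    return datetime.strptime(version[:8], "%Y%m%d").date()


def version_report(text):
    """Summarise `display version <db>`: install lag, version/issue-date agreement,
    and whether a Backup Version exists for `update rollback`."""
    blocks = parse_blocks(text)
    cur, bak = blocks["Current Version"], blocks["Backup Version"]
    fmt = "%H:%M:%S %Y/%m/%d"
    issued = datetime.strptime(cur["Issue Time of the Update File"], fmt)
    installed = datetime.strptime(cur["Update Time"], fmt)
    # An empty backup shows 00:00:00 0000/00/00, which strptime rejects, so judge
    # its presence from the version string and size instead.
    return {
        "version": cur["Signature Database Version"],
        "install_lag_days": (installed.date() - issued.date()).days,
        "version_matches_issue_date": sdb_version_date(cur["Signature Database Version"]) == issued.date(),
        "rollback_available": bak["Signature Database Version"] != "" and bak["Signature Database Size(byte)"] != "0",
    }
```

Run it against captured output from a real device rather than the embedded samples. On the page's samples it reports that no C&C domain name database is loaded, that the SA signature database was installed 145 days after it was released, and that no backup version exists, so update rollback would have nothing to return to.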

engine configuration commit

Function

The engine configuration commit command commits the configuration of security policies.

Format

engine configuration commit

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Newly configured or modified security policies do not take effect until you run the engine configuration commit command. To save time, complete all security policy changes first and then commit them in one batch. After committing, confirm that Compile Status in the display engine information output reads Commit Succeeded.

Example

# Commit the security policy configurations.

<Huawei> system-view
[Huawei] engine configuration commit

engine enable

Function

The engine enable command enables the deep security function.

The undo engine enable command disables the deep security function.

By default, the system disables the deep security function.

Format

engine enable

undo engine enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To use the IPS or URL filtering function, you need to purchase a license and run the engine enable command to enable the deep security function.

Precautions

To disable deep security, run the undo engine enable command and then restart the device. The change takes effect only after the restart, and the restart deletes all deep security configurations.

Example

# Enable the deep security function.

<Huawei> system-view
[Huawei] engine enable

engine enhanced-detection

Function

The engine enhanced-detection command configures the engine to work in enhanced detection mode.

The undo engine enhanced-detection command configures the engine to work in common detection mode.

Format

engine enhanced-detection

undo engine enhanced-detection

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

By default, the engine works in common detection mode.

If a high detection rate matters more than throughput, configure the engine to work in enhanced detection mode.

If throughput matters more than a high detection rate, keep the engine in common detection mode.

Example

# Configure the engine to work in enhanced detection mode.

<Huawei> system-view
[Huawei] engine enhanced-detection

engine log enable

Function

The engine log enable command enables log generation for the IPS module or the URL filtering module.

The undo engine log enable command disables log generation for the specified module.

Format

engine log { ips | url-filter } enable

undo engine log { ips | url-filter } enable

Parameters

Parameter Description Value
ips Enables or disables log generation for the IPS module. -
url-filter Enables or disables log generation for the URL filtering module. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the log generation function is enabled for all modules.

Example

# Enable log generation for the IPS module.

<Huawei> system-view
[Huawei] engine log ips enable

engine log timeout

Function

The engine log timeout command sets the period for caching IPS and URL filtering logs.

The undo engine log timeout command restores the default period for caching IPS and URL filtering logs.

By default, the period for caching IPS and URL filtering logs is 1 minute.

Format

engine log timeout interval

undo engine log timeout

Parameters

Parameter

Description

Value

interval

Specifies the period for caching IPS and URL filtering logs.

The value is an integer that ranges from 0 to 30, in minutes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can set the caching period to control how often IPS and URL filtering logs are sent.

For example, if many intrusions hit an IPS-enabled device within a short time, the IPS module generates a large number of logs in a burst. If the device output every log in real time, the administrator's terminal would be flooded. With a caching period set, the device outputs the cached logs only when the period expires, which limits the impact of log bursts.

Precautions

The log buffer holds a maximum of 1024 logs and outputs 16 logs at a time; logs are deleted from the buffer once they have been output.

Example

# Set the period for caching IPS and URL filtering logs to 5 minutes.

<Huawei> system-view
[Huawei] engine log timeout 5

engine pass-through enable

Function

The engine pass-through enable command enables the pass-through mode of the engine.

The undo engine pass-through enable command disables the pass-through mode of the engine.

Format

engine pass-through enable

undo engine pass-through enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The pass-through mode of the engine is disabled by default.

When pass-through mode is enabled, the system still generates events such as debugging information and logs during service processing but performs no enforcement action. Even if a block action is configured for a service, the system does not block the traffic; it only records the event state. Pass-through mode is therefore suitable for validating a policy against live traffic before enforcing it, and it must be disabled again for the policy to block anything.

Example

# Enable the pass-through mode of the engine.

<Huawei> system-view
[Huawei] engine pass-through enable

profile (security policy view)

Function

The profile command binds an IPS profile, a URL filtering profile, or both to a security policy, optionally restricted to the traffic matching an ACL.

The undo profile command unbinds the IPS and URL filtering profiles from a security policy.

By default, no IPS or URL filtering profile is bound to a security policy.

Format

profile { ips ips-name | urlf urlf-name } * [ acl acl-id ]

undo profile

Parameters

Parameter

Description

Value

ips ips-name Specifies the name of an IPS profile to bind to the security policy.
The value is a string of case-sensitive characters. The value cannot contain question marks (?), commas (,), double quotation marks ("), or hyphens (-).
  • If the value of ips-name does not contain spaces, it contains 1 to 32 characters.
  • If the value of ips-name contains spaces, you must enclose it in double quotation marks (""), for example, "user for test", and it contains 3 to 34 characters.
urlf urlf-name Specifies the name of a URL filtering profile to bind to the security policy.
The value is a string of case-sensitive characters. The value cannot contain question marks (?), commas (,), double quotation marks ("), or hyphens (-).
  • If the value of urlf-name does not contain spaces, it contains 1 to 32 characters.
  • If the value of urlf-name contains spaces, you must enclose it in double quotation marks (""), for example, "user for test", and it contains 3 to 34 characters.
acl acl-id Specifies the number of an ACL that selects the traffic to inspect. If no ACL is specified, the device inspects all traffic passing through the interzone to which the policy is applied. The value is an integer.
  • 2000 to 2999: basic ACLs
  • 3000 to 3999: advanced ACLs

Views

Security policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device uses a security policy to implement integrated content security detection.

Integrated content security detection means that the device uses the Intelligent Awareness Engine to detect and process the content of a flow in a single pass, implementing the content security functions intrusion prevention (IPS) and URL filtering.

After this command binds an IPS or URL filtering profile to a security policy and the security policy is applied to an interzone, the device performs IPS or URL filtering on the traffic passing through that interzone.

Prerequisites

  • An IPS profile has been created using the profile type ips name command if an IPS profile needs to be bound to the security policy.
  • A URL filtering profile has been created using the profile type url-filter name command if a URL filtering profile needs to be bound to the security policy.
  • An ACL has been created using the acl (system view) command if an ACL needs to be bound to the security policy.

Precautions

To use several content security functions at once (for example, URL filtering and IPS), create a URL filtering profile and an IPS profile, and run the profile command to bind both to one security policy.

If the security policy has already been applied to an interzone with the security-policy (interzone view) command, run the undo security-policy command to unbind it from the interzone first, and then bind the IPS or URL filtering profile to the policy.

Currently, only IPv4 ACLs (ACL4) are supported for IPS and URL filtering. When an ACL is bound to a security policy, note the following:

  • Traffic matching a permit rule of the ACL is inspected.
  • Traffic matching a deny rule of the ACL is not inspected.
  • Traffic matching no rule of the ACL is not inspected either, so binding an ACL narrows inspection to the traffic it explicitly permits.

Example

# Bind a URL filtering profile huawei to a security policy huawei.

<Huawei> system-view
[Huawei] profile type url-filter name huawei
[Huawei-profile-url-filter-huawei] quit
[Huawei] security-policy huawei
[Huawei-security-policy-huawei] profile urlf huawei

# Bind an IPS profile huawei to a security policy huawei.

<Huawei> system-view
[Huawei] profile type ips name huawei
[Huawei-profile-ips-huawei] quit
[Huawei] security-policy huawei
[Huawei-security-policy-huawei] profile ips huawei

security-policy

Function

The security-policy command creates a security policy and displays its view, or directly displays the view of an existing security policy.

The undo security-policy command deletes a security policy.

By default, no security policy is created.

Format

security-policy policy-name

undo security-policy policy-name

Parameters

Parameter

Description

Value

policy-name

Specifies the name of a security policy.

The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

As networks grow, packets carry various potential risks such as Trojan horses, worms, and viruses. Packet filtering rules based on the 5-tuple (source address, destination address, source port, destination port, and protocol type) control forwarding but cannot inspect content, so enterprises need stronger protection.

To monitor network traffic, the device uses a security policy to implement integrated content security detection: the Intelligent Awareness Engine detects and processes the content of a flow in a single pass and applies the content security functions intrusion prevention and URL filtering. With a security policy, the device controls traffic forwarding based on users and applications, inspects traffic content, and applies intrusion prevention and URL filtering to protect the network.

Follow-up Procedure

Run the firewall interzone command to create an interzone and enter the interzone view, and then run the security-policy (interzone view) command to bind the security policy to that interzone.

Example

# Create a security policy security.

<Huawei> system-view
[Huawei] security-policy security
[Huawei-security-policy-security] 

security-policy (interzone view)

Function

The security-policy command binds a security policy to an interzone.

The undo security-policy command unbinds a security policy from an interzone.

By default, no security policy is bound to an interzone.

Format

security-policy policy-name

undo security-policy policy-name

Parameters

Parameter

Description

Value

policy-name

Specifies the name of a security policy to be bound to an interzone.

The value is a string of 1 to 31 case-sensitive characters without spaces and must be the name of an existing security policy.

Views

Interzone view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A security policy must be bound to an interzone so that IPS or URL filtering in the security policy can be used to defend against application layer attacks (for example, buffer overflow attacks, Trojan horses, worms, and backdoor attacks) or control HTTP access rights.

Prerequisites

The firewall interzone command has been executed to create an interzone and enter the interzone view.

The security-policy command has been executed to create a security policy.

Example

# Bind the security policy security to an interzone.

<Huawei> system-view
[Huawei] firewall zone zone1
[Huawei-zone-zone1] priority 10
[Huawei-zone-zone1] quit
[Huawei] firewall zone zone2
[Huawei-zone-zone2] priority 13
[Huawei-zone-zone2] quit
[Huawei] security-policy security
[Huawei-security-policy-security] quit
[Huawei] firewall interzone zone1 zone2
[Huawei-interzone-zone1-zone2] security-policy security
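# The following sequence ties the commands of this section together, from enabling the engine to verifying the committed policy. It is an added example, not a procedure from the Huawei documentation. The zone names lan and wan, the zone priorities, the profile and policy names, the subnet 10.1.10.0/24, and the advanced ACL rule syntax (standard VRP, shown with its assumed view prompt) are assumptions; the detection settings inside the IPS and URL filtering profile views are not covered on this page.

```text
<Huawei> system-view
[Huawei] engine enable
# Advanced ACL (3000-3999) selecting what the policy inspects: permit = inspect,
# deny = skip, no match = skip. Rule syntax and view prompt are standard VRP (assumed).
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip destination 10.1.10.0 0.0.0.255
[Huawei-acl-adv-3000] quit
[Huawei] profile type ips name lan-wan-ips
[Huawei-profile-ips-lan-wan-ips] quit
[Huawei] profile type url-filter name lan-wan-urlf
[Huawei-profile-url-filter-lan-wan-urlf] quit
# Bind both profiles and the ACL with one profile command. If the policy were
# already applied to an interzone, run undo security-policy in that interzone first.
[Huawei] security-policy lan-wan
[Huawei-security-policy-lan-wan] profile ips lan-wan-ips urlf lan-wan-urlf acl 3000
[Huawei-security-policy-lan-wan] quit
[Huawei] firewall zone lan
[Huawei-zone-lan] priority 13
[Huawei-zone-lan] quit
[Huawei] firewall zone wan
[Huawei-zone-wan] priority 10
[Huawei-zone-wan] quit
[Huawei] firewall interzone lan wan
[Huawei-interzone-lan-wan] security-policy lan-wan
[Huawei-interzone-lan-wan] quit
# Make sure the engine enforces rather than only logs. Pass-through mode is off by
# default; this makes it explicit after any trial run with engine pass-through enable.
[Huawei] undo engine pass-through enable
# Nothing above takes effect until it is committed.
[Huawei] engine configuration commit
# Verify: the policy shows both profiles and ACL 3000; Compile Status reads Commit Succeeded.
[Huawei] display security-policy name lan-wan
[Huawei] display engine information
```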

update abort

Function

The update abort command aborts the update process.

Format

update abort

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

The update abort command applies only to online (immediate) updates and update retries. During an online update, the device must connect to the security center; if the network rate is too low and the update affects services or device performance, run update abort to stop it and retry later. While an update retry is in progress, no other update operation can be performed, so run update abort first if you need to use another update method.

Example

# Abort the update process.

<Huawei> system-view
[Huawei] update online cnc
[Huawei] update abort

update apply

Function

The update apply command installs the downloaded update files.

Format

update apply { cnc | ips-sdb | sa-sdb }

Parameters

Parameter Description Value
cnc Installs the malicious (C&C) domain name database update files. -
ips-sdb Installs the IPS signature database update files. -
sa-sdb Installs the application identification (SA) signature database update files. -

Views

System view

Default Level

3: Management level

Usage Guidelines

If manual installation confirmation has been enabled by the update confirm command, run the update apply command to install the update files. If update files have been uploaded to the device memory using FTP, run the update local command to install them.

Example

# Install the Malicious domain name database update files.

<Huawei> system-view
[Huawei] update apply cnc

update confirm

Function

The update confirm command enables manual confirmation of database installation.

The undo update confirm command disables manual confirmation of database installation.

Format

update confirm { cnc | ips-sdb | sa-sdb } enable

undo update confirm { cnc | ips-sdb | sa-sdb } enable

Parameters

Parameter Description Value
cnc Enables or disables manual confirmation before the malicious (C&C) domain name database update files are installed. -
ips-sdb Enables or disables manual confirmation before the IPS signature database update files are installed. -
sa-sdb Enables or disables manual confirmation before the application identification (SA) signature database update files are installed. -

Views

System view

Default Level

3: Management level

Usage Guidelines

The manual confirmation of database installation is disabled by default. That is, the device automatically installs the upgrade files after downloading them.

If you enable manual confirmation of database installation, the device will not automatically install the upgrade files after downloading them. You need to run the update apply command to install the upgrade files.

Example

# Disable manual confirmation for the Malicious domain name database installation.

<Huawei> system-view
[Huawei] undo update confirm cnc enable
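# A change-controlled signature update combining update host source, update confirm, display update status, display version and update apply, as an added example rather than a procedure from the Huawei documentation. The source address 10.1.1.1 is assumed. The database keyword of update online and the parameters of update rollback are not shown on this page; they are assumed here to follow the { cnc | ips-sdb | sa-sdb } pattern of the other update commands.

```text
<Huawei> system-view
# Pin the source address of update requests so an upstream firewall can allowlist
# the device by address; by default the outbound interface's address is used.
[Huawei] update host source ip 10.1.1.1
[Huawei] display update host source
# Require an operator to confirm before a downloaded IPS signature database is installed.
[Huawei] update confirm ips-sdb enable
[Huawei] display update configuration
# Download now and poll the status until it returns to Idle (keyword assumed).
[Huawei] update online ips-sdb
[Huawei] display update status
# With confirmation enabled, display version shows a Download Version block:
# check its version string, size and issue time before installing.
[Huawei] display version ips-sdb
[Huawei] update apply ips-sdb
# Current Version is now the new database and Backup Version the previous one,
# which is what update rollback returns to if the new signatures misbehave.
[Huawei] display version ips-sdb
[Huawei] display engine information
# Revert if needed (parameter form assumed).
[Huawei] update rollback ips-sdb
```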

update force apply

Function

The update force apply command forcibly installs the downloaded update files.

Format

update force apply { cnc | ips-sdb | sa-sdb }

Parameters

Parameter Description Value
cnc Forcibly installs the malicious (C&C) domain name database update files. -
ips-sdb Forcibly installs the IPS signature database update files. -
sa-sdb Forcibly installs the application identification (SA) signature database update files. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Use this command to install a signature database only when heavy traffic leaves too little memory for a normal upgrade. While it runs, traffic bypasses the engine (IPS and URL filtering are not applied) and all session tables are reset, so existing sessions are interrupted. Use this command with caution.

Example

# Forcibly install the malicious domain name database update files.

<Huawei> system-view
[Huawei] update force apply cnc

update force local

Function

The update force local command forcibly updates a signature database from an update file that has been uploaded to the device memory using FTP or SFTP.

Format

update force local { cnc | ips-sdb | sa-sdb } file filename

Parameters

Parameter Description Value
cnc

Indicates forcible manual update of the malicious domain name database.

-

ips-sdb

Indicates forcible manual update of the IPS signature database.

-

sa-sdb

Indicates forcible manual update of the SA signature database.

-

file filename

Specifies the file used for the update. You must upload the update files to the device memory before the update.

The absolute path of a file is a string of 1 to 64 characters without spaces.

Views

System view

Default Level

3: Management level

Usage Guidelines

Use this command to update a signature database from a local file only when heavy traffic leaves too little memory for a normal upgrade. While it runs, traffic bypasses the engine (IPS and URL filtering are not applied) and all session tables are reset, so existing sessions are interrupted. Use this command with caution.

Example

# Forcibly update the local malicious domain name database using file cnc_h10010000_2014120800.zip.

<Huawei> system-view
[Huawei] update force local cnc file flash:/cnc_h10010000_2014120800.zip

update force online

Function

The update force online command forcibly starts an immediate online update of the specified database.

Format

update force online { cnc | ips-sdb | sa-sdb }

Parameters

Parameter Description Value
cnc Forcibly starts an immediate update of the malicious (C&C) domain name database. -
ips-sdb Forcibly starts an immediate update of the IPS signature database. -
sa-sdb Forcibly starts an immediate update of the application identification (SA) signature database. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Use this command to update a signature database immediately only when heavy traffic leaves too little memory for a normal upgrade. While it runs, traffic bypasses the engine (IPS and URL filtering are not applied) and all session tables are reset, so existing sessions are interrupted. Use this command with caution.

Example

# Forcibly update the Malicious domain name database immediately.

<Huawei> system-view
[Huawei] update force online cnc

update force restore sdb-default

Function

The update force restore sdb-default command forcibly restores the signature database to the factory default version.

Format

update force restore sdb-default { ips-sdb | sa-sdb }

Parameters

Parameter Description Value
ips-sdb

Forcibly restores the IPS signature database to the factory default version.

-

sa-sdb

Forcibly restores the SA signature database to the factory default version.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

  • After you run the update force restore sdb-default command, the signature database is restored to the factory default version and all other versions on the router are deleted. Perform this operation with caution.

  • Use this command to restore the factory default version only when heavy traffic leaves too little memory for a normal upgrade. While it runs, traffic bypasses the engine (IPS and URL filtering are not applied) and all session tables are reset, so existing sessions are interrupted.

Example

# Forcibly restore the IPS signature database to the factory default version.

<Huawei> system-view
[Huawei] update force restore sdb-default ips-sdb

update force rollback

Function

The update force rollback command forcibly rolls back the version of a specified database.

Format

update force rollback { cnc | ips-sdb | sa-sdb }

Parameters

Parameter Description Value
cnc Forcibly rolls back the Malicious domain name database version. -
ips-sdb Forcibly rolls back the IPS signature database version. -
sa-sdb Forcibly rolls back the SA signature database version. -

Views

System view

Default Level

3: Management level

Usage Guidelines

This command is used to roll back the signature database only when excessive traffic causes insufficient memory for upgrade. This command enables the traffic to bypass the engine and resets all session tables. Use this command with caution.

Example

# Forcibly roll back the version of the Malicious domain name database.

<Huawei> system-view
[Huawei] update force rollback cnc

update host source

Function

The update host source command specifies an interface IP address and VPN instance as the source IP address and VPN instance for online update request packets.

The update host source ip command specifies the source IP address of online update request packets.

The undo update host source command deletes the specified interface IP address and VPN instance as the source IP address and VPN instance for online update request packets.

The undo update host source ip command deletes the specified source IP address of online update request packets.

Format

update host source interface-type interface-number

update host source ip ip-address [ vpn-instance vpn-instance ]

undo update host source

undo update host source ip

Parameters

Parameter Description Value
interface-type interface-number Specifies the interface type and interface number. -
ip-address Specifies the source IP address of online update request packets. The value is in dotted decimal notation.
vpn-instance Specifies the name of a VPN instance. The name is a string of 1 to 31 characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

In normal cases, these commands are optional. If the administrator does not configure them, the system searches for a route to the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

When the Router connects to the Internet through a VPN instance, these commands are mandatory; if they are not configured, the update fails.

  • When update host source interface-type interface-number is configured, the interface must be bound to the corresponding VPN instance name.

  • When the update host source ip ip-address command is configured, vpn-instance vpn-instance must be specified.

Instructions on these commands are as follows:

  • The interface specified in the update host source interface-type interface-number command is not necessarily the outgoing interface of update request packets. This command actually specifies the IP address of a specific interface as the source IP address. To send update request packets, the system checks the route information to determine the outgoing interface.

    Do not specify an interface that is bound to a virtual system. Otherwise, the update will fail.

  • If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the Router can receive the reply packets. Otherwise, the online update may fail.

  • When both update host source interface-type interface-number and update host source ip ip-address [ vpn-instance vpn-instance ] are configured, the system preferentially uses the specified IP address as the source IP address of update request packets. That is, the update host source interface-type interface-number command does not take effect.

Example

# Set the interface used for online update to GigabitEthernet 0/0/1.

<Huawei> system-view
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] update host source GigabitEthernet 0/0/1

# Set the source IP address of online update request packets to 10.1.1.1.

<Huawei> system-view
[Huawei] update host source ip 10.1.1.1

update local

Function

The update local command manually updates a signature database from an update file that has already been uploaded to the device memory using FTP or SFTP.

Format

update local { cnc | ips-sdb | sa-sdb } file filename

Parameters

Parameter Description Value
cnc Indicates manual update of the malicious domain name database. -
ips-sdb Indicates manual update of the IPS signature database. -
sa-sdb Indicates manual update of the Application Identification signature database. -
file filename Specifies the file used for the update. You must upload the update files to the device memory before the update. The absolute path of a file is a string of 1 to 64 characters without spaces, for example, hda1:/abc.zip.

Views

System view

Default Level

3: Management level

Usage Guidelines

If the device cannot connect to the network, download the update files from the security center platform to a PC and upload the files to the device memory using FTP or SFTP. Then run the update local command to update the databases.

Example

# Manually update the local malicious domain name database using file cnc_h10010000_2014120800.zip.

<Huawei> system-view
[Huawei] update local cnc file flash:/cnc_h10010000_2014120800.zip

update online

Function

The update online command triggers an immediate online update of the specified database.

Format

update online { cnc | ips-sdb | sa-sdb }

Parameters

Parameter Description Value
cnc Indicates immediate update of the Malicious domain name database. -
ips-sdb Indicates immediate update of the IPS signature database. -
sa-sdb Indicates immediate update of the Application Identification signature database. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Two types of updates are available for the databases: immediate update and scheduled update. When scheduled update is enabled, you can run the update online command to update the databases any time before the scheduled update time arrives. Before the update, ensure that the domain name or IP address of the update center is accessible.

Example

# Update the Malicious domain name database immediately.

<Huawei> system-view
[Huawei] update online cnc

update proxy

Function

The update proxy command sets the IP address or domain name of the proxy server.

The undo update proxy command deletes the proxy server setting.

Format

update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]

undo update proxy

Parameters

Parameter Description Value
domain domain-name Specifies the domain name of the proxy server. The value is a string of 1 to 64 characters, spaces not supported.
ip ip-address Specifies the IP address of the proxy server. The value is in dotted decimal notation.
port port-number Specifies the port number of the proxy server. The value is an integer ranging from 1 to 65535.
user user-name Specifies the user name for logging in to the proxy server. The user name is a string and must have been set on the proxy server. The length of a user name without spaces ranges from 1 to 32 characters. The length of a user name with spaces ranges from 3 to 34 characters. If a user name contains spaces, it must be enclosed in quotation marks (such as "user for test").
password password Specifies the password for logging in to the proxy server. The password is a string and must be the same as the password corresponding to the user name on the proxy server.
  • If the password is encrypted, it contains 32 or 56 characters and must start and end with "%$%$".
  • If the password is not encrypted, it can contain spaces. The length of a password without spaces ranges from 1 to 32 characters. The length of a password with spaces ranges from 3 to 34 characters. If a password contains spaces, it must be enclosed in quotation marks.

Views

System view

Default Level

3: Management level

Usage Guidelines

None.

Example

# Configure a proxy server.

<Huawei> system-view
[Huawei] update proxy ip 192.168.2.33 port 8080 user test password Hello!123

update proxy enable

Function

The update proxy enable command enables the signature database proxy update function.

The undo update proxy enable command disables the signature database proxy update function.

Format

update proxy enable

undo update proxy enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

By default, the signature database proxy update function is disabled.

After this function is enabled, you must run the update proxy command to set the proxy server. Otherwise, the Router cannot connect to the update server through the proxy server.

Example

# Enable the signature database proxy update function.

<Huawei> system-view
[Huawei] update proxy enable

update restore sdb-default

Function

The update restore sdb-default command restores the signature database to the factory default version.

Format

update restore sdb-default { ips-sdb | sa-sdb }

Parameters

Parameter Description Value
ips-sdb Restores the IPS signature database to the factory default version. -
sa-sdb Restores the Application Identification signature database to the factory default version. -

Views

System view

Default Level

3: Management level

Usage Guidelines

After you run the update restore sdb-default command, the signature database is restored to the factory default version. All other versions on the Router are deleted. Perform the operation with caution.

Example

# Restore the IPS signature database to the factory default version.

<Huawei> system-view
[Huawei] update restore sdb-default ips-sdb

update rollback

Function

The update rollback command rolls back the version of a specified database.

Format

update rollback { cnc | ips-sdb | sa-sdb }

Parameters

Parameter Description Value
cnc Rolls back the Malicious domain name database version. -
ips-sdb Rolls back the IPS signature database version. -
sa-sdb Rolls back the Application Identification signature database version. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Run the update rollback command to roll back the current version of a specified database to the previous version. Only one earlier version is retained, so only one rollback step is possible. If you run the update rollback command a second time, the database switches back to the version that was current before the first rollback.

NOTE:
The version rollback function is unavailable until a second update has completed, that is, until a previous version exists to roll back to.

Example

# Roll back the version of the Malicious domain name database.

<Huawei> system-view
[Huawei] update rollback cnc

update schedule

Function

The update schedule command sets scheduled update time for the signature database.

Format

update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]

update schedule { cnc | ips-sdb | sa-sdb } { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time

Parameters

Parameter Description Value
daily Indicates daily update of a signature database. -
weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } Indicates weekly update of a signature database on the specified day. -
cnc Indicates the scheduled update time of the Malicious domain name database. -
ips-sdb Indicates the scheduled update time of the IPS signature database (IPS-SDB). -
sa-sdb Indicates the scheduled update time of the SA signature database (SA-SDB). -
time Specifies the time of day for the scheduled update of the signature database. The format is hh:mm. The hour and minute are separated by a colon (:). The hh value ranges from 0 to 23 and the mm value ranges from 0 to 59.

Views

System view

Default Level

3: Management level

Usage Guidelines

  • Running the update schedule command without parameters schedules a daily update of all signature databases at a time within the range 22:00 to 08:00.
  • Using the update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ] command, you can configure the scheduled update time for all signature databases.
  • Using the update schedule { cnc | ips-sdb | sa-sdb } { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time command, you can configure the scheduled update time for a single signature database.

Example

# Configure a scheduled update of signature databases at 02:00 every Wednesday.

<Huawei> system-view
[Huawei] update schedule weekly wed 02:00

# Configure a scheduled update of signature database at 03:00 every day.

<Huawei> system-view
[Huawei] update schedule daily 03:00

update schedule enable

Function

The update schedule enable command enables scheduled update of a signature database.

The undo update schedule enable command disables scheduled update of a signature database.

Format

update schedule { cnc | ips-sdb | sa-sdb } enable

undo update schedule { cnc | ips-sdb | sa-sdb } enable

Parameters

Parameter Description Value
cnc Indicates the scheduled update of the Malicious domain name database. -
ips-sdb Indicates the scheduled update of the IPS signature database. -
sa-sdb Indicates the scheduled update of the Application Identification signature database. -
enable Enables scheduled update of the specified signature database. -

Views

System view

Default Level

3: Management level

Usage Guidelines

None

Example

# Enable scheduled update of the Malicious domain name database.

<Huawei> system-view
[Huawei] update schedule cnc enable

update server

Function

The update server command sets the IP address or domain name of the update server.

The undo update server command deletes the IP address or domain name of the update server.

Format

update server { domain domain-name | ip ip-address } [ port port-number ]

undo update server

Parameters

Parameter Description Value
domain domain-name Specifies the domain name of the update server. The value is a string of 1 to 64 characters, spaces not supported.
ip ip-address Specifies the IP address of the update server. The value is in dotted decimal notation.
port port-number Specifies the port number of the update server. The value is an integer ranging from 1 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

By default, the domain name of the update server is sec.huawei.com, and the port number is 80.

Example

# Set the IP address of the update server to 10.1.1.1 and port number to 86.

<Huawei> system-view
[Huawei] update server ip 10.1.1.1 port 86
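As an added example (not from this manual or from Huawei's software), the following Python checker audits the signature-update lines of a configuration script against the value rules given in this reference: the proxy password must be in the encrypted form (32 or 56 characters bracketed by "%$%$"), scheduled update times must be hh:mm within range, the update server port must be 1 to 65535, and each of the three databases should have update schedule ... enable. The configuration text, the server domain name and the proxy credentials are constructed.

```python
import re

DATABASES = ("cnc", "ips-sdb", "sa-sdb")

# Constructed configuration script: one plaintext proxy password and
# one database (sa-sdb) that is never enabled for scheduled update.
SAMPLE_CONFIG = """\
 update server domain sec.example.invalid port 443
 update proxy ip 192.168.2.33 port 8080 user test password Hello!123
 update proxy enable
 update schedule cnc enable
 update schedule ips-sdb enable
 update schedule weekly Wed 02:00
"""

def password_is_encrypted(pw):
    """Encrypted form per this reference: 32 or 56 characters, bracketed by %$%$."""
    return len(pw) in (32, 56) and pw.startswith("%$%$") and pw.endswith("%$%$")

def valid_time(hhmm):
    """Scheduled time is hh:mm with hh 0..23 and mm 0..59."""
    m = re.fullmatch(r"(\d{1,2}):(\d{1,2})", hhmm)
    return bool(m) and int(m.group(1)) <= 23 and int(m.group(2)) <= 59

def audit_update_config(config):
    """Return a list of findings; an empty list means the update section is clean."""
    findings, enabled = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("update proxy ") and " password " in line:
            pw = line.split(" password ", 1)[1].strip()
            if not password_is_encrypted(pw):
                findings.append("update proxy: password stored in plaintext")
        elif m := re.fullmatch(r"update schedule (cnc|ips-sdb|sa-sdb) enable", line):
            enabled.add(m.group(1))
        elif line.startswith("update schedule "):
            hhmm = line.rsplit(" ", 1)[1]          # last token is the hh:mm time
            if not valid_time(hhmm):
                findings.append(f"update schedule: invalid time {hhmm!r}")
        elif m := re.fullmatch(r"update server .* port (\d+)", line):
            if not 1 <= int(m.group(1)) <= 65535:
                findings.append("update server: port out of range")
    for db in DATABASES:
        if db not in enabled:
            findings.append(f"update schedule {db} enable: missing, no scheduled update")
    return findings

if __name__ == "__main__":
    for finding in audit_update_config(SAMPLE_CONFIG):
        print(finding)
```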
Updated: 2019-05-29

Document ID: EDOC1000097293