Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide


Updating Signature Databases

This section describes how to update signature databases using the CLI.

Preparation

This section describes preparations for signature database updates.

Checking the Free Space of the Root Directory

Before updating a signature database, check whether the free space of the root directory is sufficient. For details, see the following table.

Signature Database                                              Required Free Space
--------------------------------------------------------------  -------------------
Antivirus signature database (AV-SDB)                           8 MB or higher
Malicious domain name database                                  1 MB or higher
IPS signature database (IPS-SDB)                                5 MB or higher
Application signature database used by the Central AP (SA-SDB)  5 MB or higher

Checking the Current Update Status

Signature databases cannot be updated simultaneously. You can start updating a signature database only when the current update status is Idle.

To check the current update status, perform the following operation:

  1. Run the display update status command to check the update status of the signature database.

    <Huawei> display update status
      Current Update Status: Idle.
    

    If Current Update Status is Idle, you can update the desired signature database. Otherwise, repeat the display update status command until Current Update Status changes to Idle, and then update the desired signature database.

Checking the Signature Database Version

Check the signature database version to determine whether the signature database needs to be updated.

To check the signature database version, perform the following operation:

  1. Run the display version { av-sdb | cnc | ips-sdb | sa-sdb } * command to check the signature database version.

    # View the version of the AV signature database.

    <Huawei> display version av-sdb
    AV SDB Update Information List:                                               
    ----------------------------------------------------------------              
      Current Version:                                                            
        Signature Database Version    : 2016090600                             
        Signature Database Size(byte) : 28032                                         
        Update Time                   : 08:34:03 2016/09/07                       
        Issue Time of the Update File : 00:00:33 2016/09/07                       
                                                                                  
      Backup Version:                                                             
        Signature Database Version    : 2016090100                              
        Signature Database Size(byte) : 26752                                         
        Update Time                   : 07:18:56 2016/09/02                       
        Issue Time of the Update File : 20:11:40 2016/09/02                       
                                                                                  
      Download Version:                                                           
        Signature Database Version    :                                           
        Signature Database Size(byte) : 0                                         
    ----------------------------------------------------------------               
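
The status and version checks above can be run against captured CLI output before an update is started. The following Python is an added example, not part of Huawei's guide: `preflight`, its return labels and the `offered_version` parameter are hypothetical, and it assumes version strings are all-digit values that compare numerically and that a non-empty Download Version is a package awaiting `update apply`.

```python
import re

# Constructed sample input: the outputs shown above, abbreviated to the fields used.
STATUS_OUTPUT = """<Huawei> display update status
  Current Update Status: Idle.
"""
VERSION_OUTPUT = """<Huawei> display version av-sdb
AV SDB Update Information List:
----------------------------------------------------------------
  Current Version:
    Signature Database Version    : 2016090600
    Update Time                   : 08:34:03 2016/09/07
  Backup Version:
    Signature Database Version    : 2016090100
  Download Version:
    Signature Database Version    :
----------------------------------------------------------------
"""

def update_is_idle(text):
    """True only when the 'Current Update Status' line reads Idle."""
    m = re.search(r"Current Update Status\s*:\s*(\w+)", text)
    return bool(m) and m.group(1).lower() == "idle"

def parse_version(text):
    """Return {section: {field: value}} for the Current/Backup/Download blocks."""
    sections, fields = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"(Current|Backup|Download) Version:", line)
        if head:
            fields = sections.setdefault(head.group(1), {})
        elif fields is not None and ":" in line:
            # Split on the first colon only; time values contain colons too.
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return sections

def preflight(status_text, version_text, offered_version):
    """Hypothetical helper: decide what to do about an offered version."""
    # Assumptions: versions are all-digit strings that compare numerically, and
    # a non-empty Download Version is a package still waiting for 'update apply'.
    if not update_is_idle(status_text):
        return "wait"        # another update is still running
    info = parse_version(version_text)
    field = "Signature Database Version"
    installed = info.get("Current", {}).get(field, "")
    pending = info.get("Download", {}).get(field, "")
    if not (installed.isdigit() and str(offered_version).isdigit()):
        return "inspect"     # output did not parse; check by hand
    if int(offered_version) <= int(installed):
        return "skip"        # nothing newer than the installed version
    if pending.isdigit() and int(pending) >= int(offered_version):
        return "apply"       # already downloaded, only needs installing
    return "update"
```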

Determining Signature Database Update Options

You can choose whether an updated signature database is downloaded and installed, or only downloaded.

Context

Signature database updates offer two options:

  • Download only: After signature databases are downloaded, you must manually install them.
  • Download and install: Signature databases are automatically installed after being downloaded.

By default, the system downloads and installs the signature database. For details about how to change the update option, see Procedure.

Procedure

  1. Access the system view.

    system-view

  2. Enable the signature database update confirmation function.

    update confirm { av-sdb | cnc | ips-sdb | sa-sdb } enable

    If a new signature database exists on the Central AP and needs to be installed, go to step 3.

  3. Install the downloaded signature database.

    update apply { av-sdb | cnc | ips-sdb | sa-sdb }

Follow-up Procedure

To restore the default signature database update option, follow the instructions below:

  1. Access the system view.

    system-view

  2. Disable the signature database update confirmation function.

    undo update confirm { av-sdb | cnc | ips-sdb | sa-sdb } enable

Scheduled Update

After scheduled update is configured, the Central AP automatically downloads signature databases as scheduled.

Prerequisites

  • The Central AP can access the update server directly or through the proxy server.
  • When the device can directly access the update center, configure security policies as follows:

    • Set the source security zone to Local.
    • Permit HTTP and FTP traffic. HTTP is used by the Central AP to interact with the security center, and FTP is used to connect to FTP control channels for downloading signature database files.
    • Permit user-defined service traffic, with the protocol being TCP and destination port ranging from 10001 to 15000 (for connecting to FTP data channels).
  • When the device accesses the update center through the proxy server, configure security policies as follows:

    • Set the source security zone to Local.
    • Permit HTTP so that the Central AP can interact with the proxy server.

Procedure

  1. Configure an update center.
    1. Access the system view.

      system-view

    2. Configure the update center.

      update server { domain domain-name | ip ip-address } [ port port-number ]

      The update center is the security center platform, and its default domain name is sec.huawei.com.

  2. Optional: Configure a proxy server.

    Perform this step when the Central AP needs to access the update center using a proxy server.

    1. Enable the signature database proxy update.

      update proxy enable

    2. Set the domain name (or IP address), user name, and password of the proxy server.

      update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]

  3. Optional: Configure a DNS server.
    1. Configure the DNS server to resolve domain names.

      dns resolve

    2. Specify the IP address of the DNS server.

      dns server ip-address

  4. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address as the source IP address for online update request packets.

      update host source interface-type interface-number

    • Specify the source IP address of online update request packets.

      update host source ip ip-address

    If the administrator does not specify the source IP address for online update request packets, the system looks up a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the Central AP can receive the reply packets. Otherwise, the online update may fail.

  5. Enable the scheduled update function.

    update schedule { av-sdb | cnc | ips-sdb | sa-sdb } enable

    By default, scheduled update of the signature database is enabled.

  6. Set scheduled update time.

    update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]

    update schedule { av-sdb | cnc | ips-sdb | sa-sdb } { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time

    Set the scheduled update time based on your network settings, and ensure that the update does not take up the network resources needed by normal services.

    The recommended update frequencies for the signature databases are listed below. You can adjust them according to your network settings.

    • Intrusion Prevention Signature Database: once a week
    • Antivirus Signature Database: once a day
    • Application Identification Signature Database used by the Central AP: once a week
    • Application Identification Signature Database used by the AP: once a week
    • Malicious Domain Name Signature Database: once a day
    NOTE:

    During a scheduled update, you can run the update abort command to abort the update if the update consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for the update and normal services and then run the update online { av-sdb | cnc | ips-sdb | sa-sdb } command to download the latest signature database.

  7. Optional: Install the downloaded signature database.

    update apply { av-sdb | cnc | ips-sdb | sa-sdb }

Follow-up Procedure

A scheduled update may fail, in which case the system retries it periodically. You can set the retry intervals as follows.

  • In the system view, set the retry interval for downloading the signature database for scheduled update. The default value is 3600 seconds.

    update schedule retry-download interval interval-value

  • In the system view, set the retry interval for loading the signature database for scheduled update. The default value is 3600 seconds.

    update schedule retry-load interval interval-value

Immediate Update

You can update signature databases at any time.

Prerequisites

  • The Central AP can access the update server directly or through the proxy server.
  • When the device can directly access the update center, configure security policies as follows:

    • Set the source security zone to Local.
    • Permit HTTP and FTP traffic. HTTP is used by the Central AP to interact with the security center, and FTP is used to connect to FTP control channels for downloading signature database files.
    • Permit user-defined service traffic, with the protocol being TCP and destination port ranging from 10001 to 15000 (for connecting to FTP data channels).
  • When the device accesses the update center through the proxy server, configure security policies as follows:

    • Set the source security zone to Local.
    • Permit HTTP so that the Central AP can interact with the proxy server.

Context

For scheduled and immediate updates, signature database download addresses (IP address of the server configured on the Central AP or the IP address of the proxy server) and update procedures are the same. The two update modes differ in that immediate update can be performed at any time whereas scheduled update must be implemented at the specified time.

Procedure

  1. Optional: Specify the source IP address for online update request packets.

    • Specify an interface IP address as the source IP address for online update request packets.

      update host source interface-type interface-number

    • Specify the source IP address of online update request packets.

      update host source ip ip-address

    If the administrator does not specify the source IP address for online update request packets, the system looks up a route based on the IP address of the update server and uses the IP address of the outgoing interface as the source IP address of update request packets.

    If the interface has multiple IP addresses, run the update host source ip ip-address command to set the source IP address of update request packets and ensure that the Central AP can receive the reply packets. Otherwise, the online update may fail.

  2. Update the signature database immediately.

    update online { av-sdb | cnc | ips-sdb | sa-sdb }

    NOTE:

    If the immediate update consumes too much bandwidth and interrupts normal services of the Central AP, you can run the update abort command to abort the signature database update. Wait until the bandwidth is sufficient for the update and normal services and then download the latest signature database.

  3. Optional: Install the downloaded signature database.

    update apply { av-sdb | cnc | ips-sdb | sa-sdb }

    You do not need to run this command if the system has been configured to download and install the signature database. To set the signature database update option, see Determining Signature Database Update Options.

Local Update

If the device cannot access the security center, locally update the signature databases.

Prerequisites

The update package has been uploaded to the memory of the Central AP using SFTP, FTP or TFTP.

Procedure

  1. Download the update package.
    1. Log in to Huawei security center (sec.huawei.com) and choose Signature Update > Signature Update.
    2. Select the product type, series, name, and version.
    3. Click the tab of the signature database to be updated.

      • Antivirus signature database: AV
      • Application identification signature database used by the Central AP: SA
      • Malicious domain name database: CNC
      • IPS signature database: IPS

    4. Download the signature database file.

      Click the download icon on the right side. The Detail dialog box is displayed.

      Certain signature database files have auxiliary files to further describe the signature databases or version changes:
      • Auxiliary file of the application identification signature database:

        The file "SA-SDB_Classified Application Protocol ID_x.x.xls" is bilingual (Chinese and English). It describes the application categories, application subcategories, software information, application information, and application bearer information supported by the Central AP or AP.

        x.x in the file name specifies the file version, which corresponds to a specific signature database version. Choose the auxiliary file that matches what the device supports.

      • Auxiliary file of the IPS signature database: describes the addition, deletion, and modification of IPS signatures, as well as vulnerability information about the signatures.

      • Auxiliary file of the antivirus signature database: describes information about changed virus families.

  2. Upload the update package to the memory of the Central AP.

    NOTE:

    The update package can be placed in any directory of the Central AP storage. However, the root directory is recommended.

    The signature database files are in ZIP format. You can upload them directly to the Central AP without decompressing them.

  3. Access the system view.

    system-view

  4. Enable the local update function.

    update local { av-sdb | cnc | ips-sdb | sa-sdb } file filename

Version Rollback

When the current signature database is faulty (for example, false positives occur or system performance is degraded), you can roll it back to the previous version.

Context

You can roll back to only one version. If you perform version rollbacks repeatedly, the system switches between the current version and the rollback version.

Procedure

  1. Access the system view.

    system-view

  2. Roll back the version of a specified database.

    update rollback { av-sdb | cnc | ips-sdb | sa-sdb }

Version Restoration

If an exception occurs during the update of the signature database, you can restore the signature database to the factory default version and perform the update again.

Context

After the signature database is restored to the default version, the signature database files corresponding to the rollback and download versions of the signature database will be deleted. Therefore, exercise caution when using the function.

Procedure

  1. Access the system view.

    system-view

  2. Restore the signature database to the factory default version.

    update restore sdb-default { av-sdb | ips-sdb | sa-sdb }

Verification and Check

This section describes the verification and check operations after a signature database is updated.

Verification

After updating a signature database, use the following commands to check the result:

Action                                                                          Command
------------------------------------------------------------------------------  -----------------------------------------------------
Display the status of engines and the version of all signature databases.       display engine information
Display the update configuration.                                               display update configuration
Display the interface and source address configurations used in online update.  display update host source
Display the update status.                                                      display update status
Display the version of a specified engine or signature database.                display version { av-sdb | cnc | ips-sdb | sa-sdb } *
Display the signature database update information.                              display update information all-sdb

Updated: 2019-01-11

Document ID: EDOC1000176006
