Upgrading the SAC Signature File

Procedure

• Perform an online upgrade.
  1. Run system-view
  2. (Optional) Run update server { domain domain-name | ip ip-address } [ port port-number ]

     The IP address or domain name of the update server is configured.

     By default, the domain name of the update server is sec.huawei.com, the HTTP port number is 80 and the HTTPS port number is 443.

  3. (Optional) Visit the upgrade server through the proxy server.

     1. Run update proxy enable

        The signature file proxy upgrade function is enabled.

        By default, the signature file proxy upgrade function is disabled.

     2. Run update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]

        The IP address or domain name of the proxy server is configured.

  4. (Optional) Run update online-mode { http | https }

     The online update mode of the signature database is set.

     By default, the online update is in HTTPS mode.

     When configuring the online update mode of the signature database, you can select HTTP or HTTPS. By default, the online update is in HTTPS mode. Update in HTTP mode is risky, and update in HTTPS mode is recommended. To perform update in HTTP mode, you must strictly restrict security policy matching conditions.

  5. Determine an online upgrade mode.

     • Online upgrade through the security center platform

       To ensure that the device can access the security center platform, configure DNS.

       1. Run dns resolve

          Dynamic DNS resolution is enabled.

       2. Run dns server ip-address

          An IP address is configured for the DSN server.

  6. Scheduled upgrade

     1. Run update schedule sa-sdb enable

        The scheduled upgrade function of the SAC signature file is enabled.

        By default, the scheduled online upgrade function of the SAC signature file is enabled.

     2. Run update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]

        The fixed online upgrade time of the SAC signature file is set.

        If no fixed upgrade time is set, a time between 22:00 and 08:00 is selected randomly as the daily upgrade time by default.

        It is recommended that you set time to the time when the device has the minimum traffic volume, for example, 6:00 am.

     3. Set the installation mode of the SAC signature file.

        An SAC signature file can take effect only after being installed on a device. You can select the installation mode, that is, whether confirmation is needed. If you select the confirmation mode, the device asks you whether to install the SAC signature file before the upgrade is performed.

        When you install the new SAC signature file, the old SAC signature file will be overwritten. During this process, services will be interrupted, so you are advised to enable installation confirmation when there is less impact on services.

        • Installation after confirmation

          1. Run update confirm sa-sdb enable

             The installation confirmation function is enabled. The upgrade file downloaded at a fixed time will be installed after confirmation.

             By default, the automatic installation confirmation function of all signature databases is disabled. The upgrade file downloaded at a fixed time will be installed automatically.

          2. Run update apply sa-sdb

             The downloaded upgrade file is installed.

        • Installation without confirmation

          Run undo update confirm sa-sdb enable

          The installation confirmation function is disabled. The upgrade file downloaded at a fixed time will be installed automatically without confirmation.

  7. (Optional) Immediate upgrade

     • Generally, scheduled upgrade can meet service requirements. However, if the upgrade time is not reached, you can select immediate upgrade.

       1. Run update online sa-sdb

          The SAC signature database is upgraded immediately.

       2. Run update apply sa-sdb

          The downloaded upgrade file is installed.

• Terminate the upgrade.

  After the upgrade is started, if many network resources are occupied, you can terminate the upgrade.

  The update can be terminated only during file downloading.

  1. Run system-view

     The system view is displayed.

  2. Run update abort

     The upgrade is terminated.

• Perform a version rollback.

  If an error occurs after the upgrade or the new SAC signature file does not meet requirements, use this command to roll back the version of the SAC signature file.

  Before the version rollback, you are advised to run the display version sa-sdb command to check the rollback version. Then you can choose whether to perform the version rollback. If no rollback version is available, the version rollback fails. The version in the device remains unchanged.

  1. Run system-view

     The system view is displayed.

  2. Run update rollback sa-sdb

     The SAC signature file version is rolled back.

• Perform a local upgrade.

  1. Run system-view

     The system view is displayed.

  2. Run update local sa-sdb file filename

     The SAC signature file is upgraded locally.

     Terminate upgrade are not supported in the local upgrade.

• Restore the version.

  If the signature file is restored to the factory default version, all other versions on the device are deleted.

  1. Run system-view

     The system view is displayed.

  2. Run update restore sdb-default sa-sdb

     The SAC signature file is restored to the factory default version.