V500R001C50SPC100
Upgrade Guide
Issue 01
Date 2017-03-29
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Content Conventions
The purchased products, services and features are stipulated by the contract made between
Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and
features described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and recommendations
in this document are provided "AS IS" without warranties, guarantees or representations of
any kind, either express or implied.
scope of usage. You are obligated to take considerable measures to ensure that the content of
users' communications is fully protected when the content is being used and saved.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
Issue 01 (2017-03-29)
Initial commercial release.
Contents
2 NIP6800 (page 153)
2.1 Upgrade Preparation and Evaluation (page 154)
2.1.1 Supported Source Versions (page 154)
2.1.2 Hardware Support (page 155)
2.1.3 Upgrade Impact (page 157)
2.1.3.1 Impact of the Upgrade from V500R001C50 (page 157)
2.1.3.1.1 Impact of Feature Changes (page 157)
2.1.3.1.2 Impact of Command Changes (page 160)
2.1.3.1.3 Impact of Licenses (page 163)
2.1.3.1.4 Impact of Sensitive Features (page 163)
2.1.3.2 Upgrade Impact from V500R001C30SPC300 (page 164)
2.1.3.2.1 Impact of Feature Changes (page 164)
2.1.3.2.2 Impact of Command Changes (page 168)
2.1.3.2.3 Impact of Licenses (page 190)
2.1.3.2.4 Impact of Sensitive Features (page 190)
2.1.3.3 Other Upgrade Impacts (page 190)
2.1.4 System Software (page 191)
2.2 Upgrading Version Software in Single-System (page 191)
2.2.1 Impact of the Upgrade (page 192)
2.2.1.1 Impact on the Current System During the Upgrade (page 192)
2.2.2 Precautions (page 192)
1 NIP6300/6600
NOTICE
1. Before an upgrade from a patch version, run the patch delete all command to delete the patch.
2. Perform the upgrade.
V500R001C00SPC300, V500R001C00SPC500, V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300 cannot directly upgrade to V500R001C50SPC100. Instead, upgrade them to V500R001C50SPC100 first or install the following patches:
• For V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300, install V500R001SPH002.
NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V1 upgrades are not recommended. If there are such requirements, contact Huawei engineers.
3. To roll back from V500R001C50 to an early version, run the set system-software check-mode all command. For other versions, rollback can be directly performed.
Note the following items for patch upgrades:
• After activating the patch and setting the startup configuration file, ensure that the patch is in activated state when the reboot or reboot fast command is used to restart the system. Otherwise, the system restart may fail.
• If the patch is mistakenly deleted and the system restart fails after the startup configuration file is set, you must re-activate the patch and restart the system again. For a high-end firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not, delete the patch and then install and activate it again.
No. 1
Change description: The device can parse NSH packets.
Cause: To allow the device to parse and forward NSH packets.

No. 8
Change description: IPSec forwarding adapts the user-configured IPSec source port.
Cause: To identify IKE or ESP packets based on the user-configured port.

No. 9
Change description: The northbound interface is added. Virtual-if-[vsysname] can be used to deliver the Virtual-if configuration.
Cause/impact: To improve the Controller's delivery efficiency. The device does not obtain the ID of a created virtual system.

No. 2
Feature: Maintenance and management of the logical resource pool
Change description: The usage of virtual systems and ARP resources can be obtained.
Cause: Function enhanced.
Impact of the upgrade: None.

No. 3
Feature: Web interface traffic statistics
Change description: Before modification, traffic statistics on all interfaces apply to virtual system interfaces. After the modification, traffic statistics on all interfaces equal the sum of traffic on interfaces in the corresponding system.
Cause: If the maximum number of virtual systems are created, too many memory resources are occupied.
Impact of the upgrade: None.

No. 5
Feature: Cloud sandbox interworking
Change description: AAPT interworking supports HTTPS.
Cause: The firewall AAPT can interconnect with a cloud sandbox through HTTPS.
Impact of the upgrade: As old devices do not have preset certificates, you must manually import the certificate and key for cloud sandbox interworking.

No. 6
Feature: SSL proxy
Change description: The SSL server certificate supports virtualization.
Cause: The certificate can be virtualized.
Impact of the upgrade: None.

No. 7
Feature: Quota control
Change description:
• The alarm threshold reminders are added for daily duration quota, daily traffic quota, and monthly traffic quota.
• A device domain name can be set to hide the device IP address on the pushed alarm and quota exhaustion web pages.
Cause: Agile Controller-Campus supports policy traffic statistics.
Impact of the upgrade: None.
Deleted Features
None.
New Commands
Command | Description | Impact
Original Command | New Command | Change Description | Upgrade Impact
Original command: display ipsec statistics
New command: display ipsec statistics all-systems
Change description: The keyword all-systems is added.
Upgrade impact: This command is used in the root system before C50. After the upgrade to C50, you must run the display ipsec statistics all-systems command to display IPSec statistics in the root system.
Deleted Commands
None.
The license can still be used after the upgrade from V500R001C50 to V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C50 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
• The sensitive feature component package to be loaded must be compatible with the system software.
• Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
• After the upgrade, you must dynamically load these features.
• After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
Deleted Features
No. 3
Feature: Collection of the accumulated value of specific policy traffic through the OID
Cause: This feature enables the NMS to analyze the traffic and policy in a more convenient way.

No. 10
Feature: System memory detection mechanism
Cause: To detect memory overwriting and memory leak issues.

No. 11
Feature: Detection of abrupt KPI information change
Cause: To detect abrupt changes of the memory, CPU usage, and session, and send alarms.

No. 12
Feature: Disabling of the bound interface when the CPU usage exceeds the threshold
Cause: To disable the previously bound interface when the CPU usage exceeds the specified threshold.

No. 14
Feature: Customization of session log templates in syslog format
Cause: The function is enhanced.

No. 15
Feature: Enhanced session log function
Cause: The function is enhanced.

No. 16
Feature: Real-time traffic statistics collection
Cause: The function is enhanced.

No. 17
Feature: Alarm on the exhaustion of forwarding resources on the firewall
Cause: The function is enhanced.

No. 18
Feature: Enhanced restriction on the number of new connections
Cause: The function is enhanced.

No. 21
Feature: Alarm on abrupt session changes
Cause: The function is enhanced.

No. 22
Feature: Multicast packet filtering
Cause: The function is enhanced.

No. 23
Feature: Filtering and viewing of blacklists of various types
Cause: The function is enhanced.
No. 1
Feature: Policy
Change description: In policy query, related policies can be rapidly located based on quintuple information (or accurate source and destination information, and source and destination address segments). Policy objects support fuzzy query and association with the drop-down list.
Cause: The ease of use shall be improved.
Impact of the upgrade: None

No. 6
Feature: HRP
Change description: The support of smooth upgrade is added.
Cause: The function is enhanced.
Impact of the upgrade: None

No. 8
Feature: BWM
Change description: The northbound function is added for the per-user maximum connection rate and per-IP address maximum connection rate. Virtualization is supported.
Cause: The function is enhanced.
Impact of the upgrade: None

No. 9
Feature: PKI
Change description: When the certificate or key pair is imported through the CLI, the file shall be uploaded to the corresponding directory (public on the root firewall and vsys+vsysid on the virtual firewall) under cfcard:/pki or hda1:/pki.
Cause: The function is enhanced.
Impact of the upgrade: None

No. 13
Feature: Session log
Change description: Sending encrypted session logs over an IPsec tunnel is supported.
Cause: The function is enhanced.
Impact of the upgrade: None

No. 15
Feature: Application
Change description: After the SA signature database is updated, application names of functions that reference applications, such as integrated policy, application group, and port mapping, are smoothly updated to new names after configuration update. For example, QQ_Webmail is updated to WebMail_QQ, and GMail to WebMail_GMail.
Cause: The function is enhanced.
Impact of the upgrade: None
None
New commands
For new command details, see the product document.
Modified commands
Original Command | New Command | Change Description | Impact of the Upgrade
Original command: ssl whitelist userdefined-hostname xxx
New command: ssl whitelist hostname xxx
Change description: Modify keywords.
Impact of the upgrade: None

Original command: startup patch STRING<5-48>
New command: startup patch STRING<5-48> [ slave-board | all | chassis STRING<1-16> { master | slave } | slot STRING<1-64> ]
Change description: The configuration patch file of the standby board is added.
Impact of the upgrade: None

Original command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] *
New command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] * [ | count ] [ | [ before INTEGER<1-999> | after INTEGER<1-999> ] * { begin | include | exclude } TEXT0 ]
Change description: The pipe character-based filtering and query function is added.
Impact of the upgrade: None

Original command: info-center timestamp { log | trap | debugging } { { none | boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] }
New command: info-center timestamp { log | trap | debugging } { { boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] } [ without-timezone ]
Change description: In security rectification, the no-timestamp mode is deleted.
Impact of the upgrade: None

Original command: snmp-agent acl { INTEGER<0-4294967295> | null }
New command: snmp-agent acl INTEGER<0-4294967295>
Change description: The function is enhanced. The null configuration at the end of the ACL is meaningless, and no buildrun information is generated.
Impact of the upgrade: None
Original command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None

Original command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None

Original command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> }
New command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> } [ vpn-instance STRING<1-31> ]
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None

Original command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname { STRING<1-32> | cipher STRING<1-68> }
New command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname { STRING<1-32> | cipher STRING<1-68> }
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None
Original command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change description: ECC authentication is added in response to a new requirement.
Impact of the upgrade: None

Original command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-46> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-255> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change description: ECC authentication is added in response to a new requirement.
Impact of the upgrade: None
Original command: reset arp { static | all | dynamic }
New command: reset arp { static | dynamic }
Change description: Traffic interruption resulting from misoperations is prevented.
Impact of the upgrade: None

Original command: nssa [ default-route-advertise { [ [ cost INTEGER<1-16777214> ] | [ type INTEGER<1-2> ] | [ tag INTEGER<0-4294967295> ] ] * } | no-import-route | no-summary | translator-always | translator-interval INTEGER<1-120> | set-n-bit ] *
New command: nssa [ default-route-advertise { [ [ cost INTEGER<1-16777214> ] | [ type INTEGER<1-2> ] | [ tag INTEGER<0-4294967295> ] ] * } | no-import-route | no-summary | translator-always | translator-interval INTEGER<1-120> | set-n-bit | suppress-forwarding-address ] *
Change description: Integrated from the OSPFv3 FA requirement.
Impact of the upgrade: None

Original command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> ] *
New command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> ] *
Change description: The command that restricts the maximum number of connections of the physical server (max-connection INTEGER<0-65535>) is added.
Impact of the upgrade: None
Original command: packet-capture queue INTEGER<0-3> to-file STRING<5-64>
New command: packet-capture queue INTEGER<0-4294967295> to-file STRING<5-64>
Change description: The view is changed from system view to any view.
Impact of the upgrade: None

Original command: packet-capture startup [ packet-len INTEGER<40-1500> ] [ sample-rate INTEGER<1-10000> ] [ packet-num INTEGER<1-1000> ]
New command: packet-capture startup [ packet-len INTEGER<40-1500> ] [ sample-rate INTEGER<1-10000> ] [ packet-num INTEGER<1-1000> ]
Change description: The view is changed from system view to any view.
Impact of the upgrade: None

Original command: packet-capture { ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> | no-ip-packet | all-packet } [ queue INTEGER<0-3> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
New command: packet-capture { ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> | no-ip-packet | all-packet } [ queue INTEGER<0-4294967295> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
Change description: The view is changed from system view to any view.
Impact of the upgrade: None

Original command: configure disk type audit-log INTEGER<1-100>
New command: configure disk type audit-log INTEGER<0-100>
Change description: The size of the audit log disk space can be set to 0%.
Impact of the upgrade: None

Original command: configure disk type { content-report } INTEGER<1-100>
New command: configure disk type { content-report } INTEGER<0-100>
Change description: The size of the data filtering report disk space can be set to 0%.
Impact of the upgrade: None

Original command: configure disk type { file-block-report } INTEGER<1-100>
New command: configure disk type { file-block-report } INTEGER<0-100>
Change description: The size of the file blocking report disk space can be set to 0%.
Impact of the upgrade: None

Original command: configure disk type { mail-log } INTEGER<1-100>
New command: configure disk type { mail-log } INTEGER<0-100>
Change description: The size of the mail filtering log disk space can be set to 0%.
Impact of the upgrade: None

Original command: configure disk type { url-log } INTEGER<1-100>
New command: configure disk type { url-log } INTEGER<0-100>
Change description: The size of the URL log disk space can be set to 0%.
Impact of the upgrade: None

Original command: configure disk type { url-report } INTEGER<1-100>
New command: configure disk type { url-report } INTEGER<0-100>
Change description: The size of the URL report disk space can be set to 0%.
Impact of the upgrade: None

Original command: configure disk type { user-log } INTEGER<1-100>
New command: configure disk type { user-log } INTEGER<0-100>
Change description: The size of the user log disk space can be set to 0%.
Impact of the upgrade: None
Original command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
New command: report type threat-report item { threat-type | application | attacker | victim | threat-name | defend | all | map } enable
Change description: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.
Impact of the upgrade: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.

Original command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
New command: report type traffic-report item { source-ip | destination-ip | application | application-sub-category | all | map | out-interface } enable
Change description: The application category, address type, source region, and destination region dimensions are deleted from traffic reports. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.
Impact of the upgrade: Traffic reports do not contain application category, address type, source region, and destination region dimensions.

Original command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
New command: undo report type traffic-report item { source-ip | destination-ip | application | application-sub-category | all | map | out-interface } enable
Change description: The application category, address type, source region, and destination region dimensions are deleted from traffic reports. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.
Impact of the upgrade: Traffic reports do not contain application category, address type, source region, and destination region dimensions.
Deleted commands
Command | Cause of Deletion | Impact
The license can still be used after the upgrade from V500R001C30SPC300 to V500R001C50.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
• The sensitive feature component package to be loaded must be compatible with the system software.
• Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
• After the upgrade, you must dynamically load these features.
• After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
New features
None
Modified features
No. | Feature | Change Description | Cause | Impact of the Upgrade

No. 2
Feature: HRP
Change description: Enhanced reliability of the HRP command backup mechanism.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 3
Feature: Reliability
Change description: Interface shutdown triggered when the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 5
Feature: Security zone
Change description: Command added to check whether the detection function is enabled.
Cause: The function is enhanced.
Impact of the upgrade: None.
Deleted Features
None
New commands
Command Description Impact
Command: firewall exceeded cpu-usage threshold<integer<60-100>>
Description: Sets a threshold for the CPU usage.
Impact: To enhance maintainability, so that interfaces can be shut down if the CPU usage exceeds the threshold.

Command: hrp base config enable
Description: Restores commands upon startup.
Impact: To enhance hot standby reliability.
Modified features
None
Deleted commands
None
The license can still be used after the upgrade from V500R001C30SPC200 to
V500R001C30SPC300.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC200 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
• The sensitive feature component package to be loaded must be compatible with the system software.
• Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
• After the upgrade, you must dynamically load these features.
• After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
New features
None
Modified features
No. | Feature | Change Description | Cause | Impact of the Upgrade
Deleted Features
None
Command: display ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: display ipsec fpath statistics [ slot <slotid> cpu <cpu-id> ]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics [ slot <slotid> cpu <cpu-id> ]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.

Command: reset security-policy statistic
Description: Clears statistics on the number of packets and bytes that match security policies.
Impact: Added a function that allows you to view the statistics through MIB.

Command: [undo] api netconf validate
Description: Enables the verification function.
Impact: The verification function is originally enabled by default, compromising the performance. Therefore, it is modified to be disabled by default. You can use this command to enable it again.

Command: firewall defend tcp split-handshake-spoof enable
Description: Enables the function of defending against split handshake spoofing attacks.
Impact: Added a function. After this function is enabled, the firewall can block TCP split handshake spoofing attacks, defend against malicious data injection, and discard SYN packets with data.

Command: ssh server dh-exchange min-len
Description: Specifies the minimum DH length supported by the server when SSH uses the dh_exchange key exchange algorithm.
Impact: Enhanced the existing function.
Original command: display firewall session aging-time
New command: display firewall session aging-time
Change description: Changed the default aging time of SQLNET from 600 seconds to 14400 seconds.
Impact of the upgrade: After the upgrade, SQLNET sessions are persistent sessions whose default aging time is 14400 seconds. When the number of persistent connections exceeds 1/3 of the session specification, their aging time is automatically changed to that of common TCP sessions.

Original command: display gpm method
New command: display gpm method
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.

Original command: display gpm flow
New command: display gpm flow
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.
Deleted commands
None.
The license can still be used after the upgrade from V500R001C30SPC100 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
• The sensitive feature component package to be loaded must be compatible with the system software.
• Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
• After the upgrade, you must dynamically load these features.
• After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
V500R001C20SPC300 | V500R001C50SPC100

V500R001C20SPC300: In mail audit logs, attachment names are separated using commas or spaces.
V500R001C50SPC100: In mail audit logs, attachment names are separated using slashes (/).

V500R001C20SPC300: The [undo] traffic-policy bandwidth force statistic enable command enables or disables the traffic policy statistics function. By default, the function is enabled.
V500R001C50SPC100: The default state is changed from enabled to disabled for high-end firewalls. The default state is still enabled for low-end and mid-range firewalls.

V500R001C20SPC300: The [undo] firewall packet-filter basic-protocol enable command enables or disables security policy control for BGP, LDP, BFD, and OSPF unicast packets. By default, the function is enabled.
V500R001C50SPC100: The default state of this command is changed from enabled to disabled.

V500R001C20SPC300: When user management uses the SSL protocol, the cipher list supports low-, medium-, and high-length encryption algorithms.
V500R001C50SPC100: When user management uses the SSL protocol, the cipher list supports medium- and high-length encryption algorithms.

V500R001C20SPC300: Static mapping deletion on the MIB deletes all static mappings configured on the device.
V500R001C50SPC100: Only static mappings that are not referenced are deleted.
Original command: [undo] ssl version { tlsv10 | tlsv11 | tlsv12 | sslv3 }
New command: ssl version { tlsv10 | tlsv11 | tlsv12 }
Change description: The keyword sslv3 is deleted. By default, TLS11 and TLS12 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS11 and TLS12.

Original command: speed {10 | 100 | 1000}; undo speed; [undo] negotiation auto; duplex { half | full }; undo duplex
New command: speed {10 | 100 | 1000}; undo speed; [undo] negotiation auto; duplex { half | full }; undo duplex
Change description: The function is added. The negotiation mode, duplex mode, and rate can be set in the view of an Eth-Trunk member interface.
Impact of the upgrade: None.
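The modified-command tables above list syntax that disappears in V500R001C50SPC100 (the sslv3 keyword of ssl version, the trailing null of snmp-agent acl, the no-timestamp mode of info-center timestamp, the userdefined-hostname keyword of ssl whitelist, the deleted report dimensions), and the V500R001C20SPC300 comparison table lists two functions whose default state flips from enabled to disabled. A practitioner wants to find those lines in a saved configuration before the reboot, not after. The audit below is an added example written for this page, not Huawei's code and not part of the guide; the regular expressions, the sample configuration and the assumption that these commands appear in a saved configuration file in the form shown are all mine. It flags matching lines and, separately, the absence of an explicit enable or undo line for each default that flips, since a configuration that relied on the old default changes behaviour silently after the upgrade.

```python
"""Pre-upgrade configuration audit for the command and default changes listed
in this guide.  Constructed example: the regular expressions and the sample
configuration are assumptions about how these commands appear in a saved
configuration file, not output from a real device."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 0 when the finding is about a line that is absent
    rule: str      # the change named in the upgrade guide
    advice: str    # what to do before the upgrade


# Line-level rules: configuration lines whose syntax disappears or changes in
# V500R001C50SPC100.  Each pattern is applied to one stripped config line.
LINE_RULES = [
    (re.compile(r"^ssl version\b.*\bsslv3\b"),
     "ssl version: the sslv3 keyword is deleted",
     "drop sslv3; after the upgrade the restored default is TLS11 and TLS12"),
    (re.compile(r"^snmp-agent acl\b.*\bnull\b"),
     "snmp-agent acl: the trailing null is removed",
     "re-enter the command without null; no buildrun information is generated for it"),
    (re.compile(r"^info-center timestamp\b.*\bnone\b"),
     "info-center timestamp: the no-timestamp (none) mode is deleted",
     "switch to boot, date, short-date or format-date before upgrading"),
    (re.compile(r"^ssl whitelist userdefined-hostname\b"),
     "ssl whitelist: keyword userdefined-hostname becomes hostname",
     "re-enter as 'ssl whitelist hostname <name>'"),
    (re.compile(r"^(undo )?report type threat-report item\b.*"
                r"\b(virus-name|attacker-location|victim-location)\b"),
     "threat-report: virus, attacker region and victim region dimensions are deleted",
     "use threat-name advanced search (virus threat type) and threat map query"),
    (re.compile(r"^(undo )?report type traffic-report item\b.*"
                r"\b(application-category|source-location|destination-location|address-type)\b"),
     "traffic-report: application category, region and address type dimensions are deleted",
     "use application-sub-category and traffic map query"),
]

# Default-flip rules: functions whose default state changes in the target
# version.  A configuration that relies on the old default (no explicit enable
# or undo line) changes behaviour silently after the reboot.
DEFAULT_FLIPS = [
    ("traffic-policy bandwidth force statistic enable",
     "traffic policy statistics: default changes from enabled to disabled on high-end firewalls"),
    ("firewall packet-filter basic-protocol enable",
     "security policy control for BGP, LDP, BFD and OSPF unicast packets: "
     "default changes from enabled to disabled"),
]


def audit_config(config_text: str) -> list[Finding]:
    """Return the findings for one saved configuration: line-rule findings in
    file order, followed by the default-flip findings (line_no 0)."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for pattern, rule, advice in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, advice))
    for command, rule in DEFAULT_FLIPS:
        if not any(line in (command, "undo " + command) for line in lines):
            findings.append(Finding(
                0, rule,
                f"configure '{command}' or 'undo {command}' explicitly so the "
                "upgrade cannot change the effective state"))
    return findings


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
#
 sysname NIP-edge-1
#
 ssl version sslv3
#
 snmp-agent acl 2000 null
 info-center timestamp log date precision-time millisecond
 info-center timestamp trap none
#
 report type threat-report item virus-name enable
 undo firewall packet-filter basic-protocol enable
#
"""


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        where = f"line {finding.line_no}" if finding.line_no else "missing line"
        print(f"{where}: {finding.rule}\n    -> {finding.advice}")
```

Run against the sample, the audit reports the sslv3, null, none and virus-name lines (lines 4, 6, 8 and 10) and one missing-line finding for the traffic-policy statistics default; the packet-filter default produces nothing because the sample sets it explicitly with undo. Extend LINE_RULES from the command tables of the section you are upgrading from; the rules here cover only the changes this page lists.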
The license can still be used after the upgrade from V500R001C20SPC300 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
• The sensitive feature component package to be loaded must be compatible with the system software.
• Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
• After the upgrade, you must dynamically load these features.
• After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
V500R001C20SPC300: Packet discard logs caused by UNRs and PAT port conflicts are not generated.
V500R001C50SPC100: Packet discard logs caused by UNRs and PAT port conflicts are generated.
The maintenance method is enhanced.

V500R001C20SPC300: SSL VPN virtualization scenarios are not supported.
V500R001C50SPC100: SSL VPN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Only low-end and mid-range models support SSL VPN.

V500R001C20SPC300: The VPN client can't be separately upgraded and imported to the device.
V500R001C50SPC100: The VPN client can be separately upgraded and imported to the device.
Only low-end and mid-range models support SSL VPN.
Command before upgrade: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
Command after upgrade: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change: The map keyword is added to control the enabling report.
Impact: None.

Command before upgrade: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
Command after upgrade: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change: The map keyword is added to control the enabling report.
Impact: None.

Command before upgrade: acl ipv6 { [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } } [ vpn-instance STRING<1-31> ]
Command after upgrade: acl ipv6 [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } [ vpn-instance STRING<1-31> ]
Change: IPv6 addresses are supported in virtual systems.
Impact: None.

Command before upgrade: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
Command after upgrade: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change: The map keyword is added to control the enabling report.
Impact: None.

Command before upgrade: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
Command after upgrade: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change: The map keyword is added to control the enabling report.
Impact: None.
The license can still be used after the upgrade from V500R001C20SPC200 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC200 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
Before upgrade: The firewall system statistics function is disabled by default.
After upgrade: The default status of this function is changed from disabled to enabled.

Before upgrade: The root firewall does not have the worktime time range setting after the configuration is restored.
After upgrade: The following default setting is added: time-range worktime period-range 08:00:00 to 18:00:00 working-day
The license can still be used after the upgrade from V500R001C20SPC100 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
V500R001C00SPC500 | V500R001C50SPC100

V500R001C00SPC500: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC500: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC500: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.

V500R001C00SPC500: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.

V500R001C00SPC500: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported. In the security policy view, run:
[ undo ] device-classification device-category <device-category-name>
[ undo ] device-classification device-group <device-category-name>
[ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC500: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies. If the live network uses BFD, but corresponding BFD rules are not configured in the security policies, you need to allow the BFD sessions through in security policy rules. For example:
[sys] ip service-set bfd type object
[sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
[sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
[sys-object-service-set-bfd] quit
[sys] security-policy
[sys-policy-security] rule name allow_bfd
[sys-policy-security-rule-allow_bfd] description BFD
[sys-policy-security-rule-allow_bfd] service bfd
[sys-policy-security-rule-allow_bfd] action permit
The license can still be used after the upgrade from V500R001C00SPC500 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC500 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
V500R001C00SPC300 | V500R001C50SPC100

V500R001C00SPC300: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC300: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC300: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.

V500R001C00SPC300: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.

V500R001C00SPC300: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported. In the security policy view, run:
[ undo ] device-classification device-category <device-category-name>
[ undo ] device-classification device-group <device-category-name>
[ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC300: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies. If the live network uses BFD, but corresponding BFD rules are not configured in the security policies, you need to allow the BFD sessions through in security policy rules. For example:
[sys] ip service-set bfd type object
[sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
[sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
[sys-object-service-set-bfd] quit
[sys] security-policy
[sys-policy-security] rule name allow_bfd
[sys-policy-security-rule-allow_bfd] description BFD
[sys-policy-security-rule-allow_bfd] service bfd
[sys-policy-security-rule-allow_bfd] action permit
The license can still be used after the upgrade from V500R001C00SPC300 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.
Upgrade Description:
NOTICE
1. After the manual update is complete, you can query history logs and reports, but
cannot roll back the system.
2. Manual update will overwrite the logs of the source version with new logs. Therefore,
you are advised to manually update the log database immediately after upgrading the
system software if the customer does not require version rollback.
3. The time and time zone after the upgrade must be correct.
Network management software (NMS): eSight V300R007C00
Controller: Agile Controller-Campus V200R003C20; Agile Controller-DCN V300R001C10; Agile Controller-Cloud Manager V200R002C00
Configuration conversion tool: V100R006C00B023
NOTICE
Patches cannot be upgraded.
The patch loading procedure is the same for hot-standby and single-device scenarios.
Whether the patch is first loaded to the active or standby device does not affect the patch
loading effect.
1.3.2 Precautions
Precautions
During the upgrade, take the following precautions:
- Ensure a stable power supply during the upgrade and avoid power failures. If the device cannot start normally after a power failure, try to upgrade in BootROM mode. For details, see Appendix A: Upgrading System Software Using BootROM.
- The registration of boards takes a period of time. After the device is restarted, do not perform any operations until all the boards are registered. When you run the display device command to display the registration status of a board, Registered is displayed in the Register field and Normal is displayed in the Status field once registration is complete.
Figure 1 shows the flow for upgrading to V500R001C50SPC100 from an earlier version.
NOTE
For details on how to upgrade the version software using BootROM, see Appendix A: Upgrading
System Software Using BootROM.
Configuration analysis | License file analysis | See License Impact in Upgrade Impact. | Analyze the display license command output and check whether the license file needs to be converted or merged according to the description in section License Impact.
Prerequisites
To upgrade system software using the Web UI, upload the system software to the CF card of
the properly operating NIP6300/6600, specify the system software to be used at the next
startup, and restart the NIP6300/6600.
The premise is that you have logged in to the Web environment using the Web UI. If the login
using the Web UI is not configured, log in to the NIP6300/6600 using the console port to
configure the Web environment. For configuration details, see Setting Up an Environment
for Upgrading System Software Using Web.
By default, the device allows an administrator to log in to the web UI using HTTPS.
NOTE
The network using two PCs is used as an example to facilitate description. You can use only one PC as
Telnet/SSH and HTTPS clients.
- Login tool
Login tools help you log in to the device on the Web UI. This document uses the tool in
Windows (Windows XP+SP2) as an example. The browser of the PC must meet any of
the following requirements:
Internet Explorer: version 8.0 or later
Firefox (recommended): version 10.0 or later
Chrome: version 17.0 or later
- File comparison tool
A file comparison tool is used to compare the configuration files before and after the
upgrade. Use proven third-party tools, such as Beyond Compare.
Figure 1-2 Schematic diagram of the NIP6300/6600 serving as the Web server
The Web service is enabled on the NIP6300/6600 by default. You can use the IP address
192.168.0.1 of interface GigabitEthernet 0/0/0 on the NIP6300/6600 and the default user
name admin and password Admin@123 to log in to the web UI of the NIP6300/6600 through
HTTPS. If you have disabled the Web service or deleted the default user, do as follows to
reconfigure the service.
NOTE
You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To
facilitate description, the network using two PCs is used as an example. The following steps apply to this
two-PC network.
Procedure
Step 1 On PC1, log in to the CLI of the NIP6300/6600 through Telnet or SSH.
It is recommended that you use interface GigabitEthernet 0/0/0 on the NIP6300/6600 for login.
By default, the IP address for interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is
admin, and the password is Admin@123.
Step 2 Enter the system view and start the Web service. Configure a user with user name webuser
and password Admin@1234 and the level of the Web user. You can use other user names and
passwords as required.
<NIP> system-view
[NIP] web-manager enable
[NIP] web-manager security enable port 8443
[NIP] aaa
[NIP-aaa] manager-user admin
[NIP-aaa-manager-user-admin] password cipher Admin@1234
[NIP-aaa-manager-user-admin] service-type web telnet ssh
[NIP-aaa-manager-user-admin] level 15
[NIP-aaa-manager-user-admin] quit
[NIP-aaa] quit
[NIP] interface GigabitEthernet0/0/0
[NIP-GigabitEthernet0/0/0] service-manage enable
[NIP-GigabitEthernet0/0/0] service-manage http permit
[NIP-GigabitEthernet0/0/0] service-manage https permit
[NIP-GigabitEthernet0/0/0] quit
Step 3 Log in to https://192.168.0.1 using the Internet Explorer on PC2 to verify the configurations.
If the login interface of the Web server is displayed in the IE browser, and the login succeeds
through admin and Admin@1234, it indicates that you can log in to the Web server normally.
After the configuration is verified, you can either keep this connection for further use, or exit
from the Web server and relog in to it when required.
----End
Context
Obtain the following files for the upgrade:
Procedure
Step 1 Access the home page of http://support.huawei.com/enterprise.
Step 2 If you are not a registered member of the website, perform Step 3 to register. If you are a registered
member, go to Step 4.
Step 3 Click Register and register as prompted. If the registration succeeds, you will receive your
user name and password.
Step 4 Enter the user name, password, and verification code. Then click Login.
Step 5 After login, choose Support > Software > Enterprise Networking > Security > Firewall &
VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.
----End
Context
Content feature component packages are not released along with the software package. You
must access the security center website and load the packages in online mode, or download
and load them locally.
In V500R001C50SPC100, the following Content features compose the content security
component package: application behavior control, SSL decryption and URL logging.
Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec. (Internet Explorer: version 8.0
or later or Firefox)
Step 2 Expand the NIP6300/6600 Series tab and select the product model and version, such as
NIP6680 - V500R001C50SPC100.
Step 3 Select and download the component package. The component packages are as follows:
CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.
NOTE
Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content feature
component packages.
The content feature component package to be loaded must be compatible with the system software.
----End
Context
The premise is that you have logged in to the Web environment of the device from PC2 using
the Web UI. On the Web UI, you can query the current system software and perform
subsequent operations.
After login, you can query the version information of the running system software in System
Information on the DashBoard page, as shown in figure 1. V500R001C50SPC100 is used as
an example.
Click Upgrade at the right side of Version, as shown in figure 2, to query the existing system
software. Record the system software file name for file backup.
NOTE
The root directory of the CF card is hda1:/. You can use the system software on the CF card to start the
device.
Context
If no license-controlled function, such as content security function (intrusion prevention/anti-
virus/pre-defined URL category query) is used, skip this section.
Procedure
Step 1 Check information about the current license. You do not need to apply for another license if
the current license has not expired and no function needs to be added. After login, you can
query the license information in License Information on the DashBoard page, as shown in
figure 1:
The preceding information is about an activated license file. Service Expire Time in the
figure indicates the expiry time of the IPS/AV signature database upgrade service or the URL
predefined category query service, not the expiry time of the license file.
Use Notepad on the PC to open and check the license file. license.dat is used only as an
example. In practice, replace license.dat with the actual file name:
........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Comment=",,V544HUP32MUW-7W4A"
Sign=3694DA7AE8190BF77FC8D6A08689E64DCDC1CDB8AE70E625AF2490B755A828D1619795F892C7708CCDD512AADC816D2C6074CEF5FCFB18305CC6FF87DC2E9E0F1F84C65511344DA2BB3C1F4BD92B2EECEB8670DDC42DC83385D8DC36B8547638653FFC7CE27A1A09943936B79C3152D73C8C416583F01B3413518B4B9110A53C9C673C1A56CE6C6FC70877DA393131A6161A4380CA0FF3FEE8E0982ADD35E53834F649BF1CC36F4AA6C8BAFE75582A2C5E0D22442F0E929A3A16CC876D2EA0B7932499718F32951238DB8BE8D6B31EEEB53CFC34646B2A48A884DEB9DE6569ACC3AA4CBE02214FAED74ACFA66C8E3191930F53F941BDEED02A717F6154ABB6BC
........
Note the first two fields of the Attrib attribute. COMM indicates a commercial license and
2014-06-04 indicates the expiry date of the license.
If the license expires, contact Huawei technical support personnel.
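The Attrib check above can be scripted so that the license type and expiry date are read from the file rather than by eye. The following is an added example and not a Huawei tool. It assumes only the layout visible in the excerpt (one Key=Value pair per line, values optionally quoted, the expiry date as the second comma-separated field of Attrib) and runs on a constructed license text whose ESN and Sign values are placeholders:

```python
"""Read a license.dat-style file and report the license type and expiry.

Added example, not part of the upgrade guide or of any Huawei tool. The
field layout is assumed from the guide's excerpt: Key=Value per line,
Attrib="<type>,<expiry YYYY-MM-DD>,...". Separator lines of dots are skipped.
"""
from datetime import date

# Constructed sample modelled on the guide's excerpt. ESN and Sign are placeholders.
SAMPLE_LICENSE = """........
Product=FW
Feature=FWVSYS01
Esn="PLACEHOLDER_ESN"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Comment=",,PLACEHOLDER"
Sign=PLACEHOLDER_SIGNATURE
........
"""


def parse_license(text):
    """Return a dict of Key -> value with surrounding quotes removed.

    Only the first '=' splits key from value, so values that themselves
    contain '=' (Function, Resource) stay intact.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(".") or "=" not in line:
            continue  # blank line or a '........' separator
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def license_status(fields, today=None):
    """Return (license_type, expiry_iso, days_left) from the Attrib field.

    today is an ISO date string used as the reference point (defaults to the
    current date). days_left is negative once the license has expired.
    """
    attrib = fields.get("Attrib", "")
    parts = attrib.split(",")
    if len(parts) < 2:
        raise ValueError("Attrib field missing or malformed: %r" % attrib)
    expiry = date.fromisoformat(parts[1])
    reference = date.fromisoformat(today) if today else date.today()
    return parts[0], expiry.isoformat(), (expiry - reference).days


def license_path_ok(path, limit=64):
    """Apply the guide's naming rule: the full path of the license file must
    not exceed 64 characters, and spaces are best avoided."""
    return len(path) <= limit and " " not in path


if __name__ == "__main__":
    info = parse_license(SAMPLE_LICENSE)
    kind, expiry, days = license_status(info)
    state = "expired" if days < 0 else "valid"
    print("Product=%s type=%s expiry=%s (%s, %d days)" % (
        info["Product"], kind, expiry, state, days))
```

Run it against the real file by replacing SAMPLE_LICENSE with the file contents; a negative days_left is the case in which the guide says to contact Huawei technical support.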
Step 2 Apply for a license file. For details on how to apply for a license file, see Appendix:
Applying for a License.
After you obtain the license file, save it in the same directory as the system software.
NOTICE
- Each license file corresponds to one equipment serial number (ESN).
- To successfully activate a license file, ensure that the name of the license file (including the complete absolute path) does not exceed 64 characters. It is recommended that the name of the license file be as short as possible and contain no spaces.
----End
Prerequisites
After you log in to the Web UI, check the device operating status on the Dashboard page
Context
The diagnosis information contains the output of multiple commonly-used display
commands. You can check the operating status of each device module.
On the Web UI, choose Monitor > Diagnosis Center > Diagnosis Information. Click Collect
to view device diagnosis information, as shown in figure 1. You can also save the diagnosis
information to a text file.
You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 2:
Context
Important data includes the current system software, configuration file, license file, patch file,
diagnosis file, signature file.
NOTE
The license file, signature file, and sensitive feature component package cannot be exported from the Web UI.
See Performing the Upgrade Using the CLI.
On the Web UI, you can use One-Touch Version Upgrade to back up important data before
the upgrade.
Procedure
Step 1 Display the System Upgrade page. On the Web UI, choose System > System Upgrade. On the
System Upgrade page, click One-Touch Version Upgrade, as shown in figure 1:
NOTICE
You need to save the configuration file before backing it up.
On the One-Touch Version Upgrade page, you can export alarms, logs, and configurations
and save configurations, as shown in figure 2.
----End
NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.
Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.
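Triage of the conversion result can be automated so that every line the tool marked is accounted for before the file is loaded. The following is an added example, not part of the guide or of the configuration conversion tool; it relies only on the **** and @@@@ markers described above and takes a constructed copy of the excerpt as its input:

```python
"""Triage a configuration conversion result file.

Added example, not a Huawei tool. Convention taken from the guide:
lines beginning with '****' must be converted by hand and stay in the file
until someone rewrites them; lines beginning with '@@@@' are not supported
in V500R001 and are removed from the output (after confirming with the
customer) so they are never loaded onto the device.
"""

MANUAL_MARK = "****"
DROP_MARK = "@@@@"

# Constructed sample based on the guide's excerpt.
SAMPLE_RESULT = """profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other //This command must be manually converted.
  target both
  severity low medium high
  protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.
"""


def _command_after(marker, line):
    """Strip the marker and any trailing '//' comment from a marked line."""
    return line[len(marker):].split("//", 1)[0].strip()


def triage(text):
    """Split the conversion result into (clean_lines, manual, dropped).

    clean_lines: the file with '@@@@' lines removed; everything else,
                 including indentation and the '****' lines, is unchanged.
    manual:      [(line_number, command)] for '****' lines needing rewrite.
    dropped:     [(line_number, command)] for the '@@@@' lines removed.
    """
    clean, manual, dropped = [], [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.lstrip()
        if stripped.startswith(MANUAL_MARK):
            manual.append((number, _command_after(MANUAL_MARK, stripped)))
            clean.append(raw)  # kept: a person must convert it by hand
        elif stripped.startswith(DROP_MARK):
            dropped.append((number, _command_after(DROP_MARK, stripped)))
        else:
            clean.append(raw)
    return clean, manual, dropped


def ready_to_load(text):
    """True only when no '****' line remains, i.e. all manual work is done."""
    return not triage(text)[1]


if __name__ == "__main__":
    clean, manual, dropped = triage(SAMPLE_RESULT)
    for number, cmd in manual:
        print("line %d needs manual conversion: %s" % (number, cmd))
    for number, cmd in dropped:
        print("line %d removed (unsupported): %s" % (number, cmd))
    print("ready to load:", ready_to_load(SAMPLE_RESULT))
```

Keep the dropped list with the upgrade record: it is the evidence for the customer confirmation the NOTICE asks for.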
Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of the configuration must be consistent. If a verification
environment is unavailable on site, you are advised to contact technical support engineers
for support.
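A file comparison tool such as Beyond Compare does this check interactively. The following added example (not from the guide or a Huawei tool) performs the same before/after comparison in Python so that the result can be filed with the upgrade record. It assumes the VRP-style layout of indented commands separated by # lines; both configurations are constructed for the example, and the time-range line is the default the guide says the upgrade adds:

```python
"""Compare a configuration exported before the upgrade with the one exported
after it and report lost and added commands.

Added example, not a Huawei tool. Both sample configurations are constructed.
"""
import difflib

# Constructed "before" configuration.
BEFORE_CFG = """#
 sysname NIP
#
security-policy
 rule name allow_bfd
  description BFD
  service bfd
  action permit
#
return
"""

# Constructed "after" configuration: the upgrade added the default worktime
# time range, and for the sake of the example the bfd service reference did
# not survive conversion, which is the kind of loss this check must catch.
AFTER_CFG = """#
 sysname NIP
#
 time-range worktime period-range 08:00:00 to 18:00:00 working-day
#
security-policy
 rule name allow_bfd
  description BFD
  action permit
#
return
"""


def normalize(text):
    """Return the configuration as a list of commands with indentation
    collapsed. Blank lines and '#' section separators are dropped so that
    only real command differences are reported."""
    commands = []
    for raw in text.splitlines():
        cmd = " ".join(raw.split())
        if cmd and cmd != "#":
            commands.append(cmd)
    return commands


def compare_configs(before, after):
    """Return {"lost": [...], "added": [...], "diff": [...]}.

    SequenceMatcher opcodes are used rather than set membership so that a
    command which moved to a different section is reported as a change
    instead of being silently treated as unchanged.
    """
    b, a = normalize(before), normalize(after)
    matcher = difflib.SequenceMatcher(a=b, b=a, autojunk=False)
    lost, added = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            lost.extend(b[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(a[j1:j2])
    diff = list(difflib.unified_diff(b, a, "before_upgrade.cfg",
                                     "after_upgrade.cfg", lineterm=""))
    return {"lost": lost, "added": added, "diff": diff}


def configs_consistent(before, after):
    """True when no command was lost. Additions such as new defaults are
    expected after an upgrade; they are reported but do not fail the check."""
    return not compare_configs(before, after)["lost"]


if __name__ == "__main__":
    result = compare_configs(BEFORE_CFG, AFTER_CFG)
    print("\n".join(result["diff"]))
    print("lost:", result["lost"])
    print("added:", result["added"])
    print("consistent:", configs_consistent(BEFORE_CFG, AFTER_CFG))
```

Review every entry in the lost list against the Upgrade Impact tables: a command that was deliberately removed from the target version (for example sslv3 in ssl version) is expected, anything else needs to be recovered before services are restored.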
NOTICE
If the remaining available space of the CF card is insufficient during the one-touch version
upgrade, the system automatically deletes the running system software.
NOTE
Because the size of system software (*.bin files) is large, deleting unwanted system software can greatly
save the space on the CF card. You cannot delete the software that is running.
Context
Figure 1-19 Flowchart of the version software upgrade through the Web
Procedure
Step 1 On PC2, open the Internet Explorer, access https://192.168.0.1, and enter user name admin
and password Admin@1234 to log in to the NGFW. User name admin and password
Admin@1234 are used as an example. You can set another user name and password as
required.
Step 2 Upload the system program.
NOTICE
Ensure that a configuration conversion tool is used to convert the original configuration file to
a configuration file applicable to the target version. For details, see Configuration
Conversion.
After the upload succeeds, the Configuration File Management page is displayed. The
available configuration files are listed on the page. Check whether the size of the uploaded
file in the list and the size of the file on PC2 are the same. If no, upload the file again.
1. Choose System > Configuration File Management. You can view configuration file
information in Current System Software and Next Startup System Software.
2. Click Select for the Next Startup System Software. The Configuration File
Management page is displayed. Click the upload icon. The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.
3. Click Browse..., select the configuration file (must be a .cfg file or .zip file) to be
uploaded, and click Upload. The name of the file to be uploaded cannot be the same as
the name of any existing file in the CF card.
Step 3 Specify the configuration file to be used for the next startup. On the Configuration File
Management page, click the icon of the uploaded file and then click OK to specify the file as the
configuration file for the next startup.
Step 4 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Choose System > License Management and use Local Manual Activation to upload a
license file and activate it.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center " in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 6 Upload the system software.
1. Choose System > System Upgrade. You can view system software information in
System Software
2. Click Select for System Software. The System Software Management page is
displayed.
Click the upload icon. The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.
Upload a file.
NOTICE
The name of the file to be uploaded cannot exceed 48 characters.
After the upload succeeds, the System Software Management page is displayed. The
corresponding files are listed on the page. Check whether the size of the uploaded file in
the list and the size of the file on PC2 are the same. If no, upload the file again.
3. Click Browse..., select the system software (must be a .bin file) to be uploaded, and click
Upload. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card.
During the upload, do not close the Internet Explorer.
Step 7 Specify the system software to be used for the next startup.
If the file fails to be uploaded, the uploaded incomplete file cannot be deleted immediately.
Therefore, you need to delete the incomplete file after the device is restarted.
On the System Software Management page, click the icon of the uploaded file and then click OK
to specify the file as system software for the next startup.
Step 8 Restart the device.
NOTE
If the configuration file for the next startup is imported, restart the device without saving the running
configuration. Otherwise, the running configuration will overwrite the imported configuration.
If sensitive features are not involved, the upgrade to V500R001C50SPC100 is complete. Otherwise, go
to the next step.
- Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
- Ensure that the device can access the security center directly or through a proxy server.
- Configure a security policy to permit HTTP and FTP packets when the device directly connects to the security center, or permit HTTP packets when the device connects to the security center through a proxy server. For details, see the description of security policies and content security in NIP6000&NIP6800&IPS Module V500R001C50SPC100 Administrator Guide.
- Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly resolve http://sec.huawei.com.
Upgrading V500R001 to V500R001C50SPC100 | URL component package | install-module URLRMT_H50010000_yyy.mod next-startup
1. Move the pointer to the lower right of the page and click the CLI console icon to open
the CLI console. Click any space on the page. If the command prompt <sysname> is
displayed, you can perform configurations on the CLI.
2. After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is
INSTALL_OK, the component packet has been successfully loaded.
<sysname> display module-information verbose
Module
Information
------------------------------------------------------------------------
- NP INSTALL_OK -
NOTICE
If the configuration file for the next startup is imported, restart the device without
saving the running configuration. Otherwise, the running configuration will overwrite
the imported configuration.
For the upgrade from V500R001C00 to V500R001C50SPC100, if the configuration
file is not imported, you are advised to save the current configurations before
restarting the device.
Step 10 Now, the upgrade to V500R001C30 is complete. The optional follow-up task is to restore and
test services.
----End
NOTE
If the login page fails to be displayed, clear the browser buffer or use another browser.
In System Software, you can view the running system version and the version for the next
startup.
Choose System > Configuration File Management. You can view the running configuration
file and the configuration file for the next startup.
Figure 1-26 Displaying the running configuration file and the configuration file for the next
startup
View system log information on the Dashboard page, as shown in figure 10.
You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 12.
You can also use Beyond Compare to compare the configuration files before and after the
upgrade.
Recover the configuration based on the check result or contact the technical support
personnel.
l Compare the entries (such as routes, session entries, and FIB entries) before and after the
upgrade to see if any entry is lost and check whether the service traffic before and after
the upgrade are identical.
l Consult the network administrator to check whether services are running properly.
NOTE
You can use only one PC on which you run both the Telnet/SSH client and the FTP client. To facilitate
description, the network using two PCs is used as an example. The following steps apply to this two-PC
network.
2. If you are not a registered member of the website, perform 3 to register. If you are a
registered member, go to 4.
3. Click Register and register as prompted. If the registration succeeds, you will receive
your user name and password.
4. Enter the user name, password, and verification code. Then click Login.
5. After login, choose Support > Software > Enterprise Networking > Security >
Firewall & VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.
Figure 1-36 Schematic diagram of the NIP6300/6600 serving as the FTP server
Perform the following steps to configure the NIP6300/6600 as the FTP server:
3. Set the file transfer mode. Set the directory for saving the backup files on PC2 to
D:\FTP\Backup. The folder must already exist. You can specify another directory as
required.
ftp> binary //Run the binary command to specify file transmission in binary mode.
ftp> lcd "d:\FTP\Backup" //Set the directory that stores the backup files on PC2.
NOTE
The binary mode is required for file integrity, especially in the Linux or Unix system.
4. Run the get remote-filename [ local-filename ] command to download the file and save it
to local directory D:\FTP\Backup.
For example, before the upgrade, download the existing version software (for example,
V500R001C00SPC300.bin), vrpcfg.zip, the sensitive feature component packages
($_install_mod/*.mod), license.dat, and the diagnosis file (for example, diagnostic-info.txt)
to PC2 for backup.
ftp> get vrpcfg.zip
ftp> get license.dat
ftp> get V500R001C00SPC300.bin
It takes a long time to delete the *.bin file. Please wait and do not restart the device.
Files are deleted and cannot be restored after the delete command with the /unreserved
parameter is executed. If the /unreserved parameter is not specified, the files are stored in the
recycle bin. To optimize space for the CF card, run the reset recycle-bin hda1: command to
empty the recycle bin.
NOTE
Because the version software (*.bin file) is large, deleting unwanted version software can release large
space on the CF card.
You cannot delete the software that is running.
Context
Content feature component packages are not released along with the software package. You
must access the security center website and load the packages in online mode, or download
and load them locally.
In V500R001C50SPC100, the content security component package consists of the following content features: application behavior control, SSL decryption, and URL logging.
Procedure
Step 1 Access the Huawei security center at http://sec.huawei.com/sec (Internet Explorer 8.0 or later, or Firefox).
Step 2 Expand the NIP6300/6600 Series tab and select the product model and version, such as
NIP6680 - V500R001C50SPC100.
Step 3 Select and download the component package. The component packages are as follows:
CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.
NOTE
Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content feature
component packages.
The content feature component package to be loaded must be compatible with the system software.
----End
NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.
Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer whether these commands can be deleted.
Context
It is strongly recommended that you load the converted configuration to a device, start the device, save the configuration, export the configuration, and compare it with the original configuration. The two copies of the configuration must be consistent. If no verification environment is available on site, you are advised to contact technical support engineers.
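The scan of the conversion result described in the NOTICE above and the comparison recommended here, as an added example that is not part of the original guide: a Python script that lists the **** commands still to be converted by hand, drops the @@@@ commands, and diffs an exported configuration against the original while ignoring order, indentation and section separators. The function names are mine, and the sample text is a constructed copy of the snippet above.

```python
from collections import Counter

MANUAL_MARK = "****"   # command must be converted by hand
DELETE_MARK = "@@@@"   # command is not supported in V500R001: delete it

# Constructed sample modelled on the conversion result shown above.
SAMPLE_RESULT = """\
profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other //This command must be manually converted.
  target both
  severity low medium high
  protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
"""


def scan_conversion_result(text):
    """Return (to_convert, to_delete, cleaned) for a conversion result file.

    to_convert: (line number, command) pairs still carrying ****, left in the
                cleaned text so they can be rewritten by hand.
    to_delete:  commands carrying @@@@, removed from the cleaned text.
    cleaned:    the remaining configuration text.
    """
    to_convert, to_delete, cleaned = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith(DELETE_MARK):
            to_delete.append(stripped[len(DELETE_MARK):].strip())
            continue
        if stripped.startswith(MANUAL_MARK):
            command = stripped[len(MANUAL_MARK):].split("//", 1)[0].strip()
            to_convert.append((lineno, command))
        cleaned.append(raw.rstrip())
    return to_convert, to_delete, "\n".join(cleaned) + "\n"


def compare_configs(original, exported):
    """Return (only_in_original, only_in_exported) after normalising both texts.

    Indentation, blank lines and '#' section separators are ignored, and the
    comparison is on multisets, so reordering is not reported as a change;
    whatever remains is a real difference to review before going live.
    """
    def normalise(text):
        lines = (line.strip() for line in text.splitlines())
        return Counter(line for line in lines if line and line != "#")
    a, b = normalise(original), normalise(exported)
    return sorted((a - b).elements()), sorted((b - a).elements())


if __name__ == "__main__":
    manual, deleted, cleaned = scan_conversion_result(SAMPLE_RESULT)
    for lineno, command in manual:
        print(f"line {lineno}: convert by hand: {command}")
    for command in deleted:
        print(f"deleted (not supported in V500R001): {command}")
    print(compare_configs(SAMPLE_RESULT, cleaned))
```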
Context
Figure 1-37 Flowchart of the version software upgrade through the CLI
NOTE
FTP is used as an example. For SFTP file upload and download, see Device Serving as the SFTP
Server to Upload or Download Files Through SFTP.
Procedure
Step 1 Log in to the NGFW from PC2 using FTP. This document uses the Windows FTP client as an
example. In practice, you are advised to use a proven third-party FTP client (such as Cute
FTP) to transfer files.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>
Step 2 Set the file transfer mode. Set the directory for saving upgrade-related files on PC2 to D:\FTP.
The folder must already exist. You can specify another directory as required.
ftp> binary /Run the binary command to specify file transmission in binary mode.
ftp> lcd D:\FTP /Set the directory that stores the files required for the upgrade on PC2.
Step 3 Run the put command to upload the NIPV500R001C50SPC100.bin file to the CF card of the
NGFW. The name of the file to be uploaded cannot be the same as the name of any existing
file in the CF card. If a file with the same name already exists in the CF card, the file is
replaced by the uploaded file.
ftp> put D:\FTP\NIPV500R001C50SPC100.bin
Depending on the network conditions, the upload of the version software may take some time.
Please wait. After the upload is complete, check whether the size of the file in the CF card is
consistent with that on PC2. If no, re-upload the file to ensure that the file is completely
uploaded to the CF card.
NOTICE
Convert the configuration file of the original version to that of V500R001C50SPC100. For details, see Configuration Conversion.
Step 4 Run the put command to upload the configuration file that has been converted (for example,
vrpcfg_new.cfg) to the CF card of the NGFW. The name of the file to be uploaded cannot be
the same as the name of any existing file in the CF card. If a file with the same name already
exists in the CF card, the file is replaced by the uploaded file.
ftp> put D:\FTP\vrpcfg_new.cfg
After the upload is complete, check whether the size of the file in the CF card is consistent
with that on PC2. If no, re-upload the file to ensure that the file is completely uploaded to the
CF card.
Step 5 When the file upload is complete, exit the FTP environment. Log in to the CLI of the NGFW
through Telnet or SSH from PC1.
Step 6 In the user view, run the startup system-software filename command to specify the version
software for the next startup of the NGFW.
<NGFW> startup system-software NIPV500R001C50SPC100.bin
Info:System software for the next startup:hda1:/NIPV500R001C50SPC100.bin, start read file....
Succeeded in setting the software for booting system.
Step 7 In the user view, run the startup saved-configuration filename command to specify the
configuration file for the next startup of the NGFW as the uploaded file.
<NGFW> startup saved-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.
Step 8 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Run the put command to upload the new license file (for example, license_new.dat) to the CF
card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
Run the license active filename command in the system view to activate the license file.
[NGFW] license active license_new.dat
Info:License is successfully activated.
NOTICE
l If no content security feature is involved, skip this step.
l Ensure that an activated license file is available. If the license file is not activated, the
upgrade fails.
l You must obtain the component package from the security center (http://sec.huawei.com)
in advance and upload it to the $_install_mod folder in the root directory. Then, load the
component package as follows:
Upgrading the content security feature component package applies to the following
scenarios:
l Upgrading V500R001 to V500R001C50SPC100.
install-module CSG_H50010000_yyy.mod next-startup
After the configuration is complete, run the display module-information verbose command
to view details on the dynamically loaded component package. The following information is a
part of the command output. If the State value is INSTALL_OK, the component package has
been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
NOTICE
l If the configuration file for the next startup is imported, restart the device without saving
the running configuration. Otherwise, the running configuration will overwrite the
imported configuration.
l For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file is not
imported, you are advised to save the current configurations before restarting the device.
----End
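Steps 3 and 4 of this procedure verify an upload by comparing file sizes. As an added example (not code from the guide), the following Python script performs the same upload with ftplib in binary mode and then reads the file back and compares SHA-256 hashes, which also catches a corrupted copy of the same size; it assumes the NGFW FTP server accepts STOR and RETR as the Windows client issues them, and the FakeFTP class is a constructed stand-in so the logic can be run offline.

```python
import ftplib
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream a local file through SHA-256 (the .bin files are large)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def connect(host, user, password):
    """Open the session the guide opens with `ftp 192.168.0.1` (assumed host)."""
    ftp = ftplib.FTP(host)
    ftp.login(user, password)
    return ftp


def upload_and_verify(ftp, local_path, remote_name=None, retries=2):
    """Upload local_path in binary mode, read it back, and compare SHA-256.

    Returns the hex digest once the copy on the CF card matches. Raises
    RuntimeError if it still differs after `retries` re-uploads, which is
    the guide's "re-upload the file" rule made automatic.
    """
    remote_name = remote_name or os.path.basename(local_path)
    expected_size = os.path.getsize(local_path)
    expected = sha256_of_file(local_path)
    ftp.voidcmd("TYPE I")                      # same as `ftp> binary`
    for _ in range(retries + 1):
        with open(local_path, "rb") as fh:
            ftp.storbinary("STOR " + remote_name, fh)   # same as `ftp> put`
        h, got = hashlib.sha256(), 0

        def collect(block):
            nonlocal got
            h.update(block)
            got += len(block)

        ftp.retrbinary("RETR " + remote_name, collect)  # read it back
        if got == expected_size and h.hexdigest() == expected:
            return expected
    raise RuntimeError(f"{remote_name}: copy on the device still differs "
                       f"after {retries} re-uploads")


class FakeFTP:
    """Constructed in-memory stand-in for ftplib.FTP (offline demo only).

    With corrupt_first=True the first stored copy is truncated, mimicking
    an upload that broke off, so the retry path is exercised.
    """
    def __init__(self, corrupt_first=False):
        self.files, self.stores, self.corrupt_first = {}, 0, corrupt_first

    def voidcmd(self, cmd):
        return "200 Type set to I."

    def storbinary(self, cmd, fh, blocksize=8192):
        data = fh.read()
        self.stores += 1
        if self.corrupt_first and self.stores == 1:
            data = data[: len(data) // 2]
        self.files[cmd.split(" ", 1)[1]] = data

    def retrbinary(self, cmd, callback, blocksize=8192):
        data = self.files[cmd.split(" ", 1)[1]]
        for i in range(0, len(data), blocksize):
            callback(data[i:i + blocksize])


def demo():
    """Push a constructed config file through a FakeFTP whose first copy is truncated."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vrpcfg_new.cfg")
        with open(path, "wb") as fh:
            fh.write(b"#\n sysname NGFW\n#\nreturn\n" * 1000)
        ftp = FakeFTP(corrupt_first=True)
        digest = upload_and_verify(ftp, path)
        return digest == sha256_of_file(path), ftp.stores


if __name__ == "__main__":
    print(demo())   # (True, 2): the truncated first copy was caught and re-uploaded
    # Real use, with the assumed address and account from the guide's session:
    # ftp = connect("192.168.0.1", "ftpuser", "<password>")
    # upload_and_verify(ftp, r"D:\FTP\NIPV500R001C50SPC100.bin"); ftp.quit()
```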
Then run the display startup command in any view to check the current version software and
configuration file, and those for the next startup.
<sysname> display startup
MainBoard:
Configured startup system software: hda1:/V500R001C50SPC100.bin
Startup system software: hda1:/V500R001C50SPC100.bin
CPU utilization for ten seconds: 13.0% : one minute: 13.0% : five minutes: 13.0%
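As an added example (not from the guide), the following Python functions parse the display startup and display module-information verbose output shown above and report whether the next-startup software is the target file, the device actually booted it, and every component State is INSTALL_OK. The sample outputs are transcribed from this section; the function names are mine.

```python
import re

# Sample outputs transcribed from this section of the guide.
MODULE_OUTPUT = """\
Module Information
------------------------------------------------------------------------
Module        Version   InstallTime                 PackageName
------------------------------------------------------------------------
ConSecGroup   1.0.0.0   2015-12-23 11:13:37+00:00   CSG_H50010000_yyy.mod
************************************************************************
*          Content Security Group information, as follows:             *
************************************************************************
Slot   Type   State         Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK    -
************************************************************************
*          URL Filter information , as follows:                        *
************************************************************************
Slot   Type   State         Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK    -
"""

STARTUP_OUTPUT = """\
MainBoard:
Configured startup system software: hda1:/V500R001C50SPC100.bin
Startup system software: hda1:/V500R001C50SPC100.bin
"""

SECTION_RE = re.compile(r"^\*\s+(.+?) information\s*,?\s*as follows:")


def module_states(output):
    """Map each '* <name> information' section to the State column of its row."""
    states, section = {}, None
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        if section is None or line.startswith(("Slot", "-----", "*")):
            continue
        cols = line.split()          # Slot Type State Detail
        if len(cols) >= 3:
            states[section] = cols[2]
    return states


def modules_ok(output):
    """True only if every loaded component reports INSTALL_OK."""
    states = module_states(output)
    return bool(states) and all(s == "INSTALL_OK" for s in states.values())


def startup_software(output):
    """Return (configured next-startup file, currently running file)."""
    fields = {}
    for line in output.splitlines():
        if "system software" in line and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return (fields.get("Configured startup system software"),
            fields.get("Startup system software"))


def upgrade_verified(startup_out, module_out, target="V500R001C50SPC100.bin"):
    """Next-startup file is the target, the device booted it, and modules loaded."""
    configured, running = startup_software(startup_out)
    return (configured is not None and configured.endswith("/" + target)
            and running == configured and modules_ok(module_out))


if __name__ == "__main__":
    print(module_states(MODULE_OUTPUT))
    print(upgrade_verified(STARTUP_OUTPUT, MODULE_OUTPUT))
```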
In any view, run the display health command to check the CPU and memory usage.
<sysname> display health
System Memory Usage Information:
System memory usage at 2015-11-17 21:10:41
-------------------------------------------------------------------------------
0 13% 80%
-------------------------------------------------------------------------------
If the CPU and memory usage before and after the upgrade differ only slightly, the device is running properly.
In normal cases, the interface card status is Normal. If the Status field is displayed as
Abnormal, the interface card in the slot runs improperly.
If the interface cards in certain slots do not work properly, contact the technical support
personnel.
You can also use Beyond Compare to compare the configuration files before and after the
upgrade.
Recover the configuration based on the check result or contact the technical support
personnel.
Prerequisites
NOTICE
To roll back to the source version, for V500R001C50, run the set system-software check-mode all command; for other versions, directly roll back the version.
Before rolling back to the original version, make sure that the corresponding configuration file (backed up before the upgrade) has been loaded to the CF card of the device and specified as the file for the next startup by running the startup saved-configuration cfg-filename command. Then restart the device. This avoids configuration loss due to CLI differences between versions.
Upload the sensitive feature component package *.mod corresponding to the source version
to the device.
Application Scenario
The version rollback needs to be implemented if:
l The device cannot start normally after upgrade, and the current version needs to be rolled
back to the previous one.
In this case, you need to roll the version to the backup source version in BootROM
mode. The detailed procedure is the same as that of upgrading the version software in
BootROM mode. For details, see Appendix A: Upgrading System Software Using
BootROM.
l The device can start normally after upgrade, but a certain function cannot run normally,
and therefore the current version needs to be rolled back to the previous one.
In this case, you can adopt either of the following modes to roll back the version:
Roll back the version through command lines. The detailed procedure is the same as
that of upgrading the version software in CLI mode. For details, see Upgrade
Through CLI.
Roll back the version through Web. The detailed procedure is the same as that of
upgrading the version software in Web mode. For details, see Upgrade Through
Web.
Roll back the version using BootROM. The operations are the same as those for
upgrading the system software using BootROM. For operation details, see
Appendix A: Upgrading System Software Using BootROM.
NOTICE
As the database is different, the following operation will clear all logs.
ii. In the system view, run the delete log sdb command to delete the IDNAME
log file.
Precautions
During the version rollback, note the following:
1. The precautions and the result check method of the version rollback operation are the
same as those of the version upgrade operation. For details, see the descriptions of
corresponding upgrade modes.
2. During the version rollback, services are interrupted temporarily. The interruption
duration depends on the rollback mode and the service configuration.
Before the version rollback, contact technical support personnel to determine whether the
target version needs to be patched. If yes, install the patch immediately after the version
rollback is complete. For how to install the patch, see the usage guide of the corresponding
patch version.
1.4.1 Overview
Dual-system hot backup is an important feature of the device. In dual-system hot backup, two devices are deployed; if one device is faulty, the other takes over its work immediately. In this way, a single point of failure is avoided, and network stability and reliability are improved. For details, see the corresponding product documentation.
You must follow certain procedures and principles when upgrading the version software in a dual-system hot backup network. The main principle is to upgrade the backup device first and then the master device, each independently. Note that the HRP backup channel (the heartbeat line) must be disconnected during the upgrade.
NOTICE
When upgrading the version software in dual-system hot backup, the target version software of the master device must be the same as that of the backup device.
Context
Figure 1 shows the detailed upgrade procedure, which is adopted for the master/backup mode
and the load balancing mode.
Figure 1-38 Flowchart of the version software upgrade in dual-system hot backup
environments
Use the active/standby mode as an example. Before the upgrade, NIP_A serves as the active device and FW_B as the standby one.
Procedure
Step 1 Disconnect FW_B (whose prompt is HRP_S<FW_B>) from its upstream and downstream devices, and disconnect the HRP backup channel (the heartbeat line) between FW_B and FW_A. Shut down the HRP backup channel only on the FW_B side.
Log in to FW_B through Telnet or SSH. Run the shutdown command on the interfaces
connecting FW_B to upstream and downstream devices, and interface of the HRP backup
channel between FW_B and FW_A. Suppose that on FW_B, the interfaces connected to
upstream and downstream devices are GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1, and
the interface of the HRP backup channel connected to FW_A is GigabitEthernet 1/0/2. Do as
follows:
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
HRP_S[FW_B-GigabitEthernet1/0/2] shutdown
Then wait one to two minutes to ensure that the session information on FW_B is completely backed up to FW_A. You can run the display firewall session table command to check whether the numbers of sessions on both devices are consistent. If so, proceed with the following operations.
After previous operations are performed, FW_B becomes active, while FW_A becomes
standby. If the preemption function is enabled, FW_A will become active after a while and
start to forward service traffic.
Step 6 Observe the service running status. Check the session table information on FW_A and FW_B to verify the upgrade. If the services are running properly, run the save command to save the configurations on FW_A and FW_B. Perform the following operations:
HRP_M<NIP_A> save
HRP_S<NIP_B> save
In addition, simulate link or device faults (run the shutdown command on relevant interfaces)
after successful upgrade and service tests, so that the device performs an active/standby
switchover. Then check whether the dual-system hot backup function is normal after upgrade.
Roll back the version to that before the upgrade if necessary. For details on version rollback,
see Version RollBack . The version rollback process in dual-system hot backup networking is
----End
1.5.1 Background
When the device fails to load the system software, and you cannot log in to the device using
the Web UI or CLI, upgrade the system software using BootROM.
At present, the device supports the system software transmission to the CF card using FTP or
TFTP in the BootROM menu. The device, serving as the client, downloads the system
software from the FTP/TFTP server, as shown in Figure 1. You must install the third-party
FTP/TFTP server software on PC2.
NOTE
You can use a single PC to run both the HyperTerminal program and the FTP client. For ease of description, two PCs are used as an example.
The following section provides an example of how the device downloads the system software
from the FTP server.
Context
Figure 1 shows the process for upgrading the system software using BootROM.
Figure 1-40 Flowchart for upgrading the system software using BootROM
Context
The serial port of PC1 is connected to the console port of the device with a standard RS-232
configuration cable. Run the terminal emulation program (use the HyperTerminal in the
Windows XP as an example) on PC1 to ensure that PC1 communicates with the console port
of the device.
Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server according to the documentation delivered with the program. It is assumed that you obtained the FTP server program legitimately, that you have created an FTP user whose name is 123 and password is 123, and that the root directory of this user is the directory holding the files to be uploaded or downloaded.
Step 2 Power on or reboot the device.
Step 3 After the device is powered on, you can run the terminal emulation program on PC1 to check
the device startup process. When the following information is displayed, press Ctrl+B within
three seconds.
Password:
********
Step 4 In the BootROM main menu, enter 3 to access file management menu.
==================< File Management Menu >==================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-5):
In the file management menu, enter 1 to check the available space in the CF card. If the
available space of the CF card is insufficient, enter 3 to delete unnecessary files.
Ensure that the CF card has sufficient available space. Enter 0 to return to the BootROM main
menu.
Step 5 In the BootROM main menu, enter 4 to access the load and upgrade menu.
=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6):
In the load and upgrade menu, enter 2 to access the application software upgrade menu. The
current parameter settings are displayed.
Net Paramter:
Protocol type : 1
Unit number : 0
In the application software upgrade menu, enter 2 to modify the load parameters.
Protocol type:
<1> FTP <2> TFTP
NOTE: TFTP protocol limits the file length to 32M bytes.
Protocol type : 1
Unit number : 0
..........................................................................Done.
FTP user name: Indicates the user name, which must be the same as that specified on the FTP server.
After the download is complete, the device automatically specifies the downloaded system
software as that to be used at the next startup. Enter 0 to return to the load and upgrade menu.
Then, enter 0 to return to the BootROM main menu.
Step 6 In the load and upgrade menu, enter 3 to download the converted configuration file.
Net paramter:
Protocol type : 1
Unit number : 0
Load file name :vrpcfg_new.cfg
Download file to : hda1:
<1> Download file.
<2> Modify parameters.
<0> Quit
After the downloading is complete, enter 0 to return to the load and upgrade menu. Then,
enter 0 to return to the BootROM main menu.
Step 7 In the BootROM main menu, enter 2 to specify the system software and configuration file.
====================< Extend Main Menu >====================
| <1> Boot System                                          |
| <2> Set Startup Application Software and Configuration   |
| <3> File Management Menu...                              |
| <4> Load and Upgrade Menu...                             |
| <5> Modify Bootrom Password                              |
| <6> Reset Factory Configuration                          |
| <0> Reboot                                               |
|----------------------------------------------------------|
| Press Ctrl+Z to Enter Diagnose Menu...                   |
============================================================
<1> Modify setting
<0> Quit
After the setting is complete, enter 0 to return to the BootROM main menu.
----End
Prerequisites
The prerequisites for console port login are as follows:
Context
IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the NIP6300/6600
by default. You can use this IP address and the default user name admin and password
Admin@123 to log in to the CLI of the NIP6300/6600 through Telnet. If the Telnet
configuration is cancelled or you desire to use SSH for the login, log in to the NIP6300/6600
from the console port to construct the Telnet or SSH environment.
Figure 1 shows the connection for configuring the upgrade environment using the console port. The serial port of the PC is connected to the console port of the device with a standard serial cable.
The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the device. Using the cables of other
vendors might cause unexpected faults. If a mini USB console port is used, purchase the mini
USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used
together. If both ports are connected, only the mini USB console port is available.
Figure 1-41 Establishing the upgrade environment through the console port
Procedure
Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the terminal emulation program (for example, Windows XP HyperTerminal) on the PC. The Connection Description dialog box is displayed, as shown in Figure 2.
Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1)
of the PC for connecting to the NIP6300/6600 from the Connect using drop-down list box, as
shown in Figure 3.
Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be the same
as those of the console port on the NIP6300/6600.
By default, the user name and password are admin and Admin@123 respectively for logging
in to the NIP6300/6600 through the console port. If you forget the user name and password
configured on the console port, see Password of the Console Port Is Forgotten.
Step 5 Configure upgrade environment.
l Configure Telnet for login.
Enable the Telnet service on GE 0/0/0 of the device. Configure AAA authentication and Telnet for the virtual type terminal (VTY) user interface. Create a local Telnet user with the user name user1 and the password Password1.
V500R001:
<NIP> system-view
[NIP] telnet server enable
[NIP] interface GigabitEthernet 0/0/0
[NIP-GigabitEthernet0/0/0] ip address 192.168.1.1 255.255.255.0
[NIP-GigabitEthernet0/0/0] service-manage telnet permit
[NIP-GigabitEthernet0/0/0] service-manage enable
[NIP-GigabitEthernet0/0/0] quit
[NIP] user-interface vty 0 4
[NIP-ui-vty0-4] authentication-mode aaa
[NIP-ui-vty0-4] user privilege level 3
[NIP-ui-vty0-4] quit
[NIP] aaa
[NIP-aaa] authorization-scheme default
[NIP-aaa-auth-default] quit
[NIP-aaa] manager-user user1
[NIP-aaa-manager-user-user1] password cipher Password1
[NIP-aaa-manager-user-user1] level 15
[NIP-aaa-manager-user-user1] service-type telnet
[NIP-aaa-manager-user-user1] quit
[NIP-aaa] bind manager-user user1 role system-admin
[NIP-aaa] quit
[NIP] firewall zone trust
[NIP-zone-trust] add interface GigabitEthernet0/0/0
[NIP-zone-trust] quit
----End
Prerequisites
Before you log in to the NIP6300/6600 using the console port, complete the following tasks:
Context
When the system software needs to be upgraded remotely, but the Web environment is not
configured, you can log in to the NIP6300/6600 through the console port and then configure
the Web environment. Then you can log in to the NIP6300/6600 remotely using Web to
upgrade the system software.
This section describes how to establish the HTTP-based upgrade environment through the
console port.
Figure 1 shows the connection for configuring the upgrade environment using the console port. The serial port of the PC is connected to the console port of the NIP6300/6600 with a standard serial cable.
The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the NIP6300/6600. Using the cables
of other vendors might cause unexpected faults. If a mini USB console port is used, purchase
the mini USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be
used together. If both ports are connected, only the mini USB console port is available.
Procedure
Step 1 Run the terminal emulation program, such as the HyperTerminal of Windows XP, on the PC.
Choose Start > Programs > Accessories > Communications > HyperTerminal.
The Connection Description dialog box is displayed, as shown in Figure 2.
Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of
the PC for connecting to the NIP6300/6600 from the Connect using drop-down list box, as
shown in Figure 3.
Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 4. The communication parameters of COM1 must be consistent with those of the console port on the NGFW.
NOTE
If an administrator uses HTTP to access the web UI, the device automatically redirects the access to the more secure HTTPS service. If the browser displays a notification about an insecure certificate, you can continue browsing.
----End
Procedure
Step 1 Restart the NIP6300/6600 and access the BootROM main menu.
Step 4 After device startup, use the default user name admin and password Admin@123 for login
and use FTP to save the renamed configuration file to the PC.
Step 5 Reconfigure a user and copy the user information generated by the device to the renamed
configuration file.
manager-user newuser
password cipher %@%@@)wB&=/Q1Fvhl1W=,4C)Vpg^C.0{VCnlxU^3svMxY@^A)vmh%@%@
service-type web terminal telnet
level 15
Step 6 Upload the modified configuration file to the device and specify the file as the one to be used at the next startup. After the device restarts, you can use the configured user information to log in.
----End
Context
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the NIP6300/6600 and upload or download files through FTP. This method requires third-party FTP server software to be installed on PC2.
NOTE
You can also use a single PC as both the Telnet/SSH client and the FTP server. The following example uses the two-PC deployment.
Figure 1-49 Schematic diagram of uploading/downloading files through FTP and with the
NIP6300/6600 serving as the FTP client
Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server according to the documentation available with the program. It is assumed that you obtained the FTP server program legitimately; describing the program itself is beyond the scope of this document. Assume that an FTP user with the user name 123 and password 123 already exists and that the root directory of this user is set to the storage path of the files to be uploaded or downloaded.
Step 2 Log in to the NIP6300/6600 from PC1 through Telnet/SSH.
Step 3 Log in to the FTP server from the NIP6300/6600. Run the ftp ip-address command in the user view to establish an FTP connection to the PC and enter the FTP client view. The following operation assumes that the IP address of the FTP server is 192.168.0.2.
<NIP> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
Step 4 Upload files from the storage media of the NIP6300/6600 to the FTP server. Run the put local-filename [ remote-filename ] command in the FTP client view to upload files to the FTP server.
[ftp] binary /Run the binary command to specify file transmission in binary mode.
[ftp] put vrpcfg.zip
After the uploading is complete, check whether the sizes of files on the FTP server are the
same as those in the CF card. If no, re-upload the files to ensure that they are completely
uploaded to the FTP server.
Step 5 Download files from the FTP server to the storage media of the NIP6300/6600. Run the get remote-filename [ local-filename ] command in the FTP client view to download files from the FTP server.
[ftp] binary /Run the binary command to specify file transmission in binary mode.
[ftp] get vrpcfg.zip
After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the FTP server. If no, re-download the files to ensure that they are
completely downloaded to the CF card.
----End
Context
As shown in Figure 1, the NIP6300/6600 serves as the SFTP server. Log in to the SFTP server from PC2 and upload/download files through SFTP. This method requires a third-party SFTP client program (such as WinSCP) to be installed on PC2.
NOTE
You can also use a single PC as both the Telnet/SSH client and the SFTP server. The following example uses the two-PC deployment.
Figure 1-50 Schematic diagram of uploading/downloading files through SFTP and with the
NIP6300/6600 serving as the SFTP server
The roadmap for configuring an SFTP client (PC2) to communicate with an SSH server
(NIP6300/6600) is as follows (RSA authentication is used):
Procedure
Step 1 Enable the SSH service on interface GigabitEthernet 0/0/0.
<NGFW> system-view
[NGFW] interface GigabitEthernet 0/0/0
[NGFW-GigabitEthernet0/0/0] service-manage ssh permit
[NGFW-GigabitEthernet0/0/0] service-manage enable
[NGFW-GigabitEthernet0/0/0] quit
Create SSH user client and set the authentication type to rsa, service type to SFTP, and
service directory to hda1:
Step 4 Generate a local key pair on PC2. The local key pair consists of host key and server key.
Step 5 Copy the host key of PC2 to the NIP6300/6600 as the peer public key named RsaKey001.
[NIP] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[NIP-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[NIP-rsa-key-code] 3047
[NIP-rsa-key-code] 0240
[NIP-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[NIP-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[NIP-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[NIP-rsa-key-code] 1D7E3E1B
[NIP-rsa-key-code] 0203
[NIP-rsa-key-code] 010001
[NIP-rsa-key-code] public-key-code end
[NIP-rsa-public-key] peer-public-key end
----End
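As an added example (not from the guide), the following Python code decodes the key code pasted into the rsa peer-public-key view above as a PKCS#1 RSAPublicKey, reports the modulus size (512 bits for the sample key on this page) and the public exponent, and computes the OpenSSH-style SHA256 fingerprint so that the key entered on the device can be compared with what ssh-keygen -lf reports for the same key on PC2. The key code is transcribed from the page; the function names are mine.

```python
import base64
import hashlib

# Key code transcribed from the page's example (a 512-bit sample key).
KEY_CODE_HEX = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(hex_text):
    """Return (modulus, exponent) from the hex key code of a PKCS#1 RSAPublicKey."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    t1, n_bytes, pos = _read_tlv(seq, 0)
    t2, e_bytes, pos = _read_tlv(seq, pos)
    if (t1, t2) != (0x02, 0x02) or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    # Treat both integers as unsigned: the device's key code omits the leading
    # 0x00 that strict DER requires when the top bit of the modulus is set.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _mpint(value):
    """SSH mpint: big-endian with a leading 0x00 if the top bit is set, length-prefixed."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw


def ssh_rsa_fingerprint(n, e):
    """OpenSSH 'SHA256:...' fingerprint of the ssh-rsa wire encoding of (e, n)."""
    name = b"ssh-rsa"
    blob = len(name).to_bytes(4, "big") + name + _mpint(e) + _mpint(n)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def describe(hex_text=KEY_CODE_HEX):
    """Summarise a key code: modulus bits, exponent and fingerprint."""
    n, e = parse_rsa_public_key(hex_text)
    return {"bits": n.bit_length(), "e": e, "fingerprint": ssh_rsa_fingerprint(n, e)}


if __name__ == "__main__":
    print(describe())
```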
Example
After the SFTP client connects to the SSH server, run the display ssh server status and
display ssh server session commands on the SSH server to check whether the SFTP service
is enabled and whether the SFTP client is connected to the SSH server.
- Check SSH server status.
[NIP] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Disable
Conn : VTY 4
Version : 2.0
State : started
Username : client
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
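Added example, not part of the guide: a small audit that parses the session output shown above and flags negotiated algorithms that are regarded as legacy today; the legacy list and the reasons attached to it are this example's assumptions.

```python
"""Audit the output of display ssh server session (added example).

Reads the "Field : Value" lines shown on this page and reports SSH algorithms
that are considered legacy today, so an operator can see at a glance whether
the SFTP session negotiated weak crypto. The legacy list is this example's
assumption, not taken from the page.
"""
from typing import Dict, List

# Constructed sample: the session output shown on this page.
PAGE_SESSION_OUTPUT = """\
Conn : VTY 4
Version : 2.0
State : started
Username : client
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
"""

# Assumed policy: reasons an algorithm is flagged (not from the page).
LEGACY_ALGORITHMS = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1 key exchange",
    "hmac-sha1-96": "truncated SHA-1 MAC",
    "hmac-sha1": "SHA-1 MAC",
    "aes128-cbc": "CBC-mode cipher (prefer CTR or AEAD modes)",
    "3des-cbc": "3DES cipher",
}

# Fields whose values name a negotiated algorithm.
ALGORITHM_FIELDS = ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex")


def parse_session(output: str) -> Dict[str, str]:
    """Turn 'Field : Value' lines into a dict; lines without ':' are ignored."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_session(output: str) -> List[str]:
    """Return one finding per legacy algorithm in use, in ALGORITHM_FIELDS order."""
    fields = parse_session(output)
    findings = []
    for name in ALGORITHM_FIELDS:
        algo = fields.get(name, "").lower()
        if algo in LEGACY_ALGORITHMS:
            findings.append(f"{name}={algo}: {LEGACY_ALGORITHMS[algo]}")
    return findings


def session_is_sftp_rsa(output: str) -> bool:
    """The check the guide performs by eye: SFTP service with RSA authentication."""
    fields = parse_session(output)
    return (fields.get("Service Type") == "sftp"
            and fields.get("Authentication Type") == "rsa")


if __name__ == "__main__":
    print("sftp/rsa session:", session_is_sftp_rsa(PAGE_SESSION_OUTPUT))
    for finding in audit_session(PAGE_SESSION_OUTPUT):
        print("legacy:", finding)
```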
Context
As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the
NIP6300/6600 and upload or download files through TFTP. This method requires the
third-party TFTP server software to be installed on the PC2.
NOTE
You can also use a PC as both the Telnet/SSH client and the TFTP server. The following example
uses the two-PC deployment.
Figure 1-51 Schematic diagram of uploading/downloading files through TFTP and with the
NIP6300/6600 serving as the TFTP client
Procedure
Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure the TFTP
server according to the documentation provided with the program. It is assumed that you obtain
the TFTP server program in a legitimate way; a description of the program is beyond the scope of
this document. The following operation assumes that the root directory of the TFTP server is
set to the storage path of the files to be uploaded/downloaded.
Step 3 Upload files in storage media of the NIP6300/6600 to the TFTP server.
NOTICE
Due to the limitation of third-party TFTP server software, TFTP upload of files larger than 16
MB may fail. Therefore, you are advised to use FTP to upload the files larger than 16 MB.
Run the tftp ip-address put source-filename [ destination-filename ] command in the user
view to upload files to the TFTP server. The following operation assumes that the IP address
of the TFTP server is 192.168.0.2.
<NIP> tftp 192.168.0.2 put test.bin
After the uploading is complete, check whether the sizes of files on the TFTP server are the
same as those in the CF card. If no, re-upload the files to ensure that they are completely
uploaded to the TFTP server.
Step 4 Download files from the TFTP server to the CF card of the NIP6300/6600. Run the
tftp ip-address get source-filename [ destination-filename ] command in the user view to
download files from the TFTP server.
<NIP> tftp 192.168.0.2 get temp.bin
After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the TFTP server. If no, re-download the files to ensure that they are
completely downloaded to the CF card.
----End
Context
The license file to be loaded on the device is a .dat file. This file is not delivered with the
device and is independently generated by the license center of Huawei.
Procedure
Step 1 Obtain a license authorization code (Entitlement ID).
Find the license authorization certificate in the delivery accessories and obtain the Entitlement
ID, as shown in Figure 1.
NOTE
The license authorization certificate is delivered together with the product to the customer in A4 papers
or CD-ROMs.
Log in to http://app.huawei.com/isdp and obtain the license file by following the procedure
in the system help or the displayed information.
NOTICE
To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to
the ESN.
If you cannot obtain the license file, contact the local technical support personnel.
Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.
The license center automatically combines the licenses for new features with the existing
license, and generates a new license.
----End
Check of upgrade operations: upgrade successful or not
CF Compact Flash
IP Internet Protocol
IPSec IP Security
2 NIP6800
NOTICE
1. Before an upgrade from a patch version, run the patch delete all command to delete the
patch.
2. Perform the upgrade.
V500R001C00SPC300, V500R001C00SPC500, V500R001C20SPC100,
V500R001C20SPC200 and V500R001C20SPC300 cannot directly upgrade to
V500R001C50SPC100. Instead, upgrade them to V500R001C50SPC100 first or install the
following patches:
- For V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300, install
V500R001SPH002.
NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V3 upgrades are not recommended. If there are such requirements, contact Huawei
engineers.
3. To roll back from V500R001C50 to an earlier version, run the set system-software
check-mode all command. For other versions, rollback can be performed directly.
Note the following items for patch upgrades:
- After activating the patch and setting the startup configuration file, ensure that the patch is
in activated state when the reboot or reboot fast command is used to restart the system.
Otherwise, the system restart may fail.
- If the patch is mistakenly deleted and the system restart fails after the startup configuration
file is set, you must re-activate the patch and restart the system again. For a high-end
firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not,
delete the patch and then install and activate it again.
Table 1 lists all boards applicable to the NIP6800, including MPUs, SPUs, SFUs, and LPUs.
The NIP6800 has many historical boards and software versions. Certain scenarios do not
support the upgrade or have restrictions. Before the upgrade, you must read this section
carefully and confirm that the current hardware configuration meets the upgrade requirement.
Board types: MPU, SPU, SFU, LPU
License ESN: 210305G06R0000000000, 210305G06R0000000000
Pay attention to the P/N information about the boards in mother slots, not in sub-slots.
For the NIP6830, pay attention to the boards in slots 1 to 3.
For the NIP6860, pay attention to the boards in slots 1 to 8.
For the , pay attention to the boards in slots 1 to 16.
No. | Feature | Purpose
1 | The device can parse NSH packets. | To allow the device to parse and forward NSH packets.
8 | IPSec forwarding adapts the user-configured IPSec source port. | To identify IKE or ESP packets based on the user-configured port.
9 | The northbound interface is added. Virtual-if-[vsysname] can be used to deliver the Virtual-if configuration. | To improve the Controller's delivery efficiency. The device does not obtain the ID of a created virtual system.
No. | Feature | Description | Purpose | Impact
2 | Maintenance and management of the logical resource pool | The usage of virtual systems and ARP resources can be obtained. | Function enhanced. | None.
3 | Web interface traffic statistics | Before modification, traffic statistics on all interfaces apply to virtual system interfaces. After the modification, traffic statistics on all interfaces equal the sum of traffic on interfaces in the corresponding system. | If the maximum number of virtual systems are created, too many memory resources are occupied. | None.
5 | Cloud sandbox interworking | AAPT interworking supports HTTPS. | The firewall AAPT can interconnect with a cloud sandbox through HTTPS. | As old devices do not have preset certificates, you must manually import the certificate and key for cloud sandbox interworking.
6 | SSL proxy | The SSL server certificate supports virtualization. | The certificate can be virtualized. | None.
7 | Quota control | (1) The alarm threshold reminders are added for daily duration quota, daily traffic quota, and monthly traffic quota. (2) A device domain name can be set to hide the device IP address on the pushed alarm and quota exhaustion web pages. | Agile Controller-Campus supports policy traffic statistics. | None.
Deleted Features
None.
New Commands
Command | Description | Impact
Original command: display ipsec statistics
New command: display ipsec statistics all-systems
Change description: The keyword all-systems is added.
Upgrade impact: This command is used in the root system before C50. After the upgrade to C50, you must run the display ipsec statistics all-systems command to display IPSec statistics in the root system.
Deleted Commands
None.
The license can still be used after the upgrade from V500R001C50 to V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C50 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
Deleted Features
No. | Feature | Description
3 | Collection of the accumulated value of specific policy traffic through the OID | This feature enables the NMS to analyze the traffic and policy in a more convenient way.
10 | System memory detection mechanism | To detect memory overwriting and memory leak issues.
11 | Detection of abrupt KPI information change | To detect abrupt changes of the memory, CPU usage, and session, and send alarms.
12 | Disabling of the bound interface when the CPU usage exceeds the threshold | To disable the previously bound interface when the CPU usage exceeds the specified threshold.
13 | Customization of session log templates in syslog format | The function is enhanced.
14 | Enhanced session log function | The function is enhanced.
15 | Real-time traffic statistics collection | The function is enhanced.
16 | Alarm on the exhaustion of forwarding resources on the firewall | The function is enhanced.
17 | Enhanced restriction on the number of new connections | The function is enhanced.
19 | Alarm on abrupt session changes | The function is enhanced.
20 | Multicast packet filtering | The function is enhanced.
21 | Filtering and viewing of blacklists of various types | The function is enhanced.
No. | Category | Feature | Purpose | Impact
1 | Policy | In policy query, related policies can be rapidly located based on quintuple information (or accurate source and destination information, and source and destination address segments). Policy objects support fuzzy query and association with the drop-down list. | The ease of use shall be improved. | None
6 | HRP | The support of smooth upgrade is added. | The function is enhanced. | None
7 | BWM | The northbound function is added for the per-user maximum connection rate and per-IP address maximum connection rate. Virtualization is supported. | The function is enhanced. | None
8 | PKI | When the certificate or key pair is imported through the CLI, the file shall be uploaded to the corresponding directory (public on the root firewall and vsys+vsysid on the virtual firewall) under cfcard:/pki or hda1:/pki. | The function is enhanced. | None
10 | Session log | Sending encrypted session logs over an IPsec tunnel is supported. | The function is enhanced. | None
12 | Application | After the SA signature database is updated, application names of functions that reference applications, such as integrated policy, application group, and port mapping, are smoothly updated to new names after configuration update. For example, QQ_Webmail is updated to WebMail_QQ, and GMail to WebMail_GMail. | The function is enhanced. | None
None
New commands
For new command details, see the product document.
Modified commands
Original command: ssl whitelist userdefined-hostname xxx
New command: ssl whitelist hostname xxx
Change description: Modify keywords.
Impact of the upgrade: None
Original command: reset arp { static | all | slot STRING<1-256> | dynamic }
New command: reset arp { static | slot STRING<1-256> | dynamic }
Change description: Traffic interruption resulting from misoperations is prevented.
Impact of the upgrade: None
Deleted commands
Command | Cause of Deletion | Impact
The license can still be used after the upgrade from V500R001C30SPC300 to V500R001C50.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC300 to V500R001C50. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
Configuration conversion tool: V100R006C00B023
When upgrading the software version during the running of the device, to make the new
software version effective, you need to restart the NIP6800, which interrupts services.
When to restart the NIP6800 for the upgrade depends on your requirements. You need to
choose a suitable upgrade time to minimize the impacts on services.
2.2.2 Precautions
During the upgrade, take the following precautions:
1. Ensure a stable power supply during the upgrade and avoid power failures. If the
device cannot start normally after a power failure, try to upgrade in BootROM mode. For
details, see section "Upgrade Through BootROM."
2. The registration of boards takes a period of time. After the device is restarted, do not
perform any operations until all the boards are registered. When you run the display
device command to display the registration status of a board, Registered is displayed in
the Register field and Normal is displayed in the Status field.
3. Do not use the USB port of the MPU for version upgrade.
4. In case of dual MPUs, if one MPU is faulty and you replace it with a new one, you must
upgrade the new one. For details, see "Appendix: Upgrading the MPU."
License file (license.dat) | Save the software package and export it to a local PC. | To back up the currently used license file.
Patch file | Save the software package and export it to a local PC. | To back up the currently used patch file.
Context
You need to collect the following files for the upgrade:
3. PAF file
Indicates a version information file. Select the paf.txt file.
Procedure
Step 1 Log in to the homepage of Huawei at http://support.huawei.com/enterprise.
Step 2 If you are not a registered user, you need to go to 3 to register first. If you are already a
registered user, go to 4 to log in.
Step 3 Click Register and register with the system according to the prompt. After the registration
succeeds, you will obtain your account and password. Keep them safe.
Step 4 Enter the user name, password, and displayed verification code, and then click Login.
Step 5 Click SUPPORT. Choose Enterprise Security_Seco Space > Firewall Application
Security Gateway > Firewall&VPN Gateway. Choose V500R001 >
V500R001C50SPC100 from the Product Version drop-down list. Then click Product
Software and the Patches tab. Choose V500R001C50SPC100, and download the software
and release documents.
----End
Follow-up Procedure
After obtaining the system program, PAF file, and license file, choose Software Center >
Controlled Tool (Mini-tool Software) > Core Network Product Line > Wireless-OSS >
iManager M2000-II > Public Tools to download HASH verification tool
HashMyFiles_1.68en.zip for verifying the MD5 values of the preceding files. You can use
this tool in the Windows2000/XP/2003/Vista/Windows 7 operating system. Details are as
follows:
The verified MD5 values of the system program, PAF file, and license file should be the same
as those listed in the table. If they are different, the files may have been modified. Contact the
technical support personnel.
File | MD5
(NIP6830)NIP6800_V500R001C50SPC100.cc |
(NIP6830)NIP6800_V500R001C50SPC100PWE.cc |
(NIP6860&)NIP6800_V500R001C50SPC100.cc |
(NIP6860&)NIP6800_V500R001C50SPC100PWE.cc |
paf.txt |
license_HUAWEI_X.txt |
PWE: paf.txt |
PWE: license_HUAWEI_X.txt |
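Added example (not from the guide) of the MD5 comparison described above, run over a constructed manifest and constructed file contents rather than the real release values; the manifest format, file names and function names are this example's assumptions.

```python
"""Verify upgrade files against the published MD5 table (added example).

The guide tells you to compare the MD5 of the system program, PAF file and
license file with the values in the release table. This helper does that
comparison for every file in a manifest and classifies the outcome, so a
single mismatched or missing file is not overlooked. File names and digests
below are constructed for the example, not the release values.
"""
import hashlib
from pathlib import Path
from typing import Callable, Dict, Optional

# Constructed manifest: file name -> expected MD5 (hex, case-insensitive,
# since HashMyFiles shows uppercase). Digests are of the constructed
# contents in SAMPLE_FILES, not of any real release file.
SAMPLE_MANIFEST = {
    "NIP6800_EXAMPLE.cc": "900150983cd24fb0d6963f7d28e17f72",  # md5("abc")
    "paf.txt": "D41D8CD98F00B204E9800998ECF8427E",             # md5("") uppercase
    "license.dat": "00000000000000000000000000000000",         # deliberately wrong
    "missing.cc": "d41d8cd98f00b204e9800998ecf8427e",          # not downloaded
}

# Constructed stand-in for the download directory on PC2.
SAMPLE_FILES: Dict[str, bytes] = {
    "NIP6800_EXAMPLE.cc": b"abc",
    "paf.txt": b"",
    "license.dat": b"not the expected bytes",
}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def verify_manifest(manifest: Dict[str, str],
                    read: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """Return {file: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    result: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = read(name)
        if data is None:
            result[name] = "missing"
        elif md5_hex(data) == expected.strip().lower():
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


def read_from_dict(name: str) -> Optional[bytes]:
    """Reader over the constructed in-memory files."""
    return SAMPLE_FILES.get(name)


def read_from_disk(directory: Path) -> Callable[[str], Optional[bytes]]:
    """Reader for a real download directory (for example D:\\FTP on PC2)."""
    def read(name: str) -> Optional[bytes]:
        path = directory / name
        return path.read_bytes() if path.is_file() else None
    return read


def all_ok(status: Dict[str, str]) -> bool:
    """True only when every file is present and matches the table."""
    return all(s == "ok" for s in status.values())


if __name__ == "__main__":
    status = verify_manifest(SAMPLE_MANIFEST, read_from_dict)
    for name, state in status.items():
        print(f"{state:8s} {name}")
    print("proceed" if all_ok(status) else "stop: contact technical support")
```

MD5 detects transfer corruption and accidental modification, which is what the table is for; it is not collision-resistant, so it does not by itself prove the package came from the vendor.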
Context
Content security feature component packages are not released along with the software
package. You must access the security center website and load the packages in online mode,
or download and load them locally.
In V500R001, the following content security features compose the content security
component package: file blocking, data filtering, application behavior control, mail
filtering, SSL proxy, smart DNS, URL logging, and audit.
Procedure
Step 1 Access the Huawei security center at http://sec.huawei.com/sec (Internet Explorer 8.0
or later, or Firefox).
Step 2 Expand the tab and select the product model and version, such as NIP6830 -
V500R001C50SPC100.
Step 3 Select and download the component package. The component packages are as follows:
URLRMT: component package for the URL remote query feature.
CSG: content security component package, including the file blocking, data filtering, mail
filtering, application behavior control, audit, URL logging, SSL proxy, and smart DNS
features.
NOTE
Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security
feature component packages.
The content security feature component package to be loaded must be compatible with the system
software.
----End
Prerequisites
Before the upgrade, you need to log in to the CLI of the NIP6800 to prepare the upgrade
environment.
By default, IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the
MPU of the NIP6800, or another accessible IP address has been set on the device.
- You can use this IP address and the default user name admin and password Admin@123
to log in to the CLI of the NIP6800 through Telnet.
- If the Telnet configuration is canceled or you desire to use SSH for the login, log in to
the NIP6800 from the console port to construct the Telnet or SSH environment. For
details, see chapter "Appendix: Establishing the Upgrade Environment Through the
Console Port." You are advised to use SSH to log in to the NIP6800 to secure data
transfer.
NOTICE
Use interface GigabitEthernet 0/0/0 on the MPU of the NIP6800 to transfer the version
software. If you use an interface on the LPU to transfer the version software, use the FTP
service but not the TFTP service for transfer.
The following is an example in which the NIP6800 functions as an FTP server. This method
is easy because it does not require a third-party FTP server. For details on other modes, see
"Appendix: Uploading and Downloading Files." You are advised to use SFTP to transfer
files to secure data transfer.
As shown in Figure 1, the NIP6800 is configured as the FTP server and version software is
located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the
version software to CF card 1 of the NIP6800 through FTP.
NOTE
You can use only one PC on which you run both the Telnet/SSH client and the FTP client. To facilitate
description, the network using two PCs is used as an example. The following steps apply to this two-PC
network.
Figure 2-2 Schematic diagram of the NIP6800 serving as the FTP server
Perform the following steps to configure the NIP6800 as the FTP server:
2. Enter the system view and start the FTP service. Configure a user account with user
name ftpuser and password Admin@123, and specify the storage path of the FTP file.
This storage path must be cfcard:. You can use other user accounts as required.
V500R001:
[sysname] ftp server enable
[sysname] aaa
[sysname-aaa] manager-user ftpuser
[sysname-aaa-manager-user-ftpuser] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-ftpuser] service-type ftp
Warning: The user access modes include Telnet or FTP, so security risks exist.
[sysname-aaa-manager-user-ftpuser] level 3
[sysname-aaa-manager-user-ftpuser] ftp-directory cfcard:/
[sysname-aaa-manager-user-ftpuser] quit
[sysname-aaa] quit
3. On PC2, log in to the FTP server to check whether configurations are effective.
The following uses the configuration of Windows FTP client as an example. In practice,
you are advised to use a legitimate third-party FTP client (such as Cute FTP) to transfer
files.
Click Start and then Run. Enter cmd and then press Enter.
Enter ftp 192.168.0.1. This IP address is used when you log in to the NIP6800
through Telnet or SSH.
Enter the user name after the User (192.168.0.1:(none)) prompt and the password
after the Password prompt.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>
If 230 User logged in. is displayed on the FTP client, you have logged in to the FTP
server normally.
After the configuration is verified, you can either keep this connection for further use, or
exit from the FTP server and relog in to it when required.
Preparing for the Environment for the Upgrade Through Web (HTTPS)
As shown in Figure 2, the NIP6800 is configured as the Web server and the version software
is located on PC2. On PC2, log in to the NIP6800 using the browser and then upload the
version software to the CF card of the NIP6800 through Web.
To transfer PAF file to the CF card of the NIP6800, you need to configure PC2 as the FTP
server so that the NIP6800 can download PAF file and license file from PC2 as an FTP client.
The Web service is enabled on the NIP6800 by default. You can use the IP address
192.168.0.1 of interface GigabitEthernet 0/0/0 on the MPU and the default user name admin
and password Admin@123 to log in to the web UI of the NIP6800 through HTTPS. If you
have disabled the Web service or deleted the default user, do as follows to reconfigure the
service.
NOTE
You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To
facilitate description, the network using two PCs is used as an example. The following steps apply to
this two-PC network.
Figure 2-3 Schematic diagram of the NIP6800 serving as the Web server
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-webuser] level 3
[sysname-aaa-manager-user-webuser] service-type web
[sysname-aaa-manager-user-webuser] quit
[sysname-aaa] quit
If the login interface of the Web server is displayed in the IE browser, and the login
succeeds through webuser and Admin@123, it indicates that you can log in to the Web
server normally.
After the configuration is verified, you can either keep this connection for further use, or
exit from the Web server and relog in to it when required.
4. Configure the FTP server.
This document does not provide the details about the FTP server program. Obtain the
FTP server program in a legitimate way, and configure the program according to related
documents. Assume that you have already created an FTP user account whose name is
123 and password is 123, and specified the root directory of the user as the directory for
saving the downloaded files.
NOTICE
Use interface GigabitEthernet 0/0/0 on the MPU of the NIP6800 to transfer the version
software.
The NIP6800 currently allows you to transfer the version software to CF card 1 through FTP
or TFTP in the BootROM menu. Whether you use FTP or TFTP, the NIP6800 functions as
the client that downloads the version software from the FTP or TFTP server. Figure 3 shows
the network for this case. In both modes, you must install third-party FTP or TFTP server
software on PC2.
NOTE
You can use only one PC on which you run both the HyperTerminal program and the FTP/TFTP server.
To facilitate description, the network using two PCs is used as an example. The following steps apply to
this two-PC network.
Figure 2-4 Schematic diagram of the NIP6800 serving as the FTP/TFTP client
This section uses the NIP6800 serving as the FTP client as an example.
This document does not provide the details about the FTP server program. Obtain the FTP
server program in a legitimate way, and configure the program according to related
documents. Assume that you have already created an FTP user account whose name is 123
and password is 123, and specified the root directory of the user as the directory for saving the
downloaded files.
Example
In any view, run the display version command to check the information about the running
version software. The following uses v500r001c00spc500.cc as an example. Part of output is
omitted.
<NIP6800> display version
Huawei Technologies Versatile Security Platform Software
Software Version: NIP6830 V500R001C00 (VSP (R) Software, Version 5.70)
..........
In any view, run the display startup command to check the version software and
configuration file in use. You need to record the underscored file names, facilitating file
backup.
<NIP6800> display startup
MainBoard:
Configed startup system software: cfcard:/v500r001c00spc500.cc
Startup system software: cfcard:/v500r001c00spc500.cc
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup saved-configuration file: cfcard:/config.cfg
Next startup saved-configuration file: cfcard:/config.cfg
Startup paf file: cfcard:/paf.txt
Next startup paf file: cfcard:/paf.txt
Startup license file: cfcard:/license.txt
Next startup license file: cfcard:/license.txt
Startup patch package: cfcard:/patchpackage.pat
Next startup patch package: cfcard:/patchpackage.pat
Prerequisites
If the license function is not in use, skip this section.
Background Information
The licenses of the NIP6800 comprise the commercial and non-commercial ones.
- Commercial licenses
Indicates the licenses purchased by signing official contracts.
- Non-commercial licenses
Indicates the licenses used for testing. Non-commercial licenses have time limitations
and the general validity period is three months.
Before the upgrade, it is recommended that you perform the following procedure to check the
information on the current license, and ensure the validity of the license.
Procedure
Step 1 Check information on the current license.
Run the display license command in any view to check the license information.
NOTICE
The length of storage path and file name of the license.dat file cannot be more than 64
characters.
GTP: Enable
The underscored fields in the information that is displayed indicate the activated license file.
Here license.dat is only used as an example. In practice, use the actual information.
The following is a sample displayed after the more command is executed in the user view of
the NIP6800 to check the license file. Here license.dat is only used as an example. In
practice, use the actual license name to replace license.dat.
<NIP6800> more license.dat
..........
Product=NIP6800
Feature=FWVTNL1
Esn="ANY"
Sign=
2DA1A02B097D9151BDF18C71B42FA186733F68A387C4BF9891E7F1AC76AAD020555E5B90382CDC1BAF
B6F907E29AEA581F7C0862082194B3025E39F2A0E7CE
FD9609D654931AD00943B15043CA9ABAC62C1017AEAA8EF237731CC1752225B98E5FD731C0AA38C4C6
F1596E11430D10C9296F2AF663F70333F2BDACBC606765C3
..........
Note the underscored text. DEMO indicates that the license is a non-commercial license
whereas COMM stands for the commercial license. 2013-06-01 indicates the validity period
of the license file.
Apply for a license file.
If the license has expired, you need to apply for a license file, see chapter "Appendix:
Applying for a License."
----End
When Unregistered is displayed in the Register column, it indicates that the board in the slot
fails to be registered. When Abnormal is displayed in the Status column, it indicates that the
board in the slot is running abnormally.
NOTE
When the board in a certain slot cannot be registered or runs abnormally, record the board
status and contact technical support personnel to check whether the device can be upgraded or
the board needs to be replaced. After the upgrade, check the status of the board. If the board
cannot run normally still, contact technical support personnel.
Context
The important data refers to the configuration file, license file (*.dat), patch file, and system
program before the upgrade. You can use the display startup command to view the
configuration file, patch file, and system program in use and the display license command to
view the license file in use.
Procedure
Step 1 On PC2, log in to the NIP6800 through FTP. The following uses the FTP client of the
Windows operating system as an example. In practice, you are advised to use a legitimate
third-party FTP client (such as Cute FTP) to transfer files.
Step 2 Set the transmission mode of the file and configure the directory for storing the backup file as
a directory on PC2, for example, D:\FTP\Backup. Note that the directory must already exist.
You can use another existing directory as required.
ftp> binary /Run the binary command to configure the binary mode for transmitting files.
ftp> lcd "d:\FTP\Backup" /Configure the directory on PC2 for storing the backup file.
Step 3 Run the get remote-filename [ local-filename ] command to download the file and save it in
the D:\FTP\Backup directory of PC2. For example, download config.cfg, paf.txt,
license_huawei_x.txt, license.dat (if available), the sensitive feature component package *.mod
(if available), and the system program before the upgrade (v500r001c00.cc) to PC2 for backup.
ftp> get config.cfg
..........
ftp: 4545 bytes received in 0.01Seconds 303.00Kbytes/sec.
ftp> get license.dat
..........
ftp: 2032 bytes received in 0.01Seconds 202.83Kbytes/sec.
ftp> get paf.txt
..........
ftp: 109256 bytes received in 1.3Seconds 1087.67Kbytes/sec.
ftp> get v500r001c00.cc
..........
ftp: 216118051 bytes received in 82.90Seconds 1087.67Kbytes/sec.
ftp> get license_huawei_x.txt
..........
ftp: 15307 bytes received in 1.3Seconds 1087.67Kbytes/sec.
ftp> cd $_install_mod
ftp> get CSG_H50010000.mod
..........
ftp: 955129 bytes received in 82.90Seconds 1087.67Kbytes/sec.
ftp> get URLRMT_H50010000.mod
..........
ftp: 955129 bytes received in 82.90Seconds 1087.67Kbytes/sec.
After the downloading is complete, check whether the sizes of the files on PC2 are the same
as those in the CF card. If no, re-download files to ensure that they are completely backed up
to PC2.
After the configuration is verified, you can either keep this FTP connection for further use, or
exit from the FTP server and relog in to it when required.
----End
The underscored text in the previous information indicates the free space of CF card 2.
Files are directly deleted and cannot be restored after the delete command with the /
unreserved parameter is configured.
NOTE
- The system program (*.cc) is large in size. Deleting unnecessary system programs can greatly save
the space of CF card 1. However, you cannot delete the system program currently used by the
device.
- If you use the BootROM for upgrade, delete the useless files in BootROM environment. For details
on operation methods, see Upgrade Through BootROM.
CLI (recommended)
Scenario: When the device is running normally and carries service traffic, the CLI is recommended for the upgrade.
Advantages: All versions support the CLI mode. The CLI mode is easy to operate and has small impacts on services.
Disadvantages: Transmitting the version software requires the support of the network environment. The device needs to be configured as the FTP server or the third-party FTP/TFTP server program is required.
BootROM
Scenario: When the device cannot be started or the version software is faulty, use this mode for the upgrade.
Advantages: All versions support this mode. When the device is faulty or the version software cannot be loaded, the upgrade can be performed in this mode only.
Disadvantages: The operations are complicated and have great impacts on services. Transmitting the version software requires the support of the network environment.
NOTE
The mentioned version software includes the system program (*.cc), PAF file, Sensitive Feature
Component Package and license file.
Version software must be stored in CF card 1. CF card 1 is located in the circuit board of the MPU and
mainly used to store the version software and configuration file. CF card 2 is located in the panel of the
MPU and mainly used to store log and alarm information.
Upgrade Flow
Figure 1 shows the flow of upgrading the version software through the CLI.
Figure 2-5 Flowchart of the version software upgrade through the CLI
Procedure
Step 1 On PC2, log in to the NIP6800 through FTP. FTP is used only as an example. You are advised
to use SFTP to transfer files to secure data transfer. The following uses the Windows FTP
client as an example. In practice, you are advised to use a legitimate third-party FTP client
(such as Cute FTP) to transfer files.
If the FTP connection established for backing up the important data to CF card 1 remains,
perform Step 2; if the FTP connection has timed out, log in again.
Step 2 Set the transmission mode of the file and configure the directory for storing the required
upgrade files as a directory on PC2, for example, D:\FTP. Note that the directory must
already exist. You can use another existing directory as required.
ftp> binary        //Run the binary command to configure the binary mode for transferring files.
ftp> lcd "d:\FTP"  //Configure the directory on PC2 for storing the required upgrade files.
CAUTION
The binary mode is required for file integrity, especially in the Linux or Unix system.
Step 3 Run the put command to upload the system program (NIPV500R001C50SPC100.cc) to CF card 1 of the NIP6800.
Uploading the system program may take a few minutes, depending on the network conditions.
Please wait patiently.
NOTICE
After the uploading is complete, check whether the size of the file in the CF card is the same
as that on PC2. If no, re-upload the file to ensure that it is completely uploaded to the CF card.
Step 4 Run the put command to upload the configuration file (such as vrpcfg_new.cfg) to the CF
card on the NIP6800. The name of the file to be uploaded cannot be the same as the name of
any file on the CF card. If a file with the same name exists on the CF card, the file will be
replaced by the uploaded one.
ftp> put D:\FTP\vrpcfg_new.cfg
NOTICE
After the uploading is complete, check whether the size of the file on the CF card is the same
as that on PC2. If no, re-upload the file to ensure that it is completely uploaded to the CF card.
Step 5 Rename license_Secospace_X.txt to license_spcxxx.txt, and upload the file to CF card 1
of the NIP6800. If a file with the same name exists in CF card 1, the system displays a
message asking whether to overwrite the original file.
NOTE
You can modify the names of the system program (*.cc), the PAF file, and license file. To ensure that
two software versions work on the same device, you are advised to modify the names of PAF and license
files and add the SPC version at the end of the file name, such as license_spcxxx.txt.
After the uploading is complete, check whether the size of the file in the CF card is the same as that on
PC2. If no, re-upload the file to ensure that it is completely uploaded to the CF card.
ftp> put license_spcxxx.txt
..........
ftp: 12757 bytes sent in 0.03Seconds 425.23Kbytes/sec.
Step 6 Rename paf.txt to paf_spcxxx.txt and upload it to the CF card 1 in NIP6800. If a file with the
same name exists in CF card 1, the system prompts you to determine whether to overwrite the
original file.
ftp> put paf_spcxxx.txt
..........
ftp: 66033 bytes sent in 0.05Seconds 1320.66Kbytes/sec.
NOTICE
After the uploading is complete, check whether the size of the file in the CF card is the same
as that on PC2. If no, re-upload the file to ensure that it is completely uploaded to the CF card.
Step 7 After files are uploaded, exit from the FTP environment. On PC1, log in to the CLI of the
NIP6800 through Telnet or SSH. You are advised to use SSH to log in to the NIP6800 to
secure data transfer.
Step 8 If both MPUs are present, run the copy command in the user view to copy the system program
(NIPV500R001C50SPC100.cc), the configuration file, the PAF file and the license file to the standby MPU.
<NIP6800> copy cfcard:/NIPV500R001C50SPC100.cc slave#cfcard:/
<NIP6800> copy cfcard:/vrpcfg_new.cfg slave#cfcard:/
<NIP6800> copy cfcard:/paf_spcxxx.txt slave#cfcard:/
<NIP6800> copy cfcard:/license_spcxxx.txt slave#cfcard:/
Step 9 Run the startup system-software filename command to configure the version software used
for the next startup of the NIP6800.
<NIP6800> startup system-software NIPV500R001C50SPC100.cc
Info: Succeeded in setting the software for booting system.
Step 10 Run the startup license filename command to configure the license file used for the next
startup of the NIP6800.
<NIP6800> startup license license_spcxxx.txt
Info: Succeeded in setting main board resource file for system.
Step 11 Run the startup paf filename command to configure the PAF file used for the next startup of
the NIP6800.
<NIP6800> startup paf paf_spcxxx.txt
Info: Succeeded in setting main board resource file for system.
Step 12 Run the startup save-configuration filename command to set the configuration file used for
the next startup of the NIP6800. The uploaded configuration file is the post-conversion one.
<NIP6800> startup save-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.
Step 13 If both MPUs are in position, run the following commands in the user view to configure the
version software, license file and PAF file for the next startup of the standby MPU of the
NIP6800.
<NIP6800> startup system-software NIPV500R001C50SPC100.cc slave-board
Info: Succeeded in setting the software for booting system.
<NIP6800> startup license license_spcxxx.txt slave-board
Info: Succeeded in setting slave board resource file for system.
<NIP6800> startup paf paf_spcxxx.txt slave-board
Info: Succeeded in setting slave board resource file for system.
NOTICE
- If no content security feature is involved, skip this step.
- Ensure that an activated license file is available. If the license file is not activated, the
upgrade fails.
- You must obtain the component package from the security center (http://sec.huawei.com)
in advance and upload it to the $_install_mod folder in the root directory. Then, load the
component package as follows:
Upgrade package:
- Upgrading V500R001 to V500R001C50SPC100.
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup
After the configuration is complete, run the display module-information verbose command
to view details on the dynamically loaded component package. The following information is a
part of the command output. If the State value is INSTALL_OK, the component package has
been successfully loaded.
<NIP6800> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
URL Filter 1.0.0.0 2015-12-23 11:13:37+00:00 URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
NOTICE
- Before the reboot command is configured, run the display startup command to check the
version software used for the next startup of the NIP6800.
- If the configuration file is imported, do not restart the device.
- For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file is not
imported, you are advised to save the current configurations before restarting the device.
Info: If want to reboot with saving diagnostic information, input 'N' and then
execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y
The duration of device startup depends on the hardware configurations and configuration file.
The more boards the device has, the longer the board registration lasts; the more items are
configured, the longer the configuration restoration lasts.
Step 16 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 17 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Run the put command to upload the new license file (for example, license_new.dat) to the CF
card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
Run the license active filename command in the system view to activate the license file.
[NGFW] license active license_new.dat
Info:License is successfully activated.
----End
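The size comparison that Steps 3 to 6 repeat for every uploaded file can be automated instead of read off the screen. The following Python script is an added example and is not part of this guide or of the NIP6800 software: it parses a directory listing of CF card 1 and compares the size of each file with the size recorded on PC2, reporting every file that is missing or shorter than expected. The listing layout is an assumption (the parser only relies on a file row starting with an index and an attribute column, carrying the size as the next number and ending with the file name); the sizes of license_spcxxx.txt and paf_spcxxx.txt are the "bytes sent" values shown above, the other two sizes are constructed.

```python
import re
from typing import Dict, List

# Constructed manifest of the files on PC2 (name -> size in bytes). The sizes of
# license_spcxxx.txt and paf_spcxxx.txt are the "bytes sent" values shown in the
# procedure; the other two sizes are made up for this example.
LOCAL_SIZES = {
    "NIPV500R001C50SPC100.cc": 98_304_000,
    "vrpcfg_new.cfg": 41_200,
    "license_spcxxx.txt": 12_757,
    "paf_spcxxx.txt": 66_033,
}

# Constructed listing of CF card 1 (assumed layout, not copied from a device).
# paf_spcxxx.txt is deliberately short to show what a truncated upload looks like.
DEVICE_LISTING = """\
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-     98,304,000  Mar 29 2017 10:01:12   NIPV500R001C50SPC100.cc
    1  -rw-         41,200  Mar 29 2017 10:02:40   vrpcfg_new.cfg
    2  -rw-         12,757  Mar 29 2017 10:03:05   license_spcxxx.txt
    3  -rw-         65,536  Mar 29 2017 10:03:30   paf_spcxxx.txt

998,656 KB total (40,976 KB free)
"""

# A file row: index, attribute flags, size (with optional thousands separators),
# anything in between, and the file name as the last token on the line.
FILE_ROW = re.compile(r"^\s*\d+\s+[-drwx]+\s+([\d,]+)\s+.*?(\S+)\s*$")


def parse_listing(listing: str) -> Dict[str, int]:
    """Return {file name: size in bytes} for every file row in the listing."""
    sizes: Dict[str, int] = {}
    for line in listing.splitlines():
        match = FILE_ROW.match(line)
        if match:
            sizes[match.group(2)] = int(match.group(1).replace(",", ""))
    return sizes


def verify_uploads(local_sizes: Dict[str, int], listing: str) -> List[str]:
    """Compare PC2 sizes with the CF card listing; an empty list means all files arrived intact."""
    remote = parse_listing(listing)
    problems: List[str] = []
    for name, expected in local_sizes.items():
        actual = remote.get(name)
        if actual is None:
            problems.append(f"{name}: not on the CF card, upload it")
        elif actual != expected:
            problems.append(
                f"{name}: CF card has {actual} bytes, PC2 has {expected} bytes, re-upload it"
            )
    return problems


if __name__ == "__main__":
    for problem in verify_uploads(LOCAL_SIZES, DEVICE_LISTING) or ["all files match"]:
        print(problem)
```

A matching size only proves that the transfer was not truncated; it says nothing about whether the package itself is the one Huawei published. Compare the SHA-256 of the package on PC2 with the value published with the release before uploading it, and keep the FTP session on a management network, since the credentials and the files travel in clear text.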
Upgrade Flow
Figure 1 shows the flow of upgrading the version software through Web.
Figure 2-6 Flowchart of the version software upgrade through the Web
Procedure
Step 1 Enter https://192.168.0.1 in the address box of the Internet Explorer on PC2, enter user name
webuser and password Admin@123 to log in to the NIP6800.
Step 2 Upload the system program.
1. Choose System > System Upgrade to view the current version. Current version:
V500R001C00SPC300 (VRP (R) Version 5.160)
2. Click Select corresponding to Master MPU. The Master MPU System Software
Management interface is displayed. Click the upload icon. The Upload File dialog box is displayed.
Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 2.
NOTE
If the file fails to be uploaded, the uploaded incomplete file cannot be deleted immediately.
Therefore, you need to delete the incomplete file after the device is restarted.
The file to be uploaded must end with suffix .cc and the file with the same name cannot exist in
the CF card. After the file is successfully uploaded, return to the Master MPU System Software
Management interface.
The corresponding file is displayed in the list. You need to check whether the size of the file in the
list is the same as that on PC2. If no, re-upload the file.
Step 3 Upload the license file and PAF file. (If the files cannot be uploaded, run the related commands
to perform the upgrade through the CLI.)
1. Click Select corresponding to Master MPU. The Master MPU PAF File Management
interface is displayed. Click the upload icon. The Upload File dialog box is displayed. Click
Browse... and select the file to be uploaded. Click Import, as shown in Figure 3.
NOTE
The file to be uploaded must end with suffix .txt. If a file with the same name exists in CF card 1,
the system displays a message to indicate whether to overwrite the original file.
After the file is successfully uploaded, return to the Master MPU PAF File Management
interface. The corresponding file is displayed in the list. You need to check whether the size of the
file in the list is the same as that on PC2. If no, re-upload the file.
2. Click Select corresponding to Master MPU. The Master MPU License File
Management interface is displayed. Click the upload icon. The Upload File dialog box is displayed.
Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 4.
NOTE
The file to be uploaded must end with suffix .txt. If a file with the same name exists in CF card 1,
the system displays a message to indicate whether to overwrite the original file.
After the file is successfully uploaded, return to the Master MPU License File Management
interface. The corresponding file is displayed in the list. You need to check whether the size of the
file in the list is the same as that on PC2. If no, re-upload the file.
Step 4 If both MPUs are present, perform the following operations to copy the files to the Slave MPU.
1. On the System Upgrade tab, click Select in the Slave MPU Next Startup System
Software, Slave MPU PAF File Management, and Slave MPU License File Management
group boxes respectively. The Slave MPU Next Startup System Software, Slave MPU
PAF File Management, and Slave MPU License File Management interfaces are displayed
respectively. Click the icon to select the file to be copied and enter the name of the target file.
If no name is entered, the name of the file to be copied is used as that of the new file. Click OK, as
shown in Figure 5.
Figure 2-10 Copying files from the master MPU to the Slave MPU
If both MPUs are present, click the icon corresponding to each uploaded file on the
Main MPU System Software Management, Main MPU PAF File Management, Main
MPU License File Management, Slave MPU System Software Management, Slave
MPU PAF File Management, and Slave MPU License File Management interfaces to configure
that file as the version software used during the next startup.
NOTE
- Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
- Ensure that the device can access the security center directly or through a proxy server.
- Configure a security policy to permit HTTP and FTP packets when the device directly connects to
the security center, or permit HTTP packets when the device connects to the security center through a
proxy server. For details, see the description of security policies and content security in
NIP6000&NIP6800&IPS Module V500R001C50SPC100 Administrator Guide.
- Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly resolve http://sec.huawei.com.
- Upgrading V500R001 to V500R001C50SPC100.
1. Move the pointer to the icon on the lower right of the page and click it to open
the CLI console. Click any space on the page. If the command prompt <NIP> is
displayed, you can perform configurations on the CLI.
download module nextstartup
install-module URLRMT_H50010000_yyy.mod next-startup
2. After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is
INSTALL_OK, the component package has been successfully loaded.
<NIP6800> display module-information verbose
Module Information
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
- NP INSTALL_OK -
Step 7 Choose System > Setup > Restart. Click Save and Restart to save the configurations and
restart the system, or click Restart to restart the system without saving the configurations.
NOTICE
- If the configuration file is imported, do not restart the device.
- For the upgrade from V500R001C00 to V500R001C50SPC100, if the configuration file is
not imported, you are advised to save the current configurations before restarting the
device.
The duration of device startup depends on the hardware configurations and configuration file.
The more boards the device has, the longer the board registration lasts; the more items are
configured, the longer the configuration restoration lasts.
Step 8 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
----End
Upgrade Flow
Figure 1 shows the flow of upgrading the version software through CF card.
Figure 2-11 Flowchart of the version software upgrade through the CF card
Procedure
Step 1 Copy the files to the startup folder in the CF card. The files related to the upgrade must be
saved in the startup folder in the root directory of the CF card, and their names must satisfy
the following rules:
- The system program must end with suffix .cc, and only one can be saved.
- The name of the PAF file must be paf.txt, and that of the license file must be license.txt.
- The name of the configuration file must contain the keyword vrpcfg and end with the file name
extension .cfg or .zip. In addition, only one configuration file can be saved. It is
recommended that you name the configuration file vrpcfg.cfg or vrpcfg.zip.
One CF card can be used for only one upgrade of one MPU. Therefore, if two MPUs are in
position, two CF cards are required.
Step 2 Insert the CF card into CF card slot 2 of the MPU.
Step 3 Set the startup mode. The MPU of the NIP6800 applies fast startup by default. During fast
startup, the device does not read the CF card, and the upgrade using a CF card is therefore
impossible. If you need to upgrade using a CF card, change the startup mode of the MPU
from fast startup to normal startup mode. Run the display bootmode-next command to view
the current startup mode of the MPU.
In system view, run the diagnose command to access the diagnose view. In the diagnose view,
run the undo set bootmode-next fastboot all command. The detailed operations are as
follows:
<NIP6800> system-view
[NIP6800] diagnose
[NIP6800-diagnose] undo set bootmode-next fastboot all
Caution! After set operation, 'startup' 'modify' 'set atm iwf' and 'set cpos' command maybe useless.
Are you sure to do this operation?[Y/N]:y
Set Boot mode successfully.
[NIP6800-diagnose] quit
[NIP6800] quit
Step 4 Run the reboot command in the user view to restart the NIP6800. After the reboot command
is configured, the device displays two prompts for confirmation, and you need to enter y
at each prompt to continue the operation.
<NIP6800> reboot
mpu 9:
Next startup system software: cfcard:/ v500r001c00spc500.cc
Paf:
V500R001C50SPC100
License:
V500R001C50SPC100
Next startup saved-configuration file: cfcard:/config.cfg
During the restart, the device automatically searches the startup folder of CF card 2 and
copies the files to CF card 1. Then the device loads the new version software.
The duration of device startup depends on the hardware configurations and configuration file.
The more boards the device has, the longer the board registration lasts; the more items are
configured, the longer the configuration restoration lasts.
Step 5 (Optional) After the upgrade completes, upgrade the content security feature.
- Local mode
You must obtain the component package from the security center in advance and upload
it to the $_install_mod folder in the root directory. Then, load the component package as
follows:
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup
- Online mode
Ensure that the device can access the security center directly or through a proxy server.
Configure a security policy to permit HTTP and FTP packets when the device directly
connects to the security center, or permit HTTP packets when the device connects to the
security center through a proxy server. For details, see the description of security policies
and content security in HUAWEI NIP6300/6600&NIP6800&IPS Module
V500R001C50SPC100 Product Documentation.
NOTE
Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly parse http://sec.huawei.com.
download module nextstartup
install-module filename CSG_H50010000_xxx.mod next-startup
install-module filename URLRMT_H50010000_xxx.mod next-startup
After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is INSTALL_OK,
the component package has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_xxx.mod
URL Filter 1.0.0.0 2015-12-23 11:13:37+00:00 URLRMT_H50010000_xxx.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
NOTICE
Restart the device. Then, the device will automatically load the content security component
package based on the license functions. To ensure that the sensitive feature configuration
takes effect, restart the device without saving the configuration or run the reboot fast
command to restart the device and re-load the configuration.
Now, the upgrade to V500R001 is complete. The optional follow-up task is to restore and test
services.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
----End
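The naming rules in Step 1 of this procedure are easy to get wrong when the files were previously uploaded under SPC-suffixed names (paf_spcxxx.txt, license_spcxxx.txt), and a CF card with the wrong names simply does not upgrade the MPU. The following Python function is an added example and is not part of this guide or of the NIP6800 software: it applies the rules listed above to the file names in the startup folder before the card is written. Treating paf.txt and license.txt as optional, comparing names case-sensitively, and flagging any file that falls into none of the four classes are this example's assumptions, not rules stated in the guide.

```python
from typing import Dict, List


def validate_startup_folder(names: List[str]) -> List[str]:
    """Check the file names in the CF card startup folder against the naming rules.

    Returns a list of problems; an empty list means the folder is usable for one MPU.
    """
    problems: List[str] = []
    lower: Dict[str, str] = {n: n.lower() for n in names}

    # Rule 1: exactly one system program, identified by the .cc suffix.
    cc = [n for n in names if lower[n].endswith(".cc")]
    if len(cc) != 1:
        problems.append(f"exactly one system program (*.cc) is allowed, found {len(cc)}: {cc}")

    # Rule 3: the configuration file name contains 'vrpcfg', ends in .cfg or .zip,
    # and at most one such file may be present.
    cfg = [n for n in names if "vrpcfg" in lower[n] and lower[n].endswith((".cfg", ".zip"))]
    if len(cfg) > 1:
        problems.append(f"only one configuration file is allowed, found {len(cfg)}: {cfg}")

    # Rule 2 and everything else: PAF and license files must carry their exact
    # names (case-sensitive match is this example's conservative assumption);
    # any other file is reported so that a misnamed upload is noticed.
    for n in names:
        ln = lower[n]
        if n in cc or n in cfg or n in ("paf.txt", "license.txt"):
            continue
        if ln.startswith("paf") and ln.endswith(".txt"):
            problems.append(f"{n}: the PAF file must be named paf.txt")
        elif ln.startswith("license"):
            problems.append(f"{n}: the license file must be named license.txt")
        elif ln.endswith((".cfg", ".zip")):
            problems.append(f"{n}: a configuration file name must contain 'vrpcfg'")
        else:
            problems.append(f"{n}: not a recognized upgrade file name")
    return problems


if __name__ == "__main__":
    # Constructed folder contents: a good card and one that reuses the names from
    # the CLI procedure, which the CF card loader will not recognise.
    good = ["NIPV500R001C50SPC100.cc", "paf.txt", "license.txt", "vrpcfg.zip"]
    bad = ["a.cc", "b.cc", "paf_spcxxx.txt", "config.cfg", "vrpcfg.cfg", "vrpcfg_new.cfg"]
    for folder in (good, bad):
        print(folder, "->", validate_startup_folder(folder) or "OK")
```

Run it once per CF card: the guide requires one card per MPU, so a dual-MPU chassis needs two folders that both pass.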
Context
Figure 1 shows the flow of upgrading the version software through BootROM.
Figure 2-12 Flowchart of the version software upgrade through the BootROM
Procedure
Step 1 Switch on the power supply to power on the NIP6800.
Step 2 After the device is powered on, you can view the process of the device startup through the
terminal emulation program (such as the HyperTerminal on Windows XP). When the
following information is displayed, press and hold CTRL+B.
****************************************************
* *
* 8090 boot ROM, Ver 60.01 *
* *
****************************************************
Password: **********
NOTE
The default password to access the BootROM main menu is WWW@HUAWEI, which is case
sensitive.
You are advised to change the default password after login for security. Keep your new password secure.
Main Menu(bootload ver: 60.01)
1. List file(s) in CFcard
2. List file(s) in CFcard2
3. Return to main menu
The host software must be stored in CFcard. Enter 1 to list files in CFcard.
Enter your choice(1-3):
1
patchpackage0812_1816.pat
66820 Aug 2 10:55 cfcard:/patchpackage_0730.pat ............
Total size: 998656KB, free size: 40976KB
1. List file(s) in CFcard
2. List file(s) in CFcard2
3. Return to main menu
free size indicates the free space in CFcard. Compare the free space and the size of the
target host package.
2. If the free space in CFcard is less than the host package size, enter 9 to delete files from
CFcard.
Enter your choice(1-12):
9
deleted!
Delete successfully!
After the deletion is complete, enter 3 to return to the BootROM main menu.
Step 4 In the BootROM main menu, enter 3 to access the Ethernet submenu.
Enter your choice(1-12): 3
Ethernet Submenu
Step 5 Change the parameter settings of the Ethernet interface mode. In the Ethernet submenu, enter
3. The following information is displayed. After the parameters are specified, return to the
Ethernet submenu.
Enter your choice(1-4): 3
wanted one, you can modify it by entering the wanted value next to the existing one and pressing
Enter. This modification method is also applicable to the following parameters.
- inet on ethernet (e)
Indicates the IP address of the NIP6800. This IP address and that of the PC providing
FTP services should be on the same network segment.
- host inet (h)
Indicates the IP address of the PC providing FTP services.
- gateway inet (g)
Indicates the gateway IP address. When the NIP6800 and PC are not on the same
network segment, specify this parameter.
- user (u)
Indicates the FTP user name. The user name must have been specified on the PC
providing FTP services. The previous information takes 123 as an example.
- ftp password (pw) (blank = use rsh)
Indicates the password of the FTP user. The password must have been specified on the
PC providing FTP services. The previous information takes 123 as an example.
- flags (f)
Indicates the protocol adopted for downloading files. 0x0 indicates FTP, and 0x80
indicates TFTP. The previous information takes FTP as an example.
Other parameters do not need to be specified, and you can adopt the default values.
Step 6 In the Ethernet submenu, enter 2 to download files from the FTP server.
Enter your choice(1-4): 2
Loading.........................................................................
................................................................................
................................................................................
................................................................................
.....Done!
Writing to CFcard...Done!
Step 7 Repeat step 5 to set file name to license.txt. Other parameters do not need to be changed.
Step 8 Repeat step 6 to download license.txt to CF card 1. If a file of the same name exists on CF
card 1, the system displays a message asking whether to overwrite the original file.
Step 9 Repeat step 5 to set file name to paf.txt. Other parameters do not need to be changed.
Step 10 Repeat step 6 to download paf.txt to CF card 1. If a file of the same name exists on CF card
1, the system displays a message asking whether to overwrite the original file.
Step 11 In the Ethernet submenu, enter 4 to return to the BootROM main menu.
Step 12 In the BootROM main menu, enter 4 to access the Boot Files Submenu. Enter 1 to set the
version software for the next startup.
Enter your choice(1-7): 1
You must enter an absolute path when setting the version software for the next startup.
Step 13 In the Boot Files Submenu, enter 2 to set the PAF file for the next startup.
Enter your choice(1-7): 2
standby MPUs respectively. In the BootROM main menu, enter 2 to start the device from CF
card 1.
Step 18 (Optional) After the upgrade completes, upgrade the content security feature.
There are two modes for loading the content security component package: local mode and
online mode. The local mode is recommended.
- Local mode
You must obtain the component package from the security center in advance and upload
it to the $_install_mod folder in the root directory. Then, load the component package as
follows:
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup
- Online mode
Ensure that the device can access the security center directly or through a proxy server.
Configure a security policy to permit HTTP and FTP packets when the device directly
connects to the security center, or permit HTTP packets when the device connects to the
security center through a proxy server. For details, see the description of security policies
and content security in HUAWEI NIP6300/6600&NIP6800&IPS Module
V500R001C50SPC100 Product Documentation.
NOTE
Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly parse http://sec.huawei.com.
download module nextstartup
install-module filename CSG_H50010000_yyy.mod next-startup
install-module filename URLRMT_H50010000_yyy.mod next-startup
After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is INSTALL_OK,
the component package has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
URL Filter 1.0.0.0 2015-12-23 11:13:37+00:00 URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
NOTICE
Restart the device. Then, the device will automatically load the content security component
package based on the license functions. To ensure that the sensitive feature configuration
takes effect, restart the device without saving the configuration or run the reboot fast
command to restart the device and re-load the configuration.
Now, the upgrade to V500R001 is complete. The optional follow-up task is to restore and test
services.
Step 19 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
----End
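The display module-information verbose check that closes each of the CLI, Web, CF card and BootROM procedures above can be evaluated by a script rather than by eye, which matters when several devices are upgraded in one window. The following Python code is an added example and is not part of this guide or of the NIP6800 software: it walks the per-component sections of the output, collects the State column of every slot row and reports a component whose rows are missing or whose state is anything other than INSTALL_OK. The first sample is the output shown above (yyy is the guide's own placeholder for the package suffix); the second sample, with the URL Filter section removed and the remaining state replaced by a made-up placeholder value, is constructed to show the failure path and does not represent a real device state.

```python
import re
from typing import Dict, List, Tuple

# Output of display module-information verbose as shown in the procedure.
MODULE_OUTPUT_OK = """\
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
URL Filter 1.0.0.0 2015-12-23 11:13:37+00:00 URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
"""

# Constructed failure sample: the URL Filter section is absent (package never
# loaded) and the CSG row carries a placeholder state, not a real device value.
MODULE_OUTPUT_BAD = MODULE_OUTPUT_OK.split("* URL Filter")[0].replace(
    "INSTALL_OK", "STATE_PLACEHOLDER"
)

# Components that the content security upgrade is expected to load.
EXPECTED_COMPONENTS: Tuple[str, ...] = ("Content Security Group", "URL Filter")

# Section banner, e.g. "* URL Filter information , as follows: *".
SECTION_RE = re.compile(r"^\*\s*(.+?) information\s*,?\s*as follows:\s*\*$")


def parse_module_states(output: str) -> Dict[str, List[str]]:
    """Map each component section to the State values of its slot rows."""
    states: Dict[str, List[str]] = {}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            states.setdefault(section, [])
            continue
        # Skip everything before the first section (the package table) and
        # the decorative *** / --- rules.
        if section is None or not line or set(line) <= {"*", "-"}:
            continue
        tokens = line.split()
        # A slot row has four columns: Slot, Type, State, Detail.
        if len(tokens) == 4 and tokens[2] != "State":
            states[section].append(tokens[2])
    return states


def modules_not_installed(output: str, expected=EXPECTED_COMPONENTS) -> List[str]:
    """Return one line per expected component that is missing or not INSTALL_OK."""
    states = parse_module_states(output)
    problems: List[str] = []
    for name in expected:
        rows = states.get(name)
        if not rows:
            problems.append(f"{name}: no slot rows in the output, package not loaded")
        elif any(state != "INSTALL_OK" for state in rows):
            problems.append(f"{name}: slot states {rows}")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", MODULE_OUTPUT_OK), ("bad", MODULE_OUTPUT_BAD)):
        print(label, "->", modules_not_installed(sample) or "all components INSTALL_OK")
```

Feed the function the captured output of the command (for example, the transcript of the SSH session) and refuse to proceed to the reboot step while it returns anything, so that a device is never restarted into a half-loaded content security package.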
Example
After the device is started, log in to the CLI. In any view, run the display version command to
check the information about the running version software. The following is a sample output
for this command.
<NIP6800> display version
Huawei Technologies Versatile Security Platform Software
Software Version: NIP6830&NIP6860& V500R001C50SPC100(VSP (R) Software, Version 5.70)
..........
In any view, run the display startup command to check the version software and
configuration file in use.
<NIP6800> display startup
MainBoard:
Configured startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup system software: cfcard:/NIPV500R001C50SPC100.cc
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup saved-configuration file: cfcard:/config.cfg
Next startup saved-configuration file: cfcard:/config.cfg
Startup paf file: cfcard:/paf.txt
Next startup paf file: cfcard:/paf.txt
Startup license file: cfcard:/license.txt
Next startup license file: cfcard:/license.txt
Startup patch package: cfcard:/patchpackage.pat
Next startup patch package: cfcard:/patchpackage.pat
The file name in the output (NIPV500R001C50SPC100.cc, underscored in the original document)
indicates the version of the current software. Check whether it matches the target version. If
not, review the upgrade procedure, locate the fault, and upgrade the software to the target
version again.
Context
In any view, run the display device command to check the registration status of the boards. In
normal cases, the Status column should be Normal.
Example
<NIP6800> display device
NIP6800's Device status:
Slot # type online register status primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 LPU Present Registered Normal NA
6 SPU Present Registered Normal NA
8 LPU Present Registered Normal NA
9 MPU Present NA Normal Master
10 MPU Present Registered Normal Slave
11 SFU Present Registered Normal NA
12 SFU Present Registered Normal NA
13 SFU Present Registered Normal NA
14 SFU Present Registered Normal NA
15 CLK Present Registered Normal Master
16 CLK Present Registered Normal Slave
17 PWR Present Registered Normal NA
18 PWR Present Registered Normal NA
19 FAN Present Registered Normal NA
Half an hour after the registration of the MPU, if any board fails in registration, you need to
check whether the board is normal. Remove and re-insert the board. If it still cannot be
registered successfully, contact technical support personnel.
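The startup software check and the board status check above can be scripted against saved CLI output. The following Python is an added example written for this page, not code from the Huawei guide; the two sample outputs are constructed to mirror the format shown here, each with one deliberately wrong entry (an old image name and an abnormal board), and all function names are mine.

```python
"""Post-upgrade checks on 'display startup' and 'display device' output.

Added example, not part of the Huawei guide. The sample outputs are
constructed to match the format shown in the guide; the entries marked
'constructed fault' are deliberately wrong so the failure paths are exercised.
"""

TARGET_VERSION = "V500R001C50SPC100"

# Constructed sample: the 'Next startup' image still points at an old
# release (constructed fault), so the next reboot would undo the upgrade.
DISPLAY_STARTUP = """\
MainBoard:
Configured startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup system software: cfcard:/NIPV500R001C50SPC100.cc
Next startup system software: cfcard:/NIPV500R001C30.cc
Startup saved-configuration file: cfcard:/config.cfg
Next startup saved-configuration file: cfcard:/config.cfg
Startup license file: cfcard:/license.txt
Next startup license file: cfcard:/license.txt
"""

# Constructed sample: slot 8 did not register (constructed fault).
DISPLAY_DEVICE = """\
NIP6800's Device status:
Slot # type online register status primary
- - - - - - - - - - - - - - - - - - - - - - -
1 LPU Present Registered Normal NA
6 SPU Present Registered Normal NA
8 LPU Present Unregistered Abnormal NA
9 MPU Present NA Normal Master
10 MPU Present Registered Normal Slave
"""


def parse_startup(text):
    """Map every 'Field: value' line of display startup output to a dict.

    Splitting on the first colon keeps 'cfcard:/...' paths intact, and
    header lines such as 'MainBoard:' (empty value) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def startup_problems(text, target=TARGET_VERSION):
    """Return a list of problems; an empty list means the image checks pass."""
    fields = parse_startup(text)
    problems = []
    # Both the running image and the image for the next startup must carry
    # the target version, otherwise a later reboot silently rolls back.
    for key in ("Startup system software", "Next startup system software"):
        path = fields.get(key)
        if path is None:
            problems.append(f"{key}: missing from output")
        elif target not in path:
            problems.append(f"{key}: {path} is not the target version {target}")
    # Without a next-startup configuration file the device would come up
    # with an empty configuration after the next restart.
    if not fields.get("Next startup saved-configuration file"):
        problems.append("Next startup saved-configuration file: not set")
    return problems


def parse_device(text):
    """Return (slot, type, online, register, status, primary) tuples.

    Only six-column rows starting with a slot number are board rows; the
    title, header and dashed separator lines are ignored.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():
            rows.append(tuple(parts))
    return rows


def abnormal_boards(text):
    """Boards whose status column is not 'Normal', as the guide requires."""
    return [row for row in parse_device(text) if row[4] != "Normal"]


if __name__ == "__main__":
    for problem in startup_problems(DISPLAY_STARTUP):
        print("startup:", problem)
    for slot, kind, *_ in abnormal_boards(DISPLAY_DEVICE):
        print(f"board: slot {slot} ({kind}) is not Normal")
```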
Context
Run the display license command in any view to check the license status.
Example
<NIP6800> display license
MainBoard:
Device ESN is: 210305G06R
The file activated is: cfcard:/license.dat
The time when activated is: 2016/01/07 22:56:01
The time when expired is: 2023-04-24
Virtual System : 4096
IPSec VPN : 278710
Carrier Network Enhanced Security Supported License: Enabled
Content Security Group: Enabled
Encryption Function : Enabled
Firewall Upgrade Additional Performance: 150Gbps
6RD Session Scale : 16M
NAT64 Session Scale : 16M
DS-Lite Session Scale: 16M
URL Remote Query : Enabled; service expire time: 2023/04/24
Context
Run the compare configuration command in the user view to compare the current
configuration file with that saved on CF card 1 and check whether configurations are lost or
changed.
If no configuration is lost, the following is displayed:
<NIP6800> compare configuration
Info:The current configuration is the SAME as the saved configuration!
If certain configurations are lost, the output shows the lost configuration lines after the
line-number marker (underscored in the original document; only the first difference is
displayed, although multiple differences may exist):
<NIP6800> compare configuration
Warning:The current configuration is NOT the same as the saved configuration!
====== Current configuration line 13343
======
#-----end----
#
#*****begin****vfw1****#
#-----end----#
The previous information serves as an example, and you should use actual display
information in the network environment.
It is recommended that you use Beyond Compare to compare the configuration files before
and after upgrade for any difference. If any configuration is lost, use the configuration file
before upgrade for recovery or contact technical support personnel.
Context
There are two methods of checking whether the service is normal:
- Collect several tables (routing table, FIB table, MAC table, and session table entries) and
compare them with those collected before the upgrade to check whether entries are lost, and
check whether the service traffic volume after the upgrade is approximately the same as
before the upgrade.
- Contact the network administrator of the office and check whether the service is normal.
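The compare configuration check and the table comparison described in the two bullets can also be done offline from captures taken before and after the upgrade. This Python is an added example for this page, not the Huawei guide's own tooling; the configuration excerpts, table entries and traffic figures are constructed, and the function names are mine.

```python
"""Compare configuration and table snapshots taken before and after an upgrade.

Added example, not from the Huawei guide. All inputs below are constructed;
the configuration excerpt reproduces the guide's own compare-configuration
case of a vfw1 block that is present before the upgrade and missing after it.
"""

# Constructed pre/post configuration excerpts ('#' lines are section separators).
CONFIG_BEFORE = """\
#
sysname NIP6800
#
#*****begin****vfw1****#
vsys name vfw1 1
#-----end----#
#
firewall zone trust
 add interface GigabitEthernet1/0/1
#
"""
CONFIG_AFTER = """\
#
sysname NIP6800
#
firewall zone trust
 add interface GigabitEthernet1/0/1
#
"""

# Constructed table snapshots: table name -> entry keys as captured from the CLI.
TABLES_BEFORE = {
    "routing": ["10.1.0.0/16 via 10.0.0.1", "10.2.0.0/16 via 10.0.0.2",
                "0.0.0.0/0 via 10.0.0.254"],
    "session": ["tcp 10.1.1.5:51000->10.2.2.8:443", "udp 10.1.1.6:5353->10.2.2.9:53"],
    "mac": ["00e0-fc12-3456 GE1/0/1"],
}
TABLES_AFTER = {
    "routing": ["10.1.0.0/16 via 10.0.0.1", "0.0.0.0/0 via 10.0.0.254"],  # one route lost
    "session": ["tcp 10.1.1.5:51000->10.2.2.8:443", "udp 10.1.1.6:5353->10.2.2.9:53",
                "tcp 10.1.1.7:52000->10.2.2.8:443"],  # new sessions are expected
    "mac": ["00e0-fc12-3456 GE1/0/1"],
}
TRAFFIC_BEFORE_MBPS = 840.0  # constructed interface throughput figures
TRAFFIC_AFTER_MBPS = 805.0


def config_lines(text):
    """Configuration lines worth comparing: blank lines and '#' separators
    are dropped and indentation is ignored, so re-serialisation noise after
    the upgrade does not show up as a difference."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def lost_config(before, after):
    """Lines present before the upgrade and absent afterwards, order-insensitive.

    Order-insensitive on purpose: the device may emit the same configuration
    in a different order after the upgrade, and only missing commands matter.
    """
    after_set = set(config_lines(after))
    return [ln for ln in config_lines(before) if ln not in after_set]


def lost_entries(before, after):
    """Per table, the entries that existed before the upgrade and are gone after it.

    Extra entries after the upgrade (new sessions, for example) are not a fault,
    so only the before-minus-after direction is reported.
    """
    lost = {}
    for name, rows in before.items():
        missing = sorted(set(rows) - set(after.get(name, [])))
        if missing:
            lost[name] = missing
    return lost


def traffic_within_tolerance(before, after, tolerance=0.10):
    """True when post-upgrade traffic is within +/- tolerance of the pre-upgrade value."""
    if before <= 0:
        return after <= 0
    return abs(after - before) / before <= tolerance


def service_report(cfg_before, cfg_after, tbl_before, tbl_after, mbps_before, mbps_after):
    """Aggregate the three checks into one result a run-book can act on."""
    report = {
        "lost_config": lost_config(cfg_before, cfg_after),
        "lost_entries": lost_entries(tbl_before, tbl_after),
        "traffic_ok": traffic_within_tolerance(mbps_before, mbps_after),
    }
    report["service_ok"] = (not report["lost_config"]
                            and not report["lost_entries"]
                            and report["traffic_ok"])
    return report


if __name__ == "__main__":
    result = service_report(CONFIG_BEFORE, CONFIG_AFTER, TABLES_BEFORE, TABLES_AFTER,
                            TRAFFIC_BEFORE_MBPS, TRAFFIC_AFTER_MBPS)
    for key, value in result.items():
        print(f"{key}: {value}")
```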
Context
It is recommended that you use SmartKit NSE2700 to comprehensively check the device after
upgrade. This will help you discover faults in time, ensuring device operation stability.
Prerequisites
NOTICE
To roll back to the source version, run the set system-software check-mode all command for
V500R001C50; for other versions, roll back the version directly.
Before rolling back to the original version, make sure that the corresponding configuration file
(backed up before the upgrade) is loaded to the CF card of the device and is specified as the
file for next startup by running the startup saved-configuration cfg-filename command. Then
restart the device. This avoids configuration loss due to CLI differences between versions.
Application Scenario
The version rollback needs to be implemented if:
- The device cannot start normally after the upgrade, and the current version needs to be rolled
back to the previous one.
In this case, you need to roll the version back to the backup source version in BootROM
mode. The detailed procedure is the same as that of upgrading the version software in
BootROM mode. For details, see Upgrade Through BootROM.
- The device can start normally after the upgrade, but a certain function cannot run normally,
and therefore the current version needs to be rolled back to the previous one.
In this case, you can adopt any of the following modes to roll back the version:
- Roll back the version through command lines. The detailed procedure is the same as
that of upgrading the version software in CLI mode. For details, see Upgrade Through CLI.
- Roll back the version through Web. The detailed procedure is the same as that of
upgrading the version software in Web mode. For details, see Upgrade Through Web.
- Roll back the version through CF card. The detailed procedure is the same as that of
upgrading the version software in CF card mode. For details, see Upgrade Through CF Card.
- Roll back the version in one-click mode.
During the version rollback, note the following:
NOTICE
- If the folder does not exist, the one-click version rollback fails. You can specify the version
to be rolled back and the configuration file.
- Version rollback does not involve license rollback. If the license files are different in the
source and target versions, manually load the required license file according to the product
documentation after the rollback.
Upgrade operations:
1. Check whether the backup file (backcfg.zip) is available. The backup file should be in
the CFcard:/backup/yyyyMMddHHmmss/ folder. If the backup file is unavailable, the
follow-up procedure cannot be performed.
<FW> dir backup/    --Check whether the backup file is in the backup folder.
Directory of CFcard:/backup/
2. Copy the target version of version rollback to the CF card. For details, see Appendix:
Uploading and Downloading Files.
3. Access the diagnose view and run the recover system filename command.
NOTICE
- If multiple CFcard:/backup/yyyyMMddHHmmss folders exist, use the latest one
for the version rollback.
Procedure
Step 1 The precautions and the result check method of the version rollback operation are the same as
those of the version upgrade operation. For details, see the descriptions of corresponding
upgrade modes.
Step 2 During the version rollback, services are interrupted temporarily. The interruption duration
depends on the rollback mode and the service configuration.
Step 3 Before the version rollback, contact technical support personnel to determine whether the
target version needs to be patched. If yes, install the patch immediately after the version
rollback is complete. For how to install the patch, see the usage guide of the corresponding
patch version.
----End
2.3.1 Overview
Dual-system hot backup is an important feature of the device. Dual-system hot backup
means that two devices are deployed; if one device is faulty, the other takes over its work
immediately. In this way, a single point of failure is avoided, and network stability and
reliability are improved. For details, refer to the corresponding product document.
You should comply with certain procedure and principle to upgrade version software in the
dual-system hot backup networking. The main principle of the upgrade is upgrading the
backup device and then the master device independently. Note that the HRP backup channel
(the heartbeat line) must be disconnected during the upgrade.
NOTICE
When upgrading version software in dual-system hot backup, the target version software of the
master device must be the same as that of the backup device.
Context
Figure 1 shows the detailed upgrade procedure, which is adopted for the master/backup mode
and the load balancing mode.
Figure 2-13 Flowchart of the version software upgrade in dual-system hot backup
environments
Take master/standby backup as an example. Before the upgrade, FW_A serves as the master
device and FW_B as the standby one. Do as follows to perform the upgrade:
Procedure
Step 1 Disconnect FW_B (the prompt is HRP_S<FW_B>) from its upstream and downstream devices,
and disconnect the HRP backup channel (the heartbeat line) between FW_B and FW_A.
Alternatively, only the HRP backup channel of FW_B can be closed.
Log in to FW_B through Telnet or SSH. Run the shutdown command on the interfaces
connecting FW_B to upstream and downstream devices, and interface of the HRP backup
channel between FW_B and FW_A. Suppose that on FW_B, the interfaces connected to
upstream and downstream devices are GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1, and
the interface of the HRP backup channel connected to FW_A is GigabitEthernet 1/0/2. Do as
follows:
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
HRP_S[FW_B-GigabitEthernet1/0/2] shutdown
Step 2 In the system view of FW_B, upgrade the software version. The precautions and
the detailed procedure are the same as those of upgrading a single device. Select a proper
upgrade directory if desired. For details, see Upgrading Version Software in Single-System.
Step 3 After the upgrade and re-startup of FW_B are complete and FW_B becomes active, restore
the connection between FW_B and its upstream and downstream devices, and do not recover
the HRP backup channel (the heartbeat line) between FW_B and FW_A. Run the undo
shutdown command on the interfaces connecting FW_B to upstream and downstream
devices. Do as follows:
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] undo shutdown
[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] undo shutdown
[FW_B-GigabitEthernet1/0/1] quit
Then wait one to two minutes, ensuring that session information on FW_B is completely
backed up to FW_A. You can run the display firewall session table command to check
whether the numbers of sessions on both devices are consistent. If yes, perform further
operations.
After previous operations are performed, FW_B becomes active, while FW_A becomes
standby. If the preemption function is enabled, FW_A will become active after a while and
start to forward service traffic.
Step 6 Observe the service running status, check session information on FW_A and FW_B, and verify
the upgrade results. In addition, it is recommended that you simulate link or device faults (run the
shutdown command on the related interface) after the upgrade and service tests succeed, so that
the device performs a master/standby switchover. This helps you check whether the dual-system
hot backup function is normal after the upgrade.
If the version rollback is required, roll back the version software to the original version. The
rollback procedure of version software in Dual-System Hot Backup is the same as its upgrade
procedure, just take the original version as the target version.
----End
Prerequisites
The prerequisites for console port login are as follows:
- A PC (with an RS-232 serial port) and an RS-232 cable are available.
- A terminal simulation program (such as Windows XP HyperTerminal) is installed on the
PC.
- The NIP6800 is powered on and running properly.
Background Information
IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the MPU of the
NIP6800 by default. You can use this IP address and the default user name admin and
password Admin@123 to log in to the CLI of the NIP6800 through Telnet. If the Telnet
configuration is canceled or you desire to use SSH for the login, log in to the NIP6800 from
the console port to construct the Telnet or SSH environment.
Figure 1 shows how to construct the Telnet or SSH environment through the console port. The
serial port of the PC is connected to the console port of the NIP6800 through a standard
RS-232 configuration cable.
Figure 2-14 Establishing the upgrade environment through the console port
Procedure
Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the
terminal simulation program (for example, Windows XP HyperTerminal) on the PC. The
Connection Description dialog box is displayed, as shown in Figure 2.
Step 2 Click OK and the Connect To dialog box is displayed. Select the serial port (such as COM1)
of the PC for connecting to the NIP6800 from the Connect using drop-down list box, as
shown in Figure 3.
Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be the same
as those of the console port on the NIP6800.
Step 4 Log in to the NIP6800 and enter the CLI. By default, the user name and password are admin
and Admin@123 respectively for logging in to the NIP6800 through the console port.
If an interface on the interface board is used to construct the Telnet environment, you
need to not only configure the previous commands, but also assign the interface to a
security zone and enable the interzone security policy between this security zone and the
Local zone. The following command output uses assigning GigabitEthernet 1/0/1 to the
Trust zone as an example. The IP address of the Telnet client is 192.168.0.2.
[NIP6800] firewall zone trust
[NIP6800-zone-trust] add interface GigabitEthernet 1/0/1
[NIP6800-zone-trust] quit
[NIP6800] policy interzone local trust inbound
[NIP6800-policy-interzone-local-trust-inbound] policy 1
[NIP6800-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[NIP6800-policy-interzone-local-trust-inbound-1] policy destination
192.168.0.1 0
[NIP6800-policy-interzone-local-trust-inbound-1] action permit
If an interface on the interface board is used to construct the SSH environment, you need
to not only configure the previous commands, but also assign the interface to a security
zone and enable the interzone security policy between this security zone and the Local
zone. The following command output uses assigning GigabitEthernet 1/0/1 to the Trust
zone as an example. The IP address of the SSH client is 192.168.0.2.
[NIP6800] firewall zone trust
[NIP6800-zone-trust] add interface GigabitEthernet 1/0/1
[NIP6800-zone-trust] quit
[NIP6800] policy interzone local trust inbound
[NIP6800-policy-interzone-local-trust-inbound] policy 1
[NIP6800-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[NIP6800-policy-interzone-local-trust-inbound-1] policy destination
192.168.0.1 0
[NIP6800-policy-interzone-local-trust-inbound-1] action permit
----End
Context
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the
NIP6800 and upload or download files through FTP. This method requires the third-party FTP
server software to be installed on the PC2.
NOTE
You can also use a PC as both the Telnet/SSH client and the FTP server. The following example
uses the two-PC deployment.
Figure 2-18 Schematic diagram of uploading/downloading files through FTP and with the
device serving as the FTP client
Procedure
Step 1 Configure the FTP server. Install the FTP server program on PC2 and configure the FTP
server using the documentation available with the program. It is assumed that you obtain the FTP
server program in a legitimate way; a description of the program is beyond the scope of
this document. Assume that an FTP user already exists with the user name 123 and password
123, and that the root directory of the user is set to the storage path of the files to be uploaded/
downloaded.
Step 3 Log in to the FTP server from the NIP6800. Run the ftp ip-address command in the user view to
establish an FTP connection to the PC and enter the FTP client view. The following operation
assumes that the IP address of the FTP server is 192.168.0.2.
<NIP6800> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
Step 4 Upload files in the storage media of the NIP6800 to the FTP server. Run the put local-filename
[ remote-filename ] command in the FTP client view to upload files to the FTP server.
[ftp] binary    --Run the binary command to specify file transmission in binary mode.
[ftp] put test.cc
After the uploading is complete, check whether the sizes of files on the FTP server are the
same as those in the CF card. If no, re-upload the files to ensure that they are completely
uploaded to the FTP server.
Step 5 Download files from the FTP server to the storage media of the NIP6800. Run the get
remote-filename [ local-filename ] command in the FTP client view to download files from the FTP
server.
[ftp] binary    --Run the binary command to specify file transmission in binary mode.
[ftp] get temp.cc
After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the FTP server. If no, re-download the files to ensure that they are
completely downloaded to the CF card.
----End
Context
As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the
NIP6800 and upload or download files through TFTP. This method requires the third-party
TFTP server software to be installed on the PC2.
NOTE
You can also use a PC as both the Telnet/SSH client and the TFTP server. The following example
uses the two-PC deployment.
Figure 2-19 Schematic diagram of uploading/downloading files through TFTP and with the
NIP6800 serving as the TFTP client
Procedure
Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure the TFTP
server using the documentation available with the program. It is assumed that you obtain the TFTP
server program in a legitimate way; a description of the program is beyond the scope of
this document. The following operation assumes that the root directory of the TFTP server is
set to the storage path of the files to be uploaded/downloaded.
Step 2 Log in to the NIP6800 from PC1 through Telnet/SSH.
Step 3 Upload files in the storage media of the NIP6800 to the TFTP server. Run the tftp ip-address put
source-filename [ destination-filename ] command in the user view to upload files to the
TFTP server. The following operation assumes that the IP address of the TFTP server is
192.168.0.2.
<NIP6800> tftp 192.168.0.2 put test.cc
After the uploading is complete, check whether the sizes of files on the TFTP server are the
same as those in the CF card. If no, re-upload the files to ensure that they are completely
uploaded to the TFTP server.
Step 4 Download files from the TFTP server to the CF card of the NIP6800. Run the tftp ip-address get
source-filename [ destination-filename ] command in the user view to download files from the
TFTP server.
<NIP6800> tftp 192.168.0.2 get temp.cc
After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the TFTP server. If no, re-download the files to ensure that they are
completely downloaded to the CF card.
----End
Context
As shown in Figure 1, NIP6800 serves as the SFTP server. Log in to the SFTP server from the
PC2 and upload/download files through SFTP. This method requires the third-party SFTP
client program (such as WinSCP) to be installed on the PC2.
NOTE
You can also use a PC as both the Telnet/SSH client and the SFTP server. The following example
uses the two-PC deployment.
Figure 2-20 Schematic diagram of uploading/downloading files through SFTP and with the
NIP6800 serving as the SFTP server
Procedure
Step 1 Configure the SFTP client. Install the SFTP client program on PC2 and configure the SFTP
client using the documentation available with the program. It is assumed that you obtain the SFTP
client program in a legitimate way; a description of the program is beyond the scope of
this document.
Step 3 On the NIP6800, create an SFTP user with the user name user1 and password Admin@123, and
enable the SFTP server service.
<NIP6800> system-view
[NIP6800] rsa local-key-pair create
[NIP6800] user-interface vty 0 4
[NIP6800-ui-vty0-4] authentication-mode aaa
[NIP6800-ui-vty0-4] protocol inbound ssh
[NIP6800-ui-vty0-4] quit
[NIP6800] aaa
[NIP6800-aaa] local-user user1 password
Please cofigure the login password(8-16)
Enter Password:
Confirm Password:
Step 4 Download files from the CF card of the NIP6800 to the SFTP client. After the downloading is
complete, check whether the sizes of the files on the SFTP client are consistent with those in the
CF card. If not, re-download the files to ensure that they are completely uploaded to the SFTP
server.
Step 5 Upload files from the SFTP client to the CF card of the NIP6800. After the uploading is complete,
check whether the sizes of the files in the CF card are consistent with those on the SFTP client. If
not, re-download the files to ensure that they are completely downloaded to the CF card.
----End
Context
As the ESNs of certain MPUs manufactured earlier are not activated, you cannot view the
ESNs by running the display license command.
<NIP6800> display license
Device ESN is: (null)
License file is not activated, please use default configuration!
In this case, you need to run the active mpu-esn command in the diagnose view to activate
ESNs manually. Then you can view the ESNs of the device.
Procedure
Step 1 In the user view, run the system-view command to access the system view.
<NIP6800> system-view
[NIP6800]
Step 2 Run the diagnose command, and access the diagnose view.
[NIP6800] diagnose
[NIP6800-diagnose]
Step 3 Run the active mpu-esn command to activate the ESN of the master MPU.
[NIP6800-diagnose] active mpu-esn
If both MPUs can be detected on the device, run the following command to activate the ESN
of the standby MPU.
[NIP6800-diagnose] active mpu-esn slave-board
If the current device does not support the active mpu-esn slave-board command, you need to
run the active mpu-esn command on both MPUs respectively. That is, insert MPU A first.
After MPU A is successfully registered, run the active mpu-esn command. Then pull out
MPU A, and insert MPU B. After MPU B is successfully registered, run the active mpu-esn
command. After the previous operations are complete, ensure that both MPUs are in position
at the same time, and then perform subsequent operations.
----End
Context
The license file to be loaded on the device is a .dat file. This file is not delivered with the
device and is independently generated by the license center of Huawei.
Procedure
Step 1 The license on each device is unique. For the license center to generate the license for your
device, you need to collect the following information:
- Contract No.
It is available in the license certificate that is delivered with the device.
- Equipment serial number (ESN)
It is displayed after you run the display license command in any view of the CLI.
NOTE
- The ESN identifies a device from all other devices. It is recorded in the electrical label of the MPU.
If the device has two MPUs, record the ESNs of both the active and standby MPUs.
- The ESN is case-sensitive. Note the case when you record the ESN.
Step 2 Provide the previous information to the local technical support personnel of Huawei. The
application will be handled as soon as possible.
Step 3 You need to obtain a new license if you want to enlarge the license capacity or use new services
that are subject to license control. In this case, the previous procedure is still applicable. The
license center automatically combines the licenses for new features with the existing license
and generates a new license.
----End
CF: Compact Flash
IP: Internet Protocol
IPSec: IP Security
3 IPS Module
NOTICE
1. Before an upgrade from a patch version, run the patch delete all command to delete the
patch.
2. Perform the upgrade.
V500R001C00SPC300, V500R001C00SPC500, V500R001C20SPC100,
V500R001C20SPC200 and V500R001C20SPC300 cannot directly upgrade to
V500R001C50SPC100. Instead, upgrade them to V500R001C50SPC100 first or install the
following patches:
- For V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300, install
V500R001SPH002.
NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V1 upgrades are not recommended. If there are such requirements, contact Huawei
engineers.
3. To roll back from V500R001C50 to an early version, run the set system-software check-mode
all command. For other versions, rollback can be directly performed.
Note the following items for patch upgrades:
- After activating the patch and setting the startup configuration file, ensure that the patch is
in activated state when the reboot or reboot fast command is used to restart the system.
Otherwise, the system restart may fail.
- If the patch is mistakenly deleted and the system restart fails after the startup configuration
file is set, you must re-activate the patch and restart the system again. For a high-end
firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not,
delete the patch and then install and activate it again.
1 | The device can parse NSH packets. | To allow the device to parse and forward NSH packets.
8 | IPSec forwarding adapts the user-configured IPSec source port. | To identify IKE or ESP packets based on the user-configured port.
9 | The northbound interface is added. Virtual-if-[vsysname] can be used to deliver the Virtual-if configuration. | To improve the Controller's delivery efficiency. | The device does not obtain the ID of a created virtual system.
2 | Maintenance and management of the logical resource pool | The usage of virtual systems and ARP resources can be obtained. | Function enhanced. | None.
3 | Web interface traffic statistics | Before modification, traffic statistics on all interfaces apply to virtual system interfaces. After the modification, traffic statistics on all interfaces equal the sum of traffic on interfaces in the corresponding system. | If the maximum number of virtual systems are created, too many memory resources are occupied. | None.
5 | Cloud sandbox interworking | AAPT interworking supports HTTPS. | The firewall AAPT can interconnect with a cloud sandbox through HTTPS. | As old devices do not have preset certificates, you must manually import the certificate and key for cloud sandbox interworking.
6 | SSL proxy | The SSL server certificate supports virtualization. | The certificate can be virtualized. | None.
7 | Quota control policy | The alarm threshold reminders are added for daily duration quota, daily traffic quota, and monthly traffic quota. A device domain name can be set to hide the device IP address on the pushed alarm and quota exhaustion web pages. | Agile Controller-Campus supports domain traffic statistics. | None.
Deleted Features
None.
New Commands
Command Description Impact
Columns: Original Command, New Command, Change Description, Upgrade Impact
Original command: display ipsec statistics
New command: display ipsec statistics all-systems
Change description: The keyword all-systems is added.
Upgrade impact: This command is used in the root system before C50. After the upgrade to C50, you must run the display ipsec statistics all-systems command to display IPSec statistics in the root system.
Deleted Commands
None.
The license can still be used after the upgrade from V500R001C50 to V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C50 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
Deleted Features
3 | Collection of the accumulated value of specific policy traffic through the OID | This feature enables the NMS to analyze the traffic and policy in a more convenient way.
10 | System memory detection mechanism | To detect memory overwriting and memory leak issues.
11 | Detection of abrupt KPI information change | To detect abrupt changes of the memory, CPU usage, and session, and send alarms.
12 | Disabling of the bound interface when the CPU usage exceeds the threshold | To disable the previously bound interface when the CPU usage exceeds the specified threshold.
14 | Customization of session log templates in syslog format | The function is enhanced.
15 | Enhanced session log function | The function is enhanced.
16 | Real-time traffic statistics collection | The function is enhanced.
17 | Alarm on the exhaustion of forwarding resources on the firewall | The function is enhanced.
18 | Enhanced restriction on the number of new connections | The function is enhanced.
21 | Alarm on abrupt session changes | The function is enhanced.
22 | Multicast packet filtering | The function is enhanced.
23 | Filtering and viewing of blacklists of various types | The function is enhanced.
1 | Policy | In policy query, related policies can be rapidly located based on quintuple information (or accurate source and destination information, and source and destination address segments). Policy objects support fuzzy query and association with the drop-down list. | The ease of use shall be improved. | None
6 | HRP | The support of smooth upgrade is added. | The function is enhanced. | None
8 | BWM | The northbound function is added for the per-user maximum connection rate and per-IP address maximum connection rate. Virtualization is supported. | The function is enhanced. | None
9 | PKI | When the certificate or key pair is imported through the CLI, the file shall be uploaded to the corresponding directory (public on the root firewall and vsys+vsysid on the virtual firewall) under cfcard:/pki or hda1:/pki. | The function is enhanced. | None
13 | Session log | Sending encrypted session logs over an IPsec tunnel is supported. | The function is enhanced. | None
15 | Application | After the SA signature database is updated, application names of functions that reference applications, such as integrated policy, application group, and port mapping, are smoothly updated to new names after configuration update. For example, QQ_Webmail is updated to WebMail_QQ, and GMail to WebMail_GMail. | The function is enhanced. | None
None
New commands
For new command details, see the product document.
Modified commands
Columns: Original Command, New Command, Change Description, Impact of the Upgrade

Original command: ssl whitelist hostname xxx
New command: ssl whitelist userdefined-hostname xxx
Change description: Modify keywords.
Impact of the upgrade: None

Original command: startup patch STRING<5-48>
New command: startup patch STRING<5-48> [ slave-board | all | chassis STRING<1-16> { master | slave } | slot STRING<1-64> ]
Change description: The configuration patch file of the standby board is added.
Impact of the upgrade: None

Original command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] *
New command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] * [ | count ] [ | [ before INTEGER<1-999> | after INTEGER<1-999> ] * { begin | include | exclude } TEXT0 ]
Change description: The pipe character-based filtering and query function is added.
Impact of the upgrade: None

Original command: info-center timestamp { log | trap | debugging } { { none | boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] }
New command: info-center timestamp { log | trap | debugging } { { boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] } [ without-timezone ]
Change description: In security rectification, the no-timestamp mode is deleted.
Impact of the upgrade: None

Original command: snmp-agent acl { INTEGER<0-4294967295> | null }
New command: snmp-agent acl INTEGER<0-4294967295>
Change description: The function is enhanced. The null configuration at the end of the ACL is meaningless, and no buildrun information is generated.
Impact of the upgrade: None

Original command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None

Original command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None

Original command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> }
New command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> } [ vpn-instance STRING<1-31> ]
Change description: Keyword vpn-instance is added.
Impact of the upgrade: None
undo snmp-agent
undo snmp-agent target-host trap ipv6
target-host trap ipv6 address { udp-
address { udp- domain X:X::X:X
domain X:X::X:X [ udp-port
[ udp-port INTEGER<0-65535
Keyword vpn-
INTEGER<0-65535 > | vpn-instance None
instance is added.
> ] } params STRING<1-31> ]
securityname * } params
{ STRING<1-32> | securityname
cipher { STRING<1-32> |
STRING<1-68> } cipher
STRING<1-68> }
stelnet [ -a X.X.X.X
stelnet [ -a X.X.X.X | -i
| -i { STRING<1-256>
{ STRING<1-256> STRING<1-256> |
STRING<1-256> | STRING<1-256> } ]
STRING<1-256> } ] STRING<1-255>
STRING<1-255> [ INTEGER<1-6553
[ INTEGER<1-6553 5> ] [ [ -vpn-
5> ] [ [ -vpn- instance
instance STRING<1-31> ] |
STRING<1-31> ] | [ prefer_kex
[ prefer_kex STRING<1-64> ] |
STRING<1-64> ] | [ identity-key { rsa |
ECC authentication
[ identity-key { rsa | dsa | ecc } ] | [ user-
is added in response
dsa } ] | identity-key { rsa | None
to a new
[ prefer_ctos_cipher dsa | ecc } ] |
requirement.
STRING<1-32> ] | [ prefer_ctos_cipher
[ prefer_stoc_cipher STRING<1-32> ] |
STRING<1-32> ] | [ prefer_stoc_cipher
[ prefer_ctos_hmac STRING<1-32> ] |
STRING<1-32> ] | [ prefer_ctos_hmac
[ prefer_stoc_hmac STRING<1-32> ] |
STRING<1-32> ] | [ prefer_stoc_hmac
[ -ki STRING<1-32> ] |
INTEGER<1-3600> [ -ki
] | [ -kc INTEGER<1-3600>
INTEGER<3-10> ] ] ] | [ -kc
* INTEGER<3-10> ] ]
*
stelnet ipv6 [ -a
stelnet ipv6 [ -a X:X::X:X ]
X:X::X:X ] STRING<1-255> [ -
STRING<1-46> [ - oi
oi { STRING<1-256>
{ STRING<1-256> STRING<1-256> |
STRING<1-256> | STRING<1-256> } ]
STRING<1-256> } ] [ INTEGER<1-6553
[ INTEGER<1-6553 5> ] [ [ prefer_kex
5> ] [ [ prefer_kex STRING<1-64> ] |
STRING<1-64> ] | [ identity-key { rsa |
[ identity-key { rsa | dsa | ecc } ] | [ user-
ECC authentication
dsa } ] | identity-key { rsa |
is added in response
[ prefer_ctos_cipher dsa | ecc } ] | None
to a new
STRING<1-32> ] | [ prefer_ctos_cipher
requirement.
[ prefer_stoc_cipher STRING<1-32> ] |
STRING<1-32> ] | [ prefer_stoc_cipher
[ prefer_ctos_hmac STRING<1-32> ] |
STRING<1-32> ] | [ prefer_ctos_hmac
[ prefer_stoc_hmac STRING<1-32> ] |
STRING<1-32> ] | [ prefer_stoc_hmac
[ -ki STRING<1-32> ] |
INTEGER<1-3600> [ -ki
] | [ -kc INTEGER<1-3600>
INTEGER<3-10> ] ] ] | [ -kc
* INTEGER<3-10> ] ]
*
Traffic interruption
reset arp { static | all reset arp { static | resulting from
None
| dynamic } dynamic } misoperations is
prevented.
nssa [ default-route-
nssa [ default-route- advertise { [ [ cost
advertise { [ [ cost INTEGER<1-16777
INTEGER<1-16777 214> ] | [ type
214> ] | [ type INTEGER<1-2> ] |
INTEGER<1-2> ] | [ tag
[ tag INTEGER<0-42949
Integrated from the
INTEGER<0-42949 67295> ] ] * } | no-
OSPFv3 FA None
67295> ] ] * } | no- import-route | no-
requirement.
import-route | no- summary |
summary | translator-always |
translator-always | translator-interval
translator-interval INTEGER<1-120> |
INTEGER<1-120> | set-n-bit | suppress-
set-n-bit ] * forwarding-address ]
*
rserver rserver
[ INTEGER<0-31> [ INTEGER<0-31>
[ to [ to
INTEGER<0-31> ] ] INTEGER<0-31> ] ]
The command that
rip X.X.X.X [ port rip X.X.X.X [ port
restricts the
INTEGER<0-65535 INTEGER<0-65535
maximum number
> | weight > | weight
of connections of the
INTEGER<1-1024> INTEGER<1-8192> None
physical server
| status { inactive | | status { inactive |
(max-connection
health-check } | health-check } |
INTEGER<0-6553
description description
5>) is added.
STRING<1-32> ] * STRING<1-32> |
max-connection
INTEGER<0-65535
>]*
packet-capture packet-capture
queue queue The view is changed
INTEGER<0-3> to- INTEGER<0-42949 from system view to None
file STRING<5-64> 67295> to-file any view.
STRING<5-64>
packet-capture packet-capture
startup [ packet-len startup [ packet-len
INTEGER<40-1500 INTEGER<40-1500
The view is changed
> ] [ sample-rate > ] [ sample-rate
from system view to None
INTEGER<1-10000 INTEGER<1-10000
any view.
> ] [ packet-num > ] [ packet-num
INTEGER<1-1000> INTEGER<1-1000>
] ]
packet-capture packet-capture
{ ipv4-packet { ipv4-packet
INTEGER<3000-39 INTEGER<3000-39
99> | ipv6-packet 99> | ipv6-packet
INTEGER<3000-39 INTEGER<3000-39
99> | no-ip-packet | 99> | no-ip-packet |
The view is changed
all-packet } [ queue all-packet } [ queue
from system view to None
INTEGER<0-3> ] INTEGER<0-42949
any view.
[ interface 67295> ] [ interface
{ STRING<1-256> { STRING<1-256>
STRING<1-256> | STRING<1-256> |
STRING<1-256> } STRING<1-256> }
[ inbound | [ inbound |
outbound ] ] outbound ] ]
configure disk type configure disk type The size of the audit
audit-log audit-log log disk space can None
INTEGER<1-100> INTEGER<0-100> be set to 0%.
configure disk type configure disk type The size of the data
{ content-report } { content-report } filtering report disk
None
INTEGER<1-100> INTEGER<0-100> space can be set to
0%.
configure disk type configure disk type The size of the file
{ file-block-report } { file-block-report } blocking report disk
None
INTEGER<1-100> INTEGER<0-100> space can be set to
0%.
configure disk type configure disk type The size of the mail
{ mail-log } { mail-log } filtering log disk
None
INTEGER<1-100> INTEGER<0-100> space can be set to
0%.
configure disk type configure disk type The size of the URL
{ url-log } { url-log } log disk space can None
INTEGER<1-100> INTEGER<0-100> be set to 0%.
configure disk type configure disk type The size of the URL
{ url-report } { url-report } report disk space can None
INTEGER<1-100> INTEGER<0-100> be set to 0%.
configure disk type configure disk type The size of the user
{ user-log } { user-log } log disk space can None
INTEGER<1-100> INTEGER<0-100> be set to 0%.
report type threat- report type threat- The virus, attack The virus, attack
report item { threat- report item { threat- region, and attacked region, and attacked
type | application | type | application | region dimensions region dimensions
attacker | victim | attacker | victim | are deleted from are deleted from
threat-name | virus- threat-name | defend threat reports. threat reports.
name | defend | | all | map } enable (1) The virus (1) The virus
attacker-location | dimension can be dimension can be
victim-location | all | replaced by replaced by
map } enable advanced search of advanced search of
the threat name the threat name
dimension with the dimension with the
virus threat type. virus threat type.
(2) The attack and (2) The attack and
attacked region attacked region
dimensions can be dimensions can be
replaced by threat replaced by threat
map query. map query.
report type traffic- report type traffic- The application Traffic reports do
report item { source- report item { source- category, address not contain
ip | destination-ip | ip | destination-ip | type, source region, application category,
application | application | and destination address type, source
application-category application-sub- region dimensions region, and
| application-sub- category | all | map | are deleted from destination region
category | source- out-interface } traffic reports. dimensions.
location | enable (1) The application (1) The application
destination-location | category dimension category dimension
address-type | all | can be replaced can be replaced
map } enable using the application using the application
sub-category sub-category
dimension. dimension.
(2) The source and (2) The source and
destination region destination region
dimensions can be dimensions can be
replaced by traffic replaced by traffic
map query. map query.
undo report type undo report type The application Traffic reports do
traffic-report item traffic-report item category, address not contain
{ source-ip | { source-ip | type, source region, application category,
destination-ip | destination-ip | and destination address type, source
application | application | region dimensions region, and
application-category application-sub- are deleted from destination region
| application-sub- category | all | map | traffic reports. dimensions.
category | source- out-interface } (1) The application (1) The application
location | enable category dimension category dimension
destination-location | can be replaced can be replaced
address-type | all | using the application using the application
map } enable sub-category sub-category
dimension. dimension.
(2) The source and (2) The source and
destination region destination region
dimensions can be dimensions can be
replaced by traffic replaced by traffic
map query. map query.
Deleted commands
Command Cause of Deletion Impact
The license can still be used after the upgrade from V500R001C30SPC300 to V500R001C50.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
New features
None
Modified features
No.: 2
Feature: HRP
Change description: Enhanced reliability of the HRP command backup mechanism.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 3
Feature: Reliability
Change description: Interface shutdown triggered when the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 5
Feature: Security zone
Change description: Command added to check whether the detection function is enabled.
Cause: The function is enhanced.
Impact of the upgrade: None.
Deleted Features
None
New commands

Command: firewall exceeded cpu-usage threshold <integer<60-100>>
Description: Sets a threshold for the CPU usage.
Impact: To enhance maintainability, so that interfaces can be shut down if the CPU usage exceeds the threshold.

Command: hrp base config enable
Description: Restores commands upon enhanced startup.
Impact: To enhance hot standby reliability.
Modified features
None
Deleted commands
None
The license can still be used after the upgrade from V500R001C30SPC200 to
V500R001C30SPC300.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC200 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
New features
None
Modified features
No. Feature Change Cause Impact of the Upgrade
Description
Deleted Features
None
Command: display ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: display ipsec fpath statistics [ slot <slotid> ] cpu <cpu-id> ]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics [ slot <slotid> cpu <cpu-id> ]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.

Command: reset security-policy statistic
Description: Clears statistics on the number of packets and bytes that match security policies.
Impact: Added a function that allows you to view the statistics through MIB.

Command: [undo] api netconf validate
Description: Enables the verification function.
Impact: The verification function is originally enabled by default, compromising the performance. Therefore, it is modified to be disabled by default. You can use this command to enable it again.

Command: firewall defend tcp split-handshake-spoof enable
Description: Enables the function of defending against split handshake spoofing attacks.
Impact: Added a function. After this function is enabled, the firewall can block TCP split handshake spoofing attacks, defend against malicious data injection, and discard SYN packets with data.

Command: ssh server dh-exchange min-len
Description: Specifies the minimum DH length supported by the server when SSH uses the dh_exchange key exchange algorithm.
Impact: Enhanced the existing function.
Original command: display firewall session aging-time
New command: display firewall session aging-time
Change description: Changed the default aging time of SQLNET from 600 seconds to 14400 seconds.
Impact of the upgrade: After the upgrade, SQLNET sessions are persistent sessions whose default aging time is 14400 seconds. When the number of persistent connections exceeds 1/3 of the session specification, their aging time is automatically changed to that of common TCP sessions.

Original command: display gpm method
New command: display gpm method
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.

Original command: display gpm flow
New command: display gpm flow
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.
Deleted commands
None.
The license can still be used after the upgrade from V500R001C30SPC100 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
V500R001C20SPC300: In mail audit logs, attachment names are separated using commas or spaces.
V500R001C30SPC100: In mail audit logs, attachment names are separated using slashes (/).

V500R001C20SPC300: The [undo] traffic-policy bandwidth force statistic enable command enables or disables the traffic policy statistics function. By default, the function is enabled.
V500R001C30SPC100: The default state is changed from enabled to disabled for high-end firewalls. The default state is still enabled for low-end and mid-range firewalls.

V500R001C20SPC300: The [undo] firewall packet-filter basic-protocol enable command enables or disables security policy control for BGP, LDP, BFD, and OSPF unicast packets. By default, the function is enabled.
V500R001C30SPC100: The default state of this command is changed from enabled to disabled.

V500R001C20SPC300: When user management uses the SSL protocol, the cipher list supports low-, medium-, and high-length encryption algorithms.
V500R001C30SPC100: When user management uses the SSL protocol, the cipher list supports medium- and high-length encryption algorithms.

V500R001C20SPC300: Static mapping deletion on the MIB deletes all static mappings configured on the device.
V500R001C30SPC100: Only static mappings that are not referenced are deleted.

V500R001C20SPC300:
audit-policy
interzone trust untrust outbound
policy 1
action audit
Session log sending is controlled through audit policies.
V500R001C30SPC100:
security-policy
rule name 1
session logging
Session logs are controlled through security policies.
Original command: [undo] ssl version { tlsv10 | tlsv11 | tlsv12 | sslv3 }
New command: ssl version { tlsv10 | tlsv11 | tlsv12 }
Change description: The keyword sslv3 is deleted. By default, TLS11 and TLS12 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS11 and TLS12.

Original command: speed {10 | 100 | 1000}, undo speed, [undo] negotiation auto, duplex { half | full }, undo duplex
New command: speed {10 | 100 | 1000}, undo speed, [undo] negotiation auto, duplex { half | full }, undo duplex
Change description: The function is added. The negotiation mode, duplex mode, and rate can be set in the view of an Eth-Trunk member interface.
Impact of the upgrade: None.
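Several of the command changes in the tables above can be checked in a saved configuration before the upgrade: the deleted sslv3 keyword, the removed no-timestamp mode of info-center timestamp, the meaningless snmp-agent acl null, the renamed ssl whitelist keyword, the deleted report dimensions, and the defaults of firewall packet-filter basic-protocol enable and api netconf validate that flip from enabled to disabled. The following Python script is an added example written for this guide, not Huawei code or tooling; the rule names, the hypothetical sysname and hostname, and the sample configuration are constructed.

```python
"""Pre-upgrade scan of a saved configuration for the command changes listed above.

Added example for this guide, not Huawei code or tooling. It reads a
configuration as text and reports lines that use syntax the guide says is
deleted or renamed, plus settings left at a default that the upgrade flips.
Patterns follow the guide's tables; the sample config and rule names are constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned config; 0 for a default-dependency
    rule: str
    text: str      # offending config line, or the command left at its default
    advice: str


# Syntax the upgrade deletes or renames: (rule name, pattern, advice).
DELETED_OR_RENAMED = [
    ("ssl-sslv3-removed",
     re.compile(r"^\s*ssl version\b.*\bsslv3\b"),
     "sslv3 keyword is deleted; the default after upgrade is TLS1.1 and TLS1.2"),
    ("info-center-no-timestamp-removed",
     re.compile(r"^\s*info-center timestamp (?:log|trap|debugging) none\b"),
     "the no-timestamp mode is deleted; use boot, date, short-date or format-date"),
    ("snmp-acl-null-removed",
     re.compile(r"^\s*snmp-agent acl null\b"),
     "snmp-agent acl null is meaningless and no longer appears in buildrun"),
    ("ssl-whitelist-keyword-renamed",
     re.compile(r"^\s*ssl whitelist userdefined-hostname\b"),
     "keyword renamed: use 'ssl whitelist hostname'"),
    ("threat-report-dimension-removed",
     re.compile(r"^\s*(?:undo )?report type threat-report item "
                r"(?:virus-name|attacker-location|victim-location)\b"),
     "dimension deleted; use threat-name advanced search or threat map query"),
    ("traffic-report-dimension-removed",
     re.compile(r"^\s*(?:undo )?report type traffic-report item "
                r"(?:application-category|source-location|destination-location|address-type)\b"),
     "dimension deleted; use application-sub-category or traffic map query"),
]

# Commands whose default flips on upgrade: (rule name, pattern, command, advice).
# If the config neither sets nor unsets them explicitly, behaviour changes silently.
DEFAULT_FLIPS = [
    ("basic-protocol-filter-default-now-off",
     re.compile(r"^\s*(?:undo )?firewall packet-filter basic-protocol enable\b"),
     "firewall packet-filter basic-protocol enable",
     "default changes from enabled to disabled: BGP, LDP, BFD and OSPF unicast "
     "packets leave security-policy control unless the command is set explicitly"),
    ("netconf-validate-default-now-off",
     re.compile(r"^\s*(?:undo )?api netconf validate\b"),
     "api netconf validate",
     "default changes from enabled to disabled; set it explicitly if required"),
]


def scan_config(config_text: str) -> List[Finding]:
    """Return findings for deleted/renamed syntax and for unset flipped defaults."""
    findings: List[Finding] = []
    seen_explicit = {name: False for name, _, _, _ in DEFAULT_FLIPS}
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and the '#' section separators
        for name, pattern, advice in DELETED_OR_RENAMED:
            if pattern.search(line):
                findings.append(Finding(line_no, name, line.strip(), advice))
        for name, pattern, _, _ in DEFAULT_FLIPS:
            if pattern.search(line):
                seen_explicit[name] = True
    for name, _, command, advice in DEFAULT_FLIPS:
        if not seen_explicit[name]:
            findings.append(Finding(0, name, command, advice))
    return findings


# Constructed sample configuration, not captured from a real device.
SAMPLE_CONFIG = """\
#
 sysname FW-EDGE-1
#
 ssl version tlsv12 sslv3
 ssl whitelist userdefined-hostname portal.example.test
 info-center timestamp log none
 snmp-agent acl null
 report type threat-report item virus-name enable
 report type traffic-report item application enable
 undo api netconf validate
#
 return
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        where = f"line {f.line_no}" if f.line_no else "default"
        print(f"[{f.rule}] {where}: {f.text} -> {f.advice}")
```

Run it against the output of display current-configuration saved to a file; a finding with line 0 means the configuration relies on a default that the new software changes.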
The license can still be used after the upgrade from V500R001C20SPC300 to
V500R001C30SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC300 to V500R001C30SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
Before the upgrade: Packet discard logs caused by UNRs and PAT port conflicts are not generated.
After the upgrade: Packet discard logs caused by UNRs and PAT port conflicts are generated. The maintenance method is enhanced.

Before the upgrade: SSL VPN virtualization scenarios are not supported.
After the upgrade: SSL VPN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Only low-end and mid-range models support SSL VPN.

Before the upgrade: The VPN client can't be separately upgraded and imported to the device.
After the upgrade: The VPN client can be separately upgraded and imported to the device.
Only low-end and mid-range models support SSL VPN.
Original command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
New command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.

Original command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
New command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.

Original command: acl ipv6 { [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } } [ vpn-instance STRING<1-31> ]
New command: acl ipv6 [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } [ vpn-instance STRING<1-31> ]
Change description: IPv6 addresses are supported in virtual systems.
Impact of the upgrade: None.

Original command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
New command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.

Original command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
New command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.
The license can still be used after the upgrade from V500R001C20SPC200 to V500R001C30.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC200 to V500R001C30. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
Before the upgrade: The firewall system statistics function is disabled by default.
After the upgrade: The default status of this function is changed from disabled to enabled.

Before the upgrade: The root firewall does not have the worktime time range setting after the configuration is restored.
After the upgrade: Add the following default setting.
time-range worktime period-range 08:00:00 to 18:00:00 working-day
The license can still be used after the upgrade from V500R001C20SPC100 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
V500R001C00SPC500: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC500: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC500: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.

V500R001C00SPC500: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.

V500R001C00SPC500: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported. In the security policy view, run:
[ undo ] device-classification device-category <device-category-name>
[ undo ] device-classification device-group <device-category-name>
[ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC500: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies. If the live network uses BFD, but corresponding BFD rules are not configured in the security policies, you need to allow the BFD sessions through in security policy rules. For example:
[sys] ip service-set bfd type object
[sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
[sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
[sys-object-service-set-bfd] quit
[sys] security-policy
[sys-policy-security] rule name allow_bfd
[sys-policy-security-rule-allow_bfd] description BFD
[sys-policy-security-rule-allow_bfd] service bfd
[sys-policy-security-rule-allow_bfd] action permit
The license can still be used after the upgrade from V500R001C00SPC500 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC500 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
V500R001C00SPC300: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC300: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC300: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.

V500R001C00SPC300: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.

V500R001C00SPC300: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported. In the security policy view, run:
[ undo ] device-classification device-category <device-category-name>
[ undo ] device-classification device-group <device-category-name>
[ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC300: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies. If the live network uses BFD, but corresponding BFD rules are not configured in the security policies, you need to allow the BFD sessions through in security policy rules. For example:
[sys] ip service-set bfd type object
[sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
[sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
[sys-object-service-set-bfd] quit
[sys] security-policy
[sys-policy-security] rule name allow_bfd
[sys-policy-security-rule-allow_bfd] description BFD
[sys-policy-security-rule-allow_bfd] service bfd
[sys-policy-security-rule-allow_bfd] action permit
The license can still be used after the upgrade from V500R001C00SPC300 to
V500R001C50SPC100.
Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.
NOTICE
l The sensitive feature component package to be loaded must be compatible with the system
software.
l Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
l After the upgrade, you must dynamically load these features.
l After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.
Upgrade Description:
NOTICE
1. After the manual update is complete, you can query history logs and reports, but
cannot roll back the system.
2. Manual update will overwrite the logs of the source version with new logs. Therefore,
you are advised to manually update the log database immediately after upgrading the
system software if the customer does not require version rollback.
3. The time and time zone after the upgrade must be correct.
Network management software (NMS): eSight V300R007C00
Controller: Agile Controller-Campus V200R003C20; Agile Controller-DCN V300R001C10; Agile Controller-Cloud Manager V200R002C00
Configuration conversion tool: V100R006C00B023
NOTICE
Patches cannot be upgraded.
The patch loading procedure is the same for hot-standby and single-device scenarios.
Whether the patch is first loaded to the active or standby device does not affect the patch
loading effect.
3.3.2 Precautions
Precautions
During the upgrade, take the following precautions:
l Ensure the stable power supply during the upgrade and avoid power failures. If the
device cannot start normally after a power failure, try to upgrade in BootROM mode. For
details, see Appendix A: Upgrading System Software Using BootROM.
l The registration of boards takes a period of time. After the device is restarted, do not
perform any operations until all the boards are registered. When you run the display
device command to display the registration status of a board, Registered is displayed in
the Register field and Normal is displayed in the Status field.
Figure 1 shows the flow for upgrading to V500R001C50SPC100 from an earlier version.
NOTE
For details on how to upgrade the version software using BootROM, see Appendix A: Upgrading
System Software Using BootROM.
Configuration analysis: License file analysis. See license impact in Upgrade Impact. Purpose: to analyze the display license command output and check whether the license file needs to be converted or merged according to the description in section License Impact.
Prerequisites
To upgrade system software using the Web UI, upload the system software to the CF card of
the properly operating NIP6300/6600, specify the system software to be used at the next
startup, and restart the NIP6300/6600.
The premise is that you have logged in to the Web environment using the Web UI. If the login
using the Web UI is not configured, log in to the NIP6300/6600 using the console port to
configure the Web environment. For configuration details, see Setting Up an Environment
for Upgrading System Software Using Web.
By default, the device allows an administrator to log in to the web UI using HTTPS.
NOTE
The network using two PCs is used as an example to facilitate description. You can use only one PC as
Telnet/SSH and HTTPS clients.
Figure 3-2 Schematic diagram of the IPS Module serving as the Web server
The Web service is enabled on the IPS Module by default. You can use the IP address
192.168.0.1 of interface GigabitEthernet 0/0/0 on the IPS Module and the default user name
admin and password Admin@123 to log in to the web UI of the IPS Module through HTTPS.
If you have disabled the Web service or deleted the default user, do as follows to reconfigure
the service.
NOTE
You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To
facilitate description, the network using two PCs is used as an example. The following steps apply to this
two-PC network.
Procedure
Step 1 On PC1, log in to the CLI of the IPS Module through Telnet or SSH.
It is recommended that you use interface GigabitEthernet 0/0/0 on the IPS Module for login. By
default, the IP address of interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is
admin, and the password is Admin@123.
Step 2 Enter the system view and start the Web service. Configure a user with user name webuser
and password Admin@1234, and set the level of the Web user. You can use other user names and
passwords as required.
<IPS Module> system-view
[IPS Module] web-manager enable
[IPS Module] web-manager security enable port 8443
[IPS Module] aaa
[IPS Module-aaa] manager-user admin
[IPS Module-aaa-manager-user-admin] password cipher Admin@1234
[IPS Module-aaa-manager-user-admin] service-type web telnet ssh
[IPS Module-aaa-manager-user-admin] level 15
[IPS Module-aaa-manager-user-admin] quit
[IPS Module-aaa] quit
[IPS Module] interface GigabitEthernet0/0/0
[IPS Module-GigabitEthernet0/0/0] service-manage enable
[IPS Module-GigabitEthernet0/0/0] service-manage http permit
[IPS Module-GigabitEthernet0/0/0] service-manage https permit
[IPS Module-GigabitEthernet0/0/0] quit
Step 3 Log in to https://192.168.0.1 using Internet Explorer on PC2 to verify the configurations.
If the login page of the Web server is displayed in the IE browser and the login succeeds
with admin and Admin@1234, you can log in to the Web server normally.
After the configuration is verified, you can either keep this connection for further use or exit
from the Web server and log in to it again when required.
----End
Context
Obtain the following files for the upgrade:
1. System software file.
The file name extension is .bin. This document uses V500R001C50SPC100 (about
196,369,777 bytes, MD5: 83bfa0e68390f05b8812b7c884de1ece) as an example.
2. (Optional) License file
The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file
only if you need to apply for a license.
3. (Optional) Sensitive Feature Component Package
The file name extension is .mod. You can obtain the file from http://sec.huawei.com/
sec. If the device does not require any content security or the signature database can be
upgraded in online mode, the signature database file is not required.
4. (Optional) Local signature database file
The file name extension is .zip. You can obtain the file from http://sec.huawei.com/sec.
If the device does not require any content security or the signature database can be
upgraded in online mode, the signature database file is not required.
Save the files into the root directory (such as D:\Web) of PC2, which runs the Web browser.
You can specify another directory as required.
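Before the system software is uploaded to the CF card, a practitioner will want to confirm that the downloaded .bin matches the size and MD5 quoted above. The following is an added example, not a Huawei tool; demo() runs the check on a constructed 3-byte stand-in file, and the real expected values are the ones given for the .bin file in this guide.

```python
"""Verify a downloaded system software file against an expected size and MD5
before it is uploaded to the CF card (added example, not part of the guide)."""
import hashlib
import os
import tempfile


def file_md5(path, chunk_size=1 << 20):
    """Stream the file in 1 MB chunks so a ~196 MB image need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_md5, expected_size=None):
    """Return the observed size and MD5 plus per-check flags and an overall 'ok'.
    The size is compared only when expected_size is given; the MD5 is always
    compared (case-insensitively, since tools print it in either case)."""
    size = os.path.getsize(path)
    digest = file_md5(path)
    size_ok = expected_size is None or size == expected_size
    md5_ok = digest.lower() == expected_md5.lower()
    return {"size": size, "md5": digest, "size_ok": size_ok,
            "md5_ok": md5_ok, "ok": size_ok and md5_ok}


def demo():
    """Constructed check: write b'abc' (MD5 900150983cd24fb0d6963f7d28e17f72)
    to a temporary file and verify it once with the right size and once with
    a wrong size, as would happen after a truncated upload."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        known = "900150983cd24fb0d6963f7d28e17f72"
        good = verify_image(path, known, expected_size=3)
        truncated = verify_image(path, known, expected_size=4)
        return good, truncated


if __name__ == "__main__":
    for result in demo():
        print(result)
```

For the real image, call verify_image with the .bin path, the MD5 and the byte count quoted in item 1 above; the same function can be run against the file copied back from the CF card to confirm the upload was complete.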
Obtain the following documents for reference during the upgrade. For example, to upgrade
NIP6000&NIP6800&IPS Module to V500R001C50SPC100, obtain the following documents:
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Release Notes
Procedure
Step 1 Access the home page of http://support.huawei.com/enterprise.
Step 2 If you are not a registered member of the website, perform 3 to register. If you are a registered
member, go to 4.
Step 3 Click Register and register as prompted. If the registration succeeds, you will receive your
user name and password.
Step 4 Enter the user name, password, and verification code. Then click Login.
Step 5 After login, choose Support > Software > Enterprise Networking > Security > Firewall &
VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.
----End
Context
Content security feature component packages are not released along with the software
package. You must access the security center website and load the packages in online mode,
or download and load them locally.
Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec (Internet Explorer 8.0 or
later, or Firefox).
Step 2 Expand the IPS Module Series tab and select the product model and version, such as
V500R001C50.
Step 3 Select and download the component package. The component packages are as follows:
CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.
NOTE
Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security
feature component packages.
----End
Context
The premise is that you have logged in to the Web environment of the device from PC2 using
the Web UI. On the Web UI, you can query the current system software and perform
subsequent operations.
After login, you can query the version information of the running system software in System
Information on the DashBoard page, as shown in figure 1. V500R001C50SPC100 is used as
an example.
Click Upgrade at the right side of Version, as shown in figure 2, to query the existing system
software. Record the system software file name for file backup.
NOTE
The root directory of the CF card is hda1:/. You can use the system software on the CF card to start the
device.
Context
If no license-controlled function, such as content security function (intrusion prevention/anti-
virus/pre-defined URL category query) is used, skip this section.
Procedure
Step 1 Check information about the current license. You do not need to apply for another license if
the current license has not expired and no function needs to be added. After login, you can
query the license information in License Information on the DashBoard page, as shown in
figure 1:
The preceding information is about an activated license file. Service Expire Time in the
figure indicates the expiry time of the IPS/AV signature database upgrade service or the URL
predefined category query service, not the expiry time of the license file.
Use the Notepad on the PC to open and check the license file. license.dat is used only as an
example. In practice, replace license.dat with the actual file name:
........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Comment=",,V544HUP32MUW-7W4A"
Sign=3694DA7AE8190BF77FC8D6A08689E64DCDC1CDB8AE70E625AF2490B755A828D1619795F892C
7708CCDD512AADC816D2C6074CEF5FCFB18305CC6FF87DC2E9E0F1F84C65511344DA2BB3C1F4BD92
B2EECEB8670DDC42DC83385D8DC36B8547638653FFC7CE27A1A09943936B79C3152D73C8C416583F
01B3413518B4B9110A53C9C673C1A56CE6C6FC70877DA393131A6161A4380CA0FF3FEE8E0982ADD3
5E53834F649BF1CC36F4AA6C8BAFE75582A2C5E0D22442F0E929A3A16CC876D2EA0B7932499718F3
2951238DB8BE8D6B31EEEB53CFC34646B2A48A884DEB9DE6569ACC3AA4CBE02214FAED74ACFA66C8
E3191930F53F941BDEED02A717F6154ABB6BC
........
Note the first two fields of the Attrib attribute: COMM indicates a commercial license and
2014-06-04 indicates the expiry date of the license.
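The license file above is a simple key=value format, and the guide tells you which two Attrib sub-fields matter. The following added example (not Huawei's tooling) parses that format, reports the license type and expiry date, and checks the ESN binding mentioned in the NOTICE below; the sample text is constructed from the layout shown above, with placeholder ESN and Sign values.

```python
"""Parse the license.dat layout shown in this guide and derive its status
(added example; sample text and ESN/Sign values are constructed)."""
import re
from datetime import date

# Constructed sample in the layout shown above; ESN and Sign are placeholders.
SAMPLE_LICENSE = """........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Comment=",,V544HUP32MUW-7W4A"
Sign=PLACEHOLDER_SIGNATURE_HEX
........
"""


def parse_license(text):
    """Return a dict of Key=Value fields; surrounding quotes are stripped.
    Separator lines such as '........' are not Key=Value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+)=(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def license_status(text, today, device_esn=None):
    """Interpret Attrib as the guide describes: sub-field 1 is the license
    type (COMM = commercial) and sub-field 2 is the expiry date.
    today is an ISO date string. If device_esn is given, also report whether
    the file is bound to that ESN (a mismatch means it will not activate)."""
    fields = parse_license(text)
    attrib = fields.get("Attrib", "").split(",")
    if len(attrib) < 2:
        raise ValueError("Attrib field missing or malformed")
    lic_type = attrib[0]
    expiry = date.fromisoformat(attrib[1])
    now = date.fromisoformat(today)
    result = {
        "type": lic_type,
        "commercial": lic_type == "COMM",
        "expiry": expiry.isoformat(),
        "expired": now > expiry,
        "days_left": (expiry - now).days,
    }
    if device_esn is not None:
        result["esn_match"] = fields.get("Esn") == device_esn
    return result


if __name__ == "__main__":
    print(license_status(SAMPLE_LICENSE, "2014-05-01", device_esn="030UEKZxxxxxxxxx"))
```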
Step 2 Apply for a license file. For details on how to apply for a license file, see Appendix:
Applying for a License.
After you obtain the license file, save it in the same directory as the system software.
NOTICE
- Each license file corresponds to one equipment serial number (ESN).
- To successfully activate a license file, ensure that the name of the license file (including
the complete absolute path) does not exceed 64 characters. It is recommended that the
name of the license file be as short as possible, without spaces.
----End
Prerequisites
After you log in to the Web UI, check the device operating status on the Dashboard page.
Context
The diagnosis information contains the output of multiple commonly-used display
commands. You can check the operating status of each device module.
On the Web UI, choose Monitor > Diagnosis Center > Diagnosis Information. Click Collect
to view device diagnosis information, as shown in figure 1. You can also save the diagnosis
information to a text file.
You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 2:
Context
Important data includes the current system software, configuration file, license file, patch file,
diagnosis file, signature file.
NOTE
The license file, signature file, and sensitive feature component package cannot be exported from the Web
UI. See Performing the Upgrade Using the CLI.
On the Web UI, you can use One-Touch Version Upgrade to back up important data before
the upgrade.
Procedure
Step 1 Display the System Update page. On the Web UI, choose System > System Upgrade. On the
System Upgrade page, click One-Touch Version Upgrade, as shown in figure 1:
NOTICE
You need to save the configuration file before backing it up.
On the One-Touch Version Upgrade page, you can export alarms, logs, and configurations
and save configurations, as shown in figure 2.
----End
NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.
Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.
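A converted configuration should not be loaded while any marked command remains, so it helps to scan the conversion result mechanically. The following is an added example, not the conversion tool's own code: it lists the **** lines that still need manual conversion, drops the @@@@ lines the guide says are unsupported in V500R001, and reports whether the result is ready to load; the sample text is constructed from the fragment above.

```python
"""Scan a configuration-conversion result file for the '****' (convert by
hand) and '@@@@' (unsupported, delete) markers described in this guide.
Added example; SAMPLE_RESULT is constructed from the fragment shown above."""

SAMPLE_RESULT = """\
profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other
  target both
  severity low medium high
  protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
"""

MANUAL_MARK = "****"   # command must be converted by hand before loading
DELETE_MARK = "@@@@"   # command not supported in V500R001: delete it


def scan_conversion_result(text):
    """Return the lines needing manual conversion, the lines deleted as
    unsupported, the cleaned text, and whether it is ready to load.
    '****' lines are kept verbatim in the output so the operator still sees
    them; 'ready' stays False until none remain."""
    manual, deleted, kept = [], [], []
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.lstrip()
        if stripped.startswith(DELETE_MARK):
            deleted.append((no, stripped[len(DELETE_MARK):].strip()))
            continue  # not supported in the target version: drop the line
        if stripped.startswith(MANUAL_MARK):
            manual.append((no, stripped[len(MANUAL_MARK):].strip()))
        kept.append(raw)
    return {
        "manual": manual,
        "deleted": deleted,
        "output": "\n".join(kept) + "\n",
        "ready": not manual,
    }


if __name__ == "__main__":
    report = scan_conversion_result(SAMPLE_RESULT)
    for no, cmd in report["manual"]:
        print(f"line {no}: convert manually: {cmd}")
    for no, cmd in report["deleted"]:
        print(f"line {no}: deleted (unsupported in V500R001): {cmd}")
    print("ready to load:", report["ready"])
```

The deleted list is what you take to the customer for confirmation, as the comment above asks, before the cleaned output is used.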
Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of the configuration must be consistent. If a verification
environment is unavailable on site, you are advised to contact technical support engineers
for support.
NOTICE
If the remaining available space of the CF card is insufficient during the one-touch version
upgrade, the system automatically deletes the running system software.
NOTE
Because the size of system software (*.bin files) is large, deleting unwanted system software can greatly
save the space on the CF card. You can delete the software that is running.
Context
Figure 3-19 Flowchart of the version software upgrade through the Web
Procedure
Step 1 On PC2, open Internet Explorer, access https://192.168.0.1, and enter user name admin
and password Admin@1234 to log in to the NGFW. User name admin and password
Admin@1234 are used as an example. You can set another user name and password as
required.
Step 2 Upload the system program.
NOTICE
Ensure that a configuration conversion tool is used to convert the original configuration file to
a configuration file applicable to the target version. For details, see Configuration
Conversion.
1. Choose System > Configuration File Management. You can view configuration file
information in Current System Software and Next Startup System Software.
2. Click Select for the Next Startup System Software. The Configuration File
Management page is displayed. Click the upload icon. The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.
3. Click Browse..., select the configuration file (must be a .cfg file or .zip file) to be
uploaded, and click Upload. The name of the file to be uploaded cannot be the same as
the name of any existing file in the CF card.
After the upload succeeds, the Configuration File Management page is displayed. The
available configuration files are listed on the page. Check whether the size of the uploaded
file in the list and the size of the file on PC2 are the same. If not, upload the file again.
Step 3 Specify the configuration file to be used for the next startup. On the Configuration File
Management page, click the icon next to the uploaded file and then click OK to specify the file as the
configuration file for the next startup.
Step 4 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Choose System > License Management and use Local Manual Activation to upload a
license file and activate it.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 6 Upload the system software.
1. Choose System > System Upgrade. You can view system software information in
System Software.
2. Click Select for System Software. The System Software Management page is
displayed. Click the upload icon. The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.
3. Click Browse..., select the system software (must be a .bin file) to be uploaded, and click
Upload. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card.
NOTICE
The name of the file to be uploaded cannot exceed 48 characters.
After the upload succeeds, the System Software Management page is displayed. The
corresponding files are listed on the page. Check whether the size of the uploaded file in
the list and the size of the file on PC2 are the same. If not, upload the file again.
Step 7 Specify the system software to be used for the next startup.
On the System Software Management page, click the icon next to the uploaded file and then click OK
to specify the file as the system software for the next startup.
If the file fails to be uploaded, the incomplete uploaded file cannot be deleted immediately.
Therefore, delete the incomplete file after the device is restarted.
If the configuration file for the next startup is imported, restart the device without saving the running
configuration. Otherwise, the running configuration will overwrite the imported configuration.
If sensitive features are not involved, the upgrade to V500R001C50SPC100 is complete. Otherwise, go
to the next step.
- Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
- Ensure that the device can access the security center directly or through a proxy server.
- Configure a security policy to permit HTTP and FTP packets when the device directly connects to
the security center, or permit HTTP packets when the device connects to the security center through a
proxy server. For details, see the description of security policies and content security in the
NIP6000&NIP6800&IPS Module V500R001C50SPC100 Administrator Guide.
- Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly resolve http://sec.huawei.com.
- Upgrading V500R001 to V500R001C50SPC100:
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup
1. Move the pointer to the icon in the lower right of the page and click it to open
the CLI console. Click any blank area on the page. If the command prompt <sysname> is
displayed, you can perform configurations on the CLI.
2. After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is
INSTALL_OK, the component packet has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
NOTICE
If the configuration file for the next startup is imported, restart the device without
saving the running configuration. Otherwise, the running configuration will overwrite
the imported configuration.
For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file
is not imported, you are advised to save the current configurations before restarting
the device.
Step 10 Now, the upgrade to V500R001C50SPC100 is complete. The optional follow-up task is to
restore and test services.
----End
If the login page fails to be displayed, clear the browser buffer or use another browser.
In System Software, you can view the running system version and the version for the next
startup.
Figure 3-25 Displaying the running system version and the version for the next startup
Choose System > Configuration File Management. You can view the running configuration
file and the configuration file for the next startup.
Figure 3-26 Displaying the running configuration file and the configuration file for the next
startup
View system log information on the Dashboard page, as shown in figure 10.
On the web UI, choose Monitor > Diagnosis Center > Diagnosis Info. Click Collect to view
device diagnosis information, as shown in figure 11. You can also save the diagnosis
information to a text file.
You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 12.
You can also use Beyond Compare to compare the configuration files before and after the
upgrade.
Recover the configuration based on the check result or contact the technical support
personnel.
- Compare the entries (such as routes, session entries, and FIB entries) before and after the
upgrade to see if any entry is lost, and check whether the service traffic before and after
the upgrade is identical.
- Consult the network administrator to check whether services are running properly.
NOTE
You can use only one PC on which you run both the Telnet/SSH client and the FTP client. To facilitate
description, the network using two PCs is used as an example. The following steps apply to this two-PC
network.
The file name extension is .zip. You can obtain the file from sec.huawei.com. If the
device does not require any content security or the signature database can be upgraded in
online mode, the signature database file is not required.
Procedure
The following is an example in which the IPS Module functions as an FTP server. This
method is easy because it does not require a third-party FTP server. For details on other
modes, see Appendix C: Uploading and Downloading Files. You are advised to use SFTP
to transfer files, as it secures the data transfer.
As shown in Figure 1, the IPS Module is configured as the FTP server and version software is
located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the
version software to CF card 1 of the IPS Module through FTP.
Figure 3-36 Schematic diagram of the IPS Module serving as the FTP server
Perform the following steps to configure the IPS Module as the FTP server:
3. Set the file transfer mode. Set the directory for saving the backup files on PC2 to
D:\FTP\Backup. The folder must already exist. You can specify another directory as
required.
ftp> binary                 //Specify file transmission in binary mode.
ftp> lcd "d:\FTP\Backup"    //Set the directory that stores the backup files on PC2.
NOTE
The binary mode is required for file integrity, especially in the Linux or Unix system.
4. Run the get remote-filename [ local-filename ] command to download the file and save it
to the local directory D:\FTP\Backup.
For example, before the upgrade, download the existing version software (for example,
V500R001C00SPC300.bin), vrpcfg.zip, the sensitive feature component packages
($_install_mod/*.mod), license.dat, and the diagnosis file (for example, diagnostic-info.txt)
to PC2 for backup.
ftp> get vrpcfg.zip
ftp> get license.dat
ftp> get V500R001C00SPC300.bin
ftp> get diagnostic-info.txt
ftp> get av_h20010000_2013081700.zip     //Back up the antivirus signature database file of V500R001C00SPC300.bin to PC2.
ftp> get ips_h20010000_2013083100.zip    //Back up the intrusion prevention signature database file of V500R001C00SPC300.bin to PC2.
ftp> get sa_h50010000_2013111300.zip     //Back up the application identification signature database file of V500R001C00SPC300.bin to PC2.
ftp> cd $_install_mod
ftp> get CSG_H50010000.mod
After the download is complete, check whether the sizes of the files on PC2 are
consistent with those on the device. If not, re-download the files to ensure that they are
completely backed up to PC2.
It takes a long time to delete the *.bin file. Please wait and do not restart the device.
Files are deleted and cannot be restored after the delete command with the /unreserved
parameter is executed. If the /unreserved parameter is not specified, the files are stored in the
recycle bin. To optimize space for the CF card, run the reset recycle-bin hda1: command to
empty the recycle bin.
NOTE
Because the version software (*.bin file) is large, deleting unwanted version software can release large
space on the CF card.
You cannot delete the software that is running.
Context
Content security feature component packages are not released along with the software
package. You must access the security center website and load the packages in online mode,
or download and load them locally.
Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec (Internet Explorer 8.0 or
later, or Firefox).
Step 2 Expand the IPS Module Series tab and select the product model and version, such as
V500R001C50.
Step 3 Select and download the component package. The component packages are as follows:
CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.
NOTE
Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security
feature component packages.
----End
NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.
Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.
Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of the configuration must be consistent. If a verification
environment is unavailable on site, you are advised to contact technical support engineers
for support.
Context
Figure 3-37 Flowchart of the version software upgrade through the CLI
NOTE
FTP is used as an example. For SFTP file upload and download, see Device Serving as the SFTP
Server to Upload or Download Files Through SFTP.
Procedure
Step 1 Log in to the NGFW from PC2 using FTP. This document uses the Windows FTP client as an
example. In practice, you are advised to use a proven third-party FTP client (such as Cute
FTP) to transfer files.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>
Step 2 Set the file transfer mode. Set the directory for saving upgrade-related files on PC2 to D:\FTP.
The folder must already exist. You can specify another directory as required.
ftp> binary        //Specify file transmission in binary mode.
ftp> lcd D:\FTP    //Set the directory that stores the files required for the upgrade on PC2.
Step 3 Run the put command to upload the IPSModuleV500R001C50SPC100.bin file to the CF card
of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
ftp> put D:\FTP\IPSModuleV500R001C50SPC100.bin
Depending on the network conditions, the upload of the version software may take some time.
Please wait. After the upload is complete, check whether the size of the file in the CF card is
consistent with that on PC2. If not, re-upload the file to ensure that the file is completely
uploaded to the CF card.
NOTICE
Convert the configuration file of the original version to that of V500R001C50SPC100. For
details, see Configuration Conversion.
Step 4 Run the put command to upload the configuration file that has been converted (for example,
vrpcfg_new.cfg) to the CF card of the NGFW. The name of the file to be uploaded cannot be
the same as the name of any existing file in the CF card. If a file with the same name already
exists in the CF card, the file is replaced by the uploaded file.
ftp> put D:\FTP\vrpcfg_new.cfg
After the upload is complete, check whether the size of the file in the CF card is consistent
with that on PC2. If not, re-upload the file to ensure that the file is completely uploaded to the
CF card.
Step 5 When the file upload is complete, exit the FTP environment. Log in to the CLI of the NGFW
through Telnet or SSH from PC1.
Step 6 In the user view, run the startup system-software filename command to specify the version
software for the next startup of the NGFW.
<NGFW> startup system-software IPSModuleV500R001C50SPC100.bin
Info:System software for the next startup:hda1:/IPSModuleV500R001C50SPC100.bin,
start read file....
Succeeded in setting the software for booting system.
Step 7 In the user view, run the startup saved-configuration filename command to specify the
configuration file for the next startup of the NGFW as the uploaded file.
<NGFW> startup saved-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.
Step 8 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Run the put command to upload the new license file (for example, license_new.dat) to the CF
card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
Run the license file filename command in the system view to activate the license file.
[NGFW] license active license_new.dat
Info:License is successfully activated.
NOTICE
- If no content security feature is involved, skip this step.
- Ensure that an activated license file is available. If the license file is not activated, the
upgrade fails.
- You must obtain the component package from the security center (http://sec.huawei.com)
in advance and upload it to the $_install_mod folder in the root directory. Then, load the
component package as follows:
Upgrading the content security feature component package applies to the following
scenarios:
- Upgrading V500R001 to V500R001C50SPC100:
install-module CSG_H50010000_yyy.mod next-startup
After the configuration is complete, run the display module-information verbose command
to view details on the dynamically loaded component package. The following information is a
part of the command output. If the State value is INSTALL_OK, the component package has
been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
NOTICE
- If the configuration file for the next startup is imported, restart the device without saving
the running configuration. Otherwise, the running configuration will overwrite the
imported configuration.
- For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file is not
imported, you are advised to save the current configurations before restarting the device.
----End
Then run the display startup command in any view to check the current version software and
configuration file, and those for the next startup.
<sysname>display startup
MainBoard:
Configured startup system software: hda1:/V500R001C50SPC100.bin
Startup system software: hda1:/V500R001C50SPC100.bin
Next startup system software: hda1:/V500R001C50SPC100.bin
CPU utilization for ten seconds: 13.0% : one minute: 13.0% : five minutes:
13.0%
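The two command outputs that matter most after the upgrade are the display startup output just above and the display module-information verbose output shown earlier under the component package step. The following added example (not a device feature) parses both from constructed samples based on those excerpts: it confirms that the startup and next-startup software name the new .bin, and that every component State is INSTALL_OK.

```python
"""Post-upgrade checks over `display startup` and
`display module-information verbose` output (added example; the sample
outputs are constructed from the excerpts in this guide)."""
import re

STARTUP_OUTPUT = """\
MainBoard:
  Configured startup system software: hda1:/V500R001C50SPC100.bin
  Startup system software: hda1:/V500R001C50SPC100.bin
  Next startup system software: hda1:/V500R001C50SPC100.bin
"""

MODULE_OUTPUT = """\
Module Information
------------------------------------------------------------------------
Module       Version   InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup  1.0.0.0   2015-12-23 11:13:37+00:00  CSG_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot  Type  State        Detail
------------------------------------------------------------------------
-     NP    INSTALL_OK   -
************************************************************************
* URL Filter information , as follows:                                 *
************************************************************************
Slot  Type  State        Detail
------------------------------------------------------------------------
-     NP    INSTALL_OK   -
"""


def check_startup(text, expected_bin):
    """Map each '<label> system software:' line to its bare file name and
    report whether both the running and the next-startup software are
    expected_bin (a stale next-startup entry means the reboot would not
    bring up the new version)."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?) system software:\s*(\S+)", line)
        if m:
            found[m.group(1).strip()] = m.group(2).rsplit("/", 1)[-1]
    ok = all(found.get(k) == expected_bin for k in ("Startup", "Next startup"))
    return {"entries": found, "ok": ok}


def check_modules(text):
    """Collect (section, slot, type, state) rows from every
    'Slot Type State Detail' table and flag any state other than
    INSTALL_OK. Section names come from the '* ... information, as follows:'
    banner lines; rows before the first Slot header (the package list) are
    ignored."""
    rows, section, in_table = [], None, False
    for line in text.splitlines():
        banner = re.match(r"\*\s*(.+?) information\s*,?\s*as follows", line)
        if banner:
            section, in_table = banner.group(1).strip(), False
            continue
        if re.match(r"\s*Slot\s+Type\s+State\s+Detail", line):
            in_table = True
            continue
        if in_table and line.strip() and not line.startswith(("-----", "****")):
            parts = line.split()
            if len(parts) >= 3:
                rows.append((section, parts[0], parts[1], parts[2]))
    failed = [r for r in rows if r[3] != "INSTALL_OK"]
    return {"rows": rows, "failed": failed, "ok": bool(rows) and not failed}


if __name__ == "__main__":
    print(check_startup(STARTUP_OUTPUT, "V500R001C50SPC100.bin"))
    print(check_modules(MODULE_OUTPUT))
```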
In any view, run the display health command to check the CPU and memory usage.
<sysname> display health
System Memory Usage Information:
System memory usage at 2015-11-17 21:10:41
-------------------------------------------------------------------------------
0 13% 80%
-------------------------------------------------------------------------------
If the CPU and memory usage before and after the upgrade differ slightly, the device runs
properly.
In normal cases, the interface card status is Normal. If the Status field is displayed as
Abnormal, the interface card in the slot runs improperly.
If the interface cards in certain slots do not work properly, contact the technical support
personnel.
You can also use Beyond Compare to compare the configuration files before and after the
upgrade.
Recover the configuration based on the check result or contact the technical support
personnel.
Prerequisites
NOTICE
To roll back to the source version, for V500R001C50, run the set system-software check-mode all
command; for other versions, directly roll back the version.
Before rolling back the original version, make sure that the corresponding configuration file
(already backed up before the upgrade) is loaded to the CF card of the device and is specified
as the file for next startup by running the startup saved-configuration cfg-filename command.
Then restart the device, avoiding configuration loss due to CLI differences between versions.
Upload the sensitive feature component package *.mod corresponding to the source version
to the device.
Application Scenario
The version rollback needs to be implemented if:
- The device cannot start normally after the upgrade, and the current version needs to be rolled
back to the previous one.
In this case, you need to roll the version back to the backed-up source version in BootROM
mode. The detailed procedure is the same as that of upgrading the version software in
BootROM mode. For details, see Appendix A: Upgrading System Software Using
BootROM.
- The device can start normally after the upgrade, but a certain function cannot run normally,
and therefore the current version needs to be rolled back to the previous one.
In this case, you can adopt any of the following modes to roll back the version:
  - Roll back the version through command lines. The detailed procedure is the same as
  that of upgrading the version software in CLI mode. For details, see Upgrade
  Through CLI.
  - Roll back the version through the Web UI. The detailed procedure is the same as that of
  upgrading the version software in Web mode. For details, see Upgrade Through
  Web.
  - Roll back the version using BootROM. The operations are the same as those for
  upgrading the system software using BootROM. For operation details, see
  Appendix A: Upgrading System Software Using BootROM.
NOTICE
Because the database differs between versions, the following operation clears all logs.
ii. In the system view, run the delete log sdb command to delete the IDNAME log file.
NOTICE
- If the folder does not exist, the one-click version rollback fails.
- Version rollback does not involve license rollback. If the license files differ between the
  source and target versions, use the corresponding backup license, or re-apply for a license
  and manually load the license file according to the product documentation.
Upgrade operations:
1. Check whether the backup file (backcfg.zip) is available. The backup file should be in
the hda1:/backupyyyyMMddHHmmss/ folder. If the backup file is unavailable, the
follow-up procedure cannot be performed.
<FW>dir backup/ --Check whether the backup file is in the backup folder.
Directory of hda1:/backup/
NOTICE
- If multiple hda1:/backup/yyyyMMddHHmmss folders exist, use the latest one for the
  version rollback.
Precautions
During the version rollback, note the following:
1. The precautions and the result check method for the version rollback are the same as
those for the version upgrade. For details, see the descriptions of the corresponding
upgrade modes.
2. During the version rollback, services are interrupted temporarily. The interruption
duration depends on the rollback mode and the service configuration.
Before the version rollback, contact technical support personnel to determine whether the
target version needs to be patched. If yes, install the patch immediately after the version
rollback is complete. For how to install the patch, see the usage guide of the corresponding
patch version.
3.4.1 Overview
Dual-system hot backup is an important feature of the device. In dual-system hot backup, two
devices are deployed; if one device is faulty, the other takes over its work immediately. In this
way, a single point of failure is avoided, and network stability and reliability are improved.
For details, see the corresponding product documentation.
To upgrade the version software in dual-system hot backup networking, follow a specific
procedure and principle. The main principle of the upgrade is to upgrade the backup device
first and then the master device, each independently. Note that the HRP backup channel (the
heartbeat line) must be disconnected during the upgrade.
NOTICE
When upgrading the version software in dual-system hot backup networking, the target
version software of the master device must be the same as that of the backup device.
Context
Figure 1 shows the detailed upgrade procedure, which is adopted for the master/backup mode
and the load balancing mode.
Figure 3-38 Flowchart of the version software upgrade in dual-system hot backup
environments
Use the active/standby mode as an example. Before the upgrade, FW_A serves as the active
device and FW_B as the standby one.
Procedure
Step 1 Disconnect FW_B (the prompt is HRP_S<FW_B>) from its upstream and downstream
devices, and disconnect the HRP backup channel (the heartbeat line) between FW_B and
FW_A. Alternatively, only the HRP backup channel of FW_B can be shut down.
Log in to FW_B through Telnet or SSH. Run the shutdown command on the interfaces
connecting FW_B to the upstream and downstream devices, and on the interface of the HRP
backup channel between FW_B and FW_A. Suppose that on FW_B, the interfaces connected
to the upstream and downstream devices are GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1,
and the interface of the HRP backup channel connected to FW_A is GigabitEthernet 1/0/2.
Do as follows:
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
HRP_S[FW_B-GigabitEthernet1/0/2] shutdown
Then wait one to two minutes to ensure that the session information on FW_B is completely
backed up to FW_A. You can run the display firewall session table command to check
whether the numbers of sessions on both devices are consistent. If yes, perform the further
operations.
After the previous operations are performed, FW_B becomes active and FW_A becomes
standby. If the preemption function is enabled, FW_A becomes active again after a while and
starts to forward service traffic.
Step 6 Observe the service running status. Check the session tables on FW_A and FW_B to
verify the upgrade. If the services are running properly, run the save command to save the
configurations on FW_A and FW_B. Perform the following operations:
HRP_M<FW_A> save
HRP_S<FW_B> save
In addition, after the upgrade and service tests succeed, simulate link or device faults (run the
shutdown command on the relevant interfaces) so that the devices perform an active/standby
switchover. Then check whether the dual-system hot backup function is normal after the
upgrade.
Roll back the version to that before the upgrade if necessary. For details on version rollback,
see Version Rollback. The version rollback process in dual-system hot backup networking is
similar to that in single-device networking. During version rollback in dual-system hot
backup networking, change the target version to the source version.
----End
3.5.1 Background
When the device fails to load the system software and you cannot log in to the device using
the Web UI or CLI, upgrade the system software using BootROM.
At present, the device supports transferring the system software to the CF card using FTP or
TFTP from the BootROM menu. The device, serving as the client, downloads the system
software from the FTP/TFTP server, as shown in Figure 1. You must install third-party
FTP/TFTP server software on PC2.
NOTE
You can also use a single PC to run both the HyperTerminal program and the FTP software.
For ease of description, two PCs are used in the example.
The following section provides an example of how the device downloads the system software
from the FTP server.
Context
Figure 1 shows the process for upgrading the system software using BootROM.
Figure 3-40 Flowchart for upgrading the system software using BootROM
The serial port of PC1 is connected to the console port of the device with a standard RS-232
configuration cable. Run the terminal emulation program (use the HyperTerminal in the
Windows XP as an example) on PC1 to ensure that PC1 communicates with the console port
of the device.
Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server according to the
documentation delivered with the program. It is assumed that you have obtained the FTP
server program in a legitimate way, that an FTP user with the user name 123 and password
123 has already been created, and that the root directory of this user is set to the directory of
the files to be uploaded or downloaded.
Step 2 Power on or reboot the device.
Step 3 After the device is powered on, you can run the terminal emulation program on PC1 to check
the device startup process. When the following information is displayed, press Ctrl+B within
three seconds.
Password:
********
Step 4 In the BootROM main menu, enter 3 to access the file management menu.
==================< File Management Menu >==================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-5):
In the file management menu, enter 1 to check the available space in the CF card. If the
available space of the CF card is insufficient, enter 3 to delete unnecessary files.
Ensure that the CF card has sufficient available space. Enter 0 to return to the BootROM main
menu.
Step 5 In the BootROM main menu, enter 4 to access the load and upgrade menu.
=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6):
In the load and upgrade menu, enter 2 to access the application software upgrade menu. The
current parameter settings are displayed.
Net Paramter:
Protocol type : 1
Unit number : 0
In the application software upgrade menu, enter 2 to modify the load parameters.
Protocol type:
<1> FTP <2> TFTP
NOTE: TFTP protocol limits the file length to 32M bytes.
Protocol type : 1
Unit number : 0
................................................................................
................................................................................
................................................................................
................................................................................
..................................................................Done.
FTP user name: Indicates the user name, which must be the same as that specified on the
FTP server.
After the download is complete, the device automatically specifies the downloaded system
software as that to be used at the next startup. Enter 0 to return to the load and upgrade menu.
Then, enter 0 to return to the BootROM main menu.
Step 6 In the load and upgrade menu, enter 3 to download the converted configuration file.
Net paramter:
Protocol type : 1
Unit number : 0
Load file name : vrpcfg_new.cfg
Download file to : hda1:
<1> Download file.
<2> Modify parameters.
<0> Quit
After the downloading is complete, enter 0 to return to the load and upgrade menu. Then,
enter 0 to return to the BootROM main menu.
Step 7 In the BootROM main menu, enter 2 to specify the system software and configuration file.
====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
|---------------------------------------------------------|
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================
<1> Modify setting
<0> Quit
After the setting is complete, enter 0 to return to the BootROM main menu.
----End
Prerequisites
The prerequisites for console port login are as follows:
Context
IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the IPS Module by
default. You can use this IP address, the default user name admin, and the default password
Admin@123 to log in to the CLI of the IPS Module through Telnet. If the Telnet
configuration has been cancelled, or you want to use SSH for the login, log in to the IPS
Module from the console port to set up the Telnet or SSH environment.
Figure 1 shows the connection for configuring the upgrade environment using the console
port. The serial port of the PC is connected to the console port of the device with a standard
serial cable.
The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the device. Using the cables of other
vendors might cause unexpected faults. If a mini USB console port is used, purchase the mini
USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used
together. If both ports are connected, only the mini USB console port is available.
Figure 3-41 Establishing the upgrade environment through the console port
Procedure
Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the
terminal emulation program (for example, Windows XP HyperTerminal) on the PC. The
Connection Description dialog box is displayed, as shown in Figure 2.
Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1)
of the PC for connecting to the IPS Module from the Connect using drop-down list box, as
shown in Figure 3.
Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be the same
as those of the console port on the IPS Module.
By default, the user name and password are admin and Admin@123 respectively for logging
in to the IPS Module through the console port. If you forget the user name and password
configured on the console port, see Password of the Console Port Is Forgotten.
Step 5 Configure upgrade environment.
- Configure Telnet for login.
Enable the Telnet service on GE 0/0/0 of the device. Configure AAA authentication and
Telnet for the virtual type terminal (VTY) user interface. Create a local Telnet user with the
user name user1 and the password Password1. Enable the Telnet service on the device.
V500R001:
<IPS Module> system-view
[IPS Module] telnet server enable
[IPS Module] interface GigabitEthernet 0/0/0
[IPS Module-GigabitEthernet0/0/0] ip address 192.168.1.1 255.255.255.0
[IPS Module-GigabitEthernet0/0/0] service-manage telnet permit
[IPS Module-GigabitEthernet0/0/0] service-manage enable
[IPS Module-GigabitEthernet0/0/0] quit
[IPS Module] user-interface vty 0 4
[IPS Module-ui-vty0-4] authentication-mode aaa
[IPS Module-ui-vty0-4] user privilege level 3
[IPS Module-ui-vty0-4] quit
[IPS Module] aaa
[IPS Module-aaa] authorization-scheme default
[IPS Module-aaa-auth-default] quit
[IPS Module-aaa] manager-user user1
[IPS Module-aaa-manager-user-user1] password cipher Password1
[IPS Module-aaa-manager-user-user1] level 15
[IPS Module-aaa-manager-user-user1] service-type telnet
[IPS Module-aaa-manager-user-user1] quit
[IPS Module-aaa] bind manager-user user1 role system-admin
[IPS Module-aaa] quit
[IPS Module] firewall zone trust
[IPS Module-zone-trust] add interface GigabitEthernet 0/0/0
[IPS Module-zone-trust] quit
----End
Prerequisites
Before you log in to the IPS Module using the console port, complete the following tasks:
Context
When the system software needs to be upgraded remotely, but the Web environment is not
configured, you can log in to the IPS Module through the console port and then configure the
Web environment. Then you can log in to the IPS Module remotely using Web to upgrade the
system software.
This section describes how to establish the HTTP-based upgrade environment through the
console port.
Figure 1 shows the connection for configuring the upgrade environment using the console
port. The serial port of the PC is connected to the console port of the IPS Module with a
standard serial cable.
The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the IPS Module. Using the cables of
other vendors might cause unexpected faults. If a mini USB console port is used, purchase the
mini USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used
together. If both ports are connected, only the mini USB console port is available.
Procedure
Step 1 Run the terminal emulation program, such as the HyperTerminal of Windows XP, on the PC.
Choose Start > Programs > Accessories > Communications > HyperTerminal.
The Connection Description dialog box is displayed, as shown in Figure 2.
Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of
the PC for connecting to the IPS Module from the Connect using drop-down list box, as
shown in Figure 3.
Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be
consistent with those of the console port on the NGFW.
NOTE
If an administrator uses HTTP to access the Web UI, the device automatically redirects the
connection to the more secure HTTPS service. If the browser displays a notification about an
insecure certificate, you can continue browsing.
----End
Procedure
Step 1 Restart the NIP6300/6600 and access the BootROM main menu.
Step 4 After device startup, use the default user name admin and password Admin@123 for login
and use FTP to save the renamed configuration file to the PC.
Step 5 Reconfigure a user and copy the user information generated by the device to the renamed
configuration file.
manager-user newuser
password cipher %@%@@)wB&=/Q1Fvhl1W=,4C)Vpg^C.0{VCnlxU^3svMxY@^A)vmh%@%@
service-type web terminal telnet
level 15
Step 6 Upload the modified configuration file to the device and specify the file as that to be used at
the next startup. After the device restarts, you can use the configured user information to log in.
----End
Context
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the IPS
Module and upload or download files through FTP. This method requires third-party FTP
server software to be installed on PC2.
NOTE
You can also use a PC as both the Telnet/SSH client and the FTP server. The following
example uses the two-PC deployment.
Figure 3-49 Schematic diagram of uploading/downloading files through FTP with the
IPS Module serving as the FTP client
Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server according to the
documentation available with the program. It is assumed that you have obtained the FTP
server program in a legitimate way; a description of the program is beyond the scope of this
document. Assume that an FTP user with the user name 123 and password 123 already exists
and that the root directory of the user is set to the storage path of the files to be
uploaded/downloaded.
Step 3 Log in to the FTP server from the IPS Module. Run the ftp ip-address command in the
user view to establish an FTP connection to the PC and enter the FTP client view. The
following operation assumes that the IP address of the FTP server is 192.168.0.2.
<IPS Module> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
Step 4 Upload files from the storage media of the IPS Module to the FTP server. Run the put
local-filename [ remote-filename ] command in the FTP client view to upload files to the FTP
server.
[ftp] binary //Run the binary command to specify file transmission in binary mode.
[ftp] put test.bin
After the upload is complete, check whether the sizes of the files on the FTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the FTP server.
Step 5 Download files from the FTP server to the storage media of the IPS Module. Run the get
remote-filename [ local-filename ] command in the FTP client view to download files from the
FTP server.
[ftp] binary //Run the binary command to specify file transmission in binary mode.
[ftp] get temp.bin
After the download is complete, check whether the sizes of the files in the CF card are the
same as those on the FTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.
----End
Context
As shown in Figure 1, the IPS Module serves as the SFTP server. Log in to the SFTP server
from PC2 and upload/download files through SFTP. This method requires a third-party SFTP
client program (such as WinSCP) to be installed on PC2.
NOTE
You can also use a single PC as the Telnet/SSH client and for the SFTP transfer. The following
example uses the two-PC deployment.
Figure 3-50 Schematic diagram of uploading/downloading files through SFTP with the
IPS Module serving as the SFTP server
The roadmap for configuring an SFTP client (PC2) to communicate with an SSH server (IPS
Module) is as follows (RSA authentication is used):
Procedure
Step 1 Enable the SSH service on interface GigabitEthernet 0/0/0.
<NGFW> system-view
[NGFW] interface GigabitEthernet 0/0/0
[NGFW-GigabitEthernet0/0/0] service-manage ssh permit
[NGFW-GigabitEthernet0/0/0] service-manage enable
[NGFW-GigabitEthernet0/0/0] quit
Create SSH user client and set the authentication type to rsa, service type to SFTP, and
service directory to hda1:
Step 4 Generate a local key pair on PC2. The local key pair consists of host key and server key.
Step 5 Copy the host key of PC2 to the IPS Module as the peer public key named RsaKey001.
[IPS Module] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[IPS Module-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[IPS Module-rsa-key-code] 3047
[IPS Module-rsa-key-code] 0240
[IPS Module-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[IPS Module-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[IPS Module-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[IPS Module-rsa-key-code] 1D7E3E1B
[IPS Module-rsa-key-code] 0203
[IPS Module-rsa-key-code] 010001
[IPS Module-rsa-key-code] public-key-code end
[IPS Module-rsa-public-key] peer-public-key end
----End
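The public-key-code entered in Step 5 is the peer's RSA public key encoded as an ASN.1 SEQUENCE holding two INTEGERs (the modulus, then the exponent) and typed in as hex words. The following Python script, added here as an example and not part of this guide or the product software, decodes the key shown above and encodes a modulus and exponent back into the same word layout, so that the key pasted into the device can be checked against the key generated on PC2. It assumes only the layout visible in the example: the sample modulus is written without the leading 0x00 pad byte that strict DER would use, and the encoder reproduces that layout.

```python
"""Decode and build the hex words accepted in the 'public-key-code' view
(rsa peer-public-key ... / public-key-code begin ... end).

Added example, not Huawei's code.  It assumes only the layout visible in
the guide: an ASN.1 SEQUENCE (0x30) holding two INTEGERs (0x02), modulus
then exponent, with lengths in the short or long definite form."""
import re

# Key words exactly as entered in the guide's public-key-code example.
PAGE_KEY_WORDS = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""


def normalize_words(words):
    """Drop whitespace and upper-case the hex so different layouts compare equal."""
    return re.sub(r"\s+", "", words).upper()


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element length runs past the end of the key")
    return tag, buf[pos:pos + length], pos + length


def parse_public_key_code(words):
    """Return (modulus, exponent) from the hex words; raise ValueError if malformed."""
    raw = bytes.fromhex(normalize_words(words))
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("outer element is not a SEQUENCE spanning the whole key")
    t_n, n_bytes, pos = _read_tlv(body, 0)
    t_e, e_bytes, pos = _read_tlv(body, pos)
    if t_n != 0x02 or t_e != 0x02 or pos != len(body):
        raise ValueError("SEQUENCE must hold exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def is_valid_public_key_code(words):
    """True if the words decode cleanly (used to reject a mistyped paste)."""
    try:
        parse_public_key_code(words)
        return True
    except ValueError:
        return False


def modulus_bits(words):
    """Modulus size in bits, for comparison with a key-length policy."""
    n, _ = parse_public_key_code(words)
    return n.bit_length()


def _tlv(tag, value):
    """Encode one TLV element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def build_public_key_code(n, e, per_line=5):
    """Encode (modulus, exponent) into hex words, 8 hex digits per word and
    per_line words per line.  The modulus is written without a leading 0x00
    pad byte, matching the guide's sample rather than strict DER."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hexstr = _tlv(0x30, _tlv(0x02, n_bytes) + _tlv(0x02, e_bytes)).hex().upper()
    words = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return "\n".join(" ".join(words[i:i + per_line])
                     for i in range(0, len(words), per_line))


if __name__ == "__main__":
    n, e = parse_public_key_code(PAGE_KEY_WORDS)
    print("exponent:", e, "modulus bits:", n.bit_length())
    print(build_public_key_code(n, e))
```

Run on the key above, the script reports exponent 65537 and a 512-bit modulus. Compare the reported modulus size with your key-length policy before trusting a pasted key, and compare the rebuilt words with what was actually pasted to catch a transcription error.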
Example
After the SFTP client connects to the SSH server, run the display ssh server status and
display ssh server session commands on the SSH server to check whether the SFTP service
is enabled and whether the SFTP client is connected to the SSH server.
l Check SSH server status.
[IPS Module] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Disable
Conn : VTY 4
Version : 2.0
State : started
Username : client
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
Context
As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the IPS
Module and upload or download files through TFTP. This method requires third-party TFTP
server software to be installed on PC2.
NOTE
You can also use a PC as both the Telnet/SSH client and the TFTP server. The following
example uses the two-PC deployment.
Figure 3-51 Schematic diagram of uploading/downloading files through TFTP with the
IPS Module serving as the TFTP client
Procedure
Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure the
TFTP server according to the documentation available with the program. It is assumed that
you have obtained the TFTP server program in a legitimate way; a description of the program
is beyond the scope of this document. The following operation assumes that the root directory
of the TFTP server is set to the storage path of the files to be uploaded/downloaded.
Step 3 Upload files in storage media of the IPS Module to the TFTP server.
NOTICE
Due to the limitation of third-party TFTP server software, TFTP upload of files larger than 16
MB may fail. Therefore, you are advised to use FTP to upload the files larger than 16 MB.
Run the tftp ip-address put source-filename [ destination-filename ] command in the user
view to upload files to the TFTP server. The following operation assumes that the IP address
of the TFTP server is 192.168.0.2.
<IPS Module> tftp 192.168.0.2 put test.bin
After the upload is complete, check whether the sizes of the files on the TFTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the TFTP server.
Step 4 Download files from the TFTP server to the CF card of the IPS Module. Run the tftp
ip-address get source-filename [ destination-filename ] command in the user view to
download files from the TFTP server.
<IPS Module> tftp 192.168.0.2 get temp.bin
After the download is complete, check whether the sizes of the files in the CF card are the
same as those on the TFTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.
----End
Context
The license file to be loaded on the device is a .dat file. This file is not delivered with the
device and is independently generated by the license center of Huawei.
Procedure
Step 1 Obtain a license authorization code (Entitlement ID).
Find the license authorization certificate in the delivery accessories and obtain the Entitlement
ID, as shown in Figure 1.
NOTE
The license authorization certificate is delivered to the customer together with the product, on
A4 paper or on CD-ROM.
Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure
in the system help or the displayed information.
NOTICE
To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to
the ESN.
If you cannot obtain the license file, contact the local technical support personnel.
Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.
The license center automatically combines the licenses for new features with the existing
license, and generates a new license.
----End
[Flowchart fragment: Check of upgrade operations; Upgrade successful or not]
CF Compact Flash
IP Internet Protocol
IPSec IP Security