HUAWEI NIP6000&NIP6800&IPS Module

V500R001C50SPC100

Upgrade Guide

Issue 01
Date 2017-03-29

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2017-03-29) Huawei Proprietary and Confidential i


About This Document

Content Conventions
The purchased products, services and features are stipulated by the contract made between
Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and
features described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and recommendations
in this document are provided "AS IS" without warranties, guarantees or representations of
any kind, either express or implied.

Encryption Algorithm Declaration


Currently, the device uses the following encryption algorithms: DES, 3DES, AES, RSA,
SHA1, SHA2, and MD5. The encryption algorithm depends on the applicable scenario. Use
the recommended encryption algorithm; otherwise, security defense requirements may not
be met.
- The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital
  signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have
  low security, which may bring security risks. If the protocol allows, using more secure
  encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is
  recommended.
- For the symmetrical encryption algorithm, use AES with a key of 128 bits or more.
- For the asymmetrical encryption algorithm, use RSA with a key of 2048 bits or more.
- For the hash algorithm, use SHA2 with a key of 256 bits or more.
- For the HMAC algorithm, use HMAC-SHA2.
- SHA2 is an irreversible encryption algorithm. An irreversible encryption algorithm must
  be used for the administrator password.

Personal Data Declaration


Some personal data may be obtained or used during operation or fault location of your
purchased products, services, and features. Huawei Technologies Co., Ltd. alone is unable to
collect or save the content of users' communications. It is suggested that you activate the user
data-related functions based on the applicable laws and regulations in terms of purpose and
scope of usage. You are obligated to take considerable measures to ensure that the content of
users' communications is fully protected when the content is being used and saved.

Feature Usage Declaration


The IPSec VPN and SSL VPN functions are not provided in versions shipped to Russia in
accordance with Russian laws.
- Features such as antivirus, IPS, and URL filtering may involve the collection of
  users' communication contents such as the browsed websites and transmitted files. You
  are advised to clear unnecessary sensitive information in a timely manner.
- Antivirus and IPS support attack evidence collection to analyze data packets for viruses
  or intrusions. However, the attack evidence collection process may involve the collection
  of users' communication content. The device provides dedicated audit administrators to
  obtain collected attack evidence. Other administrators do not have such permissions.
  Keep the audit administrator account safe and clear the attack evidence collection
  history in time.
- The data feedback function (user experience plan) may involve transferring or processing
  users' communication contents or personal data. Huawei Technologies Co., Ltd. alone is
  unable to transfer or process the content of users' communications and personal data. It is
  suggested that you activate the user data-related functions based on the applicable laws
  and regulations in terms of purpose and scope of usage.
- The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS. Using
  FTP, TFTP, or SFTPv1 has potential security risks. SFTPv2 or FTPS is recommended.
- Telnet and STelnetv1&v2 can be used to log in to the device. Using Telnet or STelnetv1
  has potential security risks. STelnetv2 is recommended.
- SNMPv1&v2c&v3 can be used to manage network elements. Using SNMPv1&v2c has
  potential security risks. SNMPv3 is recommended.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.

Issue 01 (2017-03-29)
Initial commercial release.

Contents

About This Document

1 NIP6300/6600
1.1 Application Scenarios
1.2 Upgrade Impact
1.2.1 Impact of the Upgrade from V500R001C50
1.2.1.1 Impact of Feature Changes
1.2.1.2 Impact of Command Changes
1.2.1.3 License Impact
1.2.1.4 Impact of Sensitive Features
1.2.2 Impact of the Upgrade from V500R001C30SPC300
1.2.2.1 Impact of Feature Changes
1.2.2.2 Impact of Command Changes
1.2.2.3 License Impact
1.2.2.4 Impact of Sensitive Features
1.2.3 Impact of the Upgrade from V500R001C30SPC200
1.2.3.1 Impact of Feature Changes
1.2.3.2 Impact of Command Changes
1.2.3.3 License Impact
1.2.3.4 Impact of Sensitive Features
1.2.4 Impact of the Upgrade from V500R001C30SPC100
1.2.4.1 Impact of Feature Changes
1.2.4.2 Impact of Command Changes
1.2.4.3 License Impact
1.2.4.4 Impact of Sensitive Features
1.2.5 Impact of the Upgrade from V500R001C20SPC300
1.2.5.1 Impact of Feature Changes
1.2.5.2 Impact of Command Changes
1.2.5.3 License Impact
1.2.5.4 Impact of Sensitive Features
1.2.6 Impact of the Upgrade from V500R001C20SPC200
1.2.6.1 Impact of Feature Changes
1.2.6.2 Impact of Command Changes
1.2.6.3 License Impact
1.2.6.4 Impact of Sensitive Features
1.2.7 Impact of the Upgrade from V500R001C20SPC100
1.2.7.1 Impact of Feature Changes
1.2.7.2 Impact of Command Changes
1.2.7.3 License Impact
1.2.7.4 Impact of Sensitive Features
1.2.8 Impact of the Upgrade from V500R001C00SPC500
1.2.8.1 Impact of Feature Changes
1.2.8.2 Impact of Command Changes
1.2.8.3 License Impact
1.2.8.4 Impact of Sensitive Features
1.2.9 Impact of the Upgrade from V500R001C00SPC300
1.2.9.1 Impact of Feature Changes
1.2.9.2 Impact of Command Changes
1.2.9.3 License Impact
1.2.9.4 Impact of Sensitive Features
1.2.10 Other Upgrade Impacts
1.3 Upgrading Version Software in Single-System
1.3.1 Upgrade Schemes
1.3.2 Precautions
1.3.3 Upgrade Flow
1.3.4 Upgrade Through Web
1.3.4.1 Preparing for the upgrade
1.3.4.1.1 Preparing the Upgrade Environment
1.3.4.1.2 Obtaining Upgrade Files
1.3.4.1.3 Downloading Content Feature Component Packages
1.3.4.1.4 Querying the Current System Software
1.3.4.1.5 Checking the Use of Licenses
1.3.4.1.6 Checking the Device Operating Status
1.3.4.1.7 Collecting Device Diagnosis Information
1.3.4.1.8 Checking the Service Operating Status
1.3.4.1.9 Saving and Backing Up Important Data
1.3.4.1.10 Configuration Conversion
1.3.4.1.11 Checking the Remaining Space of the CF Card
1.3.4.2 Upgrade Flow
1.3.4.3 Upgrade Result Verification
1.3.5 Upgrade Through CLI
1.3.5.1 Preparations for the Upgrade
1.3.5.1.1 Obtaining Upgrade Files
1.3.5.1.2 Downloading Sensitive Feature Component Packages
1.3.5.1.3 Configuration Conversion
1.3.5.2 Upgrade Flow
1.3.5.3 Upgrade Result Verification
1.3.6 Version Rollback
1.4 Upgrading Version Software in Dual-System Hot Backup
1.4.1 Overview
1.4.2 Upgrade Procedure
1.5 Appendix A: Upgrading System Software Using BootROM
1.5.1 Background
1.5.2 Upgrade Process Overview
1.5.3 Performing the Upgrade
1.6 Appendix B: Establishing the Upgrade Environment Through the Console Port
1.6.1 Setting Up an Environment for Upgrading System Software Using Telnet/SSH
1.6.2 Setting Up an Environment for Upgrading System Software Using Web
1.6.3 Upgrade Troubleshooting
1.6.3.1 Password of the Console Port Is Forgotten
1.7 Appendix C: Uploading and Downloading Files
1.7.1 Device Serving as the FTP Client to Upload or Download Files Through FTP
1.7.2 Device Serving as the SFTP Server to Upload or Download Files Through SFTP
1.7.3 Device Serving as the TFTP Client to Upload or Download Files Through TFTP
1.8 Appendix D: Applying for a License
1.9 Appendix E: Upgrade Record Table
1.10 Appendix F: Abbreviations

2 NIP6800
2.1 Upgrade Preparation and Evaluation
2.1.1 Supported Source Versions
2.1.2 Hardware Support
2.1.3 Upgrade Impact
2.1.3.1 Impact of the Upgrade from V500R001C50
2.1.3.1.1 Impact of Feature Changes
2.1.3.1.2 Impact of Command Changes
2.1.3.1.3 Impact of Licenses
2.1.3.1.4 Impact of Sensitive Features
2.1.3.2 Upgrade Impact from V500R001C30SPC300
2.1.3.2.1 Impact of Feature Changes
2.1.3.2.2 Impact of Command Changes
2.1.3.2.3 Impact of Licenses
2.1.3.2.4 Impact of Sensitive Features
2.1.3.3 Other Upgrade Impacts
2.1.4 System Software
2.2 Upgrading Version Software in Single-System
2.2.1 Impact of the Upgrade
2.2.1.1 Impact on the Current System During the Upgrade
2.2.2 Precautions
2.2.3 Upgrade Flow
2.2.4 Preparations for the Upgrade
2.2.4.1 Obtaining the Version Software Required By the Upgrade
2.2.4.2 Downloading Content Security Feature Component Packages
2.2.4.3 Preparing the Upgrade Environment
2.2.4.4 Checking the Information About the Current Version Software
2.2.4.5 Checking the License In Use
2.2.4.6 Checking the Running Status of the Device
2.2.4.7 Backing Up the Important Data in CF Card
2.2.4.8 Configuration Conversion
2.2.4.9 Checking the Remaining Space of the CF Card
2.2.5 Upgrade Procedure
2.2.5.1 Upgrade Modes
2.2.5.2 Upgrade Through CLI
2.2.5.3 Upgrade Through Web
2.2.5.4 Upgrade Through CF Card
2.2.5.5 Upgrade Through BootROM
2.2.6 Upgrade Result Verification
2.2.6.1 Checking the Information About the Current Version Software
2.2.6.2 Checking Whether Boards Have Been Successfully Registered
2.2.6.3 Checking License Status
2.2.6.4 Checking the Running Status of the Device
2.2.6.5 Checking Whether Configurations Are Recovered
2.2.6.6 Checking Whether Services Are Normal
2.2.6.7 Running Inspection Tool
2.2.7 Version Rollback
2.3 Upgrading Version Software in Dual-System Hot Backup
2.3.1 Overview
2.3.2 Upgrade Procedure
2.4 Appendix: Establishing the Upgrade Environment Through the Console Port
2.5 Appendix: Uploading and Downloading Files
2.5.1 Device Serving as the FTP Client to Upload or Download Files Through FTP
2.5.2 Device Serving as the TFTP Client to Upload or Download Files Through TFTP
2.5.3 Device Serving as the SFTP Server to Upload or Download Files Through SFTP
2.6 Appendix: Activating the ESN
2.7 Appendix: Applying for a License
2.8 Appendix: Upgrade Record Table
2.9 Appendix: Abbreviations

3 IPS Module
3.1 Application Scenarios
3.2 Upgrade Impact
3.2.1 Impact of the Upgrade from V500R001C50

3.2.1.1 Impact of Feature Changes
3.2.1.2 Impact of Command Changes
3.2.1.3 License Impact
3.2.1.4 Impact of Sensitive Features
3.2.2 Impact of the Upgrade from V500R001C30SPC300
3.2.2.1 Impact of Feature Changes
3.2.2.2 Impact of Command Changes
3.2.2.3 License Impact
3.2.2.4 Impact of Sensitive Features
3.2.3 Impact of the Upgrade from V500R001C30SPC200
3.2.3.1 Impact of Feature Changes
3.2.3.2 Impact of Command Changes
3.2.3.3 License Impact
3.2.3.4 Impact of Sensitive Features
3.2.4 Impact of the Upgrade from V500R001C30SPC100
3.2.4.1 Impact of Feature Changes
3.2.4.2 Impact of Command Changes
3.2.4.3 License Impact
3.2.4.4 Impact of Sensitive Features
3.2.5 Impact of the Upgrade from V500R001C20SPC300
3.2.5.1 Impact of Feature Changes
3.2.5.2 Impact of Command Changes
3.2.5.3 License Impact
3.2.5.4 Impact of Sensitive Features
3.2.6 Impact of the Upgrade from V500R001C20SPC200
3.2.6.1 Impact of Feature Changes
3.2.6.2 Impact of Command Changes
3.2.6.3 License Impact
3.2.6.4 Impact of Sensitive Features
3.2.7 Impact of the Upgrade from V500R001C20SPC100
3.2.7.1 Impact of Feature Changes
3.2.7.2 Impact of Command Changes
3.2.7.3 License Impact
3.2.7.4 Impact of Sensitive Features
3.2.8 Upgrade Impact from V500R001C00SPC500
3.2.8.1 Impact of Feature Changes
3.2.8.2 Impact of Command Changes
3.2.8.3 License Impact
3.2.8.4 Impact of Sensitive Features
3.2.9 Upgrade Impact from V500R001C00SPC300
3.2.9.1 Impact of Feature Changes
3.2.9.2 Impact of Command Changes


3.2.9.3 License Impact
3.2.9.4 Impact of Sensitive Features
3.2.10 Other Upgrade Impacts
3.3 Upgrading Version Software in Single-System
3.3.1 Upgrade Schemes
3.3.2 Precautions
3.3.3 Upgrade Flow
3.3.4 Upgrade Through Web
3.3.4.1 Preparing for the upgrade
3.3.4.1.1 Preparing the Upgrade Environment
3.3.4.1.2 Obtaining Upgrade Files
3.3.4.1.3 Downloading Content Security Component Packages
3.3.4.1.4 Querying the Current System Software
3.3.4.1.5 Checking the Use of Licenses
3.3.4.1.6 Checking the Device Operating Status
3.3.4.1.7 Collecting Device Diagnosis Information
3.3.4.1.8 Checking the Service Operating Status
3.3.4.1.9 Saving and Backing Up Important Data
3.3.4.1.10 Configuration Conversion
3.3.4.1.11 Checking the Remaining Space of the CF Card
3.3.4.2 Upgrade Flow
3.3.4.3 Upgrade Result Verification
3.3.5 Upgrade Through CLI
3.3.5.1 Preparations for the Upgrade
3.3.5.1.1 Obtaining Upgrade Files
3.3.5.1.2 Downloading Sensitive Feature Component Packages
3.3.5.1.3 Configuration Conversion
3.3.5.2 Upgrade Flow
3.3.5.3 Upgrade Result Verification
3.3.6 Version Rollback
3.4 Upgrading Version Software in Dual-System Hot Backup
3.4.1 Overview
3.4.2 Upgrade Procedure
3.5 Appendix A: Upgrading System Software Using BootROM
3.5.1 Background
3.5.2 Upgrade Process Overview
3.5.3 Performing the Upgrade
3.6 Appendix B: Establishing the Upgrade Environment Through the Console Port
3.6.1 Setting Up an Environment for Upgrading System Software Using Telnet/SSH
3.6.2 Setting Up an Environment for Upgrading System Software Using Web
3.6.3 Upgrade Troubleshooting
3.6.3.1 Password of the Console Port Is Forgotten


3.7 Appendix C: Uploading and Downloading Files
3.7.1 Device Serving as the FTP Client to Upload or Download Files Through FTP
3.7.2 Device Serving as the SFTP Server to Upload or Download Files Through SFTP
3.7.3 Device Serving as the TFTP Client to Upload or Download Files Through TFTP
3.8 Appendix D: Applying for a License
3.9 Appendix E: Upgrade Record Table
3.10 Appendix F: Abbreviations


1 NIP6300/6600

About This Chapter

1.1 Application Scenarios
1.2 Upgrade Impact
1.3 Upgrading Version Software in Single-System
1.4 Upgrading Version Software in Dual-System Hot Backup
1.5 Appendix A: Upgrading System Software Using BootROM
1.6 Appendix B: Establishing the Upgrade Environment Through the Console Port
1.7 Appendix C: Uploading and Downloading Files
1.8 Appendix D: Applying for a License
1.9 Appendix E: Upgrade Record Table
1.10 Appendix F: Abbreviations


1.1 Application Scenarios


This document applies to the NIP6000 series.
For version software, the following scenarios are covered:
• Upgrade from V500R001C00SPC300 to V500R001C50SPC100
• Upgrade from V500R001C00SPC500 to V500R001C50SPC100
• Upgrade from V500R001C20SPC100 to V500R001C50SPC100
• Upgrade from V500R001C20SPC200 to V500R001C50SPC100
• Upgrade from V500R001C20SPC300 to V500R001C50SPC100
• Upgrade from V500R001C30SPC100 to V500R001C50SPC100
• Upgrade from V500R001C30SPC200 to V500R001C50SPC100
• Upgrade from V500R001C50 to V500R001C50SPC100

NOTICE
1. Before an upgrade from a patch version, run the patch delete all command to delete the patch.
2. Perform the upgrade.

V500R001C00SPC300, V500R001C00SPC500, V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300 cannot be upgraded directly to V500R001C50SPC100. Instead, upgrade them to V500R001C50SPC100 first or install the following patches:
• For V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300, install V500R001SPH002.

NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V1 upgrades are not recommended. If there are such requirements, contact Huawei engineers.
3. To roll back from V500R001C50 to an earlier version, run the set system-software check-mode all command. For other versions, rollback can be performed directly.
Note the following items for patch upgrades:
• After activating the patch and setting the startup configuration file, ensure that the patch is in the activated state when the reboot or reboot fast command is used to restart the system. Otherwise, the system restart may fail.
• If the patch is mistakenly deleted and the system restart fails after the startup configuration file is set, you must re-activate the patch and restart the system again. For a high-end firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not, delete the patch and then install and activate it again.


1.2 Upgrade Impact

1.2.1 Impact of the Upgrade from V500R001C50

1.2.1.1 Impact of Feature Changes

Table 1-1 New features

| No. | Description | Purpose |
|-----|-------------|---------|
| 1 | The device can parse NSH packets. | To allow the device to parse and forward NSH packets. |
| 2 | The log and alarm are generated if the number of L2TP online users reaches the upper limit. | To remind the administrator if the number of L2TP online users reaches the upper limit. |
| 3 | The rate of received L2TP negotiation packets is limited. | To prevent a large number of L2TP negotiation packets from affecting service packets. |
| 4 | The SSL proxy certificate can be virtualized. | To virtualize the certificate. |
| 5 | The alarm is added, indicating that SSL VPN online user resources are used up. | To notify the administrator of the exhaustion of SSL VPN online user resources. |
| 6 | The log and alarm are generated if the number of SSL VPN online users reaches the upper limit. | To remind the administrator if the number of SSL VPN online users reaches the upper limit. |
| 7 | The alarm is added, indicating that addresses in the SSL VPN network extension address pool are used up. | To notify the administrator of the address exhaustion. |
| 8 | IPSec forwarding adapts the user-configured IPSec source port. | To identify IKE or ESP packets based on the user-configured port. |
| 9 | The northbound interface is added. Virtual-if-[vsysname] can be used to deliver the Virtual-if configuration. | To improve the Controller's delivery efficiency. The device does not obtain the ID of a created virtual system. |
| 10 | The device supports the CIS interworking function. | The CIS can interwork with the firewall to identify and block malicious sessions. |
| 11 | TWAMP Lite network quality detection is added. | To meet the carrier's QoS requirements. The device creates statistical sessions and records test results to provide the NMS with performance statistics about bidirectional delay, jitter, and packet loss rate. |
| 12 | The device supports HRP smooth upgrade. | To allow cross-version HRP dual-system upgrades without service interruption. |

Table 1-2 Modified features

| No. | Feature | Change Description | Cause | Upgrade Impact |
|-----|---------|--------------------|-------|----------------|
| 1 | Virtual system northbound | getState is added to view the used and left virtual system resources. | Function enhanced. | None. |
| 2 | Maintenance and management of the logical resource pool | The usage of virtual systems and ARP resources can be obtained. | Function enhanced. | None. |
| 3 | Web interface traffic statistics | Before modification, traffic statistics on all interfaces apply to virtual system interfaces. After the modification, traffic statistics on all interfaces equal the sum of traffic on interfaces in the corresponding system. | If the maximum number of virtual systems are created, too many memory resources are occupied. | None. |
| 4 | License | The license provides a NETCONF interface, so that the license can be activated online through an activation code. | This is a new requirement. | None. |
| 5 | AAPT | Cloud sandbox interworking supports HTTPS. | The firewall AAPT can interconnect with a cloud sandbox through HTTPS. | As old devices do not have preset certificates, you must manually import the certificate and key for cloud sandbox interworking. |
| 6 | SSL proxy | The certificate can be virtualized. | The SSL server certificate supports virtualization. | None. |
| 7 | Quota control policy | • The alarm threshold reminders are added for daily duration quota, daily traffic quota, and monthly traffic quota. • A device domain name can be set to hide the device IP address on the pushed alarm and quota exhaustion web pages. | Agile Controller-Campus supports traffic statistics. | None. |
| 8 | Online user management | • The upstream rate and downstream rate fields are added to the online user monitoring table on the web UI. • The upstream rate and downstream rate are added to the detailed online user information in the related command output. | You can query the real-time upstream and downstream rates of a single IP address or user. | |

Deleted Features
None.

1.2.1.2 Impact of Command Changes


New Commands

| Command | Description | Impact |
|---------|-------------|--------|
| [ undo ] firewall dynamic-resource used-up alarm sslvpn-user enable | Enables or disables the alarm that forwarding dynamic resources are used up. | None. |
| firewall dynamic-resource used-up alarm sslvpn-user threshold <integer<1-100>> | Sets the threshold for the alarm indicating that forwarding dynamic resources are used up. The default value is 80%. | None. |
| undo firewall dynamic-resource used-up alarm sslvpn-user threshold | Restores the threshold to the default value for the alarm indicating that forwarding dynamic resources are used up. The default value is 80%. | None. |
| [ undo ] firewall dynamic-resource used-up alarm sslvpn-user enable | Enables or disables the alarm that SSL VPN user resources are used up. | None. |
| firewall dynamic-resource used-up alarm sslvpn-user threshold <integer> | Sets the threshold for the alarm indicating that SSL VPN user resources are used up. The default value is 80%. | None. |
| undo firewall dynamic-resource used-up alarm sslvpn-user threshold | Restores the threshold to the default value for the alarm indicating that SSL VPN user resources are used up. The default value is 80%. | None. |
| interface virtual-if api transform | Sets the virtual-if northbound delivery configuration mode. | Virtual-if-[vsysname] replaces Virtual-if[vsysid] as the virtual-if name, improving the Controller's delivery efficiency. |
| display firewall detect [ global \| zone STRING<1-256> \| interzone STRING<1-256> STRING<1-256> ] | Displays the ASPF detection function. | None. |
| [ undo ] hrp configuration auto-check warning enable | Enables or disables the alarm function of hot standby configuration consistency check. | None. |
| [ undo ] hrp track spu enable | Configures the VGMP group to monitor the VLAN status. | None. |
| [ undo ] device-domain <domain-name> | Sets the device domain name. The device domain name is used in the quota control policy alarm and the redirected page upon quota exhaustion to replace the device IP address. | None. |

Table 1-3 Modified commands

| Original Command | New Command | Change Description | Upgrade Impact |
|------------------|-------------|--------------------|----------------|
| display ipsec statistics | display ipsec statistics all-systems | The keyword all-systems is added. | This command is used in the root system before C50. After the upgrade to C50, you must run the display ipsec statistics all-systems command to display IPSec statistics in the root system. |
| app-proxy built-in-ca { trust \| untrust } filename <filename> | app-proxy built-in-ca { trust \| untrust } filename <filename> | This command applies to virtual systems. | None. |
| undo app-proxy built-in-ca { trust \| untrust } | undo app-proxy built-in-ca { trust \| untrust } | This command applies to virtual systems. | None. |
| [ undo ] app-proxy ca trust filename <filename> | [ undo ] app-proxy ca trust filename <filename> | This command applies to virtual systems. | None. |
| [ undo ] app-proxy server certificate filename <filename> | [ undo ] app-proxy server certificate filename <filename> | This command applies to virtual systems. | None. |
| display app-proxy dynamic-cert cache | display app-proxy dynamic-cert cache [ all-systems ] | PKI supports virtualization. The keyword all-systems is added. | Before C50, virtual systems use the root system certificate. After the upgrade to C50, the keyword all-systems is required. |
| reset app-proxy dynamic-cert cache | reset app-proxy dynamic-cert cache [ all-systems ] | PKI supports virtualization. The keyword all-systems is added. | Before C50, virtual systems use the root system certificate. After the upgrade to C50, the keyword all-systems is required. |
| api call-home host <host-name>{<domain-name> \| ip x.x.x.x } port <port-number>[ source-ip x.x.x.x ] | api call-home host <host-name>{domain <domain-name> \| ip x.x.x.x } port <port-number>[ source-ip x.x.x.x ] [ vpn-instance <vpn-instance-name>] | The parameter vpn-instance-name is added for the scenario where the outbound interface is bound to a VPN instance. | None. |
| [undo] time-daily <time-daily> | [undo] time-daily <time-daily>[ reminder-threshold <reminder-threshold-value>] | A reminder threshold can be set. | None. |
| [undo] stream-daily <stream-daily> | [undo] stream-daily <stream-daily>[ reminder-threshold <reminder-threshold-value>] | A reminder threshold can be set. | None. |
| [undo] stream-monthly <stream-monthly> | [undo] stream-monthly <stream-monthly>[ reminder-threshold <reminder-threshold-value>] | A reminder threshold can be set. | None. |

Deleted Commands
None.
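
Table 1-3 states that three commands need the keyword all-systems after the upgrade to C50. The following pre-upgrade check is an added example, not part of the original guide or of any Huawei tool: it scans a saved operations runbook for those commands so that monitoring and audit scripts keep returning root-system data after the upgrade. The runbook format (one command per line, "#" starting a comment), the acceptance of abbreviated keywords, and the names NEEDS_ALL_SYSTEMS, SAMPLE_RUNBOOK and audit are assumptions.

```python
"""Flag runbook commands that Table 1-3 says need 'all-systems' after C50."""

# Taken from the Upgrade Impact column of Table 1-3: the three commands for
# which the keyword all-systems is needed after the upgrade to C50.
NEEDS_ALL_SYSTEMS = (
    "display ipsec statistics",
    "display app-proxy dynamic-cert cache",
    "reset app-proxy dynamic-cert cache",
)

# Constructed sample runbook (hypothetical contents, not from the guide).
SAMPLE_RUNBOOK = """\
# nightly health check (constructed sample)
display ipsec statistics
dis ipsec stat
display   IPSEC statistics all-systems
display app-proxy dynamic-cert cache
reset app-proxy dynamic-cert cache all-systems
display ipsec sa
display firewall detect global
"""


def tokenize(line):
    """Drop a trailing '#' comment, lower-case, and split on whitespace."""
    return line.split("#", 1)[0].lower().split()


def matches(tokens, base_tokens):
    """True if the leading tokens are the base keywords, possibly abbreviated.

    Assumption: runbook authors may type unambiguous keyword prefixes
    (for example 'dis' for 'display'), so each typed token only has to be
    a prefix of the corresponding full keyword.
    """
    if len(tokens) < len(base_tokens):
        return False
    return all(full.startswith(typed) for typed, full in zip(tokens, base_tokens))


def audit(runbook_text):
    """Return (line_no, original_line, suggested_command) for each finding."""
    findings = []
    for line_no, raw in enumerate(runbook_text.splitlines(), start=1):
        tokens = tokenize(raw)
        for base in NEEDS_ALL_SYSTEMS:
            base_tokens = base.split()
            if not matches(tokens, base_tokens):
                continue
            rest = tokens[len(base_tokens):]
            # The keyword itself may also be abbreviated in the runbook.
            if not any("all-systems".startswith(tok) for tok in rest):
                findings.append((line_no, raw.strip(), base + " all-systems"))
            break
    return findings


if __name__ == "__main__":
    for line_no, original, suggested in audit(SAMPLE_RUNBOOK):
        print(f"line {line_no}: '{original}' -> '{suggested}'")
```
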


1.2.1.3 License Impact

The license can still be used after the upgrade from V500R001C50 to V500R001C50SPC100.

1.2.1.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C50 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
• The sensitive feature component package to be loaded must be compatible with the system software.
• Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
• After the upgrade, you must dynamically load these features.
• After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.

1.2.2 Impact of the Upgrade from V500R001C30SPC300

1.2.2.1 Impact of Feature Changes

Deleted Features

Table 1-4 New features


No. Description Objective

To enrich the SSL decryption function, the SSL


Encrypted traffic
1 decryption proxy policy is extracted to form the
detection policy
encrypted traffic detection policy.

The policy label is added, which enables


network maintenance personnel to search for or
2 Policy label
modify a policy more conveniently and
improves the ease of use.

Collection of the
accumulated value
This feature enables the NMS to analyze the
3 of specific policy
traffic and policy in a more convenient way.
traffic through the
OID

Issue 01 (2017-03-29) Huawei Proprietary and Confidential 10


Copyright Huawei Technologies Co., Ltd.
HUAWEI NIP6000&NIP6800&IPS Module
Upgrade Guide 1 NIP6300/6600

No. Description Objective

4 TWAMP Network quality detection.

The firewall interworks with the CIS to block


5 CIS interworking
malicious traffic.

Files matching the cloud sandbox interworking


6 Cloud sandbox policy are sent to the cloud sandbox for in-
depth detection.

Support of AES256 This feature guarantees the security of IDS


7
in IDS interworking interworking messages.

SSL inbound and


SSL inbound and outbound decryption
8 outbound decryption
detection is supported.
detection

This feature applies to scenarios, such as DCN


Configuration scenarios, where a device restarts due to a fault
consistency between and needs to restore basic configurations locally
9
the local and remote and synchronize service configurations from
ends the remote end. This feature helps guarantee
configuration consistency.

System memory
To detect memory overwriting and memory
10 detection
leak issues.
mechanism

Detection of abrupt
To detect abrupt changes of the memory, CPU
11 KPI information
usage, and session, and send alarms.
change

Disabling of the
bound interface
To disable the previously bound interface when
12 when the CPU usage
the CPU usage exceeds the specified threshold.
exceeds the
threshold

Customization of
session log
14 The function is enhanced.
templates in syslog
format

Enhanced session
15 The function is enhanced.
log function

Real-time traffic
16 The function is enhanced.
statistics collection

Alarm on the
exhaustion of
17 forwarding The function is enhanced.
resources on the
firewall


No.: 18
Description: Enhanced restriction on the number of new connections
Objective: The function is enhanced.

No.: 19
Description: ICMP fast reply function
Objective: The function is enhanced.

No.: 21
Description: Alarm on abrupt session changes
Objective: The function is enhanced.

No.: 22
Description: Multicast packet filtering
Objective: The function is enhanced.

No.: 23
Description: Filtering and viewing of blacklists of various types
Objective: The function is enhanced.

Table 1-5 Modified features

No.: 1
Feature: Policy
Change Description: In policy query, related policies can be rapidly located based on quintuple information (or accurate source and destination information, and source and destination address segments). Policy objects support fuzzy query and association with the drop-down list.
Cause: The ease of use shall be improved.
Impact of the Upgrade: None

No.: 2
Feature: Policy
Change Description: The security, traffic, and decryption policies support the configuration of URL category conditions.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 3
Feature: Policy
Change Description: The security policy supports the reference of the Cloud Access Security Awareness (CASA) profile.
Cause: The function is enhanced.
Impact of the Upgrade: None


No.: 4
Feature: Service
Change Description: The range of well-known ports of the service set is added.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 5
Feature: Log
Change Description: The firewall supports the audit of outbound files.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 6
Feature: HRP
Change Description: The support of smooth upgrade is added.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 8
Feature: BWM
Change Description: The northbound function is added for the per-user maximum connection rate and per-IP address maximum connection rate.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 9
Feature: PKI
Change Description: Virtualization is supported. When the certificate or key pair is imported through the CLI, the file shall be uploaded to the corresponding directory (public on the root firewall and vsys+vsysid on the virtual firewall) under cfcard:/pki or hda1:/pki.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 12
Feature: Session log
Change Description: Log sending when the source IP address and source port are not configured is supported.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 13
Feature: Session log
Change Description: Sending encrypted session logs over an IPsec tunnel is supported.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 14
Feature: Session log
Change Description: Displaying log server-specific statistics is supported.
Cause: The function is enhanced.
Impact of the Upgrade: None


No.: 15
Feature: Application
Change Description: After the SA signature database is updated, application names of functions that reference applications, such as integrated policy, application group, and port mapping, are smoothly updated to new names after configuration update. For example, QQ_Webmail is updated to WebMail_QQ, and GMail to WebMail_GMail.
Cause: The function is enhanced.
Impact of the Upgrade: None

None

1.2.2.2 Impact of Command Changes

New commands
For new command details, see the product document.

Modified commands
Original Command: undo ssl whitelist hostname { name xxx | all }
New Command: undo ssl whitelist userdefined-hostname { host-name-xxx | all }
Change Description: Modify keywords.
Impact of the Upgrade: None

Original Command: ssl whitelist hostname xxx
New Command: ssl whitelist userdefined-hostname xxx
Change Description: Modify keywords.
Impact of the Upgrade: None

Original Command: display vrrp error packet [ slot STRING<1-256> ]
New Command: display vrrp error packet
Change Description: This slot is not supported.
Impact of the Upgrade: None


Original Command: startup patch STRING<5-48>
New Command: startup patch STRING<5-48> [ slave-board | all | chassis STRING<1-16> { master | slave } | slot STRING<1-64> ]
Change Description: The configuration patch file of the standby board is added.
Impact of the Upgrade: None

Original Command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] *
New Command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] * [ | count ] [ | [ before INTEGER<1-999> | after INTEGER<1-999> ] * { begin | include | exclude } TEXT0 ]
Change Description: The pipe character-based filtering and query function is added.
Impact of the Upgrade: None

Original Command: info-center timestamp { log | trap | debugging } { { none | boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] }
New Command: info-center timestamp { log | trap | debugging } { { boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] } [ without-timezone ]
Change Description: In security rectification, the no-timestamp mode is deleted.
Impact of the Upgrade: None

Original Command: snmp-agent acl { INTEGER<0-4294967295> | null }
New Command: snmp-agent acl INTEGER<0-4294967295>
Change Description: The function is enhanced. The null configuration at the end of the ACL is meaningless, and no buildrun information is generated.
Impact of the Upgrade: None


Original Command: snmp-agent group v3 STRING<1-32> { authentication | privacy | noauthentication } [ read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> ] * [ acl { INTEGER<0-4294967295> | null } ]
New Command: snmp-agent group v3 STRING<1-32> { authentication | privacy | noauthentication } [ read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> ] * [ acl INTEGER<0-4294967295> ]
Change Description: The function is enhanced. The null configuration at the end of the ACL is meaningless, and no buildrun information is generated.
Impact of the Upgrade: None

Original Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None

Original Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None


Original Command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> }
New Command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> } [ vpn-instance STRING<1-31> ]
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None

Original Command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname { STRING<1-32> | cipher STRING<1-68> }
New Command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname { STRING<1-32> | cipher STRING<1-68> }
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None

Original Command: ping ipv6 [ -a X:X::X:X | -c INTEGER<1-4294967295> | -s INTEGER<20-9600> | -t INTEGER<0-65535> | -m INTEGER<1-10000> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -tc INTEGER<0-255> | -h INTEGER<1-255> | -name ] * STRING<1-46> [ -i { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
New Command: ping ipv6 [ -a X:X::X:X | -c INTEGER<1-4294967295> | -s INTEGER<20-9600> | -t INTEGER<0-65535> | -m INTEGER<1-10000> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -tc INTEGER<0-255> | -h INTEGER<1-255> | -name ] * STRING<1-255> [ -i { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
Change Description: The number of characters in the hostname is increased from 46 to 255.
Impact of the Upgrade: None


Original Command: tracert ipv6 [ -f INTEGER<1-255> | -m INTEGER<1-255> | -p INTEGER<1-65535> | -q INTEGER<1-65535> | -w INTEGER<1-65535> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -a X:X::X:X | -s INTEGER<20-9600> | -name ] * STRING<1-46>
New Command: tracert ipv6 [ -f INTEGER<1-255> | -m INTEGER<1-255> | -p INTEGER<1-65535> | -q INTEGER<1-65535> | -w INTEGER<1-65535> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -a X:X::X:X | -s INTEGER<20-9600> | -name ] * STRING<1-255>
Change Description: The number of characters in the hostname is increased from 46 to 255.
Impact of the Upgrade: None

Original Command: [ undo ] debugging arp-proxy [ inner-sub-vlan-proxy ] [ interface { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
New Command: [ undo ] debugging arp-proxy inner-sub-vlan-proxy [ interface { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
Change Description: The status of arp-proxy debugging can be controlled.
Impact of the Upgrade: None


Original Command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added in response to a new requirement.
Impact of the Upgrade: None


Original Command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-46> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-255> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added in response to a new requirement.
Impact of the Upgrade: None

Original Command: reset arp { static | all | dynamic }
New Command: reset arp { static | dynamic }
Change Description: Traffic interruption resulting from misoperations is prevented.
Impact of the Upgrade: None

Original Command: routing-table rib-only [ route-policy STRING<1-40> ]
New Command: routing-table rib-only [ route-policy STRING<1-40> ]
Change Description: Whether the private network route in BGP delivers the IP routing table is controlled.
Impact of the Upgrade: None

Original Command: slow-peer detection [ threshold INTEGER<120-3600> ]
New Command: slow-peer detection threshold INTEGER<120-3600>
Change Description: The status of slow peer detection is changed from disabled by default to enabled by default, the command syntax is changed, and it is compatible with system upgrade.
Impact of the Upgrade: None


Original Command: undo routing-table rib-only
New Command: undo routing-table rib-only
Change Description: Whether the private network route in BGP delivers the IP routing table is controlled.
Impact of the Upgrade: None

Original Command: undo slow-peer detection
New Command: undo slow-peer detection [ threshold INTEGER<120-3600> ]
Change Description: The status of slow peer detection is changed from disabled by default to enabled by default, the command syntax is changed, and it is compatible with system upgrade.
Impact of the Upgrade: None

Original Command: nssa [ default-route-advertise { [ [ cost INTEGER<1-16777214> ] | [ type INTEGER<1-2> ] | [ tag INTEGER<0-4294967295> ] ] * } | no-import-route | no-summary | translator-always | translator-interval INTEGER<1-120> | set-n-bit ] *
New Command: nssa [ default-route-advertise { [ [ cost INTEGER<1-16777214> ] | [ type INTEGER<1-2> ] | [ tag INTEGER<0-4294967295> ] ] * } | no-import-route | no-summary | translator-always | translator-interval INTEGER<1-120> | set-n-bit | suppress-forwarding-address ] *
Change Description: Integrated from the OSPFv3 FA requirement.
Impact of the Upgrade: None

Original Command: [ undo ] mpls ldp
New Command: [ undo ] mpls ldp
Change Description: The [ undo ] mpls ldp command is split into two commands undo mpls ldp and mpls ldp. As a result, this command no longer exists in the system view.
Impact of the Upgrade: None

Original Command: receive-time utc STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
New Command: receive-time [ utc ] STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None


Original Command: receive-time utc STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
New Command: receive-time [ utc ] STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: send-time utc STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
New Command: send-time [ utc ] STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: send-time utc STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
New Command: send-time [ utc ] STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: ips associated pre-defined signature-id INTEGER<1025-16777215> { threshold INTEGER<1-500> | interval INTEGER<1-7200> | block-time INTEGER<1-1000> | correlateby STRING<1-256> } *
New Command: ips associated pre-defined signature-id INTEGER<1025-16777215> { threshold INTEGER<1-2000> | interval INTEGER<1-7200> | block-time INTEGER<1-1000> | correlateby STRING<1-256> } *
Change Description: The threshold range in the configuration information is modified.
Impact of the Upgrade: None

Original Command: condition [ INTEGER<1-4> ] field STRING<1-256> operate STRING<1-256> value STRING<1-256> [ offset { INTEGER<0-65535> | begin } ] [ depth INTEGER<7-65535> ]
New Command: condition [ INTEGER<1-4> ] field STRING<1-256> operate STRING<1-256> value STRING<1-256> [ offset { INTEGER<0-65535> | begin } ] [ depth INTEGER<7-65535> ] [ direction STRING<1-256> | qualifier http-method STRING<1-256> ] *
Change Description: The user-defined signature detection function is enhanced in response to a new requirement.
Impact of the Upgrade: None


Original Command: display slb { vserver [ STRING<1-32> ] [ verbose ] | group [ STRING<1-32> ] }
New Command: display slb { vserver [ STRING<1-32> ] [ verbose ] | group [ STRING<1-32> ] [ verbose ] }
Change Description: The command for displaying the group verbose information is added.
Impact of the Upgrade: None

Original Command: protocol { tcp | udp | any }
New Command: protocol { tcp | udp | any | http | ssl | https | esp }
Change Description: The support of HTTP/SSL/HTTPS/ESP is added.
Impact of the Upgrade: None

Original Command: rserver INTEGER<0-31> { port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> } *
New Command: rserver INTEGER<0-31> { port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> } *
Change Description: The command that restricts the maximum number of connections of the physical server (max-connection INTEGER<0-65535>) is added.
Impact of the Upgrade: None

Original Command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> ] *
New Command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> ] *
Change Description: The command that restricts the maximum number of connections of the physical server (max-connection INTEGER<0-65535>) is added.
Impact of the Upgrade: None

Original Command: display packet-capture queue INTEGER<0-3> [ INTEGER<0-1999> ]
New Command: display packet-capture queue INTEGER<0-4294967295> [ INTEGER<0-4294967295> ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None


Original Command: packet-capture drop [ ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> ] [ queue INTEGER<0-3> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
New Command: packet-capture drop [ ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> ] [ queue INTEGER<0-4294967295> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture drop drop-type { blackhole | default-filter | fib-miss | arp-miss } [ queue INTEGER<0-3> ]
New Command: packet-capture drop drop-type { blackhole | default-filter | fib-miss | arp-miss } [ queue INTEGER<0-4294967295> ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture queue INTEGER<0-3> to-file STRING<5-64>
New Command: packet-capture queue INTEGER<0-4294967295> to-file STRING<5-64>
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture startup [ packet-len INTEGER<40-1500> ] [ sample-rate INTEGER<1-10000> ] [ packet-num INTEGER<1-1000> ]
New Command: packet-capture startup [ packet-len INTEGER<40-1500> ] [ sample-rate INTEGER<1-10000> ] [ packet-num INTEGER<1-1000> ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture { ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> | no-ip-packet | all-packet } [ queue INTEGER<0-3> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
New Command: packet-capture { ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> | no-ip-packet | all-packet } [ queue INTEGER<0-4294967295> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None


Original Command: reset packet-capture queue { INTEGER<0-3> | all }
New Command: reset packet-capture queue { INTEGER<0-4294967295> | all }
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: reset packet-capture statistic
New Command: reset packet-capture statistic
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: undo packet-capture [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
New Command: undo packet-capture [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: undo packet-capture drop [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
New Command: undo packet-capture drop [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: [ undo ] debugging vsys-resource [ event | msg | error | trace | rpc ]
New Command: [ undo ] debugging vsys [ event | msg | error | trace | rpc ]
Change Description: The keyword is changed for the debugging of the virtual system module.
Impact of the Upgrade: None

Original Command: alias TEXT0
New Command: alias TEXT0
Change Description: The command for the virtual system interface view is added.
Impact of the Upgrade: None

Original Command: undo alias
New Command: undo alias
Change Description: The command for the virtual system interface view is added.
Impact of the Upgrade: None

Original Command: configure disk type audit-log INTEGER<1-100>
New Command: configure disk type audit-log INTEGER<0-100>
Change Description: The size of the audit log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { content-log } INTEGER<1-100>
New Command: configure disk type { content-log } INTEGER<0-100>
Change Description: The size of the content log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { content-report } INTEGER<1-100>
New Command: configure disk type { content-report } INTEGER<0-100>
Change Description: The size of the data filtering report disk space can be set to 0%.
Impact of the Upgrade: None


Original Command: configure disk type { file-block-report } INTEGER<1-100>
New Command: configure disk type { file-block-report } INTEGER<0-100>
Change Description: The size of the file blocking report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { mail-log } INTEGER<1-100>
New Command: configure disk type { mail-log } INTEGER<0-100>
Change Description: The size of the mail filtering log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { policy-log } INTEGER<1-100>
New Command: configure disk type { policy-log } INTEGER<0-100>
Change Description: The size of the policy matching log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { policy-report } INTEGER<1-100>
New Command: configure disk type { policy-report } INTEGER<0-100>
Change Description: The size of the policy matching report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { system-log } INTEGER<1-100>
New Command: configure disk type { system-log } INTEGER<0-100>
Change Description: The size of the system log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { threat-log } INTEGER<1-100>
New Command: configure disk type { threat-log } INTEGER<0-100>
Change Description: The size of the threat log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { threat-report } INTEGER<1-100>
New Command: configure disk type { threat-report } INTEGER<0-100>
Change Description: The size of the threat report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { traffic-report } INTEGER<1-100>
New Command: configure disk type { traffic-report } INTEGER<0-100>
Change Description: The size of the traffic report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { url-log } INTEGER<1-100>
New Command: configure disk type { url-log } INTEGER<0-100>
Change Description: The size of the URL log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { url-report } INTEGER<1-100>
New Command: configure disk type { url-report } INTEGER<0-100>
Change Description: The size of the URL report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { user-log } INTEGER<1-100>
New Command: configure disk type { user-log } INTEGER<0-100>
Change Description: The size of the user log disk space can be set to 0%.
Impact of the Upgrade: None


Original Command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
New Command: report type threat-report item { threat-type | application | attacker | victim | threat-name | defend | all | map } enable
Change Description: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.
Impact of the Upgrade: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.

Original Command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
New Command: report type traffic-report item { source-ip | destination-ip | application | application-sub-category | all | map | out-interface } enable
Change Description: The application category, address type, source region, and destination region dimensions are deleted from traffic reports. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.
Impact of the Upgrade: Traffic reports do not contain application category, address type, source region, and destination region dimensions. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.


Original Command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
New Command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | defend | all | map } enable
Change Description: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.
Impact of the Upgrade: Threat reports do not contain virus, attack region, and attacked region dimensions. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.

Original Command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
New Command: undo report type traffic-report item { source-ip | destination-ip | application | application-sub-category | all | map | out-interface } enable
Change Description: The application category, address type, source region, and destination region dimensions are deleted from traffic reports. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.
Impact of the Upgrade: Traffic reports do not contain application category, address type, source region, and destination region dimensions. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.

Original Command: update log database
New Command: update log database [ { traffic-log | threat-log | url-log | content-log | system-log | audit-log | user-activity-log | policy-matching-log | mail-filtering-log } * ]
Change Description: The update of log databases of only specific types can be implemented.
Impact of the Upgrade: None


Original Command: mime-header-group name STRING<1-256> [ smtp | pop3 ] action { alert | block | declare }
New Command: mime-header-group name STRING<1-256> [ smtp | pop3 | imap ] action { alert | block | declare }
Change Description: The mail proxy for IMAP is added. Therefore, the mime-header-group configuration of IMAP shall also exist.
Impact of the Upgrade: None

Original Command: [ undo ] firewall blacklist item user STRING<1-130> [ timeout INTEGER<1-1000> ]
New Command: [ undo ] firewall blacklist item user STRING<1-130> [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } destination-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } destination-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } source-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } source-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None


Original Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: display self-diagnose information { sadp_channel | gfpi_channel | iic_channel | iic_table } mp_info INTEGER<1-256> all
New Command: display self-diagnose information { iic | gfpi-channel } all
Change Description: The statistics collection commands for the gfpi and iic modules are optimized.
Impact of the Upgrade: None

Deleted commands
Command: refresh fib slot STRING<1-256>
Cause of Deletion: The tailored macro that does not take effect originally now takes effect.
Impact: None

Command: [ undo ] super password complexity-check disable
Cause of Deletion: This super function is not supported.
Impact: None

Command: set default ftp-directory STRING<1-160>
Cause of Deletion: This command is obsolete and supported only by the router.
Impact: None

Command: undo set default ftp-directory
Cause of Deletion: This command is obsolete and supported only by the router.
Impact: None

Command: mpls lsp-number-limit bgp INTEGER<10000-10000>
Cause of Deletion: The firewall does not support dynamic BGP-LSP specification adjustment.
Impact: None

Command: undo detect { java-blocking | activex-blocking }
Cause of Deletion: The command definition is repeated.
Impact: None


Command: display log type merged policy security hash information
Cause of Deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged policy security { 5m | 60m } disk_database information
Cause of Deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged threat { av | ips | bwt | ddos | application-and-type | application | attacker | victim | attacker-and-threat-name | victim-and-threat-name | type } hash information
Cause of Deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged threat { av | ips | bwt | ddos | application-and-type | application | attacker | victim | attacker-and-threat-name | victim-and-threat-name | type } { 5m | 60m } disk_database information
Cause of Deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged threat { user-and-application | user } hash information
Cause of Deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged threat { user-and-application | user } { 5m | 60m } disk_database information
Cause of Deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged traffic { application | source-ip-and-application | destination-ip-and-application | source-ip | destination-ip | application-subcategory | application-category } hash information
Cause of Deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None


Command: display log type merged traffic { application | source-ip-and-application | destination-ip-and-application | source-ip | destination-ip | application-subcategory | application-category } { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged traffic { source-ip-and-application | destination-ip-and-application } cache information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged traffic { user-and-application | user } hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash/cache table.
Impact: None

Command: display log type merged traffic { user-and-application | user } { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged traffic { user-and-application } cache information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash/cache table.
Impact: None

Command: display log type merged url host { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged url host { cache | hash } information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash/cache table.
Impact: None

Command: display log type merged url subcategory hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged url subcategory { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None


Command: log audit decrypt
Cause of deletion: By default, audit content logs are stored in cipher text.
Impact: None

Command: log audit password STRING<1-256>
Cause of deletion: By default, audit content logs are stored in cipher text, and the configuration of passwords is not required.
Impact: None

Command: undo log audit decrypt
Cause of deletion: By default, audit content logs are stored in cipher text.
Impact: None

Command: undo log audit decrypt
Cause of deletion: By default, audit content logs are stored in cipher text.
Impact: None

Command: undo log audit password
Cause of deletion: By default, audit content logs are stored in cipher text, and the configuration of passwords is not required.
Impact: None

Command: [ undo ] debugging proxy { event | error | packet | trace | all }
Cause of deletion: The architecture is modified.
Impact: None

Command: [ undo ] mail-proxy-adapt session statistics enable
Cause of deletion: The architecture is modified.
Impact: None

Command: display mail-proxy-adapt session table [ source X.X.X.X ] [ destination X.X.X.X ] [ source-port INTEGER<1-65535> ] [ destination-port INTEGER<1-65535> ] [ timeout ] [ verbose ] [ protocol { smtp | pop3 } ]
Cause of deletion: The architecture is modified.
Impact: None

Command: display mail-proxy-adapt { session | aging } statistics
Cause of deletion: The architecture is modified.
Impact: None

Command: reset mail-proxy-adapt { session | aging } statistics
Cause of deletion: The architecture is modified.
Impact: None

Command: reset { mail-proxy-adapt | mail-proxy } session table
Cause of deletion: The architecture is modified.
Impact: None

1.2.2.3 License Impact

The license can still be used after the upgrade from V500R001C30SPC300 to V500R001C50.


1.2.2.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.3 Impact of the Upgrade from V500R001C30SPC200

1.2.3.1 Impact of Feature Changes

New features
None

Modified features
No. 1
Feature: HRP
Change description: HRP smooth upgrade.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 2
Feature: HRP
Change description: Enhanced reliability of the HRP command backup mechanism.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 3
Feature: Reliability
Change description: Interface shutdown triggered when the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 4
Feature: CF card
Change description: CF card failure alarm.
Cause: The function is enhanced.
Impact of the upgrade: None.


No. 5
Feature: Security zone
Change description: Command added to check whether the detection function is enabled.
Cause: The function is enhanced.
Impact of the upgrade: None.

Deleted Features
None

1.2.3.2 Impact of Command Changes

New commands
Command: display firewall detect [ global | zone <zone-name> | interzone <source-zone-name> <destination-zone-name> ]
Description: Displays interzone configuration.
Impact: To display whether the detection function is enabled.

Command: [ undo ] firewall exceeded { session | cpu-usage | input-rate } enable
Description: Enables or disables the function of checking whether the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.
Impact: To enhance maintainability, so that interfaces can be shut down if the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.

Command: [ undo ] firewall exceeded session shutdown interface [ interface-name | interface-type interface-number ] &<1-16>
Description: Disables the selected interface if the number of sessions exceeds the threshold.
Impact: To enhance maintainability, so that interfaces can be shut down if the number of sessions exceeds the threshold.

Command: [ undo ] firewall exceeded input-rate shutdown interface [ interface-name | interface-type interface-number ] &<1-16>
Description: Disables the selected interface if the interface traffic rate exceeds the threshold.
Impact: To enhance maintainability, so that interfaces can be shut down if the interface traffic rate exceeds the threshold.

Command: firewall exceeded cpu-usage threshold <integer<60-100>>
Description: Sets a threshold for the CPU usage.
Impact: To enhance maintainability, so that interfaces can be shut down if the CPU usage exceeds the threshold.

Command: hrp base config enable
Description: Restores commands upon enhanced startup.
Impact: To enhance hot standby reliability.


Modified features
None

Deleted commands
None

1.2.3.3 License Impact

The license can still be used after the upgrade from V500R001C30SPC200 to
V500R001C30SPC300.

1.2.3.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC200 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.4 Impact of the Upgrade from V500R001C30SPC100

1.2.4.1 Impact of Feature Changes

New features
None


Modified features
No. 1
Feature: Hardware
Change description: Added 600G hard disks for 1 U firewalls.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 2
Feature: DHCP
Change description: Added the DHCPv6 Server function.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 3
Feature: WLAN
Change description: Added the 802.1x authentication function.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 4
Feature: WLAN
Change description: Added the WMM, priority mapping, user isolation, and 802.1x authentication functions.
Cause: The function is enhanced.
Impact of the upgrade: None.

No. 5
Feature: User and User Authentication
Change description: Added the WMM, priority mapping, user isolation, and 802.1x authentication functions.
Cause: The function is enhanced.
Impact of the upgrade: None.

Deleted Features
None

1.2.4.2 Impact of Command Changes

Table 1-6 New commands


Command: display ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: display ipsec fpath statistics [slot <slotid> ]cpu <cpu-id>]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics [ slot <slotid>cpu <cpu-id>]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.


Command: display ipsec share-flow hash-table statistics
Description: Displays share-flow statistics in the data plane hash table.
Impact: Added an IPsec debugging command.

Command: display ipsec share-flow hash-table statistics [ slot <slotid> cpu <cpu-id>
Description: Displays share-flow statistics in the data plane hash table on a CPU.
Impact: Added an IPsec debugging command.

Command: [ undo ] security-policy statistic enable
Description: Enables or disables the function of collecting statistics on the number of packets and bytes that match security policies.
Impact: Added a function that allows you to view the statistics through MIB.

Command: reset security-policy statistic
Description: Clears statistics on the number of packets and bytes that match security policies.
Impact: Added a function that allows you to view the statistics through MIB.

Command: sync-address
Description: Specifies the IP address range in online user information synchronization on the TSM server.
Impact: Added a function that specifies the source IP address range in online user information synchronization on the TSM server. Only users whose source IP addresses are within the range can trigger the query.

Command: user-manage server-sync tsm
Description: Accesses the online user information synchronization view of the TSM SSO server.
Impact: Added a function.

Command: user-manage xff-parse proxy-ip
Description: Configures the function of user management and control by parsing the x-forwarded-for field in HTTP proxy scenarios.
Impact: Added a function, which must be enabled for security management and control over users that access the Internet through the HTTP proxy server. The device parses the x-forwarded-for field in HTTP packets to obtain users' actual IP addresses. If the proxy server does not support this field, the management and control cannot be implemented.

Command: tsm server-sync enable/disable
Description: Enables or disables online user information synchronization on the TSM server.
Impact: Added a function.


Command: display user-manage server-sync-config
Description: Displays configuration information of online user information synchronization on the TSM server, including the function status, query packet sending rate, source IP address range of the query, and destination server IP address of the query.
Impact: Added a function.

Command: sync-rate
Description: Specifies the packet rate in online user information synchronization on the TSM server.
Impact: Added a function. The firewall sends query packets that contain users' IP addresses to the TSM server controller. If IP addresses contained in the packets are already online after the server receives the packets, TSM SSO login messages are returned to the firewall. In this way, online user entries on the firewall and server are synchronized. To prevent query packets from overloading the server and compromising the server performance, you need to configure the query rate.

Command: user-manage clear-invalid-users
Description: Configures daily or weekly deletion of invalid users.
Impact: Added a function.

Command: [undo] api netconf validate
Description: Enables the verification function.
Impact: The verification function is originally enabled by default, compromising the performance. Therefore, it is modified to be disabled by default. You can use this command to enable it again.

Command: firewall defend tcp split-handshake-spoof enable
Description: Enables the function of defending against split handshake spoofing attacks.
Impact: Added a function. After this function is enabled, the firewall can block TCP split handshake spoofing attacks, defend against malicious data injection, and discard SYN packets with data.


Command: display self-diagnose information assert { all | { slot <integer<1-16>> cpu <integer<0-3>> } }
Description: Displays assertion records.
Impact: Added a function that displays the location and number of times an assertion is printed. The black box records identical assertions only once.

Command: display im rule
Description: Enhances the maintainability of QQ requirements so that you can view QQ rules that are currently loaded.
Impact: Added a function that allows you to view QQ rules in the diagnose view.

Command: ssh server dh-exchange min-len
Description: Specifies the minimum DH length supported by the server when SSH uses the dh_exchange key exchange algorithm.
Impact: Enhanced the existing function.

Table 1-7 Modified commands


Original command: display firewall session aging-time
New command: display firewall session aging-time
Change description: Changed the default aging time of SQLNET from 600 seconds to 14400 seconds.
Impact of the upgrade: After the upgrade, SQLNET sessions are persistent sessions whose default aging time is 14400 seconds. When the number of persistent connections exceeds 1/3 of the session specification, their aging time is automatically changed to that of common TCP sessions.


Original command: snmp-agent session history-max-number enable [ interval interval ]
New command: snmp-agent session history-max-number enable [ interval interval ]
Change description:
- Modified the buildrun configuration so that buildrun is not enabled by default and is enabled only after the undo command is executed.
- Modified the help information, in which the default interval is one minute.
Impact of the upgrade: After the upgrade, buildrun is not enabled by default.

Original command: undo os
New command: undo os [ windows | android | unix-like | ios | other ]
Change description: Enhanced the existing function so that one piece of system information can be deleted.
Impact of the upgrade: None.

Original command: undo severity
New command: undo severity [ high | low | medium | information ]
Change description: Enhanced the existing function so that one piece of severity information can be deleted.
Impact of the upgrade: None.

Original command: ftp-detect
New command: ftp-detect
Change description: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.
Impact of the upgrade: Before: If no response action is configured for one time, the action configured last time is used. After: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.


Original command: smb-detect
New command: smb-detect
Change description: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.
Impact of the upgrade: Before: If no response action is configured for one time, the action configured last time is used. After: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.

Original command: http-detect
New command: http-detect
Change description: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.
Impact of the upgrade: Before: If no response action is configured for one time, the action configured last time is used. After: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.

Original command: file-frame web-reputation enable
New command: file-frame web-reputation enable
Change description: Changed the command view from the diagnose view to system view.
Impact of the upgrade: None.

Original command: undo file-frame web-reputation add white-host all
New command: undo file-frame web-reputation add white-host
Change description: Deleted keyword all.
Impact of the upgrade: None.

Original command: display gpm method
New command: display gpm method
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.

Original command: display gpm flow
New command: display gpm flow
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.


Original command: resource-item-limit user reserved-number user-reserved-number
New command: resource-item-limit user reserved-number user-reserved-number
Change description: Increased the specification on the number of users supported by the firewall in response to JD.com requirements.
Impact of the upgrade: The specification on the number of users supported by the firewall is increased, with no impact on the upgrade.

Original command: resource-item-limit user-group reserved-number user-group-reserved-number
New command: resource-item-limit user-group reserved-number user-group-reserved-number
Change description: Increased the specification on the number of user groups supported by the firewall in response to JD.com requirements.
Impact of the upgrade: The specification on the number of user groups supported by the firewall is increased, with no impact on the upgrade.

Original command: resource-item-limit online-user { [ reserved-number online-user-reserved-number ] | [ maximum online-user-maximum ] } *
New command: resource-item-limit online-user { [ reserved-number online-user-reserved-number ] | [ maximum online-user-maximum ] } *
Change description: Increased the specification on the number of online users supported by the firewall in response to JD.com requirements.
Impact of the upgrade: The specification on the number of online users supported by the firewall is increased, with no impact on the upgrade.

Original command: portal-type access [ time-out time | online-limit number ] *
New command: portal-type access [ time-out time | online-limit number ] *
Change description: Increased the specification on the number of local users supported by the firewall in response to JD.com requirements. The default value is the maximum number of local users that the firewall supports.
Impact of the upgrade: The specification on the number of local users supported by the firewall is increased, with no impact on the upgrade.

Original command: display role { name STRING<1-64> | all }
New command: display role { name STRING<1-64> | all }
Change description: Changed the command view from all views to the AAA view.
Impact of the upgrade: None.


Original command: [ undo ] debugging api netconf { agent | server | transapi | ssh | no-validate }
New command: [ undo ] debugging api netconf { agent | server | transapi | ssh }
Change description: Deleted keyword no-validate, which is used to disable the verification function.
Impact of the upgrade: The verification function is originally enabled by default, compromising the performance. Therefore, it is modified to be disabled by default. You can use the newly added [undo] api netconf validate command to enable it again.


Original command: display spu Interlaken statistics slot integer<1-16> cpu integer<0-3>
New command: display spu Interlaken statistics slot integer<1-16> cpu integer<0-3>
Change description: Added the display of statistics on discarded packets at the spu interlaken and rgmii interfaces.
Impact of the upgrade:
  u64ErrCnt_PktMal: 0 // Number of malformed packets
  u64ErrCnt_PktStart: 0 // Number of packets with invalid start addresses
  u64ErrCnt_PrepaCmd: 0 // Number of packets with failed packet sending command words
  u64ErrCnt_SendFail: 0 // Number of packets that fail to be sent
  u64ErrCnt_WqeCheck: 0 // Number of error packets parsed from WQE
  u64ErrCnt_WqebufNull: 0 // Number of packets with empty WQE buf
  u64ErrCnt_DatBlkNull: 0 // Number of packets whose second block is empty
  u64ErrCnt_PktViraddNull: 0 // Number of packets with empty virtual addresses
  u64ErrCnt_PkiOpcode[0x1]: 1 // Number of packets with error code 1.

Deleted commands
None.

1.2.4.3 License Impact

The license can still be used after the upgrade from V500R001C30SPC100 to
V500R001C50SPC100.


1.2.4.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.5 Impact of the Upgrade from V500R001C20SPC300

1.2.5.1 Impact of Feature Changes

Change Description of Important Features

V500R001C20SPC300: In mail audit logs, attachment names are separated using commas or spaces.
V500R001C50SPC100: In mail audit logs, attachment names are separated using slashes (/).

V500R001C20SPC300: Firewalls cannot be directly upgraded to the cloud management mode through USB flash drive using a specific field.
V500R001C50SPC100: The function is enhanced. The RUNMODE field is added to the index file for the upgrade through USB flash drive. Firewalls can be directly upgraded to the cloud management mode through this field.

V500R001C20SPC300: The [undo] traffic-policy bandwidth force statistic enable command enables or disables the traffic policy statistics function. By default, the function is enabled.
V500R001C50SPC100: The default state is changed from enabled to disabled for high-end firewalls. The default state is still enabled for low-end and mid-range firewalls.

V500R001C20SPC300: The [undo] firewall packet-filter basic-protocol enable command enables or disables security policy control for BGP, LDP, BFD, and OSPF unicast packets. By default, the function is enabled.
V500R001C50SPC100: The default state of this command is changed from enabled to disabled.


V500R001C20SPC300: When user management uses the SSL protocol, the cipher list supports low-, medium-, and high-length encryption algorithms.
V500R001C50SPC100: When user management uses the SSL protocol, the cipher list supports medium- and high-length encryption algorithms.

V500R001C20SPC300: Static mapping deletion on the MIB deletes all static mappings configured on the device.
V500R001C50SPC100: Only static mappings that are not referenced are deleted.

For detailed change information, see HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Release Notes.

1.2.5.2 Impact of Command Changes

Table 1-8 Modified commands


Original command: firewall ipv6 session create-rate log threshold threshold-value
New command: firewall ipv6 session create-rate log threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for new IPv6 sessions. In the target version, threshold-value specifies the ratio threshold of new IPv6 sessions. The ratio is a percentage of new IPv6 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by new IPv6 session specification for a single CPU.


Original command: firewall ipv6 session total-number log threshold threshold-value
New command: firewall ipv6 session total-number log threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for concurrent IPv6 sessions. In the target version, threshold-value specifies the ratio threshold of concurrent IPv6 sessions. The ratio is a percentage of concurrent IPv6 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by concurrent IPv6 session specification for a single CPU.

Original command: snmp-agent session trap threshold threshold-value
New command: snmp-agent session trap threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for new IPv4 sessions. In the target version, threshold-value specifies the ratio threshold of new IPv4 sessions. The ratio is a percentage of new IPv4 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by new IPv4 session specification for a single CPU.

Original command: snmp-agent session-rate trap threshold threshold-value
New command: snmp-agent session-rate trap threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for concurrent IPv4 sessions. In the target version, threshold-value specifies the ratio threshold of concurrent IPv4 sessions. The ratio is a percentage of concurrent IPv4 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by concurrent IPv4 session specification for a single CPU.


Original command: firewall mac-binding x.x.x.x h-h-h [ vpn-instance string<1-31> ] [ vid integer<1-4094> ]
New command:
  firewall mac-binding x.x.x.x h-h-h [ vpn-instance string<1-31> ] [ vid integer<1-4094> ] [ description <description> ]
  undo firewall mac-binding x.x.x.x [ description ] [ vpn-instance string<1-31> ]
Change description: The IP-MAC binding description is added.
Impact of the upgrade: None.

Original command: undo period-range { all | <start-time> to <end-time><weekday>&<17>
New command: undo period-range { all | <start-time> to <end-time>[<weekday>]&<17>
Change description: The undo command is added to delete a specified time range. This command does not affect existing commands.
Impact of the upgrade: None.

Original command: display log state
New command: display log state
Change description: The command line remains unchanged, but the command output changes. The status of the function of sending logs during a specified period and the last sending time are added.
Impact of the upgrade: None.

Original command: [undo] license hrp-alert enable
New command: [undo] hrp check license enable
Change description: The keywords of the command are changed.
Impact of the upgrade: None.

Original command: display license
New command: display license
Change description: The command output changes as follows:
- Device ESN preferentially displays the ESN of the slave MPU. If there is no slave MPU, the ESN of the master MPU is displayed.
- The License ESN field is changed to License file ESN, which still displays the ESN in the license file.
Impact of the upgrade: Before the change, Device ESN displays the ESN of the master MPU. After the change, Device ESN preferentially displays the ESN of the slave MPU. If there is no slave MPU, the ESN of the master MPU is displayed.


Original command: user-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 | sslv3 } *
New command: user-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 } *
Change description: The keyword sslv3 is deleted. By default, TLS1.1 and TLS1.2 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS1.1 and TLS1.2.

Original command: web-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 | sslv3 } *
New command: web-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 } *
Change description: The keyword sslv3 is deleted. By default, TLS1.1 and TLS1.2 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS1.1 and TLS1.2.

Original command: [undo] ssl version { tlsv10 | tlsv11 | tlsv12 | sslv3 }
New command: ssl version { tlsv10 | tlsv11 | tlsv12 }
Change description: The keyword sslv3 is deleted. By default, TLS11 and TLS12 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS11 and TLS12.

Original command: display firewall [ipv6] session statistics all-systems
New command: display firewall [ipv6] session statistics all-systems
Change description: The function is enhanced. The peak time of session creation and concurrent connections is added.
Impact of the upgrade: None.

Original command: display firewall session aging-time [ type { pre-defined | user-defined } ]
New command: display firewall session aging-time [ type { pre-defined | user-defined } [service-name] ]
Change description: The function is enhanced. The session aging time of a predefined or user-defined service set can be displayed.
Impact of the upgrade: None.

Original command: display diagnostic-information
New command: display diagnostic-information
Change description: The function is enhanced. In diagnosis information, the display interface brief, display ip interface brief and display dp-assert 40 slot xxx commands are added, and the display interface brief main command is deleted.
Impact of the upgrade: None.


Original command: speed {10 | 100 | 1000}, undo speed, [undo] negotiation auto, duplex { half | full }, undo duplex
New command: speed {10 | 100 | 1000}, undo speed, [undo] negotiation auto, duplex { half | full }, undo duplex
Change description: The function is added. The negotiation mode, duplex mode, and rate can be set in the view of an Eth-Trunk member interface.
Impact of the upgrade: None.


Original command: file-type XXX (aapt profile view)
New command: file-type XXX
Change description: XXX in the original command specifies the type of files sent to the sandbox. The file type must be supported by the sandbox. A maximum of eight file types can be specified each time. Currently, the following types are supported: BAT, CLASS, PE32, MSI, HLP, HTM, HTML, JAR, DOC, RTF, XLS, PPT, PDF, SWF, CHM, MHT, VBS, JPG, PNG, GIF, BMP, TIF, DOCX, PPTX, PPS, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, MSG, and JS. If you set the all parameter, any type of files is matched.
XXX in the new command specifies the type of files sent to the sandbox. The file type must be supported by the sandbox. A maximum of eight file types can be specified each time. Currently, the following types are supported: BAT, CLASS, PE32, MSI, HLP, HTML, JAR, DOC, RTF, XLS, PPT, PDF, SWF, CHM, MHT, VBS, JPG, PNG, GIF, BMP, TIF, DOCX, PPTX, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, JS. If you set the all parameter, any type of files is matched.
Three unsupported file types are deleted: HTM, PPS, and MSG.
Impact of the upgrade: File types HTM, PPS, and MSG are no longer supported.

Original command: [undo] dataflow enable
New command: [undo] dataflow enable
Change description: The command scope is changed. The log sending function does not support virtualization. The command can be used only in the root system.
Impact of the upgrade: The virtual system configuration is the same as the root system configuration, and the function is not affected.

Original command: [undo] dataflow type { traffic [ ipv4 | ipv6 ] | url | content | policy | audit | mail-filtering | av | ips | bwt | aapt | ddos } enable
New command: [undo] dataflow type { traffic [ ipv4 | ipv6 ] | url | content | policy | audit | mail-filtering | av | ips | bwt | aapt | ddos } enable
Change description: The command scope is changed. The format setting of sent logs does not support virtualization. The command can be used only in the root system.
Impact of the upgrade: The virtual system configuration is the same as the root system configuration, and the function is not affected.
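
The sslv3 and file-type rows above are the changes that alter an existing configuration when it is restored after the upgrade. The following pre-upgrade check is an added example, not part of the Huawei guide: it scans a saved configuration for those rows. It assumes configuration lines follow the command syntax printed in the table, that sub-view commands are indented, and that "#" separates sections; the sample configuration, including the "profile type aapt name sandbox1" view header, is constructed.

```python
"""Pre-upgrade audit of a saved configuration (added example, not Huawei code).

Assumptions: lines follow the command syntax printed in the table above,
sub-view commands are indented, and "#" separates configuration sections.
"""
from dataclasses import dataclass

# Commands whose sslv3 keyword the table lists as deleted, mapped to the
# default the guide says is restored after the upgrade.
SSLV3_COMMANDS = {
    ("user-manage", "security", "version"): "TLS1.1 and TLS1.2",
    ("web-manage", "security", "version"): "TLS1.1 and TLS1.2",
    ("ssl", "version"): "TLS11 and TLS12",
}
# Sandbox file types the guide lists as no longer supported.
REMOVED_FILE_TYPES = {"HTM", "PPS", "MSG"}


@dataclass(frozen=True)
class Finding:
    lineno: int    # 1-based line number in the configuration text
    view: str      # enclosing view header, or "system" for top-level lines
    command: str   # the configuration line as written
    issue: str     # what the upgrade changes for this line


def audit_config(text):
    """Return a Finding for every line affected by the listed changes."""
    findings = []
    view = "system"
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped == "#":          # section separator: back to system view
            view = "system"
            continue
        indented = raw[0].isspace()
        current_view = view if indented else "system"
        tokens = stripped.lower().split()
        if tokens[0] == "undo":      # check the command behind an undo form too
            tokens = tokens[1:]

        for prefix, default in SSLV3_COMMANDS.items():
            n = len(prefix)
            if tuple(tokens[:n]) == prefix and "sslv3" in tokens[n:]:
                findings.append(Finding(
                    lineno, current_view, stripped,
                    "sslv3 keyword is deleted; restored default after "
                    f"upgrade is {default}"))

        # The guide's change applies to file-type in the aapt profile view;
        # the enclosing view is reported so the operator can confirm it.
        if tokens[:1] == ["file-type"]:
            hit = sorted({t.upper() for t in tokens[1:]} & REMOVED_FILE_TYPES)
            if hit:
                findings.append(Finding(
                    lineno, current_view, stripped,
                    "file types no longer supported: " + ", ".join(hit)))

        if not indented:             # a top-level line may open a new view
            view = stripped
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
web-manage security version tlsv1.1 tlsv1.2 sslv3
user-manage security version tlsv1.2
#
ssl version tlsv11 sslv3
#
profile type aapt name sandbox1
 file-type pdf htm msg doc
 file-type pe32 zip
#
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.lineno} [{f.view}] {f.command}: {f.issue}")
```

Run it against an exported configuration before the upgrade and resolve each finding on the device, so that the protocol versions and sandbox file types in effect afterwards are the ones you chose.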

1.2.5.3 License Impact

The license can still be used after the upgrade from V500R001C20SPC300 to
V500R001C50SPC100.

1.2.5.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.


NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
regarding the sensitive feature component does not take effect. In this case, you must leave
the configuration unsaved and restart the device. Then, the device will load and save the
configuration to restore services.

1.2.6 Impact of the Upgrade from V500R001C20SPC200

1.2.6.1 Impact of Feature Changes

Change Description of Important Features

Table 1-9 Change Description of security policy


V500R001C20SPC200: Packet discard logs caused by UNRs and PAT port conflicts are not generated.
V500R001C50SPC100: Packet discard logs caused by UNRs and PAT port conflicts are generated. The maintenance method is enhanced.

V500R001C20SPC200: SSL VPN virtualization scenarios are not supported.
V500R001C50SPC100: SSL VPN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported. Only low-end and mid-range models support SSL VPN.

V500R001C20SPC200: The VPN client cannot be separately upgraded and imported to the device.
V500R001C50SPC100: The VPN client can be separately upgraded and imported to the device. Only low-end and mid-range models support SSL VPN.

1.2.6.2 Impact of Command Changes


Table 1-10 New commands


Command Description Impact

Command: [ undo ] user-manage captive-bypass enable
Description: The captive-bypass function is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwloginsucceed
Description: The function of enabling and disabling administrator login success traps is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwloginfailed
Description: The function of enabling and disabling administrator login failure traps is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwlogoutsucceed
Description: The function of enabling and disabling administrator logout success traps is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwlogoutfailed
Description: The function of enabling and disabling administrator logout failure traps is added.
Impact: None.

Command: display snmp-agent trap feature-name manager all
Description: All functions for enabling/disabling administrator-related traps are displayed.
Impact: None.

Command: file download sftp X.X.X.X user-name password app file-name
Description: An app file is downloaded from an SFTP server.
Impact: None.

Command: user-manage delete app XXXX
Description: An app file is deleted.
Impact: None.

Command: [Huawei-diagnose]set emtest delaytime <0-48>
Description: The effective time of the delivery tag is set to 0 to 48 hours.
Impact: This command is used in the equipment phase and is ineffective when used by the customer.

Command: [Huawei-diagnose]display recodetime
Description: The time when the device sets the RTC is displayed.
Impact: None.

Command: display api call-home connection status
Description: This is a new northbound feature.
Impact: None.

Command: display api restconf configuration
Description: This is a new northbound feature.
Impact: None.

Command: display resource global-resource resource-item ipv6 { session | session-rate }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: display resource resource-usage vsys STRING<1-31> resource-item ipv6 { session | session-rate }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: display resource resource-usage resource-item ipv6 { session | session-rate }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: display api netconf session
Description: This is a new northbound feature.
Impact: None.

Command: display api netconf configuration
Description: This is a new northbound feature.
Impact: None.

Command: display api user privilege level
Description: This is a new northbound feature.
Impact: None.

Command: display notification-trap { success | fail }
Description: This is a new northbound feature.
Impact: None.

Command: clear notification-trap record
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging firewall defend ipcar { packet | event | error }
Description: The view of this command is changed from the cli_8f view to the shell view.
Impact: None.

Command: [ undo ] debugging api netconf { packet | event | error | all }
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging api restconf { all | packet | error | event }
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] user-manage captive-bypass enable
Description: This is a new command for commercial Wi-Fi.
Impact: None.

Command: undo firewall ipv6 import-flow public X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo v-gateway public-ip
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: undo v-gateway public-domain
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.


Command: undo v-gateway public ssl version
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: undo v-gateway public ssl ciphersuit
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: undo v-gateway public certificate-server
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: firewall ipv6 import-flow public X:X::X:X X:X::X:X vpn-instance STRING<1-31>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: user-manage delete app { all | STRING<1-256> }
Description: This is a new command for commercial Wi-Fi.
Impact: None.

Command: file download sftp [ source-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-20> STRING<1-31> PASSWORD<1-15> app STRING<1-64>
Description: This is a new function for app promotion.
Impact: None.

Command: api
Description: This is a new northbound feature.
Impact: None.

Command: dataflow local-store sftp-server X.X.X.X port INTEGER<1-65535>
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: dataflow local-store speed INTEGER<1-10000>
Description: The requirement for uploading logs during idle time is added.
Impact: None.


Command: dataflow local-store source-ip X.X.X.X
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: dataflow local-store { sftp | stream }
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: dataflow local-store user STRING<1-20> password PASSWORD<1-256>
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] private [ STRING<1-127> ]
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] public STRING<1-127>
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip new-port INTEGER<0-4294967295> [ new-domain STRING<1-127> ]
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public-ip X.X.X.X
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public-domain STRING<1-127>
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.


Command: v-gateway public ssl version { tlsv10 | tlsv11 | tlsv12 | sslv30 } *
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public ssl ciphersuit allciphersuit
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public ssl ciphersuit custom { aes256-sha | non-aes256-sha } { des-cbc3-sha | non-des-cbc3-sha } { rc4-sha | non-rc4-sha } { rc4-md5 | non-rc4-md5 } { aes128-sha | non-aes128-sha } { des-cbc-sha | non-des-cbc-sha }
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public certificate-server STRING<1-64> enable
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: reset acl ipv6 counter { INTEGER<2000-2999> | INTEGER<3000-3999> | all }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo acl ipv6 { { [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } } | all }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: acl ipv6 [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] nat64 enable
Description: NAT64 supports new virtualization commands.
Impact: None.


Command: [ undo ] nat64 prefix X:X::X:X INTEGER<32-96>
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: [ undo ] nat64 static [ protocol icmp ] X:X::X:X X.X.X.X
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: [ undo ] nat64 static protocol { tcp | udp } X:X::X:X [ INTEGER<1-65535> ] X.X.X.X [ INTEGER<1-65535> ]
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: [ undo ] nat64 icmp need-frag enable
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: undo nat64 static all
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] private [ STRING<1-127> ]
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] public STRING<1-127>
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip new-port INTEGER<0-4294967295> [ new-domain STRING<1-127> ]
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: display performance configuration
Description: The cloud management performance data report function is added.
Impact: None.

Command: display performance collection statistics
Description: The cloud management performance data report function is added.
Impact: None.


Command: display api restconf client
Description: This is a new northbound feature.
Impact: None.

Command: display api restconf client verbose
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging api netconf { agent | server | transapi | ssh | no-validate }
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging ssl-vpn memory
Description: An SVN memory debugging command is added for fault location.
Impact: None.

Command: debugging dataplane nat nat-server [ number INTEGER<8-2048> ]
Description: A NAT Server debugging command is added in the diagnose view.
Impact: None.

Command: debugging ssl-vpn memory print
Description: An SVN memory debugging command is added for fault location.
Impact: None.

Command: undo debugging dataplane nat nat-server
Description: A NAT Server debugging command is added in the diagnose view.
Impact: None.

Command: [ undo ] nat64 enable
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: undo resource-item-limit ipv6 session
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo resource-item-limit ipv6 session-rate
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: resource-item-limit ipv6 session reserved-number INTEGER<1-960000000> [ maximum { equal-to-reserved | unlimited | INTEGER<1-960000000> } ]
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: resource-item-limit ipv6 session-rate INTEGER<1-12000000>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] detect ipv6 { ftp | rtsp | sip }
Description: ASPF6 supports new virtualization commands.
Impact: None.

Command: [ undo ] public-ip destination match enable
Description: The public IP address matching function is added.
Impact: None.

Command: [ undo ] destination-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: [ undo ] destination-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] service protocol { icmpv6 | INTEGER<58-58> } [ icmpv6-type { INTEGER<0-255> { INTEGER<0-255> [ to INTEGER<0-255> ] } &<1-64> | STRING<1-32> } ]
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: destination-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] destination-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] service protocol { icmpv6 | INTEGER<58-58> } [ icmpv6-type { INTEGER<0-255> { INTEGER<0-255> [ to INTEGER<0-255> ] } &<1-64> | STRING<1-32> } ]
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] destination-address range X:X::X:X X:X::X:X
Description: NAT64 supports virtualization.
Impact: None.

Command: [ undo ] destination-address X:X::X:X INTEGER<1-128>
Description: NAT64 supports virtualization.
Impact: None.

Command: [ undo ] source-address range X:X::X:X X:X::X:X
Description: NAT64 supports virtualization.
Impact: None.


Command: [ undo ] source-address X:X::X:X INTEGER<1-128>
Description: NAT64 supports virtualization.
Impact: None.

Command: [ undo ] service protocol { icmpv6 | INTEGER<58-58> } [ icmpv6-type { INTEGER<0-255> { INTEGER<0-255> [ to INTEGER<0-255> ] } &<1-64> | STRING<1-32> } ]
Description: NAT64 supports virtualization.
Impact: None.

Command: nat-type nat64
Description: NAT64 supports virtualization.
Impact: None.

Command: rule [ INTEGER<0-4294967294> ] { permit | deny } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ logging ] | [ time-range STRING<1-34> ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo rule INTEGER<0-4294967294> [ [ source ] | [ logging ] | [ time-range ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo step
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo description
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: step INTEGER<1-20>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: description TEXT0
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: return
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { INTEGER<1-5> | INTEGER<7-16> | INTEGER<18-57> | ipv6 | gre | ospfv3 | INTEGER<59-255> | INTEGER<0-0> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { icmpv6 | INTEGER<58-58> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] | [ icmp6-type { INTEGER<0-255> INTEGER<0-255> | STRING<1-32> } ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { tcp | INTEGER<6-6> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] | [ source-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] | [ destination-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { udp | INTEGER<17-17> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] | [ source-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] | [ destination-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: undo rule INTEGER<0-4294967294> [ [ source ] | [ destination ] | [ icmp6-type ] | [ time-range ] | [ logging ] | [ source-port ] | [ destination-port ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo step
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo description
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: step INTEGER<1-20>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: description TEXT0
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] ssl-connection allow use public-parameter enable
Description: This command is added for SSL VPN virtualization.
Impact: None.

Command: health-check type { tcp | dns | radius } [ tx-interval INTEGER<3-10> | times INTEGER<2-10> | port INTEGER<0-65535> ] *
Description: The port parameter is added.
Impact: None.

Command: health-check type http [ tx-interval INTEGER<3-10> | times INTEGER<2-10> | req-url STRING<1-255> | ept-code INTEGER<0-4294967295> | port INTEGER<0-65535> ] *
Description: The req-url, ept-code, and port parameters are added.
Impact: None.

Command: undo vip X.X.X.X
Description: The virtual server IP address is deleted.
Impact: None.

Command: rule STRING<1-63> os version win10 sp ignore
Description: The Windows 10 operating system is added in the host check function to adapt to client requirements.
Impact: None.

Command: [ undo ] rule STRING<1-63> os version win10 logincheck enable
Description: The Windows 10 operating system is added in the host check function to adapt to client requirements.
Impact: None.

Command: undo api netconf port
Description: This is a new northbound feature.
Impact: None.


Command: undo api { http | https } enable
Description: This is a new northbound feature.
Impact: None.

Command: undo security server-certificate
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] api netconf enable
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] connection aging-time INTEGER<3-7200>
Description: This is a new northbound feature.
Impact: None.

Command: api netconf port INTEGER<830-50000>
Description: This is a new northbound feature.
Impact: None.

Command: api http [ port INTEGER<1025-50000> ] enable
Description: This is a new northbound feature.
Impact: None.

Command: api https [ port INTEGER<1025-50000> ] enable
Description: This is a new northbound feature.
Impact: None.

Command: api call-home host STRING<1-31> { domain STRING<1-64> | ip X.X.X.X } port INTEGER<1-65535> [ source-ip X.X.X.X ]
Description: This is a new northbound feature.
Impact: None.

Command: api user privilege level INTEGER<0-15>
Description: This is a new northbound feature.
Impact: None.

Command: undo api call-home host [ STRING<1-31> ]
Description: This is a new northbound feature.
Impact: None.

Command: undo api user privilege level
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] api call-home connect [ host STRING<1-31> ]
Description: This is a new northbound feature.
Impact: None.

Command: reset api call-home connect [ host STRING<1-31> ]
Description: This is a new northbound feature.
Impact: None.

Command: security server-certificate STRING<1-64>
Description: This is a new northbound feature.
Impact: None.

Command: security version { { sslv3 | tlsv1 | tlsv1.1 | tlsv1.2 } * | all }
Description: This is a new northbound feature.
Impact: None.

Command: return
Description: This is a new northbound feature.
Impact: None.


Table 1-11 Modified commands


Original New Command Change Impact of the
Command Description Upgrade

Original command: display manager-user service-type { ssh | telnet | web | terminal | ftp }
New command: display manager-user service-type { ssh | telnet | web | terminal | ftp | api }
Change description: This is a new northbound feature.
Impact of the upgrade: None.

Original command: [ undo ] debugging tcp-proxy [ adapter | session | ustack | http ] { packet | event | error | all }
New command: [ undo ] debugging tcp-proxy [ adapter | ustack | http ] { packet | event | error | all }
Change description: Session debugging commands are deleted.
Impact of the upgrade: None.

Original command: debugging bandwidth { all | error | packet | event | timer }
New command: debugging bandwidth { all | error | packet | event | timer | netconf }
Change description: This is a new northbound feature.
Impact of the upgrade: None.

Original command: undo debugging bandwidth { all | error | packet | event | timer }
New command: undo debugging bandwidth { all | error | packet | event | timer | netconf }
Change description: This is a new northbound feature.
Impact of the upgrade: None.

Original command: undo nat server { id INTEGER<0-40959> | name STRING<1-256> }
New command: undo nat server { id INTEGER<0-40959> | name STRING<1-256> } [ unr-route ]
Change description: NAT Server supports automatic delivery of new UNR command keywords.
Impact of the upgrade: None.

Original command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
New command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.


Original command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
New command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.

Original command: acl ipv6 { [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } } [ vpn-instance STRING<1-31> ]
New command: acl ipv6 [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } [ vpn-instance STRING<1-31> ]
Change description: IPv6 addresses are supported in virtual systems.
Impact of the upgrade: None.

Original command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
New command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.

Original command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
New command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change description: The map keyword is added to control the enabling report.
Impact of the upgrade: None.

Original command: undo nat server { id INTEGER<0-40959> | name STRING<1-256> | all }
New command: undo nat server { { id INTEGER<0-40959> | name STRING<1-256> } [ unr-route ] | all }
Change description: NAT Server supports automatic delivery of new UNR command keywords.
Impact of the upgrade: None.


Original command: nat server STRING<1-256> [ INTEGER<0-40959> ] [ zone STRING<1-256> ] [ protocol STRING<1-4> ] global X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] inside X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] [ vrrp INTEGER<1-255> ] [ no-reverse ] [ description TEXT0 ]
New command: nat server STRING<1-256> [ INTEGER<0-40959> ] [ zone STRING<1-256> ] [ protocol STRING<1-4> ] global X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] inside X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] [ vrrp INTEGER<1-255> ] [ no-reverse ] [ description TEXT0 ] [ unr-route ]
Change description: NAT Server supports automatic delivery of new UNR command keywords.
Impact of the upgrade: None.

Original command: display cpu-usage history
New command: display cpu-usage { history | core | task }
Change description: The CPU core- and task-based methods for displaying the CPU usage are added.
Impact of the upgrade: None.

Original command: service-manage { http | https | ping | ssh | snmp | telnet | all } { permit | deny }
New command: service-manage { http | https | ping | ssh | snmp | telnet | all | netconf } { permit | deny }
Change description: This is a new northbound feature.
Impact of the upgrade: None.

Original command: service-manage { http | https | ping | ssh | telnet | all } { permit | deny }
New command: service-manage { http | https | ping | ssh | telnet | all | netconf } { permit | deny }
Change description: This is a new northbound feature.
Impact of the upgrade: None.

Original command: port-block-size INTEGER<8-4096> [ extended-times INTEGER<1-3> ]
New command: port-block-size INTEGER<8-16384> { [ extended-times INTEGER<1-3> ] [ port-range INTEGER<256-65535> INTEGER<256-65535> ] }
Change description: The CGN sub-functions are supported.
Impact of the upgrade: None.


Original command: service-type { web | ftp | terminal | telnet | ssh } *
New command: service-type { api | web | ftp | terminal | telnet | ssh } *
Change description: This is a new northbound feature.
Impact of the upgrade: None.

Original command: [ undo ] rule STRING<1-63> antivirus { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 21 | 22 }
New command: [ undo ] rule STRING<1-63> antivirus { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 }
Change description: Antivirus software is added in the host check function to adapt to client requirements.
Impact of the upgrade: None.

Original command: [ undo ] rule STRING<1-63> firewall { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 }
New command: [ undo ] rule STRING<1-63> firewall { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 }
Change description: Firewall software is added in the host check function to adapt to client requirements.
Impact of the upgrade: None.

Table 1-12 Deleted commands


Command: [ undo ] debugging firewall defend ipcar { packet | event | error }
Description: The global view is changed to the user view.
Impact: None.

1.2.6.3 License Impact

The license can still be used after the upgrade from V500R001C20SPC200 to
V500R001C50SPC100.

1.2.6.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC200 to V500R001C50SPC100. Otherwise, these features are unavailable.


NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.7 Impact of the Upgrade from V500R001C20SPC100

1.2.7.1 Impact of Feature Changes

Change Description of Important Features

Table 1-13 Change Description of security policy


V500R001C20SPC100: The firewall system statistics function is disabled by default.
V500R001C50SPC100: The default status of this function is changed from disabled to enabled.

V500R001C20SPC100: The root firewall does not have the worktime time range setting after the configuration is restored.
V500R001C50SPC100: Add the following default setting. time-range worktime period-range 08:00:00 to 18:00:00 working-day.

For detailed change information, see HUAWEI NIP6000&NIP6800&IPS Module
V500R001C50SPC100 Release Notes.

1.2.7.2 Impact of Command Changes


Table 1-14 Modified commands


Original command:
- display link-group
- link-group
- link-group clean
New command:
- display link-group
- link-group
- link-group clean
Change description: The link-group function supports virtualization. Link-groups in the root system and virtual systems are independent.
Impact of the upgrade: If the root system interface and a virtual system interface belong to one link-group, after the upgrade, the interfaces are no longer in the same link-group, and they are not associated. For example, if the root system interface is down, the virtual system interface will not go down. After the upgrade, the root system and virtual system are configured with separate link-groups. Do not configure the interfaces of different virtual systems in one link-group.

1.2.7.3 License Impact

The license can still be used after the upgrade from V500R001C20SPC100 to
V500R001C50SPC100.

1.2.7.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.


NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.8 Impact of the Upgrade from V500R001C00SPC500

1.2.8.1 Impact of Feature Changes

Change Description of Important Features

Table 1-15 Change Description of security policy


V500R001C00SPC500: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC500: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC500: Backup acceleration cannot be disabled on high-end devices.
V500R001C50SPC100: Backup acceleration can be disabled on high-end devices.
undo policy accelerate standby enable.

V500R001C00SPC500: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.

V500R001C00SPC500: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.


V500R001C00SPC500: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported.
In the security policy view, run:
[ undo ] device-classification device-category <device-category-name>
[ undo ] device-classification device-group <device-category-name>
[ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC500: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies.
If the live network uses BFD, but corresponding BFD rules are not configured in the security policies, you need to allow the BFD sessions through in security policy rules. For example:
[sys] ip service-set bfd type object
[sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
[sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
[sys-object-service-set-bfd] quit
[sys] security-policy
[sys-policy-security] rule name allow_bfd
[sys-policy-security-rule-allow_bfd] description BFD
[sys-policy-security-rule-allow_bfd] service bfd
[sys-policy-security-rule-allow_bfd] action permit

1.2.8.2 Impact of Command Changes


Table 1-16 Modified commands


Original command: application name STRING<1-256> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
New command: application name STRING<1-32>/<3-34> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
Description: The command is modified.
Impact of the upgrade: None

Original command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map X.X.X.X
New command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map { X.X.X.X | weight-rule }
Description: A keyword is added.
Impact of the upgrade: None

Original command: server-certificate file-name
New command: server-certificate file-name
Description: Certificate verification is added. If the certificate fails verification, the command cannot be delivered. The configuration will be lost after the upgrade.
Impact of the upgrade: None

Table 1-17 Deleted commands


Command: url-filter [ blacklist-notification | userdefined-notification | predefined-notification | malicious-notification ]
Description: Pushed information is imported from or exported to files, and the command configuration is no longer supported.
Impact of the upgrade: None

Command: [undo] firewall statistic fragment enable
Description: The function is now supported by firewall statistic system enable.
Impact of the upgrade: This command is overwritten by a new command.

Command: [undo] firewall statistic throughput enable
Description: The function is now supported by firewall statistic system enable.
Impact of the upgrade: This command is overwritten by a new command.


1.2.8.3 License Impact

The license can still be used after the upgrade from V500R001C00SPC500 to
V500R001C50SPC100.

1.2.8.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC500 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.9 Impact of the Upgrade from V500R001C00SPC300

1.2.9.1 Impact of Feature Changes

Change Description of Important Features

Table 1-18 Change Description of security policy

V500R001C00SPC300: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC300: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC300: Backup acceleration cannot be disabled on high-end devices.
V500R001C50SPC100: Backup acceleration can be disabled on high-end devices.
undo policy accelerate standby enable.

V500R001C00SPC300: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.


V500R001C00SPC300: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.

V500R001C00SPC300: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported.
In the security policy view, run:
[ undo ] device-classification device-category <device-category-name>
[ undo ] device-classification device-group <device-category-name>
[ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC300: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies.
If the live network uses BFD, but corresponding BFD rules are not configured in the security policies, you need to allow the BFD sessions through in security policy rules. For example:
[sys] ip service-set bfd type object
[sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
[sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
[sys-object-service-set-bfd] quit
[sys] security-policy
[sys-policy-security] rule name allow_bfd
[sys-policy-security-rule-allow_bfd] description BFD
[sys-policy-security-rule-allow_bfd] service bfd
[sys-policy-security-rule-allow_bfd] action permit
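
The BFD change described in Table 1-15 and Table 1-18 can be checked before the upgrade. The following Python script is an added example, not part of the Huawei guide: it reads a saved configuration and reports whether BFD is in use without a permit rule covering UDP destination ports 3784 and 4784. The sample configurations are constructed, the unindented `bfd` lines used to detect BFD are an assumption about the saved-file syntax, and only rules that reference a service set explicitly (as the guide's allow_bfd rule does) are recognised.

```python
import re

BFD_PORTS = (3784, 4784)  # UDP destination ports from the guide's allow_bfd example

SET_RE = re.compile(r"^ip service-set (\S+) type object\s*$")
SVC_RE = re.compile(r"^\s+service \d+ protocol udp\b.*?destination-port (\d+)(?: to (\d+))?")
RULE_RE = re.compile(r"^\s+rule name (\S+)\s*$")

# Constructed saved-configuration fragments (not taken from the guide). The
# unindented "bfd" lines are an assumption about how BFD appears in a saved file.
BFD_SESSION = "bfd\n#\nbfd to_peer bind peer-ip 192.0.2.2\n#\n"
BFD_SERVICE_SET = (
    "ip service-set bfd type object\n"
    " service 0 protocol udp source-port 0 to 65535 destination-port 3784\n"
    " service 1 protocol udp source-port 0 to 65535 destination-port 4784\n"
    "#\n"
)
POLICY_BEFORE = "security-policy\n rule name web_out\n  service http\n  action permit\n#\n"
POLICY_AFTER = (
    "security-policy\n"
    " rule name web_out\n  service http\n  action permit\n"
    " rule name allow_bfd\n  description BFD\n  service bfd\n  action permit\n"
    "#\n"
)
CONFIG_BEFORE = BFD_SESSION + POLICY_BEFORE
CONFIG_AFTER = BFD_SESSION + BFD_SERVICE_SET + POLICY_AFTER


def parse_service_sets(config):
    """Map each service-set name to the UDP destination-port ranges it defines."""
    sets, current = {}, None
    for line in config.splitlines():
        m = SET_RE.match(line)
        if m:
            current = sets.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the service-set view
        elif current is not None:
            m = SVC_RE.match(line)
            if m:
                low = int(m.group(1))
                current.append((low, int(m.group(2) or low)))
    return sets


def parse_rules(config):
    """Return the security-policy rules with their action and service references."""
    rules, in_policy, rule = [], False, None
    for line in config.splitlines():
        if not line.startswith(" "):
            in_policy, rule = line.strip() == "security-policy", None
            continue
        words = line.split()
        if not in_policy or not words:
            continue
        m = RULE_RE.match(line)
        if m:
            rule = {"name": m.group(1), "action": None, "services": []}
            rules.append(rule)
        elif rule and words[0] == "service":
            rule["services"].extend(words[1:])
        elif rule and words[0] == "action" and len(words) > 1:
            rule["action"] = words[1]
    return rules


def bfd_upgrade_check(config):
    """Report whether BFD is in use and which BFD ports no permit rule covers."""
    bfd_in_use = any(re.match(r"bfd(\s|$)", line) for line in config.splitlines())
    sets = parse_service_sets(config)
    covered, permitting = set(), []
    for rule in parse_rules(config):
        if rule["action"] != "permit":
            continue
        ports = {p for name in rule["services"] for low, high in sets.get(name, [])
                 for p in BFD_PORTS if low <= p <= high}
        if ports:
            covered |= ports
            permitting.append(rule["name"])
    missing = sorted(set(BFD_PORTS) - covered)
    return {"bfd_in_use": bfd_in_use, "permitting_rules": permitting,
            "missing_ports": missing, "needs_rule": bfd_in_use and bool(missing)}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, bfd_upgrade_check(cfg))
```

A result with needs_rule set to True means the configuration should be reviewed by hand before the upgrade, because rules that match any service are not evaluated by this script.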

1.2.9.2 Impact of Command Changes


Table 1-19 Modified commands


Original command: application name STRING<1-256> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
New command: application name STRING<1-32>/<3-34> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
Description: The name length of a predefined application is shortened.
Impact of the upgrade: None

Original command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map X.X.X.X
New command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map { X.X.X.X | weight-rule }
Description: A keyword is added.
Impact of the upgrade: None

Original command: server-certificate file-name
New command: server-certificate file-name
Description: Certificate verification is added. If the certificate fails verification, the command cannot be delivered. The configuration will be lost after the upgrade.
Impact of the upgrade: None

Table 1-20 Deleted commands


Command: url-filter [ blacklist-notification | userdefined-notification | predefined-notification | malicious-notification ]
Description: Pushed information is imported from or exported to files, and the command configuration is no longer supported.
Impact of the upgrade: None

1.2.9.3 License Impact

The license can still be used after the upgrade from V500R001C00SPC300 to
V500R001C50SPC100.

1.2.9.4 Impact of Sensitive Features


Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

1.2.10 Other Upgrade Impacts


1. Impact on NLOG:

Table 1-21 NLog system difference description


| Version | Version | Whether Support the Upgrade to V500R001C50SPC100 | Difference from the Source Version |
|---|---|---|---|
| V500R001C00 | No | Yes | Difference from the Source Version |
| V500R001C20SPC100 | Yes | Yes | None |
| V500R001C20SPC200 | Yes | Yes | None |
| V500R001C20SPC300 | Yes | Yes | None |
| V500R001C30SPC100 | Yes | Yes | None |
| V500R001C30SPC200 | Yes | Yes | None |
| V500R001C30SPC300 | Yes | Yes | None |
| V500R001C50 | Yes | Yes | None |

Upgrade Description:


Upgrade with a hard disk:


i. Upgrade V500R001 to V500R001C50SPC100.
ii. After the device is started and the hard disk is online, run the update log
database command to update the log database.

NOTICE
1. After the manual update is complete, you can query history logs and reports, but
cannot roll back the system.
2. Manual update will overwrite the logs of the source version with new logs. Therefore,
you are advised to manually update the log database immediately after upgrading the
system software if the customer does not require version rollback.
3. The time and time zone after the upgrade must be correct.

2. Impact on MIB nodes:


Use the mapping MIB database.
3. Impact on mapping devices:
Upgrade the mapping devices or software to corresponding versions.

Table 1-22 Product version


| Product | Name | Version |
|---|---|---|
| Network management software (NMS) | eSight | V300R007C00 |
| FireHunter | FireHunter | V100R001C60 |
| Log system | LogCenter | V100R001C20SPC205 |
| Controller | Agile Controller-Campus | V200R003C20 |
| | Agile Controller-DCN | V300R001C10 |
| | Agile Controller-Cloud Manager | V200R002C00 |
| Policy Center | Policy Center | V100R003C10 |
| Inspection tool | eDesk | V100R001C00SPC300 |
| Configuration conversion tool | | V100R006C00B023 |

4. Impact on the signature databases:


After the software version is upgraded, you must upgrade the signature databases as well.


5. Impact on patch upgrade:

NOTICE
All patches cannot be upgraded.
The patch loading procedure is the same for hot-standby and single-device scenarios.
Whether the patch is first loaded to the active or standby device does not affect the patch
loading effect.

1.3 Upgrading Version Software in Single-System

1.3.1 Upgrade Schemes


When you upgrade the software version while the device is running, you need to restart the
device to make the new software version effective, which interrupts services.
When to restart the device for the upgrade depends on your requirements. Choose a suitable
upgrade time to minimize the impact on services.

Table 1-23 Update Mode


Update mode: Web
Usage scenario: When the device is running normally and carries service traffic, users familiar with graphical interfaces can use this mode for the upgrade.
Advantages: This mode applies to all upgrade scenarios. The GUI provides easy operation with visible effects and exerts minimal impacts on services.
Prerequisites: This mode applies to all upgrade scenarios. The GUI provides easy operation with visible effects and exerts minimal impacts on services.
Location in the document: Upgrade Through Web


Update mode: CLI (recommended)
Usage scenario: When the device is running normally and carries service traffic, the CLI is recommended for the upgrade.
Advantages: All versions support this mode. The procedure is simple and exerts a small impact on services.
Prerequisites: The network must transmit upgrade files properly during the upgrade. The device needs to be configured as an FTP server, or a third-party FTP server program needs to be configured.
Location in the document: Upgrade Through CLI

Update mode: BootROM
Usage scenario: When the device cannot be started or the version software is faulty, use this mode for the upgrade.
Advantages: When the device fails and loading system software fails, the upgrade can be performed only in this mode.
Prerequisites: The RS-232 cables are used to connect the serial port of the PC and Console port of the device. The network must transmit upgrade files properly, and therefore the third-party FTP server program is required.
Location in the document: Appendix A: Upgrading System Software Using BootROM

1.3.2 Precautions

Precautions
During the upgrade, take the following precautions:
- Ensure a stable power supply during the upgrade and avoid power failures. If the
  device cannot start normally after a power failure, try to upgrade in BootROM mode. For
  details, see Appendix A: Upgrading System Software Using BootROM.
- The registration of boards takes a period of time. After the device is restarted, do not
  perform any operations until all the boards are registered. When you run the display
  device command to display the registration status of a board, Registered is displayed in
  the Register field and Normal is displayed in the Status field.

1.3.3 Upgrade Flow


Figure 1 shows the flow for upgrading to V500R001C50SPC100 from an earlier version.

Figure 1-1 Upgrade flowchart

NOTE

For details on how to upgrade the version software using BootROM, see Appendix A: Upgrading
System Software Using BootROM.

Table 1 lists the description of each step during the upgrade.

Table 1-24 Preparation before the upgrade

Category: Information collection

Item: Part information
Operation: Run the display device and display esn commands.
Objective: To collect hardware information including the BOM code.

Item: Version information
Operation: Run the display version command.
Objective:
- To collect the software version information.
- Check whether the associated NMS needs to be upgraded. If the NMS version does not match, do not perform the upgrade.

Item: License information
Operation: Run the display license command.
Objective: To collect the license information.


Category: Data backup

Item: Configuration file
Operation:
- Web: Save the configuration file and export it to a local PC
- CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used configuration file.

Item: Software version
Operation:
- Web: Save the configuration file and export it to a local PC
- CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used software package.

Item: License file (license.dat)
Operation: CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used license file.

Item: Patch file
Operation: CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used patch file.

Item: Sensitive Feature Component Packages
Operation: CLI: Save the configuration file and export it to a local PC
Objective: To back up the sensitive feature component files loaded in the system (upgrade from V500R001 or later versions).

Item: (Optional) License file
Operation: Obtaining Upgrade Files
Objective: V500R001C50SPC100 license file

Item: (Optional) Sensitive feature component package
Operation: Downloading Sensitive Feature Component Packages
Objective: To download the sensitive feature component package.

Item: (Optional) Signature database update file
Operation: Obtaining Upgrade Files
Objective: To update the signature databases.

Category: Configuration analysis

Item: License file analysis
Operation: See license impact in Upgrade Impact
Objective: To analyze the display license command output and check whether the license file needs to be converted or merged according to the description in section License Impact.


Item: Configuration conversion analysis
Operation: See "Impact of Sensitive Features" in Upgrade Impact
Objective:
- To search the configuration for sensitive features in V500R001 based on keywords in the current version according to section Impact of Sensitive features. These features are license-controlled in V500R001, and you must re-sign a contract with the customer for a new license file. You need to merge the new license file with the original one. The sensitive feature component package needs to be separately downloaded and loaded based on the license.
- To obtain the sensitive feature component package.

Operation:
- Web: Tool-based Configuration Conversion
- CLI: Tool-based Configuration Conversion
Objective: To use the configuration conversion tool to convert the configuration.

Item: Importing files for the upgrade
Operation:
- Web: Manual Configuration Conversion
- CLI: Manual Configuration Conversion
Objective: To analyze the tool-based configuration conversion result and manually convert the commands that cannot be converted using the tool.

Operation:
- Web: Configuration Verification
- CLI: Configuration Verification
Objective: To verify the converted configuration on physical devices.

Operation:
- Web: Importing Files for the Upgrade
- CLI: Importing Files for the Upgrade
Objective:
- To import the license file.
- To import the configuration file.
- To import the sensitive feature component package.
- To specify the startup configuration file.


Category: Upgrade operations (operations performed after the device is isolated from the service environment)

Item: Upgrade to V500R001
Operation:
- WEB: Upgrade to V500R001
- CLI: Upgrade to V500R001
Objective:
- Restart the device to complete the upgrade to V500R001.
- To specify the startup configuration file.
- To load the license file for V500R001 but do not save the configuration.

Category: Upgrade Verification

Item: Upgrade Verification
Operation:
- WEB: Upgrade Result Verification
- CLI: Upgrade Result Verification
Objective: Upgrade Result Verification.

Category: Version Rollback

Item: Version Rollback
Operation: Version Rollback
Objective:
- To import backup data.
- To specify the configuration file for the next startup.
- (Optional) To apply for the license of the source version and activate it.

1.3.4 Upgrade Through Web

1.3.4.1 Preparing for the upgrade

1.3.4.1.1 Preparing the Upgrade Environment

Prerequisites
To upgrade system software using the Web UI, upload the system software to the CF card of
the properly operating NIP6300/6600, specify the system software to be used at the next
startup, and restart the NIP6300/6600.

The premise is that you have logged in to the Web environment using the Web UI. If the login
using the Web UI is not configured, log in to the NIP6300/6600 using the console port to
configure the Web environment. For configuration details, see Setting Up an Environment
for Upgrading System Software Using Web.


By default, the device allows an administrator to log in to the web UI using HTTPS.

NOTE

The network using two PCs is used as an example to facilitate description. You can also use a
single PC as both the Telnet/SSH client and the HTTPS client.

Preparing the Upgrade Tool


Prepare the following tools for the upgrade:

- Login tool
  Login tools help you log in to the device on the Web UI. This document uses the tool in
  Windows (Windows XP+SP2) as an example. The browser of the PC must meet any of
  the following requirements:
  Internet Explorer: version 8.0 or later
  Firefox (recommended): version 10.0 or later
  Chrome: version 17.0 or later
- File comparison tool
  A file comparison tool is used to compare the configuration files before and after the
  upgrade. Use proven third-party tools, such as Beyond Compare.

Preparing the Upgrade Environment in Web Mode


As shown in Figure 1, the NIP6300/6600 is configured as the Web server and the version
software is located on PC2. On PC2, log in to the NIP6300/6600 using the browser and then
upload the version software to the CF card of the NIP6300/6600 through Web.

Figure 1-2 Schematic diagram of the NIP6300/6600 serving as the Web server

The Web service is enabled on the NIP6300/6600 by default. You can use the IP address
192.168.0.1 of interface GigabitEthernet 0/0/0 on the NIP6300/6600 and the default user
name admin and password Admin@123 to log in to the web UI of the NIP6300/6600 through
HTTPS. If you have disabled the Web service or deleted the default user, do as follows to
reconfigure the service.


NOTE

You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To
facilitate description, the network using two PCs is used as an example. The following steps apply to this
two-PC network.

Do as follows to configure the NIP6300/6600 as the Web server:

Procedure
Step 1 On PC1, log in to the CLI of the NIP6300/6600 through Telnet or SSH.
You are advised to use interface GigabitEthernet 0/0/0 on the NIP6300/6600 for login.
By default, the IP address for interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is
admin, and the password is Admin@123.

Step 2 Enter the system view and start the Web service. Configure a user with user name webuser
and password Admin@1234, and set the level of the Web user. You can use other user names and
passwords as required.
<NIP> system-view
[NIP] web-manager enable
[NIP] web-manager security enable port 8443
[NIP] aaa
[NIP-aaa] manager-user admin
[NIP-aaa-manager-user-admin] password cipher Admin@1234
[NIP-aaa-manager-user-admin] service-type web telnet ssh
[NIP-aaa-manager-user-admin] level 15
[NIP-aaa-manager-user-admin] quit
[NIP-aaa] quit
[NIP] interface GigabitEthernet0/0/0
[NIP-GigabitEthernet0/0/0] service-manage enable
[NIP-GigabitEthernet0/0/0] service-manage http permit
[NIP-GigabitEthernet0/0/0] service-manage https permit
[NIP-GigabitEthernet0/0/0] quit

Step 3 Log in to https://192.168.0.1 using Internet Explorer on PC2 to verify the configurations.

If the login page of the Web server is displayed in the browser and the login with admin and
Admin@1234 succeeds, you can log in to the Web server normally.

After the configuration is verified, you can either keep this connection for further use, or exit
from the Web server and log in again when required.

----End
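
A hardening review of the Step 2 configuration, as an added example that is not part of the Huawei guide: a Python audit that reads the session above (or a saved configuration) and lists where cleartext management protocols are allowed. Treating `web-manager enable` without `security` as the HTTP service is an assumption not stated on this page, and `HARDENED_CONFIG` is a constructed sample.

```python
import re

# Management protocols that carry credentials unencrypted.
CLEARTEXT = ("http", "telnet", "ftp")

# The Step 2 session from the guide, prompts included.
STEP2_SESSION = """\
<NIP> system-view
[NIP] web-manager enable
[NIP] web-manager security enable port 8443
[NIP] aaa
[NIP-aaa] manager-user admin
[NIP-aaa-manager-user-admin] password cipher Admin@1234
[NIP-aaa-manager-user-admin] service-type web telnet ssh
[NIP-aaa-manager-user-admin] level 15
[NIP-aaa-manager-user-admin] quit
[NIP-aaa] quit
[NIP] interface GigabitEthernet0/0/0
[NIP-GigabitEthernet0/0/0] service-manage enable
[NIP-GigabitEthernet0/0/0] service-manage http permit
[NIP-GigabitEthernet0/0/0] service-manage https permit
[NIP-GigabitEthernet0/0/0] quit
"""

# Constructed saved-configuration fragment with only encrypted management access.
HARDENED_CONFIG = """\
web-manager security enable port 8443
aaa
 manager-user admin
  service-type web ssh
  level 15
#
interface GigabitEthernet0/0/0
 service-manage enable
 service-manage https permit
 service-manage ssh permit
#
"""

# Leading CLI prompt such as "[NIP-aaa]" or "<NIP>"; absent in saved configurations.
PROMPT_RE = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")


def audit_management_plane(text):
    """Return (scope, finding) pairs for cleartext management access.

    Accepts a CLI session with prompts or a saved configuration. The current
    manager-user or interface is taken from the most recent line that enters
    that view, and is cleared by "quit", "return" or a "#" separator.
    """
    findings, scope = [], None
    for raw in text.splitlines():
        words = PROMPT_RE.sub("", raw).split()
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword in ("manager-user", "interface") and args:
            scope = (keyword, " ".join(args))
        elif keyword in ("quit", "return", "#"):
            scope = None
        elif words[:2] == ["web-manager", "enable"]:
            findings.append(("global", "web-manager enable: HTTP management is on"))
        elif keyword == "service-type" and scope and scope[0] == "manager-user":
            for proto in args:
                if proto in CLEARTEXT:
                    findings.append((" ".join(scope), "service-type allows " + proto))
        elif keyword == "service-manage" and scope and scope[0] == "interface":
            # "all permit" also opens the cleartext protocols on the interface.
            if args[-1:] == ["permit"] and (args[0] in CLEARTEXT or args[0] == "all"):
                findings.append((" ".join(scope), "service-manage permits " + args[0]))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_management_plane(STEP2_SESSION):
        print(scope + ": " + finding)
```

An empty result, as returned for HARDENED_CONFIG, means that only HTTPS and SSH management access was found in the input.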

1.3.4.1.2 Obtaining Upgrade Files

Context
Obtain the following files for the upgrade:

1. System software file
The file name extension is .bin. This document uses NIPV500R001C50SPC100.bin
(about 196,369,777 bytes, MD5: 83bfa0e68390f05b8812b7c884de1ece) and
NIPV500R001C50SPC100PWE.bin (about 172,735,857 bytes) as examples.
2. (Optional) License file
The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file
only if you need to apply for a license.


3. (Optional) Sensitive Feature Component Package
The file name extension is .mod. You can obtain the file from http://sec.huawei.com/sec.
If the device does not require any content security or the signature database can be
upgraded in online mode, the signature database file is not required.
4. (Optional) Local signature database file
The file name extension is .zip. You can obtain the file from http://sec.huawei.com/sec.
If the device does not require any content security or the signature database can be
upgraded in online mode, the signature database file is not required.
Save the file into the root directory (such as D:\Web) of PC2 that serves as a Web browser.
You can specify another directory as required.
Obtain the following documents for reference during the upgrade. For example, to upgrade
NIP6000&NIP6800&IPS Module V500R001C50SPC100, obtain the following documents:
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Release Notes

Procedure
Step 1 Access the home page of http://support.huawei.com/enterprise.
Step 2 If you are not a registered member of the website, perform Step 3 to register. If you are a
registered member, go to Step 4.
Step 3 Click Register and register as prompted. If the registration succeeds, you will receive your
user name and password.
Step 4 Enter the user name, password, and verification code. Then click Login.
Step 5 After login, choose Support > Software > Enterprise Networking > Security > Firewall &
VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.

----End

1.3.4.1.3 Downloading Content Feature Component Packages

Context
Content feature component packages are not released along with the software package. You
must access the security center website and load the packages in online mode, or download
and load them locally.
In V500R001C50SPC100, the following content features compose the content security
component package: application behavior control, SSL decryption, and URL logging.

Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec. (Internet Explorer: version 8.0
or later or Firefox)
Step 2 Expand the NIP6300/6600 Series tab and select the product model and version, such as
NIP6680 - V500R001C50SPC100.


Step 3 Select and download the component package. The component packages are as follows:
CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.

NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content feature
component packages.
The content feature component package to be loaded must be compatible with the system software.

----End

1.3.4.1.4 Querying the Current System Software

Context
The premise is that you have logged in to the Web environment of the device from PC2 using
the Web UI. On the Web UI, you can query the current system software and perform
subsequent operations.
After login, you can query the version information of the running system software in System
Information on the DashBoard page, as shown in figure 1. V500R001C50SPC100 is used as
an example.


Figure 1-3 Interface for displaying system information

Click Upgrade at the right side of Version, as shown in figure 2, to query the existing system
software. Record the system software file name for file backup.

Figure 1-4 System update

NOTE

The root directory of the CF card is hda1:/. You can use the system software on the CF card to start the
device.

1.3.4.1.5 Checking the Use of Licenses


Context
If no license-controlled function, such as content security function (intrusion prevention/anti-
virus/pre-defined URL category query) is used, skip this section.

The licenses can be either commercial or non-commercial:


• Commercial license
A commercial license is purchased under contract.
• Non-commercial license
A non-commercial license is used for test only and is valid usually for three months.
After the version is upgraded to V5, the license validity also has impact on the service
availability after the upgrade. Ensure that the current license is within its validity period.

Procedure
Step 1 Check information about the current license. You do not need to apply for another license if
the current license has not expired or no function needs to be added. After login, you can
query the license information in License Information on the DashBoard page, as shown in
figure 1:

Figure 1-5 License information

The preceding information is about an activated license file. Service Expire Time in the
figure indicates the expiry time of the IPS/AV signature database upgrade service or the URL
predefined category query service, not the expiry time of the license file.
Use the Notepad on the PC to open and check the license file. license.dat is used only as an
example. In practice, replace license.dat with the actual file name:
........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"

Comment=",,V544HUP32MUW-7W4A"

Sign=3694DA7AE8190BF77FC8D6A08689E64DCDC1CDB8AE70E625AF2490B755A828D1619795F892C
7708CCDD512AADC816D2C6074CEF5FCFB18305CC6FF87DC2E9E0F1F84C65511344DA2BB3C1F4BD92
B2EECEB8670DDC42DC83385D8DC36B8547638653FFC7CE27A1A09943936B79C3152D73C8C416583F
01B3413518B4B9110A53C9C673C1A56CE6C6FC70877DA393131A6161A4380CA0FF3FEE8E0982ADD3
5E53834F649BF1CC36F4AA6C8BAFE75582A2C5E0D22442F0E929A3A16CC876D2EA0B7932499718F3
2951238DB8BE8D6B31EEEB53CFC34646B2A48A884DEB9DE6569ACC3AA4CBE02214FAED74ACFA66C8
E3191930F53F941BDEED02A717F6154ABB6BC
........


Note the fields in bold of the Attrib attribute. COMM indicates a commercial license and
2014-06-04 indicates the expiry date of the license.
If the license expires, contact Huawei technical support personnel.
Step 2 Apply for a license file. For details on how to apply for a license file, see Appendix :
Applying for a License.
After you obtain the license file, save it in the same directory as the system software.
NOTICE
• Each license file corresponds to one equipment serial number (ESN).
• To successfully activate a license file, ensure that the name of the license file (including
the complete absolute path) does not exceed 64 characters. It is recommended that the
name of the license file be as short as possible without spaces.

----End
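The checks described in this section (license type and expiry date in Attrib, the ESN binding, and the 64-character path rule) can be run against a license file before upload. The following is an added example, not part of the original guide or of Huawei tooling. The sample text is constructed from the listing above with a shortened Sign value; the function names, the result labels, and treating the license as valid through its expiry date are assumptions.

```python
import re
from datetime import date

# Constructed sample following the layout shown in the guide (Sign shortened).
SAMPLE_LICENSE = """\
........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Comment=",,V544HUP32MUW-7W4A"
Sign=3694DA7AE8190BF77FC8D6A0
8689E64DCDC1CDB8AE70E625
........
"""

MAX_PATH_LEN = 64  # limit from the guide's NOTICE (name including absolute path)


def parse_license(text):
    """Return the Key=Value fields of a license file as a dict, quotes stripped.

    Wrapped continuation lines of Sign and the '........' filler are ignored.
    The Sign value is not verified here.
    """
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z]+)\s*=\s*(.*?)\s*$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip('"')
    return fields


def check_license(text, device_esn, path, today):
    """Return {'commercial', 'expiry', 'problems'} for one license file.

    device_esn: ESN of the target device (each license file is bound to one ESN).
    path:       full path the file will have when it is activated.
    today:      datetime.date used for the expiry comparison.
    """
    fields = parse_license(text)
    attrib = fields.get("Attrib", "").split(",")
    if len(attrib) < 2:
        raise ValueError("Attrib field missing or malformed")
    # Per the guide: first Attrib field is the license type, second the expiry date.
    expiry = date.fromisoformat(attrib[1])  # raises ValueError on a bad date
    problems = []
    if expiry < today:  # assumption: the license is valid through its expiry date
        problems.append("expired")
    if fields.get("Esn") != device_esn:
        problems.append("esn-mismatch")
    if len(path) > MAX_PATH_LEN:
        problems.append("path-too-long")
    if " " in path:  # the guide recommends names without spaces
        problems.append("path-has-spaces")
    return {"commercial": attrib[0] == "COMM", "expiry": expiry, "problems": problems}


if __name__ == "__main__":
    result = check_license(SAMPLE_LICENSE, "030UEKZxxxxxxxxx",
                           "hda1:/license.dat", date.today())
    print(result)
```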

1.3.4.1.6 Checking the Device Operating Status

Prerequisites
After you log in to the Web UI, check the device operating status on the Dashboard page.

Checking the CPU, Memory, and Storage Space Usage


View System Resource on the Dashboard page, as shown in figure 1:

Figure 1-6 Displaying device resource information

Checking System Information


View System Information on the Dashboard page, as shown in figure 2:


Figure 1-7 Displaying system information

Checking Device Status and Interface Traffic Information


View Device Information on the Dashboard page, as shown in figure 3:

Figure 1-8 Displaying the device status

View Traffic History on the Dashboard page, as shown in figure 4:


Figure 1-9 Displaying interface traffic statistics

Checking Alarms and Logs


View Alarm Information on the Dashboard page, as shown in figure 5:

Figure 1-10 Displaying alarm information

View Syslog List on the Dashboard page, as shown in figure 6:


Figure 1-11 Displaying system log information

1.3.4.1.7 Collecting Device Diagnosis Information

Context
The diagnosis information contains the output of multiple commonly-used display
commands. You can check the operating status of each device module.
On the Web UI, choose Monitor > Diagnosis Center > Diagnosis Infomation. Click Collect
to view device diagnosis information, as shown in figure 1. You can also save the diagnosis
information to a text file.


Figure 1-12 Information collecting

You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 2:

Figure 1-13 Displaying or exporting diagnosis information

1.3.4.1.8 Checking the Service Operating Status


Checking System Statistics


On the Web UI, choose Monitor > System Statistics to check system statistics as shown. By
viewing system statistics, you can learn about statistics on sessions and sent/received/
discarded packets of the system. You can use these statistics to determine whether services are
normal.

Figure 1-14 Displaying system statistics

1.3.4.1.9 Saving and Backing Up Important Data

Context
Important data includes the current system software, configuration file, license file, patch file,
diagnosis file, and signature file.

NOTE

The license file, signature file, and sensitive feature component package cannot be exported from
webpages. See Performing the Upgrade Using the CLI.

On the Web UI, you can use One-Touch Version Upgrade to back up important data before
the upgrade.

Procedure
Step 1 Display the System Update page. On the Web UI, choose System > System Upgrade. On the
System Upgrade page, click One-Touch Version Upgrade, as shown in figure 1:


Figure 1-15 Displaying the System Update page

Step 2 Back up important data.

NOTICE
You need to save the configuration file before backing it up.

On the One-Touch Version Upgrade page, you can export alarms, logs, and configurations
and save configurations, as shown in figure 2.

Figure 1-16 Interface for displaying upgrade preparation

----End

1.3.4.1.10 Configuration Conversion


Manual Configuration Conversion

NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.

Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.

Convert the commands starting with **** according to NIP6000&NIP6800&IPS Module
V500R001C50SPC100 Command Manual Conversion Guide.
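Reviewing a long conversion result file by eye makes it easy to miss a marker. The following added example (not part of the original guide or of the Huawei conversion tool) lists every **** and @@@@ line with its line number and enclosing view, and produces a cleaned file only when no **** command remains and every @@@@ deletion has been approved. The sample text is constructed from the guide's example; the function names and the assumption that views start at an unindented line and end at # are the example's own.

```python
# Constructed conversion result, modelled on the example in the guide.
SAMPLE_RESULT = """\
profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other
  target both
  severity low medium high
  protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
"""

MANUAL = "****"       # command must be converted by hand
UNSUPPORTED = "@@@@"  # command is not supported in V500R001


def triage(text):
    """Return (manual, unsupported) as lists of (line_number, view, command).

    view is the last unindented, unmarked line seen before the marker, which
    tells the reviewer where the command lives. It is reset at each '#'.
    """
    manual, unsupported = [], []
    view = ""
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped.startswith(MANUAL):
            manual.append((number, view, stripped[len(MANUAL):].strip()))
        elif stripped.startswith(UNSUPPORTED):
            unsupported.append((number, view, stripped[len(UNSUPPORTED):].strip()))
        elif stripped == "#":
            view = ""
        elif stripped and not raw[0].isspace():
            view = stripped
    return manual, unsupported


def finalize(text, approved):
    """Return the configuration with the @@@@ lines removed.

    approved is the set of @@@@ line numbers whose deletion has been confirmed
    (the guide asks for confirmation with the customer). Raises ValueError if
    any **** command is still present or any @@@@ line is not approved.
    """
    manual, unsupported = triage(text)
    if manual:
        raise ValueError("unconverted **** commands on lines %s"
                         % [n for n, _, _ in manual])
    drop = {n for n, _, _ in unsupported}
    pending = sorted(drop - set(approved))
    if pending:
        raise ValueError("@@@@ lines not approved for deletion: %s" % pending)
    kept = [line for n, line in enumerate(text.splitlines(), start=1)
            if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    todo, remove = triage(SAMPLE_RESULT)
    for number, view, command in todo:
        print("convert manually, line %d in [%s]: %s" % (number, view, command))
    for number, view, command in remove:
        print("confirm deletion, line %d: %s" % (number, command))
```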

Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of configuration must be consistent. If the verification
environment is unavailable on the site, you are advised to contact technical support engineers
for support.

1.3.4.1.11 Checking the Remaining Space of the CF Card

Checking the Remaining Space


On the One-Touch Version Upgrade page, the remaining space of the CF card is displayed,
as shown in figure 1. Ensure that the CF card has sufficient space to store the system software
to be upgraded.


Figure 1-17 Displaying the remaining space of the CF card

NOTICE
If the remaining available space of the CF card is insufficient during the one-touch version
upgrade, the system automatically deletes the running system software.

Deleting Unnecessary System Software Packages


If the remaining space of the CF card is smaller than the size of the target system software,
delete unnecessary files.
On the System Upgrade page, click Select. On the System Software Management page that
is displayed, select the unnecessary system software packages and click Delete, as shown in
figure 2:

Figure 1-18 Deleting unnecessary system software packages


NOTE

Because the size of system software (*.bin files) is large, deleting unwanted system software can greatly
save the space on the CF card. You can delete the software that is running.

1.3.4.2 Upgrade Flow

Context

Figure 1-19 Flowchart of the version software upgrade through the Web

Procedure
Step 1 On PC2, open the Internet Explorer, access https://192.168.0.1, and enter user name admin
and password Admin@1234 to log in to the NGFW. User name admin and password
Admin@1234 are used as an example. You can set another user name and password as
required.
Step 2 Upload the system program.

NOTICE
Ensure that a configuration conversion tool is used to convert the original configuration file to
a configuration file applicable to the target version. For details, see Configuration
Conversion.
After the upload succeeds, the Configuration File Management page is displayed. The
available configuration files are listed on the page. Check whether the size of the uploaded
file in the list and the size of the file on PC2 are the same. If not, upload the file again.

1. Choose System > Configuration File Management. You can view configuration file
information in Current System Software and Next Startup System Software.


Figure 1-20 Viewing configuration file information

2. Click Select for the Next Startup System Software. The Configuration File
Management page is displayed. Click . The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.

Figure 1-21 Uploading the configuration file

3. Click Browse..., select the configuration file (must be a .cfg file or .zip file) to be
uploaded, and click Upload. The name of the file to be uploaded cannot be the same as
the name of any existing file in the CF card.

During the upload, do not close the Internet Explorer.

Step 3 Specify the configuration file to be used for the next startup. On the Configuration File
Management page, click of the uploaded file and then click OK to specify the file as the
configuration file for the next startup.

Step 4 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.

Choose System > License Management and use Local Manual Activation to upload a
license file and activate it.

Step 5 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the
content security function.


If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 6 Upload the system software.
1. Choose System > System Upgrade. You can view system software information in
System Software.

Figure 1-22 Viewing system software information

2. Click Select for System Software. The System Software Management page is
displayed.
Click . The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.
Upload a file.


Figure 1-23 Uploading a file

NOTICE
The name of the file to be uploaded cannot exceed 48 characters.
After the upload succeeds, the System Software Management page is displayed. The
corresponding files are listed on the page. Check whether the size of the uploaded file in
the list and the size of the file on PC2 are the same. If not, upload the file again.

3. Click Browse..., select the system software (must be a .bin file) to be uploaded, and click
Upload. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card.
During the upload, do not close the Internet Explorer.
If the file fails to be uploaded, the uploaded incomplete file cannot be deleted immediately.
Therefore, you need to delete the incomplete file after the device is restarted.
Step 7 Specify the system software to be used for the next startup.

On the System Software Management page, click of the uploaded file and then click OK
to specify the file as system software for the next startup.
Step 8 Restart the device.


Figure 1-24 reboot

NOTE

If the configuration file for the next startup is imported, restart the device without saving the running
configuration. Otherwise, the running configuration will overwrite the imported configuration.
If sensitive features are not involved, the upgrade to V500R001C50SPC100 is complete. Otherwise, go
to the next step.

Step 9 (Optional) Upgrade sensitive features.


NOTE

• Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
• Ensure that the device can access the security center directly or through a proxy server.
• Configure a security policy to permit HTTP and FTP packets when the device directly connects to
the security center or permit HTTP packets when the device connects to the security center through a
proxy server. For details, see the description of security policies and content security in
NIP6000&NIP6800&IPS Module V500R001C50SPC100 Administrator Guide.
• Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly resolve http://sec.huawei.com.
• Upgrading V500R001 to V500R001C50SPC100.
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup

Cloud sandbox component package


install-module CSB_H50010000_yyy.mod next-startup

1. Move the pointer to on the lower right of the page and click to open
the CLI console. Click any space on the page. If the command prompt <sysname> is
displayed, you can perform configurations on the CLI.
2. After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is
INSTALL_OK, the component package has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module        Version   InstallTime                 PackageName
------------------------------------------------------------------------
ConSecGroup   1.0.0.0   2015-12-23 11:13:37+00:00   CSG_H50010000_2015123023.mod
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -

NOTICE
If the configuration file for the next startup is imported, restart the device without
saving the running configuration. Otherwise, the running configuration will overwrite
the imported configuration.
For the upgrade from V500R001C00 to V500R001C50SPC100, if the configuration
file is not imported, you are advised to save the current configurations before
restarting the device.

Step 10 Now, the upgrade to V500R001C30 is complete. The optional follow-up task is to restore and
test services.

----End

1.3.4.3 Upgrade Result Verification

Checking the Running Software Version


After the device is started, log in to the web UI, choose System > System Upgrade, and view
information about the running system version.

You can click Details to view detailed version information.

NOTE

If the login page fails to be displayed, clear the browser cache or use another browser.

Figure 1-25 Viewing the running system version

In System Software, you can view the running system version and the version for the next
startup.

Choose System > Configuration File Management. You can view the running configuration
file and the configuration file for the next startup.


Figure 1-26 Displaying the running configuration file and the configuration file for the next
startup

Checking the License Status


You can query the license information in License Information on the DashBoard page. Skip
this step if no function requires a license.

Figure 1-27 Viewing the license information

Checking the Device Operating Status


After you log in to the web UI, check the device operating status on the Dashboard page.

Checking the CPU, Memory, and Storage Space Usage


View system resource information on the Dashboard page, as shown in figure 5.

Figure 1-28 Viewing the system resource information

Checking System Information


View system information on the Dashboard page, as shown in figure 6.


Figure 1-29 Viewing the system information

Checking Device Status and Interface Traffic Information


View device information on the Dashboard page, as shown in figure 7.

Figure 1-30 Viewing the device status

View interface traffic statistics on the Dashboard page, as shown in figure 8.


Figure 1-31 Viewing interface traffic statistics

Checking Alarms and Logs


View alarm information on the Dashboard page, as shown in figure 9.

Figure 1-32 Viewing alarm information

View system log information on the Dashboard page, as shown in figure 10.


Figure 1-33 Viewing system log information

Collecting Device Diagnosis Information


The diagnosis information contains the output of multiple commonly-used display
commands. You can check the operating status of each device module.
On the web UI, choose Monitor > Diagnosis Center > Diagnosis Info. Click Collect to view
device diagnosis information, as shown in figure 11. You can also save the diagnosis
information to a text file.

Figure 1-34 Collecting diagnosis information

You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 12.


Figure 1-35 Viewing or exporting diagnosis information

Checking Whether Configurations Are Recovered


After the system software is upgraded, compare the current configuration file with the
configuration file backed up before the upgrade is performed to check whether any
configuration is lost or modified.

You can also use Beyond Compare to compare the configuration files before and after the
upgrade.

Recover the configuration based on the check result or contact the technical support
personnel.

Checking Whether Services Are Normal


Check whether services run properly in either of the following ways:

• Compare the entries (such as routes, session entries, and FIB entries) before and after the
upgrade to see if any entry is lost and check whether the service traffic before and after
the upgrade is identical.
• Consult the network administrator to check whether services are running properly.

1.3.5 Upgrade Through CLI

1.3.5.1 Preparations for the Upgrade

1.3.5.1.1 Obtaining Upgrade Files


Preparing the Upgrade Environment


When the device works properly, you can use the CLI to transfer the version software to the
storage media of the device, specify the version software for the next startup, and then restart
the device.
In the example, Telnet or SSH login parameters have been set, and you have logged in to the
CLI using Telnet or SSH. If Telnet or SSH login parameters are not set, log in to the device
from the console port and set the Telnet or SSH login parameters. For details, see Appendix
B: Establishing the Upgrade Environment Through the Console Port.

NOTE

You can use only one PC on which you run both the Telnet/SSH client and the FTP client. To facilitate
description, the network using two PCs is used as an example. The following steps apply to this two-PC
network.

Preparing Upgrade Tools


It is recommended that you prepare the following tools for upgrade:
• Login tool
Login tools help you log in to the device through the console port, Telnet, or SSH. This
document uses the tool in Windows as an example. In practice, it is recommended that
you use a legitimate third-party tool, for example, SecureCRT, to log the upgrade
operations in detail.
• File comparison tool
File comparison tools help you compare the configuration files before and after upgrade
for configuration loss. In practice, it is recommended that you use a legitimate
third-party tool, for example, Beyond Compare.

Obtaining Upgrade Files


Obtain the following files for the upgrade:
1. System software file.
The file name extension is .bin. This document uses NIPV500R001C50SPC100.bin
(with about 196,369,777 bytes) as an example.
2. (Optional) License file
The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file
only if you need to apply for a license.
3. (Optional) Sensitive Feature Component Package
The file name extension is .mod. You can obtain the file from sec.huawei.com. If the
device does not require any content security or the signature database can be upgraded in
online mode, the signature database file is not required.
4. (Optional) Local signature database file
The file name extension is .zip. You can obtain the file from sec.huawei.com. If the
device does not require any content security or the signature database can be upgraded in
online mode, the signature database file is not required.
Procedure
1. Access the home page of http://support.huawei.com/enterprise.


2. If you are not a registered member of the website, perform step 3 to register. If you are a
registered member, go to step 4.
3. Click Register and register as prompted. If the registration succeeds, you will receive
your user name and password.
4. Enter the user name, password, and verification code. Then click Login.
5. After login, choose Support > Software > Enterprise Networking > Security >
Firewall & VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.

Preparing the Environment for the Upgrade Through CLI


The key to the upgrade through the CLI is how to transfer the version software to CF card 1
of the NIP6300/6600. Currently, the following modes are supported:
• FTP mode with the NIP6300/6600 as the FTP server
• FTP mode with the NIP6300/6600 as the FTP client
• TFTP mode with the NIP6300/6600 as the TFTP client
• SFTP mode with the NIP6300/6600 as the SFTP server
The following is an example in which the NIP6300/6600 functions as an FTP server. This
method is easy because it does not require a third-party FTP server. For details on other
modes, see Appendix C: Uploading and Downloading Files. You are advised to use SFTP
to transfer files so that data transfer is secure.
As shown in Figure 1, the NIP6300/6600 is configured as the FTP server and version software
is located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the
version software to CF card 1 of the NIP6300/6600 through FTP.

Figure 1-36 Schematic diagram of the NIP6300/6600 serving as the FTP server

Perform the following steps to configure the NIP6300/6600 as the FTP server:

Saving and Backing Up Important Data


1. Save the configuration file.
You must save the configuration file before each upgrade so that configurations that were
made during device running but not yet saved are not lost when the device is restarted.
By default, the configuration file is stored on the CF card. The default loading path is the
same as the saving path.


Detailed operations are as follows:


<NGFW> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the device......................
Info:The current configuration was saved to the device successfully.
<NGFW> dir
Directory of hda1:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drw-              -  Oct 08 2013 09:17:10   nlog_db
    1  drw-              -  Jul 31 2013 11:15:36   umdb
    2  -rw-           3247  Dec 13 2013 00:42:34   vrpcfg.zip
    3  -rw-           3151  Dec 07 2013 20:52:52   scep_ra.cer
    4  -rw-      194531064  Nov 29 2013 10:29:52   V500R001C00SPC300.bin
    5  -rw-         302167  Dec 12 2013 21:02:54   diagnostic-info.txt

1438376 KB total (861872 KB free)

2. Log in to the NGFW from PC2 using FTP.


This document uses the Windows FTP client as an example. In practice, you are advised
to use a proven third-party FTP client (such as Cute FTP) to transfer files.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

3. Set the file transfer mode. Set the directory for saving the backup files on PC2 to
D:\FTP\Backup. The folder must already exist. You can specify another directory as
required.
ftp> binary //Run the binary command to specify file transmission in binary mode.
ftp> lcd "d:\FTP\Backup" //Set the directory that stores the backup files on PC2.

NOTE

The binary mode is required for file integrity, especially in the Linux or Unix system.
4. Run the get remote-filename [local-filename] command to download the file and save it
to local directory D:\FTP\Backup.
For example, before the upgrade, download the existing version software (for example,
V500R001C00SPC300.bin), vrpcfg.zip, Sensitive Feature Component
Packages ($_install_mod/*.mod), license.dat, and diagnosis file (for example,
diagnostic-info.txt) to PC2 for backup.
ftp> get vrpcfg.zip
ftp> get license.dat
ftp> get V500R001C00SPC300.bin

ftp> get diagnostic-info.txt
ftp> get av_h20010000_2013081700.zip //Back up the antivirus signature database file of V500R001C00SPC300.bin to PC2.
ftp> get ips_h20010000_2013083100.zip //Back up the intrusion prevention signature database file of V500R001C00SPC300.bin to PC2.
ftp> get sa_h50010000_2013111300.zip //Back up the application identification signature database file of V500R001C00SPC300.bin to PC2.
ftp> cd $_install_mod
ftp> get CSG_H50010000.mod
After the download is complete, check whether the sizes of the files on PC2 are
consistent with those on the device. If not, re-download the files to ensure that they are
completely backed up to PC2.

Checking the Remaining Space


Based on the actual situation, run the dir hda1: command in the user view to check the
remaining space on the CF card. Ensure that the available space on the CF card is sufficient
for the version software to be upgraded.
<NGFW> dir hda1:
Directory of hda1:/
Idx Attr Size(Byte) Date Time FileName
0 drw- - Oct 08 2012 09:17:10 nlog_db
1 drw- - Jul 31 2012 11:15:36 umdb
2 -rw- 4351023 Aug 02 2012 15:15:10 autotest2.cfg
3 -rw- 8192 Dec 11 2012 23:31:58 userinfo.db
4 -rw- 3247 Dec 13 2012 00:42:34 vrpcfg.zip
5 -rw- 9747 Dec 05 2012 01:33:32 tete.cfg
6 -rw- 3151 Dec 07 2012 20:52:52 scep_ra.cer
7 -rw- 9394 Aug 08 2012 07:53:20 test1.cfg
8 drw- - Sep 25 2012 12:37:44 history
9 -rw- 1037 Nov 15 2012 00:11:52 offline.req
10 -rw- 168509595 Nov 16 2015 05:44:36 V500R001C00SPC300.bin
11 -rw- 608656 Nov 15 2012 07:54:00 url.sdb
12 -rw- 987 Nov 21 2012 05:27:26 certcrl.crl
13 -rw- 948 Nov 21 2012 05:49:24 ssl.req
14 -rw- 302167 Dec 12 2012 21:02:54 diagnostic-info.txt
1138376 KB total (1161872 KB free)

The free-space value in parentheses on the last line indicates the remaining space on the CF card.
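The size comparison after the backup and the free-space check above can be scripted on PC2. The following is an added example, not part of the Huawei guide: it parses saved dir output, compares the sizes with the downloaded files, and checks whether the free space can hold the target image. The listing, file sizes and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of the device's `dir hda1:` output (not from a real device).
SAMPLE_DIR = """\
Directory of hda1:/
  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  drw-  -           Oct 08 2013  09:17:10  nlog_db
    1  -rw-  3247        Dec 13 2013  00:42:34  vrpcfg.zip
    2  -rw-  2048        Dec 01 2013  10:00:00  license.dat
    3  -rw-  194531064   Nov 29 2013  10:29:52  V500R001C00SPC300.bin
1438376 KB total (861872 KB free)
"""

ROW = re.compile(
    r"^\s*\d+\s+[d-][rwx-]{3}\s+(\d+|-)\s+"                     # Idx, Attr, Size
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+"   # Date, Time
    r"(\S+)\s*$"                                                # FileName
)
SPACE = re.compile(r"(\d+)\s+KB total\s+\((\d+)\s+KB free\)")


def parse_dir(listing):
    """Return ({filename: size_in_bytes}, free_kb); directories are skipped."""
    sizes, free_kb = {}, None
    for line in listing.splitlines():
        row = ROW.match(line)
        if row:
            if row.group(1) != "-":      # directories list "-" instead of a size
                sizes[row.group(2)] = int(row.group(1))
            continue
        space = SPACE.search(line)
        if space:
            free_kb = int(space.group(2))
    return sizes, free_kb


def check_backup(device_sizes, local_dir, wanted):
    """Compare each wanted file on PC2 with the size the device reported."""
    result = {}
    for name in wanted:
        local = Path(local_dir) / name
        if name not in device_sizes:
            result[name] = "not on device"
        elif not local.is_file():
            result[name] = "not downloaded"
        elif local.stat().st_size != device_sizes[name]:
            result[name] = "size mismatch: re-download"
        else:
            result[name] = "ok"
    return result


def has_room(free_kb, image_bytes):
    """True if the CF card's free space can hold the target image."""
    return free_kb is not None and free_kb * 1024 >= image_bytes


if __name__ == "__main__":
    sizes, free_kb = parse_dir(SAMPLE_DIR)
    with tempfile.TemporaryDirectory() as backup:
        # Simulate PC2: one complete download and one truncated download.
        (Path(backup) / "vrpcfg.zip").write_bytes(b"\0" * 3247)
        (Path(backup) / "V500R001C00SPC300.bin").write_bytes(b"\0" * 1000)
        wanted = ["vrpcfg.zip", "license.dat", "V500R001C00SPC300.bin"]
        for name, status in check_backup(sizes, backup, wanted).items():
            print(f"{name}: {status}")
    print("room for a 200000000-byte image:", has_room(free_kb, 200_000_000))
```

A matching size only shows that the transfer was not truncated; it does not prove the content is identical.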

Deleting Unnecessary Files


If the remaining space is smaller than the size of the target version software, delete
unnecessary files. In the user view, run the delete /unreserved hda1:/filename command to
delete unnecessary files from the CF card.
<NGFW> delete /unreserved hda1:/test1.cfg
The contents cannot be recycled!!! Delete hda1:/test1.cfg?[Y/N]:y
%Deleting file hda1:/test1.cfg...Done!

It takes a long time to delete the *.bin file. Please wait and do not restart the device.
Files are deleted and cannot be restored after the delete command with the /unreserved
parameter is executed. If the /unreserved parameter is not specified, the files are stored in the
recycle bin. To optimize space for the CF card, run the reset recycle-bin hda1: command to
empty the recycle bin.

NOTE

Because the version software (*.bin file) is large, deleting unwanted version software can release large
space on the CF card.
You cannot delete the software that is running.


1.3.5.1.2 Downloading Sensitive Feature Component Packages

Context
Content feature component packages are not released along with the software package. You
must access the security center website and load the packages in online mode, or download
and load them locally.
In V500R001C50SPC100, the following Content features compose the content security
component package: application behavior control, SSL decryption and URL logging.

Procedure
Step 1 Access the Huawei security center at http://sec.huawei.com/sec. (Use Internet Explorer
8.0 or later, or Firefox.)
Step 2 Expand the NIP6300/6600 Series tab and select the product model and version, such as
NIP6680 - V500R001C50SPC100.
Step 3 Select and download the component package. The component packages are as follows:
CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.

NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content feature
component packages.
The content feature component package to be loaded must be compatible with the system software.

----End

1.3.5.1.3 Configuration Conversion


Manual Configuration Conversion

NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.

Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.

Convert the commands starting with **** according to the NIP6000&NIP6800&IPS Module
V500R001C50SPC100 Command Manual Conversion Guide.
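The review of the conversion result file described above can be supported by a short script. The following is an added example, not part of the Huawei guide or its conversion tool: it lists every **** and @@@@ line with the configuration block it belongs to, and refuses to produce a loadable file while any **** line is still unconverted. The sample file, the function names and the assumption that blocks are separated by # lines are illustrative.

```python
MANUAL = "****"       # command that must be converted by hand
UNSUPPORTED = "@@@@"  # command not supported in V500R001; to be deleted

# Constructed conversion result file, modelled on the example in this section.
SAMPLE_RESULT = """\
#
profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other
  target both
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
#
sysname NGFW
"""


def triage(text):
    """Split a conversion result into findings and the lines that can stay.

    Each finding is (line_number, marker, command, section), where section is
    the first line of the enclosing '#'-delimited block, or None when the
    marked command itself opens the block.
    """
    findings, kept = [], []
    section = None
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped == "#":              # block separator: start a new section
            section = None
            kept.append(raw)
            continue
        marker = next((m for m in (MANUAL, UNSUPPORTED)
                       if stripped.startswith(m)), None)
        if marker:
            command = stripped[len(marker):].strip()
            findings.append((number, marker, command, section))
            continue
        if section is None and stripped:
            section = stripped
        kept.append(raw)
    return findings, kept


def loadable_config(text):
    """Return the configuration without '@@@@' lines, or raise if any
    '****' line is still waiting for manual conversion."""
    findings, kept = triage(text)
    pending = [f for f in findings if f[1] == MANUAL]
    if pending:
        lines = ", ".join(str(f[0]) for f in pending)
        raise ValueError(f"manual conversion still required on line(s) {lines}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, marker, command, section in triage(SAMPLE_RESULT)[0]:
        action = "convert manually" if marker == MANUAL else "confirm and delete"
        print(f"line {number} [{section or 'top level'}] {action}: {command}")
    try:
        loadable_config(SAMPLE_RESULT)
    except ValueError as err:
        print("not loadable yet:", err)
```

The list of @@@@ findings is the set of commands to confirm with the customer before the cleaned file is loaded.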

Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of the configuration must be consistent. If a verification
environment is unavailable on the site, you are advised to contact technical support engineers
for support.

1.3.5.2 Upgrade Flow


Context

Figure 1-37 Flowchart of the version software upgrade through the CLI

NOTE

FTP is used as an example. For SFTP file upload and download, see Device Serving as the SFTP
Server to Upload or Download Files Through SFTP.

Procedure
Step 1 Log in to the NGFW from PC2 using FTP. This document uses the Windows FTP client as an
example. In practice, you are advised to use a proven third-party FTP client (such as Cute
FTP) to transfer files.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

Step 2 Set the file transfer mode. Set the directory for saving upgrade-related files on PC2 to D:\FTP.
The folder must already exist. You can specify another directory as required.
ftp> binary //Run the binary command to specify file transmission in binary mode.
ftp> lcd D:\FTP //Set the directory that stores the files required for the upgrade on PC2.

Step 3 Run the put command to upload the NIPV500R001C50SPC100.bin file to the CF card of the
NGFW. The name of the file to be uploaded cannot be the same as the name of any existing
file in the CF card. If a file with the same name already exists in the CF card, the file is
replaced by the uploaded file.
ftp> put D:\FTP\NIPV500R001C50SPC100.bin


Depending on the network conditions, the upload of the version software may take some time.
Please wait. After the upload is complete, check whether the size of the file in the CF card is
consistent with that on PC2. If not, re-upload the file to ensure that the file is completely
uploaded to the CF card.

NOTICE
Convert the configuration file of the original version to that of V500R001C50SPC100. For
details, see Configuration Conversion.

Step 4 Run the put command to upload the configuration file that has been converted (for example,
vrpcfg_new.cfg) to the CF card of the NGFW. The name of the file to be uploaded cannot be
the same as the name of any existing file in the CF card. If a file with the same name already
exists in the CF card, the file is replaced by the uploaded file.
ftp> put D:\FTP\vrpcfg_new.cfg

After the upload is complete, check whether the size of the file in the CF card is consistent
with that on PC2. If not, re-upload the file to ensure that the file is completely uploaded to the
CF card.
Step 5 When the file upload is complete, exit the FTP environment. Log in to the CLI of the NGFW
through Telnet or SSH from PC1.
Step 6 In the user view, run the startup system-software filename command to specify the version
software for the next startup of the NGFW.
<NGFW> startup system-software NIPV500R001C50SPC100.bin
Info:System software for the next startup:hda1:/NIPV500R001C50SPC100.bin, start read file....
Succeeded in setting the software for booting system.

Step 7 In the user view, run the startup saved-configuration filename command to specify the
configuration file for the next startup of the NGFW as the uploaded file.
<NGFW> startup saved-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.

Step 8 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Run the put command to upload the new license file (for example, license_new.dat) to the CF
card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
Run the license active filename command in the system view to activate the license file.
[NGFW] license active license_new.dat
Info:License is successfully activated.

Step 9 (Optional) Update the signature databases of security functions.


Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 10 (Optional) Upgrade Content Security Features.
Run the put command to upload the content security feature component package (such as
CSG_H50010000_yyy.mod) of V500R001C50SPC100 to the $_install_mod folder in the CF
card of the NIP6300/6600. The name of the file to be uploaded cannot be the same as the
name of any existing file in the CF card. If a file with the same name already exists in the CF
card, the file is replaced by the uploaded file.

NOTICE
- If no content security feature is involved, skip this step.
- Ensure that an activated license file is available. If the license file is not activated, the
  upgrade fails.
- You must obtain the component package from the security center (http://sec.huawei.com)
  in advance and upload it to the $_install_mod folder in the root directory. Then, load the
  component package as follows:

Upgrading the content security feature component package applies to the following
scenarios:
- Upgrading V500R001 to V500R001C50SPC100.
install-module CSG_H50010000_yyy.mod next-startup

After the configuration is complete, run the display module-information verbose command
to view details on the dynamically loaded component package. The following information is a
part of the command output. If the State value is INSTALL_OK, the component package has
been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -

Step 11 Restart the NGFW.


NOTICE
- If the configuration file for the next startup is imported, restart the device without saving
  the running configuration. Otherwise, the running configuration will overwrite the
  imported configuration.
- For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file is not
  imported, you are advised to save the current configurations before restarting the device.

<NIP> reboot fast

Now, the upgrade to V500R001C50SPC100 is complete. The optional follow-up task is to
restore and test services.

----End

1.3.5.3 Upgrade Result Verification

Checking the Information About the Current Version Software


After the device is started, log in to the CLI. In any view, run the display version command to
check the information about the running version software. The following is a sample output
for this command.
<sysname> display version
Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.160 (NIP6000 V500R001C50SPC100)
Copyright (C) 2014-2015 Huawei Technologies Co., Ltd
NIP6000 uptime is 0 week, 0 day, 17 hours, 53 minutes
AV Signature Database Version :
IPS Signature Database Version : 2015031400
IPS Engine Version : V200R002C00SPC070
SA Signature Database Version : 2015006040
C&C Domain Name Database Version :
IP Reputation Database Version :
Location Database Version : 2014010414
SDRAM Memory Size : 4096 M bytes
Flash Memory Size : 16 M bytes
NVRAM Memory Size : 1024 K bytes
CF Card Memory Size : 2048 M bytes
RPU version information :
1. PCB Version : VER.A
2. CPLD Version : 110
3. BootROM Version : 103 Apr 2 2015 14:04:09
4. BootLoad Version : 103 Apr 2 2015 14:08:13
5. Disk 1 Firware Version :
6. DiskIO Firware Version : 0x0
Slot 1 :
FIB version information :
1. PCB Version : VER.A
2. Board Type : FIBA
3. CPLD Version : 112

Then run the display startup command in any view to check the current version software and
configuration file, and those for the next startup.
<sysname> display startup
MainBoard:
Configured startup system software: hda1:/V500R001C50SPC100.bin
Startup system software: hda1:/V500R001C50SPC100.bin
Next startup system software: hda1:/V500R001C50SPC100.bin
Startup saved-configuration file: hda1:/vrpcfg_new.cfg
Next startup saved-configuration file: hda1:/vrpcfg_new.cfg
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: NULL
Next startup patch package: NULL
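The display startup check above and the INSTALL_OK check on display module-information verbose in the upgrade procedure can both be automated against saved command output. The following is an added example, not part of the Huawei guide: the sample outputs are constructed, the function names are illustrative, and PLACEHOLDER_STATE stands for any State value other than INSTALL_OK.

```python
import re

# Constructed outputs, modelled on the samples in this guide.
SAMPLE_STARTUP = """\
MainBoard:
  Configured startup system software:     hda1:/V500R001C50SPC100.bin
  Startup system software:                hda1:/V500R001C50SPC100.bin
  Next startup system software:           hda1:/V500R001C50SPC100.bin
  Startup saved-configuration file:       hda1:/vrpcfg.zip
  Next startup saved-configuration file:  hda1:/vrpcfg_new.cfg
"""

SAMPLE_MODULES = """\
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot       Type   State                Detail
------------------------------------------------------------------------
-          NP     INSTALL_OK           -
************************************************************************
* URL Filter information , as follows:                                 *
************************************************************************
Slot       Type   State                Detail
------------------------------------------------------------------------
-          NP     PLACEHOLDER_STATE    -
"""

TITLE = re.compile(r"^\*\s*(.+?) information\s*, as follows:")


def parse_startup(output):
    """Map each 'key: value' line of `display startup` to a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")   # paths such as hda1:/x stay whole
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def check_startup(output, image, config):
    """Return a list of problems; an empty list means the running and the
    next-startup software and configuration are the expected files."""
    fields = parse_startup(output)
    expected = {
        "Startup system software": image,
        "Next startup system software": image,
        "Startup saved-configuration file": config,
        "Next startup saved-configuration file": config,
    }
    problems = []
    for key, want in expected.items():
        got = fields.get(key)
        if got is None:
            problems.append(f"{key}: missing from output")
        elif got.rsplit("/", 1)[-1] != want:
            problems.append(f"{key}: {got} (expected {want})")
    return problems


def module_states(output):
    """Return [(feature, slot, state)] from `display module-information verbose`."""
    rows, feature, in_table = [], None, False
    for line in output.splitlines():
        fields = line.split()
        title = TITLE.match(line)
        if title:
            feature, in_table = title.group(1), False
        elif fields[:3] == ["Slot", "Type", "State"]:
            in_table = True
        elif in_table and len(fields) >= 3:      # separator lines have one field
            rows.append((feature, fields[0], fields[2]))
    return rows


def failed_modules(output):
    """Rows whose State is anything other than INSTALL_OK."""
    return [row for row in module_states(output) if row[2] != "INSTALL_OK"]


if __name__ == "__main__":
    for problem in check_startup(SAMPLE_STARTUP, "V500R001C50SPC100.bin",
                                 "vrpcfg_new.cfg"):
        print("startup:", problem)
    for feature, slot, state in failed_modules(SAMPLE_MODULES):
        print(f"module: {feature} (slot {slot}) is {state}")
```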

Checking License Status


Run the display license command in any view to check the license status.
<sysname> display license
Device ESN is: 210235XXXXXXXXXXXXXX
The file activated is: hda1:/license.dat
The time when activated is: 2015/09/23 14:02:20
The time when expired is: 2016/06/20
Encrypted SSL traffic inspection function: Disabled
IPS Update : Enabled; service expire time: 2016/05/27
Anti Virus Update : Enabled; service expire time: 2016/05/27

Checking the CPU and Memory Usage


In any view, run the display cpu-usage command to check the CPU usage.
[sysname] cpu-usage monitor
<sysname> display cpu-usage
CPU Usage Stat. Cycle: 10 (Second)
CPU Usage            : 13.0% Max: 14.2%
CPU Usage Stat. Time : 2015-09-18 22:12:58
CPU utilization for ten seconds: 13.0% : one minute: 13.0% : five minutes: 13.0%

In any view, run the display health command to check the CPU and memory usage.
<sysname> display health
System Memory Usage Information:
System memory usage at 2015-11-17 21:10:41
-------------------------------------------------------------------------------
Slot  Total Memory(MB)  Used Memory(MB)  Used Percentage  Upper Limit
-------------------------------------------------------------------------------
0     7850              4789             60%              95%
-------------------------------------------------------------------------------
System CPU Usage Information:
System cpu usage at 2015-11-17 21:10:41
-------------------------------------------------------------------------------
Slot  CPU Usage  Upper Limit
-------------------------------------------------------------------------------
0     13%        80%
-------------------------------------------------------------------------------

If the CPU and memory usage before and after the upgrade differ only slightly, the device is
running properly.

Checking the Registration Status of Interface Cards


Run the display device command in any view to check the registration status of interface
cards.
<sysname> display device
Device status:
Slot  Sub  Type  Online   Power    Register    Status  Role
-------------------------------------------------------------------------------
0     -    RPU   Present  PowerOn  Registered  Normal  Master
1     -    FIBA  Present  PowerOn  Registered  Normal  NA
6     -    PWR   Present  PowerOn  Registered  Normal  NA
7     -    FAN   Present  PowerOn  Registered  Normal  NA

In normal cases, the interface card status is Normal. If the Status field is displayed as
Abnormal, the interface card in the slot runs improperly.

If the interface cards in certain slots do not work properly, contact the technical support
personnel.

Collecting Device Diagnosis Information


In the diagnose view, run the display diagnostic-information diagnostic-information.txt
command to collect the diagnosis information of the device.
[sysname-diagnose] display diagnostic-information hda1:/diagnostic-information_new.txt
Now saving the diagnostic information to the device.............................
................................................................................
..................
info: The diagnostic information was saved to the device successfully.

The diagnosis information is saved in the hda1:/diagnostic-information_new.txt file by
default. Back up this file to facilitate subsequent troubleshooting.

Checking Whether Configurations Are Recovered


After the system is upgraded to V500R001C50SPC100, the implementation and CLI change.
You need to compare the current configuration file with the configuration file in the CF card
to check whether any configuration is lost or modified.

You can also use Beyond Compare to compare the configuration files before and after the
upgrade.

Recover the configuration based on the check result or contact the technical support
personnel.


Checking Whether Services Are Normal


There are two methods of checking whether the service is normal:
- Collect several tables and compare the tables with those before upgrade to check whether
  certain entries are lost, including routing table, FIB table, MAC table, session table
  entries, and whether service traffic amount after upgrade is approximately the same as
  that before upgrade.
- Contact the network administrator of the office and check whether the service is normal.

1.3.6 Version Rollback

Prerequisites

NOTICE
To roll back to the source version, for V500R001C50, run the set system-software check-mode
all command; for other versions, directly roll back the version.
Before rolling back the original version, make sure that the corresponding configuration file
(already backed up before the upgrade) is loaded to the CF card of the device and is specified
as the file for next startup by running the startup saved-configuration cfg-filename command.
Then restart the device, avoiding configuration loss due to CLI differences between versions.
Upload the sensitive feature component package *.mod corresponding to the source version
to the device.

Application Scenario
The version rollback needs to be implemented if:
- The device cannot start normally after upgrade, and the current version needs to be rolled
  back to the previous one.
  In this case, you need to roll the version back to the backup source version in BootROM
  mode. The detailed procedure is the same as that of upgrading the version software in
  BootROM mode. For details, see Appendix A: Upgrading System Software Using
  BootROM.
- The device can start normally after upgrade, but a certain function cannot run normally,
  and therefore the current version needs to be rolled back to the previous one.
  In this case, you can adopt any of the following modes to roll back the version:
  - Roll back the version through command lines. The detailed procedure is the same as
    that of upgrading the version software in CLI mode. For details, see Upgrade
    Through CLI.
  - Roll back the version through Web. The detailed procedure is the same as that of
    upgrading the version software in Web mode. For details, see Upgrade Through
    Web.
  - Roll back the version using BootROM. The operations are the same as those for
    upgrading the system software using BootROM. For operation details, see
    Appendix A: Upgrading System Software Using BootROM.
  - Roll back the version in one-click mode.

Log Rollback Description


- Rollback with a disk
  a. The user has not manually updated the log database.
     - Roll back to the source version.
  b. The user has manually updated the log database.

NOTICE
As the database is different, the following operation will clear all logs.

i. Before V500R001C50SPC100 rollback, format the disk.


<system> system
[system] disk offline //Hard disk offline
[system] diagnose
[system-diagnose] reset disk

ii. In the system view, run the delete log sdb command to delete the IDNAME
log file.

Precautions
During the version rollback, note the following:
1. The precautions and the result check method of the version rollback operation are the
same as those of the version upgrade operation. For details, see the descriptions of
corresponding upgrade modes.
2. During the version rollback, services are interrupted temporarily. The interruption
duration depends on the rollback mode and the service configuration.
Before the version rollback, contact technical support personnel to determine whether the
target version needs to be patched. If yes, install the patch immediately after the version
rollback is complete. For how to install the patch, see the usage guide of the corresponding
patch version.

1.4 Upgrading Version Software in Dual-System Hot Backup

1.4.1 Overview
Dual-system hot backup is an important feature of the device. In dual-system hot backup,
two devices are deployed; if one device is faulty, the other takes over the work
immediately. In this way, a single point of failure is avoided, and network stability and
reliability are improved. For details, refer to the corresponding product document.
You should comply with a certain procedure and principle when upgrading version software in
dual-system hot backup networking. The main principle of the upgrade is to upgrade the
backup device and then the master device independently. Note that the HRP backup channel
(the heartbeat line) must be disconnected during the upgrade.

NOTICE
When upgrading version software in dual-system hot backup, the target version software of the
master device must be the same as that of the backup device.

1.4.2 Upgrade Procedure

Context
Figure 1 shows the detailed upgrade procedure, which is adopted for the master/backup mode
and the load balancing mode.

Figure 1-38 Flowchart of the version software upgrade in dual-system hot backup
environments

Use the active/standby mode as an example. Before the upgrade, NIP_A serves as the active
device and FW_B as the standby one.

Procedure
Step 1 Disconnect FW_B (the prompt is HRP_S<FW_B>) and its upstream and downstream devices,
and the HRP backup channel (the heartbeat line) between FW_B and FW_A. Only the HRP
backup channel of FW_B can be closed.
Log in to FW_B through Telnet or SSH. Run the shutdown command on the interfaces
connecting FW_B to upstream and downstream devices, and interface of the HRP backup
channel between FW_B and FW_A. Suppose that on FW_B, the interfaces connected to
upstream and downstream devices are GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1, and
the interface of the HRP backup channel connected to FW_A is GigabitEthernet 1/0/2. Do as
follows:
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3

HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
HRP_S[FW_B-GigabitEthernet1/0/2] shutdown

Step 2 Upgrade the version software of FW_B.


In the system view of FW_B, you need to upgrade the software version. The precautions and
the detailed procedure are the same as those of upgrading a single device. Select a proper
upgrade directory if desired. For details, see Upgrading Version Software in Single-System.
Step 3 After the upgrade and re-startup of FW_B are complete and FW_B becomes active, restore
the connection between FW_B and its upstream and downstream devices, and do not recover
the HRP backup channel (the heartbeat line) between FW_B and FW_A. Run the undo
shutdown command on the interfaces connecting FW_B to upstream and downstream
devices. Do as follows:
HRP_M<FW_B> system-view
HRP_M[FW_B] interface GigabitEthernet 1/0/3
HRP_M[FW_B-GigabitEthernet1/0/3] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_M[FW_B-GigabitEthernet1/0/1] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/1] quit

Step 4 Upgrade the version software of FW_A.


The precautions and the detailed procedure are the same as those of upgrading a single device.
Select a proper upgrade directory if desired. For details, see Upgrading Version Software in
Single-System.
After the connections between FW_A and its upstream and downstream devices are
disconnected, service traffic is forwarded through FW_B. As FW_B cannot obtain session
information from FW_A, certain services need to re-establish connections. Thus, certain
services are interrupted for a period.
Step 5 Recover the connection of the HRP backup channel (the heartbeat line) between FW_B and
FW_A. After the upgrade and re-startup of FW_A are complete, run the undo shutdown
command on the interface connecting FW_B and FW_A as follows:
HRP_M[FW_B] interface GigabitEthernet 1/0/2
HRP_M[FW_B-GigabitEthernet1/0/2] undo shutdown

Then wait one to two minutes, ensuring that session information on FW_B is completely
backed up to FW_A. You can run the display firewall session table command to check
whether the numbers of sessions on both devices are consistent. If yes, perform further
operations.
After previous operations are performed, FW_B becomes active, while FW_A becomes
standby. If the preemption function is enabled, FW_A will become active after a while and
start to forward service traffic.
Step 6 Observe the service running status. Check the information about the session tables on FW_A
and FW_B to verify the upgrade. If the services are running properly, run the save command
to save the configurations on FW_A and FW_B. Perform the following operations:
HRP_M<NIP_A> save
HRP_S<NIP_B> save

In addition, simulate link or device faults (run the shutdown command on relevant interfaces)
after successful upgrade and service tests, so that the device performs an active/standby
switchover. Then check whether the dual-system hot backup function is normal after upgrade.
Roll back the version to that before the upgrade if necessary. For details on version rollback,
see Version Rollback. The version rollback process in dual-system hot backup networking is
similar to that in single-device networking. During version rollback in dual-system hot
backup networking, change the target version to the source version.

----End

1.5 Appendix A: Upgrading System Software Using BootROM

1.5.1 Background

When the device fails to load the system software, and you cannot log in to the device using
the Web UI or CLI, upgrade the system software using BootROM.

At present, the device supports the system software transmission to the CF card using FTP or
TFTP in the BootROM menu. The device, serving as the client, downloads the system
software from the FTP/TFTP server, as shown in Figure 1. You must install the third-party
FTP/TFTP server software on PC2.

NOTE

You can use a single PC for both the HyperTerminal program and the FTP client. To facilitate
description, two PCs are used as an example.

Figure 1-39 Transferring files through an FTP or TFTP server

The following section provides an example of how the device downloads the system software
from the FTP server.

1.5.2 Upgrade Process Overview

Context
Figure 1 shows the process for upgrading the system software using BootROM.


Figure 1-40 Flowchart for upgrading the system software using BootROM

1.5.3 Performing the Upgrade

Context
The serial port of PC1 is connected to the console port of the device with a standard RS-232
configuration cable. Run the terminal emulation program (use the HyperTerminal in the
Windows XP as an example) on PC1 to ensure that PC1 communicates with the console port
of the device.

Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server using the document
delivered with the program. The premise is that you obtain the FTP server program in a
legitimate way. You have already created an FTP user whose name is 123 and password is
123 and configured the root directory of the user as the directory of the files to be uploaded or
downloaded.
Step 2 Power on or reboot the device.

Step 3 After the device is powered on, you can run the terminal emulation program on PC1 to check
the device startup process. When the following information is displayed, press Ctrl+B within
three seconds.

Base Bootrom Ver: 021 May 8 2014 15:58:31

Extended Bootrom Ver: 028 May 8 2014 16:01:28


CPLD BigVer : 003B
CPLD SmlVer : 005B 2013-08-15
PCB Ver: SUA2MPUA REV B
CPU Type : CN6880 Rev 2.1
CPU L2 Cache : 2048 KB
CPU Core Frequency : 1200 MHz
BUS Frequency : 900 MHz
Mem Size : 16384 MB

Press Ctrl+B to enter main menu...


3

Password:
********

For the sake of security, please modify the original password.

Enter password O&m15213 to access the BootROM main menu.


====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ---------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================
Enter your choice(0-6):

Step 4 In the BootROM main menu, enter 3 to access file management menu.
==================< File Management Menu >==================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-5):

In the file management menu, enter 1 to check the available space in the CF card. If the
available space of the CF card is insufficient, enter 3 to delete unnecessary files.
Ensure that the CF card has sufficient available space. Enter 0 to return to the BootROM main
menu.
Step 5 In the BootROM main menu, enter 4 to access the load and upgrade menu.
=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6):

In the load and upgrade menu, enter 2 to access the application software upgrade menu. The
current parameter settings are displayed.

Net Paramter:
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board Mask address : 255.255.255.0
FTP user name : ngfw
FTP user password : ngfw
Load file name : sup.bin
Target file name : sup.bin
Download file to : hda1:

<1> Download file.
<2> Modify parameters.
<0> Quit
Enter your choice(0-2):

In the application software upgrade menu, enter 2 to modify the load parameters.
Protocol type:
<1> FTP <2> TFTP
NOTE: TFTP protocol limits the file length to 32M bytes.
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board IP mask : 255.255.255.0
FTP user name : 123
FTP user password : 123
Load file name : sup.bin
Target file name : V500R001C**.bin
Choose one of following devices where the file in:
<1> hda1: <2> sdram
Download file to : 1

<1> Download file.
<2> Modify parameters.
<0> Quit
Enter your choice(0-2): 1

Enter 1 to download the upgrade file.


Using FTP client...
File < V500R001C**.bin> 170014779 bytes downloaded.

Writing hda1:/V500R001C**.bin, please wait.................................


................................................................................
................................................................................
................................................................................
................................................................................

................................................................................
................................................................................
................................................................................
................................................................................
..................................................................Done.

The next boot package file is <hda1:/V500R001C**.bin

Table 1-25 Parameters of FTP download

Parameter            Description
Protocol type        Indicates the protocol used for download. The value 1 indicates FTP, and the value 2 indicates TFTP.
Unit number          Indicates the interface connected to the external FTP server (PC2). Only 0 can be entered in this field to identify GigabitEthernet0/0/0.
Server IP address    Indicates the IP address of the external FTP server (PC2).
Board IP address     Indicates the IP address of the device interface.
FTP user name        Indicates the user name, which must be the same as that specified on the FTP server.
FTP user password    Indicates the password, which must be the same as that specified on the FTP server.
Load file name       Indicates the name of the system software.
Target file name     Indicates the name of the system software to be saved.
Download file to     Indicates the location in which the system software is saved.

After the download is complete, the device automatically specifies the downloaded system
software as that to be used at the next startup. Enter 0 to return to the load and upgrade menu.
Then, enter 0 to return to the BootROM main menu.
Step 6 In the load and upgrade menu, enter 3 to download the converted configuration file.

=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6): 3

Net paramter:
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board IP mask : 255.255.255.0
FTP user name : 1234
FTP user password : ****
Load file name :vrpcfg_new.cfg
Target file name : vrpcfg_new.cfg
Download file to : hda1:

<1> Download file.
<2> Modify parameters.
<0> Quit

After the downloading is complete, enter 0 to return to the load and upgrade menu. Then,
enter 0 to return to the BootROM main menu.
Step 7 In the BootROM main menu, enter 2 to specify the system software and configuration file.
====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ---------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================

Enter your choice(0-6): 2

Current boot application software: <hda1:/V500R001C**.bin>
Current boot configuration: <hda1:/vrpcfg_new.cfg>

<1> Modify setting
<0> Quit

Enter your choice (0-1): 1

After the setting is complete, enter 0 to return to the BootROM main menu.

Step 8 In the BootROM main menu, enter 0 to restart the device.

----End
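
The BootROM prints the number of bytes it received in Step 5, and its TFTP option is limited to 32M bytes. The following Python sketch, run on the PC that stages the files, is an added example and not part of the Huawei guide: it picks the usable protocols for an image and checks the byte count from a saved console capture against the staged file. The function names, the reading of "32M" as 32 * 1024 * 1024 bytes, and the SHA-256 recorded for the change log are assumptions of this example; the guide itself compares sizes only.

```python
import hashlib
import re

# Assumption: "32M bytes" in the BootROM note means 32 * 1024 * 1024 bytes.
BOOTROM_TFTP_LIMIT = 32 * 1024 * 1024

# Status line printed by the BootROM in Step 5, for example:
#   File < V500R001C**.bin> 170014779 bytes downloaded.
DOWNLOADED_RE = re.compile(
    r"File\s*<\s*(?P<name>[^>]+?)\s*>\s*(?P<size>\d+)\s+bytes downloaded\."
)


def describe_image(path):
    """Return (size_in_bytes, sha256_hex) of the staged file, read in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def usable_protocols(size):
    """FTP has no stated limit; TFTP only fits files up to the BootROM limit."""
    return ["FTP", "TFTP"] if size <= BOOTROM_TFTP_LIMIT else ["FTP"]


def reported_size(console_text, target_name):
    """Byte count the BootROM printed for target_name, or None if absent."""
    for match in DOWNLOADED_RE.finditer(console_text):
        if match.group("name") == target_name:
            return int(match.group("size"))
    return None


def verify_download(image_path, console_text, target_name):
    """Compare the staged file with what the BootROM says it received."""
    size, sha256 = describe_image(image_path)
    seen = reported_size(console_text, target_name)
    if seen is None:
        status = "no-download-line"   # transfer never completed or wrong name
    elif seen != size:
        status = "size-mismatch"      # truncated or wrong file: download again
    else:
        status = "ok"
    return {
        "status": status,
        "staged_size": size,
        "reported_size": seen,
        "sha256": sha256,             # kept for the upgrade record
        "protocols": usable_protocols(size),
    }


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for a staged file and a saved console capture.
    with tempfile.TemporaryDirectory() as staging:
        image = os.path.join(staging, "example.bin")
        with open(image, "wb") as handle:
            handle.write(b"\x5a" * 4096)
        capture = "Using FTP client...\nFile < example.bin> 4096 bytes downloaded.\n"
        print(verify_download(image, capture, "example.bin"))
```
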

1.6 Appendix B: Establishing the Upgrade Environment Through the Console Port

1.6.1 Setting Up an Environment for Upgrading System Software Using Telnet/SSH

Prerequisites
The prerequisites for console port login are as follows:

• A PC (with an RS232 serial port) and an RS-232 cable are available.
• A terminal simulation program (such as Windows XP HyperTerminal) is installed on the
PC.
• The NIP6300/6600 is powered on and running properly.

Context
IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the NIP6300/6600
by default. You can use this IP address and the default user name admin and password
Admin@123 to log in to the CLI of the NIP6300/6600 through Telnet. If the Telnet
configuration is cancelled or you want to use SSH for the login, log in to the NIP6300/6600
from the console port to set up the Telnet or SSH environment.
Figure 1 shows the connection for configuring the upgrade environment using the console
port. The serial port of the PC is connected to the console port of the device with a standard
serial cable.
The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the device. Using the cables of other
vendors might cause unexpected faults. If a mini USB console port is used, purchase the mini
USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used
together. If both ports are connected, only the mini USB console port is available.

Figure 1-41 Establishing the upgrade environment through the console port

Procedure
Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the
terminal simulation program (for example, Windows XP HyperTerminal) on the PC. The
Connection Description dialog box is displayed, as shown in Figure 2.

Figure 1-42 Connection Description dialog box

Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1)
of the PC for connecting to the NIP6300/6600 from the Connect using drop-down list box, as
shown in Figure 3.

Figure 1-43 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be the same
as those of the console port on the NIP6300/6600.

Figure 1-44 Setting port properties

Step 4 Log in to the NGFW, and enter the CLI.

By default, the user name and password are admin and Admin@123 respectively for logging
in to the NIP6300/6600 through the console port. If you forget the user name and password
configured on the console port, see Password of the Console Port Is Forgotten.
Step 5 Configure the upgrade environment.
• Configure Telnet for login.
Enable the Telnet service on GE 0/0/0 of the device. Configure AAA authentication and
Telnet for the virtual type terminal (VTY) user interface. Create a local Telnet user and
set the user name to user1 and the password to Password1 for the Telnet user. Enable the
Telnet service on the device.
V500R001:
<NIP> system-view
[NIP] telnet server enable
[NIP] interface GigabitEthernet 0/0/0
[NIP-GigabitEthernet1/0/3] ip address 192.168.1.1 255.255.255.0
[NIP-GigabitEthernet1/0/3] service-manage telnet permit
[NIP-GigabitEthernet1/0/3] service-manage enable
[NIP-GigabitEthernet1/0/3] quit
[NIP] user-interface vty 0 4
[NIP-ui-vty0-4] authentication-mode aaa
[NIP-ui-vty0-4] user privilege level 3
[NIP-ui-vty0-4] quit
[NIP] aaa
[NIP-aaa] authorization-scheme default
[NIP-aaa-auth-default] quit
[NIP-aaa] manager-user user1
[NIP-aaa-manager-user-user1] password cipher Password1
[NIP-aaa-manager-user-user1] level 15
[NIP-aaa-manager-user-user1] service-type telnet
[NIP-aaa-manager-user-user1] quit
[NIP-aaa] bind manager-user user1 role system-admin
[NIP-aaa] quit
[NIP] firewall zone trust
[NIP-zone-trust] add interface GigabitEthernet1/0/3
[NIP-zone-trust] quit

• Configure SSH for login.
Enable the SSH service on GE 0/0/0 of the device. Configure AAA authentication and
SSH for the virtual type terminal (VTY) user interface. Create a local SSH user and set
the user name to user1 and the password to Password1 for the SSH user. Enable the
STelnet service on the device.
V500R001:
<NIP> system-view
[NIP] interface GigabitEthernet 1/0/3
[NIP-GigabitEthernet1/0/3] ip address 192.168.1.1 255.255.255.0
[NIP-GigabitEthernet1/0/3] service-manage enable
[NIP-GigabitEthernet1/0/3] service-manage ssh permit
[NIP-GigabitEthernet1/0/3] quit
[NIP] user-interface vty 0 4
[NIP-ui-vty0-4] authentication-mode aaa
[NIP-ui-vty0-4] user privilege level 3
[NIP-ui-vty0-4] protocol inbound ssh
[NIP-ui-vty0-4] quit
[NIP] aaa
[NIP-aaa] manager-user user1
[NIP-aaa-manager-user-user1] password cipher Password1
[NIP-aaa-manager-user-user1] level 15
[NIP-aaa-manager-user-user1] service-type ssh
[NIP-aaa-manager-user-user1] quit
[NIP-aaa] bind manager-user user1 role system-admin
[NIP-aaa] quit
[NIP] stelnet server enable
[NIP] ssh user user1

[NIP] ssh user user1 authentication-type password
[NIP] ssh user user1 service-type stelnet
[NIP] ssh server port 1025
[NIP] ssh server timeout 80
[NIP] ssh server authentication-retries 4
[NIP] ssh server rekey-interval 1
[NIP] ssh server compatible-ssh1x enable

----End

1.6.2 Setting Up an Environment for Upgrading System Software Using Web

Prerequisites
Before you log in to the NIP6300/6600 using the console port, complete the following tasks:

• Prepare a PC (with an RS232 serial port) and a serial cable.
• Install an emulation program, such as HyperTerminal on Windows XP, on the PC.
• Power on the NIP6300/6600 and ensure that the NIP6300/6600 runs properly.

Context
When the system software needs to be upgraded remotely, but the Web environment is not
configured, you can log in to the NIP6300/6600 through the console port and then configure
the Web environment. Then you can log in to the NIP6300/6600 remotely using Web to
upgrade the system software.

This section describes how to establish the HTTP-based upgrade environment through the
console port.

Figure 1 shows the connection for configuring the upgrade environment using the console
port. The serial port of the PC is connected to the console port of the NIP6300/6600 with a
standard serial cable.

The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the NIP6300/6600. Using the cables
of other vendors might cause unexpected faults. If a mini USB console port is used, purchase
the mini USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be
used together. If both ports are connected, only the mini USB console port is available.

Figure 1-45 Upgrade topology through the console port

Procedure
Step 1 Run the terminal emulation program, such as the HyperTerminal of Windows XP, on the PC.
Choose Start > Programs > Accessories > Communications > HyperTerminal.
The Connection Description dialog box is displayed, as shown in Figure 2.

Figure 1-46 Upgrade topology through the console port

Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of
the PC for connecting to the NIP6300/6600 from the Connect using drop-down list box, as
shown in Figure 3.

Figure 1-47 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be
consistent with those of the console port on the NGFW.

Figure 1-48 Setting port properties

Step 4 Log in to the NIP6300/6600 and access the CLI.


By default, user name admin and password Admin@123 are used to log in to the
NIP6300/6600 through the console port. If you forget the user name and password configured
on the console port, see Password of the Console Port Is Forgotten.
Step 5 Configure the web for login.
Enable HTTP and HTTPS on GE 0/0/0 of the NIP6300/6600. Create a local web user and
set the user name to user1, the user level to level 15, and the password to Password1 for the
web user. Enable the HTTP and HTTPS services on the device.
<NIP> system-view
[NIP] interface GigabitEthernet 0/0/0
[NIP-GigabitEthernet0/0/0] ip address 192.168.0.1 255.255.255.0
[NIP-GigabitEthernet0/0/0] service-manage http permit
[NIP-GigabitEthernet0/0/0] service-manage https permit
[NIP-GigabitEthernet0/0/0] service-manage enable
[NIP-GigabitEthernet0/0/0] quit
[NIP] aaa
[NIP-aaa] manager-user user1
[NIP-aaa-manager-user-user1] password cipher Password1
[NIP-aaa-manager-user-user1] service-type web
[NIP-aaa-manager-user-user1] level 15
[NIP-aaa-manager-user-user1] quit
[NIP-aaa] quit
[NIP] web-manager enable
[NIP] web-manager security enable port 8443

NOTE

If an administrator uses HTTP to access the Web UI, the device automatically redirects to a more secure
service, HTTPS. If the browser displays a notification for an insecure certificate, you can continue
browsing.

----End

1.6.3 Upgrade Troubleshooting

1.6.3.1 Password of the Console Port Is Forgotten

Perform the following steps when you forget the password of the console port.

Procedure
Step 1 Restart the NIP6300/6600 and access the BootROM main menu.

========================< Main Menu >========================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ----------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
=============================================================

Enter your choice (0-6):

Step 2 Enter 3 to access the file management menu.

================< File Management Menu >=====================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
=============================================================

Enter your choice (0-5):

Step 3 Enter 2 to rename the current configuration file for startup.


Input the file name you want to rename(eg: hda1:/sup.bin): hda1:/vrpcfg.cfg
Input the new file name: hda1:/vrpcfgrename.cfg

Step 4 After device startup, use the default user name admin and password Admin@123 for login
and use FTP to save the renamed configuration file to the PC.
Step 5 Reconfigure a user and copy the user information generated by the device to the renamed
configuration file.
manager-user newuser
password cipher %@%@@)wB&=/Q1Fvhl1W=,4C)Vpg^C.0{VCnlxU^3svMxY@^A)vmh%@%@
service-type web terminal telnet
level 15

Step 6 Upload the modified configuration file to the device and specify the file as that to be used at
the next startup. After the device restarts, you can use the configured user information to log in.
----End

1.7 Appendix C: Uploading and Downloading Files

1.7.1 Device Serving as the FTP Client to Upload or Download Files Through FTP

Context
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the
NIP6300/6600 and upload or download files through FTP. This method requires third-party
FTP server software to be installed on PC2.
NOTE

You can also use a PC as both the Telnet/SSH client and the FTP server. The following example
uses the two-PC deployment.

Figure 1-49 Schematic diagram of uploading/downloading files through FTP and with the
NIP6300/6600 serving as the FTP client

Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server according to the documentation
available with the program. This procedure assumes that you have obtained the FTP server program in a legitimate
way; a description of the program is beyond the scope of this document. Assume that an
FTP user already exists with the user name 123 and password 123, and that the root directory
of the user is set to the storage path of files to be uploaded/downloaded.
Step 2 Log in to the NIP6300/6600 from PC1 through Telnet/SSH.
Step 3 Log in to the FTP server on the NIP6300/6600. Run the ftp ip-address command in the user
view to establish an FTP connection to the PC and enter the FTP client view. The following
operation assumes that the IP address of the FTP server is 192.168.0.2.
<NIP> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

Step 4 Upload files in storage media of the NIP6300/6600 to the FTP server. Run the put
local-filename [ remote-filename ] command in the FTP client view to upload files to the FTP
server.
[ftp] binary /Run the binary command to specify file transmission in binary mode.
[ftp] put vrpcfg.zip

After the uploading is complete, check whether the sizes of files on the FTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the FTP server.
Step 5 Download files from the FTP server to storage media of the NIP6300/6600. Run the get
remote-filename [ local-filename ] command in the FTP client view to download files from
the FTP server.
[ftp] binary /Run the binary command to specify file transmission in binary mode.
[ftp] get vrpcfg.zip

After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the FTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.

----End

1.7.2 Device Serving as the SFTP Server to Upload or Download Files Through SFTP

Context
As shown in Figure 1, NIP6300/6600 serves as the SFTP server. Log in to the SFTP server
from the PC2 and upload/download files through SFTP. This method requires the third-party
SFTP client program (such as WinSCP) to be installed on the PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the SFTP server. The following example
uses the two-PC deployment.

Figure 1-50 Schematic diagram of uploading/downloading files through SFTP and with the
NIP6300/6600 serving as the SFTP server

The roadmap for configuring an SFTP client (PC2) to communicate with an SSH server
(NIP6300/6600) is as follows (RSA authentication is used):

• Create an SSH user on the NIP6300/6600.
• Configure a local key pair for PC2 and the NIP6300/6600.
• Copy the public key of PC2 to the NIP6300/6600.
• On the NIP6300/6600, bind the SSH user to the public key of PC2.
• Enable SFTP services on the NIP6300/6600.
• Configure the SSH user to log in to the NIP6300/6600 from PC2.

Procedure
Step 1 Enable the SSH service on interface GigabitEthernet 0/0/0.
<NGFW> system-view
[NGFW] interface GigabitEthernet 0/0/0
[NGFW-GigabitEthernet0/0/0] service-manage ssh permit
[NGFW-GigabitEthernet0/0/0] service-manage enable
[NGFW-GigabitEthernet0/0/0] quit

Log in to the NIP6300/6600 from PC1 through Telnet/SSH.

Step 2 Create an SSH user on the NIP6300/6600.

Enable the SFTP service.
[NIP] sftp server enable

Configure an authentication mode and a protocol on the VTY interface.
[NIP] user-interface vty 0 4
[NIP-ui-vty0-4] authentication-mode aaa
[NIP-ui-vty0-4] protocol inbound ssh
[NIP-ui-vty0-4] quit

Create SSH user client and set the authentication type to rsa, service type to SFTP, and
service directory to hda1:
[NIP] ssh user sftpadmin
[NIP] ssh user sftpadmin authentication-type password
[NIP] aaa
[NIP-aaa] manager-user sftpadmin
[NIP-aaa-manager-user-sftpadmin] service-type ssh
[NIP-aaa-manager-user-sftpadmin] level 3
[NIP-aaa-manager-user-sftpadmin] password
Enter Password:
Confirm Password:
[NIP-aaa-manager-user-sftpadmin] quit
[NIP-aaa] quit
[NIP] ssh user sftpadmin service-type sftp
[NIP] ssh user sftpadmin sftp-directory hda1:

Step 3 Generate a local key pair on the NIP6300/6600.


[NIP] rsa local-key-pair create
The key name will be: NIP_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 4 Generate a local key pair on PC2. The local key pair consists of host key and server key.
Step 5 Use password RsaKey001 to copy the host key of PC2 to the NIP6300/6600.
[NIP] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[NIP-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[NIP-rsa-key-code] 3047
[NIP-rsa-key-code] 0240
[NIP-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[NIP-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[NIP-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[NIP-rsa-key-code] 1D7E3E1B
[NIP-rsa-key-code] 0203
[NIP-rsa-key-code] 010001
[NIP-rsa-key-code] public-key-code end
[NIP-rsa-public-key] peer-public-key end

Step 6 On PC2, connect the SFTP client to the SSH server.

----End

Example
After the SFTP client connects to the SSH server, run the display ssh server status and
display ssh server session commands on the SSH server to check whether the SFTP service
is enabled and whether the SFTP client is connected to the SSH server.
• Check SSH server status.
[NIP] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Disable

• Check SSH server connection information.
[NIP] display ssh server session
Session 1:
Conn : VTY 4
Version : 2.0
State : started
Username : client
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
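
The commands and session output in sections 1.6.1 and 1.7.2 include several settings that weaken the management plane once the upgrade is over: Telnet, SSH-1 compatibility, a 512-bit default RSA modulus, passwords that are printed in this guide, and legacy SSH algorithms. The following Python check is an added example and not Huawei code; it scans a saved console capture for those items so they can be reviewed after the upgrade. The rule names and the sample capture are constructed here from lines shown in this guide.

```python
import re

# Prompt prefixes such as "[NIP-ui-vty0-4]" or "<NIP>" that precede commands
# in a console capture; they are stripped before the rules are applied.
PROMPT_RE = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

# Passwords printed in this guide; anyone holding the document knows them.
DOCUMENTED_PASSWORDS = {"Password1", "Admin@123"}

# (rule id, pattern applied to the prompt-stripped line, why it matters)
LINE_RULES = [
    ("telnet-server", r"^telnet server enable$",
     "Telnet carries the login and the session in cleartext"),
    ("telnet-permit", r"^service-manage telnet permit$",
     "interface accepts Telnet management traffic"),
    ("telnet-user", r"^service-type\b.*\btelnet\b",
     "account is allowed to log in over Telnet"),
    ("ssh1-compat", r"^ssh server compatible-ssh1x enable$",
     "server accepts SSH-1 clients"),
    ("ssh1-offered", r"^SSH version\s*:\s*1\.99$",
     "version 1.99 advertises SSH-1 compatibility"),
    ("weak-kex", r"^Kex\s*:\s*diffie-hellman-group1-sha1$",
     "1024-bit Diffie-Hellman group with SHA-1"),
    ("cbc-cipher", r"^(?:CTOS|STOC) Cipher\s*:\s*\S+-cbc$",
     "CBC-mode SSH cipher negotiated"),
    ("short-mac", r"^(?:CTOS|STOC) Hmac\s*:\s*hmac-sha1-96$",
     "SHA-1 MAC truncated to 96 bits"),
]

PASSWORD_RE = re.compile(r"^password cipher (\S+)$")
# Key-generation prompt; an empty answer means the default size is used.
MODULUS_RE = re.compile(
    r"^Input the bits in the modulus\[default = (\d+)\]:\s*(\d*)$"
)
MIN_RSA_BITS = 2048  # upper end of the range offered by the device prompt


def audit(capture):
    """Return a list of (line number, rule id, reason) for a console capture."""
    findings = []
    for number, raw in enumerate(capture.splitlines(), start=1):
        line = PROMPT_RE.sub("", raw).strip()
        if not line:
            continue
        for rule, pattern, reason in LINE_RULES:
            if re.search(pattern, line):
                findings.append((number, rule, reason))
        match = PASSWORD_RE.match(line)
        if match and match.group(1) in DOCUMENTED_PASSWORDS:
            findings.append((number, "documented-password",
                             "password is the one printed in the guide"))
        match = MODULUS_RE.match(line)
        if match:
            bits = int(match.group(2) or match.group(1))
            if bits < MIN_RSA_BITS:
                findings.append((number, "short-rsa-key",
                                 f"{bits}-bit RSA modulus selected"))
    return findings


# Constructed capture, assembled from command and output lines in this guide.
SAMPLE_CAPTURE = """\
[NIP] telnet server enable
[NIP-GigabitEthernet1/0/3] service-manage telnet permit
[NIP-aaa-manager-user-user1] password cipher Password1
[NIP-aaa-manager-user-user1] service-type ssh
[NIP] ssh server compatible-ssh1x enable
[NIP] rsa local-key-pair create
Input the bits in the modulus[default = 512]:
SSH version : 1.99
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for number, rule, reason in audit(SAMPLE_CAPTURE):
        print(f"line {number}: {rule}: {reason}")
```
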

1.7.3 Device Serving as the TFTP Client to Upload or Download Files Through TFTP

Context
As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the
NIP6300/6600 and upload or download files through TFTP. This method requires third-party
TFTP server software to be installed on PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the TFTP server. The following example
uses the two-PC deployment.

Figure 1-51 Schematic diagram of uploading/downloading files through TFTP and with the
NIP6300/6600 serving as the TFTP client

Procedure
Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure the TFTP
server according to the documentation available with the program. This procedure assumes that you have obtained the TFTP
server program in a legitimate way; a description of the program is beyond the scope of
this document. The following operation assumes that the root directory of the TFTP server is
set to the storage path of files to be uploaded/downloaded.

Step 2 Log in to the NIP6300/6600 from PC1 through Telnet/SSH.

Step 3 Upload files in storage media of the NIP6300/6600 to the TFTP server.

NOTICE
Due to the limitation of third-party TFTP server software, TFTP upload of files larger than 16
MB may fail. Therefore, you are advised to use FTP to upload the files larger than 16 MB.

Run the tftp ip-address put source-filename [ destination-filename ] command in the user
view to upload files to the TFTP server. The following operation assumes that the IP address
of the TFTP server is 192.168.0.2.
<NIP> tftp 192.168.0.2 put test.bin

After the uploading is complete, check whether the sizes of files on the TFTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the TFTP server.
Step 4 Download files from the TFTP server to the CF card of the NIP6300/6600. Run the tftp
ip-address get source-filename [ destination-filename ] command in the user view to download
files from the TFTP server.
<NIP> tftp 192.168.0.2 get temp.bin

After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the TFTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.

----End

1.8 Appendix D: Applying for a License

Context
The license file to be loaded on the device is a .dat file. This file is not delivered with the
device and is independently generated by the license center of Huawei.

Procedure
Step 1 Obtain a license authorization code (Entitlement ID).
Find the license authorization certificate in the delivery accessories and obtain the Entitlement
ID, as shown in Figure 1.

NOTE

The license authorization certificate is delivered together with the product to the customer on A4 paper
or on CD-ROM.

Figure 1-52 License authorization certificate

Step 2 Obtain an equipment serial number (ESN).
• Log in to the device in CLI mode and run the display firewall esn command in any view
to obtain the ESN.
• Log in to the device in Web mode and view the ESN in System Information of the
Dashboard page.

Figure 1-53 System Information

Step 3 Obtain the license file from the license self-service.

Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure
in the system help or the displayed information.

NOTICE
To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to
the ESN.
If you cannot obtain the license file, contact the local technical support personnel.

Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.


The license center automatically combines the licenses for new features with the existing
license, and generates a new license.

----End

1.9 Appendix E: Upgrade Record Table

Table 1-26 Upgrade Record Table

Office name | | Upgrade time |
Current version | | Target version |
Upgrade engineer | Customer: | Huawei: |
Upgrade successful or not | | |

Check Item | Result | Anomaly Handling
Check before the upgrade | |
Check of upgrade operations | |
Check after the upgrade | |

1.10 Appendix F: Abbreviations

Table 1-27 Abbreviations

AAA Authentication, Authorization and Accounting

ACL Access Control List

AUX Auxiliary port

CF Compact Flash

DNS Domain Name System

ESN Equipment Serial Number

FTP File Transfer Protocol

GRE Generic Routing Encapsulation

GTP GPRS Tunneling Protocol

HTTPS Secure HTTP

ICMP Internet Control Message Protocol

IP Internet Protocol

IPS Intrusion Prevention System

IPSec IP Security

MPU Main Processing Unit

RADIUS Remote Authentication Dial in User Service

SPUA Service Processing Unit A

SSH Secure Shell

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

UDP User Datagram Protocol

VTY Virtual Type Terminal


2 NIP6800

About This Chapter

2.1 Upgrade Preparation and Evaluation
2.2 Upgrading Version Software in Single-System
2.3 Upgrading Version Software in Dual-System Hot Backup
2.4 Appendix: Establishing the Upgrade Environment Through the Console Port
2.5 Appendix: Uploading and Downloading Files
2.6 Appendix: Activating the ESN
2.7 Appendix: Applying for a License
2.8 Appendix: Upgrade Record Table
2.9 Appendix: Abbreviations


2.1 Upgrade Preparation and Evaluation

2.1.1 Supported Source Versions


This document applies to the NIP6000 series.
For version software, the following scenarios are covered:
- Upgrade from V500R001C00SPC300 to V500R001C50SPC100
- Upgrade from V500R001C00SPC500 to V500R001C50SPC100
- Upgrade from V500R001C20SPC100 to V500R001C50SPC100
- Upgrade from V500R001C20SPC200 to V500R001C50SPC100
- Upgrade from V500R001C20SPC300 to V500R001C50SPC100
- Upgrade from V500R001C30SPC100 to V500R001C50SPC100
- Upgrade from V500R001C30SPC200 to V500R001C50SPC100
- Upgrade from V500R001C30SPC300 to V500R001C50SPC100
- Upgrade from V500R001C50 to V500R001C50SPC100

NOTICE
1. Before an upgrade from a patch version, run the patch delete all command to delete the
patch.
2. Perform the upgrade.

V500R001C00SPC300, V500R001C00SPC500, V500R001C20SPC100,
V500R001C20SPC200 and V500R001C20SPC300 cannot be directly upgraded to
V500R001C50SPC100. Instead, upgrade them to V500R001C50SPC100 first or install the
following patches:
- For V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300, install
  V500R001SPH002.


NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V3 upgrades are not recommended. If there are such requirements, contact Huawei
engineers.
3. To roll back from V500R001C50 to an earlier version, run the
set system-software check-mode all command. For other versions, rollback can be performed
directly.
Note the following items for patch upgrades:
- After activating the patch and setting the startup configuration file, ensure that the patch is
  in activated state when the reboot or reboot fast command is used to restart the system.
  Otherwise, the system restart may fail.
- If the patch is mistakenly deleted and the system restart fails after the startup configuration
  file is set, you must re-activate the patch and restart the system again. For a high-end
  firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not,
  delete the patch and then install and activate it again.

2.1.2 Hardware Support

Table 1 lists all boards applicable to the NIP6800, including MPUs, SPUs, SFUs, and LPUs.
The NIP6800 has many historical boards and software versions. Certain scenarios do not
support the upgrade or have restrictions. Before the upgrade, you must read this section
carefully and confirm that the current hardware configuration meets the upgrade requirement.

Table 2-1 Supported hardware

BOM | Model | First Version That Supports This Hardware | Whether to Support Upgrade to V500R001C00

MPU
0305G06R | SU9DMPUD0100 | V200R001C00 | Yes
03056305 | E8KE-X3-MPU | V500R001C00 | Yes
0305G06S | EKEX8-FWCD00SRUA00 | V200R001C00 | No
0305G08N | E8KE-X8-SRUA-200 | V200R001C01 | Yes
0305G06U | EKEX16-FWCD00MPUB00 | V200R001C00 | Yes

SPU
0305G09N | SPU-X3-40-E8KE | V300R001C00 | Yes
0305G09P | SPU-X8X16-40-E8KE | V300R001C00 |
0305G09Q | SPU-X8X16-80-E8KE | V300R001C00 |
0305G0B2 | SPU-X3-B | V300R001C00 |
0305G09Q | SPU-X8X16-B | V300R001C00 |
0305G09T | SPU-X3-20-O-E8KE | V300R001C00 |
0305G09U | SPU-X8X16-20-O-E8KE | V300R001C00 |

SFU
0305G08P | E8KE-X8-SFUC-200 | V200R001C01 | Yes
0305G08Q | E8KE-X16-SFUC-200 | V200R001C01 | Yes
0305G06T | EKEX8-FWCD00SFUD00 | V200R001C00 | No
0305G06V | EKEX16-FWCD00SFUG01 | V200R001C00 | No

LPU
0305G051 | LPUF-21 | V300R001C00 | Yes
0305G074 | LPUF-40-A | V200R001C00 | Yes
0305G09H | LPUF-101 | V300R001C01 | Yes
03056306 | LPUF-120 | V500R001C00 | Yes
03056307 | LPUF-240 | V500R001C00 |

The restrictions of boards on the upgrade are as follows:


1. The LPUF-21 and LPUF-40-A do not support the MPLS MTU function.
Solution: Use the LPUF-101, LPUF-120 or LPUF-240 to replace the LPUF-21 or
LPUF-40-A if necessary.
Before the upgrade, you must collect information about the boards on the device.
In the system or user view, run the display esn command to view the BOM codes of all
boards. Compare the BOM codes in the P/N column with table 1 to check whether the device
can be upgraded to V500R001C50SPC100.
[NIP6830]display esn
Service ESN: 210235G6QC10E7000006
License ESN: 210305G06R0000000000,210305G06R0000000000

Slot-Pic  Type                    S/N                    P/N
----------------------------------------------------------------
1         SPU                     210305G09UZ0C8000001   0305G09U
1 -0      SPU_CARD_TYPE_SPCB      210305G09S10E6000022   0305G09S
1 -1      SPU_CARD_TYPE_SPCB      210305G09S10E6000022   0305G09S
2         LPU                     020DTB1081000508       03050DTB
3         LPU                     21030563060000000011   03056306
3 -0      LAN_WAN_6x10GF_B_CARD   21030563080000000011   03056308
3 -1      LAN_WAN_6x10GF_B_CARD   21030563080000000011   03056308
4         MPU                     210305G06R0000000000   0305G06R
5         MPU                     210305G06R0000000000   0305G06R
8         PWR                     2102120529P0CB000962   02120529
9         PWR                     2102120529P0CB001068   02120529
10        FAN                     2102120514P0CB000512   02120514
/         BackPlane               210235G6QCZ0CC000004   0235G6QC

Pay attention to the P/N information about the boards in mother slots, not in sub-slots.
For the NIP6830, pay attention to the boards in slots 1 to 3.
For the NIP6860, pay attention to the boards in slots 1 to 8.
For the , pay attention to the boards in slots 1 to 16.
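
The pre-upgrade board check described above can be scripted. The following is an added example, not a Huawei tool or code from this guide: it parses captured display esn output, keeps only the mother-slot rows in the slot range given above, and looks each P/N up in Table 2-1. The function names and the verdict labels (supported, unsupported, unstated, not-in-table) are assumptions made for this example; the sample output and the table values are the ones shown in this section.

```python
import re

# Table 2-1 on this page: BOM code -> "Whether to Support Upgrade" cell.
# None = the cell is empty on the page, so no Yes/No is stated for that board.
SUPPORTED_HARDWARE = {
    # MPU
    "0305G06R": "Yes", "03056305": "Yes", "0305G06S": "No",
    "0305G08N": "Yes", "0305G06U": "Yes",
    # SPU (0305G09Q is listed twice on the page, both times with an empty cell)
    "0305G09N": "Yes", "0305G09P": None, "0305G09Q": None, "0305G0B2": None,
    "0305G09T": None, "0305G09U": None,
    # SFU
    "0305G08P": "Yes", "0305G08Q": "Yes", "0305G06T": "No", "0305G06V": "No",
    # LPU
    "0305G051": "Yes", "0305G074": "Yes", "0305G09H": "Yes",
    "03056306": "Yes", "03056307": None,
}

# Mother slots the page says to inspect for each chassis.
SLOTS_TO_CHECK = {"NIP6830": range(1, 4), "NIP6860": range(1, 9)}

# Verdict labels are this example's own wording (assumption).
VERDICT = {"Yes": "supported", "No": "unsupported", None: "unstated"}

# The display esn output shown in this section.
PAGE_SAMPLE = """\
[NIP6830]display esn
Service ESN: 210235G6QC10E7000006
License ESN: 210305G06R0000000000,210305G06R0000000000

Slot-Pic  Type                    S/N                    P/N
----------------------------------------------------------------
1         SPU                     210305G09UZ0C8000001   0305G09U
1 -0      SPU_CARD_TYPE_SPCB      210305G09S10E6000022   0305G09S
1 -1      SPU_CARD_TYPE_SPCB      210305G09S10E6000022   0305G09S
2         LPU                     020DTB1081000508       03050DTB
3         LPU                     21030563060000000011   03056306
3 -0      LAN_WAN_6x10GF_B_CARD   21030563080000000011   03056308
3 -1      LAN_WAN_6x10GF_B_CARD   21030563080000000011   03056308
4         MPU                     210305G06R0000000000   0305G06R
5         MPU                     210305G06R0000000000   0305G06R
8         PWR                     2102120529P0CB000962   02120529
9         PWR                     2102120529P0CB001068   02120529
10        FAN                     2102120514P0CB000512   02120514
/         BackPlane               210235G6QCZ0CC000004   0235G6QC
"""


def parse_display_esn(text):
    """Return (slot, pic, type, sn, pn) tuples from display esn output.

    Works on whitespace-separated tokens rather than lines, so a capture whose
    P/N column wrapped onto the next line parses the same as an unwrapped one.
    """
    toks = text.split()
    if "Slot-Pic" not in toks:
        raise ValueError("no Slot-Pic table header found")
    i = toks.index("Slot-Pic")
    # Skip the header words, then the dashed separator (one token or many).
    while i < len(toks) and set(toks[i]) != {"-"}:
        i += 1
    while i < len(toks) and set(toks[i]) == {"-"}:
        i += 1
    rows = []
    while i < len(toks):
        slot = toks[i]
        if slot[0] in "[<":          # trailing CLI prompt: end of table
            break
        if not re.fullmatch(r"\d+|/", slot):
            raise ValueError(f"unexpected slot token {slot!r}")
        i += 1
        pic = None
        if i < len(toks) and re.fullmatch(r"-\d+", toks[i]):
            pic = toks[i]            # sub-slot row such as "1 -0"
            i += 1
        if len(toks) - i < 3:
            raise ValueError(f"truncated row for slot {slot}")
        board_type, sn, pn = toks[i:i + 3]
        i += 3
        rows.append((slot, pic, board_type, sn, pn))
    return rows


def check_boards(text, chassis):
    """Return (slot, type, pn, verdict) for each mother-slot board to inspect."""
    slots = SLOTS_TO_CHECK[chassis]
    results = []
    for slot, pic, board_type, _sn, pn in parse_display_esn(text):
        # The page says to look at mother slots only, not sub-slots.
        if pic is not None or not slot.isdigit() or int(slot) not in slots:
            continue
        if pn in SUPPORTED_HARDWARE:
            verdict = VERDICT[SUPPORTED_HARDWARE[pn]]
        else:
            verdict = "not-in-table"
        results.append((int(slot), board_type, pn, verdict))
    return results


def blockers(results):
    """Boards that are not positively confirmed as upgradable by Table 2-1."""
    return [r for r in results if r[3] != "supported"]


if __name__ == "__main__":
    for slot, board_type, pn, verdict in check_boards(PAGE_SAMPLE, "NIP6830"):
        print(f"slot {slot:<2} {board_type:<4} {pn:<9} {verdict}")
```

Any board reported as unstated or not-in-table needs a manual decision before the upgrade, because Table 2-1 gives no Yes or No for it.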

2.1.3 Upgrade Impact

2.1.3.1 Impact of the Upgrade from V500R001C50

2.1.3.1.1 Impact of Feature Changes

Table 2-2 New features

No. | Description | Purpose
1 | The device can parse NSH packets. | To allow the device to parse and forward NSH packets.
2 | The log and alarm are generated if the number of L2TP online users reaches the upper limit. | To remind the administrator if the number of L2TP online users reaches the upper limit.
3 | The rate of received L2TP negotiation packets is limited. | To prevent a large number of L2TP negotiation packets from affecting service packets.
4 | The SSL proxy certificate can be virtualized. | To virtualize the certificate.
5 | The alarm is added, indicating that SSL VPN online user resources are used up. | To notify the administrator of the exhaustion of SSL VPN online user resources.
6 | The log and alarm are generated if the number of SSL VPN online users reaches the upper limit. | To remind the administrator if the number of SSL VPN online users reaches the upper limit.
7 | The alarm is added, indicating that addresses in the SSL VPN network extension address pool are used up. | To notify the administrator of the address exhaustion.
8 | IPSec forwarding adapts the user-configured IPSec source port. | To identify IKE or ESP packets based on the user-configured port.
9 | The northbound interface is added. Virtual-if-[vsysname] can be used to deliver the Virtual-if configuration. | To improve the Controller's delivery efficiency. The device does not obtain the ID of a created virtual system.
10 | The device supports the CIS interworking function. | The CIS can interwork with the firewall to identify and block malicious sessions.
11 | TWAMP Lite network quality detection is added. | To meet the carrier's QoS requirements. The device creates statistical sessions and records test results to provide the NMS with performance statistics about bidirectional delay, jitter, and packet loss rate.
12 | The device supports HRP smooth upgrade. | To allow cross-version HRP dual-system upgrades without service interruption.

Table 2-3 Modified features

No. | Feature | Change Description | Cause | Upgrade Impact
1 | Virtual system northbound | getState is added to view the used and left virtual system resources. | Function enhanced. | None.
2 | Maintenance and management of the logical resource pool | The usage of virtual systems and ARP resources can be obtained. | Function enhanced. | None.
3 | Web interface traffic statistics | Before modification, traffic statistics on all interfaces apply to virtual system interfaces. After the modification, traffic statistics on all interfaces equal the sum of traffic on interfaces in the corresponding system. | If the maximum number of virtual systems are created, too many memory resources are occupied. | None.
4 | License | The license provides a NETCONF interface, so that the license can be activated online through an activation code. | This is a new requirement. | None.
5 | AAPT | Cloud sandbox interworking supports HTTPS. | The firewall AAPT can interconnect with a cloud sandbox through HTTPS. | As old devices do not have preset certificates, you must manually import the certificate and key for cloud sandbox interworking.
6 | SSL proxy | The certificate can be virtualized. | The SSL server certificate supports virtualization. | None.
7 | Quota control policy | The alarm threshold reminders are added for daily duration quota, daily traffic quota, and monthly traffic quota. A device domain name can be set to hide the device IP address on the pushed alarm and quota exhaustion web pages. | Agile Controller-Campus supports traffic statistics. | None.

Deleted Features
None.

2.1.3.1.2 Impact of Command Changes

New Commands

Command: [ undo ] firewall dynamic-resource used-up alarm sslvpn-user enable
Description: Enables or disables the alarm that forwarding dynamic resources are used up.
Impact: None.

Command: firewall dynamic-resource used-up alarm sslvpn-user threshold <integer<1-100>>
Description: Sets the threshold for the alarm indicating that forwarding dynamic resources are used up. The default value is 80%.
Impact: None.

Command: undo firewall dynamic-resource used-up alarm sslvpn-user threshold
Description: Restores the threshold to the default value for the alarm indicating that forwarding dynamic resources are used up. The default value is 80%.
Impact: None.

Command: [ undo ] firewall dynamic-resource used-up alarm sslvpn-user enable
Description: Enables or disables the alarm that SSL VPN user resources are used up.
Impact: None.

Command: firewall dynamic-resource used-up alarm sslvpn-user threshold <integer>
Description: Sets the threshold for the alarm indicating that SSL VPN user resources are used up. The default value is 80%.
Impact: None.

Command: undo firewall dynamic-resource used-up alarm sslvpn-user threshold
Description: Restores the threshold to the default value for the alarm indicating that SSL VPN user resources are used up. The default value is 80%.
Impact: None.

Command: interface virtual-if api transform
Description: Sets the virtual-if northbound delivery configuration mode.
Impact: Virtual-if-[vsysname] replaces Virtual-if[vsysid] as the virtual-if name, improving the Controller's delivery efficiency.

Command: display firewall detect [ global | zone STRING<1-256> | interzone STRING<1-256> STRING<1-256> ]
Description: Displays the ASPF detection function.
Impact: None.

Command: [ undo ] hrp configuration auto-check warning enable
Description: Enables or disables the alarm function of hot standby configuration consistency check.
Impact: None.

Command: [ undo ] hrp track spu enable
Description: Configures the VGMP group to monitor the VLAN status.
Impact: None.

Command: [ undo ] device-domain <domain-name>
Description: Sets the device domain name. The device domain name is used in the quota control policy alarm and the redirected page upon quota exhaustion to replace the device IP address.
Impact: None.

Table 2-4 Modified commands

Original command: display ipsec statistics
New command: display ipsec statistics all-systems
Change description: The keyword all-systems is added.
Upgrade impact: This command is used in the root system before C50. After the upgrade to C50, you must run the display ipsec statistics all-systems command to display IPSec statistics in the root system.

Original command: app-proxy built-in-ca { trust | untrust } filename <filename>
New command: app-proxy built-in-ca { trust | untrust } filename <filename>
Change description: This command applies to virtual systems.
Upgrade impact: None.

Original command: undo app-proxy built-in-ca { trust | untrust }
New command: undo app-proxy built-in-ca { trust | untrust }
Change description: This command applies to virtual systems.
Upgrade impact: None.

Original command: [ undo ] app-proxy ca trust filename <filename>
New command: [ undo ] app-proxy ca trust filename <filename>
Change description: This command applies to virtual systems.
Upgrade impact: None.

Original command: [ undo ] app-proxy server certificate filename <filename>
New command: [ undo ] app-proxy server certificate filename <filename>
Change description: This command applies to virtual systems.
Upgrade impact: None.

Original command: display app-proxy dynamic-cert cache
New command: display app-proxy dynamic-cert cache [ all-systems ]
Change description: PKI supports virtualization. The keyword all-systems is added.
Upgrade impact: Before C50, virtual systems use the root system certificate. After the upgrade to C50, the keyword all-systems is required.

Original command: reset app-proxy dynamic-cert cache
New command: reset app-proxy dynamic-cert cache [ all-systems ]
Change description: PKI supports virtualization. The keyword all-systems is added.
Upgrade impact: Before C50, virtual systems use the root system certificate. After the upgrade to C50, the keyword all-systems is required.

Original command: api call-home host <host-name>{<domain-name> | ip x.x.x.x } port <port-number>[ source-ip x.x.x.x ]
New command: api call-home host <host-name>{domain <domain-name> | ip x.x.x.x } port <port-number>[ source-ip x.x.x.x ] [ vpn-instance <vpn-instance-name>]
Change description: The parameter vpn-instance-name is added for the scenario where the outbound interface is bound to a VPN instance.
Upgrade impact: None.

Original command: [undo] time-daily <time-daily>
New command: [undo] time-daily <time-daily>[ reminder-threshold <reminder-threshold-value>]
Change description: A reminder threshold can be set.
Upgrade impact: None.

Original command: [undo] stream-daily <stream-daily>
New command: [undo] stream-daily <stream-daily>[ reminder-threshold <reminder-threshold-value>]
Change description: A reminder threshold can be set.
Upgrade impact: None.

Original command: [undo] stream-monthly <stream-monthly>
New command: [undo] stream-monthly <stream-monthly>[ reminder-threshold <reminder-threshold-value>]
Change description: A reminder threshold can be set.
Upgrade impact: None.

Deleted Commands
None.

2.1.3.1.3 Impact of Licenses

The license can still be used after the upgrade from V500R001C50 to V500R001C50SPC100.

2.1.3.1.4 Impact of Sensitive Features


Note that you must dynamically load the sensitive features after the upgrade from
V500R001C50 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

2.1.3.2 Upgrade Impact from V500R001C30SPC300

2.1.3.2.1 Impact of Feature Changes

Table 2-5 New features

No. | Description | Objective
1 | Encrypted traffic detection policy | To enrich the SSL decryption function, the SSL decryption proxy policy is extracted to form the encrypted traffic detection policy.
2 | Policy label | The policy label is added, which enables network maintenance personnel to search for or modify a policy more conveniently and improves the ease of use.
3 | Collection of the accumulated value of specific policy traffic through the OID | This feature enables the NMS to analyze the traffic and policy in a more convenient way.
4 | TWAMP | Network quality detection.
5 | CIS interworking | The firewall interworks with the CIS to block malicious traffic.
6 | Cloud sandbox | Files matching the cloud sandbox interworking policy are sent to the cloud sandbox for in-depth detection.
7 | Support of AES256 in IDS interworking | This feature guarantees the security of IDS interworking messages.
8 | SSL inbound and outbound decryption detection | SSL inbound and outbound decryption detection is supported.
9 | Configuration consistency between the local and remote ends | This feature applies to scenarios, such as DCN scenarios, where a device restarts due to a fault and needs to restore basic configurations locally and synchronize service configurations from the remote end. This feature helps guarantee configuration consistency.
10 | System memory detection mechanism | To detect memory overwriting and memory leak issues.
11 | Detection of abrupt KPI information change | To detect abrupt changes of the memory, CPU usage, and session, and send alarms.
12 | Disabling of the bound interface when the CPU usage exceeds the threshold | To disable the previously bound interface when the CPU usage exceeds the specified threshold.
13 | Customization of session log templates in syslog format | The function is enhanced.
14 | Enhanced session log function | The function is enhanced.
15 | Real-time traffic statistics collection | The function is enhanced.
16 | Alarm on the exhaustion of forwarding resources on the firewall | The function is enhanced.
17 | Enhanced restriction on the number of new connections | The function is enhanced.
18 | ICMP fast reply function | The function is enhanced.
19 | Alarm on abrupt session changes | The function is enhanced.
20 | Multicast packet filtering | The function is enhanced.
21 | Filtering and viewing of blacklists of various types | The function is enhanced.

Table 2-6 Modified features

No. | Feature | Change Description | Cause | Impact of the Upgrade
1 | Policy | In policy query, related policies can be rapidly located based on quintuple information (or accurate source and destination information, and source and destination address segments). Policy objects support fuzzy query and association with the drop-down list. | The ease of use shall be improved. | None
2 | Policy | The security, traffic, and decryption policies support the configuration of URL category conditions. | The function is enhanced. | None
3 | Policy | The security policy supports the reference of the Cloud Access Security Awareness (CASA) profile. | The function is enhanced. | None
4 | Service | The range of well-known ports of the service set is added. | The function is enhanced. | None
5 | Log | The firewall supports the audit of outbound files. | The function is enhanced. | None
6 | HRP | The support of smooth upgrade is added. | The function is enhanced. | None
7 | BWM | The northbound function is added for the per-user maximum connection rate and per-IP address maximum connection rate. | The function is enhanced. | None
8 | PKI | Virtualization is supported. When the certificate or key pair is imported through the CLI, the file shall be uploaded to the corresponding directory (public on the root firewall and vsys+vsysid on the virtual firewall) under cfcard:/pki or hda1:/pki. | The function is enhanced. | None
9 | Session log | Log sending when the source IP address and source port are not configured is supported. | The function is enhanced. | None
10 | Session log | Sending encrypted session logs over an IPsec tunnel is supported. | The function is enhanced. | None
11 | Session log | Displaying log server-specific statistics is supported. | The function is enhanced. | None
12 | Application | After the SA signature database is updated, application names of functions that reference applications, such as integrated policy, application group, and port mapping, are smoothly updated to new names after configuration update. For example, QQ_Webmail is updated to WebMail_QQ, and GMail to WebMail_GMail. | The function is enhanced. | None

Deleted Features
None

2.1.3.2.2 Impact of Command Changes

New commands
For new command details, see the product document.

Modified commands

Original command: undo ssl whitelist hostname { name xxx | all }
New command: undo ssl whitelist userdefined-hostname { host-name-xxx | all }
Change description: Modify keywords.
Impact of the upgrade: None

Original command: ssl whitelist hostname xxx
New command: ssl whitelist userdefined-hostname xxx
Change description: Modify keywords.
Impact of the upgrade: None

Original command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] *
New command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] * [ | count ] [ | [ before INTEGER<1-999> | after INTEGER<1-999> ] * { begin | include | exclude } TEXT0 ]
Change description: The pipe character-based filtering and query function is added.
Impact of the upgrade: None

Original command: info-center timestamp { log | trap | debugging } { { none | boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] }
New command: info-center timestamp { log | trap | debugging } { { boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] } [ without-timezone ]
Change description: The mode without the timestamp is deleted.
Impact of the upgrade: None

Original command: ssh client STRING<1-255> assign { rsa-key | dsa-key } STRING<1-30>
New command: ssh client STRING<1-255> assign { rsa-key | dsa-key | ecc-key } STRING<1-30>
Change description: ECC authentication is added.
Impact of the upgrade: None

Original command: ssh user STRING<1-253> assign { rsa-key | dsa-key } STRING<1-30>
New command: ssh user STRING<1-253> assign { rsa-key | dsa-key | ecc-key } STRING<1-30>
Change description: ECC authentication is added.
Impact of the upgrade: None

Original command: ssh user STRING<1-253> authentication-type { password | rsa | all | password-rsa | dsa | password-dsa }
New command: ssh user STRING<1-253> authentication-type { password | rsa | all | password-rsa | dsa | password-dsa | ecc | password-ecc }
Change description: ECC authentication is added.
Impact of the upgrade: None

Original command: undo ssh client STRING<1-255> assign { rsa-key | dsa-key }
New command: undo ssh client STRING<1-255> assign { rsa-key | dsa-key | ecc-key }
Change description: ECC authentication is added.
Impact of the upgrade: None

Original command: undo ssh user STRING<1-253> assign { rsa-key | dsa-key }
New command: undo ssh user STRING<1-253> assign { rsa-key | dsa-key | ecc-key }
Change description: ECC authentication is added.
Impact of the upgrade: None

Original command: open ipv6 STRING<1-46> { -oi { STRING<1-256> | STRING<1-256> STRING<1-256> } } [ INTEGER<1-65535> ]
New command: open ipv6 STRING<1-255> { -oi { STRING<1-256> | STRING<1-256> STRING<1-256> } } [ INTEGER<1-65535> ]
Change description: The keyword range is enlarged.
Impact of the upgrade: None

Original command: tftp ipv6 [ -a X:X::X:X ] STRING<1-46> [ -oi { STRING<1-256> | STRING<1-256> STRING<1-256> } ] { put | get } STRING<1-64> [ STRING<1-64> ]
New command: tftp ipv6 [ -a X:X::X:X ] STRING<1-255> [ -oi { STRING<1-256> | STRING<1-256> STRING<1-256> } ] { put | get } STRING<1-64> [ STRING<1-64> ]
Change description: The keyword range is enlarged.
Impact of the upgrade: None

Original command: snmp-agent [ remote-engineid STRING<10-64> ] usm-user v3 STRING<1-32> [ group STRING<1-32> | acl INTEGER<2000-2999> ] *
New command: snmp-agent [ remote-engineid STRING<10-64> ] usm-user v3 STRING<1-32> [ group STRING<1-32> | acl { INTEGER<2000-3999> | STRING<1-32> } ] *
Change description: An optional keyword is added.
Impact of the upgrade: None

Original command: snmp-agent [ remote-engineid STRING<10-64> ] usm-user v3 STRING<1-32> authentication-mode { md5 | sha } [ cipher STRING<1-108> ]
New command: snmp-agent [ remote-engineid STRING<10-64> ] usm-user v3 STRING<1-32> authentication-mode { md5 | sha } [ [ localized-configuration ] cipher STRING<1-108> ]
Change description: An optional keyword is added.
Impact of the upgrade: None

Original command: snmp-agent [ remote-engineid STRING<10-64> ] usm-user v3 STRING<1-32> privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ cipher STRING<1-108> ]
New command: snmp-agent [ remote-engineid STRING<10-64> ] usm-user v3 STRING<1-32> privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ [ localized-configuration ] cipher STRING<1-108> ]
Change description: An optional keyword is added.
Impact of the upgrade: None

Original command: snmp-agent acl { INTEGER<2000-2999> | STRING<1-32> }
New command: snmp-agent acl { INTEGER<2000-3999> | STRING<1-32> }
Change description: The ACL keyword range is enlarged.
Impact of the upgrade: None

Original command: snmp-agent community { read | write } { STRING<1-32> | cipher STRING<1-88> } [ [ mib-view STRING<1-32> ] | [ acl INTEGER<2000-2999> ] | [ alias STRING<1-32> ] ] *
New command: snmp-agent community { read | write } { STRING<1-32> | cipher STRING<1-88> } [ [ mib-view STRING<1-32> ] | [ acl { INTEGER<2000-3999> | STRING<1-32> } ] | [ alias STRING<1-32> ] ] *
Change description: The ACL keyword range is enlarged.
Impact of the upgrade: None

Original command: snmp-agent group v3 STRING<1-32> acl INTEGER<2000-2999>
New command: snmp-agent group v3 STRING<1-32> acl INTEGER<2000-3999>
Change description: The ACL keyword range is enlarged.
Impact of the upgrade: None

Original command: snmp-agent group v3 STRING<1-32> { authentication | privacy | noauthentication } [ read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> ] * [ acl { INTEGER<2000-2999> | STRING<1-32> } ]
New command: snmp-agent group v3 STRING<1-32> { authentication | privacy | noauthentication } [ read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> ] * [ acl { INTEGER<2000-3999> | STRING<1-32> } ]
Change description: The ACL keyword range is enlarged.
Impact of the upgrade: None

Original command: snmp-agent group v3 STRING<1-32> { read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> } * [ acl INTEGER<2000-2999> ]
New command: snmp-agent group v3 STRING<1-32> { read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> } * [ acl INTEGER<2000-3999> ]
Change description: The ACL keyword range is enlarged.
Impact of the upgrade: None

Original command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change description: An optional keyword is added.
Impact of the upgrade: None

Original command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change description: An optional keyword is added.
Impact of the upgrade: None

Original command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> }
New command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> } [ vpn-instance STRING<1-31> ]
Change description: An optional keyword is added.
Impact of the upgrade: None

Original command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname { STRING<1-32> | cipher STRING<1-68> }
New command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname { STRING<1-32> | cipher STRING<1-68> }
Change description: An optional keyword is added.
Impact of the upgrade: None

Original Command: ping ipv6 [ -a X:X::X:X | -c INTEGER<1-4294967295> | -s INTEGER<20-9600> | -t INTEGER<0-65535> | -m INTEGER<1-10000> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -tc INTEGER<0-255> | -si { STRING<1-256> | STRING<1-256> STRING<1-256> } | -h INTEGER<1-255> | -name | -uniform ] * STRING<1-46> [ -i { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
New Command: ping ipv6 [ -a X:X::X:X | -c INTEGER<1-4294967295> | -s INTEGER<20-9600> | -t INTEGER<0-65535> | -m INTEGER<1-10000> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -tc INTEGER<0-255> | -si { STRING<1-256> | STRING<1-256> STRING<1-256> } | -h INTEGER<1-255> | -name | -uniform ] * STRING<1-255> [ -i { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
Change Description: The number of characters in the hostname is increased from 46 to 255.
Impact of the Upgrade: None

Original Command: tracert ipv6 [ -f INTEGER<1-255> | -m INTEGER<1-255> | -p INTEGER<1-65535> | -q INTEGER<1-65535> | -w INTEGER<1-65535> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -a X:X::X:X | -s INTEGER<20-9600> | -name | -v ] * STRING<1-46>
New Command: tracert ipv6 [ -f INTEGER<1-255> | -m INTEGER<1-255> | -p INTEGER<1-65535> | -q INTEGER<1-65535> | -w INTEGER<1-65535> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -a X:X::X:X | -s INTEGER<20-9600> | -name | -v ] * STRING<1-255>
Change Description: The number of characters in the hostname is increased from 46 to 255.
Impact of the Upgrade: None

Original Command: [ undo ] port trunk allow-pass vlan { { { INTEGER<1-4094> } [ to INTEGER<1-4094> ] } &<1-10> | all }
New Command: [ undo ] port trunk allow-pass vlan { { { INTEGER<1-4094> } [ to INTEGER<1-4094> ] } &<1-10> | all }
Change Description: The wlan-ess interface is no longer supported, and the macro is disabled.
Impact of the Upgrade: None

Original Command: port default vlan INTEGER<1-4094>
New Command: port default vlan INTEGER<1-4094>
Change Description: The wlan-ess interface is no longer supported, and the macro is disabled.
Impact of the Upgrade: None

Original Command: undo port default vlan
New Command: undo port default vlan
Change Description: The wlan-ess interface is no longer supported, and the macro is disabled.
Impact of the Upgrade: None

Original Command: reset arp { static | all | slot STRING<1-256> | dynamic }
New Command: reset arp { static | slot STRING<1-256> | dynamic }
Change Description: Traffic interruption resulting from misoperations is prevented.
Impact of the Upgrade: None

Original Command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-46> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-255> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: scp [ -port INTEGER<1-65535> | { public-net | vpn-instance STRING<1-31> } | { -a X.X.X.X | -i { STRING<1-256> | STRING<1-256> STRING<1-256> } } | -r | identity-key { rsa | dsa } | -cipher STRING<1-32> | -c ] * STRING<1-256> STRING<1-256>
New Command: scp [ -port INTEGER<1-65535> | { public-net | vpn-instance STRING<1-31> } | { -a X.X.X.X | -i { STRING<1-256> | STRING<1-256> STRING<1-256> } } | -r | identity-key { rsa | dsa | ecc } | user-identity-key { rsa | dsa | ecc } | -cipher STRING<1-32> | -c ] * STRING<1-256> STRING<1-256>
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: scp ipv6 [ -port INTEGER<1-65535> | { public-net | vpn-instance STRING<1-31> } | -a X:X::X:X | -r | identity-key { rsa | dsa } | -cipher STRING<1-32> | -c ] * STRING<1-256> STRING<1-256> [ -oi { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
New Command: scp ipv6 [ -port INTEGER<1-65535> | { public-net | vpn-instance STRING<1-31> } | -a X:X::X:X | -r | identity-key { rsa | dsa | ecc } | user-identity-key { rsa | dsa | ecc } | -cipher STRING<1-32> | -c ] * STRING<1-256> STRING<1-256> [ -oi { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: sftp [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ public-net | -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: sftp [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ public-net | -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: sftp client-transfile { get | put } [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] host-ip STRING<1-255> [ INTEGER<1-65535> ] [ [ public-net | -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] * username STRING<1-255> password STRING<1-128> sourcefile STRING<1-160> [ destination STRING<1-160> ]
New Command: sftp client-transfile { get | put } [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] host-ip STRING<1-255> [ INTEGER<1-65535> ] [ [ public-net | -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] * username STRING<1-255> password STRING<1-128> sourcefile STRING<1-160> [ destination STRING<1-160> ]
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: sftp client-transfile { get | put } ipv6 [ -a X:X::X:X ] host-ip STRING<1-46> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] * username STRING<1-255> password STRING<1-128> sourcefile STRING<1-160> [ destination STRING<1-160> ]
New Command: sftp client-transfile { get | put } ipv6 [ -a X:X::X:X ] host-ip STRING<1-255> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] * username STRING<1-255> password STRING<1-128> sourcefile STRING<1-160> [ destination STRING<1-160> ]
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: sftp ipv6 [ -a X:X::X:X ] STRING<1-46> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: sftp ipv6 [ -a X:X::X:X ] STRING<1-255> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: datasync terminalid INTEGER<1-15>
New Command: datasync terminalid INTEGER<1-2147483647>
Change Description: The terminal ID range is enlarged.
Impact of the Upgrade: None

Original Command: display dsa local-key-pair public
New Command: display { dsa | ecc } local-key-pair public
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: display dsa peer-public-key [ brief | name STRING<1-30> ]
New Command: display { dsa | ecc } peer-public-key [ brief | name STRING<1-30> ]
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: dsa peer-public-key STRING<1-30> encoding-type { pem | der | openssh }
New Command: { dsa | ecc } peer-public-key STRING<1-30> encoding-type { pem | der | openssh }
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: undo dsa peer-public-key STRING<1-30>
New Command: undo { dsa | ecc } peer-public-key STRING<1-30>
Change Description: ECC authentication is added.
Impact of the Upgrade: None

Original Command: port link-type { access | hybrid | trunk }
New Command: port link-type { access | hybrid | trunk }
Change Description: The wlan-ess interface is no longer supported, and the macro is disabled.
Impact of the Upgrade: None

Original Command: undo port link-type
New Command: undo port link-type
Change Description: The wlan-ess interface is no longer supported, and the macro is disabled.
Impact of the Upgrade: None

Original Command: peer { STRING<1-47> | X.X.X.X } allow-as-loop [ INTEGER<1-10> ]
New Command: peer { STRING<1-47> | X.X.X.X } allow-as-loop [ INTEGER<1-10> ]
Change Description: Optional keywords are added for the beCloud project.
Impact of the Upgrade: None

Original Command: peer { STRING<1-47> | X:X::X:X } allow-as-loop [ INTEGER<1-10> ]
New Command: peer { STRING<1-47> | X:X::X:X } allow-as-loop [ INTEGER<1-10> ] [ global-as [ vpn-as ] ]
Change Description: Optional keywords are added for the beCloud project.
Impact of the Upgrade: None

Original Command: routing-table rib-only [ route-policy STRING<1-40> ]
New Command: routing-table rib-only [ route-policy STRING<1-40> ]
Change Description: Whether the private network route in BGP delivers the IP routing table is controlled.
Impact of the Upgrade: None

Original Command: undo peer { STRING<1-47> | X.X.X.X } allow-as-loop
New Command: undo peer { STRING<1-47> | X.X.X.X } allow-as-loop
Change Description: Optional keywords are added for the beCloud project.
Impact of the Upgrade: None

Original Command: undo peer { STRING<1-47> | X:X::X:X } allow-as-loop
New Command: undo peer { STRING<1-47> | X:X::X:X } allow-as-loop
Change Description: Optional keywords are added for the beCloud project.
Impact of the Upgrade: None

Original Command: undo routing-table rib-only
New Command: undo routing-table rib-only
Change Description: Whether the private network route in BGP delivers the IP routing table is controlled.
Impact of the Upgrade: None

Original Command: receive-time utc STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
New Command: receive-time [ utc ] STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: receive-time utc STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
New Command: receive-time [ utc ] STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: send-time utc STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
New Command: send-time [ utc ] STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: send-time utc STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
New Command: send-time [ utc ] STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: protocol { tcp | udp | any }
New Command: protocol { tcp | udp | any | http | ssl | https | esp }
Change Description: The support of HTTP/SSL/HTTPS/ESP is added.
Impact of the Upgrade: None

Original Command: rserver INTEGER<0-31> { port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> } *
New Command: rserver INTEGER<0-31> { port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> } *
Change Description: The support of HTTP/SSL/HTTPS/ESP is added.
Impact of the Upgrade: None

Original Command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> ] *
New Command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> ] *
Change Description: The command that restricts the maximum number of connections of the physical server (max-connection INTEGER<0-65535>) is added.
Impact of the Upgrade: None

Original Command: reset packet-capture queue spu { INTEGER<0-3> | all }
New Command: reset packet-capture queue { INTEGER<0-4294967295> | all }
Change Description: The virtualization function is enhanced.
Impact of the Upgrade: None

Original Command: reset packet-capture statistic spu
New Command: reset packet-capture statistic
Change Description: The virtualization function is enhanced.
Impact of the Upgrade: None

Original Command: [ undo ] debugging vsys-resource [ event | msg | error | trace | rpc ] [ slot STRING<1-256> ]
New Command: [ undo ] debugging vsys [ event | msg | error | trace | rpc ]
Change Description: The virtual system debugging commands have been unified.
Impact of the Upgrade: None

Original Command: display resource global-resource [ resource-item { session | policy | user | bandwidth | session-rate | user-group | security-group } ]
New Command: display resource global-resource [ resource-item { session | l2tp-tunnel | policy | user | bandwidth | session-rate | user-group | security-group } ]
Change Description: The L2TP virtualization function is added.
Impact of the Upgrade: None

Original Command: display resource resource-usage [ resource-item { session | policy | user | session-rate | user-group | security-group | bandwidth { inbound | outbound | entire } } ]
New Command: display resource resource-usage [ resource-item { session | policy | user | session-rate | user-group | security-group | bandwidth { inbound | outbound | entire } | l2tp-tunnel } ]
Change Description: The L2TP virtualization function is added.
Impact of the Upgrade: None

Original Command: display resource resource-usage { all-systems | vsys STRING<1-31> } [ resource-item { session | policy | user | session-rate | user-group | security-group | bandwidth { inbound | outbound | entire } } ]
New Command: display resource resource-usage { all-systems | vsys STRING<1-31> } [ resource-item { session | policy | user | session-rate | user-group | security-group | bandwidth { inbound | outbound | entire } | l2tp-tunnel } ]
Change Description: The L2TP virtualization function is added.
Impact of the Upgrade: None

Original Command: alias TEXT0
New Command: alias TEXT0
Change Description: The command for the virtual system interface view is added.
Impact of the Upgrade: None

Original Command: undo alias
New Command: undo alias
Change Description: The command for the virtual system interface view is added.
Impact of the Upgrade: None

Original Command: [ undo ] firewall blacklist item user STRING<1-130> [ timeout INTEGER<1-1000> ]
New Command: [ undo ] firewall blacklist item user STRING<1-130> [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } destination-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } destination-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } source-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } source-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New Command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change Description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the Upgrade: None

Original Command: authentication-method { pre-share | rsa-signature }
New Command: authentication-method rsa-signature
Change Description: The control over the status of the certificate feature is added.
Impact of the Upgrade: None

Original Command: display ipsec sa { policy STRING<1-15> [ INTEGER<1-10000> ] | profile STRING<1-12> }
New Command: display ipsec sa policy STRING<1-15> [ INTEGER<1-10000> ]
Change Description: The control over the status of the profile feature is added.
Impact of the Upgrade: None

Original Command: local-id-type { ip | fqdn | dn | user-fqdn | name }
New Command: local-id-type { ip | fqdn | name }
Change Description: The control over the status of the certificate feature is added.
Impact of the Upgrade: None

Original Command: { remote-id-type | peer-id-type } { ip | fqdn | dn | any | esn | name }
New Command: { remote-id-type | peer-id-type } { ip | fqdn | any | esn | name }
Change Description: The control over the status of the certificate feature is added.
Impact of the Upgrade: None

Original Command: [ undo ] debugging pki { http | scep | ocsp | rsa | sm2 | cfg | all | pki } { message | event | error | timer | info | all }
New Command: [ undo ] debugging pki { http | scep | ocsp | rsa | cfg | all | pki } { message | event | error | timer | info | all }
Change Description: The individual registration of the sm2 command is added in that certain products do not support the sm2 command.
Impact of the Upgrade: None

Deleted commands
Command Cause of Deletion Impact

Command: [ undo ] super password complexity-check disable
Cause of Deletion: The firewall does not support super, and therefore the related command is deleted.
Impact: None

Command: [ undo ] ppp compression iphc enhanced no-delta
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc [ nonstandard | udp-only | udpandrtp | static ]
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc enhanced
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc aging-time { rtp INTEGER<0-30> | tcp INTEGER<120-3600> }
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc enhanced n-value INTEGER<1-8>
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc max-time INTEGER<0-10>
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc proportion INTEGER<1-5>
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: ppp compression iphc rtp-connections INTEGER<3-16384> [ static ]
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: undo ppp compression iphc
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: undo ppp compression iphc aging-time { rtp | tcp }
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: undo ppp compression iphc enhanced n-value
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: undo ppp compression iphc max-time
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: undo ppp compression iphc proportion
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: undo ppp compression iphc rtp-connections
Cause of Deletion: The firewall does not support iphc.
Impact: None

Command: set default ftp-directory STRING<1-160>
Cause of Deletion: This command is obsolete and supported only by the router.
Impact: None

Command: undo set default ftp-directory
Cause of Deletion: This command is obsolete and supported only by the router.
Impact: None

Command: multicast boundary policy INTEGER<0-4294967295> [ filter-autorp ]
Cause of Deletion: The device does not support mtunnel, and therefore the command is obsolete.
Impact: None

Command: multicast boundary policy { INTEGER<0-4294967295> | INTEGER<0-4294967295> } { in | out }
Cause of Deletion: The device does not support mtunnel, and therefore the command is obsolete.
Impact: None

Command: undo multicast boundary policy INTEGER<0-4294967295> [ filter-autorp ]
Cause of Deletion: The device does not support mtunnel, and therefore the command is obsolete.
Impact: None

Command: undo multicast boundary policy { INTEGER<0-4294967295> | INTEGER<0-4294967295> } { in | out }
Cause of Deletion: The device does not support mtunnel, and therefore the command is obsolete.
Impact: None

Command: undo multicast limit
Cause of Deletion: The device does not support multicast CAC, and therefore the command is obsolete.
Impact: None

Command: group X.X.X.X { X.X.X.X | INTEGER<4-32> } source X.X.X.X
Cause of Deletion: The device does not support ssm-map and ssm-map6 related functions.
Impact: None

Command: group X:X::X:X INTEGER<16-128> source X:X::X:X
Cause of Deletion: The device does not support ssm-map and ssm-map6 related functions.
Impact: None

Command: undo group { X.X.X.X { X.X.X.X | INTEGER<4-32> } [ source X.X.X.X ] | all }
Cause of Deletion: The device does not support ssm-map and ssm-map6 related functions.
Impact: None

Command: undo group { X:X::X:X INTEGER<16-128> [ source X:X::X:X ] | all }
Cause of Deletion: The device does not support ssm-map and ssm-map6 related functions.
Impact: None

Command: undo detect { java-blocking | activex-blocking }
Cause of Deletion: The command definition is repeated.
Impact: None

Command: [ undo ] debugging proxy { event | error | packet | trace | all }
Cause of Deletion: The architecture is modified.
Impact: None

Command: display mail-proxy-adapt session table [ source X.X.X.X ] [ destination X.X.X.X ] [ source-port INTEGER<1-65535> ] [ destination-port INTEGER<1-65535> ] [ timeout ] [ verbose ] [ protocol { smtp | pop3 } ]
Cause of Deletion: The architecture is modified.
Impact: None

Command: display mail-proxy-adapt { session | aging } statistics
Cause of Deletion: The mail proxy for IMAP is added. Therefore, the mime-header-group configuration of IMAP shall also exist.
Impact: None

Command: reset mail-proxy-adapt { session | aging } statistics
Cause of Deletion: The architecture is modified.
Impact: None

Command: reset { mail-proxy-adapt | mail-proxy } session table
Cause of Deletion: The architecture is modified.
Impact: None
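
A pre-upgrade check built from the "Deleted commands" table above, as an added example (not Huawei tooling and not part of the original guide): it scans an exported configuration file for lines that use a deleted configuration command and reports the view each one sits in. The sample configuration is constructed, the function names are hypothetical, and the rule list covers only the configuration-mode entries of the table, because display, reset and debugging entries are never stored in a configuration file.

```python
import re

# Configuration-mode entries of the "Deleted commands" table, with the stated cause.
# display/reset/debugging entries are omitted: they are never stored in a configuration file.
DELETED_RULES = [
    (r"super password complexity-check disable\b", "the firewall does not support super"),
    (r"ppp compression iphc\b", "the firewall does not support iphc"),
    (r"set default ftp-directory\b", "obsolete, supported only by the router"),
    (r"multicast boundary policy\b", "the device does not support mtunnel"),
    (r"group [0-9A-Fa-f:.]+ \S+ source \S+", "ssm-map and ssm-map6 are not supported"),
]
# A saved line may carry the "undo" form, so accept it as an optional prefix.
COMPILED = [(re.compile(r"(?:undo )?" + pat), why) for pat, why in DELETED_RULES]

# Constructed sample in the usual layout of an exported configuration:
# "#" separates sections, commands inside a view are indented by one space.
SAMPLE_CONFIG = """\
#
sysname NIP6800-A
#
interface Virtual-Template1
 ppp authentication-mode chap
 ppp compression iphc rtp-connections 100
 ppp compression iphc enhanced
#
interface GigabitEthernet1/0/1
 ip address 192.0.2.1 255.255.255.0
 multicast boundary policy 2000 in
#
firewall blacklist item source-ip 198.51.100.7 timeout 100
#
return
"""


def audit_config(text):
    """Return (line_no, view, command, cause) for every line that uses a deleted command."""
    findings = []
    view = "system"
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "#":          # section separator: back to the system view
            view = "system"
            continue
        indented = raw[0] in " \t"
        for rx, cause in COMPILED:
            if rx.match(line):
                findings.append((line_no, view if indented else "system", line, cause))
                break
        if not indented:         # an unindented line opens (or is) a new view
            view = line
    return findings


def format_report(findings):
    """Render findings as one text line each, ready for an upgrade work log."""
    return ["line %d [%s] %s -> deleted: %s" % f for f in findings]


if __name__ == "__main__":
    for row in format_report(audit_config(SAMPLE_CONFIG)):
        print(row)
```

Run it against the configuration file exported during data backup; any reported line has to be removed or replaced before the file is used as the startup configuration on the new version.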

2.1.3.2.3 Impact of Licenses

The license can still be used after the upgrade from V500R001C30SPC300 to V500R001C50.

2.1.3.2.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC300 to V500R001C50. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

2.1.3.3 Other Upgrade Impacts

- Impact on MIB nodes:
  Use the mapping MIB database.
- Impact on mapping devices:
  Upgrade the mapping devices or software to corresponding versions.

Table 2-7 Product version

Product                              Name                            Version
Network management software (NMS)    eSight                          V300R007C00
FireHunter                           FireHunter                      V100R001C60
Log system                           LogCenter                       V100R001C20SPC205
Controller                           Agile Controller-Campus         V200R003C20
                                     Agile Controller-DCN            V300R001C10
                                     Agile Controller-Cloud Manager  V200R002C00
Policy Center                        Policy Center                   V100R003C10
Inspection tool                      eDesk                           V100R001C00SPC300
SecoClient                           SecoClient                      1.50.2
Configuration conversion tool                                        V100R006C00B023

- Impact on the signature databases:
  After the software version is upgraded, you must upgrade the signature databases as well.

2.1.4 System Software


The system software required for the upgrade includes the system software (*.cc), PAF file,
and license file.
- During the upgrade, select the system program according to the product model.

  Product Model      System Software              Example
  NIP6830, NIP6860   NIP6800_version-number.cc    NIP6800V500R001C50SPC100.cc

- During the upgrade, select the PAF file paf.txt.
- During the upgrade, select the license file license_HUAWEI_X.txt.

2.2 Upgrading Version Software in Single-System

2.2.1 Impact of the Upgrade

2.2.1.1 Impact on the Current System During the Upgrade

If you upgrade the software version while the device is running, you must restart the
NIP6800 for the new software version to take effect, and the restart interrupts services.
When to restart the NIP6800 depends on your requirements. Choose an upgrade time that
minimizes the impact on services.

2.2.2 Precautions
During the upgrade, take the following precautions:
1. Ensure a stable power supply during the upgrade and avoid power failures. If the
   device cannot start normally after a power failure, try to upgrade in BootROM mode. For
   details, see section "Upgrade Through BootROM."
2. The registration of boards takes a period of time. After the device is restarted, do not
   perform any operations until all the boards are registered. When you run the display
   device command to check the registration status of a board, a registered board shows
   Registered in the Register field and Normal in the Status field.
3. Do not use the USB port of the MPU for version upgrade.
4. In case of dual MPUs, if one MPU is faulty and you replace it with a new one, you must
   upgrade the new one. For details, see "Appendix: Upgrading the MPU."

2.2.3 Upgrade Flow


Figure 1 shows the flow for upgrading to V500R001C50SPC100 from an earlier version.

Figure 2-1 Upgrade flowchart

Table 2-8 Upgrade overview


Category: Information collection
Item: Part information
Operation: Run the display device and display esn all commands.
Objective: To collect hardware information including the BOM code.

Category: Information collection
Item: Version information
Operation: Run the display version command.
Objective:
- To collect the software version information.
- Check whether the associated NMS needs to be upgraded. If the NMS version does not match, do not perform the upgrade.

Category: Information collection
Item: License information
Operation: Run the display license command.
Objective: To collect the license information.

Category: Data backup
Item: Configuration file
Operation: Save the software package and export it to a local PC.
Objective: To back up the currently used configuration file. It is recommended that the exported configuration file serve as the input for configuration conversion.

Category: Data backup
Item: Software version
Operation: Save the software package and export it to a local PC.
Objective: To back up the currently used software package.

Category: Data backup
Item: License file (license.dat)
Operation: Save the software package and export it to a local PC.
Objective: To back up the currently used license file.

Category: Data backup
Item: Patch file
Operation: Save the software package and export it to a local PC.
Objective: To back up the currently used patch file.

Category: Data backup
Item: User management database (usermanage.db)
Operation: Save the software package and export it to a local PC.
Objective: To back up the currently used user management database (upgrade from V500R001 or later versions).

Category: Data backup
Item: Sensitive Feature Component Packages
Operation: Save the software package and export it to a local PC.
Objective: To back up the sensitive feature component files loaded in the system (upgrade from V500R001 or later versions). To convert the source configuration files accordingly.

Category: Upgrade preparation tool
Item: V500R001C50SPC100 version software
Operation: Obtaining the Version Software Required By the Upgrade
Objective: V500R001C50SPC100 version software.

Category: Upgrade preparation tool
Item: V500R001C50SPC100 version software
Operation: Obtaining the Version Software Required By the Upgrade
Objective: V500R001C50SPC100 version software.

Category: Upgrade preparation tool
Item: paf file
Operation: Obtaining the Version Software Required By the Upgrade
Objective: Select the paf.txt file.

Category: Upgrade preparation tool
Item: Chassis license file
Operation: Obtaining the Version Software Required By the Upgrade
Objective: Select the license_HUAWEI_X.txt file.

Category: Upgrade preparation tool
Item: (Optional) Sensitive feature component package
Operation: Downloading Sensitive Feature Component Packages
Objective: To download the sensitive feature component package.

Category: Upgrade preparation tool
Item: (Optional) Signature database update file
Operation: Obtaining the Version Software Required By the Upgrade
Objective: To update the signature databases.

Issue 01 (2017-03-29) Huawei Proprietary and Confidential 194


Copyright Huawei Technologies Co., Ltd.
HUAWEI NIP6000&NIP6800&IPS Module
Upgrade Guide 2 NIP6800

Categor Item Operation Objective


y

Configur License file See "Impact of To analyze the display license


ation analysis Command Changes" in command output and check whether
analysis Upgrade Impact the license file needs to be converted
or merged according to the
description in section License
Impact.

Configurati See "Impact of Sensitive l To search the configuration for


on Features" in Upgrade sensitive features in V500R001
conversion Impact based on keywords in the current
analysis version according to section
Impact of Sensitive features.
These features are license-
controlled in V500R001, and you
must re-sign a contract with the
customer for a new license file.
You need to merge the new
license file with the original one.
The sensitive feature component
package needs to be separately
downloaded and loaded based on
the license.

Importing Manual Configuration To analyze the tool-based


files for the Conversion configuration conversion result and
upgrade manually convert the commands that
cannot be converted using the tool.

Configuration Configuration Verifications.


Verification

Importing Files for the l To import the license file.


Upgrade l To import the configuration file.
l To import the sensitive feature
component package.
l To specify the startup
configuration file.

Issue 01 (2017-03-29) Huawei Proprietary and Confidential 195


Copyright Huawei Technologies Co., Ltd.
HUAWEI NIP6000&NIP6800&IPS Module
Upgrade Guide 2 NIP6800

Categor Item Operation Objective


y

Upgrade Upgrade to Upgrade to V500R001 l Restart the device to complete the


operatio V500R001 upgrade to
ns V500R001C50SPC100.
(operatio l To specify the startup
ns configuration file.
performe l To load the license file for
d after V500R001C50SPC100 but do not
the save the configuration.
device is
isolated
from the
service
environ
ment)

Upgrade Upgrade Verifying the Upgrade To verify the upgrade.


verificati verification
on

Version Version Version rollback l To import backup data.


rollback rollback l To specify the configuration file
for the next startup.
l (Optional)To apply for the license
of the source version and activate
it.

2.2.4 Preparations for the Upgrade

2.2.4.1 Obtaining the Version Software Required By the Upgrade

Context
You need to collect the following files for the upgrade:

1. System program (*.cc)
Indicates the file with the file name extension .cc.
(NIP6830)NIP6800_V500R001C50SPC100.cc: Its size is bytes.
(NIP6830)NIP6800_V500R001C50SPC100PWE.cc: Its size is bytes.
(NIP6860&)NIP6800_V500R001C50SPC100.cc: Its size is bytes.
(NIP6860&)NIP6800_V500R001C50SPC100PWE.cc: Its size is bytes.
2. License file
Indicates a version information file. Select the license_HUAWEI_X.txt file.

3. PAF file
Indicates a version information file. Select the paf.txt file.

You need to prepare the following documents for reference:

- NIP6800 V500R001C50SPC100 Version Upgrade Instructions
- NIP6800 V500R001C50SPC100 Usage Guide
- NIP6800 V500R001C50SPC100 Release Notes

Procedure
Step 1 Log in to the homepage of Huawei at http://support.huawei.com/enterprise.

Step 2 If you are not a registered user, go to Step 3 to register first. If you are already a
registered user, go to Step 4 to log in.

Step 3 Click Register and register with the system according to the prompt. After the registration
succeeds, you will obtain your account and password. Keep them safe.

Step 4 Enter the user name, password, and displayed verification code, and then click Login.

Step 5 Click SUPPORT and choose Enterprise Security_Seco Space > Firewall Application
Security Gateway > Firewall&VPN Gateway. Choose V500R001 > V500R001C50SPC100 from the
Product Version drop-down list. Then click Product Software and the Patches tab. Choose
V500R001C50SPC100, and download the software and release documents.

----End

Follow-up Procedure
After obtaining the system program, PAF file, and license file, choose Software Center >
Controlled Tool (Mini-tool Software) > Core Network Product Line > Wireless-OSS >
iManager M2000-II > Public Tools to download the hash verification tool
HashMyFiles_1.68en.zip for verifying the MD5 values of the preceding files. You can use
this tool in the Windows 2000/XP/2003/Vista/Windows 7 operating systems. Details are as
follows:

1. Double-click HashMyFiles.exe to start the verification tool.


2. In the HashMyFiles window, choose File > Add Files.
3. Select the file to be verified in the Select one or more filenames to add window.
4. The verification tool generates the MD5 value of the file and displays the value in the
HashMyFiles window.

The verified MD5 values of the system program, PAF file, and license file should be the same
as those listed in the table. If they are different, the files may have been modified. Contact the
technical support personnel.

| File | MD5 |
| (NIP6830)NIP6800_V500R001C50SPC100.cc | |
| (NIP6830)NIP6800_V500R001C50SPC100PWE.cc | |
| (NIP6860&)NIP6800_V500R001C50SPC100.cc | |
| (NIP6860&)NIP6800_V500R001C50SPC100PWE.cc | |
| paf.txt | |
| license_HUAWEI_X.txt | |
| PWE : paf.txt | |
| PWE : license_HUAWEI_X.txt | |
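The MD5 comparison described above can also be scripted so that every downloaded file is checked in one pass. The following is an added example, not part of the Huawei guide or its tools; the function names and the reference values in demo() are constructed, and the real reference values come from the table in the guide.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_md5(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large .cc image is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_md5(text):
    """Accept upper case and embedded whitespace, as copied from a document table."""
    value = "".join(text.split()).lower()
    if len(value) != 32 or any(ch not in "0123456789abcdef" for ch in value):
        raise ValueError(f"not a 32-digit MD5 value: {text!r}")
    return value


def verify_files(directory, published):
    """Map each expected file name to OK, MISMATCH or MISSING."""
    results = {}
    for name, reference in published.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        same = hmac.compare_digest(file_md5(path), normalize_md5(reference))
        results[name] = "OK" if same else "MISMATCH"
    return results


def demo():
    """Constructed sample: small stand-in files, one altered after its value was recorded."""
    with tempfile.TemporaryDirectory() as workdir:
        contents = {
            "NIP6800_V500R001C50SPC100.cc": b"constructed system program bytes",
            "paf.txt": b"constructed paf contents",
        }
        # Constructed reference values standing in for the published MD5 column.
        published = {n: hashlib.md5(d).hexdigest().upper() for n, d in contents.items()}
        published["license_HUAWEI_X.txt"] = "0" * 32   # listed, but never downloaded
        for name, data in contents.items():
            (Path(workdir) / name).write_bytes(data)
        # Simulate a file that was modified after download.
        (Path(workdir) / "paf.txt").write_bytes(b"constructed paf contents, altered")
        return verify_files(workdir, published)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Any result other than OK means the file must not be loaded onto the device until the cause is known.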

2.2.4.2 Downloading Content Security Feature Component Packages

Context
Content security feature component packages are not released along with the software
package. You must access the security center website and load the packages in online mode,
or download and load them locally.
In V500R001, the following content security features compose the content security
component package: file blocking, data filtering, application behavior control, mail
filtering, SSL proxy, smart DNS, URL logging, and audit.

Procedure
Step 1 Access the Huawei security center at http://sec.huawei.com/sec (Internet Explorer version 8.0
or later, or Firefox).
Step 2 Expand the tab and select the product model and version, such as NIP6830 -
V500R001C50SPC100.
Step 3 Select and download the component package. The component packages are as follows:
URLRMT: component package for the URL remote query feature.
CSG: content security component package, including the file blocking, data filtering, mail
filtering, application behavior control, audit, URL logging, SSL proxy, and smart DNS
features.

NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security
feature component packages.
The content security feature component package to be loaded must be compatible with the system
software.

----End

2.2.4.3 Preparing the Upgrade Environment

Prerequisites
Before the upgrade, you need to log in to the CLI of the NIP6800 to prepare the upgrade
environment.
By default, IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the
MPU of the NIP6800. Alternatively, another accessible IP address may have been set on the device.
- You can use this IP address and the default user name admin and password Admin@123
  to log in to the CLI of the NIP6800 through Telnet.
- If the Telnet configuration is canceled or you want to use SSH for the login, log in to
  the NIP6800 from the console port to construct the Telnet or SSH environment. For
  details, see chapter "Appendix: Establishing the Upgrade Environment Through the
  Console Port." You are advised to use SSH to log in to the NIP6800 to secure data
  transfer.

Preparing Upgrade Tools


It is recommended that you prepare the following tools for upgrade:
- Login tool
  Login tools help you log in to the device through the console port, Telnet, or SSH. This
  document uses the tool in Windows as an example. In practice, it is recommended that
  you use a legitimate third-party tool, for example, SecureCRT, to log the upgrade
  operations in detail.
- File comparison tool
  File comparison tools help you compare the configuration files before and after upgrade
  for configuration loss. In practice, it is recommended that you use a legitimate third-party
  tool, for example, Beyond Compare.
- Inspection tool
  Inspection tools, SmartKit NSE2700 for example, help you comprehensively inspect the
  device after upgrade to ensure no problems exist. In practice, it is recommended that you
  use a version of the inspection tool that is applicable to the target version.

Preparing the Environment for the Upgrade Through CLI


The key to the upgrade through the CLI is how to transfer the version software to CF card 1
of the NIP6800. Currently, the following modes are supported:
- FTP mode with the NIP6800 as the FTP server
- FTP mode with the NIP6800 as the FTP client
- TFTP mode with the NIP6800 as the TFTP client
- SFTP mode with the NIP6800 as the SFTP server

NOTICE
Use interface GigabitEthernet 0/0/0 on the MPU of the NIP6800 to transfer the version
software. If you use an interface on the LPU to transfer the version software, use the FTP
service but not the TFTP service for transfer.

The following is an example in which the NIP6800 functions as an FTP server. This method
is easy because it does not require a third-party FTP server. For details on other modes, see
"Appendix: Uploading and Downloading Files." You are advised to use SFTP to transfer
files to secure data transfer.

As shown in Figure 2-2, the NIP6800 is configured as the FTP server and the version software is
located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the
version software to CF card 1 of the NIP6800 through FTP.

NOTE

You can use only one PC on which you run both the Telnet/SSH client and the FTP client. To facilitate
description, the network using two PCs is used as an example. The following steps apply to this two-PC
network.

Figure 2-2 Schematic diagram of the NIP6800 serving as the FTP server

Perform the following steps to configure the NIP6800 as the FTP server:

1. On PC1, log in to the CLI of the NIP6800 through Telnet or SSH.
It is recommended that you use interface GigabitEthernet 0/0/0 on the MPU of the
NIP6800 for login. By default, the IP address for interface GigabitEthernet 0/0/0 is
192.168.0.1, the user name is admin, and the password is Admin@123.
If both MPUs can be detected, use GigabitEthernet 0/0/0 on the active MPU for the
upgrade. You can check whether the MPU is active through the ACT indicator on it. If
the ACT indicator is on, the MPU is active. If the ACT indicator is off, the MPU is
standby.

2. Enter the system view and start the FTP service. Configure a user account with user
name ftpuser and password Admin@123, and specify the storage path of the FTP file.
This storage path must be cfcard:. You can use other user accounts as required.
V500R001:
[sysname] ftp server enable
[sysname] aaa
[sysname-aaa] manager-user ftpuser
[sysname-aaa-manager-user-ftpuser] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-ftpuser] service-type ftp
Warning: The user access modes include Telnet or FTP, so security risks exist.
[sysname-aaa-manager-user-ftpuser] level 3
[sysname-aaa-manager-user-ftpuser] ftp-directory cfcard:/
[sysname-aaa-manager-user-ftpuser] quit
[sysname-aaa] quit

3. On PC2, log in to the FTP server to check whether configurations are effective.
The following uses the configuration of Windows FTP client as an example. In practice,
you are advised to use a legitimate third-party FTP client (such as Cute FTP) to transfer
files.
Click Start and then Run. Enter cmd and then press Enter.
Enter ftp 192.168.0.1. This IP address is used when you log in to the NIP6800
through Telnet or SSH.
Enter the user name after the User (192.168.0.1:(none)) prompt and the password
after the Password prompt.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

If 230 User logged in. is displayed on the FTP client, you have logged in to the FTP
server normally.
After the configuration is verified, you can either keep this connection for further use, or
exit from the FTP server and log in to it again when required.

Preparing for the Environment for the Upgrade Through Web (HTTPS)
As shown in Figure 2-3, the NIP6800 is configured as the Web server and the version software
is located on PC2. On PC2, log in to the NIP6800 using the browser and then upload the
version software to the CF card of the NIP6800 through Web.

To transfer the PAF file to the CF card of the NIP6800, you need to configure PC2 as the FTP
server so that the NIP6800, as an FTP client, can download the PAF file and license file from PC2.

The Web service is enabled on the NIP6800 by default. You can use the IP address
192.168.0.1 of interface GigabitEthernet 0/0/0 on the MPU and the default user name admin
and password Admin@123 to log in to the web UI of the NIP6800 through HTTPS. If you
have disabled the Web service or deleted the default user, do as follows to reconfigure the
service.

NOTE

You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To
facilitate description, the network using two PCs is used as an example. The following steps apply to
this two-PC network.

Figure 2-3 Schematic diagram of the NIP6800 serving as the Web server

Do as follows to configure the NIP6800 as the Web server:

1. On PC1, log in to the CLI of the NIP6800 through Telnet or SSH.
It is recommended that you use interface GigabitEthernet 0/0/0 on the MPU of the
NIP6800 for login. By default, the IP address for interface GigabitEthernet 0/0/0 is
192.168.0.1, the user name is admin, and the password is Admin@123.
If both MPUs can be detected, use GigabitEthernet 0/0/0 on the active MPU for the
upgrade. You can check whether the MPU is active through the ACT indicator on it. If
the ACT indicator is on, the MPU is active. If the ACT indicator is off, the MPU is
standby.
2. Enter the system view and start the Web service. Configure a user with user name
webuser and password Admin@123 and the level of the Web user. You can use other
user names and passwords as required.
V500R001:
[sysname] web-manager security enable
Info: Web server has been enabled.
[sysname] aaa
[sysname-aaa] manager-user webuser
[sysname-aaa-manager-user-webuser] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-webuser] level 3
[sysname-aaa-manager-user-webuser] service-type web
[sysname-aaa-manager-user-webuser] quit
[sysname-aaa] quit

3. Log in to https://192.168.0.1:8443 using Internet Explorer on PC2 to verify the
configurations.
If the login interface of the Web server is displayed in the IE browser, and the login
succeeds through webuser and Admin@123, it indicates that you can log in to the Web
server normally.
After the configuration is verified, you can either keep this connection for further use, or
exit from the Web server and log in to it again when required.
4. Configure the FTP server.
This document does not provide the details about the FTP server program. Obtain the
FTP server program in a legitimate way, and configure the program according to related
documents. Assume that you have already created an FTP user account whose name is
123 and password is 123, and specified the root directory of the user as the directory for
saving the downloaded files.

Preparing for the Environment for the Upgrade Through CF card


When you use a CF card to upgrade the device, no network environment is required for
transferring the version software. However, to verify the upgrade result, you still need to issue
commands. Therefore, you need to build an environment in which you can log in to the
device through the console port, Telnet, or SSH.

Preparing the Environment for the Upgrade Through BootROM


During the device startup, you can access the BootROM menu. In BootROM environment,
transfer the version software to CF card 1 of the device, specify this version software for the
next startup, and restart the device.

NOTICE
Use interface GigabitEthernet 0/0/0 on the MPU of the NIP6800 to transfer the version
software.

The NIP6800 currently allows you to transfer the version software to CF card 1 through FTP
or TFTP in the BootROM menu. Whether you use FTP or TFTP, the NIP6800 functions as
the client that downloads the version software from the FTP or TFTP server. Figure 2-4 shows
the network for this case. In both modes, you must install third-party FTP or TFTP server
software on PC2.

NOTE

You can use only one PC on which you run both the HyperTerminal program and the FTP/TFTP server.
To facilitate description, the network using two PCs is used as an example. The following steps apply to
this two-PC network.

Figure 2-4 Schematic diagram of the NIP6800 serving as the FTP/TFTP client

This section uses the NIP6800 serving as the FTP client as an example.
This document does not provide the details about the FTP server program. Obtain the FTP
server program in a legitimate way, and configure the program according to related
documents. Assume that you have already created an FTP user account whose name is 123
and password is 123, and specified the root directory of the user as the directory for saving the
downloaded files.

2.2.4.4 Checking the Information About the Current Version Software

Example
In any view, run the display version command to check the information about the running
version software. The following uses v500r001c00spc500.cc as an example. Part of output is
omitted.
<NIP6800> display version
Huawei Technologies Versatile Security Platform Software
Software Version: NIP6830 V500R001C00 (VSP (R) Software, Version 5.70)
..........

In any view, run the display startup command to check the version software and
configuration file in use. You need to record the underscored file names, facilitating file
backup.
<NIP6800> display startup
MainBoard:
Configed startup system software: cfcard:/v500r001c00spc500.cc
Startup system software: cfcard:/v500r001c00spc500.cc
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup saved-configuration file: cfcard:/config.cfg
Next startup saved-configuration file: cfcard:/config.cfg
Startup paf file: cfcard:/paf.txt
Next startup paf file: cfcard:/paf.txt
Startup license file: cfcard:/license.txt
Next startup license file: cfcard:/license.txt
Startup patch package: cfcard:/patchpackage.pat
Next startup patch package: cfcard:/patchpackage.pat

2.2.4.5 Checking the License In Use

Prerequisites
If the license function is not in use, skip this section.

Background Information
The licenses of the NIP6800 comprise the commercial and non-commercial ones.
- Commercial licenses
  Indicates the licenses purchased by signing official contracts.
- Non-commercial licenses
  Indicates the licenses used for testing. Non-commercial licenses have time limitations
  and the general validity period is three months.
Before the upgrade, it is recommended that you perform the following procedure to check the
information on the current license, and ensure the validity of the license.

Procedure
Step 1 Check information on the current license
Run the display license command in any view to check the license information.

NOTICE
The length of storage path and file name of the license.dat file cannot be more than 64
characters.

<NIP6800> display license
MainBoard:
Device ESN is: 02734710
The file activated is: cfcard:/license.dat
The time when activated is: 2013/04/12 16:14:11
Number of VPN Tunnels-R: 1000000
Number of Virtual Systems: 4095
GTP: Enable
6RD Session Scale: 1280M
NAT64 Session Scale: 1280M
DS-Lite Session Scale: 1280M
Firewall Upgrade Additional Performance: 1280Gbps

The underscored fields in the information that is displayed indicate the activated license file.
Here license.dat is only used as an example. In practice, use the actual information.
The following is a sample displayed after the more command is executed in the user view of
the NIP6800 to check the license file. Here license.dat is only used as an example. In
practice, use the actual license name to replace license.dat.
<NIP6800> more license.dat
..........
Product=NIP6800
Feature=FWVTNL1
Esn="ANY"
Attrib="DEMO, 2013-06-01, 60, NULL, NULL, NULL"
Resource="LFWCVTNL07=10000"
Comment="() Activated by FNOWS ON251511-AA793E790A5-"

Sign=
2DA1A02B097D9151BDF18C71B42FA186733F68A387C4BF9891E7F1AC76AAD020555E5B90382CDC1BAF
B6F907E29AEA581F7C0862082194B3025E39F2A0E7CE
FD9609D654931AD00943B15043CA9ABAC62C1017AEAA8EF237731CC1752225B98E5FD731C0AA38C4C6
F1596E11430D10C9296F2AF663F70333F2BDACBC606765C3
..........

Note the underscored text. DEMO indicates that the license is a non-commercial license
whereas COMM stands for the commercial license. 2013-06-01 indicates the validity period
of the license file.
Step 2 Apply for a license file.
If the license has expired, apply for a license file. For details, see chapter "Appendix:
Applying for a License."

----End
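The Attrib check described in this procedure can be automated over the text returned by the more command. The following is an added example, not Huawei code: the function names are hypothetical, the second record in SAMPLE (feature FWEXAMPLE1) and the Sign placeholder are constructed, and treating the date itself as the last valid day is an assumption.

```python
import re
from datetime import date

# Only the two fields this check needs; Product=, Esn=, Sign= and filler are skipped.
FIELD_RE = re.compile(r'^\s*(Feature|Attrib)\s*=\s*"?([^"]*)"?\s*$')
KINDS = {"DEMO": "non-commercial", "COMM": "commercial"}

# First record is the excerpt shown in the guide; the rest is constructed.
SAMPLE = """\
Product=NIP6800
Feature=FWVTNL1
Esn="ANY"
Attrib="DEMO, 2013-06-01, 60, NULL, NULL, NULL"
Resource="LFWCVTNL07=10000"
Comment="() Activated by FNOWS ON251511-AA793E790A5-"
Sign=
0000 (constructed placeholder for the signature value)
Product=NIP6800
Feature=FWEXAMPLE1
Esn="ANY"
Attrib="COMM, 2030-01-01, 60, NULL, NULL, NULL"
"""


def parse_license(text):
    """Return one record per Feature= entry with its Attrib type and date."""
    records, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "Feature":
            current = {"feature": value, "kind": None, "date": None}
            records.append(current)
        elif current is not None:
            fields = [part.strip() for part in value.split(",")]
            current["kind"] = fields[0]
            if len(fields) > 1:
                try:
                    current["date"] = date.fromisoformat(fields[1])
                except ValueError:
                    pass  # second field is not a YYYY-MM-DD date
    return records


def check_license(text, today):
    """Return (feature, license type, state) for every feature in the file."""
    findings = []
    for record in parse_license(text):
        kind = KINDS.get(record["kind"], "unknown type")
        if record["date"] is None:
            state = "no date"
        elif record["date"] < today:   # assumption: the date is the last valid day
            state = "expired"
        else:
            state = "valid"
        findings.append((record["feature"], kind, state))
    return findings


def needs_new_license(findings):
    """Features for which a license file must be applied for before the upgrade."""
    return [feature for feature, _kind, state in findings if state == "expired"]


if __name__ == "__main__":
    for row in check_license(SAMPLE, date.today()):
        print(*row, sep=" | ")
```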

2.2.4.6 Checking the Running Status of the Device

Checking the CPU and Memory Usage


In any view, run the display health command to check the CPU and memory usage. You need
to record the CPU and memory usage before and after upgrade for comparison. This will help
you check whether the running status of the device is normal after upgrade.
<NIP6800> display health
Slot               CPU Usage   Memory Usage(Used/Total)
---------------------------------------------------------
 9 MPU(Master)     7%          14%  280MB/1887MB
 1 LPU             7%          31%  129MB/405MB
 6 SPU             5%          41%  382MB/917MB
 8 LPU             6%          32%  133MB/405MB
10 MPU(Slave)      6%          14%  279MB/1887MB

Checking the Registration Status of Boards


In any view, run the display device command to check the registration status of the boards. In
normal cases, the Status column should be Normal.
<NIP6800> display device
NIP6830's Device status:
Slot #   type   online    register     status   primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1        LPU    Present   Registered   Normal   NA
6        SPU    Present   Registered   Normal   NA
8        LPU    Present   Registered   Normal   NA
9        MPU    Present   NA           Normal   Master
10       MPU    Present   Registered   Normal   Slave
11       SFU    Present   Registered   Normal   NA
12       SFU    Present   Registered   Normal   NA
13       SFU    Present   Registered   Normal   NA
14       SFU    Present   Registered   Normal   NA
15       CLK    Present   Registered   Normal   Master
16       CLK    Present   Registered   Normal   Slave
17       PWR    Present   Registered   Normal   NA
18       PWR    Present   Registered   Normal   NA
19       FAN    Present   Registered   Normal   NA

When Unregistered is displayed in the Register column, it indicates that the board in the slot
fails to be registered. When Abnormal is displayed in the Status column, it indicates that the
board in the slot is running abnormally.

NOTE

If NA is displayed in the Register field, the board is a master MPU.

When the board in a certain slot cannot be registered or runs abnormally, record the board
status and contact technical support personnel to check whether the device can be upgraded or
the board needs to be replaced. After the upgrade, check the status of the board. If the board
still cannot run normally, contact technical support personnel.
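The board checks above, applied to captured display device output before and after the upgrade. This is an added example, not Huawei code: the function names are hypothetical, BEFORE is the sample output from this section, and AFTER is a constructed post-upgrade capture in which slot 8 fails to register and slot 14 no longer appears.

```python
import re

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("type", "online", "register", "status", "primary")

BEFORE = """\
<NIP6800> display device
NIP6830's Device status:
Slot # type online register status primary
- - - - - - - - - - - - - - - - - - - -
1 LPU Present Registered Normal NA
6 SPU Present Registered Normal NA
8 LPU Present Registered Normal NA
9 MPU Present NA Normal Master
10 MPU Present Registered Normal Slave
11 SFU Present Registered Normal NA
12 SFU Present Registered Normal NA
13 SFU Present Registered Normal NA
14 SFU Present Registered Normal NA
15 CLK Present Registered Normal Master
16 CLK Present Registered Normal Slave
17 PWR Present Registered Normal NA
18 PWR Present Registered Normal NA
19 FAN Present Registered Normal NA
"""

# Constructed post-upgrade capture.
AFTER = BEFORE.replace("8 LPU Present Registered Normal NA",
                       "8 LPU Present Unregistered Abnormal NA")
AFTER = AFTER.replace("14 SFU Present Registered Normal NA\n", "")


def parse_display_device(output):
    """Return {slot: {type, online, register, status, primary}} from the table rows."""
    boards = {}
    for line in output.splitlines():
        match = ROW_RE.match(line)   # header, separator and prompt lines do not match
        if match:
            boards[int(match.group(1))] = dict(zip(FIELDS, match.groups()[1:]))
    return boards


def board_problems(boards):
    """Apply the rules from this section to one capture."""
    problems = []
    for slot, board in sorted(boards.items()):
        master_mpu = board["type"] == "MPU" and board["primary"] == "Master"
        if board["register"] == "Unregistered":
            problems.append((slot, "failed to register"))
        elif board["register"] == "NA" and not master_mpu:
            # NA in the Register column is expected only for the master MPU.
            problems.append((slot, "Register is NA on a board that is not the master MPU"))
        if board["status"] != "Normal":
            problems.append((slot, f"status {board['status']}"))
    return problems


def compare_snapshots(before, after):
    """List boards that disappeared or whose columns changed across the upgrade."""
    changes = []
    for slot, old in sorted(before.items()):
        new = after.get(slot)
        if new is None:
            changes.append((slot, "missing after upgrade"))
            continue
        for field in FIELDS:
            if old[field] != new[field]:
                changes.append((slot, f"{field}: {old[field]} -> {new[field]}"))
    return changes


if __name__ == "__main__":
    pre, post = parse_display_device(BEFORE), parse_display_device(AFTER)
    print(board_problems(pre), board_problems(post), compare_snapshots(pre, post), sep="\n")
```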

Checking Session Statistics


In any view, run the display firewall session statistics command to check session statistics.
You need to record the session statistics before and after upgrade for comparison. This will
help you check whether the services of the device are normal after upgrade.
<NIP6800> display firewall session statistics
Session Statistics:
Slot 6 cpu 0: 0
Slot 6 cpu 1: 0
Slot 6 cpu 2: 0
Slot 6 cpu 3: 0
Total 0 session(s) on all slots.
Session Creation Rate(num/s):
Slot 6 cpu 0: 0
Slot 6 cpu 1: 0
Slot 6 cpu 2: 0
Slot 6 cpu 3: 0
Total session(s) creation rate on all slots is 0.

Checking Traffic Statistics


In any view, run the display interface interface-type interface-number command to check the
traffic statistics on a service interface. You need to record the traffic statistics before and after
upgrade for comparison. This will help you check whether the services of the device are
normal after upgrade.
The following is sample output from this command on GigabitEthernet 1/0/2:
<NIP6800> display interface GigabitEthernet 1/0/2
GigabitEthernet1/0/2 current state : UP
Line protocol current state : UP
Description: test

Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-8239-1e5c
Media type: twisted-pair ,Link type: auto negotiation
Loopback:none, Maximal BW:1G, Current BW:1G,full-duplex mode, negotiation: enable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2013-04-12 17:54:44 UTC+08:00
Last physical down time : 2013-04-12 17:54:36 UTC+08:00
Max input bit rate: -
Max output bit rate: -
Max input packet rate: -
Max output packet rate: -
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 216 bits/sec, 0 packets/sec
Input: 228 bytes, 3 packets
Output: 58214 bytes, 647 packets
Input:
Unicast: 0 packets, Multicast: 2 packets
Broadcast: 1 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 647 packets
Broadcast: 0 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
System: 0 packets, Overruns: 0 packets
TxPause: 0 packets
Unknown Vlan: 0 packets
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.01%

2.2.4.7 Backing Up the Important Data in CF Card

Context
The important data refers to the configuration file, license file(*.dat), patch file, and system
program before the upgrade. You can use the display startup command to view the
configuration file, patch file, and system program in use and the display license command to
view the license file in use.

Do as follows to back up the important data in CF card:

Procedure
Step 1 On PC2, log in to the NIP6800 through FTP. The following uses the FTP client of the
Windows operating system as an example. In practice, you are advised to use a legitimate
third-party FTP client (such as Cute FTP) to transfer files.

The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

Step 2 Set the transmission mode of the file and configure the directory for storing the backup file as
a directory on PC2, for example, D:\FTP\Backup. Note that the directory must already exist.
You can use another existing directory as required.
ftp> binary //Run the binary command to configure the binary mode for transmitting files.
ftp> lcd "d:\FTP\Backup" //Configure the directory on PC2 for storing the backup file.

Step 3 Run the get remote-filename [ local-filename ] command to download the file and save it in
the D:\FTP\Backup directory of PC2. For example, download config.cfg, paf.txt,
license_huawei_x.txt, license.dat (if available), the sensitive feature component packages
*.mod (if available), and the system program before the upgrade (v500r001c00.cc) to PC2 for backup.
ftp> get config.cfg
..........
ftp: 4545 bytes received in 0.01Seconds 303.00Kbytes/sec.
ftp> get license.dat
..........
ftp: 2032 bytes received in 0.01Seconds 202.83Kbytes/sec.
ftp> get paf.txt
..........
ftp: 109256 bytes received in 1.3Seconds 1087.67Kbytes/sec.
ftp> get v500r001c00.cc
..........
ftp: 216118051 bytes received in 82.90Seconds 1087.67Kbytes/sec.
ftp> get license_huawei_x.txt
..........
ftp: 15307 bytes received in 1.3Seconds 1087.67Kbytes/sec.
ftp> cd $_install_mod
ftp> get CSG_H50010000.mod
..........
ftp: 955129 bytes received in 82.90Seconds 1087.67Kbytes/sec.
ftp> get URLRMT_H50010000.mod
..........
ftp: 955129 bytes received in 82.90Seconds 1087.67Kbytes/sec.

After the downloading is complete, check whether the sizes of the files on PC2 are the same
as those in the CF card. If not, download the files again to ensure that they are completely
backed up to PC2.
After the configuration is verified, you can either keep this FTP connection for further use, or
exit from the FTP server and log in to it again when required.

----End

2.2.4.8 Configuration Conversion

Manual Configuration Conversion


Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.
Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//These commands are not supported in V500R001. Confirm with the customer to check whether these functions can be ignored.

Convert the commands starting with **** according to NIP6000&NIP6800&IPS Module
V500R001C50SPC100 Command Manual Conversion Guide.
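On a long configuration, the **** and @@@@ markers are easy to miss by eye. The following added example (not part of the Huawei conversion tool; function names are hypothetical) lists both kinds of marked command with line number and enclosing view, and refuses a file that still contains either. The indentation in SAMPLE is constructed, on the assumption that commands inside a view are indented in the result file.

```python
MANUAL, UNSUPPORTED = "****", "@@@@"

# The example from this section without the explanatory // notes; indentation constructed.
SAMPLE = """\
profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other
  target both
  severity low medium high
  protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
#
"""


def scan_conversion_result(text):
    """Return (manual, unsupported) lists of (line number, enclosing view, command)."""
    manual, unsupported = [], []
    view = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line == "#":                      # "#" closes the current configuration view
            view = None
        elif line.startswith(MANUAL):
            manual.append((number, view, line[len(MANUAL):].strip()))
        elif line.startswith(UNSUPPORTED):
            unsupported.append((number, view, line[len(UNSUPPORTED):].strip()))
        elif not raw[0].isspace():           # an unindented command opens a new view
            view = line
    return manual, unsupported


def drop_unsupported(text):
    """Delete the @@@@ lines once the customer has confirmed they can be ignored."""
    kept = [line for line in text.splitlines()
            if not line.strip().startswith(UNSUPPORTED)]
    return "\n".join(kept) + "\n"


def ready_to_load(text):
    """True only when no **** or @@@@ marker is left in the file."""
    manual, unsupported = scan_conversion_result(text)
    return not manual and not unsupported


if __name__ == "__main__":
    todo, removed = scan_conversion_result(SAMPLE)
    for number, view, command in todo:
        print(f"line {number}: convert manually in [{view}]: {command}")
    for number, view, command in removed:
        print(f"line {number}: not supported in V500R001: {command}")
    print("ready to load:", ready_to_load(drop_unsupported(SAMPLE)))
```

Run it again after the manual edits; the file should be loaded onto a device only when ready_to_load returns True.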

Verifying the Converted Configuration


It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of configuration must be consistent. If the verification
environment is unavailable on the site, you are advised to contact technical support engineers
for support.

2.2.4.9 Checking the Remaining Space of the CF Card

Checking Remaining Space


In the user view, run the dir cfcard: command to check the remaining space of CF card 1 and
ensure that CF card 1 has sufficient space to contain the target version software.
<NIP6800> dir cfcard:
Directory of cfcard:/
0 -rw- 53 Jan 25 2010 12:19:36 private-data.txt
1 -rw- 66033 Jan 25 2010 12:10:50 paf.txt
2 -rw- 12757 Jan 25 2010 12:11:02 license.txt
3 -rw- 4545 Sep 25 2009 16:02:46 config.cfg
4 -rw- 216118051 Jan 25 2010 12:15:38 NIP6800v500r001c00.cc
5 -rw- 2032 Feb 05 2010 11:12:38 license.dat
..........
1013760 KB total (791776 KB free)

The value in parentheses on the last line (791776 KB free) is the remaining space of CF card 1.


In addition, you can run the dir cfcard2: command in the user view to check the free space of
CF card 2. If no log server is deployed on the live network, and the free space of CF card 2
is insufficient, you can manually save log files to a PC through FTP, preventing new logs
from overwriting old ones.
<NIP6800> dir cfcard2:
Directory of cfcard2:/
0 drw- - Jan 06 2011 05:54:48 log
498680 KB total (286512 KB free)

The value in parentheses on the last line of the previous output (286512 KB free) is the free space of CF card 2.

Deleting Unnecessary Files


If the remaining space is smaller than the size of the target version software, you need to
delete unnecessary files. In the user view, run the delete command to delete useless files in
CF card 1.
<NIP6800> delete /unreserved cfcard:/bak.txt

The contents cannot be recycled!!! Delete cfcard:/bak.txt?[Y/N]:y


<NIP6800> delete /unreserved slave#cfcard:/bak.txt
The contents cannot be recycled!!! Delete slave#cfcard:/bak.txt?[y/n]:y

Files are deleted directly and cannot be restored when the delete command is run with the
/unreserved parameter.

NOTE

• The system program (*.cc) is large in size. Deleting unnecessary system programs can free a
large amount of space on CF card 1. However, you cannot delete the system program currently
used by the device.
• If you use the BootROM for upgrade, delete the useless files in the BootROM environment. For
details on operation methods, see Upgrade Through BootROM.

2.2.5 Upgrade Procedure

2.2.5.1 Upgrade Modes

To enable the upgrade from an earlier version to V500R001C50SPC100, select a proper
upgrade mode as required, as shown in Table 2.

Upgrade modes

| Upgrade Mode | Application Scenario | Strength | Prerequisites |
|---|---|---|---|
| CLI (recommended) | When the device is running normally and carries service traffic, the CLI is recommended for the upgrade. | All versions support the CLI mode. The CLI mode is easy-to-operate and has small impacts on services. | Transmitting the version software requires the support of the network environment. The device needs to be configured as the FTP server or the third-party FTP/TFTP server program is required. |
| Web | When the device is running normally and carries service traffic, users familiar with graphical interfaces can use this mode for the upgrade. | The Web interfaces are graphical, easy-to-operate, and visualized. This mode has small impacts on services. | Transmitting the version software requires the support of the network environment and the device needs to be configured as the Web server. When you transfer PAF file and license file, the device needs to be configured as the FTP server or the third-party FTP/TFTP server program is required. |
| CF card | The upgrade environment does not need to be prepared. Users who are not familiar with the CLI or Web operations can use this mode for the upgrade. | The operations are easy. This mode does not require the support of the network environment and has small impacts on services. | The CF card needs to be prepared. |
| BootROM | When the device cannot be started or the version software is faulty, use this mode for the upgrade. | All versions support this mode. When the device is faulty or the version software cannot be loaded, the upgrade can be performed in this mode only. | The operations are complicated and have great impacts on services. Transmitting the version software requires the support of the network environment. |
NOTE
The mentioned version software includes the system program (*.cc), PAF file, Sensitive Feature
Component Package and license file.
Version software must be stored in CF card 1. CF card 1 is located in the circuit board of the MPU and
mainly used to store the version software and configuration file. CF card 2 is located in the panel of the
MPU and mainly used to store log and alarm information.

2.2.5.2 Upgrade Through CLI

Upgrade Flow
Figure 1 shows the flow of upgrading the version software through CLI.

Figure 2-5 Flowchart of the version software upgrade through the CLI

Procedure
Step 1 On PC2, log in to the NIP6800 through FTP. FTP is used only as an example. You are advised
to use SFTP to secure the file transfer.

The following uses the Windows FTP client as an example. In practice, you are advised to use
a legitimate third-party FTP client (such as Cute FTP) to transfer files.

If the FTP connection established for backing up the important data to CF card 1 remains,
perform Step 2; if the FTP connection has timed out, log in again.

Step 2 Set the transmission mode of the file and configure the directory for storing the required
upgrade files as a directory on PC2, for example, D:\FTP. Note that the directory must
already exist. You can use another existing directory as required.
ftp> binary //Run the binary command to configure the binary mode for transferring files.
ftp> lcd "d:\FTP" //Configure the directory on PC2 for storing the required upgrade files.

CAUTION
The binary mode is required for file integrity, especially in the Linux or Unix system.

Step 3 Run the put command to upload the system program to CF card 1 of the NIP6800.

ftp> put NIPV500R001C50SPC100.cc


..........
ftp: 254711997 bytes sent in 192.90Seconds 970.68Kbytes/sec.

Uploading the system program may take a few minutes, depending on the network conditions.
Please wait patiently.

NOTICE
After the uploading is complete, check whether the size of the file in the CF card is the same
as that on PC2. If not, re-upload the file to ensure that it is completely uploaded to the CF card.

Step 4 Run the put command to upload the configuration file (such as vrpcfg_new.cfg) to the CF
card on the NIP6800. The name of the file to be uploaded cannot be the same as the name of
any file on the CF card. If a file with the same name exists on the CF card, the file will be
replaced by the uploaded one.
ftp> put D:\FTP\vrpcfg_new.cfg

NOTICE
After the uploading is complete, check whether the size of the file on the CF card is the same
as that on PC2. If not, re-upload the file to ensure that it is completely uploaded to the CF card.

Step 5 Rename license_Secospace_X.txt to license_spcxxx.txt, and upload the file to the CF card 1
in the NIP6800. If a file with the same name exists in CF card 1, the system displays a
message to indicate whether to overwrite the original file.
NOTE

You can modify the names of the system program (*.cc), the PAF file, and license file. To ensure that
two software versions work on the same device, you are advised to modify the names of PAF and license
files and add the SPC version at the end of the file name, such as license_spcxxx.txt.
After the uploading is complete, check whether the size of the file in the CF card is the same as that on
PC2. If not, re-upload the file to ensure that it is completely uploaded to the CF card.
ftp> put license_spcxxx.txt
..........
ftp: 12757 bytes sent in 0.03Seconds 425.23Kbytes/sec.

Step 6 Rename paf.txt to paf_spcxxx.txt and upload it to the CF card 1 in NIP6800. If a file with the
same name exists in CF card 1, the system prompts you to determine whether to overwrite the
original file.
ftp> put paf_spcxxx.txt
..........
ftp: 66033 bytes sent in 0.05Seconds 1320.66Kbytes/sec.

NOTICE
After the uploading is complete, check whether the size of the file in the CF card is the same
as that on PC2. If not, re-upload the file to ensure that it is completely uploaded to the CF card.

Step 7 After files are uploaded, exit from the FTP environment. On PC1, log in to the CLI of the
NIP6800 through Telnet or SSH. You are advised to use SSH to log in to the NIP6800 to
secure data transfer.
Step 8 If both MPUs are present, run the copy command in the user view to copy
NIPV500R001C50SPC100.cc, PAF and license to the standby MPU.
<NIP6800> copy cfcard:/NIPV500R001C50SPC100.cc slave#cfcard:/
<NIP6800> copy cfcard:/vrpcfg_new.cfg slave#cfcard:/
<NIP6800> copy cfcard:/paf_spcxxx.txt slave#cfcard:/
<NIP6800> copy cfcard:/license_spcxxx.txt slave#cfcard:/

Step 9 Run the startup system-software filename command to configure the version software used
for the next startup of the NIP6800.
<NIP6800> startup system-software NIPV500R001C50SPC100.cc
Info: Succeeded in setting the software for booting system.

Step 10 Run the startup license filename command to configure the license file used for the next
startup of the NIP6800.
<NIP6800> startup license license_spcxxx.txt
Info: Succeeded in setting main board resource file for system.

Step 11 Run the startup paf filename command to configure the PAF file used for the next startup of
the NIP6800.
<NIP6800> startup paf paf_spcxxx.txt
Info: Succeeded in setting main board resource file for system.

Step 12 Run the startup save-configuration filename command to set the configuration file used for
the next startup of the NIP6800. The uploaded configuration file is the post-conversion one.
<NIP6800> startup save-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.

Step 13 If both MPUs are in position, run the following commands in the user view to configure the
version software, license file and PAF file for the next startup of the standby MPU of the
NIP6800.
<NIP6800> startup system-software NIPV500R001C50SPC100.cc slave-board
Info: Succeeded in setting the software for booting system.
<NIP6800> startup license license_spcxxx.txt slave-board
Info: Succeeded in setting slave board resource file for system.
<NIP6800> startup paf paf_spcxxx.txt slave-board
Info: Succeeded in setting slave board resource file for system.

Step 14 (Optional) Upgrade Content Security Features.


Run the put command to upload the content security feature component package (such as
CSG_H50010000_xxx.mod) of V500R001C50SPC100 to the $_install_mod folder in the CF
card of the NIP6300/6600. The name of the file to be uploaded cannot be the same as the
name of any existing file in the CF card. If a file with the same name already exists in the CF
card, the file is replaced by the uploaded file.

NOTICE
• If no content security feature is involved, skip this step.
• Ensure that an activated license file is available. If the license file is not activated, the
upgrade fails.
• You must obtain the component package from the security center (http://sec.huawei.com)
in advance and upload it to the $_install_mod folder in the root directory. Then, load the
component package as follows:

Upgrade package:
• Upgrading V500R001 to V500R001C50SPC100.
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup

Cloud sandbox component package
install-module CSB_H50010000_yyy.mod next-startup

After the configuration is complete, run the display module-information verbose command
to view details on the dynamically loaded component package. The following information is a
part of the command output. If the State value is INSTALL_OK, the component package has
been successfully loaded.
<NIP6800> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
URL Filter 1.0.0.0 2015-12-23 11:13:37+00:00 URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -

Step 15 Run the reboot command to restart the NIP6800.

NOTICE
• Before running the reboot command, run the display startup command to check the
version software used for the next startup of the NIP6800.
• If the configuration file is imported, do not restart the device.
• For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file is not
imported, you are advised to save the current configurations before restarting the device.

Restart without save

<NIP6800> reboot fast


mpu 9:
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Paf: V500R001C50SPC100
License: V500R001C50SPC100
Next startup saved-configuration file: cfcard:/vrpcfg_new.cfg

Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the configuration file for the
next startup:cfcard:/vrpcfg_new.cfg, Continue?[Y/N]:n
System will reboot! Continue?[Y/N]:y

Save and restart


<NIP6800> reboot
mpu 9:
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Paf: V500R001C50SPC100
License: V500R001C50SPC100
Next startup saved-configuration file: cfcard:/ vrpcfg_new.cfg

Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next
startup saved-configuration file cfcard:/ vrpcfg_new.cfg .
Continue? [Y/N]:y

Now saving the current configuration to the slot 9.

Save the configuration successfully.

Info: If want to reboot with saving diagnostic information, input 'N' and then
execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

The duration of device startup depends on the hardware configurations and configuration file.
The more boards the device has, the longer the board registration lasts; the more items are
configured, the longer the configuration restoration lasts.
Step 16 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 17 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Run the put command to upload the new license file (for example, license_new.dat) to the CF
card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.

Run the license active filename command in the system view to activate the license file.
[NGFW] license active license_new.dat
Info:License is successfully activated.

----End
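
The free-space check in 2.2.4.9 and the size comparison required after each put in this procedure both come down to reading the dir cfcard: listing. The following added example (not part of the Huawei guide) parses a captured listing and reports the space shortfall, the system programs that could be deleted, and the uploads whose size on the card differs from PC2. It assumes the listing format of the sample in 2.2.4.9; the function names and the second listing are constructed.

```python
"""Free-space and upload-size checks from captured 'dir cfcard:' output (added example)."""
import os
import re
from dataclasses import dataclass

# index, attributes, size ('-' for a directory), date, time, name
ENTRY = re.compile(
    r"^\s*\d+\s+[d-][rwx-]{3}\s+(?P<size>\d+|-)\s+"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(?P<name>\S.*?)\s*$"
)
SUMMARY = re.compile(r"^\s*(?P<total>\d+)\s+KB total\s+\((?P<free>\d+)\s+KB free\)")


@dataclass
class Listing:
    files: dict     # file name -> size in bytes (directories are left out)
    total_kb: int
    free_kb: int


def parse_dir(output):
    """Parse the text printed by 'dir cfcard:' into a Listing."""
    files, total_kb, free_kb = {}, None, None
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m:
            if m["size"] != "-":
                files[m["name"]] = int(m["size"])
            continue
        m = SUMMARY.match(line)
        if m:
            total_kb, free_kb = int(m["total"]), int(m["free"])
    if free_kb is None:
        raise ValueError("no 'KB total (... KB free)' line: the captured listing is incomplete")
    return Listing(files, total_kb, free_kb)


def shortfall_bytes(listing, uploads):
    """Bytes still missing on the card for all uploads together (0 if they fit)."""
    return max(0, sum(uploads.values()) - listing.free_kb * 1024)


def deletion_candidates(listing, in_use):
    """*.cc files that are not in use, largest first; take in_use from 'display startup'."""
    names = [n for n in listing.files if n.lower().endswith(".cc") and n not in in_use]
    return sorted(names, key=lambda n: listing.files[n], reverse=True)


def size_mismatches(listing, uploads):
    """Map name -> (size on PC2, size on card or None) for every upload that differs.

    An equal size shows the transfer was not cut short; it does not compare content.
    """
    return {n: (size, listing.files.get(n))
            for n, size in uploads.items() if listing.files.get(n) != size}


def local_sizes(directory, names):
    """Sizes on PC2, for example local_sizes(r"D:\\FTP", ["paf_spcxxx.txt"])."""
    return {n: os.path.getsize(os.path.join(directory, n)) for n in names}


# File sizes taken from the put transcripts in this procedure.
UPLOADS = {"NIPV500R001C50SPC100.cc": 254711997,
           "license_spcxxx.txt": 12757, "paf_spcxxx.txt": 66033}

# Listing before the upload, values as shown in 2.2.4.9.
LISTING_BEFORE = """\
<NIP6800> dir cfcard:
Directory of cfcard:/
0 -rw- 53 Jan 25 2010 12:19:36 private-data.txt
1 -rw- 66033 Jan 25 2010 12:10:50 paf.txt
2 -rw- 12757 Jan 25 2010 12:11:02 license.txt
3 -rw- 4545 Sep 25 2009 16:02:46 config.cfg
4 -rw- 216118051 Jan 25 2010 12:15:38 NIP6800v500r001c00.cc
5 -rw- 2032 Feb 05 2010 11:12:38 license.dat
1013760 KB total (791776 KB free)
"""

# Constructed listing after an interrupted upload: truncated .cc, PAF file missing.
LISTING_AFTER = """\
4 -rw- 216118051 Jan 25 2010 12:15:38 NIP6800v500r001c00.cc
6 -rw- 131072000 Mar 29 2017 10:02:11 NIPV500R001C50SPC100.cc
7 -rw- 12757 Mar 29 2017 10:06:40 license_spcxxx.txt
1013760 KB total (663750 KB free)
"""

if __name__ == "__main__":
    before = parse_dir(LISTING_BEFORE)
    print("shortfall before upload:", shortfall_bytes(before, UPLOADS), "bytes")
    print("deletable:", deletion_candidates(before, in_use={"NIP6800v500r001c00.cc"}))
    for name, (pc2, card) in size_mismatches(parse_dir(LISTING_AFTER), UPLOADS).items():
        print(f"re-upload {name}: PC2 {pc2} bytes, card {card}")
```
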

2.2.5.3 Upgrade Through Web

Upgrade Flow
Figure 1 shows the flow of upgrading the version software through Web.

Figure 2-6 Flowchart of the version software upgrade through the Web

Procedure
Step 1 Enter https://192.168.0.1 in the address box of the Internet Explorer on PC2, enter user name
webuser and password Admin@123 to log in to the NIP6800.
Step 2 Upload the system program.
1. Choose System > System Upgrade to view the current version. Current version:
V500R001C00SPC300 (VRP (R) Version 5.160)
2. Click Select corresponding to Master MPU. The Master MPU System Software
Management interface is displayed. Click . The Upload File dialog box is displayed.
Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 2.

Figure 2-7 Uploading file

NOTE

If the file fails to be uploaded, the uploaded incomplete file cannot be deleted immediately.
Therefore, you need to delete the incomplete file after the device is restarted.
The file to be uploaded must end with suffix .cc and the file with the same name cannot exist in
the CF card. After the file is successfully uploaded, return to the Master MPU System Software
Management interface.
The corresponding file is displayed in the list. You need to check whether the size of the file in the
list is the same as that on PC2. If not, re-upload the file.

Step 3 Upload the license file and PAF file. (If the files cannot be uploaded, run related commands
to perform the upgrade through CLI.)
1. Click Select corresponding to Master MPU. The Master MPU PAF File Management
interface is displayed. Click . The Upload File dialog box is displayed. Click
Browse... and select the file to be uploaded. Click Import, as shown in Figure 3.

Figure 2-8 Uploading file

NOTE

The file to be uploaded must end with suffix .txt. If a file with the same name exists in CF card 1,
the system displays a message to indicate whether to overwrite the original file.
After the file is successfully uploaded, return to the Master MPU PAF File Management
interface. The corresponding file is displayed in the list. You need to check whether the size of the
file in the list is the same as that on PC2. If not, re-upload the file.
2. Click Select corresponding to Master MPU. The Master MPU License File
Management interface is displayed. Click . The Upload File dialog box is displayed.
Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 4.

Figure 2-9 Uploading file

NOTE

The file to be uploaded must end with suffix .txt. If a file with the same name exists in CF card 1,
the system displays a message to indicate whether to overwrite the original file.
After the file is successfully uploaded, return to the Master MPU License File Management
interface. The corresponding file is displayed in the list. You need to check whether the size of the
file in the list is the same as that on PC2. If not, re-upload the file.

Step 4 If both MPUs are present, perform the following operations to copy the file to the Slave MPU.
1. On the System Upgrade tab, click Select in the Slave MPU Next Startup System
Software, Slave MPU PAF File Management, and Slave MPU License File Management
group boxes respectively. The Slave MPU Next Startup System Software, Slave MPU
PAF File Management, or Slave MPU License File Management interface is displayed
respectively. Click to select the file to be copied and enter the name of the target file. If no
name is entered, the name of the file to be copied is used as that of the new file. Click OK, as
shown in Figure 5.

Figure 2-10 Copying files from the master MPU to the Slave MPU

Step 5 On the System Software Management interface, click corresponding to the uploaded file
and configure the current file as the version software used during next startup.

If both MPUs are present, respectively click corresponding to the uploaded files on the
Main MPU System Software Management, Main MPU PAF File Management, Main
MPU License File Management and Slave MPU System Software Management, Slave
MPU PAF File Management, Slave MPU License File Management interfaces to configure
the current file as the version software used during next startup.

Step 6 (Optional) Upgrade sensitive features.

NOTE

• Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
• Ensure that the device can access the security center directly or through a proxy server.
• Configure a security policy to permit HTTP and FTP packets when the device directly connects to
the security center or permit HTTP packets when the device connects to the security center through a
proxy server. For details, see the description of security policies and content security in
NIP6000&NIP6800&IPS Module V500R001C50SPC100 Administrator Guide.
• Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly resolve http://sec.huawei.com.
• Upgrading V500R001 to V500R001C50SPC100.

1. Move the pointer to on the lower right of the page and click to open
the CLI console. Click any space on the page. If the command prompt <NIP> is
displayed, you can perform configurations on the CLI.
download module nextstartup
install-module URLRMT_H50010000_yyy.mod next-startup

2. After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is
INSTALL_OK, the component package has been successfully loaded.
<NIP6800> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
URL Filter 1.0.0.0 2015-12-23 11:13:37+00:00 URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -

Step 7 Choose System > Setup > Restart. Click Save and Restart to save the configurations and
restart the system, or click Restart to restart the system without saving the configurations.

NOTICE
• If the configuration file is imported, do not restart the device.
• For the upgrade from V500R001C00 to V500R001C50SPC100, if the configuration file is
not imported, you are advised to save the current configurations before restarting the
device.

The duration of device startup depends on the hardware configurations and configuration file.
The more boards the device has, the longer the board registration lasts; the more items are
configured, the longer the configuration restoration lasts.
Step 8 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.

----End

2.2.5.4 Upgrade Through CF Card

Upgrade Flow
Figure 1 shows the flow of upgrading the version software through CF card.

Figure 2-11 Flowchart of the version software upgrade through the CF card

Procedure
Step 1 Copy the files to the startup folder in the CF card. The files related to the upgrade must be
saved in the startup folder in the root directory of the CF card, and their names should satisfy
the following rules:
• The system program must end with suffix .cc and only one can be saved.
• The name of the PAF file must be paf.txt, and that of the license file must be license.txt.
• The name of the configuration file must contain keyword vrpcfg and end with file name
extension .cfg or .zip. In addition, only one configuration file can be saved. It is
recommended that you name the configuration file vrpcfg.cfg or vrpcfg.zip.
One CF card can be used for only one upgrade of one MPU. Therefore, if two MPUs are in
position, two CF cards are required.
Step 2 Insert the CF card into CF card slot 2 of the MPU.

Step 3 Set the startup mode. The MPU of the NIP6800 applies fast startup by default. During fast
startup, the device does not read the CF card, and the upgrade using a CF card is therefore
impossible. If you need to upgrade using a CF card, change the startup mode of the MPU
from fast startup to normal startup mode. Run the display bootmode-next command to view
the current startup mode of the MPU.
In the system view, run the diagnose command to access the diagnose view. In the diagnose
view, run the undo set bootmode-next fastboot all command. The detailed operations are as
follows:
<NIP6800> system-view
[NIP6800] diagnose
[NIP6800-diagnose] undo set bootmode-next fastboot all

Caution! After set operation, 'startup' 'modify' 'set atm iwf' and 'set cpos'
command maybe useless.
Are you sure to do this operation?[Y/N]:y
Set Boot mode successfully.
[NIP6800-diagnose] quit
[NIP6800] quit

Step 4 Run the reboot command in the user view to restart the NIP6800. After you run the reboot
command, the device displays two prompts for confirmation, and you need to enter y at each
prompt to continue the operation.
<NIP6800> reboot
mpu 9:
Next startup system software: cfcard:/ v500r001c00spc500.cc
Paf: V500R001C50SPC100
License: V500R001C50SPC100
Next startup saved-configuration file: cfcard:/config.cfg

Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the configuration file for the
next startup:cfcard:/config.cfg, Continue?[Y/N]:y
System will reboot! Continue?[Y/N]:y

During the restart, the device automatically searches the startup folder of CF card 2 and
copies the files to CF card 1. Then the device loads the new version software.

The duration of device startup depends on the hardware configurations and configuration file.
The more boards the device has, the longer the board registration lasts; the more items are
configured, the longer the configuration restoration lasts.

Step 5 (Optional) After the upgrade completes, upgrade the content security feature.
• Local mode
You must obtain the component package from the security center in advance and upload
it to the $_install_mod folder in the root directory. Then, load the component package as
follows:
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup

Cloud sandbox component package
install-module CSB_H50010000_yyy.mod next-startup

• Online mode
Ensure that the device can access the security center directly or through a proxy server.
Configure a security policy to permit HTTP and FTP packets when the device directly
connects to the security center or permit HTTP packets when the device connects to the
security center through a proxy server. For details, see the description of security policies
and content security in HUAWEI NIP6300/6600&NIP6800&IPS Module
V500R001C50SPC100 Product Documentation.
NOTE

Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly resolve http://sec.huawei.com.
download module nextstartup
install-module filename CSG_H50010000_xxx.mod next-startup
install-module filename URLRMT_H50010000_xxx.mod next-startup
After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is INSTALL_OK,
the component package has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module        Version   InstallTime                 PackageName
------------------------------------------------------------------------
ConSecGroup   1.0.0.0   2015-12-23 11:13:37+00:00   CSG_H50010000_xxx.mod
URL Filter    1.0.0.0   2015-12-23 11:13:37+00:00   URLRMT_H50010000_xxx.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -

NOTICE
Restart the device. Then, the device will automatically load the content security component
package based on the license functions. To ensure that the sensitive feature configuration
takes effect, restart the device without saving the configuration or run the reboot fast
command to restart the device and re-load the configuration.

Now, the upgrade to V500R001 is complete. The optional follow-up task is to restore and test
services.

Step 6 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the
content security function.

If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.

If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.

----End

2.2.5.5 Upgrade Through BootROM

Context
Figure 2-12 shows the flow of upgrading the version software through BootROM.

Figure 2-12 Flowchart of the version software upgrade through the BootROM

Procedure
Step 1 Switch on the power supply to power on the NIP6800.

Step 2 After the device is powered on, you can view the process of the device startup through the
terminal emulation program (such as the HyperTerminal on Windows XP). When the
following information is displayed, press and hold CTRL+B.

****************************************************
* *
* 8090 boot ROM, Ver 60.01 *
* *
****************************************************

Copyright 2001-2015 Huawei Tech. Co., Ltd.


Creation date: Aug 19 2013, 09:39:45

CPU type : MPC8548E

Press Ctrl+B to enter Main Menu... 1

Password: **********

Then access the BootROM main menu.

NOTE

The default password to access the BootROM main menu is WWW@HUAWEI, which is case
sensitive.
You are advised to change the default password after login for security. Keep your new password secure.

Main Menu(bootload ver: 60.01)

1. Boot with default mode
2. Boot from CFcard
3. Enter ethernet submenu
4. Set boot file and path
5. Modify boot ROM password
6. Chkdsk CFcard
7. Format CFcard
8. List file in CFcard
9. Delete file from CFcard
10. Set patch mode
11. Set version back signal
12. Reboot
Enter your choice(1-12):

Step 3 Delete the useless files in CFcard.


Check the CF card and delete useless files to ensure that there is enough free space in the CF
card for the target host software.
1. Check the free space in the CF card. Enter 8 to list files in the CF card.
Enter your choice(1-12): 8
CFcard Content List Submenu

1. List file(s) in CFcard
2. List file(s) in CFcard2
3. Return to main menu

The host software must be stored in CFcard. Enter 1 to list files in CFcard.
Enter your choice(1-3): 1

List contents of selected CFcard
66820 Aug 6 20:27 cfcard:/patchpackage_b22.pat
65004 Jul 17 16:29 cfcard:/patchpackagev2.pat
14321590 Aug 31 12:15 cfcard:/console_info_record.txt
69680 Aug 6 18:07 cfcard:/linuxpatchstate.dat
2028 Jul 27 11:29 cfcard:/patchnpstate.dat
16384 Aug 31 12:20 cfcard:/default-sdb/
16384 Aug 19 18:22 cfcard:/gpmbak/
16384 Jul 12 15:16 cfcard:/update/
255093046 Aug 22 19:20 cfcard:/NIPV500R001C50SPC100.cc
525361 Sep 2 10:25 cfcard:/private-data.txt
66820 Jul 12 17:26 cfcard:/patchpackage_0712.pat
991 Aug 5 20:10 cfcard:/vrpcfg.zip
66852 Aug 12 19:30 cfcard:/patchpackage0812_1816.pat
66820 Aug 2 10:55 cfcard:/patchpackage_0730.pat ............
Total size: 998656KB, free size: 40976KB

CFcard Content List Submenu

1. List file(s) in CFcard
2. List file(s) in CFcard2
3. Return to main menu

Enter your choice(1-3): 3

free size indicates the free space in CFcard. Compare the free space and the size of the
target host package.
2. If the free space in CFcard is less than the host package size, enter 9 to delete files from
CFcard.
Enter your choice(1-12): 9

Main Menu(bootload ver: 60.01)

1. Boot with default mode
2. Boot from CFcard
3. Enter ethernet submenu
4. Set boot file and path
5. Modify boot ROM password
6. Chkdsk CFcard
7. Format CFcard
8. List file in CFcard
9. Delete file from CFcard
10. Set patch mode
11. Set version back signal
12. Reboot

Enter 1 to delete files from CFcard. cfcard:/NIPV500R001C50SPC100.cc is used only as
an example. You must enter the absolute path.
Enter your choice(1-3): 1
BE CAREFUL!

If you delete a directory, all of its contents will be deleted!

Please input the file name you want to delete, e.g.: test.txt
('*' for display all files and directory in cfcard:)
cfcard:/NIPV500R001C50SPC100.cc

File "cfcard:/NIPV500R001C50SPC100.cc" will be deleted!

Are you sure? Yes or No(Y/N)y

Delete successfully!

After the deletion is complete, enter 3 to return to the BootROM main menu.
Step 4 In the BootROM main menu, enter 3 to access the Ethernet submenu.
Enter your choice(1-12): 3

Ethernet Submenu

1. Download file to SDRAM through ethernet interface and boot
2. Download file to CFcard through ethernet interface
3. Modify ethernet interface boot parameters
4. Return to main menu

Step 5 Change the parameter settings of the Ethernet interface mode. In the Ethernet submenu, enter
3. The following information is displayed. After the parameters are specified, return to the
Ethernet submenu.
Enter your choice(1-4): 3

Note: two protocols for download, tftp & ftp.
You can modify the flags following the menu.
tftp--0x80, ftp--0x0.

'.' = clear field; '-' = go to previous field; ^D = quit

boot device : motetsec0
processor number : 0
host name : host
file name : NIPV500R001C50SPC100.cc
inet on ethernet (e) : 172.16.104.208
inet on backplane (b):
host inet (h) : 172.16.104.20
gateway inet (g) :
user (u) : 123
ftp password (pw) (blank = use rsh): ***
flags (f) : 0x0
target name (tn) :
startup script (s) :
other (o) :

Parameters to be specified are as follows:

• boot device
  The value of parameter boot device is fixed, that is, mottsec3 for the NIP6830 and
  motetsec0 for the NIP6860 and .
• file name
  Indicates the name of the file to be downloaded. The previous information uses
  NIP6800_NIPV500R001C50SPC100.cc as an example. If this parameter is blank, enter
  the name of the file that you want to download. If this parameter is a file other than the
  wanted one, you can modify it by entering the wanted file name next to the existing one and
  pressing Enter. This modification method is also applicable to the following parameters.
• inet on ethernet (e)
  Indicates the IP address of the NIP6800. This IP address and that of the PC providing
  FTP services should be on the same network segment.
• host inet (h)
  Indicates the IP address of the PC providing FTP services.
• gateway inet (g)
  Indicates the gateway IP address. When the NIP6800 and PC are not on the same
  network segment, specify this parameter.
• user (u)
  Indicates the FTP user name. The user name must have been specified on the PC
  providing FTP services. The previous information takes 123 as an example.
• ftp password (pw) (blank = use rsh)
  Indicates the password of the FTP user. The password must have been specified on the
  PC providing FTP services. The previous information takes 123 as an example.
• flags (f)
  Indicates the protocol adopted for downloading files. 0x0 indicates FTP, and 0x80
  indicates TFTP. The previous information takes FTP as an example.

Other parameters do not need to be specified, and you can adopt the default values.

Step 6 In the Ethernet submenu, enter 2 to download files from the FTP server.
Enter your choice(1-4): 2

boot device : motetsec0
unit number : 0
processor number : 0
file name : NIPV500R001C50SPC100.cc
inet on ethernet (e) : 172.16.104.208
host inet (h) : 172.16.104.20
gateway inet (g) :
user (u) : 123
ftp password (pw) : ***
flags (f) : 0x0

Loading.........................................................................
................................................................................
................................................................................
................................................................................
.....Done!

Writing to CFcard...Done!

Step 7 Repeat step 5 to set file name to license.txt. Other parameters do not need to be changed.

Step 8 Repeat step 6 to download license.txt to CF card 1. If a file of the same name exists on CF
card 1, the system displays a message asking whether to overwrite the original file.

Step 9 Repeat step 5 to set file name to paf.txt. Other parameters do not need to be changed.

Step 10 Repeat step 6 to download paf.txt to CF card 1. If a file of the same name exists on CF card
1, the system displays a message asking whether to overwrite the original file.

Step 11 In the Ethernet submenu, enter 4 to return to the BootROM main menu.
Step 12 In the BootROM main menu, enter 4 to access the Boot Files Submenu. Enter 1 to set the
version software for the next startup.
Enter your choice(1-7): 1

Boot file is cfcard:/NIPV500R001C50SPC100.cc, modify the file name if needed.
Please input correctly, e.g.: cfcard:/NIPV500R001C50SPC100.cc cfcard:/NIPV500R001C50SPC100.cc
The file name you input is cfcard:/NIPV500R001C50SPC100.cc.

Are you sure? Yes or No(Y/N)y

Setting ...Done!

Clear version back signal...Done!

You must enter an absolute path when setting the version software for the next startup.
Step 13 In the Boot Files Submenu, enter 2 to set the PAF file for the next startup.
Enter your choice(1-7): 2

Paf file is cfcard:/paf.txt, modify the file name if needed.
Please input correctly, e.g.: cfcard:/paf.txt cfcard:/paf.txt
The file name you input is cfcard:/paf.txt.

Are you sure? Yes or No(Y/N)y

Setting ...Done!

Clear version back signal...Done!


You must enter an absolute path when setting the PAF file for the next startup.
Step 14 In the Boot Files Submenu, enter 3 to set the license file for the next startup.
Enter your choice(1-7): 3

License file is cfcard:/license.txt, modify the file name if needed.
Please input correctly, e.g.: cfcard:/license.txt cfcard:/license.txt
The file name you input is cfcard:/license.txt.

Are you sure? Yes or No(Y/N)y

Setting ...Done!

Clear version back signal...Done!


You must enter an absolute path when setting the license file for the next startup.
Step 15 In the Boot Files Submenu, enter 7 to return to the BootROM main menu.
Step 16 If both MPUs are in position, insert the cable connected to the console port of PC1 into the
console port of the standby MPU, and the cable connected to the network interface of PC2
into interface GE0/0/0 of the master MPU. Press the Reset button to restart the MPU, enter
the BootROM menu, download the version software, and set the version software, PAF file
and license file for the next startup.
Step 17 In the BootROM main menu, enter 2 to start the device from CF card 1. If both MPUs are in
position, insert the cable connected to the console port into the console ports of the master and
standby MPUs respectively. In the BootROM main menu, enter 2 to start the device from CF
card 1.
Step 18 (Optional) After the upgrade completes, upgrade the content security feature.
There are two modes for loading the content security component package: local mode and
online mode. The local mode is recommended.
• Local mode
You must obtain the component package from the security center in advance and upload
it to the $_install_mod folder in the root directory. Then, load the component package as
follows:
URL component package
install-module URLRMT_H50010000_yyy.mod next-startup

Cloud sandbox component package
install-module CSB_H50010000_yyy.mod next-startup

• Online mode
Ensure that the device can access the security center directly or through a proxy server.
Configure a security policy to permit HTTP and FTP packets when the device directly
connects to the security center or permit HTTP packets when the device connects to the
security center through a proxy server. For details, see the description of security policies
and content security in HUAWEI NIP6300/6600&NIP6800&IPS Module
V500R001C50SPC100 Product Documentation.
NOTE

Before executing the following online loading procedure, ensure that the DNS server address has
been configured and the DNS server can correctly resolve the host name in http://sec.huawei.com.
download module nextstartup
install-module filename CSG_H50010000_yyy.mod next-startup
install-module filename URLRMT_H50010000_yyy.mod next-startup

After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is INSTALL_OK,
the component package has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module        Version   InstallTime                 PackageName
------------------------------------------------------------------------
ConSecGroup   1.0.0.0   2015-12-23 11:13:37+00:00   CSG_H50010000_yyy.mod
URL Filter    1.0.0.0   2015-12-23 11:13:37+00:00   URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -

NOTICE
Restart the device. Then, the device will automatically load the content security component
package based on the license functions. To ensure that the sensitive feature configuration
takes effect, restart the device without saving the configuration or run the reboot fast
command to restart the device and re-load the configuration.

Now, the upgrade to V500R001 is complete. The optional follow-up task is to restore and test
services.
Step 19 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.

----End

2.2.6 Upgrade Result Verification

2.2.6.1 Checking the Information About the Current Version Software

Example
After the device is started, log in to the CLI. In any view, run the display version command to
check the information about the running version software. The following is a sample output
for this command.
<NIP6800> display version
Huawei Technologies Versatile Security Platform Software
Software Version: NIP6830&NIP6860& V500R001C50SPC100(VSP (R) Software, Version 5.70)
..........

In any view, run the display startup command to check the version software and
configuration file in use.
<NIP6800> display startup
MainBoard:
Configured startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup system software: cfcard:/NIPV500R001C50SPC100.cc
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup saved-configuration file: cfcard:/config.cfg
Next startup saved-configuration file: cfcard:/config.cfg
Startup paf file: cfcard:/paf.txt
Next startup paf file: cfcard:/paf.txt
Startup license file: cfcard:/license.txt
Next startup license file: cfcard:/license.txt
Startup patch package: cfcard:/patchpackage.pat
Next startup patch package: cfcard:/patchpackage.pat

The underscored text indicates the version of current software. Check whether the version is
the same as the target version. If not, check the upgrade procedure, locate the fault, and
re-upgrade the software to the target version.

2.2.6.2 Checking Whether Boards Have Been Successfully Registered

Context
In any view, run the display device command to check the registration status of the boards. In
normal cases, the Status column should be Normal.

Example
<NIP6800> display device
's Device status:
Slot #   type   online    register     status   primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1        LPU    Present   Registered   Normal   NA
6        SPU    Present   Registered   Normal   NA
8        LPU    Present   Registered   Normal   NA
9        MPU    Present   NA           Normal   Master
10       MPU    Present   Registered   Normal   Slave
11       SFU    Present   Registered   Normal   NA
12       SFU    Present   Registered   Normal   NA
13       SFU    Present   Registered   Normal   NA
14       SFU    Present   Registered   Normal   NA
15       CLK    Present   Registered   Normal   Master
16       CLK    Present   Registered   Normal   Slave
17       PWR    Present   Registered   Normal   NA
18       PWR    Present   Registered   Normal   NA
19       FAN    Present   Registered   Normal   NA

Half an hour after the registration of the MPU, if any board fails in registration, you need to
check whether the board is normal. Remove and re-insert the board. If it still cannot be
registered successfully, contact technical support personnel.
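
The checks in 2.2.6.1 and 2.2.6.2 can be run over saved CLI output, as in the following Python code. It is an added example, not part of the Huawei guide: the captures are constructed from the sample outputs above (slot 6 is altered to show a failed board, with Unregistered and Abnormal as assumed failure values), and all function names are hypothetical.

```python
import re

# Target values taken from this guide's sample output.
TARGET_VERSION = "V500R001C50SPC100"
TARGET_IMAGE = "cfcard:/NIPV500R001C50SPC100.cc"

# Constructed captures modelled on the sample outputs in this section.
# Slot 6 in DISPLAY_DEVICE is deliberately altered to show a failed board.
DISPLAY_VERSION = """\
Huawei Technologies Versatile Security Platform Software
Software Version: NIP6830&NIP6860& V500R001C50SPC100(VSP (R) Software, Version 5.70)
"""
DISPLAY_STARTUP = """\
MainBoard:
Configured startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup system software: cfcard:/NIPV500R001C50SPC100.cc
Next startup system software: cfcard:/NIPV500R001C50SPC100.cc
Startup saved-configuration file: cfcard:/config.cfg
Next startup saved-configuration file: cfcard:/config.cfg
"""
DISPLAY_DEVICE = """\
Slot # type online register status primary
- - - - - - - - - - - - - - - - - - - - - -
1 LPU Present Registered Normal NA
6 SPU Present Unregistered Abnormal NA
9 MPU Present NA Normal Master
10 MPU Present Registered Normal Slave
"""

VERSION_RE = re.compile(r"V\d{3}R\d{3}C\d{2}(?:SPC\d{3})?")
BOARD_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def check_version(text, target):
    """The 'Software Version' line must name the target version."""
    for line in text.splitlines():
        if line.strip().startswith("Software Version"):
            found = VERSION_RE.search(line)
            running = found.group(0) if found else "unknown"
            if running == target:
                return []
            return [f"running version {running}, expected {target}"]
    return ["no 'Software Version' line found"]


def parse_startup(text):
    """Map each 'name: value' line of display startup to its value."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def check_startup(text, target_image):
    """Current and next-startup system software must both be the target."""
    fields = parse_startup(text)
    problems = []
    for key in ("Startup system software", "Next startup system software"):
        value = fields.get(key)
        if value != target_image:
            problems.append(f"{key}: {value or 'missing'} (expected {target_image})")
    return problems


def check_device(text):
    """Every board must be Registered and Normal; the master MPU shows NA."""
    problems, rows = [], 0
    for line in text.splitlines():
        m = BOARD_RE.match(line)
        if not m:
            continue  # header, separator or unrelated line
        rows += 1
        slot, btype, _online, register, status, primary = m.groups()
        is_master_mpu = btype == "MPU" and primary == "Master"
        if register != "Registered" and not (is_master_mpu and register == "NA"):
            problems.append(f"slot {slot} ({btype}): register={register}")
        if status != "Normal":
            problems.append(f"slot {slot} ({btype}): status={status}")
    if rows == 0:
        problems.append("no board rows found in display device output")
    return problems


def verify_upgrade(version_out, startup_out, device_out):
    """Run all checks; an empty list means every check passed."""
    return (check_version(version_out, TARGET_VERSION)
            + check_startup(startup_out, TARGET_IMAGE)
            + check_device(device_out))
```

An empty list from verify_upgrade means the running version, the startup files and every board row match what this section expects.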

2.2.6.3 Checking License Status

Context
Run the display license command in any view to check the license status.

Example
<NIP6800> display license
MainBoard:
Device ESN is: 210305G06R
The file activated is: cfcard:/license.dat
The time when activated is: 2016/01/07 22:56:01
The time when expired is: 2023-04-24
Virtual System : 4096
IPSec VPN : 278710
Carrier Network Enhanced Security Supported License: Enabled
Content Security Group: Enabled
Encryption Function : Enabled
Firewall Upgrade Additional Performance: 150Gbps
6RD Session Scale : 16M
NAT64 Session Scale : 16M
DS-Lite Session Scale: 16M
URL Remote Query : Enabled; service expire time: 2023/04/24
IPS Update : Enabled; service expire time: 2023/04/24
Anti Virus Update : Enabled; service expire time: 2023/04/24

2.2.6.4 Checking the Running Status of the Device

Checking the CPU and Memory Usage


In any view, run the display health command to check the CPU and memory usage. If the
CPU and memory usage differs only slightly before and after the upgrade, the device is
running normally.
<NIP6800> display health
Slot             CPU Usage   Memory Usage(Used/Total)   Simulate CPU
-----------------------------------------------------------------------
4 MPU(Master)    7%          45% 772MB/1714MB           None
1 LPU            15%         35% 293MB/820MB            None
2 SPU-CPU1       82%         17% 85MB/500MB             0%
2 SPU-CPU3       80%         17% 85MB/500MB             0%
2 SPU-CPU6       2%          14% 57MB/398MB             None
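
The before/after comparison described above can be automated on saved display health output. The following Python code is an added example, not from the Huawei guide: the BEFORE snapshot is constructed, and the 10-point tolerance and the function names are assumptions, since the guide gives no numeric threshold.

```python
import re

# Constructed snapshots in the layout of the display health sample above.
# AFTER repeats the page's sample; BEFORE is invented for illustration.
BEFORE = """\
Slot CPU Usage Memory Usage(Used/Total) Simulate CPU
-----------------------------------------------------------------------
4 MPU(Master) 6% 44% 760MB/1714MB None
1 LPU 14% 35% 291MB/820MB None
2 SPU-CPU1 35% 17% 85MB/500MB 0%
2 SPU-CPU3 78% 17% 85MB/500MB 0%
2 SPU-CPU6 2% 14% 57MB/398MB None
"""
AFTER = """\
Slot CPU Usage Memory Usage(Used/Total) Simulate CPU
-----------------------------------------------------------------------
4 MPU(Master) 7% 45% 772MB/1714MB None
1 LPU 15% 35% 293MB/820MB None
2 SPU-CPU1 82% 17% 85MB/500MB 0%
2 SPU-CPU3 80% 17% 85MB/500MB 0%
2 SPU-CPU6 2% 14% 57MB/398MB None
"""

# Groups: slot, board name, CPU %, memory %, used MB, total MB.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)%\s+(\d+)%\s+(\d+)MB/(\d+)MB\b")

# Assumed tolerance in percentage points; the guide only says "slightly".
TOLERANCE = 10


def parse_health(text):
    """Return {(slot, board): {"cpu", "mem", "total_mb"}} for each board row."""
    boards = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            slot, name, cpu, mem, _used, total = m.groups()
            boards[(int(slot), name)] = {
                "cpu": int(cpu), "mem": int(mem), "total_mb": int(total)}
    return boards


def compare_health(before_text, after_text, tolerance=TOLERANCE):
    """List boards that vanished, changed memory size, or moved past tolerance."""
    before, after = parse_health(before_text), parse_health(after_text)
    findings = []
    for key in sorted(before):
        slot, name = key
        label = f"slot {slot} {name}"
        if key not in after:
            findings.append(f"{label}: missing after upgrade")
            continue
        old, new = before[key], after[key]
        if old["total_mb"] != new["total_mb"]:
            findings.append(
                f"{label}: total memory {old['total_mb']}MB -> {new['total_mb']}MB")
        for metric, title in (("cpu", "CPU"), ("mem", "memory")):
            if abs(new[metric] - old[metric]) > tolerance:
                findings.append(
                    f"{label}: {title} usage {old[metric]}% -> {new[metric]}%")
    for slot, name in sorted(set(after) - set(before)):
        findings.append(f"slot {slot} {name}: not present before upgrade")
    return findings
```

A finding is a prompt to investigate, not proof of a fault: in the constructed data, SPU-CPU1 is flagged because its CPU usage rises from 35% to 82%.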

Checking Session Statistics


In any view, run the display firewall session statistics command to check session statistics. If
the session statistics differ only slightly before and after the upgrade, services are
running normally.
<NIP6800> display firewall session statistics
Session Statistics:
Slot 6 cpu 0: 0
Slot 6 cpu 1: 0
Slot 6 cpu 2: 0
Slot 6 cpu 3: 0
Total 0 session(s) on all slots.

Checking Traffic Statistics


In any view, run the display interface interface-type interface-number command to check the
traffic statistics on a service interface. If the traffic statistics differ only slightly before
and after the upgrade, services are running normally.
The following is sample output from this command on GigabitEthernet 1/0/2:
<NIP6800> display interface GigabitEthernet 1/0/2
GigabitEthernet1/0/2 current state : UP
Line protocol current state : UP
Description:Huawei, FW Series, GigabitEthernet1/1/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 101.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-8239-1e5c
The Vendor PN is PLRXPL-VI-S24-HW
The Vendor SN is CE10QQ8VK
The Vendor Name is JDSU
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
Rx Power: -5.50dBm, Warning range: [-16.99, 0.00]dBm
Tx Power: -4.97dBm, Warning range: [-9.50, 0.00]dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2016-01-28 14:12:56 UTC+08:00
Last physical down time : 2016-01-28 13:56:19 UTC+08:00
Max input bit rate: 837731200 bits/sec at 2016-01-28 19:28:32
Max output bit rate: 96 bits/sec at 2016-01-28 14:23:09
Max input packet rate: 793306 packets/sec at 2016-01-28 19:28:32
Max output packet rate: -
Statistics last cleared:never
Last 300 seconds input rate: 834716840 bits/sec, 790451 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 2017488712530 bytes, 15284005410 packets
Output: 1906 bytes, 27 packets
Input:
Unicast: 15284005405 packets, Multicast: 0 packets
Broadcast: 5 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 24 packets, Multicast: 0 packets
Broadcast: 3 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
System: 0 packets, Overruns: 0 packets
TxPause: 0 packets
Unknown Vlan: 0 packets
Input bandwidth utilization : 96.12%
Output bandwidth utilization : 0.01%

2.2.6.5 Checking Whether Configurations Are Recovered

Context
Run the compare configuration command in the user view to compare the current
configuration file with that saved on CF card 1 and check whether configurations are lost or
changed.
If no configuration is lost, the following is displayed:
<NIP6800> compare configuration
Info:The current configuration is the SAME as the saved configuration!

If certain configurations are lost, the following shows that the underscored configurations are
lost (only the first difference is displayed; however, multiple differences may exist):
<NIP6800> compare configuration
Warning:The current configuration is NOT the same as the saved configuration!
====== Current configuration line 13343 ======

#-----end----
#

#*****begin****vfw1****#

firewall packet-filter default permit interzone local trust direction inbound

====== Configuration file line 13343 ======

#-----end----#

The previous information serves as an example, and you should use actual display
information in the network environment.
It is recommended that you use Beyond Compare to compare the configuration files before
and after upgrade for any difference. If any configuration is lost, use the configuration file
before upgrade for recovery or contact technical support personnel.

2.2.6.6 Checking Whether Services Are Normal

Context
There are two methods of checking whether the service is normal:

• Collect several tables and compare the tables with those before upgrade to check whether
certain entries are lost, including routing table, FIB table, MAC table, session table
entries, and whether service traffic amount after upgrade is approximately the same as
that before upgrade.
• Contact the network administrator of the office and check whether the service is normal.

2.2.6.7 Running Inspection Tool

Context
It is recommended that you use SmartKit NSE2700 to comprehensively check the device after
upgrade. This will help you discover faults in time, ensuring device operation stability.

2.2.7 Version Rollback

Prerequisites

NOTICE
To roll back to the source version, for V500R001C50, run the set system-software check-
mode all command; for other versions, directly roll back the version.
Before rolling back to the original version, make sure that the corresponding configuration file
(already backed up before the upgrade) is loaded to the CF card of the device and is specified
as the file for next startup by running the startup saved-configuration cfg-filename command.
Then restart the device, avoiding configuration loss due to CLI differences between versions.

Application Scenario
The version rollback needs to be implemented if:

• The device cannot start normally after upgrade, and the current version needs to be rolled
back to the previous one.
In this case, you need to roll the version to the backup source version in BootROM
mode. The detailed procedure is the same as that of upgrading the version software in
BootROM mode. For details, see Upgrade Through BootROM.
• The device can start normally after upgrade, but a certain function cannot run normally,
and therefore the current version needs to be rolled back to the previous one.
In this case, you can adopt any of the following modes to roll back the version:
  - Roll back the version through command lines. The detailed procedure is the same as
    that of upgrading the version software in CLI mode. For details, see Upgrade
    Through CLI.
  - Roll back the version through Web. The detailed procedure is the same as that of
    upgrading the version software in Web mode. For details, see Upgrade Through
    Web.
  - Roll back the version through CF card. The detailed procedure is the same as that of
    upgrading the version software in CF card mode. For details, see Upgrade
    Through CF Card.
  - Roll back the version in one-click mode.
During the version rollback, note the following:

One-Click Version Rollback

NOTICE
• If the folder does not exist, the one-click version rollback fails. You can specify the version
to be rolled back and the configuration file.
• Version rollback does not involve license rollback. If the license files are different in the
source and target versions, manually load the required license file according to the product
documentation after the rollback.

Upgrade operations:
1. Check whether the backup file (backcfg.zip) is available. The backup file should be in
the CFcard:/backup/yyyyMMddHHmmss/ folder. If the backup file is unavailable, the
follow-up procedure cannot be performed.
<FW>dir backup/     --Check whether the backup file is in the backup folder.
Directory of CFcard:/backup/

Idx  Attr  Size(Byte)  Date         Time      FileName
0    drw-  -           Nov 26 2015  16:30:18  20151126163018
1    drw-  -           Nov 26 2015  16:58:56  20151126165855

601,328 KB total (253,232 KB free)

<FW>cd backup/
<FW>cd 20151126163018/
<FW>dir
Directory of CFcard:/backup/20151126163018/

Idx  Attr  Size(Byte)  Date         Time      FileName
0    -rw-  2,375       Nov 26 2015  16:30:18  backcfg.zip

601,328 KB total (253,200 KB free)

2. Copy the target version of version rollback to the CF card. For details, see Appendix:
Uploading and Downloading Files.
3. Access the diagnose view and run the recover system filename command.

NOTICE
• If multiple CFcard:/backup/yyyyMMddHHmmss folders exist, use the latest one
for the version rollback.

[FW-diagnose]recover system V500R001C50.cc
Confirm: Will you recover and reboot the system ?[Y/N] y

Procedure
Step 1 The precautions and the result check method of the version rollback operation are the same as
those of the version upgrade operation. For details, see the descriptions of corresponding
upgrade modes.
Step 2 During the version rollback, services are interrupted temporarily. The interruption duration
depends on the rollback mode and the service configuration.
Step 3 Before the version rollback, contact technical support personnel to determine whether the
target version needs to be patched. If yes, install the patch immediately after the version
rollback is complete. For how to install the patch, see the usage guide of the corresponding
patch version.

----End

2.3 Upgrading Version Software in Dual-System Hot Backup

2.3.1 Overview
Dual-system hot backup is an important feature of the device. Dual-system hot backup
means that two devices are deployed; if one device is faulty, the other takes over the work
immediately. In this way, a single point of failure is avoided, and network stability and
reliability are improved. For details, refer to the corresponding product document.
You must follow a specific procedure and principle to upgrade version software in
dual-system hot backup networking. The main principle of the upgrade is to upgrade the
backup device and then the master device independently. Note that the HRP backup channel
(the heartbeat line) must be disconnected during the upgrade.

NOTICE
When upgrading version software in dual-system hot backup, the target version software of the
master device must be the same as that of the backup device.

2.3.2 Upgrade Procedure

Context
Figure 2-13 shows the detailed upgrade procedure, which is adopted for the master/backup mode
and the load balancing mode.

Figure 2-13 Flowchart of the version software upgrade in dual-system hot backup
environments

Take master/standby backup as an example. Before the upgrade, FW_A serves as the master
device and FW_B as the standby one. Do as follows to perform the upgrade:

Procedure
Step 1 Disconnect FW_B (the prompt is HRP_S<FW_B>) from its upstream and downstream devices,
and disconnect the HRP backup channel (the heartbeat line) between FW_B and FW_A. Only the
HRP backup channel of FW_B can be closed.

Log in to FW_B through Telnet or SSH. Run the shutdown command on the interfaces
connecting FW_B to upstream and downstream devices, and on the interface of the HRP backup
channel between FW_B and FW_A. Suppose that on FW_B, the interfaces connected to
upstream and downstream devices are GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1, and
the interface of the HRP backup channel connected to FW_A is GigabitEthernet 1/0/2. Do as
follows:
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
HRP_S[FW_B-GigabitEthernet1/0/2] shutdown

Step 2 Upgrade the version software of FW_B.


In the system view of FW_B, you need to upgrade the software version. The precautions and
the detailed procedure are the same as those of upgrading a single device. Select a proper
upgrade directory if desired. For details, see Upgrading Version Software in Single-System.
Step 3 After the upgrade and re-startup of FW_B are complete and FW_B becomes active, restore
the connection between FW_B and its upstream and downstream devices, but do not recover
the HRP backup channel (the heartbeat line) between FW_B and FW_A. Run the undo
shutdown command on the interfaces connecting FW_B to upstream and downstream
devices. Do as follows:
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] undo shutdown
[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] undo shutdown
[FW_B-GigabitEthernet1/0/1] quit

Step 4 Upgrade the version software of FW_A.


The precautions and the detailed procedure are the same as those of upgrading a single device.
Select a proper upgrade directory if desired. For details, see Upgrading Version Software in
Single-System.
After the connections between FW_A and its upstream and downstream devices are
disconnected, service traffic is forwarded through FW_B. As FW_B cannot obtain session
information from FW_A, certain services need to re-establish connections. Thus, certain
services are interrupted for a period.
Step 5 Recover the connection of the HRP backup channel (the heartbeat line) between FW_B and
FW_A. After the upgrade and re-startup of FW_A are complete, run the undo
shutdown command on the interface connecting FW_B and FW_A as follows:
HRP_M[FW_B] interface GigabitEthernet 1/0/2
HRP_M[FW_B-GigabitEthernet1/0/2] undo shutdown

Then wait one to two minutes, ensuring that session information on FW_B is completely
backed up to FW_A. You can run the display firewall session table command to check
whether the numbers of sessions on both devices are consistent. If yes, perform further
operations.
After previous operations are performed, FW_B becomes active, while FW_A becomes
standby. If the preemption function is enabled, FW_A will become active after a while and
start to forward service traffic.
Step 6 Observe service running status, check session information on FW_A and FW_B, and verify
upgrade results. In addition, it is recommended that you simulate link or device faults (run the
shutdown command on the related interface) after a successful upgrade and service tests, so that
the device performs a master/standby switchover. This helps you check whether the
dual-system hot backup function is normal after the upgrade.
If a version rollback is required, roll back the version software to the original version. The
rollback procedure of version software in dual-system hot backup is the same as the upgrade
procedure, with the original version taken as the target version.

----End

2.4 Appendix: Establishing the Upgrade Environment Through the Console Port


Prerequisites
The prerequisites for console port login are as follows:
• A PC (with RS232 serial port) and an RS-232 cable are available.
• A terminal simulation program (such as Windows XP HyperTerminal) is installed on the
PC.
• The NIP6800 is powered on and running properly.

Background Information
IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the MPU of the
NIP6800 by default. You can use this IP address and the default user name admin and
password Admin@123 to log in to the CLI of the NIP6800 through Telnet. If the Telnet
configuration is canceled or you desire to use SSH for the login, log in to the NIP6800 from
the console port to construct the Telnet or SSH environment.
Figure 1 shows how to construct the Telnet or SSH environment through the console port. The
serial port of the PC is connected to the console port of the NIP6800 through a standard
RS-232 configuration cable.

Figure 2-14 Establishing the upgrade environment through the console port

Procedure
Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the
terminal simulation program (for example, Windows XP HyperTerminal) on the PC. The
Connection Description dialog box is displayed, as shown in Figure 2.

Figure 2-15 Connection Description dialog box


Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1)
of the PC for connecting to the NIP6800 from the Connect using drop-down list box, as
shown in figure 3.

Figure 2-16 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in figure 4. The communication parameters of COM1 must be the same
as those of the console port on the NIP6800.

Figure 2-17 Setting port properties


Step 4 Log in to the NIP6800, and enter the CLI. By default, the user name and password are admin
and Admin@123 respectively for logging in to the NIP6800 through the console port.

Step 5 Configure upgrade environment.


1. Configure STelnet for login.
Set the IP address of GigabitEthernet 0/0/0 on the MPU of the NIP6800 to 192.168.0.1
and subnet mask to 255.255.255.0. Set the authentication mode on the virtual type
terminal (VTY) to AAA and protocol to Telnet. Create a local Telnet user with the user
name user1, user level 3, password Password1.
[NIP6800] aaa
[NIP6800-aaa] manager-user vtyadmin
[NIP6800-aaa-manager-user-vtyadmin] password
Enter Password:
Confirm Password:
[NIP6800-aaa-manager-user-vtyadmin] service-type telnet
[NIP6800-aaa-manager-user-vtyadmin] quit
[NIP6800-aaa] bind manager-user vtyadmin role system-admin

If an interface on the interface board is used to construct the Telnet environment, you
must not only run the previous commands, but also assign the interface to a
security zone and enable the interzone security policy between this security zone and the
Local zone. The following example assigns GigabitEthernet 1/0/1 to the
Trust zone. The IP address of the Telnet client is 192.168.0.2.
[NIP6800] firewall zone trust
[NIP6800-zone-trust] add interface GigabitEthernet 1/0/1
[NIP6800-zone-trust] quit
[NIP6800] policy interzone local trust inbound
[NIP6800-policy-interzone-local-trust-inbound] policy 1
[NIP6800-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[NIP6800-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.1 0
[NIP6800-policy-interzone-local-trust-inbound-1] action permit

2. Configure SSH for login.


Set the IP address of GigabitEthernet 0/0/0 on the MPU of the NIP6800 to 192.168.0.1
and subnet mask to 255.255.255.0. Set the authentication mode on the virtual type
terminal (VTY) to AAA and protocol to SSH. Create a local SSH user with the user
name user1, user level 3, password Password1.
<NIP6800> system-view
[NIP6800] user-interface vty 0 4
[NIP6800-ui-vty0-4] authentication-mode aaa
[NIP6800-ui-vty0-4] user privilege level 3
[NIP6800-ui-vty0-4] quit
[NIP6800] aaa
[NIP6800-aaa] manager-user sshadmin
[NIP6800-aaa-manager-user-sshadmin] password
Enter Password:
Confirm Password:
[NIP6800-aaa-manager-user-sshadmin] service-type ssh
[NIP6800-aaa-manager-user-sshadmin] level 3
[NIP6800-aaa-manager-user-sshadmin] quit
[NIP6800-aaa] bind manager-user sshadmin role system-admin
[NIP6800-aaa] quit
[NIP6800] stelnet server enable
[NIP6800] rsa local-key-pair create
[NIP6800] ssh user sshadmin
[NIP6800] ssh user sshadmin authentication-type password
[NIP6800] ssh user sshadmin service-type stelnet

If an interface on the interface board is used to construct the SSH environment, you
must not only run the previous commands, but also assign the interface to a security
zone and enable the interzone security policy between this security zone and the Local
zone. The following example assigns GigabitEthernet 1/0/1 to the Trust
zone. The IP address of the SSH client is 192.168.0.2.
[NIP6800] firewall zone trust
[NIP6800-zone-trust] add interface GigabitEthernet 1/0/1
[NIP6800-zone-trust] quit
[NIP6800] policy interzone local trust inbound
[NIP6800-policy-interzone-local-trust-inbound] policy 1
[NIP6800-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[NIP6800-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.1 0
[NIP6800-policy-interzone-local-trust-inbound-1] action permit

----End
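
The following audit of a management-access transcript in the style of this procedure is an added example, not Huawei's code. It flags administrator accounts allowed over Telnet (which carries credentials in cleartext), VTY lines that are not pinned to SSH with protocol inbound ssh, and Local-zone permit rules that lack a single-host source. The rule names, the sample transcripts, and the reading of a trailing 0 in policy source as a host wildcard are assumptions.

```python
import re

# Prompts as printed on this page: <NIP6800>, [NIP6800-aaa], HRP_S[FW_B-...]
PROMPT = re.compile(r"^(?:HRP_[MS])?[<\[](?P<view>[^\]>]+)[>\]]\s*(?P<cmd>.*)$")


def parse_transcript(text):
    """Return (view, command) pairs; device output without a prompt is skipped."""
    pairs = []
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if m and m.group("cmd").strip():
            pairs.append((m.group("view"), " ".join(m.group("cmd").split())))
    return pairs


def audit(text):
    """Return sorted (rule, subject) findings for one configuration transcript."""
    findings = set()
    vty = {}    # VTY view name -> commands entered in that view
    rules = {}  # Local-zone inbound policy view -> commands entered in that rule
    for view, cmd in parse_transcript(text):
        tokens = cmd.split()
        # TELNET-USER: an administrator account that may log in over Telnet.
        user = re.search(r"-aaa-manager-user-(\S+)$", view)
        if user and tokens[0] == "service-type" and "telnet" in tokens[1:]:
            findings.add(("TELNET-USER", user.group(1)))
        if (tokens[:1] == ["local-user"] and tokens[2:3] == ["service-type"]
                and "telnet" in tokens[3:]):
            findings.add(("TELNET-USER", tokens[1]))
        if re.search(r"-ui-vty[\d-]+$", view):
            vty.setdefault(view, set()).add(cmd)
        if re.search(r"-policy-interzone-local-\S+-inbound-\d+$", view):
            rules.setdefault(view, set()).add(cmd)
    # VTY-NOT-SSH-ONLY: the VTY was configured without "protocol inbound ssh",
    # so which protocols it accepts depends on the device default.
    for view, cmds in vty.items():
        if "protocol inbound ssh" not in cmds:
            findings.add(("VTY-NOT-SSH-ONLY", view.split("-ui-")[1]))
    # LOCAL-POLICY-BROAD: a permit rule into the Local zone whose source is not
    # limited to single hosts (assumption: trailing 0 = host wildcard).
    for view, cmds in rules.items():
        sources = [c for c in cmds if c.startswith("policy source ")]
        host_only = bool(sources) and all(c.split()[-1] == "0" for c in sources)
        if "action permit" in cmds and not host_only:
            findings.add(("LOCAL-POLICY-BROAD", view.rsplit("-", 1)[-1]))
    return sorted(findings)


# Constructed sample: the Telnet variant, assembled from commands shown above.
AS_ON_PAGE = """\
<NIP6800> system-view
[NIP6800] user-interface vty 0 4
[NIP6800-ui-vty0-4] authentication-mode aaa
[NIP6800-ui-vty0-4] quit
[NIP6800] aaa
[NIP6800-aaa] manager-user vtyadmin
[NIP6800-aaa-manager-user-vtyadmin] password
Enter Password:
Confirm Password:
[NIP6800-aaa-manager-user-vtyadmin] service-type telnet
[NIP6800-aaa-manager-user-vtyadmin] quit
[NIP6800] policy interzone local trust inbound
[NIP6800-policy-interzone-local-trust-inbound] policy 1
[NIP6800-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[NIP6800-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.1 0
[NIP6800-policy-interzone-local-trust-inbound-1] action permit
"""

# Constructed sample: the SSH variant with the VTY restricted to SSH.
SSH_ONLY = """\
<NIP6800> system-view
[NIP6800] user-interface vty 0 4
[NIP6800-ui-vty0-4] authentication-mode aaa
[NIP6800-ui-vty0-4] protocol inbound ssh
[NIP6800-ui-vty0-4] quit
[NIP6800] aaa
[NIP6800-aaa] manager-user sshadmin
[NIP6800-aaa-manager-user-sshadmin] service-type ssh
[NIP6800-aaa-manager-user-sshadmin] quit
[NIP6800] policy interzone local trust inbound
[NIP6800-policy-interzone-local-trust-inbound] policy 1
[NIP6800-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[NIP6800-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.1 0
[NIP6800-policy-interzone-local-trust-inbound-1] action permit
"""

if __name__ == "__main__":
    for name, sample in (("telnet variant", AS_ON_PAGE), ("ssh variant", SSH_ONLY)):
        print(name, audit(sample))
```
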

2.5 Appendix: Uploading and Downloading Files

About This Chapter

2.5.1 Device Serving as the FTP Client to Upload or Download Files Through FTP

Context
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the
NIP6800 and upload or download files through FTP. This method requires the third-party FTP
server software to be installed on the PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the FTP server. The following example
uses the two-PC deployment.

Figure 2-18 Schematic diagram of uploading/downloading files through FTP and with the
device serving as the FTP client

Procedure
Step 1 Configure the FTP server. Install the FTP server program on PC2 and configure the FTP
server using the document available with the program. Suppose that you obtain the FTP
server program in a legitimate way; description of the program is beyond the coverage of
this document. Assume that an FTP user already exists with the user name 123 and password
123, and that the root directory of the user is set to the storage path of files to be
uploaded/downloaded.

Step 2 Log in to the NIP6800 from PC1 through Telnet/SSH.

Step 3 Log in to the FTP server from the NIP6800. Run the ftp ip-address command in the user view to
establish an FTP connection to the PC and enter the FTP client view. The following operation
assumes that the IP address of the FTP server is 192.168.0.2.
<NIP6800> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

Step 4 Upload files in storage media of the NIP6800 to the FTP server. Run the put local-filename
[ remote-filename ] command in the FTP client view to upload files to the FTP server.
[ftp] binary    // Run the binary command to specify file transmission in binary mode.
[ftp] put test.cc

After the uploading is complete, check whether the sizes of files on the FTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the FTP server.

Step 5 Download files from the FTP server to storage media of the NIP6800. Run the get
remote-filename [ local-filename ] command in the FTP client view to download files from the FTP
server.
[ftp] binary    // Run the binary command to specify file transmission in binary mode.
[ftp] get temp.cc

After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the FTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.

----End

2.5.2 Device Serving as the TFTP Client to Upload or Download Files Through TFTP

Context
As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the
NIP6800 and upload or download files through TFTP. This method requires the third-party
TFTP server software to be installed on the PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the TFTP server. The following example
uses the two-PC deployment.


Figure 2-19 Schematic diagram of uploading/downloading files through TFTP and with the
NIP6800 serving as the TFTP client

Procedure
Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure the TFTP
server using the document available with the program. Suppose that you obtain the TFTP
server program in a legitimate way; description of the program is beyond the coverage of
this document. The following operation assumes that the root directory of the TFTP server is
set to the storage path of files to be uploaded/downloaded.
Step 2 Log in to the NIP6800 from PC1 through Telnet/SSH.
Step 3 Upload files in storage media of the NIP6800 to the TFTP server. Run the tftp ip-address put
source-filename [ destination-filename ] command in the user view to upload files to the
TFTP server. The following operation assumes that the IP address of the TFTP server is
192.168.0.2.
<NIP6800> tftp 192.168.0.2 put test.cc

After the uploading is complete, check whether the sizes of files on the TFTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the TFTP server.
Step 4 Download files from the TFTP server to CF card of the NIP6800. Run the tftp ip-address get
source-filename [ destination-filename ] command in the user view to download files from the
TFTP server.
<NIP6800> tftp 192.168.0.2 get temp.cc

After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the TFTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.

----End

2.5.3 Device Serving as the SFTP Server to Upload or Download Files Through SFTP

Context
As shown in Figure 1, NIP6800 serves as the SFTP server. Log in to the SFTP server from the
PC2 and upload/download files through SFTP. This method requires the third-party SFTP
client program (such as WinSCP) to be installed on the PC2.


NOTE

You can also use a PC as both the Telnet/SSH client and the SFTP server. The following example
uses the two-PC deployment.

Figure 2-20 Schematic diagram of uploading/downloading files through SFTP and with the
NIP6800 serving as the SFTP server

Procedure
Step 1 Configure the SFTP client. Install the SFTP client program on PC2 and configure the SFTP
client using the document available with the program. Suppose that you obtain the SFTP
client program in a legitimate way; description of the program is beyond the coverage of
this document.

Step 2 Log in to the NIP6800 from PC1 through Telnet/SSH.

Step 3 On the NIP6800, create an SFTP user with user name user1 and password Admin@123 and
enable the SFTP server service.
<NIP6800> system-view
[NIP6800] rsa local-key-pair create
[NIP6800] user-interface vty 0 4
[NIP6800-ui-vty0-4] authentication-mode aaa
[NIP6800-ui-vty0-4] protocol inbound ssh
[NIP6800-ui-vty0-4] quit
[NIP6800] aaa
[NIP6800-aaa] local-user user1 password
Please cofigure the login password(8-16)
Enter Password:
Confirm Password:
Submit password successfully.
[NIP6800-aaa] local-user user1 service-type ssh
[NIP6800-aaa] local-user user1 level 3
[NIP6800-aaa] quit
[NIP6800] ssh user user1
[NIP6800] ssh user user1 authentication-type password
[NIP6800] ssh user user1 service-type sftp
[NIP6800] ssh user user1 sftp-directory cfcard:
[NIP6800] sftp server enable

Step 4 Download files from CF card of the NIP6800 to the SFTP client. After the downloading is
complete, check whether the sizes of files on the SFTP client are consistent with those in the
CF card. If not, re-download the files to ensure that they are completely uploaded to the SFTP
server.

Step 5 Upload files from the SFTP client to CF card of the NIP6800. After the uploading is complete,
check whether the sizes of files in the CF card are consistent with those on the SFTP client. If
not, re-download the files to ensure that they are completely downloaded to the CF card.

----End

2.6 Appendix: Activating the ESN

Context
As the ESNs of certain MPUs manufactured earlier are not activated, you cannot view the
ESNs by running the display license command.
<NIP6800> display license
Device ESN is: (null)
License file is not activated, please use default configuration!

In this case, you need to run the active mpu-esn command in the diagnose view to activate
ESNs manually. Then you can view the ESNs of the device.

Procedure
Step 1 In the user view, run the system-view command to access the system view.
<NIP6800> system-view
[NIP6800]

Step 2 Run the diagnose command, and access the diagnose view.
[NIP6800] diagnose
[NIP6800-diagnose]

Step 3 Run the active mpu-esn command to activate the ESN of the master MPU.
[NIP6800-diagnose] active mpu-esn

If both MPUs can be detected on the device, run the following command to activate the ESN
of the standby MPU.
[NIP6800-diagnose] active mpu-esn slave-board

If the current device does not support the active mpu-esn slave-board command, you need to
run the active mpu-esn command on both MPUs respectively. That is, insert MPU A first.
After MPU A is successfully registered, run the active mpu-esn command. Then pull out
MPU A, and insert MPU B. After MPU B is successfully registered, run the active mpu-esn
command. After the previous operations are complete, ensure that both MPUs are in position
at the same time, and then perform subsequent operations.

----End

2.7 Appendix: Applying for a License


Context
The license file to be loaded on the device is a .dat file. This file is not delivered with the
device and is independently generated by the license center of Huawei.

Procedure
Step 1 The license on each device is unique. For the license center to generate the license for your
device, you need to collect the following information:
• Contract No.
It is available in the license certificate that is delivered with the device.
• Equipment serial number (ESN)
It is displayed after you run the display license command in any view of the CLI.
NOTE

• The ESN identifies a device from all other devices. It is recorded in the electrical label of the MPU.
If the device has two MPUs, record the ESNs of both the active and standby MPUs.
• The ESN is case-sensitive. Note the case when you record the ESN.

Step 2 Provide the previous information to the local technical support personnel of Huawei. The
application will be handled as soon as possible.

Step 3 You need to obtain a new license if you want to enlarge the license capacity or use new services
that are subject to license control. In this case, the previous procedure is still applicable. The
license center automatically combines the licenses for new features with the existing license,
and generates a new license.

----End

2.8 Appendix: Upgrade Record Table

Office name | | Upgrade time |
Current version | | Target version |
Upgrade engineer | Customer:    Huawei: | |
Upgrade successful or not | | |

Check Item | Result | Anomaly Handling
--- | --- | ---
Check before the upgrade | |
Check of upgrade operations | |
Check after the upgrade | |

2.9 Appendix: Abbreviations

Table 2-9 Abbreviations

AAA      Authentication, Authorization and Accounting
ACL      Access Control List
AUX      Auxiliary port
CF       Compact Flash
DNS      Domain Name System
ESN      Equipment Serial Number
FTP      File Transfer Protocol
GRE      Generic Routing Encapsulation
GTP      GPRS Tunneling Protocol
HTTPS    Secure HTTP
ICMP     Internet Control Message Protocol
IP       Internet Protocol
IPS      Intrusion Prevention System
IPSec    IP Security
MPU      Main Processing Unit
RADIUS   Remote Authentication Dial in User Service
SPUA     Service Processing Unit A
SSH      Secure Shell
TCP      Transmission Control Protocol
TFTP     Trivial File Transfer Protocol
UDP      User Datagram Protocol
VTY      Virtual Type Terminal


3 IPS Module

About This Chapter

3.1 Application Scenarios
3.2 Upgrade Impact
3.3 Upgrading Version Software in Single-System
3.4 Upgrading Version Software in Dual-System Hot Backup
3.5 Appendix A: Upgrading System Software Using BootROM
3.6 Appendix B: Establishing the Upgrade Environment Through the Console Port
3.7 Appendix C: Uploading and Downloading Files
3.8 Appendix D: Applying for a License
3.9 Appendix E: Upgrade Record Table
3.10 Appendix F: Abbreviations


3.1 Application Scenarios


This document applies to the NIP6000 series.
For version software, the following scenarios are covered:
• Upgrade from V500R001C00SPC300 to V500R001C50SPC100
• Upgrade from V500R001C00SPC500 to V500R001C50SPC100
• Upgrade from V500R001C20SPC100 to V500R001C50SPC100
• Upgrade from V500R001C20SPC200 to V500R001C50SPC100
• Upgrade from V500R001C20SPC300 to V500R001C50SPC100
• Upgrade from V500R001C30SPC100 to V500R001C50SPC100
• Upgrade from V500R001C30SPC200 to V500R001C50SPC100
• Upgrade from V500R001C30SPC300 to V500R001C50SPC100
• Upgrade from V500R001C50 to V500R001C50SPC100

NOTICE
1. Before an upgrade from a patch version, run the patch delete all command to delete the
patch.
2. Perform the upgrade.

V500R001C00SPC300, V500R001C00SPC500, V500R001C20SPC100,
V500R001C20SPC200 and V500R001C20SPC300 cannot be directly upgraded to
V500R001C50SPC100. Instead, upgrade them to V500R001C50SPC100 first or install the
following patches:
• For V500R001C20SPC100, V500R001C20SPC200 and V500R001C20SPC300, install
V500R001SPH002.


NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V1 upgrades are not recommended. If there are such requirements, contact Huawei
engineers.
3. To roll back from V500R001C50 to an early version, run the set system-software
check-mode all command. For other versions, rollback can be directly performed.
Note the following items for patch upgrades:
• After activating the patch and setting the startup configuration file, ensure that the patch is
in activated state when the reboot or reboot fast command is used to restart the system.
Otherwise, the system restart may fail.
• If the patch is mistakenly deleted and the system restart fails after the startup configuration
file is set, you must re-activate the patch and restart the system again. For a high-end
firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not,
delete the patch and then install and activate it again.

3.2 Upgrade Impact

3.2.1 Impact of the Upgrade from V500R001C50

3.2.1.1 Impact of Feature Changes

Table 3-1 New features

No. | Description | Purpose
--- | --- | ---
1 | The device can parse NSH packets. | To allow the device to parse and forward NSH packets.
2 | The log and alarm are generated if the number of L2TP online users reaches the upper limit. | To remind the administrator if the number of L2TP online users reaches the upper limit.
3 | The rate of received L2TP negotiation packets is limited. | To prevent a large number of L2TP negotiation packets from affecting service packets.
4 | The SSL proxy certificate can be virtualized. | To virtualize the certificate.
5 | The alarm is added, indicating that SSL VPN online user resources are used up. | To notify the administrator of the exhaustion of SSL VPN online user resources.
6 | The log and alarm are generated if the number of SSL VPN online users reaches the upper limit. | To remind the administrator if the number of SSL VPN online users reaches the upper limit.
7 | The alarm is added, indicating that addresses in the SSL VPN network extension address pool are used up. | To notify the administrator of the address exhaustion.
8 | IPSec forwarding adapts the user-configured IPSec source port. | To identify IKE or ESP packets based on the user-configured port.
9 | The northbound interface is added. Virtual-if-[vsysname] can be used to deliver the Virtual-if configuration. | To improve the Controller's delivery efficiency. The device does not obtain the ID of a created virtual system.
10 | The device supports the CIS interworking function. | The CIS can interwork with the firewall to identify and block malicious sessions.
11 | TWAMP Lite network quality detection is added. | To meet the carrier's QoS requirements. The device creates statistical sessions and records test results to provide the NMS with performance statistics about bidirectional delay, jitter, and packet loss rate.
12 | The device supports HRP smooth upgrade. | To allow cross-version HRP dual-system upgrades without service interruption.


Table 3-2 Modified features


No. | Feature | Change Description | Cause | Upgrade Impact
--- | --- | --- | --- | ---
1 | Virtual system northbound | getState is added to view the used and left virtual system resources. | Function enhanced. | None.
2 | Maintenance and management of the logical resource pool | The usage of virtual systems and ARP resources can be obtained. | Function enhanced. | None.
3 | Web interface traffic statistics | Before modification, traffic statistics on all interfaces apply to virtual system interfaces. After the modification, traffic statistics on all interfaces equal the sum of traffic on interfaces in the corresponding system. | If the maximum number of virtual systems are created, too many memory resources are occupied. | None.
4 | License | The license provides a NETCONF interface, so that the license can be activated online through an activation code. | This is a new requirement. | None.
5 | AAPT | Cloud sandbox interworking supports HTTPS. | The firewall AAPT can interconnect with a cloud sandbox through HTTPS. | As old devices do not have preset certificates, you must manually import the certificate and key for cloud sandbox interworking.
6 | SSL proxy | The certificate can be virtualized. | The SSL server certificate supports virtualization. | None.
7 | Quota control policy | • The alarm threshold reminders are added for daily duration quota, daily traffic quota, and monthly traffic quota. • A device domain name can be set to hide the device IP address on the pushed alarm and quota exhaustion web pages. | Agile Controller-Campus supports traffic statistics. | None.
8 | Online user management | • The upstream rate and downstream rate fields are added to the online user monitoring table on the web UI. • The upstream rate and downstream rate are added to the detailed online user information in the related command output. | You can query the real-time upstream and downstream rates of a single IP address or user. |

Deleted Features
None.

3.2.1.2 Impact of Command Changes


New Commands
Command: [ undo ] firewall dynamic-resource used-up alarm sslvpn-user enable
Description: Enables or disables the alarm that forwarding dynamic resources are used up.
Impact: None.

Command: firewall dynamic-resource used-up alarm sslvpn-user threshold <integer<1-100>>
Description: Sets the threshold for the alarm indicating that forwarding dynamic resources are used up. The default value is 80%.
Impact: None.

Command: undo firewall dynamic-resource used-up alarm sslvpn-user threshold
Description: Restores the threshold to the default value for the alarm indicating that forwarding dynamic resources are used up. The default value is 80%.
Impact: None.

Command: [ undo ] firewall dynamic-resource used-up alarm sslvpn-user enable
Description: Enables or disables the alarm that SSL VPN user resources are used up.
Impact: None.

Command: firewall dynamic-resource used-up alarm sslvpn-user threshold <interger>
Description: Sets the threshold for the alarm indicating that SSL VPN user resources are used up. The default value is 80%.
Impact: None.

Command: undo firewall dynamic-resource used-up alarm sslvpn-user threshold
Description: Restores the threshold to the default value for the alarm indicating that SSL VPN user resources are used up. The default value is 80%.
Impact: None.

Command: interface virtual-if api transform
Description: Sets the virtual-if northbound delivery configuration mode.
Impact: Virtual-if-[vsysname] replaces Virtual-if[vsysid] as the virtual-if name, improving the Controller's delivery efficiency.

Command: display firewall detect [ global | zone STRING<1-256> | interzone STRING<1-256> STRING<1-256> ]
Description: Displays the ASPF detection function.
Impact: None.

Command: [ undo ] hrp configuration auto-check warning enable
Description: Enables or disables the alarm function of hot standby configuration consistency check.
Impact: None.

Command: [ undo ] hrp track spu enable
Description: Configures the VGMP group to monitor the VLAN status.
Impact: None.

Command: [undo] device-domain <domain-name>
Description: Sets the device domain name. The device domain name is used in the quota control policy alarm and the redirected page upon quota exhaustion to replace the device IP address.
Impact: None.

Table 3-3 Modified commands


Original Command: display ipsec statistics
New Command: display ipsec statistics all-systems
Change Description: The keyword all-systems is added.
Upgrade Impact: This command is used in the root system before C50. After the upgrade to C50, you must run the display ipsec statistics all-systems command to display IPSec statistics in the root system.

Original Command: app-proxy built-in-ca { trust | untrust } filename <filename>
New Command: app-proxy built-in-ca { trust | untrust } filename <filename>
Change Description: This command applies to virtual systems.
Upgrade Impact: None.

Original Command: undo app-proxy built-in-ca { trust | untrust }
New Command: undo app-proxy built-in-ca { trust | untrust }
Change Description: This command applies to virtual systems.
Upgrade Impact: None.

Original Command: [ undo ] app-proxy ca trust filename <filename>
New Command: [ undo ] app-proxy ca trust filename <filename>
Change Description: This command applies to virtual systems.
Upgrade Impact: None.

Original Command: [ undo ] app-proxy server certificate filename <filename>
New Command: [ undo ] app-proxy server certificate filename <filename>
Change Description: This command applies to virtual systems.
Upgrade Impact: None.


Original Command: display app-proxy dynamic-cert cache
New Command: display app-proxy dynamic-cert cache [ all-systems ]
Change Description: PKI supports virtualization. The keyword all-systems is added.
Upgrade Impact: Before C50, virtual systems use the root system certificate. After the upgrade to C50, the keyword all-systems is required.

Original Command: reset app-proxy dynamic-cert cache
New Command: reset app-proxy dynamic-cert cache [ all-systems ]
Change Description: PKI supports virtualization. The keyword all-systems is added.
Upgrade Impact: Before C50, virtual systems use the root system certificate. After the upgrade to C50, the keyword all-systems is required.

Original Command: api call-home host <host-name>{<domain-name> | ip x.x.x.x } port <port-number>[ source-ip x.x.x.x ]
New Command: api call-home host <host-name>{domain <domain-name> | ip x.x.x.x } port <port-number>[ source-ip x.x.x.x ] [ vpn-instance <vpn-instance-name>]
Change Description: The parameter vpn-instance-name is added for the scenario where the outbound interface is bound to a VPN instance.
Upgrade Impact: None.

Original Command: [undo] time-daily <time-daily>
New Command: [undo] time-daily <time-daily>[ reminder-threshold <reminder-threshold-value>]
Change Description: A reminder threshold can be set.
Upgrade Impact: None.

Original Command: [undo] stream-daily <stream-daily>
New Command: [undo] stream-daily <stream-daily>[ reminder-threshold <reminder-threshold-value>]
Change Description: A reminder threshold can be set.
Upgrade Impact: None.

Original Command: [undo] stream-monthly <stream-monthly>
New Command: [undo] stream-monthly <stream-monthly>[ reminder-threshold <reminder-threshold-value>]
Change Description: A reminder threshold can be set.
Upgrade Impact: None.

Deleted Commands
None.


3.2.1.3 License Impact

The license can still be used after the upgrade from V500R001C50 to V500R001C50SPC100.

3.2.1.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C50 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.

3.2.2 Impact of the Upgrade from V500R001C30SPC300

3.2.2.1 Impact of Feature Changes

Deleted Features

Table 3-4 New features


No.: 1
Description: Encrypted traffic detection policy
Objective: To enrich the SSL decryption function, the SSL decryption proxy policy is extracted to form the encrypted traffic detection policy.

No.: 2
Description: Policy label
Objective: The policy label is added, which enables network maintenance personnel to search for or modify a policy more conveniently and improves the ease of use.

No.: 3
Description: Collection of the accumulated value of specific policy traffic through the OID
Objective: This feature enables the NMS to analyze the traffic and policy in a more convenient way.


No.: 4
Description: TWAMP
Objective: Network quality detection.

No.: 5
Description: CIS interworking
Objective: The firewall interworks with the CIS to block malicious traffic.

No.: 6
Description: Cloud sandbox
Objective: Files matching the cloud sandbox interworking policy are sent to the cloud sandbox for in-depth detection.

No.: 7
Description: Support of AES256 in IDS interworking
Objective: This feature guarantees the security of IDS interworking messages.

No.: 8
Description: SSL inbound and outbound decryption detection
Objective: SSL inbound and outbound decryption detection is supported.

No.: 9
Description: Configuration consistency between the local and remote ends
Objective: This feature applies to scenarios, such as DCN scenarios, where a device restarts due to a fault and needs to restore basic configurations locally and synchronize service configurations from the remote end. This feature helps guarantee configuration consistency.

No.: 10
Description: System memory detection mechanism
Objective: To detect memory overwriting and memory leak issues.

No.: 11
Description: Detection of abrupt KPI information change
Objective: To detect abrupt changes of the memory, CPU usage, and session, and send alarms.

No.: 12
Description: Disabling of the bound interface when the CPU usage exceeds the threshold
Objective: To disable the previously bound interface when the CPU usage exceeds the specified threshold.

No.: 14
Description: Customization of session log templates in syslog format
Objective: The function is enhanced.

No.: 15
Description: Enhanced session log function
Objective: The function is enhanced.

No.: 16
Description: Real-time traffic statistics collection
Objective: The function is enhanced.

No.: 17
Description: Alarm on the exhaustion of forwarding resources on the firewall
Objective: The function is enhanced.


No.: 18
Description: Enhanced restriction on the number of new connections
Objective: The function is enhanced.

No.: 19
Description: ICMP fast reply function
Objective: The function is enhanced.

No.: 21
Description: Alarm on abrupt session changes
Objective: The function is enhanced.

No.: 22
Description: Multicast packet filtering
Objective: The function is enhanced.

No.: 23
Description: Filtering and viewing of blacklists of various types
Objective: The function is enhanced.

Table 3-5 Modified features

No.: 1
Feature: Policy
Change Description: In policy query, related policies can be rapidly located based on quintuple information (or accurate source and destination information, and source and destination address segments). Policy objects support fuzzy query and association with the drop-down list.
Cause: The ease of use shall be improved.
Impact of the Upgrade: None

No.: 2
Feature: Policy
Change Description: The security, traffic, and decryption policies support the configuration of URL category conditions.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 3
Feature: Policy
Change Description: The security policy supports the reference of the Cloud Access Security Awareness (CASA) profile.
Cause: The function is enhanced.
Impact of the Upgrade: None


No.: 4
Feature: Service
Change Description: The range of well-known ports of the service set is added.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 5
Feature: Log
Change Description: The firewall supports the audit of outbound files.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 6
Feature: HRP
Change Description: The support of smooth upgrade is added.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 8
Feature: BWM
Change Description: The northbound function is added for the per-user maximum connection rate and per-IP address maximum connection rate.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 9
Feature: PKI
Change Description: Virtualization is supported. When the certificate or key pair is imported through the CLI, the file shall be uploaded to the corresponding directory (public on the root firewall and vsys+vsysid on the virtual firewall) under cfcard:/pki or hda1:/pki.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 12
Feature: Session log
Change Description: Log sending when the source IP address and source port are not configured is supported.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 13
Feature: Session log
Change Description: Sending encrypted session logs over an IPsec tunnel is supported.
Cause: The function is enhanced.
Impact of the Upgrade: None

No.: 14
Feature: Session log
Change Description: Displaying log server-specific statistics is supported.
Cause: The function is enhanced.
Impact of the Upgrade: None


No.: 15
Feature: Application
Change Description: After the SA signature database is updated, application names of functions that reference applications, such as integrated policy, application group, and port mapping, are smoothly updated to new names after configuration update. For example, QQ_Webmail is updated to WebMail_QQ, and GMail to WebMail_GMail.
Cause: The function is enhanced.
Impact of the Upgrade: None

None

3.2.2.2 Impact of Command Changes

New commands
For new command details, see the product document.

Modified commands
Original Command: undo ssl whitelist hostname { host-name-xxx | all }
New Command: undo ssl whitelist userdefined-hostname { name xxx | all }
Change Description: Modify keywords.
Impact of the Upgrade: None

Original Command: ssl whitelist hostname xxx
New Command: ssl whitelist userdefined-hostname xxx
Change Description: Modify keywords.
Impact of the Upgrade: None

Original Command: display vrrp error packet [ slot STRING<1-256> ]
New Command: display vrrp error packet
Change Description: This slot is not supported.
Impact of the Upgrade: None


Original Command: startup patch STRING<5-48>
New Command: startup patch STRING<5-48> [ slave-board | all | chassis STRING<1-16> { master | slave } | slot STRING<1-64> ]
Change Description: The configuration patch file of the standby board is added.
Impact of the Upgrade: None

Original Command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] *
New Command: display diag-logfile STRING<1-64> [ INTEGER<0-2147483647> | hex ] * [ | count ] [ | [ before INTEGER<1-999> | after INTEGER<1-999> ] * { begin | include | exclude } TEXT0 ]
Change Description: The pipe character-based filtering and query function is added.
Impact of the Upgrade: None

Original Command: info-center timestamp { log | trap | debugging } { { none | boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] }
New Command: info-center timestamp { log | trap | debugging } { { boot } | { date | short-date | format-date } [ precision-time { tenth-second | millisecond | second } ] } [ without-timezone ]
Change Description: In security rectification, the no-timestamp mode is deleted.
Impact of the Upgrade: None

Original Command: snmp-agent acl { INTEGER<0-4294967295> | null }
New Command: snmp-agent acl INTEGER<0-4294967295>
Change Description: The function is enhanced. The null configuration at the end of the ACL is meaningless, and no buildrun information is generated.
Impact of the Upgrade: None


Original Command: snmp-agent group v3 STRING<1-32> { authentication | privacy | noauthentication } [ read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> ] * [ acl { INTEGER<0-4294967295> | null } ]
New Command: snmp-agent group v3 STRING<1-32> { authentication | privacy | noauthentication } [ read-view STRING<1-32> | write-view STRING<1-32> | notify-view STRING<1-32> ] * [ acl INTEGER<0-4294967295> ]
Change Description: The function is enhanced. The null configuration at the end of the ACL is meaningless, and no buildrun information is generated.
Impact of the Upgrade: None

Original Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname STRING<1-32> [ { v3 [ authentication | privacy ] | v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None

Original Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
New Command: snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname cipher STRING<1-68> [ { v2c | v1 } | notify-filter-profile STRING<1-32> | private-netmanager | ext-vb ] *
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None


Original Command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> }
New Command: undo snmp-agent target-host ipv6 X:X::X:X securityname { STRING<1-32> | cipher STRING<1-68> } [ vpn-instance STRING<1-31> ]
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None

Original Command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> ] } params securityname { STRING<1-32> | cipher STRING<1-68> }
New Command: undo snmp-agent target-host trap ipv6 address { udp-domain X:X::X:X [ udp-port INTEGER<0-65535> | vpn-instance STRING<1-31> ] * } params securityname { STRING<1-32> | cipher STRING<1-68> }
Change Description: Keyword vpn-instance is added.
Impact of the Upgrade: None

Original Command: ping ipv6 [ -a X:X::X:X | -c INTEGER<1-4294967295> | -s INTEGER<20-9600> | -t INTEGER<0-65535> | -m INTEGER<1-10000> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -tc INTEGER<0-255> | -h INTEGER<1-255> | -name ] * STRING<1-46> [ -i { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
New Command: ping ipv6 [ -a X:X::X:X | -c INTEGER<1-4294967295> | -s INTEGER<20-9600> | -t INTEGER<0-65535> | -m INTEGER<1-10000> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -tc INTEGER<0-255> | -h INTEGER<1-255> | -name ] * STRING<1-255> [ -i { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
Change Description: The number of characters in the hostname is increased from 46 to 255.
Impact of the Upgrade: None


Original Command: tracert ipv6 [ -f INTEGER<1-255> | -m INTEGER<1-255> | -p INTEGER<1-65535> | -q INTEGER<1-65535> | -w INTEGER<1-65535> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -a X:X::X:X | -s INTEGER<20-9600> | -name ] * STRING<1-46>
New Command: tracert ipv6 [ -f INTEGER<1-255> | -m INTEGER<1-255> | -p INTEGER<1-65535> | -q INTEGER<1-65535> | -w INTEGER<1-65535> | { vpn6-instance STRING<1-31> | vpn-instance STRING<1-31> } | -a X:X::X:X | -s INTEGER<20-9600> | -name ] * STRING<1-255>
Change Description: The number of characters in the hostname is increased from 46 to 255.
Impact of the Upgrade: None

Original Command: [ undo ] debugging arp-proxy [ inner-sub-vlan-proxy ] [ interface { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
New Command: [ undo ] debugging arp-proxy inner-sub-vlan-proxy [ interface { STRING<1-256> | STRING<1-256> STRING<1-256> } ]
Change Description: The status of arp-proxy debugging can be controlled.
Impact of the Upgrade: None


Original Command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: stelnet [ -a X.X.X.X | -i { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-255> [ INTEGER<1-65535> ] [ [ -vpn-instance STRING<1-31> ] | [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added in response to a new requirement.
Impact of the Upgrade: None


Original Command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-46> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
New Command: stelnet ipv6 [ -a X:X::X:X ] STRING<1-255> [ -oi { STRING<1-256> STRING<1-256> | STRING<1-256> } ] [ INTEGER<1-65535> ] [ [ prefer_kex STRING<1-64> ] | [ identity-key { rsa | dsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher STRING<1-32> ] | [ prefer_stoc_cipher STRING<1-32> ] | [ prefer_ctos_hmac STRING<1-32> ] | [ prefer_stoc_hmac STRING<1-32> ] | [ -ki INTEGER<1-3600> ] | [ -kc INTEGER<3-10> ] ] *
Change Description: ECC authentication is added in response to a new requirement.
Impact of the Upgrade: None

Original Command: reset arp { static | all | dynamic }
New Command: reset arp { static | dynamic }
Change Description: Traffic interruption resulting from misoperations is prevented.
Impact of the Upgrade: None

Original Command: routing-table rib-only [ route-policy STRING<1-40> ]
New Command: routing-table rib-only [ route-policy STRING<1-40> ]
Change Description: Whether the private network route in BGP delivers the IP routing table is controlled.
Impact of the Upgrade: None

Original Command: slow-peer detection [ threshold INTEGER<120-3600> ]
New Command: slow-peer detection threshold INTEGER<120-3600>
Change Description: The status of slow peer detection is changed from disabled by default to enabled by default, the command syntax is changed, and it is compatible with system upgrade.
Impact of the Upgrade: None


Original Command: undo routing-table rib-only
New Command: undo routing-table rib-only
Change Description: Whether the private network route in BGP delivers the IP routing table is controlled.
Impact of the Upgrade: None

Original Command: undo slow-peer detection
New Command: undo slow-peer detection [ threshold INTEGER<120-3600> ]
Change Description: The status of slow peer detection is changed from disabled by default to enabled by default, the command syntax is changed, and it is compatible with system upgrade.
Impact of the Upgrade: None

Original Command: nssa [ default-route-advertise { [ [ cost INTEGER<1-16777214> ] | [ type INTEGER<1-2> ] | [ tag INTEGER<0-4294967295> ] ] * } | no-import-route | no-summary | translator-always | translator-interval INTEGER<1-120> | set-n-bit ] *
New Command: nssa [ default-route-advertise { [ [ cost INTEGER<1-16777214> ] | [ type INTEGER<1-2> ] | [ tag INTEGER<0-4294967295> ] ] * } | no-import-route | no-summary | translator-always | translator-interval INTEGER<1-120> | set-n-bit | suppress-forwarding-address ] *
Change Description: Integrated from the OSPFv3 FA requirement.
Impact of the Upgrade: None

Original Command: [ undo ] mpls ldp
New Command: [ undo ] mpls ldp
Change Description: The [ undo ] mpls ldp command is split into two commands undo mpls ldp and mpls ldp. As a result, this command no longer exists in the system view.
Impact of the Upgrade: None

Original Command: receive-time utc STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
New Command: receive-time [ utc ] STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None


Original Command: receive-time utc STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
New Command: receive-time [ utc ] STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: send-time utc STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
New Command: send-time [ utc ] STRING<1-5> STRING<1-10> duration { INTEGER<1-26280000> | infinite }
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: send-time utc STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
New Command: send-time [ utc ] STRING<1-5> STRING<1-10> to STRING<1-5> STRING<1-10>
Change Description: The UTC time format is permitted, and an individual command is added for control.
Impact of the Upgrade: None

Original Command: ips associated pre-defined signature-id INTEGER<1025-16777215> { threshold INTEGER<1-500> | interval INTEGER<1-7200> | block-time INTEGER<1-1000> | correlateby STRING<1-256> } *
New Command: ips associated pre-defined signature-id INTEGER<1025-16777215> { threshold INTEGER<1-2000> | interval INTEGER<1-7200> | block-time INTEGER<1-1000> | correlateby STRING<1-256> } *
Change Description: The threshold range in the configuration information is modified.
Impact of the Upgrade: None

Original Command: condition [ INTEGER<1-4> ] field STRING<1-256> operate STRING<1-256> value STRING<1-256> [ offset { INTEGER<0-65535> | begin } ] [ depth INTEGER<7-65535> ]
New Command: condition [ INTEGER<1-4> ] field STRING<1-256> operate STRING<1-256> value STRING<1-256> [ offset { INTEGER<0-65535> | begin } ] [ depth INTEGER<7-65535> ] [ direction STRING<1-256> | qualifier http-method STRING<1-256> ] *
Change Description: The user-defined signature detection function is enhanced in response to a new requirement.
Impact of the Upgrade: None


Original Command: display slb { vserver [ STRING<1-32> ] [ verbose ] | group [ STRING<1-32> ] }
New Command: display slb { vserver [ STRING<1-32> ] [ verbose ] | group [ STRING<1-32> ] [ verbose ] }
Change Description: The command for displaying the group verbose information is added.
Impact of the Upgrade: None

Original Command: protocol { tcp | udp | any }
New Command: protocol { tcp | udp | any | http | ssl | https | esp }
Change Description: The support of HTTP/SSL/HTTPS/ESP is added.
Impact of the Upgrade: None

Original Command: rserver INTEGER<0-31> { port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> } *
New Command: rserver INTEGER<0-31> { port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> } *
Change Description: The command that restricts the maximum number of connections of the physical server (max-connection INTEGER<0-65535>) is added.
Impact of the Upgrade: None

Original Command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-1024> | status { inactive | health-check } | description STRING<1-32> ] *
New Command: rserver [ INTEGER<0-31> [ to INTEGER<0-31> ] ] rip X.X.X.X [ port INTEGER<0-65535> | weight INTEGER<1-8192> | status { inactive | health-check } | description STRING<1-32> | max-connection INTEGER<0-65535> ] *
Change Description: The command that restricts the maximum number of connections of the physical server (max-connection INTEGER<0-65535>) is added.
Impact of the Upgrade: None

Original Command: display packet-capture queue INTEGER<0-3> [ INTEGER<0-1999> ]
New Command: display packet-capture queue INTEGER<0-4294967295> [ INTEGER<0-4294967295> ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None


Original Command: packet-capture drop [ ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> ] [ queue INTEGER<0-3> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
New Command: packet-capture drop [ ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> ] [ queue INTEGER<0-4294967295> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture drop drop-type { blackhole | default-filter | fib-miss | arp-miss } [ queue INTEGER<0-3> ]
New Command: packet-capture drop drop-type { blackhole | default-filter | fib-miss | arp-miss } [ queue INTEGER<0-4294967295> ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture queue INTEGER<0-3> to-file STRING<5-64>
New Command: packet-capture queue INTEGER<0-4294967295> to-file STRING<5-64>
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture startup [ packet-len INTEGER<40-1500> ] [ sample-rate INTEGER<1-10000> ] [ packet-num INTEGER<1-1000> ]
New Command: packet-capture startup [ packet-len INTEGER<40-1500> ] [ sample-rate INTEGER<1-10000> ] [ packet-num INTEGER<1-1000> ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: packet-capture { ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> | no-ip-packet | all-packet } [ queue INTEGER<0-3> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
New Command: packet-capture { ipv4-packet INTEGER<3000-3999> | ipv6-packet INTEGER<3000-3999> | no-ip-packet | all-packet } [ queue INTEGER<0-4294967295> ] [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None


Original Command: reset packet-capture queue { INTEGER<0-3> | all }
New Command: reset packet-capture queue { INTEGER<0-4294967295> | all }
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: reset packet-capture statistic
New Command: reset packet-capture statistic
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: undo packet-capture [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
New Command: undo packet-capture [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } [ inbound | outbound ] ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: undo packet-capture drop [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
New Command: undo packet-capture drop [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ]
Change Description: The view is changed from system view to any view.
Impact of the Upgrade: None

Original Command: [ undo ] debugging vsys-resource [ event | msg | error | trace | rpc ]
New Command: [ undo ] debugging vsys [ event | msg | error | trace | rpc ]
Change Description: The keyword is changed for the debugging of the virtual system module.
Impact of the Upgrade: None

Original Command: alias TEXT0
New Command: alias TEXT0
Change Description: The command for the virtual system interface view is added.
Impact of the Upgrade: None

Original Command: undo alias
New Command: undo alias
Change Description: The command for the virtual system interface view is added.
Impact of the Upgrade: None

Original Command: configure disk type audit-log INTEGER<1-100>
New Command: configure disk type audit-log INTEGER<0-100>
Change Description: The size of the audit log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { content-log } INTEGER<1-100>
New Command: configure disk type { content-log } INTEGER<0-100>
Change Description: The size of the content log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { content-report } INTEGER<1-100>
New Command: configure disk type { content-report } INTEGER<0-100>
Change Description: The size of the data filtering report disk space can be set to 0%.
Impact of the Upgrade: None


Original Command: configure disk type { file-block-report } INTEGER<1-100>
New Command: configure disk type { file-block-report } INTEGER<0-100>
Change Description: The size of the file blocking report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { mail-log } INTEGER<1-100>
New Command: configure disk type { mail-log } INTEGER<0-100>
Change Description: The size of the mail filtering log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { policy-log } INTEGER<1-100>
New Command: configure disk type { policy-log } INTEGER<0-100>
Change Description: The size of the policy matching log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { policy-report } INTEGER<1-100>
New Command: configure disk type { policy-report } INTEGER<0-100>
Change Description: The size of the policy matching report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { system-log } INTEGER<1-100>
New Command: configure disk type { system-log } INTEGER<0-100>
Change Description: The size of the system log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { threat-log } INTEGER<1-100>
New Command: configure disk type { threat-log } INTEGER<0-100>
Change Description: The size of the threat log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { threat-report } INTEGER<1-100>
New Command: configure disk type { threat-report } INTEGER<0-100>
Change Description: The size of the threat report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { traffic-report } INTEGER<1-100>
New Command: configure disk type { traffic-report } INTEGER<0-100>
Change Description: The size of the traffic report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { url-log } INTEGER<1-100>
New Command: configure disk type { url-log } INTEGER<0-100>
Change Description: The size of the URL log disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { url-report } INTEGER<1-100>
New Command: configure disk type { url-report } INTEGER<0-100>
Change Description: The size of the URL report disk space can be set to 0%.
Impact of the Upgrade: None

Original Command: configure disk type { user-log } INTEGER<1-100>
New Command: configure disk type { user-log } INTEGER<0-100>
Change Description: The size of the user log disk space can be set to 0%.
Impact of the Upgrade: None


Original Command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
New Command: report type threat-report item { threat-type | application | attacker | victim | threat-name | defend | all | map } enable
Change Description: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.
Impact of the Upgrade: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.

Original Command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
New Command: report type traffic-report item { source-ip | destination-ip | application | application-sub-category | all | map | out-interface } enable
Change Description: The application category, address type, source region, and destination region dimensions are deleted from traffic reports. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.
Impact of the Upgrade: Traffic reports do not contain application category, address type, source region, and destination region dimensions. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.


Original command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
New command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | defend | all | map } enable
Change description: The virus, attack region, and attacked region dimensions are deleted from threat reports. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.
Impact of the upgrade: Threat reports do not contain virus, attack region, and attacked region dimensions. (1) The virus dimension can be replaced by advanced search of the threat name dimension with the virus threat type. (2) The attack and attacked region dimensions can be replaced by threat map query.

Original command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
New command: undo report type traffic-report item { source-ip | destination-ip | application | application-sub-category | all | map | out-interface } enable
Change description: The application category, address type, source region, and destination region dimensions are deleted from traffic reports. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.
Impact of the upgrade: Traffic reports do not contain application category, address type, source region, and destination region dimensions. (1) The application category dimension can be replaced using the application sub-category dimension. (2) The source and destination region dimensions can be replaced by traffic map query.

Original command: update log database
New command: update log database [ { traffic-log | threat-log | url-log | content-log | system-log | audit-log | user-activity-log | policy-matching-log | mail-filtering-log } * ]
Change description: The update of log databases of only specific types can be implemented.
Impact of the upgrade: None


Original command: mime-header-group name STRING<1-256> [ smtp | pop3 ] action { alert | block | declare }
New command: mime-header-group name STRING<1-256> [ smtp | pop3 | imap ] action { alert | block | declare }
Change description: The mail proxy for IMAP is added. Therefore, the mime-header-group configuration of IMAP shall also exist.
Impact of the upgrade: None

Original command: [ undo ] firewall blacklist item user STRING<1-130> [ timeout INTEGER<1-1000> ]
New command: [ undo ] firewall blacklist item user STRING<1-130> [ timeout INTEGER<1-65535> ]
Change description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the upgrade: None

Original command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } destination-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } destination-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the upgrade: None

Original command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New command: firewall blacklist item { destination-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the upgrade: None

Original command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } source-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } source-port INTEGER<1-65535> } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the upgrade: None


Original command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-1000> ]
New command: firewall blacklist item { source-ip { X.X.X.X | X:X::X:X } } [ protocol { tcp | udp | icmp | INTEGER<1-255> } ] [ timeout INTEGER<1-65535> ]
Change description: The range of the blacklist aging time is expanded from 1000 to 6535 minutes.
Impact of the upgrade: None

Original command: display self-diagnose information { sadp_channel | gfpi_channel | iic_channel | iic_table } mp_info INTEGER<1-256> all
New command: display self-diagnose information { iic | gfpi-channel } all
Change description: The statistics collection commands for the gfpi and iic modules are optimized.
Impact of the upgrade: None

Deleted commands
Command: refresh fib slot STRING<1-256>
Cause of deletion: The tailored macro that does not take effect originally now takes effect.
Impact: None

Command: [ undo ] super password complexity-check disable
Cause of deletion: This super function is not supported.
Impact: None

Command: set default ftp-directory STRING<1-160>
Cause of deletion: This command is obsolete and supported only by the router.
Impact: None

Command: undo set default ftp-directory
Cause of deletion: This command is obsolete and supported only by the router.
Impact: None

Command: mpls lsp-number-limit bgp INTEGER<10000-10000>
Cause of deletion: The firewall does not support dynamic BGP-LSP specification adjustment.
Impact: None

Command: undo detect { java-blocking | activex-blocking }
Cause of deletion: The command definition is repeated.
Impact: None

Command: display log type merged policy security hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged policy security { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged threat { av | ips | bwt | ddos | application-and-type | application | attacker | victim | attacker-and-threat-name | victim-and-threat-name | type } hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged threat { av | ips | bwt | ddos | application-and-type | application | attacker | victim | attacker-and-threat-name | victim-and-threat-name | type } { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged threat { user-and-application | user } hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged threat { user-and-application | user } { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged traffic { application | source-ip-and-application | destination-ip-and-application | source-ip | destination-ip | application-subcategory | application-category } hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None


Command: display log type merged traffic { application | source-ip-and-application | destination-ip-and-application | source-ip | destination-ip | application-subcategory | application-category } { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged traffic { source-ip-and-application | destination-ip-and-application } cache information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged traffic { user-and-application | user } hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash/cache table.
Impact: None

Command: display log type merged traffic { user-and-application | user } { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged traffic { user-and-application } cache information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash/cache table.
Impact: None

Command: display log type merged url host { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None

Command: display log type merged url host { cache | hash } information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash/cache table.
Impact: None

Command: display log type merged url subcategory hash information
Cause of deletion: The report aggregation mode is changed in a way that aggregation no longer uses the hash table.
Impact: None

Command: display log type merged url subcategory { 5m | 60m } disk_database information
Cause of deletion: The collection of statistics on discarded merged packets is added. Displaying disk information is not required for now.
Impact: None


Command: log audit decrypt
Cause of deletion: By default, audit content logs are stored in cipher text.
Impact: None

Command: log audit password STRING<1-256>
Cause of deletion: By default, audit content logs are stored in cipher text, and the configuration of passwords is not required.
Impact: None

Command: undo log audit decrypt
Cause of deletion: By default, audit content logs are stored in cipher text.
Impact: None

Command: undo log audit decrypt
Cause of deletion: By default, audit content logs are stored in cipher text.
Impact: None

Command: undo log audit password
Cause of deletion: By default, audit content logs are stored in cipher text, and the configuration of passwords is not required.
Impact: None

Command: [ undo ] debugging proxy { event | error | packet | trace | all }
Cause of deletion: The architecture is modified.
Impact: None

Command: [ undo ] mail-proxy-adapt session statistics enable
Cause of deletion: The architecture is modified.
Impact: None

Command: display mail-proxy-adapt session table [ source X.X.X.X ] [ destination X.X.X.X ] [ source-port INTEGER<1-65535> ] [ destination-port INTEGER<1-65535> ] [ timeout ] [ verbose ] [ protocol { smtp | pop3 } ]
Cause of deletion: The architecture is modified.
Impact: None

Command: display mail-proxy-adapt { session | aging } statistics
Cause of deletion: The architecture is modified.
Impact: None

Command: reset mail-proxy-adapt { session | aging } statistics
Cause of deletion: The architecture is modified.
Impact: None

Command: reset { mail-proxy-adapt | mail-proxy } session table
Cause of deletion: The architecture is modified.
Impact: None
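
A pre-upgrade check for the deleted commands listed above, as an added example (not Huawei tooling): it scans a saved configuration or an operations script for lines that use a deleted command and masks the log audit password argument in its report. The regexes are this example's own reading of the table syntax, and the sample text is constructed.

```python
import re

# Command families taken from the "Deleted commands" table above. The regexes
# are this example's own reading of the table's syntax notation (assumption).
DELETED_COMMANDS = [
    ("refresh fib slot", r"refresh\s+fib\s+slot\s+\S+"),
    ("super password complexity-check disable",
     r"(undo\s+)?super\s+password\s+complexity-check\s+disable"),
    ("set default ftp-directory",
     r"(undo\s+)?set\s+default\s+ftp-directory(\s+.+)?"),
    ("mpls lsp-number-limit bgp", r"mpls\s+lsp-number-limit\s+bgp\s+\d+"),
    ("undo detect { java-blocking | activex-blocking }",
     r"undo\s+detect\s+(java-blocking|activex-blocking)"),
    ("display log type merged ... information",
     r"display\s+log\s+type\s+merged\s+"
     r"(policy\s+security|threat|traffic|url\s+(host|subcategory))\b.*"
     r"\s(hash|cache|disk_database)\s+information"),
    ("log audit decrypt", r"(undo\s+)?log\s+audit\s+decrypt"),
    ("log audit password", r"(undo\s+)?log\s+audit\s+password(\s+\S+)?"),
    ("debugging proxy",
     r"(undo\s+)?debugging\s+proxy\s+(event|error|packet|trace|all)"),
    ("mail-proxy-adapt session statistics enable",
     r"(undo\s+)?mail-proxy-adapt\s+session\s+statistics\s+enable"),
    ("display mail-proxy-adapt session table",
     r"display\s+mail-proxy-adapt\s+session\s+table(\s+.+)?"),
    ("display/reset mail-proxy-adapt statistics",
     r"(display|reset)\s+mail-proxy-adapt\s+(session|aging)\s+statistics"),
    ("reset { mail-proxy-adapt | mail-proxy } session table",
     r"reset\s+(mail-proxy-adapt|mail-proxy)\s+session\s+table"),
]

COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in DELETED_COMMANDS]
# The audit-log password must never be echoed into a report or ticket.
SECRET = re.compile(r"(log\s+audit\s+password\s+)\S+", re.IGNORECASE)


def find_deleted_commands(text):
    """Return (line number, table entry, line with secrets masked) per hit."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # commands inside a view are indented
        if not line or line.startswith("#"):  # skip blanks and '#' separators
            continue
        for name, pattern in COMPILED:
            if pattern.fullmatch(line):
                findings.append((number, name, SECRET.sub(r"\1******", line)))
                break
    return findings


# Constructed sample: a configuration fragment followed by script commands.
SAMPLE = """\
#
sysname IPS-A
log audit decrypt
log audit password Example@123
firewall blacklist item user alice timeout 600
#
 mail-proxy-adapt session statistics enable
display log type merged threat ips hash information
display log type merged traffic source-ip 5m disk_database information
display firewall session aging-time
"""

if __name__ == "__main__":
    for number, entry, line in find_deleted_commands(SAMPLE):
        print(f"line {number}: {line}   [deleted: {entry}]")
```
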

3.2.2.3 License Impact

The license can still be used after the upgrade from V500R001C30SPC300 to V500R001C50.


3.2.2.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.

3.2.3 Impact of the Upgrade from V500R001C30SPC200

3.2.3.1 Impact of Feature Changes

New features
None

Modified features
No.: 1
Feature: HRP
Change description: HRP smooth upgrade.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 2
Feature: HRP
Change description: Enhanced reliability of the HRP command backup mechanism.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 3
Feature: Reliability
Change description: Interface shutdown triggered when the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 4
Feature: CF card
Change description: CF card failure alarm.
Cause: The function is enhanced.
Impact of the upgrade: None.


No.: 5
Feature: Security zone
Change description: Command added to check whether the detection function is enabled.
Cause: The function is enhanced.
Impact of the upgrade: None.

Deleted Features
None

3.2.3.2 Impact of Command Changes

New commands
Command: display firewall detect [ global | zone <zone-name> | interzone <source-zone-name> <destination-zone-name> ]
Description: Displays interzone configuration.
Impact: To display whether the detection function is enabled.

Command: [ undo ] firewall exceeded { session | cpu-usage | input-rate } enable
Description: Enables or disables the function of checking whether the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.
Impact: To enhance maintainability, so that interfaces can be shut down if the number of sessions, CPU usage, or interface traffic rate exceeds the threshold.

Command: [ undo ] firewall exceeded session shutdown interface [ interface-name | interface-type interface-number ] &<1-16>
Description: Disables the selected interface if the number of sessions exceeds the threshold.
Impact: To enhance maintainability, so that interfaces can be shut down if the number of sessions exceeds the threshold.

Command: [ undo ] firewall exceeded input-rate shutdown interface [ interface-name | interface-type interface-number ] &<1-16>
Description: Disables the selected interface if the interface traffic rate exceeds the threshold.
Impact: To enhance maintainability, so that interfaces can be shut down if the interface traffic rate exceeds the threshold.

Command: firewall exceeded cpu-usage threshold <integer<60-100>>
Description: Sets a threshold for the CPU usage.
Impact: To enhance maintainability, so that interfaces can be shut down if the CPU usage exceeds the threshold.

hrp base config enable Restores commands upon To enhance hot standby
enhanced startup. reliability.


Modified features
None

Deleted commands
None

3.2.3.3 License Impact

The license can still be used after the upgrade from V500R001C30SPC200 to
V500R001C30SPC300.

3.2.3.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC200 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.

3.2.4 Impact of the Upgrade from V500R001C30SPC100

3.2.4.1 Impact of Feature Changes

New features
None


Modified features
No.: 1
Feature: Hardware
Change description: Added 600G hard disks for 1 U firewalls.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 2
Feature: DHCP
Change description: Added the DHCPv6 Server function.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 3
Feature: WLAN
Change description: Added the 802.1x authentication function.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 4
Feature: WLAN
Change description: Added the WMM, priority mapping, user isolation, and 802.1x authentication functions.
Cause: The function is enhanced.
Impact of the upgrade: None.

No.: 5
Feature: User and User Authentication
Change description: Added the WMM, priority mapping, user isolation, and 802.1x authentication functions.
Cause: The function is enhanced.
Impact of the upgrade: None.

Deleted Features
None

3.2.4.2 Impact of Command Changes

Table 3-6 New commands


Command: display ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: display ipsec fpath statistics [ slot <slotid> cpu <cpu-id> ]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics
Description: Displays IPsec data plane related statistics.
Impact: Added an IPsec debugging command.

Command: reset ipsec fpath statistics [ slot <slotid> cpu <cpu-id> ]
Description: Displays IPsec data plane related statistics on a CPU.
Impact: Added an IPsec debugging command.


Command: display ipsec share-flow hash-table statistics
Description: Displays share-flow statistics in the data plane hash table.
Impact: Added an IPsec debugging command.

Command: display ipsec share-flow hash-table statistics [ slot <slotid> cpu <cpu-id> ]
Description: Displays share-flow statistics in the data plane hash table on a CPU.
Impact: Added an IPsec debugging command.

Command: [ undo ] security-policy statistic enable
Description: Enables or disables the function of collecting statistics on the number of packets and bytes that match security policies.
Impact: Added a function that allows you to view the statistics through MIB.

Command: reset security-policy statistic
Description: Clears statistics on the number of packets and bytes that match security policies.
Impact: Added a function that allows you to view the statistics through MIB.

Command: sync-address
Description: Specifies the IP address range in online user information synchronization on the TSM server.
Impact: Added a function that specifies the source IP address range in online user information synchronization on the TSM server. Only users whose source IP addresses are within the range can trigger the query.

Command: user-manage server-sync tsm
Description: Accesses the online user information synchronization view of the TSM SSO server.
Impact: Added a function.

Command: user-manage xff-parse proxy-ip
Description: Configures the function of user management and control by parsing the x-forwarded-for field in HTTP proxy scenarios.
Impact: Added a function, which must be enabled for security management and control over users that access the Internet through the HTTP proxy server. The device parses the x-forwarded-for field in HTTP packets to obtain users' actual IP addresses. If the proxy server does not support this field, the management and control cannot be implemented.

Command: tsm server-sync enable/disable
Description: Enables or disables online user information synchronization on the TSM server.
Impact: Added a function.


Command: display user-manage server-sync-config
Description: Displays configuration information of online user information synchronization on the TSM server, including the function status, query packet sending rate, source IP address range of the query, and destination server IP address of the query.
Impact: Added a function.

Command: sync-rate
Description: Specifies the packet rate in online user information synchronization on the TSM server.
Impact: Added a function. The firewall sends query packets that contain users' IP addresses to the TSM server controller. If IP addresses contained in the packets are already online after the server receives the packets, TSM SSO login messages are returned to the firewall. In this way, online user entries on the firewall and server are synchronized. To prevent query packets from overloading the server and compromising the server performance, you need to configure the query rate.

Command: user-manage clear-invalid-users
Description: Configures daily or weekly deletion of invalid users.
Impact: Added a function.

Command: [ undo ] api netconf validate
Description: Enables the verification function.
Impact: The verification function is originally enabled by default, compromising the performance. Therefore, it is modified to be disabled by default. You can use this command to enable it again.

Command: firewall defend tcp split-handshake-spoof enable
Description: Enables the function of defending against split handshake spoofing attacks.
Impact: Added a function. After this function is enabled, the firewall can block TCP split handshake spoofing attacks, defend against malicious data injection, and discard SYN packets with data.


Command: display self-diagnose information assert { all | { slot <integer<1-16>> cpu <integer<0-3>> } }
Description: Displays assertion records.
Impact: Added a function that displays the location and number of times an assertion is printed. The black box records identical assertions only once.

Command: display im rule
Description: Enhances the maintainability of QQ requirements so that you can view QQ rules that are currently loaded.
Impact: Added a function that allows you to view QQ rules in the diagnose view.

Command: ssh server dh-exchange min-len
Description: Specifies the minimum DH length supported by the server when SSH uses the dh_exchange key exchange algorithm.
Impact: Enhanced the existing function.

Table 3-7 Modified commands


Original command: display firewall session aging-time
New command: display firewall session aging-time
Change description: Changed the default aging time of SQLNET from 600 seconds to 14400 seconds.
Impact of the upgrade: After the upgrade, SQLNET sessions are persistent sessions whose default aging time is 14400 seconds. When the number of persistent connections exceeds 1/3 of the session specification, their aging time is automatically changed to that of common TCP sessions.


Original command: snmp-agent session history-max-number enable [ interval interval ]
New command: snmp-agent session history-max-number enable [ interval interval ]
Change description:
- Modified the buildrun configuration so that buildrun is not enabled by default and is enabled only after the undo command is executed.
- Modified the help information, in which the default interval is one minute.
Impact of the upgrade: After the upgrade, buildrun is not enabled by default.

Original command: undo os
New command: undo os [ windows | android | unix-like | ios | other ]
Change description: Enhanced the existing function so that one piece of system information can be deleted.
Impact of the upgrade: None.

Original command: undo severity
New command: undo severity [ high | low | medium | information ]
Change description: Enhanced the existing function so that one piece of severity information can be deleted.
Impact of the upgrade: None.

Original command: ftp-detect
New command: ftp-detect
Change description: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.
Impact of the upgrade: Before: If no response action is configured for one time, the action configured last time is used. After: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.


Original command: smb-detect
New command: smb-detect
Change description: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.
Impact of the upgrade: Before: If no response action is configured for one time, the action configured last time is used. After: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.

Original command: http-detect
New command: http-detect
Change description: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.
Impact of the upgrade: Before: If no response action is configured for one time, the action configured last time is used. After: If no response action is configured for one time, the action configured last time is used. If no action is ever configured, the default value block is used.

Original command: file-frame web-reputation enable
New command: file-frame web-reputation enable
Change description: Changed the command view from the diagnose view to system view.
Impact of the upgrade: None.

Original command: undo file-frame web-reputation add white-host all
New command: undo file-frame web-reputation add white-host
Change description: Deleted keyword all.
Impact of the upgrade: None.

Original command: display gpm method
New command: display gpm method
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.

Original command: display gpm flow
New command: display gpm flow
Change description: Modified the output of the display gpm method command.
Impact of the upgrade: None.


Original command: resource-item-limit user reserved-number user-reserved-number
New command: resource-item-limit user reserved-number user-reserved-number
Change description: Increased the specification on the number of users supported by the firewall in response to JD.com requirements.
Impact of the upgrade: The specification on the number of users supported by the firewall is increased, with no impact on the upgrade.

Original command: resource-item-limit user-group reserved-number user-group-reserved-number
New command: resource-item-limit user-group reserved-number user-group-reserved-number
Change description: Increased the specification on the number of user groups supported by the firewall in response to JD.com requirements.
Impact of the upgrade: The specification on the number of user groups supported by the firewall is increased, with no impact on the upgrade.

Original command: resource-item-limit online-user { [ reserved-number online-user-reserved-number ] | [ maximum online-user-maximum ] } *
New command: resource-item-limit online-user { [ reserved-number online-user-reserved-number ] | [ maximum online-user-maximum ] } *
Change description: Increased the specification on the number of online users supported by the firewall in response to JD.com requirements.
Impact of the upgrade: The specification on the number of online users supported by the firewall is increased, with no impact on the upgrade.

Original command: portal-type access [ time-out time | online-limit number ] *
New command: portal-type access [ time-out time | online-limit number ] *
Change description: Increased the specification on the number of local users supported by the firewall in response to JD.com requirements. The default value is the maximum number of local users that the firewall supports.
Impact of the upgrade: The specification on the number of local users supported by the firewall is increased, with no impact on the upgrade.

Original command: display role { name STRING<1-64> | all }
New command: display role { name STRING<1-64> | all }
Change description: Changed the command view from all views to the AAA view.
Impact of the upgrade: None.


Original command: [ undo ] debugging api netconf { agent | server | transapi | ssh | no-validate }
New command: [ undo ] debugging api netconf { agent | server | transapi | ssh }
Change description: Deleted keyword no-validate, which is used to disable the verification function.
Impact of the upgrade: The verification function is originally enabled by default, compromising the performance. Therefore, it is modified to be disabled by default. You can use the newly added [undo] api netconf validate command to enable it again.


Original command: display spu Interlaken statistics slot integer<1-16> cpu integer<0-3>
New command: display spu Interlaken statistics slot integer<1-16> cpu integer<0-3>
Change description: Added the display of statistics on discarded packets at the spu interlaken and rgmii interfaces.
Impact of the upgrade:
u64ErrCnt_PktMal: 0 // Number of malformed packets
u64ErrCnt_PktStart: 0 // Number of packets with invalid start addresses
u64ErrCnt_PrepaCmd: 0 // Number of packets with failed packet sending command words
u64ErrCnt_SendFail: 0 // Number of packets that fail to be sent
u64ErrCnt_WqeCheck: 0 // Number of error packets parsed from WQE
u64ErrCnt_WqebufNull: 0 // Number of packets with empty WQE buf
u64ErrCnt_DatBlkNull: 0 // Number of packets whose second block is empty
u64ErrCnt_PktViraddNull: 0 // Number of packets with empty virtual addresses
u64ErrCnt_PkiOpcode[0x1]: 1 // Number of packets with error code 1.

Deleted commands
None.

3.2.4.3 License Impact

The license can still be used after the upgrade from V500R001C30SPC100 to
V500R001C50SPC100.


3.2.4.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C30SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration regarding the sensitive feature component does not take effect. In this case, you must leave the configuration unsaved and restart the device. Then, the device will load and save the configuration to restore services.

3.2.5 Impact of the Upgrade from V500R001C20SPC300

3.2.5.1 Impact of Feature Changes

Change Description of Important Features

V500R001C20SPC300: In mail audit logs, attachment names are separated using commas or spaces.
V500R001C30SPC100: In mail audit logs, attachment names are separated using slashes (/).

V500R001C20SPC300: Firewalls cannot be directly upgraded to the cloud management mode through USB flash drive using a specific field.
V500R001C30SPC100: The function is enhanced. The RUNMODE field is added to the index file for the upgrade through USB flash drive. Firewalls can be directly upgraded to the cloud management mode through this field.

V500R001C20SPC300: The [undo] traffic-policy bandwidth force statistic enable command enables or disables the traffic policy statistics function. By default, the function is enabled.
V500R001C30SPC100: The default state is changed from enabled to disabled for high-end firewalls. The default state is still enabled for low-end and mid-range firewalls.

V500R001C20SPC300: The [undo] firewall packet-filter basic-protocol enable command enables or disables security policy control for BGP, LDP, BFD, and OSPF unicast packets. By default, the function is enabled.
V500R001C30SPC100: The default state of this command is changed from enabled to disabled.


V500R001C20SPC300: When user management uses the SSL protocol, the cipher list supports low-, medium-, and high-length encryption algorithms.
V500R001C30SPC100: When user management uses the SSL protocol, the cipher list supports medium- and high-length encryption algorithms.

V500R001C20SPC300: Static mapping deletion on the MIB deletes all static mappings configured on the device.
V500R001C30SPC100: Only static mappings that are not referenced are deleted.

V500R001C20SPC300:
  audit-policy
  interzone trust untrust outbound policy 1
  action audit
  Session log sending is controlled through audit policies.
V500R001C30SPC100:
  security-policy
  rule name 1
  session logging
  Session logs are controlled through security policies.

For detailed change information, see HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Release Notes.

3.2.5.2 Impact of Command Changes

Table 3-8 Modified commands


Original command: firewall ipv6 session create-rate log threshold threshold-value
New command: firewall ipv6 session create-rate log threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for new IPv6 sessions. In the target version, threshold-value specifies the ratio threshold of new IPv6 sessions. The ratio is a percentage of new IPv6 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by new IPv6 session specification for a single CPU.


Original command: firewall ipv6 session total-number log threshold threshold-value
New command: firewall ipv6 session total-number log threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for concurrent IPv6 sessions. In the target version, threshold-value specifies the ratio threshold of concurrent IPv6 sessions. The ratio is a percentage of concurrent IPv6 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by concurrent IPv6 session specification for a single CPU.

Original command: snmp-agent session trap threshold threshold-value
New command: snmp-agent session trap threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for new IPv4 sessions. In the target version, threshold-value specifies the ratio threshold of new IPv4 sessions. The ratio is a percentage of new IPv4 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by new IPv4 session specification for a single CPU.

Original command: snmp-agent session-rate trap threshold threshold-value
New command: snmp-agent session-rate trap threshold INTEGER<1-100>
Change description: In the source version, threshold-value specifies the alarm threshold for concurrent IPv4 sessions. In the target version, threshold-value specifies the ratio threshold of concurrent IPv4 sessions. The ratio is a percentage of concurrent IPv4 session specification for a single CPU.
Impact of the upgrade: If threshold-value ranges from 1 to 100 in the source version, the value directly serves as the ratio in the target version. If threshold-value is greater than 100 in the source version, the alarm threshold in the target version is threshold-value divided by concurrent IPv4 session specification for a single CPU.


Original command: firewall mac-binding x.x.x.x h-h-h [ vpn-instance string<1-31> ] [ vid integer<1-4094> ]
New command:
  firewall mac-binding x.x.x.x h-h-h [ vpn-instance string<1-31> ] [ vid integer<1-4094> ] [ description <description> ]
  undo firewall mac-binding x.x.x.x [ description ] [ vpn-instance string<1-31> ]
Change description: The IP-MAC binding description is added.
Impact of the upgrade: None.

Original command: undo period-range { all | <start-time> to <end-time><weekday>&<17>
New command: undo period-range { all | <start-time> to <end-time>[<weekday>]&<17>
Change description: The undo command is added to delete a specified time range. This command does not affect existing commands.
Impact of the upgrade: None.

Original command: display log state
New command: display log state
Change description: The command line remains unchanged, but the command output changes. The status of the function of sending logs during a specified period and the last sending time are added.
Impact of the upgrade: None.

Original command: [undo] license hrp-alert enable
New command: [undo] hrp check license enable
Change description: The keywords of the command are changed.
Impact of the upgrade: None.

Original command: display license
New command: display license
Change description: The command output changes as follows:
  - Device ESN preferentially displays the ESN of the slave MPU. If there is no slave MPU, the ESN of the master MPU is displayed.
  - The License ESN field is changed to License file ESN, which still displays the ESN in the license file.
Impact of the upgrade: Before the change, Device ESN displays the ESN of the master MPU. After the change, Device ESN preferentially displays the ESN of the slave MPU. If there is no slave MPU, the ESN of the master MPU is displayed.


Original command: user-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 | sslv3 } *
New command: user-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 } *
Change description: The keyword sslv3 is deleted. By default, TLS1.1 and TLS1.2 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS1.1 and TLS1.2.

Original command: web-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 | sslv3 } *
New command: web-manage security version { tlsv1 | tlsv1.1 | tlsv1.2 } *
Change description: The keyword sslv3 is deleted. By default, TLS1.1 and TLS1.2 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS1.1 and TLS1.2.

Original command: [undo] ssl version { tlsv10 | tlsv11 | tlsv12 | sslv3 }
New command: ssl version { tlsv10 | tlsv11 | tlsv12 }
Change description: The keyword sslv3 is deleted. By default, TLS11 and TLS12 are supported.
Impact of the upgrade: SSL3.0 is no longer supported. After a device enabled with SSL3.0 is upgraded, the restored default configuration is TLS11 and TLS12.

Original command: display firewall [ipv6] session statistics all-systems
New command: display firewall [ipv6] session statistics all-systems
Change description: The function is enhanced. The peak time of session creation and concurrent connections is added.
Impact of the upgrade: None.

Original command: display firewall session aging-time [ type { pre-defined | user-defined } ]
New command: display firewall session aging-time [ type { pre-defined | user-defined } [service-name] ]
Change description: The function is enhanced. The session aging time of a predefined or user-defined service set can be displayed.
Impact of the upgrade: None.

Original command: display diagnostic-information
New command: display diagnostic-information
Change description: The function is enhanced. In diagnosis information, the display interface brief, display ip interface brief, and display dp-assert 40 slot xxx commands are added, and the display interface brief main command is deleted.
Impact of the upgrade: None.


Original command:
  speed {10 | 100 | 1000}
  undo speed
  [undo] negotiation auto
  duplex { half | full }
  undo duplex
New command:
  speed {10 | 100 | 1000}
  undo speed
  [undo] negotiation auto
  duplex { half | full }
  undo duplex
Change description: The function is added. The negotiation mode, duplex mode, and rate can be set in the view of an Eth-Trunk member interface.
Impact of the upgrade: None.


Original command: file-type XXX (aapt profile view)
New command: file-type XXX
Change description:
  XXX in the original command specifies the type of files sent to the sandbox. The file type must be supported by the sandbox. A maximum of eight file types can be specified each time.
  Currently, the following types are supported: BAT, CLASS, PE32, MSI, HLP, HTM, HTML, JAR, DOC, RTF, XLS, PPT, PDF, SWF, CHM, MHT, VBS, JPG, PNG, GIF, BMP, TIF, DOCX, PPTX, PPS, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, MSG, and JS. If you set the all parameter, any type of files is matched.
  XXX in the new command specifies the type of files sent to the sandbox. The file type must be supported by the sandbox. A maximum of eight file types can be specified each time.
  Currently, the following types are supported: BAT, CLASS, PE32, MSI, HLP, HTML, JAR, DOC, RTF, XLS, PPT, PDF, SWF, CHM, MHT, VBS, JPG, PNG, GIF, BMP, TIF, DOCX, PPTX, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, JS. If you set the all parameter, any type of files is matched.
  Three unsupported file types are deleted: HTM, PPS, and MSG.
Impact of the upgrade: File types HTM, PPS, and MSG are no longer supported.

Original command: [undo] dataflow enable
New command: [undo] dataflow enable
Change description: The command scope is changed. The log sending function does not support virtualization. The command can be used only in the root system.
Impact of the upgrade: The virtual system configuration is the same as the root system configuration, and the function is not affected.

Original command: [undo] dataflow type { traffic [ ipv4 | ipv6 ] | url | content | policy | audit | mail-filtering | av | ips | bwt | aapt | ddos } enable
New command: [undo] dataflow type { traffic [ ipv4 | ipv6 ] | url | content | policy | audit | mail-filtering | av | ips | bwt | aapt | ddos } enable
Change description: The command scope is changed. The format setting of sent logs does not support virtualization. The command can be used only in the root system.
Impact of the upgrade: The virtual system configuration is the same as the root system configuration, and the function is not affected.
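
A pre-upgrade check of a saved configuration against the Table 3-8 changes (sslv3 keyword removal, the renamed HRP license command, removed sandbox file types, and the threshold-value reinterpretation), as an added example that is not part of the Huawei guide. The function names, the sample configuration, and the per-CPU specification figure are constructed for illustration; treating the quotient as a percentage is an assumption, because the guide does not state rounding or clamping.

```python
"""Pre-upgrade audit of saved configuration lines against Table 3-8 (added example)."""

# Command prefixes whose threshold-value changes meaning (Table 3-8).
THRESHOLD_CMDS = (
    "firewall ipv6 session create-rate log threshold",
    "firewall ipv6 session total-number log threshold",
    "snmp-agent session trap threshold",
    "snmp-agent session-rate trap threshold",
)
# Commands that lose the sslv3 keyword (Table 3-8).
SSL_VERSION_CMDS = (
    "user-manage security version",
    "web-manage security version",
    "ssl version",
)
REMOVED_FILE_TYPES = {"HTM", "PPS", "MSG"}
OLD_HRP_CMD = "license hrp-alert enable"
NEW_HRP_CMD = "hrp check license enable"


def estimated_ratio(value, per_cpu_spec):
    """Old threshold-value divided by the per-CPU session specification.

    Assumption: the quotient is expressed as a percentage; the guide does not
    state how the device rounds or clamps the result.
    """
    return value * 100 / per_cpu_spec


def audit_config(text, per_cpu_spec=None):
    """Return (line_no, kind, message) for each line the upgrade affects.

    per_cpu_spec maps a THRESHOLD_CMDS prefix to the model's per-CPU session
    specification. Those figures are not in the guide, so the caller supplies them.
    """
    per_cpu_spec = per_cpu_spec or {}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise indentation and spacing
        tokens = line.split()

        for cmd in SSL_VERSION_CMDS:
            if line.startswith(cmd + " ") and "sslv3" in tokens:
                findings.append((no, "sslv3-removed",
                                 "sslv3 keyword is deleted; the restored "
                                 "configuration is the default (TLS 1.1 and TLS 1.2)"))

        if line in (OLD_HRP_CMD, "undo " + OLD_HRP_CMD):
            findings.append((no, "renamed",
                             f"keywords change to '[undo] {NEW_HRP_CMD}'"))

        if tokens[:1] == ["file-type"]:
            gone = sorted(REMOVED_FILE_TYPES & {t.upper() for t in tokens[1:]})
            if gone:
                findings.append((no, "file-type-removed",
                                 "no longer supported: " + ", ".join(gone)))

        for cmd in THRESHOLD_CMDS:
            if not (line.startswith(cmd + " ") and tokens[-1].isdigit()):
                continue
            value = int(tokens[-1])
            if value <= 100:
                findings.append((no, "threshold-reinterpreted",
                                 f"{value} now serves directly as the ratio: "
                                 f"{value}% of the per-CPU specification"))
            elif cmd in per_cpu_spec:
                pct = estimated_ratio(value, per_cpu_spec[cmd])
                findings.append((no, "threshold-converted",
                                 f"{value} is divided by the per-CPU specification; "
                                 f"estimated ratio {pct:.1f}%"))
            else:
                findings.append((no, "threshold-converted",
                                 f"{value} is divided by the per-CPU specification; "
                                 "supply it to estimate the new ratio"))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
# constructed sample
web-manage security version tlsv1.1 tlsv1.2 sslv3
user-manage security version tlsv1.2
ssl version tlsv12
license hrp-alert enable
firewall ipv6 session create-rate log threshold 80
snmp-agent session trap threshold 50000
 file-type PE32 PDF MSG
"""

if __name__ == "__main__":
    # 200000 is a made-up per-CPU specification used only for illustration.
    spec = {"snmp-agent session trap threshold": 200000}
    for no, kind, msg in audit_config(SAMPLE_CONFIG, spec):
        print(f"line {no}: [{kind}] {msg}")
```

Thresholds of 100 or less deserve the closest review: the number is kept unchanged but is read as a percentage after the upgrade, so the alarm may fire at a very different load.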

3.2.5.3 License Impact

The license can still be used after the upgrade from V500R001C20SPC300 to
V500R001C30SPC100.

3.2.5.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC300 to V500R001C30SPC100. Otherwise, these features are unavailable.


NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

3.2.6 Impact of the Upgrade from V500R001C20SPC200

3.2.6.1 Impact of Feature Changes

Change Description of Important Features

Table 3-9 Change Description of security policy


V500R001C20SPC200: Packet discard logs caused by UNRs and PAT port conflicts are not generated.
V500R001C30: Packet discard logs caused by UNRs and PAT port conflicts are generated. The maintenance method is enhanced.

V500R001C20SPC200: SSL VPN virtualization scenarios are not supported.
V500R001C30: SSL VPN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported. Only low-end and mid-range models support SSL VPN.

V500R001C20SPC200: The VPN client cannot be separately upgraded and imported to the device.
V500R001C30: The VPN client can be separately upgraded and imported to the device. Only low-end and mid-range models support SSL VPN.

3.2.6.2 Impact of Command Changes


Table 3-10 New commands


Command: [ undo ] user-manage captive-bypass enable
Description: The captive-bypass function is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwloginsucceed
Description: The function of enabling and disabling administrator login success traps is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwloginfailed
Description: The function of enabling and disabling administrator login failure traps is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwlogoutsucceed
Description: The function of enabling and disabling administrator logout success traps is added.
Impact: None.

Command: snmp-agent trap enable feature-name manager trap-name hwlogoutfailed
Description: The function of enabling and disabling administrator logout failure traps is added.
Impact: None.

Command: display snmp-agent trap feature-name manager all
Description: All functions for enabling/disabling administrator-related traps are displayed.
Impact: None.

Command: file download sftp X.X.X.X user-name password app file-name
Description: An app file is downloaded from an SFTP server.
Impact: None.

Command: user-manage delete app XXXX
Description: An app file is deleted.
Impact: None.

Command: [Huawei-diagnose]set emtest delaytime <0-48>
Description: The effective time of the delivery tag is set to 0 to 48 hours.
Impact: This command is used in the equipment phase and is ineffective when used by the customer.

Command: [Huawei-diagnose]display recodetime
Description: The time when the device sets the RTC is displayed.
Impact: None.

Command: display api call-home connection status
Description: This is a new northbound feature.
Impact: None.

Command: display api restconf configuration
Description: This is a new northbound feature.
Impact: None.

Command: display resource global-resource resource-item ipv6 { session | session-rate }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: display resource resource-usage vsys STRING<1-31> resource-item ipv6 { session | session-rate }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: display resource resource-usage resource-item ipv6 { session | session-rate }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: display api netconf session
Description: This is a new northbound feature.
Impact: None.

Command: display api netconf configuration
Description: This is a new northbound feature.
Impact: None.

Command: display api user privilege level
Description: This is a new northbound feature.
Impact: None.

Command: display notification-trap { success | fail }
Description: This is a new northbound feature.
Impact: None.

Command: clear notification-trap record
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging firewall defend ipcar { packet | event | error }
Description: The view of this command is changed from the cli_8f view to the shell view.
Impact: None.

Command: [ undo ] debugging api netconf { packet | event | error | all }
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging api restconf { all | packet | error | event }
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] user-manage captive-bypass enable
Description: This is a new command for commercial Wi-Fi.
Impact: None.

Command: undo firewall ipv6 import-flow public X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo v-gateway public-ip
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: undo v-gateway public-domain
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.


Command: undo v-gateway public ssl version
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: undo v-gateway public ssl ciphersuit
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: undo v-gateway public certificate-server
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: firewall ipv6 import-flow public X:X::X:X X:X::X:X vpn-instance STRING<1-31>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: user-manage delete app { all | STRING<1-256> }
Description: This is a new command for commercial Wi-Fi.
Impact: None.

Command: file download sftp [ source-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } ] STRING<1-20> STRING<1-31> PASSWORD<1-15> app STRING<1-64>
Description: This is a new function for app promotion.
Impact: None.

Command: api
Description: This is a new northbound feature.
Impact: None.

Command: dataflow local-store sftp-server X.X.X.X port INTEGER<1-65535>
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: dataflow local-store speed INTEGER<1-10000>
Description: The requirement for uploading logs during idle time is added.
Impact: None.


Command: dataflow local-store source-ip X.X.X.X
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: dataflow local-store { sftp | stream }
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: dataflow local-store user STRING<1-20> password PASSWORD<1-256>
Description: The requirement for uploading logs during idle time is added.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] private [ STRING<1-127> ]
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] public STRING<1-127>
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip new-port INTEGER<0-4294967295> [ new-domain STRING<1-127> ]
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public-ip X.X.X.X
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public-domain STRING<1-127>
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.


Command: v-gateway public ssl version { tlsv10 | tlsv11 | tlsv12 | sslv30 } *
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public ssl ciphersuit allciphersuit
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public ssl ciphersuit custom { aes256-sha | non-aes256-sha } { des-cbc3-sha | non-des-cbc3-sha } { rc4-sha | non-rc4-sha } { rc4-md5 | non-rc4-md5 } { aes128-sha | non-aes128-sha } { des-cbc-sha | non-des-cbc-sha }
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway public certificate-server STRING<1-64> enable
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: reset acl ipv6 counter { INTEGER<2000-2999> | INTEGER<3000-3999> | all }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo acl ipv6 { { [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } } | all }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: acl ipv6 [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> }
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] nat64 enable
Description: NAT64 supports new virtualization commands.
Impact: None.


Command: [ undo ] nat64 prefix X:X::X:X INTEGER<32-96>
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: [ undo ] nat64 static [ protocol icmp ] X:X::X:X X.X.X.X
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: [ undo ] nat64 static protocol { tcp | udp } X:X::X:X [ INTEGER<1-65535> ] X.X.X.X [ INTEGER<1-65535> ]
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: [ undo ] nat64 icmp need-frag enable
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: undo nat64 static all
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] private [ STRING<1-127> ] l
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip [ port INTEGER<1024-50000> ] public STRING<1-127> l
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: v-gateway STRING<1-15> public-ip new-port INTEGER<0-4294967295> [ new-domain STRING<1-127> ] l
Description: SVN virtualization scenarios (the virtual gateways in different virtual systems use the same IP address in the root system as their virtual gateway addresses) are supported.
Impact: None.

Command: display performance configuration
Description: The cloud management performance data report function is added.
Impact: None.

Command: display performance collection statistics
Description: The cloud management performance data report function is added.
Impact: None.


Command: display api restconf client
Description: This is a new northbound feature.
Impact: None.

Command: display api restconf client verbose
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging api netconf { agent | server | transapi | ssh | no-validate }
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] debugging ssl-vpn memory
Description: An SVN memory debugging command is added for fault location.
Impact: None.

Command: debugging dataplane nat nat-server [ number INTEGER<8-2048> ]
Description: A NAT Server debugging command is added in the diagnose view.
Impact: None.

Command: debugging ssl-vpn memory print
Description: An SVN memory debugging command is added for fault location.
Impact: None.

Command: undo debugging dataplane nat nat-server
Description: A NAT Server debugging command is added in the diagnose view.
Impact: None.

Command: [ undo ] nat64 enable
Description: NAT64 supports new virtualization commands.
Impact: None.

Command: undo resource-item-limit ipv6 session
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo resource-item-limit ipv6 session-rate
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: resource-item-limit ipv6 session reserved-number INTEGER<1-960000000> [ maximum { equal-to-reserved | unlimited | INTEGER<1-960000000> } ]
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: resource-item-limit ipv6 session-rate INTEGER<1-12000000>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] detect ipv6 { ftp | rtsp | sip }
Description: ASPF6 supports new virtualization commands.
Impact: None.

Command: [ undo ] public-ip destination match enable
Description: The public IP address matching function is added.
Impact: None.

Command: [ undo ] destination-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: [ undo ] destination-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] service protocol { icmpv6 | INTEGER<58-58> } [ icmpv6-type { INTEGER<0-255> { INTEGER<0-255> [ to INTEGER<0-255> ] } &<1-64> | STRING<1-32> } ]
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: destination-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] destination-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address range X:X::X:X X:X::X:X
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] source-address X:X::X:X INTEGER<1-128>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] service protocol { icmpv6 | INTEGER<58-58> } [ icmpv6-type { INTEGER<0-255> { INTEGER<0-255> [ to INTEGER<0-255> ] } &<1-64> | STRING<1-32> } ]
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] destination-address range X:X::X:X X:X::X:X
Description: NAT64 supports virtualization.
Impact: None.

Command: [ undo ] destination-address X:X::X:X INTEGER<1-128>
Description: NAT64 supports virtualization.
Impact: None.

Command: [ undo ] source-address range X:X::X:X X:X::X:X
Description: NAT64 supports virtualization.
Impact: None.


Command: [ undo ] source-address X:X::X:X INTEGER<1-128>
Description: NAT64 supports virtualization.
Impact: None.

Command: [ undo ] service protocol { icmpv6 | INTEGER<58-58> } [ icmpv6-type { INTEGER<0-255> { INTEGER<0-255> [ to INTEGER<0-255> ] } &<1-64> | STRING<1-32> } ]
Description: NAT64 supports virtualization.
Impact: None.

Command: nat-type nat64
Description: NAT64 supports virtualization.
Impact: None.

Command: rule [ INTEGER<0-4294967294> ] { permit | deny } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ logging ] | [ time-range STRING<1-34> ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo rule INTEGER<0-4294967294> [ [ source ] | [ logging ] | [ time-range ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo step
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo description
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: step INTEGER<1-20>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: description TEXT0
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: return
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { INTEGER<1-5> | INTEGER<7-16> | INTEGER<18-57> | ipv6 | gre | ospfv3 | INTEGER<59-255> | INTEGER<0-0> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { icmpv6 | INTEGER<58-58> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] | [ icmp6-type { INTEGER<0-255> INTEGER<0-255> | STRING<1-32> } ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { tcp | INTEGER<6-6> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] | [ source-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] | [ destination-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: rule [ INTEGER<0-4294967294> ] { permit | deny } { udp | INTEGER<17-17> } [ [ source { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ destination { X:X::X:X/M | any | X:X::X:X INTEGER<1-128> } ] | [ time-range STRING<1-34> ] | [ logging ] | [ source-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] | [ destination-port { STRING<1-32> STRING<1-32> | range STRING<1-32> STRING<1-32> } ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.


Command: undo rule INTEGER<0-4294967294> [ [ source ] | [ destination ] | [ icmp6-type ] | [ time-range ] | [ logging ] | [ source-port ] | [ destination-port ] ] *
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo step
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: undo description
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: step INTEGER<1-20>
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: description TEXT0
Description: IPv6 addresses are supported in virtual systems.
Impact: None.

Command: [ undo ] ssl-connection allow use public-parameter enable
Description: This command is added for SSL VPN virtualization.
Impact: None.

Command: health-check type { tcp | dns | radius } [ tx-interval INTEGER<3-10> | times INTEGER<2-10> | port INTEGER<0-65535> ] *
Description: The port parameter is added.
Impact: None.

Command: health-check type http [ tx-interval INTEGER<3-10> | times INTEGER<2-10> | req-url STRING<1-255> | ept-code INTEGER<0-4294967295> | port INTEGER<0-65535> ] *
Description: The req-url, ept-code, and port parameters are added.
Impact: None.

Command: undo vip X.X.X.X
Description: The virtual server IP address is deleted.
Impact: None.

Command: rule STRING<1-63> os version win10 sp ignore
Description: The Windows 10 operating system is added in the host check function to adapt to client requirements.
Impact: None.

Command: [ undo ] rule STRING<1-63> os version win10 logincheck enable
Description: The Windows 10 operating system is added in the host check function to adapt to client requirements.
Impact: None.

Command: undo api netconf port
Description: This is a new northbound feature.
Impact: None.


Command: undo api { http | https } enable
Description: This is a new northbound feature.
Impact: None.

Command: undo security server-certificate
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] api netconf enable
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] connection aging-time INTEGER<3-7200>
Description: This is a new northbound feature.
Impact: None.

Command: api netconf port INTEGER<830-50000>
Description: This is a new northbound feature.
Impact: None.

Command: api http [ port INTEGER<1025-50000> ] enable
Description: This is a new northbound feature.
Impact: None.

Command: api https [ port INTEGER<1025-50000> ] enable
Description: This is a new northbound feature.
Impact: None.

Command: api call-home host STRING<1-31> { domain STRING<1-64> | ip X.X.X.X } port INTEGER<1-65535> [ source-ip X.X.X.X ]
Description: This is a new northbound feature.
Impact: None.

Command: api user privilege level INTEGER<0-15>
Description: This is a new northbound feature.
Impact: None.

Command: undo api call-home host [ STRING<1-31> ]
Description: This is a new northbound feature.
Impact: None.

Command: undo api user privilege level
Description: This is a new northbound feature.
Impact: None.

Command: [ undo ] api call-home connect [ host STRING<1-31> ]
Description: This is a new northbound feature.
Impact: None.

Command: reset api call-home connect [ host STRING<1-31> ]
Description: This is a new northbound feature.
Impact: None.

Command: security server-certificate STRING<1-64>
Description: This is a new northbound feature.
Impact: None.

Command: security version { { sslv3 | tlsv1 | tlsv1.1 | tlsv1.2 } * | all }
Description: This is a new northbound feature.
Impact: None.

Command: return
Description: This is a new northbound feature.
Impact: None.


Table 3-11 Modified commands

Original Command: display manager-user service-type { ssh | telnet | web | terminal | ftp }
New Command: display manager-user service-type { ssh | telnet | web | terminal | ftp | api }
Change Description: This is a new northbound feature.
Impact of the Upgrade: None.

Original Command: [ undo ] debugging tcp-proxy [ adapter | session | ustack | http ] { packet | event | error | all }
New Command: [ undo ] debugging tcp-proxy [ adapter | ustack | http ] { packet | event | error | all }
Change Description: Session debugging commands are deleted.
Impact of the Upgrade: None.

Original Command: debugging bandwidth { all | error | packet | event | timer }
New Command: debugging bandwidth { all | error | packet | event | timer | netconf }
Change Description: This is a new northbound feature.
Impact of the Upgrade: None.

Original Command: undo debugging bandwidth { all | error | packet | event | timer }
New Command: undo debugging bandwidth { all | error | packet | event | timer | netconf }
Change Description: This is a new northbound feature.
Impact of the Upgrade: None.

Original Command: undo nat server { id INTEGER<0-40959> | name STRING<1-256> }
New Command: undo nat server { id INTEGER<0-40959> | name STRING<1-256> } [ unr-route ]
Change Description: NAT Server supports automatic delivery of new UNR command keywords.
Impact of the Upgrade: None.

Original Command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
New Command: undo report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change Description: The map keyword is added to control the enabling report.
Impact of the Upgrade: None.


Original Command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
New Command: undo report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change Description: The map keyword is added to control the enabling report.
Impact of the Upgrade: None.

Original Command: acl ipv6 { [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } } [ vpn-instance STRING<1-31> ]
New Command: acl ipv6 [ number ] { INTEGER<0-4294967295> | INTEGER<0-4294967295> } [ vpn-instance STRING<1-31> ]
Change Description: IPv6 addresses are supported in virtual systems.
Impact of the Upgrade: None.

Original Command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all } enable
New Command: report type threat-report item { threat-type | application | attacker | victim | threat-name | virus-name | defend | attacker-location | victim-location | all | map } enable
Change Description: The map keyword is added to control the enabling report.
Impact of the Upgrade: None.

Original Command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all } enable
New Command: report type traffic-report item { source-ip | destination-ip | application | application-category | application-sub-category | source-location | destination-location | address-type | all | map } enable
Change Description: The map keyword is added to control the enabling report.
Impact of the Upgrade: None.

Original Command: undo nat server { id INTEGER<0-40959> | name STRING<1-256> | all }
New Command: undo nat server { { id INTEGER<0-40959> | name STRING<1-256> } [ unr-route ] | all }
Change Description: NAT Server supports automatic delivery of new UNR command keywords.
Impact of the Upgrade: None.


Original Command: nat server STRING<1-256> [ INTEGER<0-40959> ] [ zone STRING<1-256> ] [ protocol STRING<1-4> ] global X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] inside X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] [ vrrp INTEGER<1-255> ] [ no-reverse ] [ description TEXT0 ]
New Command: nat server STRING<1-256> [ INTEGER<0-40959> ] [ zone STRING<1-256> ] [ protocol STRING<1-4> ] global X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] inside X.X.X.X [ X.X.X.X ] [ STRING<1-32> [ INTEGER<1-65535> ] ] [ vrrp INTEGER<1-255> ] [ no-reverse ] [ description TEXT0 ] [ unr-route ]
Change Description: NAT Server supports automatic delivery of new UNR command keywords.
Impact of the Upgrade: None.

Original Command: display cpu-usage history
New Command: display cpu-usage { history | core | task }
Change Description: The CPU core- and task-based methods for displaying the CPU usage are added.
Impact of the Upgrade: None.

Original Command: service-manage { http | https | ping | ssh | snmp | telnet | all } { permit | deny }
New Command: service-manage { http | https | ping | ssh | snmp | telnet | all | netconf } { permit | deny }
Change Description: This is a new northbound feature.
Impact of the Upgrade: None.

Original Command: service-manage { http | https | ping | ssh | telnet | all } { permit | deny }
New Command: service-manage { http | https | ping | ssh | telnet | all | netconf } { permit | deny }
Change Description: This is a new northbound feature.
Impact of the Upgrade: None.

Original Command: port-block-size INTEGER<8-4096> [ extended-times INTEGER<1-3> ]
New Command: port-block-size INTEGER<8-16384> { [ extended-times INTEGER<1-3> ] [ port-range INTEGER<256-65535> INTEGER<256-65535> ] }
Change Description: The CGN sub-functions are supported.
Impact of the Upgrade: None.


Original Command: service-type { web | ftp | terminal | telnet | ssh } *
New Command: service-type { api | web | ftp | terminal | telnet | ssh } *
Change Description: This is a new northbound feature.
Impact of the Upgrade: None.

Original Command: [ undo ] rule STRING<1-63> antivirus { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 21 | 22 }
New Command: [ undo ] rule STRING<1-63> antivirus { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 }
Change Description: Antivirus software is added in the host check function to adapt to client requirements.
Impact of the Upgrade: None.

Original Command: [ undo ] rule STRING<1-63> firewall { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 }
New Command: [ undo ] rule STRING<1-63> firewall { any | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 }
Change Description: Firewall software is added in the host check function to adapt to client requirements.
Impact of the Upgrade: None.

Table 3-12 Deleted commands

Command: [ undo ] debugging firewall defend ipcar { packet | event | error }
Description: The global view is changed to the user view.
Impact: None.

3.2.6.3 License Impact

The license can still be used after the upgrade from V500R001C20SPC200 to V500R001C30.

3.2.6.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC200 to V500R001C30. Otherwise, these features are unavailable.


NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

3.2.7 Impact of the Upgrade from V500R001C20SPC100

3.2.7.1 Impact of Feature Changes

Change Description of Important Features

Table 3-13 Change Description of security policy


V500R001C20SPC100: The firewall system statistics function is disabled by default.
V500R001C50SPC100: The default status of this function is changed from disabled to enabled.

V500R001C20SPC100: The root firewall does not have the worktime time range setting after the configuration is restored.
V500R001C50SPC100: Add the following default setting.
    time-range worktime period-range 08:00:00 to 18:00:00 working-day

For detailed change information, see HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100
Release Notes.

3.2.7.2 Impact of Command Changes


Table 3-14 Modified commands

Original Command: display link-group; link-group; link-group clean
New Command: display link-group; link-group; link-group clean
Change Description: The link-group function supports virtualization. Link-groups in the root system and virtual systems are independent.
Impact of the Upgrade: If the root system interface and a virtual system interface belong to one link-group, after the upgrade, the interfaces are no longer in the same link-group, and they are not associated. For example, if the root system interface is down, the virtual system interface will not go down. After the upgrade, the root system and virtual system are configured with separate link-groups. Do not configure the interfaces of different virtual systems in one link-group.

3.2.7.3 License Impact

The license can still be used after the upgrade from V500R001C20SPC100 to
V500R001C50SPC100.

3.2.7.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C20SPC100 to V500R001C50SPC100. Otherwise, these features are unavailable.


NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

3.2.8 Upgrade Impact from V500R001C00SPC500

3.2.8.1 Impact of Feature Changes

Change Description of Important Features

Table 3-15 Change Description of security policy


V500R001C00SPC500: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC500: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC500: Backup acceleration cannot be disabled on high-end devices.
V500R001C50SPC100: Backup acceleration can be disabled on high-end devices.
    undo policy accelerate standby enable.

V500R001C00SPC500: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.

V500R001C00SPC500: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.


V500R001C00SPC500: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported.
In the security policy view, run:
    [ undo ] device-classification device-category <device-category-name>
    [ undo ] device-classification device-group <device-category-name>
    [ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC500: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies.
If the live network uses BFD, but corresponding CFD rules are not configured in the security
policies, you need to allow the BFD sessions through in security policy rules. For example:
    [sys] ip service-set bfd type object
    [sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
    [sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
    [sys-object-service-set-bfd] quit
    [sys] security-policy
    [sys-policy-security] rule name allow_bfd
    [sys-policy-security-rule-allow_bfd] description BFD
    [sys-policy-security-rule-allow_bfd] service bfd
    [sys-policy-security-rule-allow_bfd] action permit

3.2.8.2 Impact of Command Changes


Table 3-16 Modified commands

Original Command: application name STRING<1-256> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
New Command: application name STRING<1-32>/<3-34> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
Description: The command is modified.
Impact of the Upgrade: None

Original Command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map X.X.X.X
New Command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map { X.X.X.X | weight-rule }
Description: A keyword is added.
Impact of the Upgrade: None

Original Command: server-certificate file-name
New Command: server-certificate file-name
Description: Certificate verification is added. If the certificate fails verification, the command cannot be delivered. The configuration will be lost after the upgrade.
Impact of the Upgrade: None

Table 3-17 Deleted commands

Command: url-filter [ blacklist-notification | userdefined-notification | predefined-notification | malicious-notification ]
Description: Pushed information is imported from or exported to files, and the command configuration is no longer supported.
Impact of the Upgrade: None

Command: [undo] firewall statistic fragment enable
Description: The function has been supported by firewall statistic system enable.
Impact of the Upgrade: This command is overwritten by a new command.

Command: [undo] firewall statistic throughput enable
Description: The function has been supported by firewall statistic system enable.
Impact of the Upgrade: This command is overwritten by a new command.


3.2.8.3 License Impact

The license can still be used after the upgrade from V500R001C00SPC500 to
V500R001C50SPC100.

3.2.8.4 Impact of Sensitive Features

Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC500 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

3.2.9 Upgrade Impact from V500R001C00SPC300

3.2.9.1 Impact of Feature Changes

Change Description of Important Features

Table 3-18 Change Description of security policy

V500R001C00SPC300: Security policy groups are not supported.
V500R001C50SPC100: Security policy groups are not supported.

V500R001C00SPC300: Setting the policy acceleration delay is not supported.
V500R001C50SPC100: [system] policy accelerate delay delay-time.

V500R001C00SPC300: Backup acceleration cannot be disabled on high-end devices.
V500R001C50SPC100: Backup acceleration can be disabled on high-end devices.
    undo policy accelerate standby enable.

V500R001C00SPC300: Layer-2 packet filtering based on MAC addresses is not supported.
V500R001C50SPC100: Layer-2 packet filtering based on MAC addresses is supported, and the MAC address can be configured as a policy matching condition.


V500R001C00SPC300: Domain name matching is not supported.
V500R001C50SPC100: Domain name matching is supported, and the address object in a policy can reference a domain name group as the match condition.

V500R001C00SPC300: Device type and access mode matching is not supported.
V500R001C50SPC100: Device type and access mode matching is supported.
In the security policy view, run:
    [ undo ] device-classification device-category <device-category-name>
    [ undo ] device-classification device-group <device-category-name>
    [ undo ] access-authentication { wireless-portal | wireless-8021x | wired-8021x | wired-portal }

V500R001C00SPC300: The BFD protocol of the firewall is not controlled by security policies.
V500R001C50SPC100: The BFD protocol of the firewall is controlled by security policies.
If the live network uses BFD, but corresponding CFD rules are not configured in the security
policies, you need to allow the BFD sessions through in security policy rules. For example:
    [sys] ip service-set bfd type object
    [sys-object-service-set-bfd] service 0 protocol udp source-port 0 to 65535 destination-port 3784
    [sys-object-service-set-bfd] service 1 protocol udp source-port 0 to 65535 destination-port 4784
    [sys-object-service-set-bfd] quit
    [sys] security-policy
    [sys-policy-security] rule name allow_bfd
    [sys-policy-security-rule-allow_bfd] description BFD
    [sys-policy-security-rule-allow_bfd] service bfd
    [sys-policy-security-rule-allow_bfd] action permit
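
The BFD rows of Table 3-15 and Table 3-18 mean that a device relying on BFD needs an explicit permit rule once security policies start controlling it. The following pre-upgrade check is an added example, not Huawei tooling: it scans an exported configuration for top-level bfd commands and reports which of UDP destination ports 3784 and 4784 no permit rule references through a service set. The saved-file layout, the bfd detection heuristic, the sample text and all function names are assumptions.

```python
import re

# UDP destination ports used by the guide's allow_bfd example.
BFD_PORTS = {3784, 4784}

# Constructed sample of an exported configuration. The layout (nested views
# indented by spaces, '#' between blocks) is an assumption about the saved file.
SAMPLE_CONFIG = """\
#
bfd
#
ip service-set bfd type object
 service 0 protocol udp source-port 0 to 65535 destination-port 3784
#
security-policy
 rule name allow_bfd
  description BFD
  service bfd
  action permit
 rule name block_telnet
  service telnet
  action deny
#
"""

SERVICE_RE = re.compile(
    r"service \d+ protocol udp\b.*?destination-port (\d+)(?: to (\d+))?")


def parse_config(text):
    """Return (uses_bfd, service_sets, rules) parsed from configuration text."""
    uses_bfd = False
    service_sets = {}   # set name -> BFD ports its UDP entries cover
    rules = []          # one dict per security-policy rule
    section = current_set = current_rule = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if not line[0].isspace():
            # An unindented command opens a new view.
            section = current_set = current_rule = None
            words = line.split()
            if words[0] == "bfd":
                # Assumption: BFD in use shows up as a top-level 'bfd' command.
                uses_bfd = True
            elif words[:2] == ["ip", "service-set"] and len(words) >= 3:
                section = "service-set"
                current_set = service_sets.setdefault(words[2], set())
            elif words[0] == "security-policy":
                section = "security-policy"
            continue
        body = line.strip()
        if section == "service-set":
            match = SERVICE_RE.match(body)
            if match:
                low = int(match.group(1))
                high = int(match.group(2) or low)
                current_set.update(p for p in BFD_PORTS if low <= p <= high)
        elif section == "security-policy":
            if body.startswith("rule name "):
                current_rule = {"name": body[len("rule name "):],
                                "services": [], "action": None}
                rules.append(current_rule)
            elif current_rule is not None:
                if body.startswith("service "):
                    current_rule["services"].extend(body.split()[1:])
                elif body.startswith("action "):
                    current_rule["action"] = body.split()[1]
    return uses_bfd, service_sets, rules


def bfd_ports_missing(text):
    """Return the BFD ports that no permit rule covers via a service set.

    An empty set means either BFD is not configured or both ports are covered.
    Permit rules without a service condition are not counted, because zone and
    address conditions may still exclude BFD peers; review those by hand.
    """
    uses_bfd, service_sets, rules = parse_config(text)
    if not uses_bfd:
        return set()
    permitted = set()
    for rule in rules:
        if rule["action"] != "permit":
            continue
        for name in rule["services"]:
            permitted |= service_sets.get(name, set())
    return BFD_PORTS - permitted


if __name__ == "__main__":
    missing = bfd_ports_missing(SAMPLE_CONFIG)
    if missing:
        print("BFD ports without a permit rule:", sorted(missing))
    else:
        print("No BFD policy gap found")
```

Run it against the configuration file backed up before the upgrade; any port it reports needs a rule like the guide's allow_bfd example.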

3.2.9.2 Impact of Command Changes


Table 3-19 Modified commands

Original Command: application name STRING<1-256> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
New Command: application name STRING<1-32>/<3-34> cache type { acceleration aging-time INTEGER<1-60000> | multi-channel aging-time INTEGER<1-60000> }
Description: The name length of a predefined application is shortened.
Impact of the Upgrade: None

Original Command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map X.X.X.X
New Command: out-interface { STRING<1-256> STRING<1-256> | STRING<1-256> } map { X.X.X.X | weight-rule }
Description: A keyword is added.
Impact of the Upgrade: None

Original Command: server-certificate file-name
New Command: server-certificate file-name
Description: Certificate verification is added. If the certificate fails verification, the command cannot be delivered. The configuration will be lost after the upgrade.
Impact of the Upgrade: None

Table 3-20 Deleted commands

Command: url-filter [ blacklist-notification | userdefined-notification | predefined-notification | malicious-notification ]
Description: Pushed information is imported from or exported to files, and the command configuration is no longer supported.
Impact of the Upgrade: None

3.2.9.3 License Impact

The license can still be used after the upgrade from V500R001C00SPC300 to
V500R001C50SPC100.

3.2.9.4 Impact of Sensitive Features


Note that you must dynamically load the sensitive features after the upgrade from
V500R001C00SPC300 to V500R001C50SPC100. Otherwise, these features are unavailable.

NOTICE
- The sensitive feature component package to be loaded must be compatible with the system
  software.
- Sensitive features are license-controlled and unavailable by default. To use them, you must
  dynamically load them.
- After the upgrade, you must dynamically load these features.
- After the sensitive feature component package is loaded successfully, the configuration
  regarding the sensitive feature component does not take effect. In this case, you must leave
  the configuration unsaved and restart the device. Then, the device will load and save the
  configuration to restore services.

3.2.10 Other Upgrade Impacts


1. Impact on NLOG:

Table 3-21 NLog system difference description

| Version | Version | Whether Support the Upgrade to V500R001C50SPC100 | Difference from the Source Version |
|---|---|---|---|
| V500R001C00 | No | Yes | Difference from the Source Version |
| V500R001C20SPC100 | Yes | Yes | None |
| V500R001C20SPC200 | Yes | Yes | None |
| V500R001C20SPC300 | Yes | Yes | None |
| V500R001C30SPC100 | Yes | Yes | None |
| V500R001C30SPC200 | Yes | Yes | None |
| V500R001C30SPC300 | Yes | Yes | None |
| V500R001C50 | Yes | Yes | None |

Upgrade Description:


Upgrade with a hard disk:


i. Upgrade V500R001 to V500R001C50SPC100.
ii. After the device is started and the hard disk is online, run the update log
database command to update the log database.

NOTICE
1. After the manual update is complete, you can query history logs and reports, but
cannot roll back the system.
2. Manual update will overwrite the logs of the source version with new logs. Therefore,
you are advised to manually update the log database immediately after upgrading the
system software if the customer does not require version rollback.
3. The time and time zone after the upgrade must be correct.

2. Impact on MIB nodes:


Use the mapping MIB database.
3. Impact on mapping devices:
Upgrade the mapping devices or software to corresponding versions.

Table 3-22 Product version

| Product | Name | Version |
|---|---|---|
| Network management software (NMS) | eSight | V300R007C00 |
| FireHunter | FireHunter | V100R001C60 |
| Log system | LogCenter | V100R001C20SPC205 |
| Controller | Agile Controller-Campus | V200R003C20 |
| Controller | Agile Controller-DCN | V300R001C10 |
| Controller | Agile Controller-Cloud Manager | V200R002C00 |
| Policy Center | Policy Center | V100R003C10 |
| Inspection tool | eDesk | V100R001C00SPC300 |
| Configuration conversion tool | | V100R006C00B023 |

4. Impact on the signature databases:


After the software version is upgraded, you must upgrade the signature databases as well.


5. Impact on patch upgrade:

NOTICE
All patches cannot be upgraded.
The patch loading procedure is the same for hot-standby and single-device scenarios.
Whether the patch is first loaded to the active or standby device does not affect the patch
loading effect.

3.3 Upgrading Version Software in Single-System

3.3.1 Upgrade Schemes


When you upgrade the software version while the device is running, you must restart the
device to make the new software version take effect, which interrupts services.
When to restart the device for the upgrade depends on your requirements. Choose a suitable
upgrade time to minimize the impact on services.

Table 3-23 Update Mode

Update Mode: Web
Usage Scenario: When the device is running normally and carries service traffic, users familiar with graphical interfaces can use this mode for the upgrade.
Advantages: This mode applies to all upgrade scenarios. The GUI provides easy operation with visible effects and exerts minimal impacts on services.
Prerequisites: This mode applies to all upgrade scenarios. The GUI provides easy operation with visible effects and exerts minimal impacts on services.
Location in the Document: Upgrade Through Web


Update Mode: CLI (recommended)
Usage Scenario: When the device is running normally and carries service traffic, the CLI is recommended for the upgrade.
Advantages: All versions support this mode. The procedure is simple and exerts a small impact on services.
Prerequisites: The network must transmit upgrade files properly during the upgrade. The device needs to be configured as an FTP server, or a third-party FTP server program needs to be configured.
Location in the Document: Upgrade Through CLI

Update Mode: BootROM
Usage Scenario: When the device cannot be started or the version software is faulty, use this mode for the upgrade.
Advantages: When the device fails and loading system software fails, the upgrade can be performed only in this mode.
Prerequisites: The RS-232 cables are used to connect the serial port of the PC and Console port of the device. The network must transmit upgrade files properly, and therefore the third-party FTP server program is required.
Location in the Document: Appendix A: Upgrading System Software Using BootROM

3.3.2 Precautions

Precautions
During the upgrade, take the following precautions:
- Ensure the stable power supply during the upgrade and avoid power failures. If the
  device cannot start normally after a power failure, try to upgrade in BootROM mode. For
  details, see Appendix A: Upgrading System Software Using BootROM.
- The registration of boards takes a period of time. After the device is restarted, do not
  perform any operations until all the boards are registered. When you run the display
  device command to display the registration status of a board, Registered is displayed in
  the Register field and Normal is displayed in the Status field.

3.3.3 Upgrade Flow


Figure 1 shows the flow for upgrading to V500R001C50SPC100 from an earlier version.

Figure 3-1 Upgrade flowchart

NOTE

For details on how to upgrade the version software using BootROM, see Appendix A: Upgrading
System Software Using BootROM.

Table 1 lists the description of each step during the upgrade.

Table 3-24 Preparation before the upgrade

Category: Information collection

Item: Part information
Operation: Run the display device and display esn commands.
Objective: To collect hardware information including the BOM code.

Item: Version information
Operation: Run the display version command.
Objective:
  - To collect the software version information.
  - Check whether the associated NMS needs to be upgraded. If the NMS version does not match, do not perform the upgrade.

Item: License information
Operation: Run the display license command.
Objective: To collect the license information.


Category: Data backup

Item: Configuration file
Operation:
  - Web: Save the configuration file and export it to a local PC
  - CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used configuration file. It is recommended that the exported configuration file serve as the input for configuration conversion.

Item: Software version
Operation:
  - Web: Save the configuration file and export it to a local PC
  - CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used software package.

Item: License file (license.dat)
Operation: CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used license file.

Item: Patch file
Operation: CLI: Save the configuration file and export it to a local PC
Objective: To back up the currently used patch file.

Item: Sensitive Feature Component Packages
Operation: CLI: Save the configuration file and export it to a local PC
Objective: To back up the sensitive feature component files loaded in the system (upgrade from V500R001 or later versions).

Category: Upgrade preparation tool

Item: Configuration conversion tool
Operation: Obtaining Upgrade Files
Objective: To convert the source configuration files accordingly. This tool must be used to convert the configuration file during the upgrade from V100R001 to V500R001C50SPC100. V500R001C00 can be smoothly upgraded to V500R001C50SPC100 without requiring configuration conversion.

Item: V500R001C50SPC100 version software
Operation: Obtaining Upgrade Files
Objective: V500R001C50SPC100 version software

Item: (Optional) License file
Operation: Obtaining Upgrade Files
Objective: V500R001C50SPC100 license file


Item: (Optional) Sensitive feature component package
Operation: Downloading Sensitive Feature Component Packages
Objective: To download the sensitive feature component package.

Item: (Optional) Signature database update file
Operation: Obtaining Upgrade Files
Objective: To update the signature databases.

Category: Configuration analysis

Item: License file analysis
Operation: See license impact in Upgrade Impact
Objective: To analyze the display license command output and check whether the license file needs to be converted or merged according to the description in section License Impact.

Item: Configuration conversion analysis
Operation: See "Impact of Sensitive Features" in Upgrade Impact
Objective:
  - To search the configuration for sensitive features in V500R001 based on keywords in the current version according to section Impact of Sensitive features. These features are license-controlled in V500R001, and you must re-sign a contract with the customer for a new license file. You need to merge the new license file with the original one. The sensitive feature component package needs to be separately downloaded and loaded based on the license.
  - To obtain the sensitive feature component package.

Operation:
  - Web: Tool-based Configuration Conversion
  - CLI: Tool-based Configuration Conversion
Objective: To use the configuration conversion tool to convert the configuration.

Item: Importing files for the upgrade
Operation:
  - Web: Manual Configuration Conversion
  - CLI: Manual Configuration Conversion
Objective: To analyze the tool-based configuration conversion result and manually convert the commands that cannot be converted using the tool.


Operation:
  - Web: Configuration Verification
  - CLI: Configuration Verification
Objective: To verify the converted configuration on physical devices.

Operation:
  - Web: Importing Files for the Upgrade
  - CLI: Importing Files for the Upgrade
Objective:
  - To import the license file.
  - To import the configuration file.
  - To import the sensitive feature component package.
  - To specify the startup configuration file.

Category: Upgrade operations (operations performed after the device is isolated from the service environment)

Item: Upgrade to V500R001
Operation:
  - WEB: Upgrade to V500R001
  - CLI: Upgrade to V500R001
Objective:
  - Restart the device to complete the upgrade to V500R001.
  - To specify the startup configuration file.
  - To load the license file for V500R001 but do not save the configuration.

Category: Upgrade Verification

Item: Upgrade Verification
Operation:
  - WEB: Upgrade Result Verification
  - CLI: Upgrade Result Verification
Objective: Upgrade Result Verification.

Category: Version Rollback

Item: Version Rollback
Operation: Version Rollback
Objective:
  - To import backup data.
  - To specify the configuration file for the next startup.
  - (optional) To apply for the license of the source version and activate it.

3.3.4 Upgrade Through Web

3.3.4.1 Preparing for the upgrade


3.3.4.1.1 Preparing the Upgrade Environment

Prerequisites
To upgrade the system software using the Web UI, upload the system software to the CF card of
a properly operating NIP6300/6600, specify the system software to be used at the next
startup, and restart the NIP6300/6600.
This procedure assumes that you have already logged in to the device through the Web UI. If Web UI
login is not configured, log in to the NIP6300/6600 through the console port and
configure the Web environment. For configuration details, see Setting Up an Environment
for Upgrading System Software Using Web.
By default, the device allows an administrator to log in to the web UI using HTTPS.

NOTE

A network with two PCs is used as an example to simplify the description. You can also use a single PC
as both the Telnet/SSH client and the HTTPS client.

Preparing the Upgrade Tool


Prepare the following tools for the upgrade:
- Login tool
  Login tools help you log in to the device on the Web UI. This document uses the tool in
  Windows (Windows XP+SP2) as an example. The browser of the PC must meet any of
  the following requirements:
  - Internet Explorer: version 8.0 or later
  - Firefox (recommended): version 10.0 or later
  - Chrome: version 17.0 or later
- File comparison tool
  A file comparison tool is used to compare the configuration files before and after the
  upgrade. Use proven third-party tools, such as Beyond Compare.

Preparing the Upgrade Environment in Web Mode


As shown in Figure 1, the IPS Module is configured as the Web server and the version
software is located on PC2. On PC2, log in to the IPS Module using the browser and then
upload the version software to the CF card of the IPS Module through Web.


Figure 3-2 Schematic diagram of the IPS Module serving as the Web server

The Web service is enabled on the IPS Module by default. You can use the IP address
192.168.0.1 of interface GigabitEthernet 0/0/0 on the IPS Module and the default user name
admin and password Admin@123 to log in to the web UI of the IPS Module through HTTPS.
If you have disabled the Web service or deleted the default user, do as follows to reconfigure
the service.

NOTE

You can also use a single PC that runs both the Telnet/SSH client and the browser/FTP server. To
simplify the description, a network with two PCs is used as an example. The following steps apply to this
two-PC network.

Do as follows to configure the IPS Module as the Web server:

Procedure
Step 1 On PC1, log in to the CLI of the IPS Module through Telnet or SSH.
You are advised to use interface GigabitEthernet 0/0/0 on the IPS Module to log in. By
default, the IP address of interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is
admin, and the password is Admin@123.

Step 2 Enter the system view and start the Web service. Configure a user with user name webuser
and password Admin@1234 and the level of the Web user. You can use other user names and
passwords as required.
<IPS Module> system-view
[IPS Module] web-manager enable
[IPS Module] web-manager security enable port 8443
[IPS Module] aaa
[IPS Module-aaa] manager-user admin
[IPS Module-aaa-manager-user-admin] password cipher Admin@1234
[IPS Module-aaa-manager-user-admin] service-type web telnet ssh
[IPS Module-aaa-manager-user-admin] level 15
[IPS Module-aaa-manager-user-admin] quit
[IPS Module-aaa] quit
[IPS Module] interface GigabitEthernet0/0/0
[IPS Module-GigabitEthernet0/0/0] service-manage enable
[IPS Module-GigabitEthernet0/0/0] service-manage http permit
[IPS Module-GigabitEthernet0/0/0] service-manage https permit
[IPS Module-GigabitEthernet0/0/0] quit

Step 3 Log in to https://192.168.0.1 using Internet Explorer on PC2 to verify the configuration.

If the login page of the Web server is displayed in Internet Explorer and the login succeeds
with admin and Admin@1234, you can log in to the Web server normally.
After the configuration is verified, you can either keep this connection for further use, or log
out of the Web server and log in again when required.

----End

3.3.4.1.2 Obtaining Upgrade Files

Context
Obtain the following files for the upgrade:
1. System software file.
The file name extension is .bin. This document uses V500R001C50SPC100 (about
196,369,777 bytes, MD5: 83bfa0e68390f05b8812b7c884de1ece) as an example.
2. (Optional) License file
The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file
only if you need to apply for a license.
3. (Optional) Sensitive Feature Component Package
The file name extension is .mod. You can obtain the file from http://sec.huawei.com/sec.
If the device does not require any content security or the signature database can be
upgraded in online mode, the signature database file is not required.
4. (Optional) Local signature database file
The file name extension is .zip. You can obtain the file from http://sec.huawei.com/sec.
If the device does not require any content security or the signature database can be
upgraded in online mode, the signature database file is not required.
Save the files in the root directory (such as D:\Web) of PC2, which serves as the Web client.
You can specify another directory as required.
Obtain the following documents for reference during the upgrade. For example, to upgrade
to NIP6000&NIP6800&IPS Module V500R001C50SPC100, obtain the
following documents:
- HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation
- HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Release Notes

Procedure
Step 1 Access the home page of http://support.huawei.com/enterprise.

Step 2 If you are not a registered member of the website, perform Step 3 to register. If you are a
registered member, go to Step 4.
Step 3 Click Register and register as prompted. If the registration succeeds, you will receive your
user name and password.
Step 4 Enter the user name, password, and verification code. Then click Login.

Step 5 After login, choose Support > Software > Enterprise Networking > Security > Firewall &
VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.

----End
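
The size and MD5 value given above for the system software can be checked on PC2 before the file is uploaded, which catches a truncated or corrupted download. The following Python script is an added example, not part of the Huawei guide; the function names are illustrative, and the 48-character file name limit is taken from the upload step later in this guide.

```python
import hashlib
import os
import tempfile

# Size and MD5 printed in this guide for the V500R001C50SPC100 system software.
EXPECTED_SIZE = 196_369_777
EXPECTED_MD5 = "83bfa0e68390f05b8812b7c884de1ece"
MAX_NAME_LEN = 48  # file name limit from the upload NOTICE later in this guide


def check_system_software(path, expected_size=EXPECTED_SIZE, expected_md5=EXPECTED_MD5):
    """Return a list of problems; an empty list means the file is fit to upload."""
    problems = []
    name = os.path.basename(path)
    if not name.lower().endswith(".bin"):
        problems.append("extension is not .bin")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"file name has {len(name)} characters (limit {MAX_NAME_LEN})")

    size = os.path.getsize(path)
    if size != expected_size:
        problems.append(f"size is {size} bytes, expected {expected_size}")

    # Hash in 1 MiB chunks so the whole image is never held in memory at once.
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    if digest.hexdigest() != expected_md5.lower():
        problems.append(f"MD5 is {digest.hexdigest()}, expected {expected_md5}")
    return problems


def demo():
    """Run the check against a small constructed file (not a real image)."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "constructed-sample.bin")
        with open(path, "wb") as handle:
            handle.write(b"abc")
        # First against the constructed file's own size and MD5, then against
        # the values from this guide, which it cannot match.
        good = check_system_software(path, 3, "900150983cd24fb0d6963f7d28e17f72")
        bad = check_system_software(path)
        return good, bad


if __name__ == "__main__":
    ok, mismatches = demo()
    print("constructed file vs its own values:", ok or "OK")
    print("constructed file vs guide values:", mismatches)
```

The same size comparison applies after the upload, when the guide asks you to compare the size shown on the device with the size of the file on PC2.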

3.3.4.1.3 Downloading Content Security Component Packages

Context
Content security feature component packages are not released along with the software
package. You must access the security center website and load the packages in online mode,
or download and load them locally.

In V500R001C50SPC100, the following content security features compose the content
security component package: application behavior control, SSL decryption and URL
logging.

Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec. (Internet Explorer: version 8.0
or later or Firefox)

Step 2 Expand the IPS Module Series tab and select the product model and version, such as
V500R001C50.

Step 3 Select and download the component package. The component packages are as follows:

CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.

NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security
feature component packages.

----End

3.3.4.1.4 Querying the Current System Software


Context
This section assumes that you have logged in to the Web UI of the device from PC2.
On the Web UI, you can query the current system software and perform
subsequent operations.
After login, you can query the version information of the running system software in System
Information on the DashBoard page, as shown in figure 1. V500R001C50SPC100 is used as
an example.

Figure 3-3 Interface for displaying system information

Click Upgrade at the right side of Version, as shown in figure 2, to query the existing system
software. Record the system software file name for file backup.

Figure 3-4 System update


NOTE

The root directory of the CF card is hda1:/. You can use the system software on the CF card to start the
device.

3.3.4.1.5 Checking the Use of Licenses

Context
If no license-controlled function, such as a content security function (intrusion prevention/
anti-virus/pre-defined URL category query), is used, skip this section.

The licenses can be either commercial or non-commercial:
- Commercial license
  A commercial license is purchased under contract.
- Non-commercial license
  A non-commercial license is used for test only and is usually valid for three months.
After the version is upgraded to V5, the license validity also affects service
availability after the upgrade. Ensure that the current license is within its validity period.

Procedure
Step 1 Check information about the current license. You do not need to apply for another license if
the current license has not expired or no function needs to be added. After login, you can
query the license information in License Information on the DashBoard page, as shown in
figure 1:

Figure 3-5 License information

The preceding information is about an activated license file. Service Expire Time in the
figure indicates the expiry time of the IPS/AV signature database upgrade service or the URL
predefined category query service, not the expiry time of the license file.
Use the Notepad on the PC to open and check the license file. license.dat is used only as an
example. In practice, replace license.dat with the actual file name:
........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"

Comment=",,V544HUP32MUW-7W4A"

Sign=3694DA7AE8190BF77FC8D6A08689E64DCDC1CDB8AE70E625AF2490B755A828D1619795F892C
7708CCDD512AADC816D2C6074CEF5FCFB18305CC6FF87DC2E9E0F1F84C65511344DA2BB3C1F4BD92
B2EECEB8670DDC42DC83385D8DC36B8547638653FFC7CE27A1A09943936B79C3152D73C8C416583F
01B3413518B4B9110A53C9C673C1A56CE6C6FC70877DA393131A6161A4380CA0FF3FEE8E0982ADD3
5E53834F649BF1CC36F4AA6C8BAFE75582A2C5E0D22442F0E929A3A16CC876D2EA0B7932499718F3
2951238DB8BE8D6B31EEEB53CFC34646B2A48A884DEB9DE6569ACC3AA4CBE02214FAED74ACFA66C8
E3191930F53F941BDEED02A717F6154ABB6BC
........

Note the fields in bold of the Attrib attribute. COMM indicates a commercial license and
2014-06-04 indicates the expiry date of the license.

If the license expires, contact Huawei technical support personnel.

Step 2 Apply for a license file. For details on how to apply for a license file, see Appendix:
Applying for a License.

After you obtain the license file, save it in the same directory as the system software.

NOTICE
- Each license file corresponds to one equipment serial number (ESN).
- To successfully activate a license file, ensure that the name of the license file (including
  the complete absolute path) does not exceed 64 characters. It is recommended that the
  name of the license file be as short as possible and contain no spaces.

----End
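
The checks described in this section (the license type and expiry date in the Attrib field, and the 64-character limit on the license file name including its path) can be scripted. The following Python script is an added example, not part of the Huawei guide; it assumes the Key=Value layout of the excerpt above, interprets only the two Attrib fields that the guide explains, treats the license as valid through its expiry date, and uses a constructed sample with a shortened Sign value.

```python
import re
from datetime import date

# Constructed sample modelled on the excerpt in this guide (Sign shortened).
SAMPLE_LICENSE = """\
........
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2014-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Comment=",,V544HUP32MUW-7W4A"
Sign=3694DA7AE8190BF77FC8D6A08689E64DCDC1CDB8
AE70E625AF2490B755A828D1619795F8
........
"""

KEY_VALUE = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_license(text):
    """Parse Key=Value lines; a line without a key continues the previous value."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:
            continue  # blank line or the "........" elision marker
        match = KEY_VALUE.match(line)
        if match:
            last_key = match.group(1)
            # Split on the first "=" only: values such as LFWVSYS08=1 contain one.
            fields[last_key] = match.group(2).strip('"')
        elif last_key is not None:
            fields[last_key] += line  # wrapped value, e.g. the long Sign field
    return fields


def license_status(fields, today):
    """Interpret the first two Attrib fields as this guide describes them."""
    if "Attrib" not in fields:
        raise ValueError("license text has no Attrib field")
    parts = fields["Attrib"].split(",")
    expiry = date.fromisoformat(parts[1])
    return {
        "feature": fields.get("Feature"),
        "esn": fields.get("Esn"),
        "commercial": parts[0] == "COMM",
        "expiry": expiry,
        "days_left": (expiry - today).days,
        # Assumption: the license is still valid on the expiry date itself.
        "expired": today > expiry,
    }


def check_license_path(path):
    """Apply the NOTICE rules: at most 64 characters with the path, no spaces."""
    problems = []
    if len(path) > 64:
        problems.append(f"path has {len(path)} characters (limit 64)")
    if " " in path:
        problems.append("path contains spaces")
    return problems


if __name__ == "__main__":
    parsed = parse_license(SAMPLE_LICENSE)
    print(license_status(parsed, date.today()))
    print(check_license_path("hda1:/license.dat") or "path OK")
```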

3.3.4.1.6 Checking the Device Operating Status

Prerequisites
After you log in to the Web UI, check the device operating status on the Dashboard page.

Checking the CPU, Memory, and Storage Space Usage


View System Resource on the Dashboard page, as shown in figure 1:

Figure 3-6 Displaying device resource information


Checking System Information


View System Information on the Dashboard page, as shown in figure 2:

Figure 3-7 Displaying system information

Checking Device Status and Interface Traffic Information


View Device Information on the Dashboard page, as shown in figure 3:

Figure 3-8 Displaying the device status

View Traffic History on the Dashboard page, as shown in figure 4:


Figure 3-9 Displaying interface traffic statistics

Checking Alarms and Logs


View Alarm Information on the Dashboard page, as shown in figure 5:

Figure 3-10 Displaying alarm information

View Syslog List on the Dashboard page, as shown in figure 6:


Figure 3-11 Displaying system log information

3.3.4.1.7 Collecting Device Diagnosis Information

Context
The diagnosis information contains the output of multiple commonly-used display
commands. You can check the operating status of each device module.
On the Web UI, choose Monitor > Diagnosis Center > Diagnosis Infomation. Click Collect
to view device diagnosis information, as shown in figure 1. You can also save the diagnosis
information to a text file.


Figure 3-12 Information collecting

You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 2:

Figure 3-13 Displaying or exporting diagnosis information

3.3.4.1.8 Checking the Service Operating Status


Checking System Statistics


On the Web UI, choose Monitor > System Statistics to check system statistics as shown. By
viewing system statistics, you can learn about statistics on sessions and sent/received/
discarded packets of the system. You can use these statistics to determine whether services are
normal.

Figure 3-14 Displaying system statistics

3.3.4.1.9 Saving and Backing Up Important Data

Context
Important data includes the current system software, configuration file, license file, patch file,
diagnosis file, and signature file.

NOTE

The license file, signature file, and sensitive feature component package cannot be exported from the
web pages. See Performing the Upgrade Using the CLI.

On the Web UI, you can use One-Touch Version Upgrade to back up important data before
the upgrade.

Procedure
Step 1 Display the System Update page. On the Web UI, choose System > System Upgrade. On the
System Upgrade page, click One-Touch Version Upgrade, as shown in figure 1:


Figure 3-15 Displaying the System Update page

Step 2 Back up important data.

NOTICE
You need to save the configuration file before backing it up.

On the One-Touch Version Upgrade page, you can export alarms, logs, and configurations
and save configurations, as shown in figure 2.

Figure 3-16 Interface for displaying upgrade preparation

----End

3.3.4.1.10 Configuration Conversion


Manual Configuration Conversion

NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.

Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.

Convert the commands starting with **** according to NIP6000&NIP6800&IPS Module
V500R001C50SPC100 Command Manual Conversion Guide.

Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of the configuration must be consistent. If no verification
environment is available on site, you are advised to contact technical support engineers
for support.
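
The markers in the conversion result file can be listed automatically before the manual work starts. The following Python script is an added example, not part of the Huawei conversion tool; it assumes that # lines separate configuration blocks, as in the example above, reports each **** command together with its block, and lists the @@@@ commands separately so that their deletion can be confirmed with the customer.

```python
# Constructed sample: the conversion result shown in this guide, without the
# trailing "//" annotations.
SAMPLE_RESULT = """\
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
#
"""

MANUAL_MARK = "****"       # command that must be converted by hand
UNSUPPORTED_MARK = "@@@@"  # command not supported in V500R001, to be deleted


def triage_conversion_result(text):
    """Sort the marked commands of a conversion result into work lists."""
    manual, unsupported, kept = [], [], []
    block_head = None  # first command after the last "#" separator
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(UNSUPPORTED_MARK):
            unsupported.append((lineno, line[len(UNSUPPORTED_MARK):].strip()))
            continue  # left out of the cleaned copy
        if line.startswith(MANUAL_MARK):
            # Keep the marked line in place until it has been converted by hand.
            manual.append((lineno, block_head, line[len(MANUAL_MARK):].strip()))
        elif line == "#":
            block_head = None
        elif line and block_head is None:
            block_head = line
        kept.append(raw)
    return {
        "manual": manual,
        "unsupported": unsupported,
        "cleaned": "\n".join(kept) + "\n",
        "ready": not manual,  # False while any **** command remains
    }


def format_report(result):
    """Render the work lists as text for the upgrade record."""
    lines = ["Commands to convert manually:"]
    for lineno, block, command in result["manual"]:
        lines.append(f"  line {lineno} in [{block}]: {command}")
    lines.append("Unsupported commands (confirm deletion with the customer):")
    for lineno, command in result["unsupported"]:
        lines.append(f"  line {lineno}: {command}")
    lines.append("Ready to load: " + ("yes" if result["ready"] else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage_conversion_result(SAMPLE_RESULT)))
```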

3.3.4.1.11 Checking the Remaining Space of the CF Card

Checking the Remaining Space


On the One-Touch Version Upgrade page, the remaining space of the CF card is displayed,
as shown in figure 1. Ensure that the CF card has sufficient space to store the system software
to be upgraded.


Figure 3-17 Displaying the remaining space of the CF card

NOTICE
If the remaining available space of the CF card is insufficient during the one-touch version
upgrade, the system automatically deletes the running system software.

Deleting Unnecessary System Software Packages


If the remaining space of the CF card is smaller than the size of the target system software,
delete unnecessary files.
On the System Upgrade page, click Select. On the System Software Management page that
is displayed, select the unnecessary system software packages and click Delete, as shown in
figure 2:

Figure 3-18 Deleting unnecessary system software packages


NOTE

Because system software files (*.bin) are large, deleting unwanted system software frees a large
amount of space on the CF card. You can delete the software that is running.

3.3.4.2 Upgrade Flow

Context

Figure 3-19 Flowchart of the version software upgrade through the Web

Procedure
Step 1 On PC2, open Internet Explorer, access https://192.168.0.1, and enter user name admin
and password Admin@1234 to log in to the NGFW. User name admin and password
Admin@1234 are used as an example. You can set another user name and password as
required.
Step 2 Upload the system program.

NOTICE
Ensure that a configuration conversion tool is used to convert the original configuration file to
a configuration file applicable to the target version. For details, see Configuration
Conversion.
After the upload succeeds, the Configuration File Management page is displayed. The
available configuration files are listed on the page. Check whether the size of the uploaded
file in the list and the size of the file on PC2 are the same. If no, upload the file again.

1. Choose System > Configuration File Management. You can view configuration file
information in Current System Software and Next Startup System Software.


Figure 3-20 Viewing configuration file information

2. Click Select for the Next Startup System Software. The Configuration File
Management page is displayed. Click . The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.

Figure 3-21 Uploading the configuration file

3. Click Browse..., select the configuration file (must be a .cfg file or .zip file) to be
uploaded, and click Upload. The name of the file to be uploaded cannot be the same as
the name of any existing file in the CF card.

During the upload, do not close Internet Explorer.

Step 3 Specify the configuration file to be used for the next startup. On the Configuration File
Management page, click of the uploaded file and then click OK to specify the file as the
configuration file for the next startup.

Step 4 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.

Choose System > License Management and use Local Manual Activation to upload a
license file and activate it.

Step 5 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the
content security function.


If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100
Product Documentation.
Step 6 Upload the system software.
1. Choose System > System Upgrade. You can view system software information in
System Software.

Figure 3-22 Viewing system software information

2. Click Select for System Software. The System Software Management page is
displayed.
Click . The Upload File dialog box is displayed.
Delete unwanted files if the free space in the CF card is insufficient.
Upload a file.


Figure 3-23 Uploading a file

NOTICE
The name of the file to be uploaded cannot exceed 48 characters.
After the upload succeeds, the System Software Management page is displayed. The
corresponding files are listed on the page. Check whether the size of the uploaded file in
the list and the size of the file on PC2 are the same. If no, upload the file again.

3. Click Browse..., select the system software (must be a .bin file) to be uploaded, and click
Upload. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card.

During the upload, do not close Internet Explorer.

Step 7 If the file fails to be uploaded, the uploaded incomplete file cannot be deleted immediately.
Therefore, you need to delete the incomplete file after the device is restarted. Specify the
system software to be used for the next startup.

On the System Software Management page, click of the uploaded file and then click OK
to specify the file as system software for the next startup.

Step 8 Restart the NGFW.


NOTE

If the configuration file for the next startup is imported, restart the device without saving the running
configuration. Otherwise, the running configuration will overwrite the imported configuration.
If sensitive features are not involved, the upgrade to V500R001C50SPC100 is complete. Otherwise, go
to the next step.


Step 9 (Optional) Upgrade sensitive features.


NOTE

- Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
- Ensure that the device can access the security center directly or through a proxy server.
- Configure a security policy to permit HTTP and FTP packets when the device directly connects to
  the security center or permit HTTP packets when the device connects to the security center through a
  proxy server. For details, see the description of security policies and content security in
  NIP6000&NIP6800&IPS Module V500R001C50SPC100 Administrator Guide.
- Before executing the following online loading procedure, ensure that the DNS server address has
  been configured and the DNS server can correctly resolve http://sec.huawei.com.
- Upgrading V500R001 to V500R001C50SPC100
  URL component package
  install-module URLRMT_H50010000_yyy.mod next-startup
  Cloud sandbox component package
  install-module CSB_H50010000_yyy.mod next-startup

1. Move the pointer to on the lower right of the page and click to open
the CLI console. Click any space on the page. If the command prompt <sysname> is
displayed, you can perform configurations on the CLI.
2. After the loading in either local or online mode, run the display module-information
verbose command to view details on the dynamically loaded component package. The
following information is a part of the command output. If the State value is
INSTALL_OK, the component package has been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module        Version    InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup   1.0.0.0    2015-12-23 11:13:37+00:00  CSG_H50010000_2015123023.mod
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot  Type  State       Detail
------------------------------------------------------------------------
-     NP    INSTALL_OK  -
************************************************************************


NOTICE
If the configuration file for the next startup is imported, restart the device without
saving the running configuration. Otherwise, the running configuration will overwrite
the imported configuration.
For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file
is not imported, you are advised to save the current configurations before restarting
the device.

Step 10 Now, the upgrade to V500R001C50SPC100 is complete. The optional follow-up task is to
restore and test services.
----End

3.3.4.3 Upgrade Result Verification

Checking the Running Software Version


After the device is started, log in to the web UI, choose System > System Upgrade, and view
information about the running system version.
You can click Details to view detailed version information.
NOTE

If the login page fails to be displayed, clear the browser cache or use another browser.

Figure 3-24 Viewing the running system version

In System Software, you can view the running system version and the version for the next
startup.

Figure 3-25 Displaying the running system version and the version for the next startup

Choose System > Configuration File Management. You can view the running configuration
file and the configuration file for the next startup.

Figure 3-26 Displaying the running configuration file and the configuration file for the next
startup


Checking the License Status


You can query the license information in License Information on the DashBoard page. Skip
this step if no function requires a license.

Figure 3-27 Viewing the license information

Checking the Device Operating Status


After you log in to the web UI, check the device operating status on the Dashboard page.

Checking the CPU, Memory, and Storage Space Usage


View system resource information on the Dashboard page, as shown in figure 5.

Figure 3-28 Viewing the system resource information

Checking System Information


View system information on the Dashboard page, as shown in figure 6.


Figure 3-29 Viewing the system information

Checking Device Status and Interface Traffic Information


View device information on the Dashboard page, as shown in figure 7.

Figure 3-30 Viewing the device status

View interface traffic statistics on the Dashboard page, as shown in figure 8.


Figure 3-31 Viewing interface traffic statistics

Checking Alarms and Logs


View alarm information on the Dashboard page, as shown in figure 9.

Figure 3-32 Viewing alarm information

View system log information on the Dashboard page, as shown in figure 10.


Figure 3-33 Viewing system log information

Collecting Device Diagnosis Information


The diagnosis information contains the output of multiple commonly-used display
commands. You can check the operating status of each device module.

On the web UI, choose Monitor > Diagnosis Center > Diagnosis Info. Click Collect to view
device diagnosis information, as shown in figure 11. You can also save the diagnosis
information to a text file.

Figure 3-34 Collecting diagnosis information


You can either view the diagnosis information or export it for backup to facilitate subsequent
troubleshooting, as shown in figure 12.

Figure 3-35 Viewing or exporting diagnosis information

Checking Whether Configurations Are Recovered


After the system software is upgraded, compare the current configuration file with the
configuration file backed up before the upgrade is performed to check whether any
configuration is lost or modified.

You can also use Beyond Compare to compare the configuration files before and after the
upgrade.

Recover the configuration based on the check result or contact the technical support
personnel.
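
As a scripted alternative to a visual comparison, the two configuration files can be compared block by block, so that a block that only moved is not reported as a change. The following Python script is an added example, not part of the Huawei guide; it assumes that # lines separate configuration blocks, and the two sample configurations are constructed.

```python
import difflib

# Constructed samples: a configuration backed up before the upgrade and the
# configuration exported after it.
BEFORE = """\
#
sysname IPS
#
web-manager security enable port 8443
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage enable
 service-manage https permit
#
aaa
 manager-user admin
  level 15
#
"""

AFTER = """\
#
sysname IPS
#
aaa
 manager-user admin
  level 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage enable
#
"""


def split_blocks(text):
    """Split a configuration at '#' lines; key each block by its first command.

    Two blocks that start with the same command would share a key, so the
    later one wins; that is enough for a first-pass comparison.
    """
    blocks, current = {}, []
    for raw in text.splitlines() + ["#"]:
        line = raw.rstrip()
        if line.strip() == "#":
            if current:
                blocks[current[0].strip()] = current
            current = []
        elif line.strip():
            current.append(line)
    return blocks


def compare_configs(before, after):
    """Report blocks that were lost, added, or changed by the upgrade."""
    old, new = split_blocks(before), split_blocks(after)
    report = {
        "lost": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": {},
    }
    for head in sorted(set(old) & set(new)):
        if old[head] != new[head]:
            diff = list(difflib.unified_diff(old[head], new[head], "before",
                                             "after", n=0, lineterm=""))
            # Drop the two file header lines and the "@@" hunk markers.
            report["changed"][head] = [d for d in diff[2:] if not d.startswith("@@")]
    return report


if __name__ == "__main__":
    result = compare_configs(BEFORE, AFTER)
    print("lost blocks:   ", result["lost"])
    print("added blocks:  ", result["added"])
    for head, lines in result["changed"].items():
        print("changed block: ", head)
        for entry in lines:
            print("   ", entry)
```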

Checking Whether Services Are Normal


Check whether services run properly in either of the following ways:

- Compare the entries (such as routes, session entries, and FIB entries) before and after the
  upgrade to see if any entry is lost, and check whether the service traffic before and after
  the upgrade is identical.
- Consult the network administrator to check whether services are running properly.

3.3.5 Upgrade Through CLI

3.3.5.1 Preparations for the Upgrade

3.3.5.1.1 Obtaining Upgrade Files

Preparing the Upgrade Environment


When the device works properly, you can use the CLI to transfer the version software to the
storage media of the device, specify the version software for the next startup, and then restart
the device.
In the example, Telnet or SSH login parameters have been set, and you have logged in to the
CLI using Telnet or SSH. If Telnet or SSH login parameters are not set, log in to the device
from the console port and set the Telnet or SSH login parameters. For details, see
Appendix B: Establishing the Upgrade Environment Through the Console Port.

NOTE

You can use a single PC that runs both the Telnet/SSH client and the FTP client. For ease of
description, a network with two PCs is used as an example. The following steps apply to this
two-PC network.

Preparing Upgrade Tools


It is recommended that you prepare the following tools for upgrade:
- Login tool
Login tools help you log in to the device through the console port, Telnet, or SSH. This
document uses the tool in Windows as an example. In practice, it is recommended that
you use a legitimate third-party tool, for example, SecureCRT, to log the upgrade
operations in detail.
- File comparison tool
File comparison tools help you compare the configuration files before and after upgrade
for configuration loss. In practice, it is recommended that you use a legitimate
third-party tool, for example, Beyond Compare.

Obtaining Upgrade Files


Obtain the following files for the upgrade:
1. System software file.
The file name extension is .bin. This document uses
IPSModuleV500R001C50SPC100.bin (with about 196,369,777 bytes) as an example.
2. (Optional) License file
The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file
only if you need to apply for a license.
3. (Optional) Sensitive Feature Component Package
The file name extension is .mod. You can obtain the file from sec.huawei.com. If the
device does not require any content security or the signature database can be upgraded in
online mode, the signature database file is not required.
4. (Optional) Local signature database file
The file name extension is .zip. You can obtain the file from sec.huawei.com. If the
device does not require any content security or the signature database can be upgraded in
online mode, the signature database file is not required.

Procedure

1. Access the home page of http://support.huawei.com/enterprise.
2. If you are not a registered member of the website, perform step 3 to register. If you are a
registered member, go to step 4.
3. Click Register and register as prompted. If the registration succeeds, you will receive
your user name and password.
4. Enter the user name, password, and verification code. Then click Login.
5. After login, choose Support > Software > Enterprise Networking > Security >
Firewall & VPN Gateway. In the navigation tree, choose the corresponding version of
V500R001C50SPC100 to display the list of system software and documents. You can
download a file by clicking its file name.

Preparing the Environment for the Upgrade Through CLI


The key to the upgrade through the CLI is how to transfer the version software to CF card 1
of the IPS Module. Currently, the following modes are supported:

- FTP mode with the IPS Module as the FTP server
- FTP mode with the IPS Module as the FTP client
- TFTP mode with the IPS Module as the TFTP client
- SFTP mode with the IPS Module as the SFTP server

The following is an example in which the IPS Module functions as an FTP server. This
method is easy because it does not require a third-party FTP server. For details on other
modes, see Appendix C: Uploading and Downloading Files. You are advised to use SFTP
so that the file transfer is secured.

As shown in Figure 1, the IPS Module is configured as the FTP server and version software is
located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the
version software to CF card 1 of the IPS Module through FTP.

Figure 3-36 Schematic diagram of the IPS Module serving as the FTP server

Perform the following steps to configure the IPS Module as the FTP server:

Saving and Backing Up Important Data


1. Save the configuration file.
You must save the configuration file before each upgrade in case some configurations
that are not saved during device running are lost when the device is restarted. By default,
the configuration file is stored on the CF card. The default loading path is the
same as the saving path.
Detailed operations are as follows:
<NGFW> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the device......................
Info:The current configuration was saved to the device successfully.
<NGFW> dir
Directory of hda1:/
  0  drw-          -  Oct 08 2013 09:17:10  nlog_db
  1  drw-          -  Jul 31 2013 11:15:36  umdb
  2  -rw-       3247  Dec 13 2013 00:42:34  vrpcfg.zip
  3  -rw-       3151  Dec 07 2013 20:52:52  scep_ra.cer
  4  -rw-  194531064  Nov 29 2015 10:29:52  V500R001C00SPC300.bin
  5  -rw-     302167  Dec 12 2013 21:02:54  diagnostic-info.txt

1438376 KB total (861872 KB free)

2. Log in to the NGFW from PC2 using FTP.


This document uses the Windows FTP client as an example. In practice, you are advised
to use a proven third-party FTP client (such as Cute FTP) to transfer files.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

3. Set the file transfer mode. Set the directory for saving the backup files on PC2 to
D:\FTP\Backup. The folder must already exist. You can specify another directory as
required.
ftp> binary    //Run the binary command to specify file transmission in binary mode.
ftp> lcd "d:\FTP\Backup"    //Set the directory that stores the backup files on PC2.

NOTE

The binary mode is required for file integrity, especially in the Linux or Unix system.
4. Run the get remote-filename [local-filename] command to download the file and save it
to local directory D:\FTP\Backup.
For example, before the upgrade, download the existing version software (for example,
V500R001C00SPC300.bin), vrpcfg.zip, Sensitive Feature Component Packages
($_install_mod/*.mod), license.dat, and diagnosis file (for example, diagnostic-info.txt)
to PC2 for backup.
ftp> get vrpcfg.zip
ftp> get license.dat
ftp> get V500R001C00SPC300.bin
ftp> get diagnostic-info.txt
ftp> get av_h20010000_2013081700.zip    //Back up the antivirus signature database file of V500R001C00SPC300.bin to PC2.
ftp> get ips_h20010000_2013083100.zip    //Back up the intrusion prevention signature database file of V500R001C00SPC300.bin to PC2.
ftp> get sa_h50010000_2013111300.zip    //Back up the application identification signature database file of V500R001C00SPC300.bin to PC2.
ftp> cd $_install_mod
ftp> get CSG_H50010000.mod

After the download is complete, check whether the sizes of the files on PC2 are
consistent with those in the device. If not, re-download the files to ensure that they are
completely backed up to PC2.

Checking the Remaining Space


Based on the actual situation, run the dir hda1: command in the user view to check the
remaining space on the CF card. Ensure that the available space on the CF card is sufficient
for the version software to be upgraded.
<NGFW> dir hda1:
Directory of hda1:/
Idx Attr Size(Byte) Date Time FileName
0 drw- - Oct 08 2012 09:17:10 nlog_db
1 drw- - Jul 31 2012 11:15:36 umdb
2 -rw- 4351023 Aug 02 2012 15:15:10 autotest2.cfg
3 -rw- 8192 Dec 11 2012 23:31:58 userinfo.db
4 -rw- 3247 Dec 13 2012 00:42:34 vrpcfg.zip
5 -rw- 9747 Dec 05 2012 01:33:32 tete.cfg
6 -rw- 3151 Dec 07 2012 20:52:52 scep_ra.cer
7 -rw- 9394 Aug 08 2012 07:53:20 test1.cfg
8 drw- - Sep 25 2012 12:37:44 history
9 -rw- 1037 Nov 15 2012 00:11:52 offline.req
10 -rw- 168509595 Nov 16 2015 05:44:36 V500R001C00SPC300.bin
11 -rw- 608656 Nov 15 2012 07:54:00 url.sdb
12 -rw- 987 Nov 21 2012 05:27:26 certcrl.crl
13 -rw- 948 Nov 21 2012 05:49:24 ssl.req
14 -rw- 302167 Dec 12 2012 21:02:54 diagnostic-info.txt
1138376 KB total (1161872 KB free)

The value in parentheses on the last line of the output indicates the remaining space of the CF card.
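The two checks above (backup sizes match the device listing, and the CF card has room for the new image) can be scripted against captured dir output. This is an added example, not part of the guide: the function names and the sample listing are constructed, and 1 KB is assumed to be 1024 bytes.

```python
import os
import re

# Constructed sample in the shape of the "dir" output shown in this section.
SAMPLE_DIR = """\
Directory of hda1:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drw-              -  Oct 08 2013 09:17:10   nlog_db
    1  -rw-           3247  Dec 13 2013 00:42:34   vrpcfg.zip
    2  -rw-      194531064  Nov 29 2015 10:29:52   V500R001C00SPC300.bin
    3  -rw-         302167  Dec 12 2013 21:02:54   diagnostic-info.txt

1438376 KB total (861872 KB free)
"""

# One listing row: index, attributes, size (or "-"), date, time, file name.
ENTRY = re.compile(
    r"^\s*\d+\s+(?P<attr>[d-][rwx-]{3})\s+(?P<size>-|[\d,]+)\s+"
    r"\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(?P<name>\S.*?)\s*$"
)
SUMMARY = re.compile(r"([\d,]+)\s*KB total\s*\(([\d,]+)\s*KB free\)")


def _num(text):
    """Convert '2,375' or '3247' to an integer."""
    return int(text.replace(",", ""))


def parse_dir(listing):
    """Return ({file name: size in bytes}, free space in KB)."""
    files, free_kb = {}, None
    for line in listing.splitlines():
        entry = ENTRY.match(line)
        if entry:
            # Directories carry "-" instead of a size and are skipped.
            if entry["attr"].startswith("d") or entry["size"] == "-":
                continue
            files[entry["name"]] = _num(entry["size"])
            continue
        summary = SUMMARY.search(line)
        if summary:
            free_kb = _num(summary[2])
    if free_kb is None:
        raise ValueError("no 'KB total (... KB free)' line found")
    return files, free_kb


def has_room(free_kb, image_bytes, margin_kb=0):
    """True if the reported free space can hold an image of image_bytes."""
    needed_kb = -(-image_bytes // 1024) + margin_kb  # round up to whole KB
    return free_kb >= needed_kb


def size_mismatches(device_files, local_sizes):
    """Return {name: (size on device or None, local size)} for each local
    file that is missing from the device listing or differs in size."""
    return {
        name: (device_files.get(name), size)
        for name, size in sorted(local_sizes.items())
        if device_files.get(name) != size
    }


def local_sizes(directory, names):
    """Sizes of the named files in the backup directory on the PC."""
    return {n: os.path.getsize(os.path.join(directory, n)) for n in names}
```

Matching sizes only rule out a truncated transfer; they do not show that the contents are identical.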

Deleting Unnecessary Files


If the remaining space is smaller than the size of the target version software, delete
unnecessary files. In the user view, run the delete /unreserved hda1:/filename command to
delete unnecessary files from the CF card.
<NGFW> delete /unreserved hda1:/test1.cfg
The contents cannot be recycled!!! Delete hda1:/test1.cfg?[Y/N]:y
%Deleting file hda1:/test1.cfg...Done!

It takes a long time to delete the *.bin file. Please wait and do not restart the device.
Files are deleted and cannot be restored after the delete command with the /unreserved
parameter is executed. If the /unreserved parameter is not specified, the files are stored in the
recycle bin. To free space on the CF card, run the reset recycle-bin hda1: command to
empty the recycle bin.

NOTE

Because the version software (*.bin file) is large, deleting unwanted version software can release large
space on the CF card.
You cannot delete the software that is running.

3.3.5.1.2 Downloading Sensitive Feature Component Packages

Context
Content security feature component packages are not released along with the software
package. You must access the security center website and load the packages in online mode,
or download and load them locally.

In V500R001C50SPC100, the following content security features compose the content
security component package: application behavior control, SSL decryption and URL
logging.

Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec. (Internet Explorer: version 8.0
or later or Firefox)

Step 2 Expand the IPS Module Series tab and select the product model and version, such as
V500R001C50.

Step 3 Select and download the component package. The component packages are as follows:

CSG: content security component package, including the application behavior control, URL
logging and SSL decryption.

NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security
feature component packages.

----End

3.3.5.1.3 Configuration Conversion

Manual Configuration Conversion

NOTICE
Open the conversion result file, manually convert each command starting with ****, and
delete the commands starting with @@@@ because they are not supported in V500R001.

Here is an example:
profile type ips name ids
signature-set name default
action alert
**** os android | ios | unix-like | windows | other //This command must be manually converted.
target both
severity low medium high
protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
//Confirm with the customer to check whether these commands can be deleted.

Convert the commands starting with **** according to NIP6000&NIP6800&IPS Module
V500R001C50SPC100 Command Manual Conversion Guide.
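The marker convention above can be turned into a work list before anyone edits the file. This is an added example, not part of the guide or of the conversion tool: the function names are hypothetical, and the sample is constructed from the excerpt above with an assumed indentation.

```python
MANUAL = "****"       # command must be converted by hand
UNSUPPORTED = "@@@@"  # command not supported in V500R001, to be deleted

# Constructed sample modelled on the excerpt above (indentation is assumed).
SAMPLE_RESULT = """\
profile type ips name ids
 signature-set name default
  action alert
  **** os android | ios | unix-like | windows | other
  target both
  severity low medium high
  protocol all
#
@@@@ isp set filename CERNET.csv next-hop 202.112.41.177
@@@@ isp set filename china-educationnet.csv next-hop 202.112.41.177
@@@@ isp filename cernet_as4538.csv enable
"""


def triage(text):
    """Sort a conversion result file into work items.

    Returns (manual, unsupported, kept):
      manual      [(line number, enclosing views, command)] for **** lines
      unsupported [(line number, command)] for @@@@ lines
      kept        the file's lines with the @@@@ lines left out
    """
    manual, unsupported, kept = [], [], []
    views = []  # stack of (indent, command) for the enclosing views
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        body = line.lstrip()
        indent = len(line) - len(body)
        if body.startswith(UNSUPPORTED):
            unsupported.append((number, body[len(UNSUPPORTED):].strip()))
            continue  # left out of the cleaned output
        kept.append(line)
        if not body or body == "#":
            views.clear()  # '#' closes the current view
            continue
        while views and views[-1][0] >= indent:
            views.pop()
        if body.startswith(MANUAL):
            context = " / ".join(command for _, command in views)
            manual.append((number, context, body[len(MANUAL):].strip()))
        else:
            views.append((indent, body))
    return manual, unsupported, kept


def ready_to_load(text):
    """True only when no **** or @@@@ marker is left in the file."""
    return not any(
        line.lstrip().startswith((MANUAL, UNSUPPORTED))
        for line in text.splitlines()
    )


def report(text):
    """One line per item that still needs a human decision."""
    manual, unsupported, _ = triage(text)
    lines = [
        f"convert by hand, line {n}: {cmd} [in: {ctx or 'top level'}]"
        for n, ctx, cmd in manual
    ]
    lines += [f"confirm and delete, line {n}: {cmd}" for n, cmd in unsupported]
    return lines
```

The **** lines stay in the cleaned output on purpose, so ready_to_load keeps returning False until each one has been converted by hand.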

Context
It is strongly recommended that you load the converted configuration to a device, start the
device, save the configuration, export the configuration, and compare it with the original
configuration. The two copies of configuration must be consistent. If the verification
environment is unavailable on the site, you are advised to contact technical support engineers
for support.

3.3.5.2 Upgrade Flow

Context

Figure 3-37 Flowchart of the version software upgrade through the CLI

NOTE

FTP is used as an example. For SFTP file upload and download, see Device Serving as the SFTP
Server to Upload or Download Files Through SFTP.

Procedure
Step 1 Log in to the NGFW from PC2 using FTP. This document uses the Windows FTP client as an
example. In practice, you are advised to use a proven third-party FTP client (such as Cute
FTP) to transfer files.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

Step 2 Set the file transfer mode. Set the directory for saving upgrade-related files on PC2 to D:\FTP.
The folder must already exist. You can specify another directory as required.
ftp> binary    //Run the binary command to specify file transmission in binary mode.
ftp> lcd D:\FTP    //Set the directory that stores the files required for the upgrade on PC2.

Step 3 Run the put command to upload the IPSModuleV500R001C50SPC100.bin file to the CF card
of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
ftp> put D:\FTP\IPSModuleV500R001C50SPC100.bin

Depending on the network conditions, the upload of the version software may take some time.
Please wait. After the upload is complete, check whether the size of the file in the CF card is
consistent with that on PC2. If not, re-upload the file to ensure that the file is completely
uploaded to the CF card.

NOTICE
Convert the configuration file of the original version to that of V500R001C50SPC100. For
details, see Configuration Conversion.

Step 4 Run the put command to upload the configuration file that has been converted (for example,
vrpcfg_new.cfg) to the CF card of the NGFW. The name of the file to be uploaded cannot be
the same as the name of any existing file in the CF card. If a file with the same name already
exists in the CF card, the file is replaced by the uploaded file.
ftp> put D:\FTP\vrpcfg_new.cfg

After the upload is complete, check whether the size of the file in the CF card is consistent
with that on PC2. If not, re-upload the file to ensure that the file is completely uploaded to the
CF card.
Step 5 When the file upload is complete, exit the FTP environment. Log in to the CLI of the NGFW
through Telnet or SSH from PC1.
Step 6 In the user view, run the startup system-software filename command to specify the version
software for the next startup of the NGFW.
<NGFW> startup system-software IPSModuleV500R001C50SPC100.bin
Info:System software for the next startup:hda1:/IPSModuleV500R001C50SPC100.bin, start read file....
Succeeded in setting the software for booting system.

Step 7 In the user view, run the startup saved-configuration filename command to specify the
configuration file for the next startup of the NGFW as the uploaded file.
<NGFW> startup saved-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.

Step 8 (Optional) Upload and activate a new license file if required. Skip this step if no new license
file is required.
Run the put command to upload the new license file (for example, license_new.dat) to the CF
card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any
existing file in the CF card. If a file with the same name already exists in the CF card, the file
is replaced by the uploaded file.
Run the license file filename command in the system view to activate the license file.
[NGFW] license active license_new.dat
Info:License is successfully activated.

Step 9 (Optional) Update the signature databases of security functions.
Before upgrading the signature database, ensure that the activated license file contains the
content security function.
If the latest signature databases are not required, skip this step. The NGFW will automatically
load the default signature databases after startup.
If the latest signature database is required, you can upgrade the signature database in either
the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the
HUAWEI NIP6000&NIP6800&IPS Module V500R001C50SPC100 Product Documentation.
Step 10 (Optional) Upgrade content security features.
Run the put command to upload the content security feature component package (such as
CSG_H50010000_yyy.mod) of V500R001C50SPC100 to the $_install_mod folder in the CF
card of the IPS Module. The name of the file to be uploaded cannot be the same as the name
of any existing file in the CF card. If a file with the same name already exists in the CF card,
the file is replaced by the uploaded file.

NOTICE
- If no content security feature is involved, skip this step.
- Ensure that an activated license file is available. If the license file is not activated, the
upgrade fails.
- You must obtain the component package from the security center (http://sec.huawei.com)
in advance and upload it to the $_install_mod folder in the root directory. Then, load the
component package as follows:

Upgrading the content security feature component package applies to the following
scenarios:
- Upgrading V500R001 to V500R001C50SPC100.
install-module CSG_H50010000_yyy.mod next-startup

After the configuration is complete, run the display module-information verbose command
to view details on the dynamically loaded component package. The following information is a
part of the command output. If the State value is INSTALL_OK, the component package has
been successfully loaded.
<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module Version InstallTime PackageName
------------------------------------------------------------------------
ConSecGroup 1.0.0.0 2015-12-23 11:13:37+00:00 CSG_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -
************************************************************************
* URL Filter information , as follows: *
************************************************************************
Slot Type State Detail
------------------------------------------------------------------------
- NP INSTALL_OK -

Step 11 Restart the NGFW.

NOTICE
- If the configuration file for the next startup is imported, restart the device without saving
the running configuration. Otherwise, the running configuration will overwrite the
imported configuration.
- For the upgrade from V500R001 to V500R001C50SPC100, if the configuration file is not
imported, you are advised to save the current configurations before restarting the device.

<sysname> reboot fast

Now, the upgrade to V500R001C50SPC100 is complete. The optional follow-up task is to
restore and test services.

----End

3.3.5.3 Upgrade Result Verification

Checking the Information About the Current Version Software


After the device is started, log in to the CLI, and then run the display version command in
any view to check the current software version.
<sysname> display version
Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.160 (IPS Module V500R001C50SPC100)
Copyright (C) 2014-2015 Huawei Technologies Co., Ltd
IPS Module uptime is 0 week, 0 day, 17 hours, 53 minutes
AV Signature Database Version :
IPS Signature Database Version : 2015031400
IPS Engine Version : V200R002C00SPC070
SA Signature Database Version : 2015006040
C&C Domain Name Database Version :
IP Reputation Database Version :
Location Database Version : 2014010414
SDRAM Memory Size : 4096 M bytes
Flash Memory Size : 16 M bytes
NVRAM Memory Size : 1024 K bytes
CF Card Memory Size : 2048 M bytes
RPU version information :
1. PCB Version : VER.A
2. CPLD Version : 110
3. BootROM Version : 103 Apr 2 2015 14:04:09
4. BootLoad Version : 103 Apr 2 2015 14:08:13
5. Disk 1 Firware Version :
6. DiskIO Firware Version : 0x0
Slot 1 :
FIB version information :
1. PCB Version : VER.A
2. Board Type : FIBA
3. CPLD Version : 112

Then run the display startup command in any view to check the current version software and
configuration file, and those for the next startup.
<sysname>display startup
MainBoard:
Configured startup system software: hda1:/V500R001C50SPC100.bin
Startup system software: hda1:/V500R001C50SPC100.bin
Next startup system software: hda1:/V500R001C50SPC100.bin
Startup saved-configuration file: hda1:/vrpcfg_new.cfg
Next startup saved-configuration file: hda1:/vrpcfg_new.cfg
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: NULL
Next startup patch package: NULL

Checking License Status


Run the display license command in any view to check the license status.
<sysname> display license
Device ESN is: 210235XXXXXXXXXXXXXX
The file activated is: hda1:/license.dat
The time when activated is: 2015/09/23 14:02:20
The time when expired is: 2016/06/20
Encrypted SSL traffic inspection function: Disabled
IPS Update : Enabled; service expire time: 2016/05/27
Anti Virus Update : Enabled; service expire time: 2016/05/27

Checking the CPU and Memory Usage


In any view, run the display cpu-usage command to check the CPU usage.
[sysname] cpu-usage monitor
[sysname] display cpu-usage
CPU Usage Stat. Cycle: 10 (Second)
CPU Usage            : 13.0% Max: 14.2%
CPU Usage Stat. Time : 2015-09-18 22:12:58
CPU utilization for ten seconds: 13.0% : one minute: 13.0% : five minutes: 13.0%

In any view, run the display health command to check the CPU and memory usage.
<sysname> display health
System Memory Usage Information:
System memory usage at 2015-11-17 21:10:41
-------------------------------------------------------------------------------
Slot  Total Memory(MB)  Used Memory(MB)  Used Percentage  Upper Limit
-------------------------------------------------------------------------------
0     7850              4789             60%              95%
-------------------------------------------------------------------------------
System CPU Usage Information:
System cpu usage at 2015-11-17 21:10:41
-------------------------------------------------------------------------------
Slot  CPU Usage  Upper Limit
-------------------------------------------------------------------------------
0     13%        80%
-------------------------------------------------------------------------------

If the CPU and memory usage before and after the upgrade differ only slightly, the device runs
properly.

Checking the Registration Status of Interface Cards


Run the display device command in any view to check the registration status of interface
cards.
<sysname> display device
Device status:
Slot  Sub  Type  Online   Power    Register    Status  Role
-------------------------------------------------------------------------------
0     -    RPU   Present  PowerOn  Registered  Normal  Master
1     -    FIBA  Present  PowerOn  Registered  Normal  NA
6     -    PWR   Present  PowerOn  Registered  Normal  NA
7     -    FAN   Present  PowerOn  Registered  Normal  NA

In normal cases, the interface card status is Normal. If the Status field is displayed as
Abnormal, the interface card in the slot runs improperly.

If the interface cards in certain slots do not work properly, contact the technical support
personnel.

Collecting Device Diagnosis Information


In the diagnose view, run the display diagnostic-information diagnostic-information.txt
command to collect the diagnosis information of the device.
[sysname-diagnose] display diagnostic-information hda1:/diagnostic-information_new.txt
Now saving the diagnostic information to the device.............................
................................................................................
..................
info: The diagnostic information was saved to the device successfully.

The diagnosis information is saved in the hda1:/diagnostic-information_new.txt file by
default. Back up this file to facilitate subsequent troubleshooting.

Checking Whether Configurations Are Recovered


After the system is upgraded to V500R001C50SPC100, the implementation and CLI change.
You need to compare the current configuration file with the configuration file in the CF card
to check whether any configuration is lost or modified.

You can also use Beyond Compare to compare the configuration files before and after the
upgrade.

Recover the configuration based on the check result or contact the technical support
personnel.
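The comparison described above can also be done per configuration view, so that a lost view or a lost line inside a view stands out from unrelated reordering. This is an added example, not part of the guide: it assumes both configurations are available as plain text with '#' lines separating views, and the sample configurations and function names are constructed.

```python
# Constructed samples; the commands are illustrative, not taken from a device.
BEFORE = """\
#
sysname IPS
#
interface GigabitEthernet0/0/1
 ip address 192.168.0.1 255.255.255.0
 service-manage ssh permit
#
profile type ips name ids
 signature-set name default
  action alert
  target both
  severity low medium high
#
user-interface vty 0 4
 protocol inbound ssh
#
return
"""

AFTER = """\
#
sysname IPS
#
interface GigabitEthernet0/0/1
 ip address 192.168.0.1 255.255.255.0
#
profile type ips name ids
 signature-set name default
  action alert
  target both
  severity high
#
return
"""


def split_views(cfg_text):
    """Split a configuration into blocks separated by '#' lines.

    Returns {first line of the block: set of the block's other lines}.
    Lines are stripped, so nested sub-views are flattened into their block
    and whitespace-only changes are ignored.
    """
    views, current = {}, []
    for raw in cfg_text.splitlines() + ["#"]:  # trailing '#' flushes the last block
        line = raw.strip()
        if line == "#":
            if current:
                views.setdefault(current[0], set()).update(current[1:])
                current = []
        elif line:
            current.append(line)
    return views


def compare(before, after):
    """Report views and lines that were lost or added by the upgrade."""
    old, new = split_views(before), split_views(after)
    result = {
        "lost_views": sorted(set(old) - set(new)),
        "new_views": sorted(set(new) - set(old)),
        "changed": {},
    }
    for head in sorted(set(old) & set(new)):
        lost = sorted(old[head] - new[head])
        added = sorted(new[head] - old[head])
        if lost or added:
            result["changed"][head] = {"lost": lost, "added": added}
    return result
```

Differences caused by the CLI changes between versions will appear in the report as well, so each entry still needs to be judged against the conversion guide.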

Checking Whether Services Are Normal


There are two methods of checking whether the service is normal:
- Collect several tables and compare the tables with those before upgrade to check whether
certain entries are lost, including routing table, FIB table, MAC table, session table
entries, and whether service traffic amount after upgrade is approximately the same as
that before upgrade.
- Contact the network administrator of the office and check whether the service is normal.

3.3.6 Version Rollback

Prerequisites

NOTICE
To roll back to the source version, for V500R001C50, run the set system-software check-
mode all command; for other versions, directly roll back the version.
Before rolling back the original version, make sure that the corresponding configuration file
(already backed up before the upgrade) is loaded to the CF card of the device and is specified
as the file for next startup by running the startup saved-configuration cfg-filename command.
Then restart the device, avoiding configuration loss due to CLI differences between versions.
Upload the sensitive feature component package *.mod corresponding to the source version
to the device.

Application Scenario
The version rollback needs to be implemented if:
- The device cannot start normally after upgrade, and the current version needs to be rolled
  back to the previous one.
  In this case, you need to roll the version back to the backup source version in BootROM
  mode. The detailed procedure is the same as that of upgrading the version software in
  BootROM mode. For details, see Appendix A: Upgrading System Software Using
  BootROM.
- The device can start normally after upgrade, but a certain function cannot run normally,
  and therefore the current version needs to be rolled back to the previous one.
  In this case, you can adopt any of the following modes to roll back the version:
  - Roll back the version through command lines. The detailed procedure is the same as
    that of upgrading the version software in CLI mode. For details, see Upgrade
    Through CLI.
  - Roll back the version through Web. The detailed procedure is the same as that of
    upgrading the version software in Web mode. For details, see Upgrade Through
    Web.
  - Roll back the version using BootROM. The operations are the same as those for
    upgrading the system software using BootROM. For operation details, see
    Appendix A: Upgrading System Software Using BootROM.
  - Roll back the version in one-click mode.

Log Rollback Description


- Rollback with a disk
  a. The user has not manually updated the log database.
     - Roll back to the source version.
  b. The user has manually updated the log database.

     NOTICE
     As the database is different, the following operation will clear all logs.

     i. Before V500R001C50SPC100 rollback, format the disk.
        <system> system
        [system] disk offline //Hard disk offline
        [system] diagnose
        [system-diagnose] reset disk
     ii. In the system view, run the delete log sdb command to delete the IDNAME
         log file.

One-Click Version Rollback

NOTICE
- If the folder does not exist, the one-click version rollback fails.
- Version rollback does not involve license rollback. If the license files are different in the
source and target versions, use the corresponding backup license or re-apply for a license
and manually load the license file according to the product documentation.

Upgrade operations:
1. Check whether the backup file (backcfg.zip) is available. The backup file should be in
the hda1:/backup/yyyyMMddHHmmss/ folder. If the backup file is unavailable, the
follow-up procedure cannot be performed.
<FW>dir backup/    --Check whether the backup file is in the backup folder.
Directory of hda1:/backup/

Idx  Attr  Size(Byte)  Date         Time      FileName
0    drw-           -  Nov 26 2015  16:30:18  20151126163018
1    drw-           -  Nov 26 2015  16:58:56  20151126165855

601,328 KB total (253,232 KB free)
<FW>cd backup/
<FW>cd 20151126163018/
dir
Directory of hda1:/backup/20151126163018/

Idx  Attr  Size(Byte)  Date         Time      FileName
0    -rw-       2,375  Nov 26 2015  16:30:18  backcfg.zip

601,328 KB total (253,200 KB free)

2. Copy the target version (such as V500R001C00SPC500.bin) of version rollback to the
CF card. For details, see Appendix C: Uploading and Downloading Files.
3. Access the diagnose view and run the recover system filename command.

NOTICE
- If multiple hda1:/backup/yyyyMMddHHmmss folders exist, use the latest one for
the version rollback.

[FW-diagnose]recover system V500R001C00SPC500.bin
Confirm: Will you recover and reboot the system ?[Y/N] y

Precautions
During the version rollback, note the following:

1. The precautions and the result check method of the version rollback operation are the
same as those of the version upgrade operation. For details, see the descriptions of
corresponding upgrade modes.
2. During the version rollback, services are interrupted temporarily. The interruption
duration depends on the rollback mode and the service configuration.

Before the version rollback, contact technical support personnel to determine whether the
target version needs to be patched. If yes, install the patch immediately after the version
rollback is complete. For how to install the patch, see the usage guide of the corresponding
patch version.

3.4 Upgrading Version Software in Dual-System Hot Backup

3.4.1 Overview

Dual-system hot backup is an important feature of the device. In dual-system hot backup, two
devices are deployed; if one device is faulty, the other takes over the work immediately. In
this way, a single point of failure is avoided, and network stability and reliability are
improved. For details, refer to the corresponding product document.

You should follow a certain procedure and principle to upgrade version software in the
dual-system hot backup networking. The main principle of the upgrade is upgrading the
backup device and then the master device independently. Note that the HRP backup channel
(the heartbeat line) must be disconnected during the upgrade.


NOTICE
When upgrading version software in dual-system hot backup, the target version software of the
master device must be the same as that of the backup device.

3.4.2 Upgrade Procedure

Context
Figure 1 shows the detailed upgrade procedure, which is adopted for the master/backup mode
and the load balancing mode.

Figure 3-38 Flowchart of the version software upgrade in dual-system hot backup
environments

Use the active/standby mode as an example. Before the upgrade, FW_A serves as the active
device and FW_B as the standby one.

Procedure
Step 1 Disconnect FW_B (the prompt is HRP_S<FW_B>) from its upstream and downstream devices,
and disconnect the HRP backup channel (the heartbeat line) between FW_B and FW_A. Only the HRP
backup channel of FW_B can be closed.
Log in to FW_B through Telnet or SSH. Run the shutdown command on the interfaces
connecting FW_B to upstream and downstream devices, and on the interface of the HRP backup
channel between FW_B and FW_A. Suppose that on FW_B, the interfaces connected to
upstream and downstream devices are GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1, and
the interface of the HRP backup channel connected to FW_A is GigabitEthernet 1/0/2. Do as
follows:
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
HRP_S[FW_B-GigabitEthernet1/0/2] shutdown


Step 2 Upgrade the version software of FW_B.
In the system view of FW_B, upgrade the software version. The precautions
and the detailed procedure are the same as those of upgrading a single device. Select a proper
upgrade directory if desired. For details, see Upgrading Version Software in Single-System.
Step 3 After the upgrade and re-startup of FW_B are complete and FW_B becomes active, restore
the connection between FW_B and its upstream and downstream devices, and do not recover
the HRP backup channel (the heartbeat line) between FW_B and FW_A. Run the undo
shutdown command on the interfaces connecting FW_B to upstream and downstream
devices. Do as follows:
HRP_M<FW_B> system-view
HRP_M[FW_B] interface GigabitEthernet 1/0/3
HRP_M[FW_B-GigabitEthernet1/0/3] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/3] interface GigabitEthernet 1/0/1
HRP_M[FW_B-GigabitEthernet1/0/1] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/1] quit

Step 4 Upgrade the version software of FW_A.


The precautions and the detailed procedure are the same as those of upgrading a single device.
Select a proper upgrade directory if desired. For details, see Upgrading Version Software in
Single-System.
After the connections between FW_A and its upstream and downstream devices are
disconnected, service traffic is forwarded through FW_B. As FW_B cannot obtain session
information from FW_A, certain services need to re-establish connections. Thus, certain
services are interrupted for a period.
Step 5 Recover the connection of the HRP backup channel (the heartbeat line) between FW_B and
FW_A. After the upgrade and re-startup of FW_A are complete, run the undo
shutdown command on the interface connecting FW_B and FW_A as follows:
HRP_M[FW_B] interface GigabitEthernet 1/0/2
HRP_M[FW_B-GigabitEthernet1/0/2] undo shutdown

Then wait one to two minutes, ensuring that session information on FW_B is completely
backed up to FW_A. You can run the display firewall session table command to check
whether the numbers of sessions on both devices are consistent. If yes, perform further
operations.
After previous operations are performed, FW_B becomes active, while FW_A becomes
standby. If the preemption function is enabled, FW_A will become active after a while and
start to forward service traffic.
Step 6 Observe the service running status. Check the information about the session tables on FW_A
and FW_B to verify the upgrade. If the services are running properly, run the save command
to save the configurations on FW_A and FW_B. Perform the following operations:
HRP_M<FW_A> save
HRP_S<FW_B> save

In addition, simulate link or device faults (run the shutdown command on relevant interfaces)
after successful upgrade and service tests, so that the device performs an active/standby
switchover. Then check whether the dual-system hot backup function is normal after upgrade.
Roll back the version to that before the upgrade if necessary. For details on version rollback,
see Version RollBack. The version rollback process in dual-system hot backup networking is
similar to that in single-device networking. During version rollback in dual-system hot
backup networking, change the target version to the source version.
----End


3.5 Appendix A: Upgrading System Software Using BootROM

3.5.1 Background
When the device fails to load the system software, and you cannot log in to the device using
the Web UI or CLI, upgrade the system software using BootROM.
At present, the device supports the system software transmission to the CF card using FTP or
TFTP in the BootROM menu. The device, serving as the client, downloads the system
software from the FTP/TFTP server, as shown in Figure 1. You must install the third-party
FTP/TFTP server software on PC2.

NOTE

You can use only one PC as both the HyperTerminal program and the FTP client. To facilitate
description, two PCs are used as an example.

Figure 3-39 Transferring files through an FTP or TFTP server

The following section provides an example of how the device downloads the system software
from the FTP server.

3.5.2 Upgrade Process Overview

Context
Figure 1 shows the process for upgrading the system software using BootROM.


Figure 3-40 Flowchart for upgrading the system software using BootROM

3.5.3 Performing the Upgrade

Context
The serial port of PC1 is connected to the console port of the device with a standard RS-232
configuration cable. Run the terminal emulation program (use the HyperTerminal in the
Windows XP as an example) on PC1 to ensure that PC1 communicates with the console port
of the device.

Procedure
Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server using the document
delivered with the program. The premise is that you obtain the FTP server program in a
legitimate way. You have already created an FTP user whose name is 123 and password is
123 and configured the root directory of the user as the directory of the files to be uploaded or
downloaded.
Step 2 Power on or reboot the device.

Step 3 After the device is powered on, you can run the terminal emulation program on PC1 to check
the device startup process. When the following information is displayed, press Ctrl+B within
three seconds.

Base Bootrom Ver: 021 May 8 2014 15:58:31


Extended Bootrom Ver: 028 May 8 2014 16:01:28


CPLD BigVer : 003B
CPLD SmlVer : 005B 2013-08-15
PCB Ver: SUA2MPUA REV B
CPU Type : CN6880 Rev 2.1
CPU L2 Cache : 2048 KB
CPU Core Frequency : 1200 MHz
BUS Frequency : 900 MHz
Mem Size : 16384 MB

Press Ctrl+B to enter main menu...


3

Password:
********

For the sake of security, please modify the original password.

Enter password O&m15213 to access the BootROM main menu.


====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ---------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================
Enter your choice(0-6):

Step 4 In the BootROM main menu, enter 3 to access file management menu.
==================< File Management Menu >==================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-5):

In the file management menu, enter 1 to check the available space in the CF card. If the
available space of the CF card is insufficient, enter 3 to delete unnecessary files.
Ensure that the CF card has sufficient available space. Enter 0 to return to the BootROM main
menu.
Step 5 In the BootROM main menu, enter 4 to access the load and upgrade menu.
=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6):

In the load and upgrade menu, enter 2 to access the application software upgrade menu. The
current parameter settings are displayed.


Net Paramter:

Protocol type : 1

Unit number : 0

Server IP address : 3.3.3.3

Board IP address : 3.3.3.104

Board Mask address : 255.255.255.0

FTP user name : ngfw

FTP user password : ngfw

Load file name : sup.bin

Target file name : sup.bin

Download file to : hda1:

<1> Download file.


<2> Modify parameters.
<0> Quit
Enter your choice(0-2):

In the application software upgrade menu, enter 2 to modify the load parameters.
Protocol type:
<1> FTP <2> TFTP
NOTE: TFTP protocol limits the file length to 32M bytes.

Protocol type : 1

Unit number : 0

Server IP address : 3.3.3.3

Board IP address : 3.3.3.104

Board IP mask : 255.255.255.0

FTP user name : 123

FTP user password : 123

Load file name : sup.bin

Target file name : V500R001C**.bin

Choose one of following devices where the file in:


<1> hda1: <2> sdram
Download file to : 1

<1> Download file.


<2> Modify parameters.
<0> Quit
Enter your choice(0-2): 1

Enter 1 to download the upgrade file.


Using FTP client...
File < V500R001C**.bin> 170014779 bytes downloaded.

Writing hda1:/V500R001C**.bin, please wait.................................


................................................................................
................................................................................
................................................................................
................................................................................


................................................................................
................................................................................
................................................................................
................................................................................
..................................................................Done.

The next boot package file is <hda1:/V500R001C**.bin

Table 3-25 Parameters of FTP download

Parameter            Description
Protocol type        Indicates the protocol used for download. The value 1 indicates FTP, and the value 2 indicates TFTP.
Unit number          Indicates the interface connected to the external FTP server (PC2). Only 0 can be entered in this field to identify GigabitEthernet0/0/0.
Server IP address    Indicates the IP address of the external FTP server (PC2).
Board IP address     Indicates the IP address of the device interface.
FTP user name        Indicates the user name, which must be the same as that specified on the FTP server.
FTP user password    Indicates the password, which must be the same as that specified on the FTP server.
Load file name       Indicates the name of the system software.
Target file name     Indicates the name of the system software to be saved.
Download file to     Indicates the location in which the system software is saved.

After the download is complete, the device automatically specifies the downloaded system
software as that to be used at the next startup. Enter 0 to return to the load and upgrade menu.
Then, enter 0 to return to the BootROM main menu.
Step 6 In the load and upgrade menu, enter 3 to download the converted configuration file.

=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6): 3

Net paramter:
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board IP mask : 255.255.255.0
FTP user name : 1234
FTP user password : ****
Load file name : vrpcfg_new.cfg
Target file name : vrpcfg_new.cfg
Download file to : hda1:

<1> Download file.
<2> Modify parameters.
<0> Quit

After the downloading is complete, enter 0 to return to the load and upgrade menu. Then,
enter 0 to return to the BootROM main menu.
Step 7 In the BootROM main menu, enter 2 to specify the system software and configuration file.
====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ---------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================
Enter your choice(0-6): 2

Current boot application software: <hda1:/V500R001C**.bin>
Current boot configuration: <hda1:/vrpcfg_new.cfg>

<1> Modify setting
<0> Quit

Enter your choice (0-1): 1

After the setting is complete, enter 0 to return to the BootROM main menu.

Step 8 In the BootROM main menu, enter 0 to restart the device.

----End

3.6 Appendix B: Establishing the Upgrade Environment Through the Console Port

3.6.1 Setting Up an Environment for Upgrading System Software Using Telnet/SSH

Prerequisites
The prerequisites for console port login are as follows:

l A PC (with RS232 serial port) and an RS-232 cable are available.
l A terminal simulation program (such as Windows XP HyperTerminal) is installed on the
PC.
l The IPS Module is powered on and running properly.

Context
IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the IPS Module by
default. You can use this IP address and the default user name admin and password
Admin@123 to log in to the CLI of the IPS Module through Telnet. If the Telnet
configuration is cancelled or you desire to use SSH for the login, log in to the IPS Module
from the console port to construct the Telnet or SSH environment.
Figure 1 shows the connection for configuring the upgrade environment using the console
port. The serial port of the PC is connected to the console port of the device with a standard
serial cable.
The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the device. Using the cables of other
vendors might cause unexpected faults. If a mini USB console port is used, purchase the mini
USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used
together. If both ports are connected, only the mini USB console port is available.

Figure 3-41 Establishing the upgrade environment through the console port

Procedure
Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the
terminal simulation program (for example, Windows XP HyperTerminal) on the PC. The
Connection Description dialog box is displayed, as shown in Figure 2.

Figure 3-42 Connection Description dialog box

Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1)
of the PC for connecting to the IPS Module from the Connect using drop-down list box, as
shown in Figure 3.


Figure 3-43 Connection to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be the same
as those of the console port on the IPS Module.

Figure 3-44 Setting port properties

Step 4 Log in to the NGFW, and enter the CLI.


By default, the user name and password are admin and Admin@123 respectively for logging
in to the IPS Module through the console port. If you forget the user name and password
configured on the console port, see Password of the Console Port Is Forgotten.
Step 5 Configure upgrade environment.
l Configure Telnet for login.
Enable the Telnet service on GE 0/0/0 of the device. Configure AAA authentication and
Telnet for the virtual type terminal (VTY) user interface. Create a local Telnet user and
set the user name to user1, and password to Password1 for the Telnet user. Enable the
Telnet service on the device.
V500R001:
<IPS Module> system-view
[IPS Module] telnet server enable
[IPS Module] interface GigabitEthernet 0/0/0
[IPS Module-GigabitEthernet1/0/3] ip address 192.168.1.1 255.255.255.0
[IPS Module-GigabitEthernet1/0/3] service-manage telnet permit
[IPS Module-GigabitEthernet1/0/3] service-manage enable
[IPS Module-GigabitEthernet1/0/3] quit
[IPS Module] user-interface vty 0 4
[IPS Module-ui-vty0-4] authentication-mode aaa
[IPS Module-ui-vty0-4] user privilege level 3
[IPS Module-ui-vty0-4] quit
[IPS Module] aaa
[IPS Module-aaa] authorization-scheme default
[IPS Module-aaa-auth-default] quit
[IPS Module-aaa] manager-user user1
[IPS Module-aaa-manager-user-user1] password cipher Password1
[IPS Module-aaa-manager-user-user1] level 15
[IPS Module-aaa-manager-user-user1] service-type telnet
[IPS Module-aaa-manager-user-user1] quit
[IPS Module-aaa] bind manager-user user1 role system-admin
[IPS Module-aaa] quit
[IPS Module] firewall zone trust
[IPS Module-zone-trust] add interface GigabitEthernet1/0/3
[IPS Module-zone-trust] quit

l Configure SSH for login.


Enable the SSH service on GE 0/0/0 of the device. Configure AAA authentication and
SSH for the virtual type terminal (VTY) user interface. Create a local SSH user and set
the user name to user1, and password to Password1 for the SSH user. Enable the
STelnet service on the device.
V500R001:
<IPS Module>system-view
[IPS Module] interface GigabitEthernet 1/0/3
[IPS Module-GigabitEthernet1/0/3] ip address 192.168.1.1 255.255.255.0
[IPS Module-GigabitEthernet1/0/3] service-manage enable
[IPS Module-GigabitEthernet1/0/3] service-manage ssh permit
[IPS Module-GigabitEthernet1/0/3] quit
[IPS Module] user-interface vty 0 4
[IPS Module-ui-vty0-4] authentication-mode aaa
[IPS Module-ui-vty0-4] user privilege level 3
[IPS Module-ui-vty0-4] protocol inbound ssh
[IPS Module-ui-vty0-4] quit
[IPS Module] aaa
[IPS Module-aaa] manager-user user1
[IPS Module-aaa-manager-user-user1] password cipher Password1
[IPS Module-aaa-manager-user-user1] level 15
[IPS Module-aaa-manager-user-user1] service-type ssh
[IPS Module-aaa-manager-user-user1] quit
[IPS Module-aaa] bind manager-user user1 role system-admin
[IPS Module-aaa] quit
[IPS Module] stelnet server enable
[IPS Module] ssh user user1


[IPS Module] ssh user user1 authentication-type password


[IPS Module] ssh user user1 service-type stelnet
[IPS Module] ssh server port 1025
[IPS Module] ssh server timeout 80
[IPS Module] ssh server authentication-retries 4
[IPS Module] ssh server rekey-interval 1
[IPS Module] ssh server compatible-ssh1x enable

----End

3.6.2 Setting Up an Environment for Upgrading System Software Using Web

Prerequisites
Before you log in to the IPS Module using the console port, complete the following tasks:

l Prepare a PC (with an RS232 serial port) and a serial cable.


l Install an emulation program, such as HyperTerminal on the Windows XP, on the PC.
l Power on the IPS Module and ensure that the IPS Module runs properly.

Context
When the system software needs to be upgraded remotely, but the Web environment is not
configured, you can log in to the IPS Module through the console port and then configure the
Web environment. Then you can log in to the IPS Module remotely using Web to upgrade the
system software.

This section describes how to establish the HTTP-based upgrade environment through the
console port.

Figure 1 shows the connection for configuring the upgrade environment using the console
port. The serial port of the PC is connected to the console port of the IPS Module with a
standard serial cable.

The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45
console port is used, use the console cable delivered with the IPS Module. Using the cables of
other vendors might cause unexpected faults. If a mini USB console port is used, purchase the
mini USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used
together. If both ports are connected, only the mini USB console port is available.

Figure 3-45 Upgrade topology through the console port


Procedure
Step 1 Run the terminal emulation program, such as the HyperTerminal of Windows XP, on the PC.
Choose Start > Programs > Accessories > Communications > HyperTerminal.
The Connection Description dialog box is displayed, as shown in Figure 2.

Figure 3-46 Upgrade topology through the console port

Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of
the PC for connecting to the IPS Module from the Connect using drop-down list box, as
shown in Figure 3.

Figure 3-47 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters
of the port, as shown in Figure 4. The communication parameters of COM1 must be
consistent with those of the console port on the NGFW.


Figure 3-48 Setting port properties

Step 4 Log in to the IPS Module and access the CLI.


By default, user name admin and password Admin@123 are used to log in to the IPS Module
through the console port. If you forget the user name and password configured on the console
port, see Password of the Console Port Is Forgotten.
Step 5 Configure the web for login.
Enable HTTP and HTTPS on GE 0/0/0 of the IPS Module. Create a local web user and
configure the user name to user1, user level to level 15, and password to Password1 for the
web user. Enable the HTTP and HTTPS service on the device.
<IPS Module> system-view
[IPS Module] interface GigabitEthernet 0/0/0
[IPS Module-GigabitEthernet0/0/0] ip address 192.168.0.1 255.255.255.0
[IPS Module-GigabitEthernet0/0/0] service-manage http permit
[IPS Module-GigabitEthernet0/0/0] service-manage https permit
[IPS Module-GigabitEthernet0/0/0] service-manage enable
[IPS Module-GigabitEthernet0/0/0] quit
[IPS Module] aaa
[IPS Module-aaa] manager-user user1
[IPS Module-aaa-manager-user-user1] password cipher Password1
[IPS Module-aaa-manager-user-user1] service-type web
[IPS Module-aaa-manager-user-user1] level 15
[IPS Module-aaa-manager-user-user1] quit
[IPS Module-aaa] quit
[IPS Module] web-manager enable
[IPS Module] web-manager security enable port 8443


NOTE

If an administrator uses HTTP to access the Web UI, the device automatically redirects to a more secure
service, HTTPS. If the browser displays a notification for an insecure certificate, you can continue the
browsing.

----End
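
A pre-change check for the Telnet, SSH and web login procedures above, as an added example that is not part of the Huawei guide: it reads a command script in the guide's prompt-plus-command form and reports the lines that enable cleartext management, SSH 1.x compatibility, or a password printed in this guide. The rule names, the audit function and the sample script are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed change script: commands from the Telnet, SSH and web procedures of
# this guide, joined in the guide's prompt-plus-command form.
CHANGE_SCRIPT = """\
<IPS Module> system-view
[IPS Module] telnet server enable
[IPS Module] interface GigabitEthernet 0/0/0
[IPS Module-GigabitEthernet0/0/0] service-manage telnet permit
[IPS Module-GigabitEthernet0/0/0] service-manage http permit
[IPS Module-GigabitEthernet0/0/0] service-manage https permit
[IPS Module-GigabitEthernet0/0/0] quit
[IPS Module] aaa
[IPS Module-aaa] manager-user user1
[IPS Module-aaa-manager-user-user1] password cipher Password1
[IPS Module-aaa-manager-user-user1] service-type telnet
[IPS Module-aaa-manager-user-user1] quit
[IPS Module-aaa] quit
[IPS Module] stelnet server enable
[IPS Module] ssh server compatible-ssh1x enable
"""

# Passwords printed in this guide; every reader of the guide knows them.
DOCUMENTED_PASSWORDS = {"Password1", "Admin@123"}

# (rule name, pattern on the prompt-stripped command, reason). Names are hypothetical.
RULES = [
    ("telnet-server", re.compile(r"^telnet server enable$"),
     "Telnet carries logins in cleartext"),
    ("telnet-permit", re.compile(r"^service-manage telnet permit$"),
     "interface accepts Telnet management"),
    ("http-permit", re.compile(r"^service-manage http permit$"),
     "interface accepts HTTP; the guide names HTTPS as the more secure service"),
    ("telnet-user", re.compile(r"^service-type\b.*\btelnet\b"),
     "administrator account may log in over Telnet"),
    ("ssh1x", re.compile(r"^ssh server compatible-ssh1x enable$"),
     "server accepts SSH 1.x clients"),
]
_PROMPT = re.compile(r"^\s*(?:HRP_[MS])?(?:<[^>]*>|\[[^\]]*\])\s*")
_VIEW = re.compile(
    r"^(system-view|aaa|interface|manager-user|user-interface|"
    r"firewall zone|authorization-scheme)\b"
)
_PASSWORD = re.compile(r"^password cipher (\S+)$")


class Finding(NamedTuple):
    line_no: int
    rule: str
    context: str   # the view the command was typed in
    reason: str


def audit(script: str) -> List[Finding]:
    """Report risky management-plane commands together with their view."""
    findings: List[Finding] = []
    views: List[str] = []          # stack of entered views
    for line_no, raw in enumerate(script.splitlines(), start=1):
        cmd = " ".join(_PROMPT.sub("", raw).split())
        if not cmd:
            continue
        if cmd == "quit":
            if views:
                views.pop()
            continue
        if cmd == "return":
            views.clear()
            continue
        if _VIEW.match(cmd):
            # "interface X" typed inside an interface view switches interfaces.
            if cmd.startswith("interface ") and views and views[-1].startswith("interface "):
                views[-1] = cmd
            else:
                views.append(cmd)
            continue
        context = views[-1] if views else "user view"
        pw = _PASSWORD.match(cmd)
        if pw and pw.group(1) in DOCUMENTED_PASSWORDS:
            findings.append(Finding(line_no, "doc-password", context,
                                    "password is printed in the upgrade guide"))
        for rule, pattern, reason in RULES:
            if pattern.search(cmd):
                findings.append(Finding(line_no, rule, context, reason))
    return findings


if __name__ == "__main__":
    for f in audit(CHANGE_SCRIPT):
        print(f"line {f.line_no:2d} [{f.rule}] in {f.context}: {f.reason}")
```
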

3.6.3 Upgrade Troubleshooting

3.6.3.1 Password of the Console Port Is Forgotten



Perform the following steps when you forget the password of the console port.

Procedure
Step 1 Restart the NIP6300/6600 and access the BootROM main menu.

========================< Main Menu >========================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ----------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
=============================================================

Enter your choice (0-6):

Step 2 Enter 3 to access the file management menu.

================< File Management Menu >=====================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
=============================================================

Enter your choice (0-5):

Step 3 Enter 2 to rename the current configuration file for startup.


Input the file name you want to rename(eg: hda1:/sup.bin): hda1:/vrpcfg.cfg
Input the new file name: hda1:/vrpcfgrename.cfg

Step 4 After device startup, use the default user name admin and password Admin@123 for login
and use FTP to save the renamed configuration file to the PC.
Step 5 Reconfigure a user and copy the user information generated by the device to the renamed
configuration file.
manager-user newuser
password cipher %@%@@)wB&=/Q1Fvhl1W=,4C)Vpg^C.0{VCnlxU^3svMxY@^A)vmh%@%@
service-type web terminal telnet
level 15

Step 6 Upload the modified configuration file to the device and specify the file as that to be used at
the next startup. After device restart, you can use the configured user information to log in.
----End

3.7 Appendix C: Uploading and Downloading Files

3.7.1 Device Serving as the FTP Client to Upload or Download Files Through FTP

Context
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the IPS
Module and upload or download files through FTP. This method requires the third-party FTP
server software to be installed on the PC2.
NOTE

You can also use a PC as both the Telnet/SSH client and the FTP server. The following example
uses the two-PC deployment.

Figure 3-49 Schematic diagram of uploading/downloading files through FTP and with the
IPS Module serving as the FTP client


Procedure
Step 1 Configure the FTP server.

Install the FTP server program on PC2 and configure the FTP server using the document
available with the program. Suppose that you obtain the FTP server program in a legitimate
way and description of the program is beyond the coverage of this document. Assume that an
FTP user already exists with the user name 123 and password 123, and that the root directory
of the user is set to the storage path of files to be uploaded/downloaded.

Step 2 Log in to the IPS Module from PC1 through Telnet/SSH.

Step 3 Log in to the FTP server on the IPS Module. Run the ftp ip-address command in the user view
to establish an FTP connection to the PC and enter the FTP client view. The following
operation assumes that the IP address of the FTP server is 192.168.0.2.
<IPS Module> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

Step 4 Upload files in storage media of the IPS Module to the FTP server. Run the put local-filename
[ remote-filename ] command in the FTP client view to upload files to the FTP server.
[ftp] binary --Run the binary command to specify file transmission in binary mode.
[ftp] put test.bin

After the uploading is complete, check whether the sizes of files on the FTP server are the
same as those in the CF card. If no, re-upload the files to ensure that they are completely
uploaded to the FTP server.

Step 5 Download files from the FTP server to storage media of the IPS Module. Run the get
remote-filename [ local-filename ] command in the FTP client view to download files from the FTP
server.
[ftp] binary --Run the binary command to specify file transmission in binary mode.
[ftp] get temp.bin

After the downloading is complete, check whether the sizes of files in the CF card are the
same as those on the FTP server. If no, re-download the files to ensure that they are
completely downloaded to the CF card.

----End

3.7.2 Device Serving as the SFTP Server to Upload or Download Files Through SFTP

Context
As shown in Figure 1, the IPS Module serves as the SFTP server. Log in to the SFTP server from
PC2 and upload/download files through SFTP. This method requires a third-party SFTP
client program (such as WinSCP) to be installed on PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the SFTP server. The following example
uses the two-PC deployment.

Figure 3-50 Schematic diagram of uploading/downloading files through SFTP and with the
IPS Module serving as the SFTP server

The roadmap for configuring an SFTP client (PC2) to communicate with an SSH server (IPS
Module) is as follows (RSA authentication is used):

- Create an SSH user on the IPS Module.
- Configure a local key pair for PC2 and the IPS Module.
- Copy the public key of PC2 to the IPS Module.
- On the IPS Module, bind the SSH user to the public key of PC2.
- Enable SFTP services on the IPS Module.
- Configure the SSH user to log in to the IPS Module from PC2.

Procedure
Step 1 Enable the SSH service on interface GigabitEthernet 0/0/0.
<NGFW> system-view
[NGFW] interface GigabitEthernet 0/0/0
[NGFW-GigabitEthernet0/0/0] service-manage ssh permit
[NGFW-GigabitEthernet0/0/0] service-manage enable
[NGFW-GigabitEthernet0/0/0] quit

Log in to the IPS Module from PC1 through Telnet/SSH.

Step 2 Create an SSH user on the IPS Module.

Enable the SFTP service.
[IPS Module] sftp server enable

Configure an authentication mode and a protocol on the VTY interface.
[IPS Module] user-interface vty 0 4
[IPS Module-ui-vty0-4] authentication-mode aaa
[IPS Module-ui-vty0-4] protocol inbound ssh
[IPS Module-ui-vty0-4] quit

Create SSH user client and set the authentication type to rsa, service type to SFTP, and
service directory to hda1:

[IPS Module] ssh user sftpadmin
[IPS Module] ssh user sftpadmin authentication-type password
[IPS Module] aaa
[IPS Module-aaa] manager-user sftpadmin
[IPS Module-aaa-manager-user-sftpadmin] service-type ssh
[IPS Module-aaa-manager-user-sftpadmin] level 3
[IPS Module-aaa-manager-user-sftpadmin] password
Enter Password:
Confirm Password:
[IPS Module-aaa-manager-user-sftpadmin] quit
[IPS Module-aaa] quit
[IPS Module] ssh user sftpadmin service-type sftp
[IPS Module] ssh user sftpadmin sftp-directory hda1:

Step 3 Generate a local key pair on the IPS Module.
[IPS Module] rsa local-key-pair create
The key name will be: IPS Module_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

Step 4 Generate a local key pair on PC2. The local key pair consists of host key and server key.

Step 5 Use password RsaKey001 to copy the host key of PC2 to the IPS Module.
[IPS Module] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[IPS Module-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[IPS Module-rsa-key-code] 3047
[IPS Module-rsa-key-code] 0240
[IPS Module-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[IPS Module-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[IPS Module-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[IPS Module-rsa-key-code] 1D7E3E1B
[IPS Module-rsa-key-code] 0203
[IPS Module-rsa-key-code] 010001
[IPS Module-rsa-key-code] public-key-code end
[IPS Module-rsa-public-key] peer-public-key end

Step 6 On PC2, connect the SFTP client to the SSH server.

----End
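
The key code entered in Step 5 can be checked before the key is bound to a user. The following Python code is an added example, not part of the Huawei guide: it decodes that hex as a DER SEQUENCE of two INTEGERs (modulus and public exponent) and reports the modulus size. The 2048-bit floor (MIN_BITS) and all function names are assumptions made for this example.

```python
# Key code copied from Step 5 of this procedure (CLI prompts stripped).
KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""
MIN_BITS = 2048  # assumption: local policy floor, not a value from the guide


def read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value: key code not pasted completely")
    return buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Return (modulus_bits, exponent) for a hex-encoded RSA public key."""
    der = bytes.fromhex("".join(text.split()))
    body, end = read_tlv(der, 0, 0x30)         # SEQUENCE
    modulus, pos = read_tlv(body, 0, 0x02)     # INTEGER: modulus n
    exponent, pos = read_tlv(body, pos, 0x02)  # INTEGER: public exponent e
    if end != len(der) or pos != len(body):
        raise ValueError("unexpected extra bytes in key code")
    # Read as unsigned: the sample modulus starts with 0xBF, no 00 pad byte.
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def key_is_acceptable(text, min_bits=MIN_BITS):
    """True only if the modulus meets the floor and e is an odd value > 1."""
    bits, exponent = parse_key_code(text)
    return bits >= min_bits and exponent > 1 and exponent % 2 == 1


if __name__ == "__main__":
    print(parse_key_code(KEY_CODE), key_is_acceptable(KEY_CODE))
```

The sample key in Step 5 decodes to a 512-bit modulus, so it fails the assumed floor; a key generated on PC2 at 2048 bits passes the same check.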

Example
After the SFTP client connects to the SSH server, run the display ssh server status and
display ssh server session commands on the SSH server to check whether the SFTP service
is enabled and whether the SFTP client is connected to the SSH server.
- Check SSH server status.
[IPS Module] display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Disable

- Check SSH server connection information.
[IPS Module] display ssh server session
Session 1:
Conn : VTY 4
Version : 2.0
State : started
Username : client
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
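
The two displays above also show which protocol version and algorithms were negotiated. The following Python code is an added example, not part of the Huawei guide: run on the administrator's PC against saved CLI output, it flags the legacy settings visible in that sample (version 1.99, which means the server also accepts SSH protocol 1 clients, CBC ciphers, a truncated SHA-1 MAC and the group1 key exchange). The rule table and function names are assumptions made for this example.

```python
import re

# Output copied from the Example in this section (status, then session 1).
OUTPUT = """\
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries : 3 times
SFTP server : Enable
STELNET server : Disable
Conn : VTY 4
Version : 2.0
State : started
Username : client
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Service Type : sftp
Authentication Type : rsa
"""
RULES = [  # assumed review policy (not from the guide): field, regex, finding
    ("SSH version", r"^1\.", "server still accepts SSH protocol 1 clients"),
    ("Version", r"^1\.", "session negotiated SSH protocol 1"),
    ("Cipher", r"-cbc$|^3des|^des|^arcfour", "CBC or legacy cipher"),
    ("Hmac", r"md5|-96$", "MD5-based or truncated MAC"),
    ("Kex", r"group1-sha1$", "1024-bit Diffie-Hellman group with SHA-1"),
    ("Authentication Type", r"^password$", "password authentication in use"),
]


def parse_fields(text):
    """Split 'Name : value' lines into (name, value) pairs; skip other lines."""
    parts = (line.partition(" : ") for line in text.splitlines())
    return [(n.strip(), v.strip()) for n, sep, v in parts if sep]


def audit(text):
    """Return (field, value, finding) for every rule that matches a field."""
    findings = []
    for name, value in parse_fields(text):
        for field, pattern, message in RULES:
            # Exact field name, or a direction-prefixed one such as 'CTOS Cipher'.
            if (name == field or name.endswith(" " + field)) and re.search(pattern, value):
                findings.append((name, value, message))
    return findings
```

Calling audit(OUTPUT) returns one finding for the server status and five for the session; the session's rsa authentication type is not flagged.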

3.7.3 Device Serving as the TFTP Client to Upload or Download Files Through TFTP

Context
As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the IPS
Module and upload or download files through TFTP. This method requires third-party
TFTP server software to be installed on PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the TFTP server. The following example
uses the two-PC deployment.

Figure 3-51 Schematic diagram of uploading/downloading files through TFTP and with the
IPS Module serving as the TFTP client

Procedure
Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure the TFTP
server by following the documentation supplied with the program. This guide assumes that you
have obtained the TFTP server program legitimately; a description of the program is beyond the
scope of this document. The following operation assumes that the root directory of the TFTP
server is set to the storage path of the files to be uploaded/downloaded.

Step 2 Log in to the IPS Module from PC1 through Telnet/SSH.

Step 3 Upload files in storage media of the IPS Module to the TFTP server.

NOTICE
Due to a limitation of third-party TFTP server software, TFTP upload of files larger than 16
MB may fail. Therefore, you are advised to use FTP to upload files larger than 16 MB.

Run the tftp ip-address put source-filename [ destination-filename ] command in the user
view to upload files to the TFTP server. The following operation assumes that the IP address
of the TFTP server is 192.168.0.2.
<IPS Module> tftp 192.168.0.2 put test.bin

After the upload is complete, check whether the sizes of the files on the TFTP server are the
same as those in the CF card. If not, re-upload the files to ensure that they are completely
uploaded to the TFTP server.

Step 4 Download files from the TFTP server to the CF card of the IPS Module. Run the tftp
ip-address get source-filename [ destination-filename ] command in the user view to download
files from the TFTP server.
<IPS Module> tftp 192.168.0.2 get temp.bin

After the download is complete, check whether the sizes of the files in the CF card are the
same as those on the TFTP server. If not, re-download the files to ensure that they are
completely downloaded to the CF card.

----End

3.8 Appendix D: Applying for a License

Context
The license file to be loaded on the device is a .dat file. This file is not delivered with the
device and is independently generated by the license center of Huawei.

Procedure
Step 1 Obtain a license authorization code (Entitlement ID).
Find the license authorization certificate in the delivery accessories and obtain the Entitlement
ID, as shown in Figure 1.

NOTE

The license authorization certificate is delivered to the customer together with the product, on A4
paper or on CD-ROM.

Figure 3-52 License authorization certificate

Step 2 Obtain an equipment serial number (ESN).

- Log in to the device in CLI mode and run the display firewall esn command in any view
to obtain the ESN.
- Log in to the device in Web mode and view the ESN in System Information of the
Dashboard page.

Figure 3-53 System Information

Step 3 Obtain the license file from the license self-service.

Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure
in the system help or the displayed information.

NOTICE
To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to
the ESN.
If you cannot obtain the license file, contact the local technical support personnel.

Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.

The license center automatically combines the licenses for new features with the existing
license, and generates a new license.

----End

3.9 Appendix E: Upgrade Record Table

Table 3-26 Upgrade Record Table

Office name                    Upgrade time
Current version                Target version
Upgrade engineer               Customer:
                               Huawei:
Upgrade successful or not

Check Item                     Result     Anomaly Handling
Check before the upgrade
Check of upgrade operations
Check after the upgrade

3.10 Appendix F: Abbreviations

Table 3-27 Abbreviations

AAA Authentication, Authorization and Accounting

ACL Access Control List

AUX Auxiliary port

CF Compact Flash

DNS Domain Name System

ESN Equipment Serial Number

FTP File Transfer Protocol

GRE Generic Routing Encapsulation

GTP GPRS Tunneling Protocol

HTTPS Secure HTTP

ICMP Internet Control Message Protocol

IP Internet Protocol

IPS Intrusion Prevention System

IPSec IP Security

MPU Main Processing Unit

RADIUS Remote Authentication Dial in User Service

SPUA Service Processing Unit A

SSH Secure Shell

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

UDP User Datagram Protocol

VTY Virtual Type Terminal
