- Table of Contents
-
- 08-Configuration Examples
- 01-Web Login Configuration Examples
- 02-Internet Access Through a Static IP Address Configuration Examples
- 03-Internet access through PPPoE configuration examples
- 04-Signature Library Upgrade Configuration Examples
- 04-Software Upgrade Examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 05-Software Upgrade Examples
- 06-Static routing configuration examples
- 07-OSPF configuration examples
- 08-BGP configuration examples
- 09-RIP configuration examples
- 10-DHCP configuration examples
- 11-DNS configuration examples
- 12-Object Group Configuration Examples
- 13-Public key management configuration examples
- 14-Security Policy Configuration Examples
- 15-Attack defense configuration examples
- 16-Connection Limit Configuration Examples
- 17-IPS Configuration Examples
- 18-URL Filtering Configuration Examples
- 19-Anti-Virus Configuration Examples
- 20-Data Filtering Configuration Examples
- 21-File Filtering Configuration Examples
- 22-APR-Based Security Policy Configuration Examples
- 23-Bandwidth Management Configuration Examples
- 24-NAT configuration examples
- 25-NAT hairpin configuration examples
- 26-IPsec configuration examples
- 27-SSL VPN configuration examples
- 28-Server Load Balancing Configuration Examples
- 29-Outbound Link Load Balancing Configuration Examples
- 30-Inbound Link Load Balancing Configuration Examples
- 31-Transparent DNS Proxy Configuration Examples
- 32-Context Configuration Examples
- 32-Context Configuration Examples(only for F50X0-D and F5000-AK5X5 firewalls)
- 33-IRF configuration examples
- 34-High Availability Group Configuration Examples
- 35-NAT Flow Logging Configuration Examples
- 36-User identification configuration examples
- 37-Server Connection Detection Configuration Examples
- 38-IP Reputation Configuration Examples
- 39-NPTv6 Configuration Examples
- 40-SSL Decryption Configuration Examples
- 41-MAC Address Learning Through a Layer 3 Device Configuration Examples
- 42-WAF Configuration Examples
- 43-NetShare Control Configuration Examples
- 44-4G Configuration Examples
- 45-WLAN Configuration Examples
- Related Documents
-
Title | Size | Download |
---|---|---|
04-Signature Library Upgrade Configuration Examples | 191.33 KB |
Signature library update configuration examples
Introduction
The following information provides signature library update configuration examples.
The following methods are available for updating the signature library on the device:
· Automatic scheduled update—The device automatically downloads the most up-to-date signature file to update its local signature library periodically.
· Immediate online update—The device downloads the most up-to-date signature file to update its local signature library immediately after you trigger the operation.
· Manual update—Use this method when the device cannot obtain the signature file automatically. You must manually download the most up-to-date signature file, and then use the file to update the signature library on the device.
This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of the signature library upgrade feature.
The signature library for each security service requires a license to run on the device. After the license expires, the related service can use the existing signature library on the device, but the library cannot be updated.
Example: Configuring scheduled automatic update of the signature library
Network configuration
As shown in Figure 1, the internal users in the Trust security zone can access the Internet resources in the Untrust security zone. Configure the device to update the IPS signature library at 3:00:00 every Saturday.
Software versions used
This configuration example was created and verified on F9345 of the F1060 device.
Restrictions and guidelines
Before configuring this feature, make sure:
· The device can access the update server directly or through a proxy server.
· The IPS license is in running status.
Procedure
1. Assign IP addresses to interfaces and add the interfaces to security zones.
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
○ Select the Trust security zone.
○ On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 192.168.1.1/24.
○ Use the default settings for other parameters.
○ Click OK.
# Add GE 1/0/2 to the Untrust security zone and set its IP address to 2.2.2.1./24 in the same way you configure GE 1/0/1.
2. Configure settings for routing:
This example configures static routes.
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, configure an IPv4 static route:
○ Enter destination address 0.0.0.0.
○ Enter mask length 0.
○ Enter next-hop address 2.2.2.2.
○ Use the default settings for other parameters.
○ Click OK.
3. Configure a DNS server:
# On the top navigation bar, click Network.
# From the navigation pane, select DNS > DNS Clients.
# Enter DNS server IP address 10.72.66.36, and click Add.
4. Configure a security policy named Local-to-Untrust:
○ Enter policy name Local-to-Untrust.
○ Select source security zone Local.
○ Select destination security zone Untrust.
○ Select type IPv4.
○ Select action Permit.
○ Use the default settings for other parameters.
○ Click OK.
5. Configure the device to update the IPS signature library automatically at a scheduled time.
# On the top navigation bar, click System.
# From the navigation pane, select Upgrade Center > Signature Upgrade.
# Select the check box for Auto update for the IPS signature library.
# In the dialog box that opens, set the scheduled update time to 03:00:00 every Saturday.
A scheduled automatic library update will occur at a random time between the following time points: · An hour before the specified start time. · An hour after the specified start time. |
Figure 2 IPS signature library scheduled update configuration
# Click OK.
Verifying the configuration
After the scheduled update time, access the signature library update list and verify that the IPS signature library has been updated.
Figure 3 Signature library update list
Network configuration
As shown in Figure 4, the internal users in the Trust security zone can access the Internet resources in the Untrust security zone. Update the IPS signature library immediately so that the IPS feature can use the up-to-date signature library to protect the internal network.
Software versions used
This configuration example was created and verified on F9345 of the F1060 device.
Restrictions and guidelines
Before configuring this feature, make sure the device can access the update server directly or through a proxy server.
Procedure
1. Assign IP addresses to interfaces and add the interfaces to security zones.
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
○ Select the Trust security zone.
○ On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 192.168.1.1/24.
○ Use the default settings for other parameters.
○ Click OK.
# Add GE 1/0/2 to the Untrust security zone and set its IP address to 2.1.1.1./24 in the same way you configure GE 1/0/1.
2. Configure a route:
This example configures a static route. If dynamic routes are required, configure a dynamic routing protocol.
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, configure an IPv4 static route:
○ Enter destination address 0.0.0.0.
○ Enter mask length 0.
○ Enter next-hop address 2.2.2.2.
○ Use the default settings for other parameters.
○ Click OK.
3. Configure a DNS server:
# On the top navigation bar, click Network.
# From the navigation pane, select DNS > DNS Clients.
# Enter DNS server IP address 10.72.66.36, and click Add.
4. Configure a security policy named Local-to-Untrust:
¡ Enter policy name Local-to-Untrust.
¡ Select source security zone Local.
¡ Select destination security zone Untrust.
¡ Select type IPv4.
○ Select action Permit.
○ Use the default settings for other parameters.
○ Click OK.
5. Update the IPS signature library immediately.
# On the top navigation bar, click System.
# From the navigation pane, select Upgrade Center > Signature Upgrade.
# Click the Online update link for the IPS signature library.
# In the dialog box that opens, confirm your operation.
Verifying the configuration
On the signature library update list, verify that the IPS signature library has been updated.
Figure 5 Signature library update list
Network configuration
As shown in Figure 6, the up-to-date IPS signature file V7-IPS-1.0.54.dat is saved locally. Use the manual update method to load the file to the update the device IPS signature library.
Software versions used
This configuration example was created and verified on F9345 of the F1060 device.
Procedure
1. Assign IP addresses to interfaces and add the interfaces to security zones.
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
○ Select the Trust security zone.
○ On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 10.1.1.1/24.
○ Use the default settings for other parameters.
○ Click OK.
2. Configure a security policy named Trust-Local, ensuring that the internal users can use a PC to access the Internet:
○ Enter policy name Trust-Local.
○ Select source security zones Trust and Local.
○ Select destination security zones Trust and Local.
○ Select type IPv4.
○ Select action Permit.
○ Use the default settings for other parameters.
○ Click OK.
3. Import the local IPS signature file.
# On the top navigation bar, click System.
# From the navigation pane, select Upgrade Center > Signature Upgrade.
# Click the Manual update link for the IPS signature library.
# In the dialog box that opens, select the locally saved signature file V7-IPS-1.0.54.dat.
Figure 7 Selecting the locally saved signature file
# Click OK.
Verifying the configuration
On the signature library update list, verify that the IPS signature library has been updated.
Figure 8 Signature library update list