Signature library update configuration examples

 

·     Introduction

·     Prerequisites

·     General restrictions and guidelines

·     Example: Configuring scheduled automatic update of the signature library

·     Example: Configuring immediate online update of the signature library

·     Example: Using a local signature file to update the device signature library

 

The following information provides signature library update configuration examples.

The following methods are available for updating the signature library on the device:

·     Automatic scheduled update—The device automatically downloads the most up-to-date signature file to update its local signature library periodically.

·     Immediate online update—The device downloads the most up-to-date signature file to update its local signature library immediately after you trigger the operation.

·     Manual update—Use this method when the device cannot obtain the signature file automatically. You must manually download the most up-to-date signature file, and then use the file to update the signature library on the device.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the signature library upgrade feature.

 

The signature library for each security service requires a license to run on the device. After the license expires, some functions of the related service cannot be used, and the library cannot be updated. For more information, see the online help for each security service.

Network configuration

As shown in Figure 1, the internal users in the Trust security zone can access the Internet resources in the Untrust security zone. Configure the device to update the IPS signature library at 3:00:00 every Saturday.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.

Restrictions and guidelines

Before configuring this feature, make sure:

·     The device can access the update server directly or through a proxy server.

·     The IPS license is in running status.

Procedure

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

○          Select the Trust security zone.

○          On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 192.168.1.1/24.

○          Use the default settings for other parameters.

○          Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 2.2.2.1./24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure an IPv4 static route:

○          Enter destination address 0.0.0.0.

○          Enter mask length 0.

○          Enter next-hop address 2.2.2.2.

○          Use the default settings for other parameters.

○          Click OK.

3.      Configure a DNS server:

This example uses DNS server IP address 10.72.66.36.

# On the top navigation bar, click Network.

# From the navigation pane, select DNS > DNS Clients.

# Enter DNS server IP address 10.72.66.36, and click Add.

4.     Configure a security policy named Local-to-Untrust:

○          Enter policy name Local-to-Untrust.

○          Select source security zone Local.

○          Select destination security zone Untrust.

○          Select type IPv4.

○          Select action Permit.

○          Use the default settings for other parameters.

○          Click OK.

5.     Configure the device to update the IPS signature library automatically at a scheduled time.

# On the top navigation bar, click System.

# From the navigation pane, select Upgrade Center > Signature Upgrade.

# Select the check box for Auto update for the IPS signature library.

# In the dialog box that opens, set the scheduled update time to 03:00:00 every Saturday.

 

 

Figure 2 IPS signature library scheduled update configuration

 

# Click OK.

Verifying the configuration

After the scheduled update time, access the signature library update list and verify that the IPS signature library has been updated.

Figure 3 Viewing the signature library version

 

Network configuration

As shown in Figure 4, the internal users in the Trust security zone can access the Internet resources in the Untrust security zone. Update the IPS signature library immediately so that the IPS feature can use the up-to-date signature library to protect the internal network.

Figure 4 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.

Restrictions and guidelines

Before configuring this feature, make sure the device can access the update server directly or through a proxy server.

Procedure

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

○          Select the Trust security zone.

○          On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 192.168.1.1/24.

○          Use the default settings for other parameters.

○          Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 2.1.1.1./24 in the same way you configure GE 1/0/1.

2.     Configure a route:

This example configures a static route. If dynamic routes are required, configure a dynamic routing protocol.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure an IPv4 static route:

○          Enter destination address 0.0.0.0.

○          Enter mask length 0.

○          Enter next-hop address 2.2.2.2.

○          Use the default settings for other parameters.

○          Click OK.

3.      Configure a DNS server:

This example uses DNS server IP address 10.72.66.36.

# On the top navigation bar, click Network.

# From the navigation pane, select DNS > DNS Clients.

# Enter DNS server IP address 10.72.66.36, and click Add.

4.     Configure a security policy named Local-to-Untrust:

¡     Enter policy name Local-to-Untrust.

¡     Select source security zone Local.

¡     Select destination security zone Untrust.

¡     Select type IPv4.

○          Select action Permit.

○          Use the default settings for other parameters.

○          Click OK.

5.     Update the IPS signature library immediately.

# On the top navigation bar, click System.

# From the navigation pane, select Upgrade Center > Signature Upgrade.

# Click the Online update link for the IPS signature library.

# In the dialog box that opens, confirm your operation.

Figure 5 Updating the IPS signature library immediately

 

Verifying the configuration

On the signature library update list, verify that the IPS signature library has been updated.

Figure 6 Viewing the signature library version

 

Network configuration

As shown in Figure 7, the up-to-date IPS signature file V7-IPS-1.0.128.dat is saved locally. Use the manual update method to load the file to the update the device IPS signature library.

Figure 7 Network diagram

 

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device and E9671 of the M9000-X06 device.

Restrictions and guidelines

The device is preconfigured with a management port (for example, GE1/0/0) that has an IP address of 192.168.0.1/24. The IP address of the host must be I the same subnet as the management port. You can log in to the Web interface of the device to configure the device by entering https://192.168.0.1 in the browser.

Procedure

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

○          Select the Trust security zone.

○          On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 10.1.1.1/24.

○          Use the default settings for other parameters.

○          Click OK.

2.     Configure a security policy named Trust-Local, ensuring that the internal users can use a PC to access the Internet:

○          Enter policy name Trust-Local.

○          Select source security zones Trust and Local.

○          Select destination security zones Trust and Local.

○          Select type IPv4.

○          Select action Permit.

○          Use the default settings for other parameters.

○          Click OK.

3.     Import the local IPS signature file.

# On the top navigation bar, click System.

# From the navigation pane, select Upgrade Center > Signature Upgrade.

# Click the Manual update link for the IPS signature library.

# In the dialog box that opens, select the locally saved signature file V7-IPS-1.0.128.dat.

Figure 8 Selecting the locally saved signature file

 

# Click OK.

Verifying the configuration

On the signature library update list, verify that the IPS signature library has been updated.

Figure 9 Signature library update list