Login
| Title | Size | Downloads |
|---|---|---|
| SecPathACG1000-IMW110-R6614P11-ARM_NXP.zip | 198.96 MB | |
| H3C_SecPathACG1000-IMW110-R6614P11_(ACG1000-AI-50)_Release_Notes.pdf | 605.70 KB |
|
H3C SecPathACG1000-IMW110-R6614P11 Release Notes |
|
|
Contents
Hardware and software compatibility matrix· 5
Upgrade restrictions and guidelines· 5
Software feature and command updates· 6
Registering and installing licenses· 9
Open problems and workarounds· 9
Resolved problems in SecPathACG1000-IMW110-R6614P11· 10
Appendix B Upgrading software· 15
Upgrading the system software image· 16
Upgrading the system software image from the CLI 16
Upgrading the system software image from the Web interface· 20
List of tables
Table 1 Version history......................................................................................................... 5
Table 2 Hardware and software compatibility matrix.......................................... 5
Table 3 Hardware features............................................................................................... 11
Table 4 Software features................................................................................................. 12
Table 5 Default Web login information.................................................................... 20
Table 6 Boot menu parameters..................................................................................... 22
Introduction
This document describes the features, restrictions and guidelines, open problems, and workarounds for version SecPathACG1000-IMW110-R6614P11. Before you use this version on a live network, back up the configuration and test the version to avoid software upgrade affecting your live network.
Use this document in conjunction with H3C SecPathACG1000-IMW110-R6614P11 Release Notes (Software Feature Changes) and the documents listed in "Related documentation."
Version information
Version number
i-Ware software, Version 1.10, Release 6614P11
Note: You can see the version number with the display version command in any view. Please see Note①.
Version history
Version number | Last version | Release date | Release type | Remarks |
R6614P11 | First English version | 2023-10-19 | Formal version | First English version |
Hardware and software compatibility matrix
CAUTION: To avoid an upgrade failure, use Table 2 to verify the hardware and software compatibility before performing an upgrade. |
Table 2 Hardware and software compatibility matrix
Item | Specifications |
Hardware platform | ACG1000-AI-50 |
Host software and MD5 checksum | Upgrade package: SecPathACG1000-IMW110-R6614P11-ARM_NXP.BIN MD5:F50E07F6289F1B47869BEAB13D4CDE58 |
Remarks | N/A |
Upgrade restrictions and guidelines
Before upgrading the version, back up the original configuration file. To roll back the version, clear the current configuration and import the original configuration file.
For other upgrade restrictions and guidelines, see "Restrictions and cautions."
Hardware feature updates
None.
Software feature and command updates
For more information about the software feature and command update history, see H3C SecPathACG1000-IMW110-R6614P11 Release Notes (Software Feature Changes).
MIB updates
None.
Operation changes
None.
Restrictions and cautions
Before performing an upgrade, see H3C SecPathACG1000-IMW110-R6614P11 Release Notes (Software Feature Changes) and related documentation to see the software feature changes and evaluate the influence on the service.
Restrictions
Log and file storage or download on a disk with a high disk usage on R6614Pxx
When the usage of a disk exceeds 90%, logs will be deleted. The device checks the disk usage every 30 minutes and deletes the oldest day's logs each time. A maximum of 100000 original files of emails, email attachments, and network disk files can be retained per day (with shared count limit). No limit is applied to the number of logs that can be stored. The device still records logs when the number of logs exceeds 100000, but you cannot download the original log files.
User import
Importing a large number of users is CPU intensive. If CPU resources are insufficient, other processes might become unresponsive.
Authentication delay in simultaneous login of over 20 users through third-party authentication
Because of PHP performance, the authentication delay for third-party RADIUS or LDAP authentication is about 5 seconds when more than 20 users log in simultaneously per second. As a best practice, use IMC or local authentication in scenarios where a large number of users attempt to come online.
Occasional empty application traffic statistics
When the device is fully loaded with high traffic, the statistics of some applications in the detailed application traffic statistics might be empty. You cannot obtain information about the applications and corresponding user information.
Misidentification of shared Internet access behaviors
The system cannot accurately identify shared Internet access behaviors.
Packet order-preserving in QoS rate limit
Enabling packet order-preserving cannot entirely prevent packet disorder in QoS rate limit, which might cause occasional slow downloads.
Low IPsec performance
The performance of the IPsec feature is low.
Log export
Log export has limitations. You can export logs within a specified time range, with a maximum time range of 14 days each time. A maximum of 100000 logs can be exported each time. If the number of logs exceeds 100000, the system prompts the end time of this export. You can then set the prompted time as the start time to continue exporting remaining logs.
Login to the same PC in a domain
When different users log in to the same PC used for test in a domain, only one account is displayed in online user information.
Configuration file import
After you import a configuration file, you must reboot the device for the configuration to take effect. Do not click Save Configuration before reboot, because this operation will overwrite the imported file with the current configuration, and the original configuration remains effective after the reboot.
Enabling real-time configuration saving on devices
· As a best practice, do no enable real-time saving configuration on newly deployed devices. With this feature enabled, excessive resource will be consumed during frequent and quick operations or in collaboration with HA. Potential issues include:
¡ During SNMP user synchronization, two consecutive user registration tasks might be generated, and the user information in the first task might not be synchronized to the backup device.
¡ If you apply an empty URL object in an IPv4 control policy and then add content on the URL object page, you might not view the application relationship.
¡ A message indicating error information will prompt if you delete multiple users when the device saves configuration automatically.
· If you enable real-time configuration saving, after you complete the configuration each time, wait 1 to 2 minutes for the device to fully save the configuration.
Supported features in collaboration with Cloud Security O&M Management Platform
In collaboration between the device and Cloud Security O&M Management Platform, the following features are supported:
· Viewing the device information, performance status, and device status of monitored ACG devices on the platform.
· Events and alarms.
· Graphical Web reverse links.
· Version management, license management, and configuration management.
Features that require hard drive support
Features such as audit logs, Web protection, security analysis, statistical reports, and BA platform configuration are only supported on ACG devices with hard drives. For more information, see the corresponding specification document.
Statistical report loading
The loading speed of statistical reports in data center is affected by the volume of log data. The larger volume of data, the longer loading time and waiting time.
Identification of AD domain usernames
An AD domain username with commas (,) will be displayed as vertical lines (|) on after synchronization to the device. This makes it difficult to distinguish between users with usernames containing vertical lines (|) and those who are synchronized from the LDAP server and have usernames containing commas (,) in the local user list, online user list, and online/offline logs.
Dual-factor authentication
Importing a configuration file will not restore the administrator's dual-factor authentication settings.
Interface status detection
After you configure interface status detection with address detection linkage for an interface, if the interface is also used as the outgoing interface for address detection, you cannot execute the shutdown or no shutdown command to restore the interface status.
Application cache file upload
In the application cache, you cannot upload a file that contains Chinese characters through CLI.
Configurations containing SQL injection risk characters
You can import a configuration containing SQL injection risk characters, but cannot submit the configuration on the edit page. This issue occurs in multiple configuration modules of the device. To resolve this issue, modify the configuration through CLI, or delete the risk characters from the configuration and then create a new configuration without risk characters on the Web interface.
USB drive mounting
USB drive mounting is not supported.
Force negotiation mode
Because of hardware and software limitations, some interfaces do not support forced interface speed negotiation at 1000 Mbps.
cautions
QoS maximum bandwidth
If packets are fragmented, the QoS maximum bandwidth cannot be reached. As a best practice to avoid this situation, set the MTU to the greatest value.
HA
· After an HA switchover, the application traffic statistics and user traffic statistics are not synchronized.
· Web portal settings are not synchronized during HA configuration synchronization.
· If both monitoring interface address synchronization and address detection are configured in Master-Master mode, the Master-Master mode cannot be successfully negotiated after the interface does down and then comes up. As a best practice, do not configure address detection.
Advertisement settings
· HTTPS is not supported.
· Local customized advertisement settings are not synchronized during HA configuration synchronization. Reconfigure local customized advertisement settings after an HA switchover.
· Local customized advertisement settings can be configured only from the Web interface.
· A domain name whitelist for advertisement pushing can be configured only at the CLI.
· If the Internet speed is low, advertisements will be displayed slowly.
· If advertisements are displayed slowly, refresh the page or wait for the page to load.
· To push advertisements successfully, make sure the device management IP address is reachable to all users.
· For websites that use the frameset framework, advertisement pictures will be displayed because the main page contains multiple requests. As a best practice, add such websites to the domain name whitelist.
· If advertisements fail to be displayed, use the debug http hijack command to identify whether HTTP requests match an advertisement policy.
· If a website fails to be accessed because advertisement pushing is enabled, add it to the domain name whitelist.
· As a best practice to save memory resources, do not configure more than 1000 subinterfaces, 1000 control policies, 1000 audit policies, or 1000 routes.
· The security module commands are complex. As a best practice, configure IPS, anti-virus, security protection, Web protection, and risk scanning only from the Web interface. Use CLI commands only for troubleshooting and configuration recovery.
Licensing
About licensing
To use license-based features, you must purchase licenses from H3C and install the licenses.
For more information about license-based features and supported licenses, see H3C SecPath ACG1000 Series Application Control Gateway Licensing Guide.
Registering and installing licenses
H3C License Management Platform provides product licensing services for H3C customers. You can access this system to obtain an activation file or transfer licenses.
H3C License Management Platform is accessible at http://www.h3c.com/en/License/.
For more information about license registration, activation file installation, and license transfer, see H3C SecPath ACG1000 Series Application Control Gateway Licensing Guide.
Open problems and workarounds
202206281257
· Symptom: When editing an existing custom URL object on the Policy > Object Management > URL Object > Custom URL page, add a period and a space (. ) in the associated URL. The action can be successfully submitted. However, after saving and returning to the editing page, the space disappears and resubmitting results in an error. The same error occurs when you create a new custom URL object.
· Condition: This symptom occurs when you configure a custom URL object.
· Workaround: Avoid using a period and then a space (. ).
202206280915
· Symptom: When there are a large number of data tables on the device, exporting data for statistics will continuously indicate that the file is being generated. Even after waiting for a long time, it still cannot be completed, and there is no file available for export after refreshing. The reason is that there are too many data tables in the database, which caused an error and stopped the generation process. It needs to be associated with the log retention period.
· Condition: This symptom occurs if you export data for analysis when the device has a large number of data tables.
· Workaround: None. The situation only occurs occasionally when the device is running for a long time with a large number of data tables.
202212080983
· Symptom: Unable to view attachment name after clicking email log details.
· Condition: This symptom occurs when you view email log details.
· Workaround: None. This is a display issue, with a relatively small impact.
202306291911
· Symptom: WeChat mini-program authentication is used. On some mobile phone models, there is occasional inability to open the mini-program through the browser.
· Condition: This symptom might occur if the WeChat mini-program authentication method is used.
· Workaround: Perform authentication by opening the wireless network authentication interface.
202306291879
· Symptom: When WeChat mini-program authentication is selected, the system also verifies the authentication step description for the authentication URL authentication method.
· Condition: This symptom occurs if you configure unsupported characters in the authentication step description and use the WeChat mini-program authentication method.
· Workaround: Use supported characters in the authentication step description.
List of resolved problems
Resolved problems in SecPathACG1000-IMW110-R6614P11
First release, no list of resolved problems
Troubleshooting resources
To obtain troubleshooting resources for the product:
1. Access Technical Documents at http://www.h3c.com/en/Technical_Documents.
2. Select the device category and model.
3. Select the Maintain or Maintenance menu.
Related documentation
· H3C SecPath ACG1000 Series Application Control Gateway Installation Quick Start
· H3C SecPath ACG1000 Series Application Control Gateway Installation Guide
· H3C SecPath ACG1000 Series Application Control Gateway Licensing Guide
· H3C SecPath ACG1000 Series Application Control Gateway Web Configuration Guide (R6614)
· H3C SecPath ACG1000 Series Application Control Gateway Configuration Examples (R6614)
· H3C SecPath ACG1000 Series Application Control Gateway Command References (R6614)
· H3C SecPath ACG1000 Series Application Control Gateway Configuration Guides (R6614)
Technical support
To obtain technical assistance, contact H3C by using one of the following methods:
· Email:
[email protected] (countries and regions except Hong Kong, China)
[email protected] (Hong Kong, China)
· Technical support hotline number. To obtain your local technical support hotline number, go to the H3C Service Hotlines website: https://www.h3c.com/en/Support/Online_Help/Service_Hotlines/
To access documentation, go to the H3C website at http://www.h3c.com/en/.
ACG1000-AI-50 | |
Management ports | 1 × GE (copper) + any service port |
Service ports | 4 × GE (combo) + 16 × GE (copper) + 6×GE(fiber)+2 × 10-GE fiber ports |
Bypass ports | N/A |
Expansion slots | 0 |
Interface modules | N/A |
PoE ports | N/A |
Dimensions (H × W × D) | 44.2 × 440 × 435 mm (1.74 × 17.32 × 17.13 in) |
Max power consumption | 46 W |
Power supply | 100 V to 240 Vac@ 50Hz or 60Hz, 2.0 A |
Availability | ≥ 100000 hours |
Weight | 5.4 kg (11.9 lb) |
Category | Subcategory | Description |
Network access behavior management | Traffic management | Support for virtual link and hierarchical bandwidth management, and 4-level channel nesting. |
Support for bandwidth limits based on users, applications, services, IPs, or time. | ||
Support for per-IP rate limit, bandwidth guaranteeing, and multi-priority management. | ||
Application filtering and audit | Control over network communities, P2P, file transmission, e-commerce, IM, stock trading, network media, online games, and remote control. | |
Application audit targeting at an application category or a single application. | ||
Support for auditing application behavior actions. | ||
Support for auditing application behavior content. | ||
Support for filtering and auditing websites, emails, forum posting, and searched keywords. | ||
Audit log levels (emergency, alert, critical, error, warning, notification, and informational). | ||
URL filtering | Built-in URL classification library. Support for filtering and auditing the following websites: advertising, adult, art, online music, BBS, lottery, business, crime, education, entertainment, gambling, games, healthcare, immorality, and job recruitment. | |
Support for malicious URL and custom URL filtering. | ||
User management | User | Support for importing and exporting users or user groups in bulk. |
User attributes for local users, RADIUS users, LDAP users, and users with statically bound IP addresses. | ||
Online user management | Displaying online user status (username, group to which the user belongs, login address, authentication method, login time/freezing time, status, and online duration). | |
Online user operations: freezing or unfreezing unauthenticated accounts, and logging out, freezing, or unfreezing authenticated users. | ||
Linkage with IMC | Linkage with IMC. | |
For unidentified user traffic, an authentication policy redirects the Web access traffic to the specific portal page. | ||
Recording the user information after successful user authentication. | ||
Identifying and periodically updating access traffic after successful user authentication. | ||
Granular service control for authentication users. | ||
Pushing the authentication page and receiving authentication information of portal users. | ||
Initiating user authentication requests and user offline notifications. | ||
Providing user self-service by linking to the self-service page provided by the central RADIUS server. | ||
Forcing users to be redirected to the specific portal server and authenticated when they access Web pages. | ||
Logging user online and offline information. | ||
Sending accounting-on packets to the IMC server to log out corresponding users. | ||
Authentication server management | Support for RADIUS and LDAP authentication servers and server groups. | |
Support for Wi-Fi authentication for Internet access via SMS verification code. | ||
Support for Wi-Fi authentication for Internet access by following the WeChat public account. | ||
Statistics set | Application traffic statistics | Displaying application statistics overview. |
Displaying application ratio chart. | ||
Application statistics trend overview. | ||
Displaying detailed information about application statistics. | ||
Coupling of the application and user dimensions. | ||
TOP 11 application statistics. | ||
User traffic statistics | User statistics overview. | |
Displaying user statistics in bar charts. | ||
Displaying detailed information about user statistics coupled with the application dimension. | ||
Support for displaying the application trend and top application list for a user. | ||
Top 15/50/100 user statistics. | ||
Basic network features | Interface | Support for subinterfaces, bridge interfaces, and aggregate interfaces. |
DHCP | Support for DHCP relay agents, DHCP servers, and DHCP clients. | |
The DHCP server supports IP-MAC binding, lease management, and excluded IP addresses. | ||
Session management | Support for limit on address objects, number of sessions that can exist for each IP address, and number of sessions per second that can be created for each IP address. | |
Session statistics: Number of connections initiated by IP addresses. | ||
NAT | NAT ALG for DNS, FTP, H.323, ILS, MSN, NBT, PPTP, and SIP. | |
Source address translation, destination address translation, one-to-one address translation, one-to-many address translation, and many-to-many address translation. | ||
Routing | Support for static routing, dynamic routing (RIP or OSPF), and policy-based routing. | |
Support for policy-based routing based on the source address, destination address, service, user or application. | ||
Support for ISP routing, predefined ISP route tables, and customized ISP routes. | ||
VPN | AH and ESP. Manual or automatic establishment of security associations through IKE. ESP supports multiple encryption algorithms such as DES, 3DES, and AES. Support for MD5 and SHA-1 authentication algorithms. | |
Support for main-mode IKE, aggressive-mode IKE, NAT traversal, and DPD. | ||
Interface detection | Support for the PING address detection type. | |
Support for the TCP address detection type. | ||
Support for the DNS address detection type. | ||
Supported interface types: physical interface, subinterface, bridge interface, aggregate interface, and tunnel interface. | ||
Address detection group | Strict mode or non-strict mode. In strict mode, all detection items within the address group must succeed for the status of the detection group to be considered successful. In non-strict mode, as long as one detection item in the detection group succeeds, the detection group is considered successful. | |
Support for configuring descriptions for address detection groups. | ||
Route detection | Support for route detection to ensure route validity. | |
Supported scenarios and deployment modes | Support for linkage with static routes or ISP routes. | |
Support for linkage with interface status. | ||
Support for linkage with HA. | ||
Logs | Logging address detection failure and successful address detection. | |
Security protection | Attack prevention | Support for interface-based IP and port scanning protection. |
Support for SYN flood, UDP flood, ICMP flood, and DNS flood attack protection and abnormal message attack (ping of death, land-based, teardrop, TCP flag, Winnuke, smurf, IP options, IP-spoof, or Jolt2) protection. | ||
Linkage with the IP address blacklist feature to disable access from specific IP addresses. | ||
Support for IP-MAC binding and uniqueness check. | ||
System management | Deployment method | Bypass, inline, and hybrid deployment. |
Configuration file | Importing and exporting configuration files. | |
Dual-backup configuration. | ||
System upgrade | Support for local and remote system software upgrade. | |
Signature libraries support automatic and manual upgrade. | ||
SNMP | Support for SNMP agents. | |
Supported versions: v1, v2, and v3. | ||
SNMP users: Support for creating, editing, or deleting users. Authentication methods: None, MD5, or SHA. | ||
Log settings | Support for a maximum of three syslog sending servers and can send logs to the remote log analysis and management platform. | |
Support for filtering logs by level and the device mapping table. |
Appendix B Upgrading software
Overview
This chapter describes types of software and how to upgrade software for the device from the CLI, Web interface, and boot menu. The output on the device might differ depending on the version of the device.
The default storage medium on the device is the CF card.
Software types
The device supports the system software image and Boot ROM image.
System software image
The system software image is a program file used to start up the device.
Typically, the system software image is a .bin file, for example, SecPathACG1000-IMW110-R6603P02.BIN.
Configuration files
A configuration file stores the configuration information of the device. Save configuration to configuration files for the following purposes:
· Save the running configuration to a configuration file for the configuration to survive a device reboot.
· Facilitate users to retrieve configuration information.
By default, the device has configuration files syscfg.con and syscfg.bcp. The syscfg.con file stores settings configured both at the CLI and on the Web interface. The syscfg.bcp file is a backup configuration file. You can also save configuration to other files and specify the files as the startup and backup configuration files.
· You can execute the copy running-config backup-config command to copy the running configuration to the backup configuration file.
· You can execute the copy startup-config backup-config command to copy the settings in the startup configuration file to the backup configuration file.
· You can execute the copy backup-config startup-config command to restore the startup configuration file with the settings in the backup configuration file.
Upgrade methods
Upgrade object | Upgrade method | Description |
System software image | Upgrading the system software image from the CLI | · To upgrade the system software image from the Web interface, you do not need to enable the TFTP or FTP server. · Because of the incompatibility of configuration file information between different software versions, the configuration of the device after the upgrade might differ from the configuration before the upgrade. You must carefully review the corresponding section to confirm the feature changes in the version being upgraded. |
Upgrading the system software image from the Web interface | ||
Upgrading the system software image from the boot menu |
Preparing for the upgrade
The device does not come with the TFTP or FTP server. You can purchase and install the software as needed.
Trivial File Transfer Protocol (TFTP) is a protocol within the TCP/IP protocol suite that allows for simple file transfer between a client and server. It provides a simple and resource-friendly file transfer service. The device can act as the TFTP client to upload its system software image to a file server (typically a PC) or download a system software image file from the file server to it after you execute the corresponding commands through the configuration terminal.
File Transfer Protocol (FTP) is an application-layer protocol within the TCP/IP protocol suite. It primarily provides file transfer services between remote hosts for users. The device acts as the FTP client and a file server (typically a PC) acts as the FTP server.
Before you upgrade the system software image, complete the following tasks:
· Configure the IP address of the management port on the device.
· Enable the TFTP or FTP server on the file server.
· Log in to the CLI through the configuration terminal.
· Copy the upgrade file for the system software image to the file server and correctly set the access path of the TFTP or FTP server.
Figure 167 Upgrade environment
Upgrading the system software image
Upgrading the system software image from the CLI
To upgrade the system software image from the CLI, use one of the following methods:
· Using TFTP to upgrade the system software image
· Using FTP to upgrade the system software image
Using TFTP to upgrade the system software image
The device acts as the TFTP client to access the specified path on the TFTP server and complete the backup and upgrade operations for the system software image. The procedure is as follows:
1. Back up the current system software image and running configuration:
# In any view, save the running configuration.
H3C# save config
Building configuration...
Save configuration ok !
# In user view, identify the current version number of the device.
H3C# display version
i-Ware software,Version 1.10, Release 6605, Build time is Jan 28 2015 17:31:46
System uptime: 0 days 0 hours 42 minutes
Firmware is SecPathACG1000-IMW110-R6605.BIN
Application signature version: ACG-APP-R3.1.4
Software S/N : 110100100115022860784559
Model : ACG1000-S
Platform : PLATFORM_MC1220
Basic Functionality : License valid
Application Audit and Control : License valid
Malware URL Category : License valid
Virtual Private Network : License valid
Application Audit and Control Update Service : License valid
Malware URL Category Update Service : License valid
Virtual Private Network Tunnel Limit : License valid
# In user view, copy configuration file syscfg.con to the TFTP server.
H3C# copy startup-config tftp 192.168.0.2 syscfg.con
H3C#
2. Upgrade the system software image:
In the example, the upgrade file is SecPathACG1000-IMW110-F6603P02.BIN with version 1.10 in Release 6603P02. In actual situations, upgrade the system software image based on the real name of the upgrade file.
# In user view, import file SecPathACG1000-IMW110-F6603P02.BIN to the CF card.
H3C# copy tftp 192.168.2.185 SecPathACG1000-IMW110-F6603P02.BIN ver
Download file SecPathACG1000-IMW110-F6603P02.BIN ....
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
#####################################################
Download file(SecPathACG1000-IMW110-F6603P02.BIN) success.
Checking images valid success.
Install system................................................ success
Update images success.
# In user view, reboot the device.
H3C# reboot
Save current configuration? Please enter "y/n" to confirm: y
Building configuration...
Save configuration ok !
The system will be rebooted! Please enter "y/n" to confirm: y
...
# Verify that the current version information of the device is consistent with that of the upgrade file.
i-Ware software,Version 1.10, Release 6603P02, Build time is Mar 5 2015 15:32:26
System uptime: 0 days 0 hours 5 minutes
Firmware is SecPathACG1000-IMW110-F6603P02.BIN
Application signature version: ACG-APP-R3.1.4
Software S/N : 110100100115022860784559
Device S/N : 219801A0QQ914AP00001
Model : ACG1000-S
Platform : PLATFORM_MC1220
Basic Functionality : License valid
Application Audit and Control : License valid
Malware URL Category : License valid
Virtual Private Network : License valid
Application Audit and Control Update Service : License valid
Malware URL Category Update Service : License valid
Virtual Private Network Tunnel Limit : License valid
Using FTP to upgrade the system software image
The device acts as the FTP client to access the specified path on the FTP server and complete the backup and upgrade operations for the system software image. The procedure is as follows:
1. Back up the current system software image and running configuration:
# In user view, save the running configuration of the device.
H3C# save config
Building configuration...
Save configuration ok !
# In user view, identify the current version number of the device.
H3C# display version
i-Ware software,Version 1.10,Release 6603P01, Build time is Jan 28 2015 17:31:46
System uptime: 0 days 0 hours 42 minutes
Firmware is SecPathACG1000-IMW110-R6603P01.BIN
Application signature version: ACG-APP-R3.1.4
Software S/N : 110100200114052620813527
Model : ACG1000-M
Platform : PLATFORM_MC5200
Basic Functionality : License valid
Application Audit and Control : License valid
Malware URL Category : License valid
Virtual Private Network : License valid
Application Audit and Control Update Service : License valid
Malware URL Category Update Service : License valid
Virtual Private Network Tunnel Limit : License valid
# In user view, copy configuration file syscfg.con to the FTP server.
H3C# copy startup-config ftp anonymous test 192.168.0.2 syscfg.con
2. Upgrade the system software image:
In the example, the upgrade file is SecPathACG1000-IMW110-F6603P02.BIN with version 1.10 in Release 6603P02. In actual situations, upgrade the system software image based on the real name of the upgrade file.
# In user view, import upgrade file SecPathACG1000-IMW110-R6603.BIN to the CF card of the device.
H3C# copy ftp user password 192.168.2.185 SecPathACG1000-IMW110-F6603P02.BIN ver
Download file SecPathACG1000-IMW110-F6603P02.BIN ....
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
#####################################################
Download file(SecPathACG1000-IMW110-F6603P02.BIN) success.
Checking images valid success.
Install system................................................ success
Update images success.
# In user view, reboot the device.
H3C# reboot
Save current configuration? Please enter "y/n" to confirm: y
Building configuration...
Save configuration ok !
The system will be rebooted! Please enter "y/n" to confirm: y
# Verify that the current version information of the device is consistent with that of the upgrade file.
i-Ware software,Version 1.10, Release 6603P02, Build time is Mar 5 2015 15:32:26
System uptime: 0 days 0 hours 5 minutes
Firmware is SecPathACG1000-IMW110-F6603P02.BIN
Application signature version: ACG-APP-R3.1.4
Software S/N : 110100100115022860784559
Device S/N : 219801A0QQ914AP00001
Model : ACG1000-S
Platform : PLATFORM_MC1220
Basic Functionality : License valid
Application Audit and Control : License valid
Malware URL Category : License valid
Virtual Private Network : License valid
Application Audit and Control Update Service : License valid
Malware URL Category Update Service : License valid
Virtual Private Network Tunnel Limit : License valid
Upgrading the system software image from the Web interface
About this task
The device supports the Web management function. You can use the Web interface to conveniently and intuitively manage, maintain, and upgrade the device.
The device is shipped with default Web login information, allowing users to directly log in to the Web interface using this default information.
Table 5 Default Web login information
Item | Default configuration |
Username | admin |
Password | admin |
Management IP address | 192.168.1.1/24 |
Procedure
1. Connect the device and PC.
Use an Ethernet cable to connect the PC to an Ethernet interface of the device.
2. Configure an IP address for the PC to ensure that the PC and device can reach each other.
Change the IP address to an IP address in subnet 192.168.1.0/24, excluding 192.168.1.1. For example, use 192.168.1.2.
3. Open a browser and enter login information:
a. On the PC, open a browser, and enter IP address 192.168.1.1 in the address bar to open the Web login page of the device.
b. On the Web login page, enter the default username and password and the verification code, and then click Login.
4. Navigate to the System Management > System Maintenance > Software Update page.
Figure 176 Software Update page
5. Click Upload.
CAUTION: Software upgrade takes some time. Please be patient. You must manually reboot the device after the upgrade is complete. |
Upgrading the system software image from the boot menu
To upgrade the system software image from the boot menu, use the following method:
· Using FTP to upgrade the system software image through an Ethernet interface
Using a console cable to connect to the device and accessing the boot menu
The output might differ depending on the device condition.
When the device starts up or reboots, press Ctrl+C as prompted to access the boot menu.
PrRss Ctrl+C to stop auto start : 03
reading menuboot
.......................................[ 25.391419] tmp421 0-004c: Could not read configuration register (-5)
/sbin/rc starting
Mounting file systems
Setting up loopback
...
===============================================================
| BOOT MENU(V2.0-20140812) |
| 1. Upgrade image by FTP. |
| 2. Upgrade menuboot by FTP. |
| 3. Check and repare file system. |
| 4. Reset administrator passowrd. |
| 5. Producing test. |
| 6. Aging test. |
| 7. Display production and aging recored. |
| 8. Advance functions. |
| 0. Reboot. |
| |
===============================================================
Field | Description |
<1> Upgrade image by FTP | Upgrades the system software image by FTP. |
<2> Upgrade menuboot by FTP | Upgrades the boot menu by FTP. |
<3> Check and repare file system | Checks and repairs the file system. |
<4> Reset administrator passowrd | Resets the password of the administrator to the default password. |
<5> Producing test | Used to check the basic communication functionality of ports. |
<6> Aging test | Long-duration stress test in sending and receiving packets. |
<7> Display production and aging recored | Displays the results of the producing test and aging test. |
<8> Advance functions | Not supported in the current software version. |
<0> Reboot | Reboots the device. |
Using FTP to upgrade the system software image through an Ethernet interface
1. Enter 1 to upgrade the system software image by FTP and configure FTP parameters as follows:
Please input your choice[0-8]:1
Local IP[A.B.C.D/M]:192.168.0.1/24
Server IP[A.B.C.D]:192.168.0.2
Gateway IP[A.B.C.D]:192.168.0.254
image name[xxx.bin]:SecPathACG1000-IMW110-F6603P02.BIN
Field | Description |
Local IP | IP address of the device. |
Server IP | IP address of the FTP server. |
Gateway IP | Gateway IP address. Configure the gateway IP address if the device and the FTP server do not belong to the same subnet. |
image name | Name of the upgrade file. |
2. Enter 0 to reboot the device for the upgrade file to take effect.
Download file SecPathACG1000-IMW110-F6603P02.BIN ....
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
################################################################
##############################################
Download file(SecPathACG1000-IMW110-F6603P02.BIN) success.
Checking images valid success.
Install system......................................................................... success
Update images success.
===============================================================
| BOOT MENU(V2.0-20140812) |
| 1. Upgrade image by FTP. |
| 2. Upgrade menuboot by FTP. |
| 3. Check and repare file system. |
| 4. Reset administrator passowrd. |
| 5. Producing test. |
| 6. Aging test. |
| 7. Display production and aging recored. |
| 8. Advance functions. |
| 0. Reboot. |
| |
===============================================================
Please input your choice[0-8]: 0
Upgrade time
It takes about 2 minutes for the device to load the upgrade file.
It takes about 3 minutes for the device to restart.
Handling software upgrade failures
To handle a software upgrade failure:
1. Check the physical ports for a loose or incorrect connection, and verify that the LEDs are reflecting the correct port status.
2. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any incorrect setting.
3. Check the FTP or TFTP server for incorrect settings.
4. If the image desc magic check fail message is generated after the device loads the upgrade file, verify that the file is available.
5. If the issue persists, contact H3C Support.
