Huawei USG6000 Upgrade Manual
HUAWEI USG6000&USG9500
V500R001C80SPC100
Upgrade Guide
Issue
01
Date
2018-01-16
HUAWEI TECHNOLOGIES CO., LTD.

Summary of Contents for Huawei USG6000

  • Page 1 HUAWEI USG6000&USG9500 V500R001C80SPC100 Upgrade Guide Issue Date 2018-01-16 HUAWEI TECHNOLOGIES CO., LTD.
  • Page 2 Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS"...
  • Page 3: About This Document

    The purchased products, services and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
  • Page 4 Features wholly or partially, or the provision of Features, Huawei reserves its right to, at its sole discretion, terminate the provision of Features without any liability to the extent permitted by law.
  • Page 5 Huawei will not bear any legal obligations or liabilities for the security events (such as personal data leaks) that are not caused by Huawei's misconduct.
  • Page 6 SNMPv3 is recommended. Change History Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues. Issue 01 (2018-01-16) Initial commercial release. Issue 01 (2018-01-16) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
  • Page 7: Table Of Contents

    1.3.4.3 Upgrade Result Verification; 1.3.5 Upgrade Through CLI; 1.3.5.1 Preparations for the Upgrade; 1.3.5.1.1 Obtaining Upgrade Files; 1.3.5.1.2 Downloading Content Feature Component Packages; 1.3.5.2 Upgrade Flow
  • Page 8 2.2.1.1 Impact on the Current System During the Upgrade; 2.2.2 Precautions; 2.2.3 Upgrade Flow; 2.2.4 Preparations for the Upgrade; 2.2.4.1 Obtaining the Version Software Required By the Upgrade
  • Page 9 2.5.3 Device Serving as the SFTP Server to Upload or Download Files Through SFTP; 2.6 Appendix: Activating the ESN; 2.7 Appendix: Applying for a License; 2.8 Appendix: Upgrade Record Table; 2.9 Appendix F: Abbreviations
  • Page 10: Usg6000

    1.8 Appendix D: Applying for a License 1.9 Appendix E: Upgrade Record Table 1.10 Appendix F: Abbreviations 1.1 Application Scenarios This document applies to the USG6000 series. For version software, the following scenarios are covered: Upgrade from V500R001C00SPC300 to V500R001C80SPC100 Upgrade from V500R001C00SPC500 to V500R001C80SPC100...
  • Page 11 USG6000&USG9500 V500R001C30SPC100&NGFW Module V500R002C00SPC100 Upgrade Guide >>. V500R001C00SPC300 V500R001C00SPC500 V500R001C20SPC100 V500R001C20SPC200 V500R001C20SPC300 Among them, V500R001C20SPC100, V500R001C20SPC200, and V500R001C20SPC300 can have the patch V500R001SPH002 installed before the upgrade.
  • Page 12: Upgrade Impact

    1 USG6000 NOTICE 1. Patch upgrades cannot be performed in BootROM. 2. V1 upgrades are not recommended. If there are such requirements, contact Huawei engineers. 3. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Directly roll other versions back to earlier ones.
  • Page 13 The function is Languages of multiple enhanced to SSL VPN None countries are supported. improve user experience.
  • Page 14 None cluster enhanced. protocol, port, and lifetime. The packet loss Session Packet loss logs can be logging function None logs sampled and then sent. is enhanced.
  • Page 15: Impact Of The Command Changes

    The command sets the MAC None ack-time no-ack-time authentication response failure time. display user-manage mac- The command sets the MAC access information authentication response None failure time.
  • Page 16 [ slot slot-id The command displays None cpu cpu-id ] [ active | information about SAs standby ] [ remote-id-type established through IKE remote-id-type ] remote-id negotiation. remote-id
  • Page 17 MAC address authentication users. [ undo ] mac-authen timer The command configures reauthenticate-period the re-authentication None reauthenticate-period-value interval for online MAC address authentication users.
  • Page 18 [ undo ] gawa-log non- The command configures None certificate that server certificate validation is not required during the upload of log files to the FTPS server.
  • Page 19 None address prefix-length IPv6 static routes. interface-type interface- number [ nexthop-ipv6- address ] [ { preference preference | tag tag } * ] [ description text ]
  • Page 20 } bfd block peer to inherit the BFD function from its peer group. None By default, the peer inherits the BFD function from its peer group.
  • Page 21 OSPFv3. multiplier detect-multiplier- value } * ospfv3 bfd block [ instance The command blocks the instance-id ] bidirectional forwarding detection (BFD) None dynamically created by an interface.
  • Page 22 None session session-name bfd- static route bound to a name admindown invalid specific BFD session from participating in route selection when the BFD session is Admin down.
  • Page 23 | dh- group16 | dh- group16 | dh- group19 | dh- group19 | dh- group20 | dh- group20 | dh- group21 } group21 | dh- group18 }
  • Page 24 The local tunnel ID None { peer-name remote- { peer-name peer- range is widened name | local-id name | local-id from 1-11000 to tunnel-id| all } tunnel-id| all } 1-11050.
  • Page 25 INTEGER<46-9600 > | packet > | packet INTEGER<2-65535 INTEGER<6-65535 > | byte > | byte INTEGER<46-4294 INTEGER<46-4294 967295> } * } 967295> } * } &<1-8> &<1-8>
  • Page 26 { arp | dhcp } * supported in this version. dot1x authentication-method This The command is not None { chap | pap | eap } supported in this version.
  • Page 27: License Impact

    This The command is not None supported in this version. 1.2.1.3 License Impact The license can still be used after the upgrade from V500R001C80 to V500R001C80SPC100. 1.2.1.4 Dynamic Loading
  • Page 28 ISP users so that the ISP users can access intranet services using their own ISP networks. By doing so, intelligent DNS ensures minimized delay and optimal service experience. URL Remote Query package:
  • Page 29 APT attack traffic. The device periodically obtains analysis results from the sandbox. If the sandbox detects malicious traffic, it instructs the device to block the traffic.
  • Page 30: Other Upgrade Impacts

    Table 1-2 NLog system difference description Version Version Whether Support Difference from the Upgrade to the Source V500R001C80SP Version C100 V500R001C00 Difference from the Source Version V500R001C20SPC None V500R001C20SPC None
  • Page 31 Version Version Whether Support Difference from the Upgrade to the Source V500R001C80SP Version C100 V500R001C20SPC None V500R001C30SPC None V500R001C30SPC None V500R001C30SPC None V500R001C30SPC None V500R001C30SPC None
  • Page 32 Two-level dimension report drilling supports advanced query. Traffic reports by outbound interface are supported, and two-level dimension drilling by
  • Page 33 Traffic reports/threat reports by security policy are supported. Two-level dimension drilling for traffic reports, threat reports, and URL reports is supported.
  • Page 34 After the device restart is complete, the converted user information takes effect. – Command lines do not support encoding format rollback. After the transcoding is complete, the old configuration file and user database file are stored.
  • Page 35 ACL is bound to the corresponding VPN instance (acl number 3000 vpn-instance default). Impact on the SSL VPN client: – When a plug-in is updated, the local device needs to obtain the new SecoClient.
  • Page 36: Upgrading Version Software In Single-System

    When to restart the device for the upgrade depends on your requirements. You need to choose a suitable upgrade time to minimize the impacts on services.
  • Page 37 FTP server program is required. The FTP server and management port must be in the same network segment.
  • Page 38: Precautions

    For details on how to upgrade the version software using BootROM, see Appendix A: Upgrading System Software Using BootROM. Table 1 lists the description of each step during the upgrade.
  • Page 39 To back up the dynamic feature Feature configuration file and component files loaded in the system Component export it to a local PC (upgrade from V500R001 or later Packages versions).
  • Page 40 The dynamic feature component package needs to be separately downloaded and loaded based on the license. To obtain the dynamic feature component package.
  • Page 41: Upgrade Through Web

    (Optional) To apply for the license of the source version and activate 1.3.4 Upgrade Through Web 1.3.4.1 Preparing for the upgrade 1.3.4.1.1 Preparing the Upgrade Environment
  • Page 42 The premise is that you have logged in to the Web environment using the Web UI. If the login using the Web UI is not configured, log in to the USG6000 using the console port to configure the Web environment. For configuration details, see...
  • Page 43 Do as follows to configure the USG6000 as the Web server: Procedure Step 1 Log in to the USG6000 CLI through Telnet or SSH from PC1. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are advised to use interface GigabitEthernet 0/0/0 on the USG6000 for login.
  • Page 44: Obtaining Upgrade Files

    (Optional) Local signature database file The file name extension is .zip. You can obtain the file from http://sec.huawei.com/sec. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.
  • Page 45: Downloading Content Feature Component Packages

    Step 1 Access Huawei security center at http://sec.huawei.com/. (Internet Explorer: version 8.0 or later or Firefox) Step 2 Expand the USG6000 Series tab and select the product model and version, such as USG6680 - V500R001C80SPC100. Step 3 Select and download the component package. The component packages are as follows: URLRMT: component package for the URL remote query feature.
  • Page 46: Querying The Current System Software

    Click Upgrade at the right side of Version, as shown in Figure 1-4, to query the existing system software. Record the system software file name for file backup
  • Page 47: Checking The Use Of Licenses

    License Information on the DashBoard page, as shown in Figure 1-5:
  • Page 48 Note the fields in bold of the Attrib attribute. COMM indicates a commercial license and 2019-06-04 indicates the expiry date of the license. If the license expires, contact Huawei technical support personnel. Step 2 Apply for a license file. For details on how to apply for a license file, see...
  • Page 49: Checking The Device Operating Status

    View System Resource on the Dashboard page, as shown in Figure 1-6: Figure 1-6 Displaying device resource information Checking System Information View System Information on the Dashboard page, as shown in Figure 1-7:
  • Page 50 View Device Information on the Dashboard page, as shown in Figure 1-8: Figure 1-8 Displaying the device status View Traffic History on the Dashboard page, as shown in Figure 1-9:
  • Page 51: Collecting Device Diagnosis Information

    Figure 1-10 Displaying alarm information View Syslog List on the Dashboard page, as shown in Figure 1-11: Figure 1-11 Displaying system log information 1.3.4.1.7 Collecting Device Diagnosis Information
  • Page 52: Checking The Service Operating Status

    You can either view the diagnosis information or export it for backup to facilitate subsequent troubleshooting, as shown in figure 2: Figure 1-13 Displaying or exporting diagnosis information 1.3.4.1.8 Checking the Service Operating Status
  • Page 53 You can use these statistics to determine whether services are normal.
  • Page 54: Saving And Backing Up Important Data

    Step 1 Display the System Update page. On the Web UI, choose System > System Upgrade. On the System Upgrade page, click One-Touch Version Upgrade. Figure 1-17 Displaying the System Update page Step 2 Back up important data.
  • Page 55 Figure 1-18 Interface for displaying upgrade preparation Step 3 Back up User/Group. On the User/Group page, you can export User/Group information as a CSV file, as shown in figure 3:
  • Page 56: Checking The Remaining Space Of The Cf Card

    1. Ensure that the CF card has sufficient space to store the system software to be upgraded. Figure 1-20 Displaying the remaining space of the CF card
  • Page 57: Upgrade Flow

    NOTE Because system software files (*.bin) are large, deleting unwanted system software frees up considerable space on the CF card. 1.3.4.2 Upgrade Flow
  • Page 58 PC2 are the same. If not, upload the file again. Choose System > Configuration File Management. You can view configuration file information in Current System Software and Next Startup System Software. Figure 1-23 Viewing configuration file information
  • Page 59 If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. Step 6 Upload the system software.
  • Page 60 . The Upload File dialog box is displayed. Delete unwanted files if the free space in the CF card is insufficient. Upload a file. Figure 1-26 Uploading a file
  • Page 61 For details, see the description of security policies and content security in USG6000&USG9500 V500R001C80SPC100 Administrator Guide. Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com. Upgrading V500R001 to V500R001C80SPC100.
  • Page 62 – For the upgrade from V500R001C00 to V500R001C80SPC100, if the configuration file is not imported, you are advised to save the current configurations before restarting the device.
  • Page 63: Upgrade Result Verification

    If the login page fails to be displayed, clear the browser cache or use another browser. Figure 1-29 Viewing the running system version In System Software, you can view the running system version and the version for the next startup.
  • Page 64 After you log in to the web UI, check the device operating status on the Dashboard page. Checking the CPU, Memory, and Storage Space Usage View system resource information on the Dashboard page, as shown in figure 5.
  • Page 65 Figure 1-34 Viewing the system information Checking Device Status and Interface Traffic Information View device information on the Dashboard page, as shown in figure 7. Figure 1-35 Viewing the device status
  • Page 66 View alarm information on the Dashboard page, as shown in figure 9. Figure 1-37 Viewing alarm information View system log information on the Dashboard page, as shown in figure 10.
  • Page 67 Figure 1-39 Collecting diagnosis information You can either view the diagnosis information or export it for backup to facilitate subsequent troubleshooting, as shown in figure 12.
  • Page 68: Upgrade Through Cli

    Consult the network administrator to check whether services are running properly. 1.3.5 Upgrade Through CLI 1.3.5.1 Preparations for the Upgrade
  • Page 69: Obtaining Upgrade Files

    (Optional) Dynamic Feature Component Package The file name extension is .mod. You can obtain the file from sec.huawei.com. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.
  • Page 70 As shown in Figure 1, the USG6000 is configured as the FTP server and version software is located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the version software to CF card 1 of the USG6000 through FTP.
  • Page 71 Run the get remote-filename[ local-filename] command to download the file and save it to local directory D:\FTP\Backup. For example, before the upgrade, download the existing version software (for example, V500R001C00SPC300.bin), vrpcfg.zip, Dynamic Feature Component
  • Page 72 Nov 21 2012 05:49:24 ssl.req -rw- 302167 Dec 12 2012 21:02:54 diagnostic-information.txt 1138376 KB total (1161872 KB free) The bold information indicates the remaining space of the CF card.
  • Page 73: Downloading Content Feature Component Packages

    Step 1 Access Huawei security center at http://sec.huawei.com/. (Internet Explorer: version 8.0 or later or Firefox) Step 2 Expand the USG6000 Series tab and select the product model and version, such as USG6680 - V500R001C80SPC100. Step 3 Select and download the component package. The component packages are as follows: URLRMT: component package for the URL remote query feature.
  • Page 74: Upgrade Flow

    NOTE FTP is used as an example. For SFTP file upload and download, see Device Serving as the SFTP Server to Upload or Download Files Through SFTP.
  • Page 75 Step 6 In the user view, run the startup system-software filename command to specify the version software for the next startup of the NGFW. startup system-software USG6000V500R001C80SPC100.bin Info:System software for the next startup:hda1:/USG6000V500R001C80SPC100.bin,
  • Page 76 CSG_H50010000_yyy.mod or URLRMT_H50010000_yyy.mod) of V500R001C80SPC100 to the $_install_mod folder in the CF card of the USG6000. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.
  • Page 77: Upgrade Result Verification

    The following is a sample output for this command. display version Huawei Versatile Routing Platform Software VRP (R) Software, Version 5.160 (USG6620V500R001C80SPC100)
  • Page 78 Copyright (C) 2014-2017 Huawei Technologies Co., Ltd USG6620 uptime is 0 week, 0 day, 17 hours, 53 minutes AV Signature Database Version IPS Signature Database Version : 2017031400 IPS Engine Version : V200R002C00SPC070 SA Signature Database Version : 2017006040 C&C Domain Name Database Version :...
  • Page 79 display device Device status: Slot Sub Type Online Power Register Status Role ------------------------------------------------------------------------------- Present PowerOn Registered Normal Master FIBA Present PowerOn Registered Normal Present PowerOn Registered Normal
  • Page 80: Version Rollback

    Contact the network administrator of the office and check whether the service is normal. 1.3.6 Version Rollback Prerequisites
  • Page 81 – Roll back the version through Web. The detailed procedure is the same as that of upgrading the version software in Web mode. For details, see Upgrade Through Web.
  • Page 82 0 drw- - Nov 26 2015 16:30:18 20151126163018 1 drw- - Nov 26 2015 16:58:56 20151126165855 601,328 KB total (253,232 KB free) cd backup/ cd 20151126163018/ Directory of hda1:/backup/20151126163018/
  • Page 83: Upgrading Version Software In Dual-System Hot Backup

    You must follow a specific procedure and set of principles to upgrade version software in dual-system hot backup networking. The main principle of the upgrade is upgrading the
  • Page 84: Upgrading System Software In Hot Standby Scenarios (Applicable To Versions Later Than V500R001C30Spc300)

    Upgrade the standby FW. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the standby FW to isolate the standby FW.
  • Page 85 Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y Now saving the current configuration to the slot 0..Save the configuration successfully.
  • Page 86 Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'. System will reboot! Continue?[Y/N]:y Step 11 After FW_A is restarted, run the undo shutdown command to enable the heartbeat interface.
  • Page 87: Upgrading System Software In Hot Standby Scenarios (Applicable To Versions Earlier Than V500R001C30Spc300)

    GE1/0/1 the upstream service interface, and GE1/0/3 the downstream service interface. You need to upgrade system software versions of the two FWs to a specified version.
  • Page 88 (standby device). You must run the shutdown command to disable the service interface first and then the heartbeat interface. You can run the shutdown command to disable the heartbeat interface of FW_B but not that of FW_A.
  • Page 89 HRP_M[FW_B] interface GigabitEthernet 1/0/3 HRP_M[FW_B-GigabitEthernet1/0/3] undo shutdown HRP_M[FW_B-GigabitEthernet1/0/3] quit HRP_M[FW_B] interface GigabitEthernet 1/0/1 HRP_M[FW_B-GigabitEthernet1/0/1] undo shutdown HRP_M[FW_B-GigabitEthernet1/0/1] quit Step 6 Set the system software for the next startup of FW_A.
  • Page 90 HRP_M, and the command prompt of FW_B is changed from HRP_M to HRP_S. No or several ping packets (1 to 3 packets, depending on actual network environments) are discarded.
  • Page 91: Appendix A: Upgrading System Software Using Bootrom

    The following section provides an example of how the device downloads the system software from the FTP server. 1.5.2 Upgrade Process Overview Context Figure 1 shows the process for upgrading the system software using BootROM.
  • Page 92: Performing The Upgrade

    Step 3 After the device is powered on, you can run the terminal emulation program on PC1 to check the device startup process. When the following information is displayed, press Ctrl+B within three seconds. Base Bootrom Ver: 021 May 8 2014 15:58:31
  • Page 93 | <0> Return to Main Menu ============================================================ Enter your choice(0-6): In the load and upgrade menu, enter 2 to access the application software upgrade menu. The current parameter settings are displayed.
  • Page 94 Enter your choice(0-2): Enter 1 to download the upgrade file. Using FTP client... File < V500R001C**.bin> 170014779 bytes downloaded. Writing hda1:/V500R001C**.bin, please wait.........................................................................
  • Page 95 | <3> Download File from External Server | <4> Upload File to External Server | <5> Upgrade Extended Bootrom | <6> Upgrade Base Bootrom | <0> Return to Main Menu ============================================================
  • Page 96 | <4> Load and Upgrade Menu... | <5> Modify Bootrom Password | <6> Reset Factory Configuration | <0> Reboot ---------------------------------------------------------| | Press Ctrl+T to Enter Manufacture Test Menu...
  • Page 97: Appendix B : Establishing The Upgrade Environment Through The Console Port

    IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the USG6000 by default. You can use this IP address and the default user name admin and password Admin@123 to log in to the CLI of the USG6000 through Telnet. If the Telnet configuration
  • Page 98 is cancelled or you want to use SSH for the login, log in to the USG6000 from the console port to construct the Telnet or SSH environment. Figure 1 shows the connection for configuring the upgrade environment using the console port.
  • Page 99 Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 4. The communication parameters of COM1 must be the same as those of the console port on the USG6000. Figure 1-50 Setting port properties Step 4 Log in to the NGFW, and enter the CLI.
  • Page 100 1 USG6000 By default, the user name and password are admin and Admin@123 respectively for logging in to the USG6000 through the console port. If you forget the user name and password configured on the console port, see Password of the Console Port Is Forgotten.
  • Page 101: Setting Up An Environment For Upgrading System Software Using Web

    Figure 1 shows the connection for configuring the upgrade environment using the console port. The serial port of the PC is connected to the console port of the USG6000 with a standard serial cable. The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45 console port is used, use the console cable delivered with the USG6000.
  • Page 102 Figure 1-52 Upgrade topology through the console port Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of the PC for connecting to the USG6000 from the Connect using drop-down list box, as shown in Figure 3.
  • Page 103 Step 4 Log in to the USG6000 and access the CLI. By default, user name admin and password Admin@123 are used to log in to the USG6000 through the console port. If you forget the user name and password configured on the console...
  • Page 104: Upgrade Troubleshooting

    Password of the Console Port Is Forgotten Perform the following steps when you forget the password of the console port. Procedure Step 1 Restart the USG6000 and access the BootROM main menu ========================< Main Menu >======================== | <1> Boot System | <2>...
  • Page 105: Appendix C: Uploading And Downloading Files

    As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the USG6000 and upload or download files through FTP. This method requires the third-party FTP server software to be installed on the PC2.
  • Page 106: Device Serving As The Sftp Server To Upload Or Download Files Through Sftp

    Step 2 Log in to the USG6000 from PC1 through Telnet/SSH. Step 3 Log in to the FTP server on the USG6000. Run the ftp ip-address command in the user view to establish an FTP connection to the PC and enter the FTP client view. The following operation assumes that the IP address of the FTP server is 192.168.0.2.
  • Page 107 Configure a local key pair for PC2 and the USG6000. Copy the public key of PC2 to the USG6000. On the USG6000, bind the SSH user to the public key of PC2. Enable SFTP services on the USG6000. Configure the SSH user to log in to the USG6000 from PC2.
  • Page 108 ..++++++++ Step 4 Generate a local key pair on PC2. The local key pair consists of host key and server key. Step 5 Use password RsaKey001 to copy the host key of PC2 to the USG6000. [FW] rsa peer-public-key RsaKey001 Enter "RSA public key"...
  • Page 109: Device Serving As The Tftp Client To Upload Or Download Files Through Tftp

    Step 2 Log in to the USG6000 from PC1 through Telnet/SSH. Step 3 Upload files in storage media of the USG6000 to the TFTP server.
  • Page 110: Appendix D: Applying For A License

    CF card. If no, re-upload the files to ensure that they are completely uploaded to the TFTP server. Step 4 Download files from the TFTP server to CF card of the USG6000. Run the tftp ip-address get source-filename [ destination-filename ] command in the user view to download files from the TFTP server.
  • Page 111 Dashboard page. Figure 1-59 System Information Step 3 Obtain the license file from the license self-service. Log in to the http://app.huawei.com/isdp and obtain the license file according to the procedure in the system help or displayed information. NOTICE To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to the ESN.
  • Page 112: Appendix E: Upgrade Record Table

    1.10 Appendix F: Abbreviations Table 1-7 Abbreviations Authentication, Authorization and Accounting Access Control List Auxiliary port Access Control List Compact Flash Domain Name System Equipment Serial Number
  • Page 113 Remote Authentication Dial in User Service SPUA Service Processing Unit A Secure Shell Transmission Control Protocol TFTP Trivial File Transfer Protocol User Datagram Protocol Virtual Type Terminal
  • Page 114: Usg9500

    For version software, the following scenarios are covered: Upgrade from V500R001C00SPC300 to V500R001C80SPC100 Upgrade from V500R001C00SPC500 to V500R001C80SPC100 Upgrade from V500R001C20SPC100 to V500R001C80SPC100 Upgrade from V500R001C20SPC200 to V500R001C80SPC100 Upgrade from V500R001C20SPC300 to V500R001C80SPC100
  • Page 115 HUAWEI USG6000&USG9500 V500R001C30SPC100&NGFW Module V500R002C00SPC100 Upgrade Guide. V500R001C00SPC300 V500R001C00SPC500 V500R001C20SPC100 V500R001C20SPC200 V500R001C20SPC300 Among them, V500R001C20SPC100, V500R001C20SPC200, and V500R001C20SPC300 can have the patch V500R001SPH002 installed before the upgrade.
  • Page 116: Hardware Support

    2 USG9500 NOTICE 1. Patch upgrades cannot be performed in BootROM. 2. V3 upgrades are not recommended. If there are such requirements, contact Huawei engineers. 3. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Directly roll other versions back to earlier ones.
  • Page 117 Solution: Use the LPUF-101, LPUF-120 or LPUF-240 to replace the LPUF-21 or LPUF-40-A if necessary. Before the upgrade, you must collect information about the boards on the device.
  • Page 118: Upgrade Impact

    Modified features Feature Change Description Cause Impact of the Upgrade The function is Languages of multiple enhanced to SSL VPN None countries are supported. improve user experience.
  • Page 119 None cluster enhanced. protocol, port, and lifetime. The packet loss Session Packet loss logs can be logging function None logs sampled and then sent. is enhanced.
  • Page 120: Impact Of Command Changes

    | rip | pim } ] ] ] session status of each BFD session. [ undo ] ipv6 route-static The command deletes the None track bfd-session session- configured static routes. name STRING<1-15> admindown invalid
  • Page 121 VPN instance. prefix-length [ interface-type interface-number ] [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ track bfd- session ]
  • Page 122 ] [ neighbor-id ] information of all OSPFv3 [ verbose | all ] processes. bfd all-interfaces enable The command enables BFD None in the IS-IS process.
  • Page 123 The command clears the None cache { all | type { bing | cache information about the google | youtube } } secure search function of DNS filtering.
  • Page 124 By default, when a device sends packets to the LDAP server, the IP address of the actual outbound interface is used as the source IP address.
  • Page 125 [ port port-number ] | protocol-number } | existed- time existed-time } * undo cluster session-sync The command deletes None filter id id filtering conditions for cluster session synchronization.
  • Page 126 The value range is STRING<1-256> STRING<1-258> extended. server basedn server basedn The value range is STRING<1-256> STRING<1-258> extended. server searchdn server searchdn The value range is STRING<1-256> STRING<1-258> extended.
  • Page 127 [ vpn-instance [ vpn-instance STRING<1-31> ] The command is STRING<1-31> ] [ X:X::X:X ] repeatedly X:X::X:X [ timeout [ timeout registered. INTEGER<10-120> INTEGER<10-120>
  • Page 128 The command is { tracked-interface | tracked-interface adjusted. tracked-vrrp } reset cluster backup { management-plane reset cluster backup The command is | dataplane } statistics adjusted. statistics
  • Page 129: Impact Of Licenses

    Traffic Detection Content security package (enhanced): provides audit and smart DNS. Enabling multiple content security-related functions simultaneously affects the device processing capability. Therefore, purchase functions as required.
  • Page 130 V500R001C80. It can be set to the package for next startup only in versions earlier than V500R001C80.
  • Page 131: Other Upgrade Impacts

    After the device restart is complete, the converted user information takes effect. – Command lines do not support encoding format rollback. After the transcoding is complete, the old configuration file and user database file are stored.
  • Page 132 If not, the administrator cannot log in to the device. In this case, modify the configuration. To be specific, bind the ACL to the corresponding VPN instance. The
  • Page 133: System Software

    When to restart the USG9500 for the upgrade depends on your requirements. You need to choose a suitable upgrade time to minimize the impacts on services. 2.2.2 Precautions During the upgrade, take the following precautions:
  • Page 134: Upgrade Flow

    Operation Objective Informat Part Run the display device To collect hardware information and information and display esn all the device ESN, including the BOM collectio commands. code.
  • Page 135 Obtaining the Version V500R001C80SPC100 version C80SPC10 Software Required By software. 0 version the Upgrade software paf file Obtaining the Version Select the paf.txt file. Software Required By the Upgrade
  • Page 136 V500R001C80SPC100 but do not save the configuration. device is isolated from the service environ ment) Upgrade Upgrade Verifying the Upgrade To verify the upgrade. verificati verification
  • Page 137: Preparations For The Upgrade

    HUAWEI USG6000&USG9500 V500R001C80SPC100 Release Notes Procedure Step 1 Log in to the homepage of Huawei at . Step 2 If you are not a registered user, you need to go to 3 to register first. If you are already a registered user, go to 4 to log in.
  • Page 138: Downloading Content Security Feature Component Packages

    In V500R001, the following content security features compose the content security component package: file blocking, data filtering, application behavior control, mail filtering, smart DNS, and audit. Procedure Step 1 Access Huawei security center at http://sec.huawei.com/sec. (Internet Explorer: version 8.0 or later or Firefox) Step 2 Expand the USG tab and select the product model and version, such as USG9520 - V500R001C80SPC100.
  • Page 139: Preparing The Upgrade Environment

    USG9500. Currently, the following modes are supported: FTP mode with the USG9500 as the FTP server FTP mode with the USG9500 as the FTP client
  • Page 140 On PC1, log in to the CLI of the USG9500 through Telnet or SSH. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are recommended to use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 for login.
  • Page 141 192.168.0.1 of interface GigabitEthernet 0/0/0 on the MPU and the default user name admin and password Admin@123 to log in to the web UI of the USG9500 through HTTPS. If you
  • Page 142 On PC1, log in to the CLI of the USG9500 through Telnet or SSH. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are recommended to use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 for login.
  • Page 143 You can use only one PC on which you run both the HyperTerminal program and the FTP/TFTP server. To facilitate description, the network using two PCs is used as an example. The following steps apply to this two-PC network.
  • Page 144: Checking The Information About The Current Version Software

    The following uses V500R001C30SPC100 as an example. Part of output is omitted. display version Huawei Technologies Versatile Security Platform Software Software Version: USG9520 V500R001C30SPC100 (VSP (R) Software, Version 5.70) ..In any view, run the display startup command to check the version software and configuration file in use.
  • Page 145 Number of VPN Tunnels-R: 1000000 Number of Virtual Systems: 4095 GTP: Enable 6RD Session Scale: 1280M NAT64 Session Scale: 1280M DS-Lite Session Scale: 1280M Firewall Upgrade Additional Performance: 1280Gbps
  • Page 146: Checking The Running Status Of The Device

    In any view, run the display device command to check the registration status of the boards. In normal cases, the Status column should be Normal. display device
  • Page 147 The following is sample output from this command on GigabitEthernet 1/0/2: display interface GigabitEthernet 1/0/2 GigabitEthernet1/0/2 current state : UP Line protocol current state : UP Description: test
  • Page 148: Backing Up The Important Data In Cf Card

    The following information is displayed: C:\> ftp 192.168.0.1 Connected to 192.168.0.1. 220 FTP service ready. User (192.168.0.1:(none)): ftpuser 331 Password required for ftpuser. Password: 230 User logged in. ftp>
  • Page 149: Checking The Remaining Space Of The Cf Card

    66033 Jan 25 2010 12:10:50 paf.txt -rw- 12757 Jan 25 2010 12:11:02 license.txt -rw- 4545 Sep 25 2009 16:02:46 config.cfg -rw- 216118051 Jan 25 2010 12:15:38 USG9500v500r001c00.cc
  • Page 150: Upgrade Procedure

    2.2.5.1 Upgrade Modes To enable the upgrade from an earlier version to V500R001C80SPC100, select a proper upgrade mode as required, as shown in Table 2. Upgrade modes
  • Page 151 Transmitting the upgrade. the upgrade can be version software performed in this requires the support mode only. of the network environment.
  • Page 152: Upgrade Through Cli

    If the FTP connection established for backing up the important data to CF card 1 remains, perform Step 2; if the FTP connection has timed out, log in again.
  • Page 153 PC2. If no, re-upload the file to ensure that it is completely uploaded to the CF card. ftp> put license_spcxxx.txt ..ftp: 12757 bytes sent in 0.03Seconds 425.23Kbytes/sec.
  • Page 154 Info: Succeeded in setting slave board resource file for system. startup paf paf_spcxxx.txt slave-board Info: Succeeded in setting slave board resource file for system. Step 14 (Optional) Upgrade Content Security Features.
  • Page 155 CSG_H50010000_xxx.mod or URLRMT_H50010000_xxx.mod) of V500R001C80SPC100 to the $_install_mod folder in the CF card of the USG6000. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.
  • Page 156 Before upgrading the signature database, ensure that the activated license file contains the content security function. If the latest signature databases are not required, skip this step. The NGFW will automatically load the default signature databases after startup.
  • Page 157: Upgrade Through Web

    For details, see the chapter "Upgrade Center " in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. Step 17 (Optional) Upload and activate a new license file if required. Skip this step if no new license file is required.
  • Page 158 Management interface is displayed. Click . The Upload File dialog box is displayed. Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 4.
  • Page 159 MPU PAF File Management, Slave MPU License File Management interfaces to configure the current file as the version software used during next startup. Step 6 (Optional) Upgrade sensitive features.
  • Page 160 For details, see the description of security policies and content security in USG6000&USG9500 V500R001C80SPC100 Administrator Guide. Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com. Upgrading V500R001 to V500R001C80SPC100. Move the pointer to...
  • Page 161: Upgrade Through Cf Card

    If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center " in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. ----End 2.2.5.4 Upgrade Through CF Card Upgrade Flow Figure 1 shows the flow of upgrading the version software through CF card.
  • Page 162 In system view, run the diagnose command to access the diagnose view. In the diagnose view, run the undo set bootmode-next fastboot all command. The detailed operations are as follows: system-view [USG9500] diagnose [USG9500-diagnose] undo set bootmode-next fastboot all
  • Page 163 HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. NOTE Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com. download module nextstartup install-module filename CSG_H50010000_xxx.mod next-startup install-module filename URLRMT_H50010000_xxx.mod next-startup After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package.
  • Page 164: Upgrade Through Bootrom

    If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center " in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. ----End 2.2.5.5 Upgrade Through BootROM Context Figure 1 shows the flow of upgrading the version software through BootROM.
  • Page 165 Password: ********** Then access the BootROM main menu. NOTE The default password to access the BootROM main menu is WWW@HUAWEI, which is case sensitive. You are advised to change the default password after login for security. Keep your new password secure.
  • Page 166 255093046 Aug 22 19:20 cfcard:/USG9520V500R001C80SPC100.cc 525361 Sep 2 10:25 cfcard:/private- data.txt 66820 Jul 12 17:26 cfcard:/ patchpackage_0712.pat 991 Aug 5 20:10 cfcard:/ vrpcfg.zip 66852 Aug 12 19:30 cfcard:/
  • Page 167 Enter 1 to delete files from CFcard. cfcard:/USG9520V500R001C80SPC100.cc is used only as an example. You must enter the absolute path. Enter your choice(1-3): 1 CAREFUL! If you delete a directory, all of its contents will be
  • Page 168 USG9500_USG9520V500R001C80SPC100.cc as an example. If this parameter is blank, enter the name of the file that you want to download. If this parameter is a file other than
  • Page 169 Step 10 Repeat step 6 to download paf.txt to CF card 1. If a file of the same name exists on CF card 1, the system displays a message asking whether to overwrite the original file.
  • Page 170 Step 17 In the BootROM main menu, enter 2 to start the device from CF card 1. If both MPUs are in position, insert the cable connected to the console port into the console ports of the master and
  • Page 171 HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. NOTE Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com. download module nextstartup install-module filename CSG_H50010000_yyy.mod next-startup install-module filename URLRMT_H50010000_yyy.mod next-startup After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package.
  • Page 172: Upgrade Result Verification

    If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center " in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. ----End 2.2.6 Upgrade Result Verification 2.2.6.1 Checking the Information About the Current Version Software...
  • Page 173: Checking Whether Boards Have Been Successfully Registered

    Firewall Upgrade Additional Performance: 150Gbps 6RD Session Scale : 16M NAT64 Session Scale : 16M DS-Lite Session Scale: 16M URL Remote Query : Enabled; service expire time: 2023/04/24
  • Page 174: Checking The Running Status Of The Device

    : 2016-01-28 14:12:56 UTC+08:00 Last physical down time : 2016-01-28 13:56:19 UTC+08:00 Max input bit rate: 837731200 bits/sec at 2016-01-28 19:28:32 Max output bit rate: 96 bits/sec at 2016-01-28 14:23:09
  • Page 175: Checking Whether Configurations Are Recovered

    It is recommended that you use Beyond Compare to compare the configuration files before and after upgrade for any difference. If any configuration is lost, use the configuration file before upgrade for recovery or contact technical support personnel.
  • Page 176: Checking Whether Services Are Normal

    The version rollback needs to be implemented if: The device cannot start normally after upgrade, and the current version needs to be rolled back to the previous one.
  • Page 177 cd backup/ cd 20151126163018/ Directory of CFcard:/backup/20151126163018/ Idx Attr Size(Byte) Date Time FileName 0 -rw- 2,375 Nov 26 2015 16:30:18 backcfg.zip 601,328 KB total (253,200 KB free)
  • Page 178: Upgrading Version Software In Dual-System Hot Backup

    The main principle of the upgrade is upgrading the backup device and then the master device independently. Note that the HRP backup channel (the heartbeat line) must be disconnected during the upgrade.
  • Page 179: Upgrading System Software In Hot Standby Scenarios (Applicable To Versions Later Than V500R001C30Spc300)

    FW to isolate the standby FW. After the standby FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface becomes Up, synchronize session
  • Page 180 Now saving the current configuration to the slot 0..Save the configuration successfully. Info: If want to reboot with saving diagnostic information, input 'N' and then e xecute 'reboot save diagnostic-information'. System will reboot! Continue?[Y/N]:y
  • Page 181 Step 11 After FW_A is restarted, run the undo shutdown command to enable the heartbeat interface. HRP_M system-view HRP_M[FW_A] interface GigabitEthernet 1/0/7 HRP_M[FW_A-GigabitEthernet1/0/7] undo shutdown HRP_M[FW_A-GigabitEthernet1/0/7] quit
  • Page 182: Upgrading System Software In Hot Standby Scenarios (Applicable To Versions Earlier Than V500R001C30Spc300)

    GE1/0/1 the upstream service interface, and GE1/0/3 the downstream service interface. You need to upgrade system software versions of the two FWs to a specified version.
  • Page 183 (standby device). You must run the shutdown command to disable the service interface first and then the heartbeat interface. You can run the shutdown command to disable the heartbeat interface of FW_B but not that of FW_A.
  • Page 184 HRP_M[FW_B] interface GigabitEthernet 1/0/3 HRP_M[FW_B-GigabitEthernet1/0/3] undo shutdown HRP_M[FW_B-GigabitEthernet1/0/3] quit HRP_M[FW_B] interface GigabitEthernet 1/0/1 HRP_M[FW_B-GigabitEthernet1/0/1] undo shutdown HRP_M[FW_B-GigabitEthernet1/0/1] quit Step 6 Set the system software for the next startup of FW_A.
  • Page 185 HRP_M, and the command prompt of FW_B is changed from HRP_M to HRP_S. No or several ping packets (1 to 3 packets, depending on actual network environments) are discarded.
  • Page 186: Appendix: Establishing The Upgrade Environment Through The Console Port

    Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the terminal simulation program (for example, Windows XP HyperTerminal) on the PC. The Connection Description dialog box is displayed, as shown in Figure 2.
  • Page 187 Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 4. The communication parameters of COM1 must be the same as those of the console port on the USG9500.
  • Page 188 [USG9500] firewall zone trust [USG9500-zone-trust] add interface GigabitEthernet 1/0/1 [USG9500-zone-trust] quit [USG9500] policy interzone local trust inbound [USG9500-policy-interzone-local-trust-inbound] policy 1 [USG9500-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0 [USG9500-policy-interzone-local-trust-inbound-1] policy destination
  • Page 189: Appendix: Uploading And Downloading Files

    As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the USG9500 and upload or download files through FTP. This method requires the third-party FTP server software to be installed on the PC2.
  • Page 190 Step 5 Download files from the FTP server to storage media of the USG9500. Run the get remote-filename [ local-filename ] command in the FTP client view to download files from the FTP server.
  • Page 191: Device Serving As The Tftp Client To Upload Or Download Files Through Tftp

    [ destination-filename ] command in the user view to upload files to the TFTP server. The following operation assumes that the IP address of the TFTP server is 192.168.0.2. tftp 192.168.0.2 put test.cc
  • Page 192: Device Serving As The Sftp Server To Upload Or Download Files Through Sftp

    Step 2 Log in to the USG9500 from PC1 through Telnet/SSH. Step 3 On the USG9500, create an SFTP user with user name user1 and password Admin@123 and enable the SFTP server service.
  • Page 193: Appendix: Activating The Esn

    Step 1 In the user view, run the system-view command to access the system view. system-view [USG9500] Step 2 Run the diagnose command, and access the diagnose view.
  • Page 194: Appendix: Applying For A License

    If the device has two MPUs, record the ESNs of both the active and standby MPUs. The ESN is case-sensitive. Note the case when you record the ESN. Step 2 Provide the previous information to the local technical support personnel of Huawei. The application will be handled as soon as possible.
  • Page 195: Appendix F: Abbreviations

    Compact Flash Domain Name System Equipment Serial Number File Transfer Protocol Generic Routing Encapsulation GPRS Tunneling Protocol HTTPS Secure HTTP ICMP Internet Control Message Protocol Internet Protocol
  • Page 196 Remote Authentication Dial in User Service SPUA Service Processing Unit A Secure Shell Transmission Control Protocol TFTP Trivial File Transfer Protocol User Datagram Protocol Virtual Type Terminal

This manual is also suitable for:

Usg9500
