Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS"...
The purchased products, services and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
Features wholly or partially, or the provision of Features, Huawei reserves its right to, at its sole discretion, terminate the provision of Features without any liability to the extent permitted by law.
Huawei will not bear any legal obligations or liabilities for the security events (such as personal data leaks) that are not caused by Huawei's misconduct.
1.8 Appendix D: Applying for a License
1.9 Appendix E: Upgrade Record Table
1.10 Appendix F: Abbreviations
1.1 Application Scenarios
This document applies to the USG6000 series. For version software, the following scenarios are covered:
Upgrade from V500R001C00SPC300 to V500R001C80SPC100
Upgrade from V500R001C00SPC500 to V500R001C80SPC100...
1 USG6000
NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V1 upgrades are not recommended. If there are such requirements, contact Huawei engineers.
3. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Directly roll other versions back to earlier ones.
The premise is that you have logged in to the Web environment using the Web UI. If the login using the Web UI is not configured, log in to the USG6000 using the console port to configure the Web environment. For configuration details, see...
Do as follows to configure the USG6000 as the Web server:
Procedure
Step 1 Log in to the USG6000 CLI through Telnet or SSH from PC1. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are recommended to use interface GigabitEthernet 0/0/0 on the USG6000 for login.
(Optional) Local signature database file
The file name extension is .zip. You can obtain the file from http://sec.huawei.com/sec. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.
Step 1 Access Huawei security center at http://sec.huawei.com/. (Internet Explorer: version 8.0 or later or Firefox)
Step 2 Expand the USG6000 Series tab and select the product model and version, such as USG6680 - V500R001C80SPC100.
Step 3 Select and download the component package. The component packages are as follows:
URLRMT: component package for the URL remote query feature.
Note the fields in bold of the Attrib attribute. COMM indicates a commercial license and 2019-06-04 indicates the expiry date of the license. If the license expires, contact Huawei technical support personnel.
Step 2 Apply for a license file. For details on how to apply for a license file, see...
If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
Step 6 Upload the system software.
(Optional) Dynamic Feature Component Package
The file name extension is .mod. You can obtain the file from sec.huawei.com. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.
As shown in Figure 1, the USG6000 is configured as the FTP server and version software is located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the version software to CF card 1 of the USG6000 through FTP.
CSG_H50010000_yyy.mod or URLRMT_H50010000_yyy.mod) of V500R001C80SPC100 to the $_install_mod folder in the CF card of the USG6000. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.
Upgrade Guide 1 USG6000 is cancelled or you desire to use SSH for the login, log in to the USG6000 from the console port to construct the Telnet or SSH environment. Figure 1 shows the connection for configuring the upgrade environment using the console port.
Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 4. The communication parameters of COM1 must be the same as those of the console port on the USG6000.
Figure 1-50 Setting port properties
Step 4 Log in to the NGFW, and enter the CLI.
By default, the user name and password are admin and Admin@123 respectively for logging in to the USG6000 through the console port. If you forget the user name and password configured on the console port, see Password of the Console Port Is Forgotten.
Figure 1 shows the connection for configuring the upgrade environment using the console port. The serial port of the PC is connected to the console port of the USG6000 with a standard serial cable. The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45 console port is used, use the console cable delivered with the USG6000.
Figure 1-52 Upgrade topology through the console port
Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of the PC for connecting to the USG6000 from the Connect using drop-down list box, as shown in Figure 3.
Step 4 Log in to the USG6000 and access the CLI. By default, user name admin and password Admin@123 are used to log in to the USG6000 through the console port. If you forget the user name and password configured on the console...
Password of the Console Port Is Forgotten
Perform the following steps when you forget the password of the console port.
Procedure
Step 1 Restart the USG6000 and access the BootROM main menu.
========================< Main Menu >======================== | <1> Boot System | <2>...
As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the USG6000 and upload or download files through FTP. This method requires the third-party FTP server software to be installed on the PC2.
Step 2 Log in to the USG6000 from PC1 through Telnet/SSH.
Step 3 Log in to the FTP server on the USG6000. Run the ftp ip-address command in the user view to establish an FTP connection to the PC and enter the FTP client view. The following operation assumes that the IP address of the FTP server is 192.168.0.2.
Configure a local key pair for PC2 and the USG6000. Copy the public key of PC2 to the USG6000. On the USG6000, bind the SSH user to the public key of PC2. Enable SFTP services on the USG6000. Configure the SSH user to log in to the USG6000 from PC2.
..++++++++
Step 4 Generate a local key pair on PC2. The local key pair consists of a host key and a server key.
Step 5 Use password RsaKey001 to copy the host key of PC2 to the USG6000.
[FW] rsa peer-public-key RsaKey001
Enter "RSA public key"...
Step 2 Log in to the USG6000 from PC1 through Telnet/SSH.
Step 3 Upload files in storage media of the USG6000 to the TFTP server.
Issue 01 (2018-01-16) Huawei Proprietary and Confidential...
CF card. If not, re-upload the files to ensure that they are completely uploaded to the TFTP server.
Step 4 Download files from the TFTP server to CF card of the USG6000. Run the tftp ip-address get source-filename [ destination-filename ] command in the user view to download files from the TFTP server.
Dashboard page.
Figure 1-59 System Information
Step 3 Obtain the license file from the license self-service. Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure in the system help or displayed information.
NOTICE
To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to the ESN.
2 USG9500
NOTICE
1. Patch upgrades cannot be performed in BootROM.
2. V3 upgrades are not recommended. If there are such requirements, contact Huawei engineers.
3. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Directly roll other versions back to earlier ones.
HUAWEI USG6000&USG9500 V500R001C80SPC100 Release Notes
Procedure
Step 1 Log in to the homepage of Huawei at .
Step 2 If you are not a registered user, you need to go to 3 to register first. If you are already a registered user, go to 4 to log in.
In V500R001, the following content security features compose the content security component package: file blocking, data filtering, application behavior control, mail filtering, smart DNS, and audit.
Procedure
Step 1 Access Huawei security center at http://sec.huawei.com/sec. (Internet Explorer: version 8.0 or later or Firefox)
Step 2 Expand the USG tab and select the product model and version, such as USG9520 - V500R001C80SPC100.
On PC1, log in to the CLI of the USG9500 through Telnet or SSH. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are recommended to use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 for login.
The following uses V500R001C30SPC100 as an example. Part of output is omitted.
display version
Huawei Technologies Versatile Security Platform Software
Software Version: USG9520 V500R001C30SPC100 (VSP (R) Software, Version 5.70)
..
In any view, run the display startup command to check the version software and configuration file in use.
CSG_H50010000_xxx.mod or URLRMT_H50010000_xxx.mod) of V500R001C80SPC100 to the $_install_mod folder in the CF card of the USG6000. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.
For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
Step 17 (Optional) Upload and activate a new license file if required. Skip this step if no new license file is required.
For details, see the description of security policies and content security in USG6000&USG9500 V500R001C80SPC100 Administrator Guide.
Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com.
Upgrading V500R001 to V500R001C80SPC100. Move the pointer to...
If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
----End
2.2.5.4 Upgrade Through CF Card
Upgrade Flow
Figure 1 shows the flow of upgrading the version software through CF card.
HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
NOTE
Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com.
download module nextstartup
install-module filename CSG_H50010000_xxx.mod next-startup
install-module filename URLRMT_H50010000_xxx.mod next-startup
After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package.
If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
----End
2.2.5.5 Upgrade Through BootROM
Context
Figure 1 shows the flow of upgrading the version software through BootROM.
Password: **********
Then access the BootROM main menu.
NOTE
The default password to access the BootROM main menu is WWW@HUAWEI, which is case sensitive. You are advised to change the default password after login for security. Keep your new password secure.
HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
NOTE
Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly parse http://sec.huawei.com.
download module nextstartup
install-module filename CSG_H50010000_yyy.mod next-startup
install-module filename URLRMT_H50010000_yyy.mod next-startup
After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package.
If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.
----End
2.2.6 Upgrade Result Verification
2.2.6.1 Checking the Information About the Current Version Software...
If the device has two MPUs, record the ESNs of both the active and standby MPUs.
The ESN is case-sensitive. Note the case when you record the ESN.
Step 2 Provide the previous information to the local technical support personnel of Huawei. The application will be handled as soon as possible.