Upgrade Guide - Huawei Technical Support

HUAWEI USG6000&USG9500 V500R001C80SPC100 Upgrade Guide Issue 01 Date 2018-01-16 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 01 (2018-01-16) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.

About This Document

Content Conventions
The purchased products, services and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Disclaimer
In response to Customer's explicit request, Huawei makes commercially reasonable efforts to provide the following features (Features):

- The File Blocking function blocks the transmission of specified types of files to prevent downloads of files infected by malware and viruses or uploads of sensitive files to the Internet.

- The Data Filtering function prevents the disclosure of confidential information and blocks unauthorized transmission.

- The Mail Filtering function controls mail sending and receiving to prevent spam, anonymous mails, and data leaks.

- The Application Behavior Control function implements refined control on HTTP- and FTP-based online behavior.

- The SSL-Encrypted Traffic Detection function decrypts SSL-encrypted traffic and then performs content security check and audit on the traffic.

- The URL Session Log function means that the device parses the URL of an accessed website, adds the URL to a session log, and sends the log to a log server.

- The Audit function uses audit policies and audit profiles to record the Internet access behavior for future audit and analysis.

- The Smart DNS function pushes the addresses of servers on the same ISP network as users, so that the users can access the servers on an enterprise network through their own ISP network. This implementation minimizes the access latency and improves service experience.

- The URL Remote Query function extracts URLs from HTTP packets and controls the URLs by category. To be specific, the device analyzes the header of each HTTP request and sends the obtained URL information to a remote URL category server through encrypted packets.

- The Cloud Sandbox detection function extracts the files transferred on the network and sends them to the sandbox system in the cloud for in-depth file inspection to check whether APTs occur. The sandbox then sends the analysis result to the device. Once detecting malicious traffic, the sandbox instructs the device to block the traffic.

Customer and its authorized parties shall, as required by applicable laws and regulations, provide the users, governmental bodies, and any other third parties with necessary information, and obtain and maintain all necessary consents, licenses, and authorizations, when using and maintaining Features. Applicable laws and regulations, user agreements, terms of use, privacy policy or statement, any other lawful agreements (Agreements), and publicly or targeted statements (Statements) shall not be violated. Huawei provides Features to Customer as per Customer's warrants to Huawei that Customer will use and maintain Features as permitted by applicable laws and regulations, Agreements and Statements. Huawei will not bear any legal obligations or liabilities, including but not limited to, claims, liabilities, obligations, costs, expenses, penalties, injunctions, and judgments that are not caused by Huawei's misconduct when Customer and its authorized parties are using and maintaining Features.

In the event that any governmental body adopts laws and regulations, or Customer signs agreements with third parties or makes statements, which materially affect the legitimacy of Features wholly or partially, or the provision of Features, Huawei reserves its right to, at its sole discretion, terminate the provision of Features without any liability to the extent permitted by law.

Encryption Algorithm Declaration
Currently, the device uses the following encryption algorithms: DES, 3DES, AES, RSA, SHA1, SHA2, and MD5. The encryption algorithm depends on the applicable scenario. Use the recommended encryption algorithm; otherwise, security defense requirements may not be met.

- The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) offer low security, which may bring security risks. If the protocol allows, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended.

- For the symmetric encryption algorithm, use AES with a key of 128 bits or more.

- For the asymmetric encryption algorithm, use RSA with a key of 2048 bits or more.

- For the hash algorithm, use SHA2 with a digest length of 256 bits or more.

- For the HMAC algorithm, use HMAC-SHA2.

- SHA2 is an irreversible (one-way) algorithm. An irreversible algorithm must be used for the administrator password.


Personal Data Declaration
Some personal data may be obtained or used during operation or fault location of your purchased products, services, and features. Huawei Technologies Co., Ltd. alone is unable to collect or save the content of users' communications. It is suggested that you activate the user data-related functions based on the applicable laws and regulations in terms of purpose and scope of usage. You are obligated to take considerable measures to ensure that the content of users' communications is fully protected when the content is being used and saved.

Feature Usage Declaration
The IPSec VPN, DSVPN, and SSL VPN functions are not provided in versions shipped to Russia, in accordance with Russian laws.

- The features such as antivirus, IPS, file blocking, data filtering, application behavior control, mail filtering, URL session logs, and URL filtering may involve the collection of users' communication contents such as the browsed websites and transmitted files. You are advised to clear unnecessary sensitive information in a timely manner.

- Antivirus and IPS support attack evidence collection to analyze data packets for viruses or intrusions. However, the attack evidence collection process may involve the collection of users' communication content. The device provides dedicated audit administrators to obtain collected attack evidence. Other administrators do not have such permissions. Please keep the audit administrator account safe and clear the attack evidence collection history in time.

- The audit function is used to record online behaviors, including the collection or storage of browsed web pages, BBS or microblog posts, HTTP/FTP file transfers, email receiving and sending, and IM messages. The device provides dedicated audit administrators to configure audit policies and view audit logs. Other administrators do not have such permissions. Please keep the audit administrator account safe.

- Port mirroring and NetStream are vital to fault diagnosis and traffic statistics and analysis, but may involve the collection of users' communication content. The product provides permission control over such functions. You are advised to clear traffic records after fault diagnosis and traffic analysis.

- The quintuple packet capture function can capture the whole packet content, which may cause the disclosure of users' personal data. When using this function, you must comply with related national laws and regulations and take sufficient measures to protect users' personal data. For example, the technical support personnel cannot perform packet capture without prior consent of customers; in addition, they must delete captured packets immediately after the fault locating is complete. Huawei will not bear any legal obligations or liabilities for the security events (such as personal data leaks) that are not caused by Huawei's misconduct.

- The data feedback function (user experience plan) may involve transferring or processing users' communication contents or personal data. Huawei Technologies Co., Ltd. alone is unable to transfer or process the content of users' communications and personal data. It is suggested that you activate the user data-related functions based on the applicable laws and regulations in terms of purpose and scope of usage.

- The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS. Using FTP, TFTP, or SFTPv1 has potential security risks. SFTPv2 or FTPS is recommended.

- Telnet and STelnetv1&v2 can be used to log in to the device. Using Telnet or STelnetv1 has potential security risks. STelnetv2 is recommended.


- SNMPv1&v2c&v3 can be used to manage network elements. Using SNMPv1&v2c has potential security risks. SNMPv3 is recommended.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Issue 01 (2018-01-16)
Initial commercial release.


Contents

About This Document ..... ii

1 USG6000 ..... 1
1.1 Application Scenarios ..... 1
1.2 Upgrade Impact ..... 3
1.2.1 Impact of the Upgrade from V500R001C80 ..... 3
1.2.1.1 Impact of Feature Changes ..... 3
1.2.1.2 Impact of the Command Changes ..... 6
1.2.1.3 License Impact ..... 18
1.2.1.4 Dynamic Loading ..... 18
1.2.2 Other Upgrade Impacts ..... 21
1.3 Upgrading Version Software in Single-System ..... 27
1.3.1 Upgrade Schemes ..... 27
1.3.2 Precautions ..... 29
1.3.3 Upgrade Flow ..... 29
1.3.4 Upgrade Through Web ..... 32
1.3.4.1 Preparing for the Upgrade ..... 32
1.3.4.1.1 Preparing the Upgrade Environment ..... 32
1.3.4.1.2 Obtaining Upgrade Files ..... 35
1.3.4.1.3 Downloading Content Feature Component Packages ..... 36
1.3.4.1.4 Querying the Current System Software ..... 37
1.3.4.1.5 Checking the Use of Licenses ..... 38
1.3.4.1.6 Checking the Device Operating Status ..... 40
1.3.4.1.7 Collecting Device Diagnosis Information ..... 42
1.3.4.1.8 Checking the Service Operating Status ..... 43
1.3.4.1.9 Saving and Backing Up Important Data ..... 45
1.3.4.1.10 Checking the Remaining Space of the CF Card ..... 47
1.3.4.2 Upgrade Flow ..... 48
1.3.4.3 Upgrade Result Verification ..... 54
1.3.5 Upgrade Through CLI ..... 59
1.3.5.1 Preparations for the Upgrade ..... 59
1.3.5.1.1 Obtaining Upgrade Files ..... 60
1.3.5.1.2 Downloading Content Feature Component Packages ..... 64
1.3.5.2 Upgrade Flow ..... 65
1.3.5.3 Upgrade Result Verification ..... 68
1.3.6 Version Rollback ..... 71
1.4 Upgrading Version Software in Dual-System Hot Backup ..... 74
1.4.1 Overview ..... 74
1.4.2 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Later Than V500R001C30SPC300) ..... 75
1.4.3 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Earlier Than V500R001C30SPC300) ..... 78
1.5 Appendix A: Upgrading System Software Using BootROM ..... 82
1.5.1 Background ..... 82
1.5.2 Upgrade Process Overview ..... 82
1.5.3 Performing the Upgrade ..... 83
1.6 Appendix B: Establishing the Upgrade Environment Through the Console Port ..... 88
1.6.1 Setting Up an Environment for Upgrading System Software Using Telnet/SSH ..... 88
1.6.2 Setting Up an Environment for Upgrading System Software Using Web ..... 92
1.6.3 Upgrade Troubleshooting ..... 95
1.6.3.1 Password of the Console Port Is Forgotten ..... 95
1.7 Appendix C: Uploading and Downloading Files ..... 96
1.7.1 Device Serving as the FTP Client to Upload or Download Files Through FTP ..... 96
1.7.2 Device Serving as the SFTP Server to Upload or Download Files Through SFTP ..... 97
1.7.3 Device Serving as the TFTP Client to Upload or Download Files Through TFTP ..... 100
1.8 Appendix D: Applying for a License ..... 101
1.9 Appendix E: Upgrade Record Table ..... 103
1.10 Appendix F: Abbreviations ..... 103

2 USG9500 ..... 105
2.1 Upgrade Preparation and Evaluation ..... 105
2.1.1 Supported Source Versions ..... 105
2.1.2 Hardware Support ..... 107
2.1.3 Upgrade Impact ..... 109
2.1.3.1 Upgrade Impact from V500R001C80 ..... 109
2.1.3.1.1 Impact of Feature Changes ..... 109
2.1.3.1.2 Impact of Command Changes ..... 111
2.1.3.1.3 Impact of Licenses ..... 120
2.1.3.1.4 Dynamic Loading ..... 120
2.1.3.2 Other Upgrade Impacts ..... 122
2.1.4 System Software ..... 124
2.2 Upgrading Version Software in Single-System ..... 124
2.2.1 Impact of the Upgrade ..... 124
2.2.1.1 Impact on the Current System During the Upgrade ..... 124
2.2.2 Precautions ..... 124
2.2.3 Upgrade Flow ..... 125
2.2.4 Preparations for the Upgrade ..... 128
2.2.4.1 Obtaining the Version Software Required By the Upgrade ..... 128
2.2.4.2 Downloading Content Security Feature Component Packages ..... 129
2.2.4.3 Preparing the Upgrade Environment ..... 130
2.2.4.4 Checking the Information About the Current Version Software ..... 135
2.2.4.5 Checking the License In Use ..... 135
2.2.4.6 Checking the Running Status of the Device ..... 137
2.2.4.7 Backing Up the Important Data in CF Card ..... 139
2.2.4.8 Checking the Remaining Space of the CF Card ..... 140
2.2.5 Upgrade Procedure ..... 141
2.2.5.1 Upgrade Modes ..... 141
2.2.5.2 Upgrade Through CLI ..... 143
2.2.5.3 Upgrade Through Web ..... 148
2.2.5.4 Upgrade Through CF Card ..... 152
2.2.5.5 Upgrade Through BootROM ..... 155
2.2.6 Upgrade Result Verification ..... 163
2.2.6.1 Checking the Information About the Current Version Software ..... 163
2.2.6.2 Checking Whether Boards Have Been Successfully Registered ..... 164
2.2.6.3 Checking License Status ..... 164
2.2.6.4 Checking the Running Status of the Device ..... 165
2.2.6.5 Checking Whether Configurations Are Recovered ..... 166
2.2.6.6 Checking Whether Services Are Normal ..... 167
2.2.6.7 Running Inspection Tool ..... 167
2.2.7 Version Rollback ..... 167
2.3 Upgrading Version Software in Dual-System Hot Backup ..... 169
2.3.1 Overview ..... 169
2.3.2 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Later Than V500R001C30SPC300) ..... 170
2.3.3 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Earlier Than V500R001C30SPC300) ..... 173
2.4 Appendix: Establishing the Upgrade Environment Through the Console Port ..... 177
2.5 Appendix: Uploading and Downloading Files ..... 180
2.5.1 Device Serving as the FTP Client to Upload or Download Files Through FTP ..... 180
2.5.2 Device Serving as the TFTP Client to Upload or Download Files Through TFTP ..... 182
2.5.3 Device Serving as the SFTP Server to Upload or Download Files Through SFTP ..... 183
2.6 Appendix: Activating the ESN ..... 184
2.7 Appendix: Applying for a License ..... 185
2.8 Appendix: Upgrade Record Table ..... 185
2.9 Appendix F: Abbreviations ..... 186

1 USG6000

About This Chapter

1.1 Application Scenarios

1.2 Upgrade Impact

1.3 Upgrading Version Software in Single-System

1.4 Upgrading Version Software in Dual-System Hot Backup

1.5 Appendix A: Upgrading System Software Using BootROM

1.6 Appendix B: Establishing the Upgrade Environment Through the Console Port

1.7 Appendix C: Uploading and Downloading Files

1.8 Appendix D: Applying for a License

1.9 Appendix E: Upgrade Record Table

1.10 Appendix F: Abbreviations

1.1 Application Scenarios

This document applies to the USG6000 series.

For version software, the following scenarios are covered:

- Upgrade from V500R001C00SPC300 to V500R001C80SPC100
- Upgrade from V500R001C00SPC500 to V500R001C80SPC100
- Upgrade from V500R001C20SPC100 to V500R001C80SPC100
- Upgrade from V500R001C20SPC200 to V500R001C80SPC100
- Upgrade from V500R001C20SPC300 to V500R001C80SPC100
- Upgrade from V500R001C30SPC100 to V500R001C80SPC100
- Upgrade from V500R001C30SPC200 to V500R001C80SPC100
- Upgrade from V500R001C30SPC500 to V500R001C80SPC100
- Upgrade from V500R001C30SPC600 to V500R001C80SPC100
- Upgrade from V500R001C50 to V500R001C80SPC100
- Upgrade from V500R001C50SPC100 to V500R001C80SPC100
- Upgrade from V500R001C50SPC200 to V500R001C80SPC100
- Upgrade from V500R001C50SPC300 to V500R001C80SPC100
- Upgrade from V500R001C60 to V500R001C80SPC100
- Upgrade from V500R001C60SPC100 to V500R001C80SPC100
- Upgrade from V500R001C60SPC200 to V500R001C80SPC100
- Upgrade from V500R001C60SPC300 to V500R001C80SPC100
- Upgrade from V500R001C80 to V500R001C80SPC100

NOTICEBefore an upgrade from a patch version, run the patch delete all command to delete thepatch.

The following versions cannot be directly upgraded to V500R001C80SPC100. Instead, theycan be first upgraded to V500R001C30SPC100. For details, see << HUAWEIUSG6000&USG9500 V500R001C30SPC100&NGFW Module V500R002C00SPC100Upgrade Guide >>.

- V500R001C00SPC300
- V500R001C00SPC500
- V500R001C20SPC100
- V500R001C20SPC200
- V500R001C20SPC300

Among them, V500R001C20SPC100, V500R001C20SPC200, and V500R001C20SPC300 can have the patch V500R001SPH002 installed before the upgrade.
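Added example (not Huawei's tooling): a Python planner that encodes the version-path rules of this section, so the versions running across a fleet can be checked before the upgrade is scheduled. The VxxxRyyyCzz[SPCnnn] string format and the rollback notes follow this section's NOTICE items; the function names are my own.

```python
"""Upgrade-path planner for the rules in section 1.1 (added example, not Huawei tooling).

Version strings follow the VxxxRyyyCzz[SPCnnn] pattern used throughout the guide;
patch versions look like VxxxRyyySPHnnn (for example V500R001SPH002)."""
import re
from dataclasses import dataclass
from typing import List, Optional

TARGET = "V500R001C80SPC100"
INTERMEDIATE = "V500R001C30SPC100"

# Source versions the guide lists as directly upgradable to TARGET.
DIRECT_SOURCES = frozenset({
    "V500R001C30SPC100", "V500R001C30SPC200", "V500R001C30SPC500",
    "V500R001C30SPC600", "V500R001C50", "V500R001C50SPC100",
    "V500R001C50SPC200", "V500R001C50SPC300", "V500R001C60",
    "V500R001C60SPC100", "V500R001C60SPC200", "V500R001C60SPC300",
    "V500R001C80",
})
# Versions that must be upgraded to V500R001C30SPC100 first.
TWO_STEP_SOURCES = frozenset({
    "V500R001C00SPC300", "V500R001C00SPC500",
    "V500R001C20SPC100", "V500R001C20SPC200", "V500R001C20SPC300",
})

VERSION_RE = re.compile(r"^V(\d{3})R(\d{3})C(\d{2})(?:SPC(\d{3}))?$")
PATCH_RE = re.compile(r"^V\d{3}R\d{3}SPH\d{3}$")


@dataclass(frozen=True, order=True)
class Version:
    v: int
    r: int
    c: int
    spc: int  # 0 when the string carries no SPC suffix

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = VERSION_RE.match(text.strip())
        if m is None:
            raise ValueError(f"not a VxxxRyyyCzz[SPCnnn] version: {text!r}")
        v, r, c, spc = m.groups()
        return cls(int(v), int(r), int(c), int(spc) if spc else 0)


def is_covered(current: str) -> bool:
    """True when this guide gives an upgrade path from `current` to TARGET."""
    return current in DIRECT_SOURCES or current in TWO_STEP_SOURCES


def plan_upgrade(current: str, patch: Optional[str] = None) -> List[str]:
    """Ordered steps to reach TARGET; ValueError for versions the guide does not cover."""
    Version.parse(current)  # reject malformed input before any table lookup
    if current == TARGET:
        return []
    if not is_covered(current):
        raise ValueError(f"{current} is not a source version covered by this guide")
    steps: List[str] = []
    if patch is not None:
        if PATCH_RE.match(patch) is None:
            raise ValueError(f"not a patch version: {patch!r}")
        # NOTICE in section 1.1: delete the patch before upgrading from a patch version.
        steps.append("patch delete all")
    if current in DIRECT_SOURCES:
        steps.append(f"upgrade {current} -> {TARGET}")
    else:
        steps.append(f"upgrade {current} -> {INTERMEDIATE} "
                     "(see the V500R001C30SPC100 upgrade guide)")
        steps.append(f"upgrade {INTERMEDIATE} -> {TARGET}")
    return steps


def rollback_notes(current: str, target: str) -> List[str]:
    """Preparation the NOTICE items require before rolling `current` back to `target`."""
    cur, tgt = Version.parse(current), Version.parse(target)
    if tgt >= cur:
        raise ValueError(f"{current} -> {target} is not a rollback")
    notes: List[str] = []
    # NOTICE item 3: V500R001C50 and later need the check-mode command before rollback.
    if cur >= Version(500, 1, 50, 0):
        notes.append("run 'set system-software check-mode all' in the system view first")
    # NOTICE item 4: the call-home commands moved from the API view (C30) to the
    # system view (C50) and are lost when a C50 configuration is rolled back to C30.
    if cur.c == 50 and tgt.c == 30:
        notes.append("re-add 'api call-home host' and 'api call-home connect' after rollback")
    return notes


if __name__ == "__main__":
    for step in plan_upgrade("V500R001C20SPC200", patch="V500R001SPH002"):
        print(step)
```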


NOTICE

1. Patch upgrades cannot be performed in BootROM.
2. V1 upgrades are not recommended. If there are such requirements, contact Huawei engineers.
3. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Directly roll other versions back to earlier ones.
4. In V500R001C30, the api call-home host and api call-home connect commands are used in the API view to configure call-home. In V500R001C50, these commands are used in the system view. If you save the configuration in V500R001C50 and then roll back the system to V500R001C30, the two commands are lost. In this case, you must manually add the two commands after rollback.

Note the following items for patch upgrades:

- After activating the patch and setting the startup configuration file, ensure that the patch is in the activated state when the reboot or reboot fast command is used to restart the system. Otherwise, the system restart may fail.
- If the patch is mistakenly deleted and the system restart fails after the startup configuration file is set, you must re-activate the patch and restart the system again. For a high-end firewall with dual MPUs, check whether the patch status of both MPUs is normal. If not, delete the patch and then install and activate it again.

1.2 Upgrade Impact

1.2.1 Impact of the Upgrade from V500R001C80

1.2.1.1 Impact of Feature Changes

New features: None


Modified features

Feature: MAC address-prioritized Portal authentication
Change description: After Portal 2.0 authentication is completed for a user, the user can access the network again within a specific period without the need to re-enter the user name and password.
Cause: The function is enhanced to improve user experience.
Impact of the upgrade: None

Feature: Association between a device and an AD server
Change description: A device can use a specified source IP address to communicate with an AD server.
Cause: The function is enhanced, so that a device can use a specified source IP address to communicate with an AD server. For example, a branch device can use a specified IP address to communicate with an AD server in the headquarters over an IPSec tunnel.
Impact of the upgrade: None

Feature: Security policy
Change description: The vlan-id field is newly supported by the security policy NBI function.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: Configuration management
Change description: When the configuration on a device changes, an alarm is sent to the eSight. The eSight obtains the corresponding configuration from the device based on the alarm information.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: SSL VPN
Change description: Languages of multiple countries are supported.
Cause: The function is enhanced to improve user experience.
Impact of the upgrade: None

Feature: License
Change description: The following two alarms are added: the emergency recovery license is about to expire, and the remaining lifetime is displayed; the emergency recovery license has expired.
Cause: License status can be learned in advance.
Impact of the upgrade: None

Feature: URL/IM audit
Change description: This feature adapts to login logs of WeChat running on iOS V6.5.9, Android V6.6.31, or a later version.
Cause: The function is enhanced to improve user experience.
Impact of the upgrade: None

Feature: PKI
Change description: The CA and device certificates are preconfigured in software packages.
Cause: CA and device certificates are not preconfigured in V500R001C30 and earlier versions. As a result, devices running these versions cannot communicate with the AC-Campus. A certificate is preconfigured in V500R001C80 to allow devices running these versions to communicate with the cloud platform.
Impact of the upgrade: None

Feature: BFD
Change description: BFD for IPv6 is supported.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: Cross-DC cluster
Change description: Cluster sessions to be backed up can be filtered based on the protocol, port, and lifetime.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: Session logs
Change description: Packet loss logs can be sampled and then sent.
Cause: The packet loss logging function is enhanced.
Impact of the upgrade: None

Feature: IPSec
Change description: The maximum IPSec anti-replay window size can be 8K.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: IPSec
Change description: IPSec supports the DH18 algorithm.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: IPSec
Change description: Interworking between multi-VPN instance and IPSec is supported.
Cause: The function is enhanced.
Impact of the upgrade: None

Deleted features: None

1.2.1.2 Impact of Command Changes

New Commands

The upgrade impact of every command listed here is None.

license emergency
  The command enables the license emergency state.

[ undo ] user-manage mac-access enable
  The command enables MAC address-prioritized portal authentication.

undo user-manage mac-access aging-time
  The command restores the MAC entry aging time to the default value.

undo user-manage mac-access no-ack-time
  The command restores the MAC authentication response failure time to the default value.

user-manage mac-access aging-time aging-time
  The command sets the MAC entry aging time.

user-manage mac-access no-ack-time no-ack-time
  The command sets the MAC authentication response failure time.

display user-manage mac-access information
  The command sets the MAC authentication response failure time.

[ undo ] web-manager security verify-ssl-peer
  The command disables bidirectional certificate authentication between the FW and client.

[ undo ] web-manager security ca-certificate ca-certificate-name
  The command enables/disables bidirectional certificate authentication between the FW and client.

[ undo ] banner enable
  The command enables/disables the display of the system banner.

[ undo ] mac-access-profile access-profile-name
  The command binds/unbinds an authentication profile to a MAC access profile.

hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] [ secondary | third ]
  The command configures an HWTACACS accounting server.

ldap-server source { loopback interface-number | ip-address ip-address | vlanif interface-number }
  The command configures the source IP address that a device uses when sending packets to the LDAP server.

undo ldap-server source
  The command restores the default configuration. By default, when a device sends packets to the LDAP server, the IP address of the actual outbound interface is used as the source IP address.

ad-server source { loopback interface-number | ip-address ip-address | vlanif interface-number }
  The command configures the source IP address that a device uses when sending packets to the AD server.

display ike sa [ remote { ipv4-address | ipv6-address } ] [ slot slot-id cpu cpu-id ] [ active | standby ]
  The command displays information about SAs established through IKE negotiation.

display ike sa [ slot slot-id cpu cpu-id ] [ active | standby ] [ remote-id-type remote-id-type ] remote-id remote-id
  The command displays information about SAs established through IKE negotiation.

display ike sa verbose { remote { ipv4-address | ipv6-address } | connection-id connection-id | [ remote-id-type remote-id-type ] remote-id remote-id }
  The command displays information about SAs established through IKE negotiation.

display ike sa [ slot slot-id cpu cpu-id ] { all-systems | vsys vsys-name } [ active | standby ]
  The command displays information about SAs established through IKE negotiation.

[ undo ] flow-vrf check disable
  The command disables/enables the check of the VPN instance in a data flow during IPSec encryption/decryption.

[ undo ] local-id-preference certificate enable
  The command enables/disables the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.

[ undo ] local-id-reflect enable
  The command enables/disables the function of using the local ID of the responder as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation.

display mac-access-profile configuration [ name access-profile-name ]
  The command displays the configuration of a MAC access profile.

[ undo ] mac-access-profile name access-profile-name
  The command creates a MAC access profile and displays the MAC access profile view.

[ undo ] mac-authen reauthenticate
  The command enables re-authentication for online MAC address authentication users.

[ undo ] mac-authen timer reauthenticate-period reauthenticate-period-value
  The command configures the re-authentication interval for online MAC address authentication users.

[ undo ] mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password cipher password ] ] }
  The command configures the user name for MAC address authentication.

display firewall gtp tunnel [ count ] [ slot slot-id cpu cpu-id ]
  The command displays GTP tunnel entry information.

display firewall gtp tunnel { teid teid | apn apn | rai rai } [ slot slot-id cpu cpu-id ]
  The command displays GTP tunnel entry information.

[ undo ] firewall gtp state-check enable
  The command enables/disables the GTP stateful inspection function.

[ undo ] log state-invalid { basic | extended }
  The command enables/disables the GTP packet log function.

firewall gtp state-check action { bypass | block }
  The command configures the action when the GTP stateful inspection function detects an anomaly.

firewall gtp tunnel aging-time time
  The command sets the aging time of a GTP tunnel entry.

reset firewall gtp tunnel { all }
  The command resets GTP tunnel entry information.

undo firewall gtp tunnel aging-time
  The command restores the aging time of a GTP tunnel entry to the default value, namely, 24 hours.

[ undo ] gawa-log non-certificate
  The command configures that server certificate validation is not required during the upload of log files to the FTPS server.

log backup master database
  The command copies the log database monitoring table in the hard disk or SD card to the hda1:/ directory of the CF card for fault locating.

display dns-filter safe-search cache [ slot slot-id cpu cpu-id ]
  The command displays the cache information of the DNS filtering secure search function.

display rm bfd-session [ all | [ [ vpn-instance vpn-instance-name ] [ destination destination-address ] [ source source-address ] [ interface interface-type interface-number ] [ protocol { bgp | isis-l1 | isis-l2 | isis-l1l2 | ospf | rip | pim } ] ] ]
  The command displays the configurations of BFD sessions in Route Management (RM). The configurations include the global status of BFD, the number of BFD sessions, and the VPN instance, destination address, source address, interface, and session status of each BFD session.

[ undo ] ipv6 route-static track bfd-session session-name STRING<1-15> admindown invalid
  The command restores the default configuration.

ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ track bfd-session bfd-name | track nqa admin-name test-name ] [ description text ]
  The command configures an IPv6 static route in a VPN instance.

ipv6 route-static dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ description text ]
  The command configures IPv6 static routes.

ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ preference preference | tag tag ] * [ description text ]
  The command configures IPv6 static routes in a VPN instance.

ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length nexthop-ipv6-address [ public ] [ { preference preference | tag tag } * ] [ track bfd-session bfd-name | track nqa admin-name test-name | inherit-cost ] [ description text ]
  The command configures an IPv6 static route in a VPN instance.

undo ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length [ interface-type interface-number ] [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ track bfd-session ]
  The command deletes a unicast IPv6 static route from a VPN instance.

undo ipv6 route-static track bfd-session [ session-name bfd-name ] admindown invalid
  The command restores the default configuration.

display bgp ipv6 bfd session { [ vpnv6 vpn-instance vpn-instance-name ] peer ipv6-address | all }
  The command displays information about the BFD session set up by BGP.

display bgp ipv6 bfd session all [ vpnv6 vpn-instance vpn-instance-name ]
  The command displays information about the BFD session set up by BGP.

undo peer { ipv4-address | ipv6-address } bfd block
  The command restores a peer to inherit the BFD function from its peer group. By default, the peer inherits the BFD function from its peer group.

undo peer { group-name | ipv4-address | ipv6-address } bfd enable
  The command disables BFD. By default, no BGP session is set up for a peer or peer group.

undo peer { group-name | ipv4-address | ipv6-address } bfd { min-tx-interval min-tx-interval | min-rx-interval min-rx-interval | detect-multiplier multiplier | wtr wtr-value } *
  The command restores the default values of BFD detection parameters.

peer { group-name | ipv4-address | ipv6-address } bfd enable [ single-hop-prefer ]
  The command creates a BFD session for a peer (group).

undo peer { group-name | ipv4-address | ipv6-address } bfd { min-tx-interval | min-rx-interval | detect-multiplier | wtr } *
  The command restores the default values of BFD detection parameters.

display ospfv3 [ process-id ] bfd session [ interface-name | interface-type interface-number ] [ neighbor-id ] [ verbose | all ]
  The command displays bidirectional forwarding detection (BFD) session information of all OSPFv3 processes.

bfd all-interfaces enable
  The command enables BFD on all the interfaces in a RIP process.

bfd all-interfaces { min-transmit-interval min-transmit-value | min-receive-interval min-receive-value | detect-multiplier detect-multiplier-value } *
  The command enables BFD for OSPFv3 or configures bidirectional forwarding detection (BFD) specific parameters for OSPFv3.

ospfv3 bfd block [ instance instance-id ]
  The command blocks the bidirectional forwarding detection (BFD) dynamically created by an interface.

ospfv3 bfd { min-transmit-interval min-transmit-value | min-receive-interval min-receive-value | detect-multiplier detect-multiplier-value } * [ instance instance-id ]
  The command enables bidirectional forwarding detection (BFD) on the specified interface enabled with OSPFv3, or sets the parameter values of a BFD session.

undo bfd all-interfaces enable
  The command enables BFD for OSPF in an OSPF process and sets BFD session parameters.

undo bfd all-interfaces { min-transmit-interval [ min-transmit-value ] | min-receive-interval [ min-receive-value ] | detect-multiplier [ detect-multiplier-value ] } *
  The command disables BFD for OSPFv3 or unconfigures BFD specific parameters for OSPFv3. By default, BFD is not enabled or configured at the OSPFv3 process level.

ospfv3 bfd { min-transmit-interval min-transmit-value | min-receive-interval min-receive-value | detect-multiplier detect-multiplier-value } * [ instance instance-id ]
  The command deletes the BFD on the specified interface, or restores the default parameter values of a BFD session. By default, BFD is not enabled at the OSPFv3 interface level.

[ undo ] ppp accm { accm | enable }
  The command enables/disables the PPP ACCM function.

ip route-static track bfd-session session-name bfd-name admindown invalid
  The command disables the static route bound to a specific BFD session from participating in route selection when the BFD session is Admin down.


Modified Commands

Original command: display healthcheck service [ state { up | down | init } ] [ destination X.X.X.X ] [ protocol { icmp | tcp | http | dns | tcp-simple | radius } ] [ slot STRING<1-256> ] [ verbose ]
New command: display healthcheck service [ state { up | down | init } ] [ destination X.X.X.X ] [ protocol { icmp | tcp | http | dns | tcp-simple | radius | https } ] [ slot STRING<1-256> ] [ verbose ]
Change description: The keyword https is added.
Upgrade impact: None

Original command: display ike sa [ remote X.X.X.X ]
New command: display ike sa [ remote X.X.X.X | remote-id TEXT0 ]
Change description: The keyword remote-id TEXT0 is added.
Upgrade impact: None

Original command: display ike sa verbose { remote X.X.X.X | connection-id INTEGER<1-4294967295> }
New command: display ike sa verbose { remote X.X.X.X | connection-id INTEGER<1-4294967295> | remote-id TEXT0 }
Change description: The keyword remote-id TEXT0 is added.
Upgrade impact: None

Original command: dh { group1 | group2 | group5 | group14 | group15 | group16 | group19 | group20 | group21 } *
New command: dh { group1 | group2 | group5 | group14 | group15 | group16 | group19 | group20 | group21 | group18 } *
Change description: The keyword group18 is added.
Upgrade impact: None

Original command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group19 | dh-group20 | dh-group21 }
New command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group19 | dh-group20 | dh-group21 | dh-group18 }
Change description: The keyword group18 is added.
Upgrade impact: None

Original command: sftp client-transfile { get | put } ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ -vpn-instance vpn-instance-name | prefer_kex { { dh_group1 | dh_group14 | dh_exchange_group } } ] | [ identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ]
New command: sftp client-transfile { get | put } ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ -vpn-instance vpn-instance-name | prefer_kex { { dh_group1 | dh_group14 | dh_exchange_group } } ] | [ identity-key { rsa | dsa | ecc } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * username user-name password password sourcefile source-file [ destination destination ]
Change description: The value range is widened.
Upgrade impact: None

Original command: display black-box information deadloop { slot slot-id | item-id [ off-set ] [ verbose ] }
New command: display black-box information deadloop { slot slot-id | item-id [ off-set ] [ verbose ] }
Change description: Slot ID 1 is changed to 0.
Upgrade impact: None

Original command: display black-box information exception item-id [ slot slot-id ] [ off-set ] [ verbose ]
New command: display black-box information exception item-id [ slot slot-id ] [ off-set ] [ verbose ]
Change description: Slot ID 1 is changed to 0.
Upgrade impact: None

Original command: reset l2tp tunnel { peer-name remote-name | local-id tunnel-id | all }
New command: reset l2tp tunnel { peer-name peer-name | local-id tunnel-id | all }
Change description: The local tunnel ID range is widened from 1-11000 to 1-11050.
Upgrade impact: None

Original command: reset l2tp tunnel { peer-name remote-name | local-id tunnel-id } [ all-systems | vpn-instance vpn-instance ] [ slot slot-id cpu cpu-id ]
New command: reset l2tp tunnel { peer-name remote-name | local-id tunnel-id } [ all-systems | vpn-instance vpn-instance ] [ slot slot-id cpu cpu-id ]
Change description: The local tunnel ID range is widened from 1-11000 to 1-11050.
Upgrade impact: None

Original command: display dot1x variable quiet-entry { all | mac-address | show-count [ { count1 | brief count2 } begin-index ] }
New command: display dot1x variable quiet-entry { all | mac-address | show-count [ { count1 | brief count2 } begin-index ] }
Change description: The count2 and begin-index value ranges are widened.
Upgrade impact: None

Original command: diagnose ipsec peer [ remote-ipv4 | remote-ipv6 ] [ timeout timeout ]
New command: diagnose ipsec peer [ vpn-instance vpn-instance-name ] [ remote-ipv4 | remote-ipv6 ] [ timeout timeout ]
Change description: The vpn-instance keyword is added.
Upgrade impact: None

Original command: undo user user-id
New command: undo user TEXT0
Change description: user-id is changed to TEXT0.
Upgrade impact: None

Original command: hardware fast-forwarding filter advanced { protocol { tcp | udp | sctp | icmp | gre | INTEGER<0-255> | default } { existed-time INTEGER<1-36000> | packet-rate INTEGER<1-65535> | average-packet-length INTEGER<46-9600> | packet INTEGER<2-65535> | byte INTEGER<46-4294967295> } * }&<1-8>
New command: hardware fast-forwarding filter advanced { protocol { tcp | udp | sctp | icmp | gre | INTEGER<0-255> | default } { existed-time INTEGER<1-36000> | packet-rate INTEGER<1-65535> | average-packet-length INTEGER<46-9600> | packet INTEGER<6-65535> | byte INTEGER<46-4294967295> } * }&<1-8>
Change description: The packet value range is changed from 2-65535 to 6-65535.
Upgrade impact: None


Table 1-1 Deleted Commands

Command: statistic enable
Cause of deletion: The VLAN statistics function is not supported.
Impact: The command configuration is lost after the upgrade.

The following commands are deleted because they are not supported in this version. The upgrade impact of each of them is None.

- authentication mode { multi-share | multi-authen [ max-user max-user ] }
- authentication timer handshake-period handshake-period
- undo authentication mode [ multi-authen max-user ]
- undo authentication timer handshake-period
- undo dot1x-access-profile
- display dot1x quiet-user { all | mac-address mac-address }
- display dot1x-access-profile configuration [ name name ]
- [ undo ] access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address
- [ undo ] dot1x mc-trigger port-up-send enable
- [ undo ] dot1x quiet-period
- [ undo ] dot1x reauthenticate
- [ undo ] dot1x unicast-trigger
- access-user arp-detect default ip-address ip-address
- authentication trigger-condition { arp | dhcp } *
- dot1x authentication-method { chap | pap | eap }
- dot1x port-control { auto | authorized-force | unauthorized-force }
- dot1x reauthenticate mac-address mac-address
- dot1x timer reauthenticate-period INTEGER<60-7200>
- dot1x timer { quiet-period INTEGER<1-3600> | tx-period INTEGER<1-120> }
- undo access-user arp-detect default ip-address
- undo authentication trigger-condition [ arp | dhcp ] *
- undo dot1x authentication-method
- undo dot1x port-control
- undo dot1x quiet-times
- undo dot1x retry
- undo dot1x timer client-timeout
- undo dot1x timer reauthenticate-period
- display dot1x version
- reset dot1x statistics
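Added example (not Huawei's tooling): a Python pre-upgrade audit that scans a saved configuration for the commands Table 1-1 lists as deleted, and for the call-home commands that the NOTICE in section 1.1 says are lost on a V500R001C50 to V500R001C30 rollback. The sample configuration is constructed for the example, and the view tracking assumes the usual layout of a saved configuration ('#' separates blocks, view commands start in column 0, commands inside a view are indented by one space).

```python
"""Pre-upgrade configuration audit for the command changes in this guide
(added example, not Huawei tooling)."""
from dataclasses import dataclass
from typing import List, Tuple

NOT_SUPPORTED = "not supported in V500R001C80SPC100 (Table 1-1)"

# Leading keywords of the deleted commands and the consequence the guide states.
# An 'undo ' prefix on a configuration line is stripped before matching, so the
# undo forms in Table 1-1 are covered by the same entries.
DELETED: List[Tuple[str, str]] = [
    ("statistic enable",
     "VLAN statistics are not supported; the command configuration is lost after the upgrade (Table 1-1)"),
    ("authentication mode", NOT_SUPPORTED),
    ("authentication timer handshake-period", NOT_SUPPORTED),
    ("authentication trigger-condition", NOT_SUPPORTED),
    ("access-user arp-detect", NOT_SUPPORTED),
    ("dot1x authentication-method", NOT_SUPPORTED),
    ("dot1x port-control", NOT_SUPPORTED),
    ("dot1x quiet-period", NOT_SUPPORTED),
    ("dot1x quiet-times", NOT_SUPPORTED),
    ("dot1x retry", NOT_SUPPORTED),
    ("dot1x reauthenticate", NOT_SUPPORTED),
    ("dot1x unicast-trigger", NOT_SUPPORTED),
    ("dot1x mc-trigger port-up-send enable", NOT_SUPPORTED),
    ("dot1x timer", NOT_SUPPORTED),
]
# Commands whose configuration is lost on a C50 -> C30 rollback (section 1.1, NOTICE item 4).
ROLLBACK_SENSITIVE = ["api call-home host", "api call-home connect"]
ROLLBACK_NOTE = ("lost when a configuration saved on V500R001C50 is rolled back "
                 "to V500R001C30; re-add manually after rollback")

# Constructed sample configuration; addresses are documentation ranges, not real devices.
SAMPLE_CONFIG = """\
#
 sysname USG6000-branch
#
interface Vlanif10
 ip address 192.0.2.1 255.255.255.0
 statistic enable
#
authentication-profile name corp-portal
 authentication mode multi-authen max-user 256
 authentication timer handshake-period 30
 authentication trigger-condition arp dhcp
#
dot1x-access-profile name corp-dot1x
 dot1x authentication-method eap
 dot1x timer quiet-period 60 tx-period 30
 undo dot1x unicast-trigger
#
api call-home host 192.0.2.100
api call-home connect
#
return
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    view: str
    command: str
    category: str  # "deleted" or "rollback"
    impact: str


def _starts_with_keywords(command: str, keywords: str) -> bool:
    body = command[5:] if command.startswith("undo ") else command
    return body == keywords or body.startswith(keywords + " ")


def audit_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    view = "system"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.strip() in ("#", "return"):
            view = "system"  # '#' closes the current block
            continue
        command = raw.strip()
        in_view = view if raw.startswith(" ") else "system"
        for keywords, impact in DELETED:
            if _starts_with_keywords(command, keywords):
                findings.append(Finding(line_no, in_view, command, "deleted", impact))
                break
        else:
            if any(_starts_with_keywords(command, k) for k in ROLLBACK_SENSITIVE):
                findings.append(Finding(line_no, in_view, command, "rollback", ROLLBACK_NOTE))
        if not raw.startswith(" "):
            view = command  # a column-0 line opens the view for the indented lines after it
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.view}] {f.command}: {f.impact}")
```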

1.2.1.3 License Impact

The license can still be used after the upgrade from V500R001C80 to V500R001C80SPC100.

1.2.1.4 Dynamic Loading


Note that you must dynamically load the dynamic features after the upgrade from V500R001C80 to V500R001C80SPC100. Otherwise, these features are unavailable.

The dynamic loading packages are as follows:

- The content security package is divided into the content security package (basic) and the content security package (enhanced).

  Content security package (basic): provides content security-related functions. The device performance is affected if multiple content security-related functions are enabled. Purchase these functions based on service requirements.

  File filtering: File filtering blocks the specified types of files to prevent downloads of files infected by malware and viruses or uploads of dynamic files to the Internet.
  Content filtering: Content filtering prevents dynamic information leaks.
  Mail filtering: Mail filtering controls email sending and receiving to prevent spam and anonymous mails and data leaks.
  Application behavior control: Application behavior control implements refined control over HTTP- and FTP-based behavior.
  URL session log: URL session log indicates that the device parses the URLs of the accessed websites and then sends these URLs to the log server via session logs.
  SSL-Encrypted Traffic Detection: SSL-Encrypted Traffic Detection is used to decrypt SSL traffic for content security detection and audit.

- Content security package (enhanced): provides audit and smart DNS. Enabling multiple content security-related functions simultaneously affects the device processing capability. Therefore, purchase functions as required.

  Audit: The Audit and audit profile are used to record the Internet access behavior for future audit and analysis.
  Intelligent DNS: Intelligent DNS is used to provide different server IP addresses for different ISP users so that the ISP users can access intranet services using their own ISP networks. In this way, intelligent DNS ensures minimized delay and optimal service experience.

- URL Remote Query package:

  URL remote query: This component is required when the URL filtering function is used to query predefined URL categories. After this component is loaded, the firewall can use the URL remote query function to obtain predefined URL categories.
  URL reputation: This component is required when the URL filtering function is used to detect URL reputation. After this component is loaded, the firewall can check the credibility of URLs and block URLs with low credibility.
  Feedback enhancement: This component is used to enhance the user experience improvement program. After this component is loaded, the firewall provides the function of viewing historical feedback records and detecting and reporting dynamic fields.

- Cloud Sandbox Component Package: In cloud sandbox detection, the device extracts files transmitted over the network and sends them to the cloud sandbox for in-depth detection of whether they contain APT attack traffic. The device periodically obtains analysis results from the sandbox. If the sandbox detects malicious traffic, it instructs the device to block the traffic.

NOTICE

- The dynamic load component package must be compatible with the version software. Therefore, ensure that the component package of the corresponding version is available.
- The dynamic load component package is license-controlled and unavailable by default. You must dynamically load a component package to use the corresponding feature.
- You must dynamically load the dynamic load component package after the upgrade to V5. Otherwise, the corresponding features are unavailable.
- The corresponding feature configurations do not take effect immediately after the dynamic component package is loaded. You must leave the configurations unsaved and restart the device. Then, the device will load and save the configurations and restore services.
- If the version is upgraded to V500R001C80 or a later version for the first time, the matching full content security package can still be used. After the upgrade succeeds, the basic and enhanced content security packages should be used.
- The content security component of V500R001C80 cannot be directly installed and loaded or set to the package for next startup in V500R001C80. It can be set to the package for next startup only in versions earlier than V500R001C80.
- Before the upgrade from versions earlier than V500R001C80 to V500R001C80, the content security package for next startup can be set to the one in V500R001C80, because the versions earlier than V500R001C80 cannot identify the basic content security package or the enhanced content security package.
- After the content security component is upgraded from versions earlier than V500R001C80 to versions later than V500R001C80, the function is not affected, but the basic content security component and enhanced content security component cannot be loaded.
- To upgrade the content security package that has been upgraded from V500R001C60 or earlier versions to V500R001C80, cancel the current package for next startup, set a package for next startup, and restart the device.

1.2.2 Other Upgrade Impacts

1. Impact on NLOG:

Table 1-2 NLog system difference description

Version | Version | Whether Support the Upgrade to V500R001C80SPC100 | Difference from the Source Version
------------------- | --- | --- | ----------------------------------
V500R001C00 | No | Yes | Difference from the Source Version
V500R001C20SPC100 | Yes | Yes | None
V500R001C20SPC200 | Yes | Yes | None

HUAWEI USG6000&USG9500Upgrade Guide 1 USG6000

Issue 01 (2018-01-16) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.


Table 1-2 NLog system difference description (continued)

Version | Version | Whether Support the Upgrade to V500R001C80SPC100 | Difference from the Source Version
------------------- | --- | --- | ----------------------------------
V500R001C20SPC300 | Yes | Yes | None
V500R001C30SPC100 | Yes | Yes | None
V500R001C30SPC200 | Yes | Yes | None
V500R001C30SPC300 | Yes | Yes | None
V500R001C30SPC500 | Yes | Yes | None
V500R001C30SPC600 | Yes | Yes | None
V500R001C50 | Yes | Yes | l Key indicators, such as the number of concurrent connections, the number of new connections, number of online IP addresses, and number of online users are added in the home page.
 | | | l Traffic/session rankings by source address and real-time traffic/session rankings by application are added on the home page.
 | | | l The comprehensive report function is added.
 | | | l Stacking chart, column chart, pie chart, and trend chart of reports are added.
 | | | l Two-level dimension report drilling supports advanced query.
 | | | l Traffic reports by outbound interface are supported, and two-level dimension drilling by application is supported.
 | | | l Threat reports in the attacker or attack target dimension are supported.
V500R001C50SPC100 | Yes | Yes | None
V500R001C50SPC200 | Yes | Yes | None
V500R001C50SPC300 | Yes | Yes | None
V500R001C60 | Yes | Yes | l The user-defined report function is added.
 | | | l The function of exporting reports as a PDF file is supported.
 | | | l Comprehensive Report is changed to Smart Report Search.
 | | | l Cloud application reports are added.
 | | | l Traffic reports/threat reports by security policy are supported.
 | | | l Two-level dimension drilling for traffic reports, threat reports, and URL reports is supported.
V500R001C60SPC100 | Yes | Yes | None
V500R001C60SPC200 | Yes | Yes | None
V500R001C60SPC300 | Yes | Yes | None
V500R001C80 | Yes | Yes | None
V500R001C80SPC100 | Yes | Yes | None

Upgrade Description:

– Upgrade with a hard disk:

i. System software is upgraded.
ii. Service verification succeeds.
iii. After the hard disk goes online, upgrade the log database on the web UI or using the update log database command.

NOTICE

1. In V500R001C50/V500R001C60, the log and report functions are improved. After the upgrade from V500R001C30 or earlier versions to V500R001C50 or later versions, the data structure of the report database is changed. As a result, after the database is upgraded through the web UI or using the update log database command, only log data is reserved, and report data is discarded.

2. After the log database upgrade is complete, you can query historical log data but cannot query historical report data (including traffic maps, threat maps, policy matching analysis, and policy tuning), and system rollback is not supported.

3. After the system software upgrade is complete, manually upgrade logs after the service verification succeeds.

4. The time and time zone after the system software upgrade must be correct.

2. Impact of switching the encoding format to UTF8:

V500R001C80 supports UTF8 encoding. Note the following points when switching the encoding format:

– If there are online users during transcoding, the device is automatically restarted. After the device restart is complete, the converted user information takes effect.

– Command lines do not support encoding format rollback. After the transcoding is complete, the old configuration file and user database file are stored.


  <sysname>dir /charset_backup/
  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-      35,840  Nov 03 2017  15:30:34  usermanage.db
    1  -rw-      59,141  Nov 03 2017  18:20:00  charset_back.cfg

– To roll back to the previous encoding format, copy the file to the hda1 root directory and then set charset_back.cfg as the configuration file for next startup, copy usermanage.db to the umdb/umsystem/ directory to overwrite the user database file, and run the delete log sdb command in the system view to delete log-related files. Then restart the device.

– In the hot standby scenario, the encoding format switching can be performed only in the active/standby hot standby environment but not the load-balancing hot standby environment.

– In the hot standby scenario, complete the encoding format switching on the standby device, perform an active/standby device switchover, and then complete the encoding format switching on the new standby device.

3. DSVPN

DSVPN is incorporated in V500R001C50 and later versions. However, DSVPN does not support hot standby.

NOTE

Although DSVPN does not support service backup between two devices, active/standby hot standby can be implemented for load balancing or fault tolerance. If the active device or the link of a service interface fails, an active/standby device switchover can be performed. The standby device automatically takes over services. Traffic interruption may occur during the active/standby device switchover.

The service restoration time on the active and standby devices is related to the registration interval configured using the nhrp registration interval command and the entry aging time configured using the nhrp entry holdtime seconds command.

4. Impact on MIB nodes:

Use the mapping MIB database.

5. Impact on the signature databases:

After the software version is upgraded, you must upgrade the signature databases as well.

6. Impact on ACLs:

If ACLs are used to control SNMP, SSH, TELNET, WEB, API, FTP, and NTP access, check whether the referenced ACL and the accessed interface are in the same VPN instance. If not, the administrator cannot log in to the device. In this case, modify the configuration. To be specific, bind the ACL to the corresponding VPN instance. The problem will not occur after V1 is upgraded to V500R001C30. For the upgrade from V500R001C00 to V500R001C30 to the current version, check whether the configuration meets the preceding rule. If the ACL should be bound to a VPN instance, bind it. For example, before the modification the ACL is not bound to a VPN instance (acl number 3000). After the modification, the ACL is bound to the corresponding VPN instance (acl number 3000 vpn-instance default).

7. Impact on the SSL VPN client:

– When a plug-in is updated, the local device needs to obtain the new SecoClient.


– During version upgrade, you are advised to upgrade the matching SecoClient program so that new functions can work properly. For example, SecoClient 1.50.2 matches V500R001C50.

8. Impact on the user management database:

The user management database can be smoothly upgraded. To ensure reliability and successful version rollback, you must back up the database to a local PC. For details, see Saving and Backing Up Important Data.

  <FW>dir /umdb/umsystem
  Idx  Attr  Size(Byte)  Date         Time      FileName
    1  -rw-   1,120,256  Nov 22 2007  03:05:16  usermanage.db

9. Impact on the web database:

In V500R001C50 and later versions, the web database type is changed to SQL. The user web database can be upgraded smoothly. However, to ensure availability and version rollback, back up the database to the local PC. That is, you can use FTP to export /hda1/webuserinfo.db from the device.

10. Local sandbox login port change: In V500R001C80SPC100 and later versions, after local sandbox association succeeds, the default port on the System > Sandbox > Local Sandbox > Login to Local Sandbox page on the web UI changes from 443 to 32229.

11. One-click trial of the cloud sandbox function: V500R001C60SPC100 supports the interworking between the FW and the cloud sandbox. The interworking protocol is HTTPS and is determined by the device certificate file. To upgrade a version earlier than V500R001C60SPC100 to V500R001C60SPC100, contact R&D engineers to generate the corresponding device certificate and import it to the device.

12. Impact on patch upgrade:

NOTICE

All patches cannot be upgraded. The patch loading procedure is the same for hot-standby and single-device scenarios. Whether the patch is first loaded to the active or standby device does not affect the patch loading effect.

1.3 Upgrading Version Software in Single-System

1.3.1 Upgrade Schemes

When you upgrade the software version while the device is running, the device must be restarted for the new software version to take effect, which interrupts services.

When to restart the device for the upgrade depends on your requirements. Choose a suitable upgrade time to minimize the impact on services.


Table 1-3 Update Mode

Update Mode | Usage Scenario | Advantages | Prerequisites | Location in the Document
----------- | -------------- | ---------- | ------------- | ------------------------
Web | When the device is running normally and carries service traffic, users familiar with graphical interfaces can use this mode for the upgrade. | This mode applies to all upgrade scenarios. The GUI provides easy operation with visible effects and exerts minimal impacts on services. | This mode applies to all upgrade scenarios. The GUI provides easy operation with visible effects and exerts minimal impacts on services. | Upgrade Through Web
CLI (recommended) | When the device is running normally and carries service traffic, the CLI is recommended for the upgrade. | All versions support this mode. The procedure is simple and exerts a small impact on services. | The network must transmit upgrade files properly during the upgrade. The device needs to be configured as an FTP server, or a third-party FTP server program needs to be configured. | Upgrade Through CLI
BootROM | When the device cannot be started or the version software is faulty, use this mode for the upgrade. | When the device fails and loading system software fails, the upgrade can be performed only in this mode. | The RS-232 cables are used to connect the serial port of the PC and the Console port of the device. The network must transmit upgrade files properly, and therefore the third-party FTP server program is required. The FTP server and management port must be in the same network segment. | Appendix A: Upgrading System Software Using BootROM


1.3.2 Precautions

Precautions

During the upgrade, take the following precautions:

l Ensure the stable power supply during the upgrade and avoid power failures. If the device cannot start normally after a power failure, try to upgrade in BootROM mode. For details, see Appendix A: Upgrading System Software Using BootROM.

l The registration of boards takes a period of time. After the device is restarted, do not perform any operations until all the boards are registered. When you run the display device command to display the registration status of a board, Registered is displayed in the Register field and Normal is displayed in the Status field.

1.3.3 Upgrade Flow

Figure 1 shows the flow for upgrading to V500R001C80SPC100 from an earlier version.

Figure 1-1 Upgrade flowchart

NOTE

For details on how to upgrade the version software using BootROM, see Appendix A: Upgrading System Software Using BootROM.

Table 1 lists the description of each step during the upgrade.


Table 1-4 Preparation before the upgrade

Category | Item | Operation | Objective
-------- | ---- | --------- | ---------
Information collection | Part information | Run the display device and display esn commands. | To collect hardware information including the BOM code.
Information collection | Version information | Run the display version command. | l To collect the software version information.
 | | | l Check whether the associated NMS needs to be upgraded. If the NMS version does not match, do not perform the upgrade.
Information collection | License information | Run the display license command. | To collect the license information.
Data backup | Configuration file | l Web: Save the configuration file and export it to a local PC | To back up the currently used configuration file.
 | | l CLI: Save the configuration file and export it to a local PC | 
Data backup | Software version | l Web: Save the configuration file and export it to a local PC | To back up the currently used software package.
 | | l CLI: Save the configuration file and export it to a local PC | 
Data backup | License file (license.dat) | CLI: Save the configuration file and export it to a local PC | To back up the currently used license file.
Data backup | Patch file | CLI: Save the configuration file and export it to a local PC | To back up the currently used patch file.
Data backup | User management database (usermanage.db) | CLI: Save the configuration file and export it to a local PC | To back up the currently used user management database (upgrade from V500R001 or later versions).
Data backup | Dynamic Feature Component Packages | CLI: Save the configuration file and export it to a local PC | To back up the dynamic feature component files loaded in the system (upgrade from V500R001 or later versions).
Upgrade preparation tool | V500R001 version software | Obtaining Upgrade Files | V500R001C80SPC100 version software
Upgrade preparation tool | V500R001C30 version software | Obtaining Upgrade Files | V500R001C80SPC100 version software
Upgrade preparation tool | (Optional) License file | Obtaining Upgrade Files | V500R001C80SPC100 license file
Upgrade preparation tool | (Optional) Dynamic feature component package | Downloading Dynamic Feature Component Packages | To download the dynamic feature component package.
Upgrade preparation tool | (Optional) Signature database update file | Obtaining Upgrade Files | To update the signature databases.
Configuration analysis | License file analysis | See license impact in Upgrade Impact | To analyze the display license command output and check whether the license file needs to be converted or merged according to the description in section License Impact.
Configuration analysis | Configuration conversion analysis | See "Impact of dynamic Features" in Upgrade Impact | l To search the configuration for dynamic features in V500R001 based on keywords in the current version according to section Impact of dynamic features. These features are license-controlled in V500R001, and you must re-sign a contract with the customer for a new license file. You need to merge the new license file with the original one. The dynamic feature component package needs to be separately downloaded and loaded based on the license.
 | | | l To obtain the dynamic feature component package.
 | | l Web: Importing Files for the Upgrade | l To import the license file.
 | | l CLI: Importing Files for the Upgrade | l To import the configuration file.
 | | | l To import the dynamic feature component package.
 | | | l To specify the startup configuration file.
Upgrade operations (operations performed after the device is isolated from the service environment) | Upgrade to V500R001 | l WEB: Upgrade to V500R001 | l Restart the device to complete the upgrade to V500R001.
 | | l CLI: Upgrade to V500R001 | l To specify the startup configuration file.
 | | | l To load the license file for V500R001 but do not save the configuration.
Upgrade Verification | Upgrade Verification | l WEB: Upgrade Result Verification | Upgrade Result Verification.
 | | l CLI: Upgrade Result Verification | 
Version Rollback | Version Rollback | Version Rollback | l To import backup data.
 | | | l To specify the configuration file for the next startup.
 | | | l (Optional) To apply for the license of the source version and activate it.

1.3.4 Upgrade Through Web

1.3.4.1 Preparing for the upgrade

1.3.4.1.1 Preparing the Upgrade Environment


Prerequisites

To upgrade system software using the Web UI, upload the system software to the CF card of the properly operating USG6000, specify the system software to be used at the next startup, and restart the USG6000.

The premise is that you have logged in to the Web environment using the Web UI. If the login using the Web UI is not configured, log in to the USG6000 using the console port to configure the Web environment. For configuration details, see Setting Up an Environment for Upgrading System Software Using Web.

By default, the device allows an administrator to log in to the web UI using HTTPS.

NOTE

The network using two PCs is used as an example to facilitate description. You can use a single PC as both the Telnet/SSH client and the HTTPS client.

Preparing the Upgrade Tool

Prepare the following tools for the upgrade:

l Login tool
Login tools help you log in to the device on the Web UI. This document uses the tool in Windows (Windows XP+SP2) as an example. The browser of the PC must meet any of the following requirements:
– Internet Explorer: version 8.0 or later
– Firefox (recommended): version 10.0 or later
– Chrome: version 17.0 or later

l File comparison tool
A file comparison tool is used to compare the configuration files before and after the upgrade. Use proven third-party tools, such as Beyond Compare.

Preparing the Upgrade Environment in Web Mode

As shown in Figure 1, the USG6000 is configured as the Web server and the version software is located on PC2. On PC2, log in to the USG6000 using the browser and then upload the version software to the CF card of the USG6000 through Web.

Figure 1-2 Schematic diagram of the USG6000 serving as the Web server


The Web service is enabled on the USG6000 by default. You can use the IP address 192.168.0.1 of interface GigabitEthernet 0/0/0 on the USG6000 and the default user name admin and password Admin@123 to log in to the web UI of the USG6000 through HTTPS. If you have disabled the Web service or deleted the default user, do as follows to reconfigure the service.

NOTE

You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To facilitate description, the network using two PCs is used as an example. The following steps apply to this two-PC network.

Do as follows to configure the USG6000 as the Web server:

Procedure

Step 1 Log in to the USG6000 CLI through Telnet or SSH from PC1. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are advised to use interface GigabitEthernet 0/0/0 on the USG6000 for login. By default, the IP address of interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is admin, and the password is Admin@123.

Step 2 Enter the system view and start the Web service. Configure a user with user name webuser and password Admin@1234 and the level of the Web user. You can use other user names and passwords as required.

  <FW> system-view
  [FW] web-manager enable
  [FW] web-manager security enable port 8443
  [FW] aaa
  [FW-aaa] manager-user admin
  [FW-aaa-manager-user-admin] service-type web telnet ssh
  [FW-aaa-manager-user-admin] level 15
  [FW-aaa-manager-user-admin] password cipher Admin@1234
  Please input old password
  Info: You are advised to config on man-machine mode.
  Info:Total 2 user(s) being cut.
  [FW-aaa-manager-user-admin]
  Info: Receive a message from AAA of cutting user.
  User interface con0 is available
  Please Press ENTER.
  Login authentication
  Username:admin
  Password:
  <FW> system-view
  [FW] interface GigabitEthernet0/0/0
  [FW-GigabitEthernet0/0/0] service-manage enable
  [FW-GigabitEthernet0/0/0] service-manage http permit
  [FW-GigabitEthernet0/0/0] service-manage https permit
  [FW-GigabitEthernet0/0/0] quit

Step 3 On PC2, configure an IP address in the same network segment as GigabitEthernet 0/0/0. Log in to https://192.168.0.1 using the Internet Explorer on PC2 to verify the configurations.


If the login interface of the Web server is displayed in the IE browser, and the login succeeds through admin and Admin@1234, it indicates that you can log in to the Web server normally.

After the configuration is verified, you can either keep this connection for further use, or exit from the Web server and log in to it again when required.

----End

1.3.4.1.2 Obtaining Upgrade Files

Context

Obtain the following files for the upgrade:

1. System software file.

The file name extension is .bin. This document uses USG6000V500R001C80SPC100.bin (about 194,505,771 bytes) and USG6000V500R001C80SPC100PWE.bin (about 170,675,243 bytes) as examples.

2. (Optional) License file

The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file only if you need to apply for a license.

3. (Optional) Sensitive Feature Component Package

The file name extension is .mod. You can obtain the file from http://sec.huawei.com/sec. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.

4. (Optional) Local signature database file

The file name extension is .zip. You can obtain the file from http://sec.huawei.com/sec. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.

Save the files into the root directory (such as D:\Web) of PC2, which serves as the Web browser. You can specify another directory as required.

Obtain the following documents for reference during the upgrade. For example, to upgrade to USG6000&USG9500 V500R001C80SPC100, obtain the following documents:

HUAWEI USG6000&USG9500 V500R001C80SPC100 Upgrade_guide

HUAWEI USG6000&USG9500 V500R001C80SPC100 Release Notes

Procedure

Step 1 Access the home page of .

Step 2 If you are not a registered member of the website, perform 3 to register. If you are a registeredmember, go to 4.

Step 3 Click Register and register as prompted. If the registration succeeds, you will receive youruser name and password.

Step 4 Enter the user name, password, and verification code. Then click Login.


Step 5 To view or download related documentation, log in to , and search for "USG6600", "USG6500", "USG6300", or "USG6100".

----End

1.3.4.1.3 Downloading Content Feature Component Packages

Context

Content feature component packages are not released along with the software package. You must access the security center website and load the packages in online mode, or download and load them locally.

In V500R001C80SPC100, the following content features compose the content security component package: file blocking, data filtering, application behavior control, mail filtering, SSL decryption, smart DNS, URL logging, and audit.

Procedure

Step 1 Access Huawei security center at http://sec.huawei.com/. (Internet Explorer: version 8.0 or later, or Firefox)

Step 2 Expand the USG6000 Series tab and select the product model and version, such as USG6680-V500R001C80SPC100.

Step 3 Select and download the component package. The component packages are as follows:

URLRMT: component package for the URL remote query feature.

CSG: content security component package, including the file blocking, data filtering, mail filtering, application behavior control, audit, URL logging, SSL decryption, and smart DNS features.

NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content feature component packages.

The content feature component package to be loaded must be compatible with the system software.

----End


1.3.4.1.4 Querying the Current System Software

Context

The premise is that you have logged in to the Web environment of the device from PC2 using the Web UI. On the Web UI, you can query the current system software and perform subsequent operations.

After login, you can query the version information of the running system software in System Information on the DashBoard page, as shown in Figure 1-3. V500R002C00SPC100 is used as an example.

Figure 1-3 Interface for displaying system information

Click Upgrade at the right side of Version, as shown in Figure 1-4, to query the existing system software. Record the system software file name for file backup.


Figure 1-4 System update

NOTE

The root directory of the CF card is hda1:/. You can use the system software on the CF card to start the device.

1.3.4.1.5 Checking the Use of Licenses

Context

If no license-controlled function, such as the virtual firewall, the number of concurrent SSL VPN users, and content security function (intrusion prevention/anti-virus/pre-defined URL category query) is used, skip this section.

The licenses can be either commercial or non-commercial:

l Commercial license
A commercial license is purchased under contract.

l Non-commercial license
A non-commercial license is used for test only and is valid usually for three months.

After the version is upgraded to V5, the license validity also has impact on the service availability after the upgrade. Ensure that the current license is within its validity period.

Procedure

Step 1 Check information about the current license. You do not need to apply for another license if the current license does not expire or no function needs to be added. After login, you can query the license information in License Information on the DashBoard page, as shown in Figure 1-5:


Figure 1-5 License information

The preceding information is about an activated license file. Service Expire Time in the figure indicates the expiry time of the IPS/AV signature database upgrade service or the URL predefined category query service, not the expiry time of the license file.

Use the Notepad on the PC to open and check the license file. license.dat is used only as an example. In practice, replace license.dat with the actual file name:

  ........
  Product=FW
  Feature=FWVSYS01
  Esn="030UEKZxxxxxxxxx"
  Attrib="COMM,2019-06-04,60,NULL,NULL,NULL"
  Function="LFWVSYS08=1"
  Resource="LFWVSYS07=700"
  Comment=",,V544HUP32MUW-7W4A"
  Sign=3694DA7AE8190BF77FC8D6A08689E64DCDC1CDB8AE70E625AF2490B755A828D1619795F892C 7708CCDD512AADC816D2C6074CEF5FCFB18305CC6FF87DC2E9E0F1F84C65511344DA2BB3C1F4BD92 B2EECEB8670DDC42DC83385D8DC36B8547638653FFC7CE27A1A09943936B79C3152D73C8C416583F 01B3413518B4B9110A53C9C673C1A56CE6C6FC70877DA393131A6161A4380CA0FF3FEE8E0982ADD3 5E53834F649BF1CC36F4AA6C8BAFE75582A2C5E0D22442F0E929A3A16CC876D2EA0B7932499718F3 2951238DB8BE8D6B31EEEB53CFC34646B2A48A884DEB9DE6569ACC3AA4CBE02214FAED74ACFA66C8 E3191930F53F941BDEED02A717F6154ABB6BC
  ........

Note the first two fields of the Attrib attribute: COMM indicates a commercial license and 2019-06-04 indicates the expiry date of the license.

If the license expires, contact Huawei technical support personnel.

Step 2 Apply for a license file. For details on how to apply for a license file, see Appendix : Applying for a License.

After you obtain the license file, save it in the same directory as the system software.


NOTICE

l Each license file corresponds to one equipment serial number (ESN).

l To successfully activate a license file, ensure that the name of the license file (including the complete absolute path) does not exceed 64 characters. It is recommended that the name of the license file be as short as possible without spaces.
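The license checks described in Step 1 and in the NOTICE above (license type and expiry date from the Attrib field, one ESN per file, file name length) can be scripted before the upgrade window. The following is an added example, not code from the Huawei guide; it assumes the key=value layout shown in the license.dat excerpt, uses the guide's masked ESN and a dummy signature as constructed sample values, and reads the device ESN and the intended file path as plain strings.

```python
"""Added example, not part of the Huawei upgrade guide: pre-upgrade checks on a
license.dat file (license type, expiry date, ESN match, file-name length)."""
import re
from datetime import date

# Constructed sample in the key=value layout the guide shows. The ESN is the
# guide's masked placeholder and the signature is a dummy, not real values.
SAMPLE_LICENSE = """\
Product=FW
Feature=FWVSYS01
Esn="030UEKZxxxxxxxxx"
Attrib="COMM,2019-06-04,60,NULL,NULL,NULL"
Function="LFWVSYS08=1"
Resource="LFWVSYS07=700"
Sign=PLACEHOLDER_SIGNATURE
"""

# key=value or key="value"; the value may itself contain '=' (e.g. Function).
FIELD_RE = re.compile(r'^\s*(\w+)="?([^"]*)"?\s*$')


def parse_license(text):
    """Return the license fields as a dict with surrounding quotes removed."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_attrib(attrib):
    """Split Attrib; the guide documents only its first two fields: the license
    type (COMM = commercial) and the expiry date as YYYY-MM-DD."""
    parts = attrib.split(",")
    if len(parts) < 2:
        raise ValueError("Attrib must have at least a type and an expiry date")
    return parts[0].strip(), date.fromisoformat(parts[1].strip())


def check_license(text, device_esn, license_path, today_iso):
    """Return a list of findings; an empty list means the license is usable.
    device_esn is the value from 'display esn'; license_path is the full path
    the file will have on the device; today_iso is the check date (YYYY-MM-DD)."""
    findings = []
    fields = parse_license(text)
    # Each license file is tied to exactly one ESN.
    if fields.get("Esn") != device_esn:
        findings.append("ESN in the license does not match the device ESN")
    if "Attrib" not in fields:
        findings.append("Attrib field missing")
    else:
        kind, expiry = parse_attrib(fields["Attrib"])
        if kind != "COMM":
            findings.append(f"non-commercial license ({kind}); for test use only")
        if expiry < date.fromisoformat(today_iso):
            findings.append(f"license expired on {expiry.isoformat()}")
    # Activation fails if name plus absolute path exceeds 64 characters;
    # spaces in the name are discouraged.
    if len(license_path) > 64:
        findings.append("license file name including the absolute path exceeds 64 characters")
    if " " in license_path:
        findings.append("license file name contains spaces")
    return findings


if __name__ == "__main__":
    result = check_license(SAMPLE_LICENSE, "030UEKZxxxxxxxxx", "hda1:/license.dat", "2019-01-01")
    for line in result or ["license checks passed"]:
        print(line)
```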

----End

1.3.4.1.6 Checking the Device Operating Status

Prerequisites

After you log in to the Web UI, check the device operating status on the Dashboard page.

Checking the CPU, Memory, and Storage Space Usage

View System Resource on the Dashboard page, as shown in Figure 1-6:

Figure 1-6 Displaying device resource information

Checking System Information

View System Information on the Dashboard page, as shown in Figure 1-7:


Figure 1-7 Displaying system information

Checking Device Status and Interface Traffic Information

View Device Information on the Dashboard page, as shown in Figure 1-8:

Figure 1-8 Displaying the device status

View Traffic History on the Dashboard page, as shown in Figure 1-9:


Figure 1-9 Displaying interface traffic statistics

Checking Alarms and Logs

View Alarm Information on the Dashboard page, as shown in Figure 1-10:

Figure 1-10 Displaying alarm information

View Syslog List on the Dashboard page, as shown in Figure 1-11:

Figure 1-11 Displaying system log information

1.3.4.1.7 Collecting Device Diagnosis Information


Context

The diagnosis information contains the output of multiple commonly used display commands. You can check the operating status of each device module.

On the Web UI, choose Monitor > Diagnosis Center > Diagnosis Information. Click Collect to view device diagnosis information, as shown in figure 1. You can also save the diagnosis information to a text file.

Figure 1-12 Information collecting

You can either view the diagnosis information or export it for backup to facilitate subsequenttroubleshooting, as shown in figure 2:

Figure 1-13 Displaying or exporting diagnosis information

1.3.4.1.8 Checking the Service Operating Status


Checking Session Table Information

On the Web UI, choose Monitor > Session Table to check session table information, asshown in figure 1. Record the session table information before the upgrade. Compare thesession table information before and after the upgrade, so that you can check whether theservices are normal after the upgrade

Figure 1-14 Displaying session table information

Checking Routing Table Information

On the Web UI, choose Network > Router > Routing Table to check routing tableinformation, as shown in figure 2. Record information about the routing table before theupgrade. Compare it with that after the upgrade to check whether services after the upgradeare normal.

Figure 1-15 Displaying routing table information

Checking System Statistics

On the Web UI, choose Monitor > System Statistics to check system statistics as shown. By viewing system statistics, you can learn about statistics on sessions and sent/received/discarded packets of the system. You can use these statistics to determine whether services are normal.


Figure 1-16 Displaying system statistics

1.3.4.1.9 Saving and Backing Up Important Data

Context

Important data includes the current system software, configuration file, license file, patch file, diagnosis file, signature file, and database files for SSL VPN and user management.

NOTE

The license file, signature file, sensitive feature component package, and database files for SSL VPN and user management cannot be exported from the web pages. See Performing the Upgrade Using the CLI.

On the Web UI, you can use One-Touch Version Upgrade to back up important data before the upgrade.

Procedure

Step 1 Display the System Update page. On the Web UI, choose System > System Upgrade. On the System Upgrade page, click One-Touch Version Upgrade.

Figure 1-17 Displaying the System Update page

Step 2 Back up important data.


NOTICE

You need to save the configuration file before backing it up.

On the One-Touch Version Upgrade page, you can export alarms, logs, and configurations and save configurations, as shown in Figure 1-18.

Figure 1-18 Interface for displaying upgrade preparation

Step 3 Back up User/Group.

On the User/Group page, you can export User/Group information as a CSV file, as shown in figure 3:


Figure 1-19 Interface for backing up User/Group information

----End

1.3.4.1.10 Checking the Remaining Space of the CF Card

Checking the Remaining Space

On the One-Touch Version Upgrade page, the remaining space of the CF card is displayed, as shown in figure 1. Ensure that the CF card has sufficient space to store the system software to be upgraded.

Figure 1-20 Displaying the remaining space of the CF card


NOTICE

If the remaining available space of the CF card is insufficient during the one-touch version upgrade, the system automatically deletes the running system software.

Deleting Unnecessary System Software Packages

If the remaining space of the CF card is smaller than the size of the target system software, delete unnecessary files.

On the System Upgrade page, click Select. On the System Software Management page that is displayed, select the unnecessary system software packages and click Delete, as shown in figure 2:

Figure 1-21 Deleting unnecessary system software packages

NOTE

Because the size of system software (*.bin files) is large, deleting unwanted system software can greatly save the space on the CF card.

1.3.4.2 Upgrade Flow


Context

Figure 1-22 Flowchart of the version software upgrade through the Web

Procedure

Step 1 On PC2, open the Internet Explorer, access https://192.168.0.1, and enter user name admin and password Admin@1234 to log in to the NGFW. User name admin and password Admin@1234 are used as an example. You can set another user name and password as required.

Step 2 Upload the system program.

NOTICE

Ensure that a configuration conversion tool is used to convert the original configuration file to a configuration file applicable to the target version. For details, see Configuration Conversion. After the upload succeeds, the Configuration File Management page is displayed. The available configuration files are listed on the page. Check whether the size of the uploaded file in the list and the size of the file on PC2 are the same. If not, upload the file again.

1. Choose System > Configuration File Management. You can view configuration file information in Current System Software and Next Startup System Software.

Figure 1-23 Viewing configuration file information


2. Click Select for the Next Startup System Software. The Configuration File Management page is displayed. Click the upload icon. The Upload File dialog box is displayed. Delete unwanted files if the free space in the CF card is insufficient.

Figure 1-24 Uploading the configuration file

3. Click Browse..., select the configuration file (must be a .cfg file or .zip file) to be uploaded, and click Upload. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card.

During the upload, do not close the Internet Explorer.

Step 3 Specify the configuration file to be used for the next startup. On the Configuration File Management page, click the icon next to the uploaded file and then click OK to specify the file as the configuration file for the next startup.

Step 4 (Optional) Upload and activate a new license file if required. Skip this step if no new license file is required.

Choose System > License Management and use Local Manual Activation to upload a license file and activate it.

Step 5 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the content security function.

If the latest signature databases are not required, skip this step. The NGFW will automatically load the default signature databases after startup.

If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

Step 6 Upload the system software.


1. Choose System > System Upgrade. You can view system software information in System Software.

Figure 1-25 Viewing system software information

2. Click Select for System Software. The System Software Management page is displayed. Click the upload icon. The Upload File dialog box is displayed. Delete unwanted files if the free space in the CF card is insufficient, then upload a file.

Figure 1-26 Uploading a file


NOTICE

The name of the file to be uploaded cannot exceed 48 characters. After the upload succeeds, the System Software Management page is displayed. The corresponding files are listed on the page. Check whether the size of the uploaded file in the list and the size of the file on PC2 are the same. If not, upload the file again.

3. Click Browse..., select the system software (must be a .bin file) to be uploaded, and click Upload. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card.

During the upload, do not close the Internet Explorer.

Step 7 Specify the system software to be used for the next startup. If the file failed to be uploaded, the incomplete uploaded file cannot be deleted immediately; delete the incomplete file after the device is restarted.

On the System Software Management page, click the icon next to the uploaded file and then click OK to specify the file as the system software for the next startup.

Step 8 Restart the device.

Figure 1-27 Reboot

NOTE

If the configuration file for the next startup is imported, restart the device without saving the running configuration. Otherwise, the running configuration will overwrite the imported configuration.

If sensitive features are not involved, the upgrade to V500R001C80SPC100 is complete. Otherwise, go to the next step.

Step 9 (Optional) Upgrade sensitive features.

NOTE

- Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.

- Ensure that the device can access the security center directly or through a proxy server.

- Configure a security policy to permit HTTP and FTP packets when the device directly connects to the security center, or to permit HTTP packets when the device connects to the security center through a proxy server. For details, see the description of security policies and content security in the USG6000&USG9500 V500R001C80SPC100 Administrator Guide.

- Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly resolve http://sec.huawei.com.

- Upgrading V500R001 to V500R001C80SPC100:


  – Content security component package:
    install-module CSG_H50010000_yyy.mod next-startup

  – URL component package:
    install-module URLRMT_H50010000_yyy.mod next-startup

  – Cloud sandbox component package:
    install-module CSB_H50010000_yyy.mod next-startup

1. Move the pointer to the icon on the lower right of the page and click it to open the CLI console. Click any space on the page. If the command prompt <sysname> is displayed, you can perform configurations on the CLI.

2. After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package. The following information is a part of the command output. If the State value is INSTALL_OK, the component package has been successfully loaded.

<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module         Version    InstallTime                  PackageName
------------------------------------------------------------------------
ConSecGroup    1.0.0.0    2015-12-23 11:13:37+00:00    CSG_H50010000_2015123023.mod
URL Filter     1.0.0.0    2015-12-23 11:13:37+00:00    URLRMT_H50010000_2015123023.mod
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot    Type    State         Detail
------------------------------------------------------------------------
-       NP      INSTALL_OK    -
************************************************************************
* URL Filter information, as follows:                                  *
************************************************************************
Slot    Type    State         Detail
------------------------------------------------------------------------
-       NP      INSTALL_OK    -
…………………

NOTICE

– If the configuration file for the next startup is imported, restart the device without saving the running configuration. Otherwise, the running configuration will overwrite the imported configuration.

– For the upgrade from V500R001C00 to V500R001C80SPC100, if the configuration file is not imported, you are advised to save the current configurations before restarting the device.


Step 10 (Optional) Configure the license resource type required by the device.

If the network license is not used, skip this step.

Choose System > License Management, select the corresponding resource type, and click Apply.

Figure 1-28

Step 11 Now, the upgrade to V500R001C30 is complete. The optional follow-up task is to restore and test services.

----End

1.3.4.3 Upgrade Result Verification

Checking the Running Software Version

After the device is started, log in to the web UI, choose System > System Upgrade, and view information about the running system version.

You can click Details to view detailed version information.

NOTE

If the login page fails to be displayed, clear the browser cache or use another browser.

Figure 1-29 Viewing the running system version

In System Software, you can view the running system version and the version for the next startup.


Figure 1-30 Displaying the running system version and the version for the next startup

Choose System > Configuration File Management. You can view the running configurationfile and the configuration file for the next startup.

Figure 1-31 Displaying the running configuration file and the configuration file for the next startup

Checking the License Status

You can query the license information in License Information on the Dashboard page. Skip this step if no function requires a license.

Figure 1-32 Viewing the license information

Checking the Device Operating Status

After you log in to the web UI, check the device operating status on the Dashboard page.

Checking the CPU, Memory, and Storage Space Usage

View system resource information on the Dashboard page, as shown in figure 5.


Figure 1-33 Viewing the system resource information

Checking System Information

View system information on the Dashboard page, as shown in figure 6.

Figure 1-34 Viewing the system information

Checking Device Status and Interface Traffic Information

View device information on the Dashboard page, as shown in figure 7.

Figure 1-35 Viewing the device status


View interface traffic statistics on the Dashboard page, as shown in figure 8.

Figure 1-36 Viewing interface traffic statistics

Checking Alarms and Logs

View alarm information on the Dashboard page, as shown in figure 9.

Figure 1-37 Viewing alarm information

View system log information on the Dashboard page, as shown in figure 10.


Figure 1-38 Viewing system log information

Collecting Device Diagnosis Information

The diagnosis information contains the output of multiple commonly used display commands. You can check the operating status of each device module.

On the web UI, choose Monitor > Diagnosis Center > Diagnosis Info. Click Collect to view device diagnosis information, as shown in figure 11. You can also save the diagnosis information to a text file.

Figure 1-39 Collecting diagnosis information

You can either view the diagnosis information or export it for backup to facilitate subsequent troubleshooting, as shown in figure 12.


Figure 1-40 Viewing or exporting diagnosis information

Checking Whether Configurations Are Recovered

After the system software is upgraded, compare the current configuration file with the configuration file backed up before the upgrade is performed to check whether any configuration is lost or modified.

You can also use Beyond Compare to compare the configuration files before and after the upgrade.

Recover the configuration based on the check result or contact the technical support personnel.

Checking Whether Services Are Normal

Check whether services run properly in either of the following ways:

- Compare the entries (such as routes, session entries, and FIB entries) before and after the upgrade to see if any entry is lost, and check whether the service traffic before and after the upgrade is identical.

- Consult the network administrator to check whether services are running properly.
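The configuration comparison described above can be scripted rather than done by eye. The following Python example is added here and is not Huawei's tool; it splits two VRP-style configuration files (constructed samples, including the version header that legitimately differs after the upgrade) into the "#"-delimited blocks the format uses and reports blocks or lines that were lost or changed:

```python
"""Compare a VRP-style configuration saved before the upgrade with the one
running after it. Added example for this guide, not Huawei code; both
configurations below are constructed samples."""

# Constructed pre-upgrade configuration (the '!' header is the version line).
CONFIG_BEFORE = """\
!Software Version V500R001C00SPC300
#
 sysname NGFW
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.254
#
security-policy
 rule name allow_web
  source-zone trust
  destination-zone untrust
  action permit
#
return
"""

# Constructed post-upgrade configuration: the static route is gone and the
# policy action changed, which is exactly what a post-upgrade check must catch.
CONFIG_AFTER = """\
!Software Version V500R001C80SPC100
#
 sysname NGFW
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
security-policy
 rule name allow_web
  source-zone trust
  destination-zone untrust
  action deny
#
return
"""


def parse_blocks(text):
    """Split a VRP config into '#'-delimited blocks.

    Returns {block header line: [body lines]}. Lines starting with '!'
    (software version and comments) are ignored because they are expected
    to differ after an upgrade; the trailing 'return' block is dropped.
    Indentation is kept so nested policy lines compare exactly.
    """
    blocks = {}
    current = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("!") or not line.strip():
            continue
        if line == "#":
            if current:
                blocks[current[0]] = current[1:]
            current = []
        else:
            current.append(line)
    if current:
        blocks[current[0]] = current[1:]
    blocks.pop("return", None)
    return blocks


def compare_configs(before, after):
    """Report configuration lost or changed between two config files.

    missing_blocks: whole blocks present before but absent after.
    missing_lines / added_lines: per block, lines removed or introduced.
    """
    old, new = parse_blocks(before), parse_blocks(after)
    report = {
        "missing_blocks": sorted(h for h in old if h not in new),
        "missing_lines": {},
        "added_lines": {},
    }
    for header, body in old.items():
        if header not in new:
            continue
        lost = [line for line in body if line not in new[header]]
        gained = [line for line in new[header] if line not in body]
        if lost:
            report["missing_lines"][header] = lost
        if gained:
            report["added_lines"][header] = gained
    return report


if __name__ == "__main__":
    for key, value in compare_configs(CONFIG_BEFORE, CONFIG_AFTER).items():
        print(key, value)
```

In practice, run it on the backed-up vrpcfg.zip contents and the post-upgrade file exported from Configuration File Management; an empty report means nothing was lost or altered.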

1.3.5 Upgrade Through CLI

1.3.5.1 Preparations for the Upgrade


1.3.5.1.1 Obtaining Upgrade Files

Preparing the Upgrade Environment

When the device works properly, you can use the CLI to transfer the version software to the storage media of the device, specify the version software for the next startup, and then restart the device.

In the example, Telnet or SSH login parameters have been set, and you have logged in to the CLI using Telnet or SSH. If Telnet or SSH login parameters are not set, log in to the device from the console port and set the Telnet or SSH login parameters. For details, see Appendix B: Establishing the Upgrade Environment Through the Console Port.

NOTE

You can also use a single PC on which you run both the Telnet/SSH client and the FTP client. For ease of description, a network using two PCs is used as an example. The following steps apply to this two-PC network.

Preparing Upgrade Tools

It is recommended that you prepare the following tools for upgrade:

- Login tool: Login tools help you log in to the device through the console port, Telnet, or SSH. This document uses the tool in Windows as an example. In practice, it is recommended that you use a legitimate third-party tool, for example, SecureCRT, to log the upgrade operations in detail.

- File comparison tool: File comparison tools help you compare the configuration files before and after the upgrade for configuration loss. In practice, it is recommended that you use a legitimate third-party tool, for example, Beyond Compare.

Obtaining Upgrade Files

Obtain the following files for the upgrade:

1. System software file. The file name extension is .bin. This document uses USG6000V500R001C80SPC100.bin (about 194,505,771 bytes) as an example.

2. (Optional) License file. The file name extension is .dat. Based on Checking the Use of Licenses, obtain the file only if you need to apply for a license.

3. (Optional) Dynamic Feature Component Package. The file name extension is .mod. You can obtain the file from sec.huawei.com. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.

4. (Optional) Local signature database file. The file name extension is .zip. You can obtain the file from sec.huawei.com. If the device does not require any content security or the signature database can be upgraded in online mode, the signature database file is not required.


Procedure

1. Access the home page of the support website.

2. If you are not a registered member of the website, perform step 3 to register. If you are a registered member, go to step 4.

3. Click Register and register as prompted. If the registration succeeds, you will receive your user name and password.

4. Enter the user name, password, and verification code. Then click Login.

5. After login, choose Support > Software > Enterprise Networking > Security > Firewall & VPN Gateway. In the navigation tree, choose the corresponding version of V500R001C80SPC100 to display the list of system software and documents. You can download a file by clicking its file name.

Preparing the Environment for the Upgrade Through CLI

The key to the upgrade through the CLI is how to transfer the version software to CF card 1 of the USG6000. Currently, the following modes are supported:

- FTP mode with the USG6000 as the FTP server

- FTP mode with the USG6000 as the FTP client

- TFTP mode with the USG6000 as the TFTP client

- SFTP mode with the USG6000 as the SFTP server

The following is an example in which the USG6000 functions as an FTP server. This method is easy because it does not require a third-party FTP server. For details on other modes, see Appendix C: Uploading and Downloading Files. You are advised to use SFTP so that the file transfer is protected.

As shown in Figure 1, the USG6000 is configured as the FTP server and the version software is located on PC2 serving as the FTP client. On PC2, log in to the FTP server and upload the version software to CF card 1 of the USG6000 through FTP.

Figure 1-41 Schematic diagram of the USG6000 serving as the FTP server

Perform the following steps to configure the USG6000 as the FTP server:

Saving and Backing Up Important Data

1. Save the configuration file.


You must save the configuration file before each upgrade in case some configurations that are not saved during device running are lost when the device is restarted. By default, the configuration file is stored on the CF card. The default loading path is the same as the saving path. Detailed operations are as follows:

<NGFW> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the device......................
Info:The current configuration was saved to the device successfully.
<NGFW> dir
Directory of hda1:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drw-              -  Oct 08 2013 09:17:10   nlog_db
    1  drw-              -  Jul 31 2013 11:15:36   umdb
    2  -rw-           3247  Dec 13 2013 00:42:34   vrpcfg.zip
    3  -rw-           3151  Dec 07 2013 20:52:52   scep_ra.cer
    4  -rw-      194531064  Nov 29 2013 10:29:52   V500R001C00SPC300.bin
    5  -rw-         302167  Dec 12 2013 21:02:54   diagnostic-information.txt

1438376 KB total (861872 KB free)

2. Log in to the NGFW from PC2 using FTP. This document uses the Windows FTP client as an example. In practice, you are advised to use a proven third-party FTP client (such as CuteFTP) to transfer files. The following information is displayed:

C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

3. Set the file transfer mode. Set the directory for saving the backup files on PC2 to D:\FTP\Backup. The folder must already exist. You can specify another directory as required.

ftp> binary                   //Run the binary command to specify file transmission in binary mode.
ftp> lcd "d:\FTP\Backup"      //Set the directory that stores the backup files on PC2.

NOTE

The binary mode is required for file integrity, especially on Linux or Unix systems.

4. Run the get remote-filename [ local-filename ] command to download the file and save it to the local directory D:\FTP\Backup. For example, before the upgrade, download the existing version software (for example, V500R001C00SPC300.bin), vrpcfg.zip, the Dynamic Feature Component Packages ($_install_mod/*.mod), license.dat, and the diagnosis file (for example, diagnostic-info.txt) to PC2 for backup.

ftp> get vrpcfg.zip
ftp> get license.dat
ftp> get V500R001C00SPC300.bin
ftp> get diagnostic-info.txt
ftp> get umdb/umsystem/usermanage.db       //Back up the database file of V500R001C00SPC300.bin to PC2.
ftp> get av_h20010000_2013081700.zip       //Back up the antivirus signature database file of V500R001C00SPC300.bin to PC2.
ftp> get ips_h20010000_2013083100.zip      //Back up the intrusion prevention signature database file of V500R001C00SPC300.bin to PC2.
ftp> get sa_h50010000_2013111300.zip       //Back up the application identification signature database file of V500R001C00SPC300.bin to PC2.
ftp> cd $_install_mod
ftp> get URLRMT_H50010000.mod
ftp> get CSG_H50010000.mod

After the download is complete, check whether the sizes of the files on PC2 are consistent with those in the device. If not, download the files again to ensure that they are completely backed up to PC2.

5. Run the following command to export user and user group data into a CSV file: user-manage user-export { from group group-name | user user-name } to csv-file. For details, see the product documentation. For example:

[sysname] user-manage user-export from group /engineer to abc.csv

Use FTP to download the CSV file from the device directory to PC2. Then check whether the sizes of the files on PC2 are consistent with those in the device. If not, download the files again to ensure that they are completely backed up to PC2.

Checking the Remaining Space

Based on the actual situation, run the dir hda1: command in the user view to check the remaining space on the CF card. Ensure that the available space on the CF card is sufficient for the version software to be upgraded.

<NGFW> dir hda1:
Directory of hda1:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drw-              -  Oct 08 2012 09:17:10   nlog_db
    1  drw-              -  Jul 31 2012 11:15:36   umdb
    2  -rw-        4351023  Aug 02 2012 15:15:10   autotest2.cfg
    3  -rw-           8192  Dec 11 2012 23:31:58   userinfo.db
    4  -rw-           3247  Dec 13 2012 00:42:34   vrpcfg.zip
    5  -rw-           9747  Dec 05 2012 01:33:32   tete.cfg
    6  -rw-           3151  Dec 07 2012 20:52:52   scep_ra.cer
    7  -rw-           9394  Aug 08 2012 07:53:20   test1.cfg
    8  drw-              -  Sep 25 2012 12:37:44   history
    9  -rw-           1037  Nov 15 2012 00:11:52   offline.req
   10  -rw-      168509595  Nov 16 2015 05:44:36   V500R001C00SPC300.bin
   11  -rw-         608656  Nov 15 2012 07:54:00   url.sdb
   12  -rw-            987  Nov 21 2012 05:27:26   certcrl.crl
   13  -rw-            948  Nov 21 2012 05:49:24   ssl.req
   14  -rw-         302167  Dec 12 2012 21:02:54   diagnostic-information.txt

1138376 KB total (1161872 KB free)

The last line of the output (the "KB free" value) indicates the remaining space of the CF card.


Deleting Unnecessary Files

If the remaining space is smaller than the size of the target version software, delete unnecessary files. In the user view, run the delete /unreserved hda1:/filename command to delete unnecessary files from the CF card.

<NGFW> delete /unreserved hda1:/test1.cfg
The contents cannot be recycled!!! Delete hda1:/test1.cfg?[Y/N]:y
%Deleting file hda1:/test1.cfg...Done!

It takes a long time to delete the *.bin file. Please wait and do not restart the device.

Files are deleted and cannot be restored after the delete command with the /unreserved parameter is executed. If the /unreserved parameter is not specified, the files are stored in the recycle bin. To optimize space for the CF card, run the reset recycle-bin hda1: command to empty the recycle bin.

NOTE

Because the version software (*.bin file) is large, deleting unwanted version software can release large space on the CF card.

You cannot delete the software that is running.
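The free-space check in this section and the "compare the size on the CF card with the size on PC2" checks after each FTP transfer can be automated from the dir hda1: output. The following Python example is added here and is not Huawei code; it parses a constructed listing in the layout shown above, decides whether the target .bin fits, lists the .bin files that are candidates for deletion (never the running software), and verifies that a transferred file has the same size as the local copy:

```python
"""Parse a VRP-style 'dir hda1:' listing from the USG6000 and run the
pre-upgrade space and post-transfer size checks. Added example for this
guide, not Huawei code; the listing below is a constructed sample."""
import re
from dataclasses import dataclass

# Constructed sample of 'dir hda1:' output in the layout the guide shows.
SAMPLE_DIR = """\
Directory of hda1:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  drw-              -  Oct 08 2012 09:17:10   nlog_db
    1  drw-              -  Jul 31 2012 11:15:36   umdb
    2  -rw-           3247  Dec 13 2012 00:42:34   vrpcfg.zip
    3  -rw-           3151  Dec 07 2012 20:52:52   scep_ra.cer
    4  -rw-      168509595  Nov 16 2015 05:44:36   V500R001C00SPC300.bin
    5  -rw-      180123456  Mar 01 2016 10:00:00   V500R001C30SPC100.bin
    6  -rw-         302167  Dec 12 2012 21:02:54   diagnostic-information.txt

1438376 KB total (861872 KB free)
"""

# One entry line: index, attributes, size in bytes ('-' for directories),
# "Mon DD YYYY HH:MM:SS", file name.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([d-]rw-)\s+(\d+|-)\s+"
    r"\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$"
)
FREE_RE = re.compile(r"(\d+) KB total \((\d+) KB free\)")


@dataclass
class DirEntry:
    name: str
    is_dir: bool
    size: int  # bytes; 0 for directories


def parse_dir(output):
    """Return (entries, free_kb) from a 'dir hda1:' listing."""
    entries, free_kb = [], None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _, attr, size, name = m.groups()
            entries.append(DirEntry(name, attr.startswith("d"),
                                    0 if size == "-" else int(size)))
            continue
        m = FREE_RE.search(line)
        if m:
            free_kb = int(m.group(2))
    if free_kb is None:
        raise ValueError("free-space summary line not found in dir output")
    return entries, free_kb


def space_check(output, target_size_bytes, running_software):
    """Decide whether the target system software fits on the CF card.

    deletable_bins lists other *.bin files that could be removed to free
    space; the running software is excluded because it cannot be deleted.
    """
    entries, free_kb = parse_dir(output)
    free_bytes = free_kb * 1024
    deletable = [e.name for e in entries
                 if not e.is_dir and e.name.lower().endswith(".bin")
                 and e.name != running_software]
    return {
        "fits": free_bytes >= target_size_bytes,
        "free_bytes": free_bytes,
        "shortfall": max(0, target_size_bytes - free_bytes),
        "deletable_bins": deletable,
    }


def verify_upload(output, filename, local_size):
    """After put/get, confirm the copy on the CF card has the local size."""
    entries, _ = parse_dir(output)
    return any(e.name == filename and e.size == local_size for e in entries)


if __name__ == "__main__":
    # 194,505,771 bytes is the example size of USG6000V500R001C80SPC100.bin.
    print(space_check(SAMPLE_DIR, 194505771, "V500R001C00SPC300.bin"))
    print(verify_upload(SAMPLE_DIR, "vrpcfg.zip", 3247))
```

Paste the real dir hda1: output into parse_dir and use the local file size from PC2 (for example os.path.getsize) as local_size.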

1.3.5.1.2 Downloading Content Feature Component Packages

Context

Content feature component packages are not released along with the software package. You must access the security center website and load the packages in online mode, or download and load them locally.

In V500R001C80SPC100, the following content features compose the content security component package: file blocking, data filtering, application behavior control, mail filtering, SSL decryption, smart DNS, URL logging, and audit.

Procedure

Step 1 Access Huawei security center at http://sec.huawei.com/. (Internet Explorer: version 8.0 or later, or Firefox)

Step 2 Expand the USG6000 Series tab and select the product model and version, such as USG6680 - V500R001C80SPC100.

Step 3 Select and download the component package. The component packages are as follows:

URLRMT: component package for the URL remote query feature.

CSG: content security component package, including the file blocking, data filtering, mail filtering, application behavior control, audit, URL logging, SSL decryption, and smart DNS features.


NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content feature component packages.

The content feature component package to be loaded must be compatible with the system software.

----End

1.3.5.2 Upgrade Flow

Context

Figure 1-42 Flowchart of the version software upgrade through the CLI

NOTE

FTP is used as an example. For SFTP file upload and download, see Device Serving as the SFTP Server to Upload or Download Files Through SFTP.


Procedure

Step 1 Log in to the NGFW from PC2 using FTP. This document uses the Windows FTP client as an example. In practice, you are advised to use a proven third-party FTP client (such as CuteFTP) to transfer files.

The following information is displayed:

C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

Step 2 Set the file transfer mode. Set the directory for saving upgrade-related files on PC2 to D:\FTP. The folder must already exist. You can specify another directory as required.

ftp> binary          //Run the binary command to specify file transmission in binary mode.
ftp> lcd D:\FTP      //Set the directory that stores the files required for the upgrade on PC2.

Step 3 Run the put command to upload the USG6000V500R001C80SPC100.bin file to the CF card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.

ftp> put D:\FTP\USG6000V500R001C80SPC100.bin

Depending on the network conditions, the upload of the version software may take some time. Please wait. After the upload is complete, check whether the size of the file in the CF card is consistent with that on PC2. If not, upload the file again to ensure that the file is completely uploaded to the CF card.

NOTICE

Convert the configuration file of the original version to that of V500R001C80SPC100. For details, see Configuration Conversion.

Step 4 Run the put command to upload the configuration file that has been converted (for example, vrpcfg_new.cfg) to the CF card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.

ftp> put D:\FTP\vrpcfg_new.cfg

After the upload is complete, check whether the size of the file in the CF card is consistent with that on PC2. If not, upload the file again to ensure that the file is completely uploaded to the CF card.

Step 5 When the file upload is complete, exit the FTP environment. Log in to the CLI of the NGFW through Telnet or SSH from PC1.

Step 6 In the user view, run the startup system-software filename command to specify the version software for the next startup of the NGFW.

<NGFW> startup system-software USG6000V500R001C80SPC100.bin
Info:System software for the next startup:hda1:/USG6000V500R001C80SPC100.bin, start read file....
Succeeded in setting the software for booting system.

Step 7 In the user view, run the startup saved-configuration filename command to specify the configuration file for the next startup of the NGFW as the uploaded file.

<NGFW> startup saved-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.

Step 8 (Optional) Upload and activate a new license file if required. Skip this step if no new license file is required.

Run the put command to upload the new license file (for example, license_new.dat) to the CF card of the NGFW. The name of the file to be uploaded cannot be the same as the name of any existing file in the CF card. If a file with the same name already exists in the CF card, the file is replaced by the uploaded file.

Run the license active file filename command in the system view to activate the license file.

[NGFW] license active license_new.dat Info:License is successfully activated.

Step 9 (Optional) Update the signature databases of the security functions.

Before upgrading a signature database, ensure that the activated license file contains the content security function.

If the latest signature databases are not required, skip this step. The NGFW automatically loads the default signature databases after startup.

If the latest signature databases are required, you can upgrade them in either online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

Step 10 (Optional) Upgrade the content security features.

Run the put command to upload the content security feature component package of V500R001C80SPC100 (such as CSG_H50010000_yyy.mod or URLRMT_H50010000_yyy.mod) to the $_install_mod folder on the CF card of the USG6000. Do not reuse the name of an existing file on the CF card: if a file with the same name already exists, it is overwritten by the uploaded file.

NOTICE
- If no content security feature is involved, skip this step.
- Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
- Obtain the component package from the security center (http://sec.huawei.com) in advance and upload it to the $_install_mod folder in the root directory. Then load the component package as follows.

Upgrading the content security feature component package applies to the following scenario:
- Upgrading V500R001 to V500R001C80SPC100:
install-module CSG_H50010000_yyy.mod next-startup
install-module URLRMT_H50010000_yyy.mod next-startup

After the configuration is complete, run the display module-information verbose command to view details on the dynamically loaded component package. The following is part of the command output. If the State value is INSTALL_OK, the component package has been loaded successfully.

<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module          Version   InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup     1.0.0.0   2015-12-23 11:13:37+00:00  CSG_H50010000_yyy.mod
URL Filter      1.0.0.0   2015-12-23 11:13:37+00:00  URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot  Type  State       Detail
------------------------------------------------------------------------
-     NP    INSTALL_OK  -
************************************************************************
* URL Filter information, as follows:                                  *
************************************************************************
Slot  Type  State       Detail
------------------------------------------------------------------------
-     NP    INSTALL_OK  -
…………………

Step 11 Restart the NGFW.

NOTICE
- If a configuration file for the next startup has been imported (Step 7), restart the device without saving the running configuration; if the reboot command offers to save the modified configuration, answer N. Otherwise, the running configuration overwrites the imported configuration.
- For the upgrade from V500R001 to V500R001C80SPC100, if no configuration file is imported, you are advised to save the current configuration before restarting the device.

<FW> reboot fast

Now the upgrade to V500R001C80SPC100 is complete. The optional follow-up task is to restore and test services.

----End

1.3.5.3 Upgrade Result Verification

Checking the Information About the Current Version Software

After the device is started, log in to the CLI. In any view, run the display version command to check the information about the running version software. The following is sample output for this command.

<sysname> display version
Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.160 (USG6620V500R001C80SPC100)
Copyright (C) 2014-2017 Huawei Technologies Co., Ltd
USG6620 uptime is 0 week, 0 day, 17 hours, 53 minutes
AV Signature Database Version :
IPS Signature Database Version : 2017031400
IPS Engine Version : V200R002C00SPC070
SA Signature Database Version : 2017006040
C&C Domain Name Database Version :
IP Reputation Database Version :
Location Database Version : 2016010414
SDRAM Memory Size : 4096 M bytes
Flash Memory Size : 16 M bytes
NVRAM Memory Size : 1024 K bytes
CF Card Memory Size : 2048 M bytes
RPU version information :
1. PCB Version : VER.A
2. CPLD Version : 110
3. BootROM Version : 103 Apr 2 2015 14:04:09
4. BootLoad Version : 103 Apr 2 2015 14:08:13
5. Disk 1 Firware Version :
6. DiskIO Firware Version : 0x0
Slot 1 :
FIB version information :
1. PCB Version : VER.A
2. Board Type : FIBA
3. CPLD Version : 112

Confirm that the version string in parentheses ends with V500R001C80SPC100.

Then run the display startup command in any view to check the current version software and configuration file, and those for the next startup.

<sysname> display startup
MainBoard:
Configured startup system software: hda1:/V500R001C80SPC100.bin
Startup system software: hda1:/V500R001C80SPC100.bin
Next startup system software: hda1:/V500R001C80SPC100.bin
Startup saved-configuration file: hda1:/vrpcfg_new.cfg
Next startup saved-configuration file: hda1:/vrpcfg_new.cfg
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: NULL
Next startup patch package: NULL

Confirm that Startup system software and Next startup system software both point to the V500R001C80SPC100 package and that Startup saved-configuration file is the converted file you uploaded (vrpcfg_new.cfg in this example). If Next startup system software still names the old package, the device reverts to it on the next reboot.

Checking License Status
Run the display license command in any view to check the license status.

<sysname> display license
Device ESN is: 210235XXXXXXXXXXXXXX
The file activated is: hda1:/license.dat
The time when activated is: 2018/01/23 14:02:20
The time when expired is: 2018/08/20
Virtual System: 1000
SSL VPN Concurrent User: 5000
Content Security Group: Enabled
Encryption Function: Enabled
IPS : Enabled; service expire time: 2022/05/03
Anti Virus : Enabled; service expire time: 2022/05/03
URL Filter : Enabled; service expire time: 2022/05/03

Check that a license file is activated, that its expiry date has not passed, and that the functions you rely on (for example IPS, Anti Virus and URL Filter) are shown as Enabled.

Checking the CPU and Memory Usage
In any view, run the display cpu-usage command to check the CPU usage.

[sysname] cpu-usage monitor
<sysname> display cpu-usage
CPU Usage Stat. Cycle: 10 (Second)
CPU Usage : 13.0% Max: 14.2%
CPU Usage Stat. Time : 2016-09-18 22:12:58
CPU utilization for ten seconds: 13.0% : one minute: 13.0% : five minutes: 13.0%

In any view, run the display health command to check the CPU and memory usage.

<sysname> display health
System Memory Usage Information:
System memory usage at 2016-11-17 21:10:41
-------------------------------------------------------------------------------
Slot  Total Memory(MB)  Used Memory(MB)  Used Percentage  Upper Limit
-------------------------------------------------------------------------------
0     7850              4789             60%              95%
-------------------------------------------------------------------------------
System CPU Usage Information:
System cpu usage at 2016-11-17 21:10:41
-------------------------------------------------------------------------------
Slot  CPU Usage  Upper Limit
-------------------------------------------------------------------------------
0     13%        80%
-------------------------------------------------------------------------------

If the CPU and memory usage before and after the upgrade differ only slightly, the device is running properly. Compare against the values you recorded before the upgrade.

Checking the Registration Status of Interface Cards

Run the display device command in any view to check the registration status of the interface cards.

<sysname> display device
Device status:
Slot  Sub  Type  Online   Power    Register    Status  Role
-------------------------------------------------------------------------------
0     -    RPU   Present  PowerOn  Registered  Normal  Master
1     -    FIBA  Present  PowerOn  Registered  Normal  NA
6     -    PWR   Present  PowerOn  Registered  Normal  NA
7     -    FAN   Present  PowerOn  Registered  Normal  NA

In normal cases, the interface card status is Normal. If the Status field shows Abnormal, the interface card in that slot is not running properly.

If the interface cards in certain slots do not work properly, contact technical support personnel.

Collecting Device Diagnosis Information
In the diagnose view, run the display diagnostic-information filename command to collect the diagnosis information of the device.

[sysname-diagnose] display diagnostic-information hda1:/diagnostic-information_new.txt
Now saving the diagnostic information to the device.............................
................................................................................
..................
info: The diagnostic information was saved to the device successfully.

The diagnosis information is saved in the specified file (hda1:/diagnostic-information_new.txt in this example). Back up this file to facilitate subsequent troubleshooting. It contains the full device configuration, so store it with the same care as the configuration backup.

Checking Whether Configurations Are Recovered
After the system is upgraded to V500R001C80SPC100, the implementation and CLI change. Compare the current configuration with the configuration file backed up to the CF card before the upgrade to check whether any configuration has been lost or modified.

You can also use Beyond Compare to compare the configuration files from before and after the upgrade.

Recover the configuration based on the check result, or contact technical support personnel.

Checking Whether Services Are Normal
There are two methods of checking whether services are normal:

- Collect several tables (routing table, FIB table, MAC table and session table) and compare them with those collected before the upgrade to check whether entries have been lost, and check whether the amount of service traffic after the upgrade is approximately the same as before.

- Contact the network administrator of the site and check whether services are normal.
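The checks in this section can be scripted so that they are applied the same way on every device. The following Python script is an added example and is not part of the Huawei guide: it parses the text of display version, display startup, display license and display device (the sample outputs below are constructed from the listings in this section) and returns a list of findings, so an empty list means the upgrade result looks correct. The expected version, configuration file name and reference date are parameters you supply.

```python
"""Post-upgrade checks for a USG6000/USG9500, run against the text of
'display version', 'display startup', 'display license' and 'display device'.
verify_upgrade() returns a list of findings; an empty list means all checks passed."""
import re
from datetime import date


def running_version(version_out):
    """'VRP (R) Software, Version 5.160 (USG6620V500R001C80SPC100)' -> token in parentheses."""
    m = re.search(r"Version\s+\S+\s+\(([^)]+)\)", version_out)
    return m.group(1) if m else None


def parse_startup(startup_out):
    """'display startup' as a dict. Values may contain ':' themselves (hda1:/...),
    so split on the first ': ' only; stray blanks such as 'hda1:/ file.bin' are dropped."""
    fields = {}
    for line in startup_out.splitlines():
        if ": " in line:
            key, value = line.strip().split(": ", 1)
            fields[key] = value.replace(" ", "")
    return fields


def parse_license(license_out):
    """Activated file, expiry date and per-feature Enabled/Disabled state."""
    m_file = re.search(r"The file activated is:\s*(\S+)", license_out)
    m_exp = re.search(r"The time when expired is:\s*(\d{4})/(\d{2})/(\d{2})", license_out)
    features = dict(re.findall(r"^\s*([A-Za-z ]+?)\s*:\s*(Enabled|Disabled)", license_out, re.M))
    return {"file": m_file.group(1) if m_file else None,
            "expires": date(*map(int, m_exp.groups())) if m_exp else None,
            "features": features}


# One row of 'display device': Slot Sub Type Online Power Register Status Role
_DEVICE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_device(device_out):
    rows = []
    for line in device_out.splitlines():
        m = _DEVICE_ROW.match(line)
        if m:
            slot, _sub, typ, _online, _power, register, status, _role = m.groups()
            rows.append({"slot": int(slot), "type": typ, "register": register, "status": status})
    return rows


def verify_upgrade(version_out, startup_out, license_out, device_out,
                   expected_version, expected_cfg, today):
    findings = []
    ver = running_version(version_out)
    if not ver or not ver.endswith(expected_version):
        findings.append("running version %s is not %s" % (ver, expected_version))
    st = parse_startup(startup_out)
    sw, nxt = st.get("Startup system software", ""), st.get("Next startup system software", "")
    if sw != nxt:  # the box would boot something else on the next reboot
        findings.append("next-startup software %s differs from running software %s" % (nxt, sw))
    if not sw.endswith(expected_version + ".bin"):
        findings.append("startup software %s is not the %s package" % (sw, expected_version))
    for key in ("Startup saved-configuration file", "Next startup saved-configuration file"):
        if not st.get(key, "").endswith(expected_cfg):
            findings.append("%s is %s, not %s" % (key, st.get(key), expected_cfg))
    lic = parse_license(license_out)
    if not lic["file"]:
        findings.append("no license file is activated")
    elif lic["expires"] is not None and lic["expires"] <= today:
        findings.append("license expired on %s" % lic["expires"])
    for row in parse_device(device_out):
        if row["register"] != "Registered" or row["status"] != "Normal":
            findings.append("slot %d (%s): %s/%s" % (row["slot"], row["type"], row["register"], row["status"]))
    return findings


# Constructed sample outputs, modelled on the listings in the upgrade guide.
SAMPLE_VERSION = """Huawei Versatile Routing Platform Software
VRP (R) Software, Version 5.160 (USG6620V500R001C80SPC100)
USG6620 uptime is 0 week, 0 day, 17 hours, 53 minutes
"""
SAMPLE_STARTUP = """MainBoard:
  Configured startup system software:    hda1:/V500R001C80SPC100.bin
  Startup system software:               hda1:/V500R001C80SPC100.bin
  Next startup system software:          hda1:/ V500R001C80SPC100.bin
  Startup saved-configuration file:      hda1:/vrpcfg_new.cfg
  Next startup saved-configuration file: hda1:/vrpcfg_new.cfg
  Startup patch package:                 NULL
"""
SAMPLE_LICENSE = """Device ESN is: 210235XXXXXXXXXXXXXX
The file activated is: hda1:/license.dat
The time when activated is: 2018/01/23 14:02:20
The time when expired is: 2018/08/20
Virtual System: 1000
Content Security Group: Enabled
IPS : Enabled; service expire time: 2022/05/03
"""
SAMPLE_DEVICE = """Device status:
Slot  Sub  Type  Online   Power    Register    Status  Role
-------------------------------------------------------------------------------
0     -    RPU   Present  PowerOn  Registered  Normal  Master
1     -    FIBA  Present  PowerOn  Registered  Normal  NA
7     -    FAN   Present  PowerOn  Registered  Normal  NA
"""

if __name__ == "__main__":
    print(verify_upgrade(SAMPLE_VERSION, SAMPLE_STARTUP, SAMPLE_LICENSE, SAMPLE_DEVICE,
                         "V500R001C80SPC100", "vrpcfg_new.cfg", date(2018, 1, 24)))
```

In practice you would capture the four outputs over SSH before and after the reboot and run the same function on both captures; a finding on the post-upgrade capture that was absent before is what needs attention.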

1.3.6 Version Rollback

Prerequisites

NOTICE
1. Before rolling V500R001C50 or a later version back to an earlier version, run the set system-software check-mode all command in the system view. Other versions can be rolled back directly.

2. Before rolling back to the original version, make sure that the corresponding configuration file (backed up before the upgrade) is loaded on the CF card of the device and is specified as the file for the next startup with the startup saved-configuration cfg-filename command. Then restart the device. This avoids configuration loss caused by CLI differences between versions.

3. Ensure that the user management database usermanage.db (hda1:/umdb/umsystem/usermanage.db) corresponding to the source version is uploaded to the device.

4. Upload the content security feature component package (*.mod) corresponding to the source version to the device.

5. When V500R001C30 is upgraded to V500R001C50 or later, the file hda1:/svndb/system/vgsysteminfo.db is generated to record upgrade information because the SSL VPN database type changes. After rolling the current version back to V500R001C30, you need to delete the vgsysteminfo.db file before upgrading again to V500R001C50 or later. Otherwise, SSL VPN data cannot be written to the database after the upgrade, and SSL VPN data modified while the rolled-back version was running is lost.

6. After V500R001C30 is upgraded to a version later than V500R001C50, PKI virtualization is supported, and the PKI certificate configuration file ca_config.ini moves from the root directory to the pki/public directory. When the current version is rolled back to V500R001C30 and the PKI service configuration is modified, the /pki/public/ca_config.ini file needs to be deleted. Otherwise, the follow-up upgrade does not trigger the PKI service upgrade, and the PKI certificate configuration is lost after the upgrade.

7. In the hot standby scenario, during a version rollback from V500R001C80 or later to V500R001C60 or earlier, SSL VPN users need to log in again.

Application Scenario

The version rollback needs to be implemented if:

- The device cannot start normally after the upgrade, and the current version needs to be rolled back to the previous one.

In this case, roll the version back to the backed-up source version in BootROM mode. The procedure is the same as that for upgrading the version software in BootROM mode. For details, see Appendix A: Upgrading System Software Using BootROM.

- The device starts normally after the upgrade, but a certain function does not run normally, and therefore the current version needs to be rolled back to the previous one.

In this case, you can use any of the following modes to roll back the version:

– Roll back the version through the command line. The procedure is the same as that for upgrading the version software in CLI mode. For details, see Upgrade Through CLI.

– Roll back the version through the web UI. The procedure is the same as that for upgrading the version software in web mode. For details, see Upgrade Through Web.

– Roll back the version using BootROM. The operations are the same as those for upgrading the system software using BootROM. For details, see Appendix A: Upgrading System Software Using BootROM.

– Roll back the version in one-click mode.

Log Rollback Description
- Rollback with a disk

a. The user has not manually updated the log database: roll back to the source version directly.

b. The user has manually updated the log database:

NOTICE
Because the database format differs, the following operations clear all logs.

i. Before rolling back from V500R001C80SPC100, format the disk.
<system> system-view
[system] disk offline //Take the hard disk offline
[system] diagnose
[system-diagnose] reset disk

ii. In the system view, run the delete log sdb command to delete the IDNAME log file.

One-Click Version Rollback

NOTICE
- If the hda1:/backup/yyyyMMddHHmmss folder does not exist, one-click version rollback fails.
- Version rollback does not roll back the license. If the license files of the source and target versions differ, use the corresponding backup license or re-apply for a license, and load the license file manually according to the product documentation.

Rollback operations:

1. Check that the backup files (backcfg.zip, usermanage.db, userinfo.db) are available. They should be in the hda1:/backup/yyyyMMddHHmmss/ folder. If the backup files are unavailable, the following steps cannot be performed.
<FW> dir backup/    //Check whether the backup files are in the backup folder.
Directory of hda1:/backup/

Idx  Attr  Size(Byte)  Date         Time      FileName
0    drw-  -           Nov 26 2015  16:30:18  20151126163018
1    drw-  -           Nov 26 2015  16:58:56  20151126165855

601,328 KB total (253,232 KB free)
<FW> cd backup/
<FW> cd 20151126163018/
<FW> dir
Directory of hda1:/backup/20151126163018/

Idx  Attr  Size(Byte)  Date         Time      FileName
0    -rw-  2,375       Nov 26 2015  16:30:18  backcfg.zip

601,328 KB total (253,200 KB free)

2. Copy the target version of the rollback (for example, V500R001C00SPC500.bin) to the CF card. For details, see Appendix C: Uploading and Downloading Files.

3. The system software file of versions earlier than V500R001C50 does not carry a digital certificate. To load such a file, run the set system-software check-mode all command to set the system software integrity check mode to all. Otherwise, the file cannot be set as the software for the next startup. This mode lets the device boot an unsigned package, so make sure the file you load is the original package you backed up before the upgrade.

4. Enter the diagnose view and run the recover system filename command.

NOTICE
- If multiple hda1:/backup/yyyyMMddHHmmss folders exist, use the latest one for the version rollback.

[FW-diagnose] recover system V500R001C00SPC500.bin
Confirm: Will you recover and reboot the system ?[Y/N] y
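Two checks in this guide come down to reading the output of the device's dir command: the post-upload size comparison in Step 4 of the CLI upgrade (is the file on the CF card, and is it as large as the local copy?) and the backup-folder check in step 1 of the one-click rollback (which hda1:/backup/yyyyMMddHHmmss folder is the latest, and does it hold backcfg.zip, usermanage.db and userinfo.db?). The following Python script is an added example, not part of the Huawei guide; it parses the dir listing format shown above and answers both questions. The sample listings are constructed to match the format in this section; sizes other than backcfg.zip's 2,375 bytes are invented for the example.

```python
"""Parse the VRP 'dir' output of a USG6000/USG9500 and use it to
(a) confirm an uploaded file landed on the CF card with the expected size and
(b) pick the newest hda1:/backup/yyyyMMddHHmmss folder for one-click rollback
and report which required backup files it lacks."""
import re
from collections import namedtuple
from datetime import datetime

DirEntry = namedtuple("DirEntry", "idx attr size date time name is_dir")

# One 'dir' entry line, e.g. "0  -rw-  2,375  Nov 26 2015  16:30:18  backcfg.zip"
_LINE = re.compile(
    r"^\s*(\d+)\s+([-d][rwx-]{3})\s+([\d,]+|-)\s+"
    r"([A-Z][a-z]{2} +\d{1,2} \d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)

REQUIRED_BACKUP_FILES = ("backcfg.zip", "usermanage.db", "userinfo.db")


def parse_dir(output):
    """Return the entries listed by 'dir'. Header, blank and summary lines
    ('601,328 KB total ...') do not match the entry pattern and are skipped."""
    entries = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        idx, attr, size, date, time_, name = m.groups()
        size = None if size == "-" else int(size.replace(",", ""))
        entries.append(DirEntry(int(idx), attr, size, date, time_, name, attr.startswith("d")))
    return entries


def verify_upload(dir_output, name, local_size):
    """Step 4 check: the uploaded file must exist on the CF card and be exactly
    as large as the local copy. Returns (ok, reason)."""
    for e in parse_dir(dir_output):
        if e.name == name and not e.is_dir:
            if e.size == local_size:
                return True, "size matches (%d bytes)" % local_size
            return False, "size mismatch: device %s bytes, local %d bytes; re-upload" % (e.size, local_size)
    return False, "%s not found on the CF card" % name


def _folder_time(name):
    """Backup folders are named yyyyMMddHHmmss; anything else is not a backup."""
    try:
        return datetime.strptime(name, "%Y%m%d%H%M%S")
    except ValueError:
        return None


def check_backup(backup_dir_output, folder_listings, required=REQUIRED_BACKUP_FILES):
    """Choose the newest backup folder (the guide says to use the latest when several
    exist) and list which required files it lacks. folder_listings maps a folder
    name to the 'dir' output taken inside it. Returns (folder or None, missing)."""
    folders = []
    for e in parse_dir(backup_dir_output):
        t = _folder_time(e.name) if e.is_dir else None
        if t is not None:
            folders.append((t, e.name))
    if not folders:
        return None, list(required)
    latest = max(folders)[1]
    present = {e.name for e in parse_dir(folder_listings.get(latest, "")) if not e.is_dir}
    return latest, [f for f in required if f not in present]


# Constructed sample outputs, modelled on the listings in the upgrade guide.
SAMPLE_ROOT = """Directory of hda1:/

  Idx  Attr     Size(Byte)  Date         Time      FileName
    0  -rw-    128,532,480  Jan 16 2018  10:02:11  USG6000V500R001C80SPC100.bin
    1  -rw-          2,375  Jan 16 2018  10:05:30  vrpcfg_new.cfg
    2  drw-              -  Nov 26 2015  16:30:18  backup

601,328 KB total (253,232 KB free)
"""
SAMPLE_BACKUP = """Directory of hda1:/backup/

  Idx  Attr     Size(Byte)  Date         Time      FileName
    0  drw-              -  Nov 26 2015  16:30:18  20151126163018
    1  drw-              -  Nov 26 2015  16:58:56  20151126165855
"""
SAMPLE_FOLDERS = {
    "20151126163018": "    0  -rw-  2,375   Nov 26 2015  16:30:18  backcfg.zip\n",
    "20151126165855": ("    0  -rw-  2,375   Nov 26 2015  16:58:56  backcfg.zip\n"
                       "    1  -rw-  40,960  Nov 26 2015  16:58:56  usermanage.db\n"
                       "    2  -rw-  12,288  Nov 26 2015  16:58:56  userinfo.db\n"),
}

if __name__ == "__main__":
    print(verify_upload(SAMPLE_ROOT, "vrpcfg_new.cfg", 2375))
    print(check_backup(SAMPLE_BACKUP, SAMPLE_FOLDERS))
```

A missing file in the newest folder is reported rather than silently falling back to an older folder, because an older backup may not match the configuration the device was running when it was upgraded.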

Precautions

During the version rollback, note the following:

1. The precautions and the result check method of the version rollback are the same as those of the version upgrade. For details, see the descriptions of the corresponding upgrade modes.

2. During the version rollback, services are interrupted temporarily. The interruption duration depends on the rollback mode and the service configuration.

Before the version rollback, contact technical support personnel to determine whether the target version needs to be patched. If yes, install the patch immediately after the version rollback is complete. For how to install the patch, see the usage guide of the corresponding patch version.

1.4 Upgrading Version Software in Dual-System Hot Backup

1.4.1 Overview

Dual-system hot backup is an important feature of the device. Two devices are deployed; if one is faulty, the other takes over its work immediately. This avoids a single point of failure and improves network stability and reliability. For details, see the corresponding product documentation.

Follow a defined procedure and principle when upgrading version software in dual-system hot backup networking. The main principle is to upgrade the backup device first and then the master device, each independently. Note that the HRP backup channel (the heartbeat line) must be disconnected during the upgrade.

NOTICE
When upgrading version software in dual-system hot backup, the target version software of the master device must be the same as that of the backup device.

1.4.2 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Later Than V500R001C30SPC300)

This section describes how to upgrade system software in hot standby scenarios.

Networking Requirements
As shown in Figure 1-43, two FWs work in active/standby mode. GE1/0/7 is the heartbeat interface, GE1/0/1 the upstream service interface, and GE1/0/3 the downstream service interface. You need to upgrade the system software of the two FWs to a specified version.

NOTE
The method of upgrading the FW is the same in all hot standby networking modes. This example describes the active/standby networking in which a router is connected in both the upstream and downstream directions.

Figure 1-43 Networking for upgrading system software in a hot standby scenario

Configuration Procedure
1. Upgrade the standby FW. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the standby FW to isolate it.

2. After the standby FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface goes Up, session entries are synchronized between the active and standby FWs; this takes around two minutes. After the session entries are synchronized, run the undo shutdown command to enable the service interfaces.

3. Upgrade the active FW. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the active FW to isolate it. Service traffic is then switched to the standby FW for forwarding.

4. After the active FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface goes Up, session entries are synchronized between the active and standby FWs; this takes around two minutes. After the session entries are synchronized, run the undo shutdown command to enable the service interfaces.

5. Verify that services are normal after the upgrade and perform the active/standby switchover test.

NOTE

If the active and standby FWs run different versions, the active FW cannot back up configurations to the standby FW. Therefore, do not deliver upgrade-irrelevant configurations to the FWs during the upgrade.

Before the upgrade or rollback, run the undo hrp base config enable command on both the active and standby FWs to disable automatic synchronization of configurations from the peer. If this function stays enabled, the FWs automatically synchronize configurations from the peer after they restart for the upgrade or rollback. Because configuration commands differ between versions, configurations synchronized from a peer running another version may conflict with the local software and cannot be restored properly.

Procedure

Step 1 Upload system software packages to the two FWs respectively.

Step 2 Run the shutdown command to disable the service and heartbeat interfaces of FW_B (the standby device). Disable the service interfaces first and then the heartbeat interface. Shut down the heartbeat interface of FW_B only, not that of FW_A.
HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/7
HRP_S[FW_B-GigabitEthernet1/0/7] shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit
HRP_M[FW_B] quit

Step 3 Set the system software for the next startup of FW_B.
HRP_M<FW_B> startup system-software xxxxx.bin
Info: System software for the next startup: hda1:/xxxxx.bin, start read file.... Succeeded in setting the software for booting system.

Step 4 Restart FW_B.
HRP_M<FW_B> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 5 After FW_B has restarted, run the undo shutdown command to enable the heartbeat interface.
HRP_M<FW_B> system-view
HRP_M[FW_B] interface GigabitEthernet 1/0/7
HRP_M[FW_B-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit

Step 6 Wait for the session entries to be synchronized between the active and standby FWs. This takes around two minutes. Run the display firewall session table command on both FWs to check whether the numbers of sessions are consistent. If they are, continue with the following operations.

Step 7 Run the undo shutdown command to enable the service interfaces of FW_B.
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] undo shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] undo shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] quit
HRP_S[FW_B] quit
HRP_S<FW_B> save
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.

Step 8 Run the shutdown command to disable the service and heartbeat interfaces of FW_A (the active device). Disable the service interfaces first and then the heartbeat interface. Shut down the heartbeat interface of FW_A only, not that of FW_B.
HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/3
HRP_M[FW_A-GigabitEthernet1/0/3] shutdown
HRP_S[FW_A-GigabitEthernet1/0/3] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/1
HRP_S[FW_A-GigabitEthernet1/0/1] shutdown
HRP_S[FW_A-GigabitEthernet1/0/1] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/7
HRP_S[FW_A-GigabitEthernet1/0/7] shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit
HRP_M[FW_A] quit

After the preceding operations, service traffic is switched to FW_B for forwarding.

Step 9 Set the system software for the next startup of FW_A.
HRP_M<FW_A> startup system-software xxxxx.bin
Info: System software for the next startup: hda1:/xxxxx.bin, start read file.... Succeeded in setting the software for booting system.

Step 10 Restart FW_A.
HRP_M<FW_A> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 11 After FW_A has restarted, run the undo shutdown command to enable the heartbeat interface.
HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/7
HRP_M[FW_A-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit

Step 12 Wait for the session entries to be synchronized between the active and standby FWs. This takes around two minutes. Run the display firewall session table command on both FWs to check whether the numbers of sessions are consistent. If they are, continue with the following operations.

Step 13 Run the undo shutdown command to enable the service interfaces of FW_A.
HRP_S[FW_A] interface GigabitEthernet 1/0/3
HRP_S[FW_A-GigabitEthernet1/0/3] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/3] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/1
HRP_S[FW_A-GigabitEthernet1/0/1] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/1] quit
HRP_S[FW_A] quit
HRP_S<FW_A> save
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.

----End
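Steps 6 and 12 above gate the re-enabling of the service interfaces on the session tables of the two FWs having converged. The following Python script is an added example and is not part of the Huawei guide: it polls both devices until the session counts agree within a tolerance or a time budget runs out. It assumes (this is not shown in the guide; confirm on your device) that the output of display firewall session table begins with a line of the form "Current Total Sessions : N"; the poll callables are injected, so in production they would run that command over SSH on FW_A and FW_B, and the sample outputs used here are constructed.

```python
"""Session-table convergence check for the hot-standby upgrade (Steps 6 and 12):
after the heartbeat interface is re-enabled, wait until the session counts on the
two FWs agree before re-enabling the service interfaces."""
import re
import time

# Assumption (not shown in the guide): 'display firewall session table' begins
# with a line ' Current Total Sessions : N'. Verify this against your device.
_TOTAL = re.compile(r"Current Total Sessions\s*:\s*(\d+)")


def session_count(output):
    m = _TOTAL.search(output)
    if not m:
        raise ValueError("no 'Current Total Sessions' line in output")
    return int(m.group(1))


def sessions_in_sync(count_a, count_b, tolerance=0.02):
    """Counts are never identical on a live pair (sessions age out between the two
    commands), so accept a small relative difference rather than exact equality."""
    if count_a == 0 and count_b == 0:
        return True
    return abs(count_a - count_b) <= tolerance * max(count_a, count_b)


def wait_for_sync(poll_a, poll_b, timeout_s=180, interval_s=10, tolerance=0.02, sleep=time.sleep):
    """poll_a/poll_b return the session-table text of FW_A/FW_B (e.g. read over SSH).
    Returns (synced, polls, last_count_a, last_count_b). The default 180 s budget
    covers the guide's expectation of about two minutes for synchronization."""
    polls, elapsed = 0, 0
    while True:
        a, b = session_count(poll_a()), session_count(poll_b())
        polls += 1
        if sessions_in_sync(a, b, tolerance):
            return True, polls, a, b
        if elapsed >= timeout_s:
            return False, polls, a, b
        sleep(interval_s)
        elapsed += interval_s


def sample_output(n):
    """Constructed session-table text with n sessions."""
    return (" Current Total Sessions : %d\n"
            " icmp  VPN: public --> public  10.1.1.1:512 --> 10.2.2.2:2048\n" % n)


def make_poll(counts):
    """Return a poller that yields the given counts in turn, then repeats the last one."""
    it = iter(counts)
    last = [counts[-1]]

    def poll():
        try:
            last[0] = next(it)
        except StopIteration:
            pass
        return sample_output(last[0])
    return poll


if __name__ == "__main__":
    # FW_A stays at 5000 sessions; FW_B ramps up as the backup catches up.
    print(wait_for_sync(make_poll([5000]), make_poll([0, 2000, 4980]), sleep=lambda s: None))
```

If wait_for_sync returns False, leave the service interfaces down and investigate the heartbeat link before continuing; enabling them on a device with a half-populated session table drops the flows it does not know about.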

Verification
1. Test whether services are normal.
2. Test the active/standby switchover.

Configure a PC on the intranet to continuously ping an Internet host, and run the shutdown command on GE1/0/1 of FW_A. Then check the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW_B becomes the active device and carries services: the command prompt of FW_B changes from HRP_S to HRP_M, that of FW_A from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the network environment) are discarded.

Run the undo shutdown command on GE1/0/1 of FW_A and check the status switchover and discarded ping packets again. If the switchover is normal, FW_A becomes the active device again and starts to carry services after the preemption delay (60s by default) expires: the command prompt of FW_A changes from HRP_S to HRP_M, that of FW_B from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the network environment) are discarded.

1.4.3 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Earlier Than V500R001C30SPC300)

This section describes how to upgrade system software in hot standby scenarios.

Networking Requirements
As shown in Figure 1-44, two FWs work in active/standby mode. GE1/0/7 is the heartbeat interface, GE1/0/1 the upstream service interface, and GE1/0/3 the downstream service interface. You need to upgrade the system software of the two FWs to a specified version.

NOTE
The method of upgrading the FW is the same in all hot standby networking modes. This example describes the active/standby networking in which a router is connected in both the upstream and downstream directions.

Figure 1-44 Networking for upgrading system software in a hot standby scenario

Configuration Procedure
1. Upgrade the standby FW first. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the standby FW to isolate it.

2. After the standby FW is upgraded, run the shutdown command to disable the service and heartbeat interfaces of the active FW to isolate it. Then run the undo shutdown command to enable the heartbeat and service interfaces of the standby FW and switch service traffic to the standby FW for forwarding.

3. Upgrade the active FW.

4. After the active FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface goes Up, session entries are synchronized between the active and standby FWs; this takes around two minutes. After the session entries are synchronized, run the undo shutdown command to enable the service interfaces.

5. Verify that services are normal after the upgrade and perform the active/standby switchover test.

Procedure

Step 1 Upload system software packages to the two FWs respectively.

Step 2 Run the shutdown command to disable the service and heartbeat interfaces of FW_B (the standby device). Disable the service interfaces first and then the heartbeat interface. Shut down the heartbeat interface of FW_B only, not that of FW_A.

HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/7
HRP_S[FW_B-GigabitEthernet1/0/7] shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit
HRP_M[FW_B] quit

Step 3 Set the system software for the next startup of FW_B.
HRP_M<FW_B> startup system-software xxxxx.bin
Info: System software for the next startup: hda1:/xxxxx.bin, start read file.... Succeeded in setting the software for booting system.

Step 4 Restart FW_B.
HRP_M<FW_B> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 5 After FW_B is restarted and the LPU and SPU are restored, run the shutdown command to disable the service and heartbeat interfaces of FW_A (active device). After the service and heartbeat interfaces of FW_A are disabled, services are interrupted. To reduce the service interruption duration, after the interfaces of FW_A are disabled, run the undo shutdown command to enable the heartbeat and service interfaces of FW_B immediately and switch service traffic to FW_B for forwarding.

# Run the shutdown command to disable the service and heartbeat interfaces of FW_A. You must disable the service interface first and then the heartbeat interface.

HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/3
HRP_M[FW_A-GigabitEthernet1/0/3] shutdown
HRP_M[FW_A-GigabitEthernet1/0/3] quit
HRP_M[FW_A] interface GigabitEthernet 1/0/1
HRP_M[FW_A-GigabitEthernet1/0/1] shutdown
HRP_M[FW_A-GigabitEthernet1/0/1] quit
HRP_M[FW_A] interface GigabitEthernet 1/0/7
HRP_M[FW_A-GigabitEthernet1/0/7] shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit
HRP_M[FW_A] quit

# Run the undo shutdown command to enable the heartbeat and service interfaces of FW_B. You must enable the heartbeat interface first and then the service interface.

HRP_M<FW_B> system-view
HRP_M[FW_B] interface GigabitEthernet 1/0/7
HRP_M[FW_B-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit
HRP_M[FW_B] interface GigabitEthernet 1/0/3
HRP_M[FW_B-GigabitEthernet1/0/3] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/3] quit
HRP_M[FW_B] interface GigabitEthernet 1/0/1
HRP_M[FW_B-GigabitEthernet1/0/1] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/1] quit

Step 6 Set the system software for the next startup of FW_A.


HRP_M<FW_A> startup system-software xxxxx.bin
Info:System software for the next startup:hda1:/xxxxx.bin, start read file....
Succeeded in setting the software for booting system.

Step 7 Restart FW_A.
HRP_M<FW_A> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 8 After FW_A is restarted, run the undo shutdown command to enable the heartbeat interface.
HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/7
HRP_M[FW_A-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit

Step 9 Wait for the session entries to be synchronized between the active and standby FWs. It takes around two minutes to synchronize the entries. You can run the display firewall session table command to check whether the numbers of sessions on the two FWs are consistent. If yes, continue with the following operations.

Step 10 Run the undo shutdown command to enable the service interface of FW_A.
HRP_S[FW_A] interface GigabitEthernet 1/0/3
HRP_S[FW_A-GigabitEthernet1/0/3] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/3] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/1
HRP_S[FW_A-GigabitEthernet1/0/1] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/1] quit

----End
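Step 9 leaves the decision of when the two session tables are "consistent" to the operator. The following script is an added example (not part of the Huawei guide) that automates that check: it parses the session total from each firewall's command output and only reports the standby-to-active handover as safe once the counts agree within a tolerance. The sample outputs are constructed; the assumption that the output starts with a "Current Total Sessions : N" line, the 1% tolerance, and the fetch_a/fetch_b callables are all assumptions of this example, not facts from the guide.

```python
import re
import time
from typing import Callable

# Constructed sample outputs (not captured from a real USG). The only line the
# parser relies on is the total-session header; its exact wording on a real
# device is an assumption here, so adjust _TOTAL_RE to match your firewall.
FW_A_OUTPUT = """\
Current Total Sessions : 1532
  tcp  VPN:public --> public 10.1.1.10:51234-->203.0.113.5:443
  udp  VPN:public --> public 10.1.1.11:5353-->203.0.113.9:53
"""
FW_B_OUTPUT = """\
Current Total Sessions : 1529
  tcp  VPN:public --> public 10.1.1.10:51234-->203.0.113.5:443
"""

_TOTAL_RE = re.compile(r"Current Total Sessions\s*:\s*(\d+)")


def parse_session_total(output: str) -> int:
    """Return the session count reported in 'display firewall session table' output."""
    match = _TOTAL_RE.search(output)
    if match is None:
        raise ValueError("no 'Current Total Sessions' line found in output")
    return int(match.group(1))


def sessions_consistent(total_a: int, total_b: int, tolerance: float = 0.01) -> bool:
    """True when the two counts differ by at most `tolerance` of the larger count.

    Sessions are created and aged out while you look, so an exact match is not
    expected; the 1% default is an assumed operational threshold, not a Huawei figure.
    """
    bigger = max(total_a, total_b)
    if bigger == 0:
        return True
    return abs(total_a - total_b) <= bigger * tolerance


def wait_for_session_sync(fetch_a: Callable[[], str], fetch_b: Callable[[], str],
                          attempts: int = 12, interval_s: float = 10.0,
                          sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll both firewalls until their session totals agree or `attempts` is exhausted.

    The defaults (12 polls, 10 s apart) cover the roughly two minutes the guide says
    synchronization takes. `fetch_a`/`fetch_b` are hypothetical callables returning the
    raw command output of each device (for example through a management SSH session).
    """
    for _ in range(attempts):
        if sessions_consistent(parse_session_total(fetch_a()),
                               parse_session_total(fetch_b())):
            return True
        sleep(interval_s)
    return False


if __name__ == "__main__":
    ok = wait_for_session_sync(lambda: FW_A_OUTPUT, lambda: FW_B_OUTPUT,
                               sleep=lambda s: None)
    print("safe to undo shutdown on the service interface:", ok)
```

Returning False after the polling window is the useful outcome: it tells the operator that synchronization has not completed and the service interface of FW_A should stay down rather than being re-enabled on a timer.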

Verification
1. Test whether services are normal.
2. Test the active/standby switchover.

Configure a PC in the intranet to constantly ping an Internet host and run the shutdown command on GE1/0/1 of FW_A. Then check the status switchover of the FW and the discarded ping packets. If the status switchover is normal, FW_B switches to the active device and carries services. The command prompt of FW_B changes from HRP_S to HRP_M, and the command prompt of FW_A changes from HRP_M to HRP_S. No or several ping packets (1 to 3 packets, depending on the actual network environment) are discarded.

Run the undo shutdown command on GE1/0/1 of FW_A and check the status switchover of the FW and the discarded ping packets. If the status switchover is normal, FW_A switches to the active device and starts to carry services after the preemption delay (60s by default) expires. The command prompt of FW_A changes from HRP_S to HRP_M, and the command prompt of FW_B changes from HRP_M to HRP_S. No or several ping packets (1 to 3 packets, depending on the actual network environment) are discarded.


1.5 Appendix A: Upgrading System Software Using BootROM

1.5.1 Background

When the device fails to load the system software, and you cannot log in to the device using the Web UI or CLI, upgrade the system software using BootROM.

At present, the device supports transmission of the system software to the CF card using FTP or TFTP in the BootROM menu. The device, serving as the client, downloads the system software from the FTP/TFTP server, as shown in Figure 1. You must install third-party FTP/TFTP server software on PC2.

NOTE

You can use only one PC as both the HyperTerminal program and the FTP client. To facilitate description, two PCs are used as an example.

Figure 1-45 Transferring files through an FTP or TFTP server

The following section provides an example of how the device downloads the system software from the FTP server.

1.5.2 Upgrade Process Overview

Context

Figure 1 shows the process for upgrading the system software using BootROM.


Figure 1-46 Flowchart for upgrading the system software using BootROM

1.5.3 Performing the Upgrade

Context

The serial port of PC1 is connected to the console port of the device with a standard RS-232 configuration cable. Run the terminal emulation program (HyperTerminal in Windows XP is used as an example) on PC1 to ensure that PC1 communicates with the console port of the device.

Procedure

Step 1 Configure the FTP server.

Install the FTP server program on PC2 and configure the FTP server using the document delivered with the program. The premise is that you obtain the FTP server program in a legitimate way. You have already created an FTP user whose name is 123 and password is 123 and configured the root directory of the user as the directory of the files to be uploaded or downloaded.

Step 2 Power on or reboot the device.

Step 3 After the device is powered on, you can run the terminal emulation program on PC1 to check the device startup process. When the following information is displayed, press Ctrl+B within three seconds.
Base Bootrom Ver: 021 May 8 2014 15:58:31
Extended Bootrom Ver: 028 May 8 2014 16:01:28
CPLD BigVer : 003B
CPLD SmlVer : 005B 2013-08-15
PCB Ver: SUA2MPUA REV B
CPU Type : CN6880 Rev 2.1
CPU L2 Cache : 2048 KB
CPU Core Frequency : 1200 MHz
BUS Frequency : 900 MHz
Mem Size : 16384 MB
Press Ctrl+B to enter main menu... 3
Password: ********
For the sake of security, please modify the original password.

Enter password O&m15213 to access the BootROM main menu.
====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ---------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================
Enter your choice(0-6):

Step 4 In the BootROM main menu, enter 3 to access the file management menu.
==================< File Management Menu >==================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-5):

In the file management menu, enter 1 to check the available space in the CF card. If the available space of the CF card is insufficient, enter 3 to delete unnecessary files.

Ensure that the CF card has sufficient available space. Enter 0 to return to the BootROM main menu.

Step 5 In the BootROM main menu, enter 4 to access the load and upgrade menu.
=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6):

In the load and upgrade menu, enter 2 to access the application software upgrade menu. The current parameter settings are displayed.


Net Paramter:
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board Mask address : 255.255.255.0
FTP user name : ngfw
FTP user password : ngfw
Load file name : sup.bin
Target file name : sup.bin
Download file to : hda1:
<1> Download file.
<2> Modify parameters.
<0> Quit
Enter your choice(0-2):

In the application software upgrade menu, enter 2 to modify the load parameters.

Protocol type: <1> FTP <2> TFTP
NOTE: TFTP protocol limits the file length to 32M bytes.
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board IP mask : 255.255.255.0
FTP user name : 123
FTP user password : 123
Load file name : sup.bin
Target file name : V500R001C**.bin
Choose one of following devices where the file in: <1> hda1: <2> sdram
Download file to : 1
<1> Download file.
<2> Modify parameters.
<0> Quit
Enter your choice(0-2): 1

Enter 1 to download the upgrade file.

Using FTP client...
File < V500R001C**.bin> 170014779 bytes downloaded.
Writing hda1:/V500R001C**.bin, please wait................................Done.
The next boot package file is <hda1:/V500R001C**.bin>

Table 1-5 Parameters of FTP download

Parameter | Description
Protocol type | Indicates the protocol used for download. The value 1 indicates FTP, and the value 2 indicates TFTP.
Unit number | Indicates the interface connected to the external FTP server (PC2). Only 0 can be entered in this field, to identify GigabitEthernet0/0/0.
Server IP address | Indicates the IP address of the external FTP server (PC2).
Board IP address | Indicates the IP address of the device interface.
FTP user name | Indicates the user name, which must be the same as that specified on the FTP server.
FTP user password | Indicates the password, which must be the same as that specified on the FTP server.
Load file name | Indicates the name of the system software.
Target file name | Indicates the name under which the system software is saved.
Download file to | Indicates the location in which the system software is saved.

After the download is complete, the device automatically specifies the downloaded system software as the software to be used at the next startup. Enter 0 to return to the load and upgrade menu. Then, enter 0 to return to the BootROM main menu.
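The BootROM loader gives no feedback about a bad parameter set until the download fails on the console, so it is worth checking the values before typing them in. The following script is an added example (not part of the Huawei guide) that validates a parameter set against the constraints stated in the menu and in Table 1-5: the protocol must be 1 or 2, TFTP is limited to 32M bytes, the unit number must be 0, and the server must be reachable on the board's own subnet, since the menu offers no gateway parameter. The sample values are taken from the transcript above; the byte interpretation of "32M", the dict keys, and the sdram warning are this example's own assumptions.

```python
import ipaddress

# The BootROM menu states "TFTP protocol limits the file length to 32M bytes".
# Whether that means 32*1024*1024 or 32,000,000 is not specified; binary is assumed.
TFTP_MAX_BYTES = 32 * 1024 * 1024

# Constructed from the parameter values shown in the menu transcript above.
LOAD_PARAMS = {
    "Protocol type": 1,
    "Unit number": 0,
    "Server IP address": "3.3.3.3",
    "Board IP address": "3.3.3.104",
    "Board IP mask": "255.255.255.0",
    "Load file name": "sup.bin",
    "Target file name": "V500R001C**.bin",
    "Download file to": "hda1:",
}
IMAGE_SIZE = 170014779  # byte count reported by the FTP client in the transcript


def validate_load_parameters(params: dict, file_size: int) -> list:
    """Return a list of problems; an empty list means the parameters look usable."""
    problems = []

    proto = params.get("Protocol type")
    if proto not in (1, 2):
        problems.append("Protocol type must be 1 (FTP) or 2 (TFTP)")
    elif proto == 2 and file_size > TFTP_MAX_BYTES:
        problems.append(f"TFTP cannot carry a {file_size}-byte file "
                        f"(limit {TFTP_MAX_BYTES} bytes); use FTP")

    if params.get("Unit number") != 0:
        problems.append("Unit number must be 0 (GigabitEthernet0/0/0 is the only interface)")

    try:
        board = ipaddress.ip_address(params["Board IP address"])
        server = ipaddress.ip_address(params["Server IP address"])
        lan = ipaddress.ip_network(f"{board}/{params['Board IP mask']}", strict=False)
        if server not in lan:
            # The menu has no gateway field, so an off-subnet server is unreachable.
            problems.append(f"server {server} is not on the board subnet {lan}")
        if server == board:
            problems.append("server and board addresses are identical")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid address parameter: {exc}")

    # sdram is volatile; an image written there is gone after the reboot in Step 8.
    if params.get("Download file to") != "hda1:":
        problems.append("download target is not hda1:; the file will not survive the reboot")

    for key in ("Load file name", "Target file name"):
        if not params.get(key):
            problems.append(f"{key} is empty")
    return problems


if __name__ == "__main__":
    for problem in validate_load_parameters(LOAD_PARAMS, IMAGE_SIZE) or ["no problems found"]:
        print(problem)
```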

Step 6 In the load and upgrade menu, enter 3 to download the converted configuration file.

=================< Load and Upgrade Menu >==================
| <1> Display File List |
| <2> Upgrade Application Software |
| <3> Download File from External Server |
| <4> Upload File to External Server |
| <5> Upgrade Extended Bootrom |
| <6> Upgrade Base Bootrom |
| <0> Return to Main Menu |
============================================================
Enter your choice(0-6): 3
Net paramter:
Protocol type : 1
Unit number : 0
Server IP address : 3.3.3.3
Board IP address : 3.3.3.104
Board IP mask : 255.255.255.0
FTP user name : 1234
FTP user password : ****
Load file name :vrpcfg_new.cfg
Target file name : vrpcfg_new.cfg
Download file to : hda1:
<1> Download file.
<2> Modify parameters.
<0> Quit

After the download is complete, enter 0 to return to the load and upgrade menu. Then, enter 0 to return to the BootROM main menu.

Step 7 In the BootROM main menu, enter 2 to specify the system software and configuration file.
====================< Extend Main Menu >====================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ---------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
============================================================
Enter your choice(0-6): 2
Current boot application software: <hda1:/V500R001C**.bin>
Current boot configuration: <hda1:/vrpcfg_new.cfg>
<1> Modify setting
<0> Quit
Enter your choice (0-1): 1

After the setting is complete, enter 0 to return to the BootROM main menu.

Step 8 In the BootROM main menu, enter 0 to restart the device.

----End

1.6 Appendix B: Establishing the Upgrade Environment Through the Console Port

1.6.1 Setting Up an Environment for Upgrading System Software Using Telnet/SSH

Prerequisites

The prerequisites for console port login are as follows:

- A PC (with an RS-232 serial port) and an RS-232 cable are available.
- A terminal simulation program (such as Windows XP HyperTerminal) is installed on the PC.
- The USG6000 is powered on and running properly.

Context

IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the USG6000 by default. You can use this IP address and the default user name admin and password Admin@123 to log in to the CLI of the USG6000 through Telnet. If the Telnet configuration is cancelled or you want to use SSH for the login, log in to the USG6000 from the console port to construct the Telnet or SSH environment.

Figure 1 shows the connection for configuring the upgrade environment using the console port. The serial port of the PC is connected to the console port of the device with a standard serial cable.

The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45 console port is used, use the console cable delivered with the device. Using the cables of other vendors might cause unexpected faults. If a mini USB console port is used, purchase the mini USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used together. If both ports are connected, only the mini USB console port is available.

Figure 1-47 Establishing the upgrade environment through the console port

Procedure

Step 1 Select Start > All Programs > Accessories > Communication > HyperTerminal to start the terminal simulation program (for example, Windows XP HyperTerminal) on the PC. The Connection Description dialog box is displayed, as shown in Figure 2.

Figure 1-48 Connection Description dialog box

Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of the PC for connecting to the USG6000 from the Connect using drop-down list box, as shown in Figure 3.


Figure 1-49 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 4. The communication parameters of COM1 must be the same as those of the console port on the USG6000.

Figure 1-50 Setting port properties

Step 4 Log in to the NGFW, and enter the CLI.


By default, the user name and password are admin and Admin@123 respectively for logging in to the USG6000 through the console port. If you forget the user name and password configured on the console port, see Password of the Console Port Is Forgotten.

Step 5 Configure the upgrade environment.

- Configure Telnet for login.

Enable the Telnet service on GE 0/0/0 of the device. Configure AAA authentication and Telnet for the virtual type terminal (VTY) user interface. Create a local Telnet user and set the user name to user1 and the password to Password1 for the Telnet user. Enable the Telnet service on the device.
V500R001:
<FW> system-view
[FW] telnet server enable
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 192.168.1.1 255.255.255.0
[FW-GigabitEthernet1/0/3] service-manage telnet permit
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] quit
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] quit
[FW] aaa
[FW-aaa] authorization-scheme default
[FW-aaa-auth-default] quit
[FW-aaa] manager-user user1
[FW-aaa-manager-user-user1] password cipher Password1
[FW-aaa-manager-user-user1] level 15
[FW-aaa-manager-user-user1] service-type telnet
[FW-aaa-manager-user-user1] quit
[FW-aaa] bind manager-user user1 role system-admin
[FW-aaa] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet1/0/3
[FW-zone-trust] quit

- Configure SSH for login.

Enable the SSH service on GE 0/0/0 of the device. Configure AAA authentication and SSH for the virtual type terminal (VTY) user interface. Create a local SSH user and set the user name to user1 and the password to Password1 for the SSH user. Enable the STelnet service on the device.
V500R001:
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 192.168.1.1 255.255.255.0
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] service-manage ssh permit
[FW-GigabitEthernet1/0/3] quit
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] protocol inbound ssh
[FW-ui-vty0-4] quit
[FW] aaa
[FW-aaa] manager-user user1
[FW-aaa-manager-user-user1] password cipher Password1
[FW-aaa-manager-user-user1] level 15
[FW-aaa-manager-user-user1] service-type ssh
[FW-aaa-manager-user-user1] quit
[FW-aaa] bind manager-user user1 role system-admin
[FW-aaa] quit
[FW] stelnet server enable
[FW] ssh user user1
[FW] ssh user user1 authentication-type password
[FW] ssh user user1 service-type stelnet
[FW] ssh server port 1025
[FW] ssh server timeout 80
[FW] ssh server authentication-retries 4
[FW] ssh server rekey-interval 1
[FW] ssh server compatible-ssh1x enable

----End

1.6.2 Setting Up an Environment for Upgrading System Software Using Web

Prerequisites

Before you log in to the USG6000 using the console port, complete the following tasks:

- Prepare a PC (with an RS-232 serial port) and a serial cable.
- Install an emulation program, such as HyperTerminal on Windows XP, on the PC.
- Power on the USG6000 and ensure that the USG6000 runs properly.

Context

When the system software needs to be upgraded remotely, but the Web environment is not configured, you can log in to the USG6000 through the console port and then configure the Web environment. Then you can log in to the USG6000 remotely using the Web UI to upgrade the system software.

This section describes how to establish the HTTP-based upgrade environment through the console port.

Figure 1 shows the connection for configuring the upgrade environment using the console port. The serial port of the PC is connected to the console port of the USG6000 with a standard serial cable.

The device has two types of console ports: RJ45 and mini USB console ports. If an RJ45 console port is used, use the console cable delivered with the USG6000. Using the cables of other vendors might cause unexpected faults. If a mini USB console port is used, purchase the mini USB-to-USB cable as required. The RJ45 and mini USB console ports cannot be used together. If both ports are connected, only the mini USB console port is available.

Figure 1-51 Upgrade topology through the console port


Procedure

Step 1 Run the terminal emulation program, such as the HyperTerminal of Windows XP, on the PC. Choose Start > Programs > Accessories > Communications > HyperTerminal. The Connection Description dialog box is displayed, as shown in Figure 2.

Figure 1-52 Upgrade topology through the console port

Step 2 Click OK and the Connect to dialog box is displayed. Select the serial port (such as COM1) of the PC for connecting to the USG6000 from the Connect using drop-down list box, as shown in Figure 3.

Figure 1-53 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 4. The communication parameters of COM1 must be consistent with those of the console port on the NGFW.


Figure 1-54 Setting port properties

Step 4 Log in to the USG6000 and access the CLI.

By default, user name admin and password Admin@123 are used to log in to the USG6000 through the console port. If you forget the user name and password configured on the console port, see Password of the Console Port Is Forgotten.

Step 5 Configure the web for login.

Enable HTTP and HTTPS on GE 0/0/0 of the USG6000. Create a local web user and set the user name to user1, the user level to level 15, and the password to Password1 for the web user. Enable the HTTP and HTTPS services on the device.

<FW> system-view
[FW] interface GigabitEthernet 0/0/0
[FW-GigabitEthernet0/0/0] ip address 192.168.0.1 255.255.255.0
[FW-GigabitEthernet0/0/0] service-manage http permit
[FW-GigabitEthernet0/0/0] service-manage https permit
[FW-GigabitEthernet0/0/0] service-manage enable
[FW-GigabitEthernet0/0/0] quit
[FW] aaa
[FW-aaa] manager-user user1
[FW-aaa-manager-user-user1] password cipher Password1
[FW-aaa-manager-user-user1] service-type web
[FW-aaa-manager-user-user1] level 15
[FW-aaa-manager-user-user1] quit
[FW-aaa] quit
[FW] web-manager enable
[FW] web-manager security enable port 8443


NOTE

If an administrator uses HTTP to access the web UI, the device automatically redirects the session to the more secure HTTPS service. If the browser displays a notification about an insecure certificate, you can continue browsing.

----End

1.6.3 Upgrade Troubleshooting

1.6.3.1 Password of the Console Port Is Forgotten

Perform the following steps when you forget the password of the console port.

Procedure

Step 1 Restart the USG6000 and access the BootROM main menu.

========================< Main Menu >========================
| <1> Boot System |
| <2> Set Startup Application Software and Configuration |
| <3> File Management Menu... |
| <4> Load and Upgrade Menu... |
| <5> Modify Bootrom Password |
| <6> Reset Factory Configuration |
| <0> Reboot |
| ----------------------------------------------------------|
| Press Ctrl+T to Enter Manufacture Test Menu... |
| Press Ctrl+Z to Enter Diagnose Menu... |
=============================================================
Enter your choice (0-6):

Step 2 Enter 3 to access the file management menu.

================< File Management Menu >=====================
| <1> Display File List |
| <2> Rename File |
| <3> Delete File |
| <4> Copy File |
| <5> Format Device |
| <0> Return to Main Menu |
=============================================================
Enter your choice (0-5):

Step 3 Enter 2 to rename the current configuration file for startup.
Input the file name you want to rename(eg: hda1:/sup.bin): hda1:/vrpcfg.cfg
Input the new file name: hda1:/vrpcfgrename.cfg

Step 4 After device startup, use the default user name admin and password Admin@123 for login and use FTP to save the renamed configuration file to the PC.

Step 5 Reconfigure a user and copy the user information generated by the device to the renamed configuration file.
manager-user newuser
password cipher %@%@@)wB&=/Q1Fvhl1W=,4C)Vpg^C.0{VCnlxU^3svMxY@^A)vmh%@%@
service-type web terminal telnet
level 15

Step 6 Upload the modified configuration file to the device and specify the file as the one to be used at the next startup. After the device restarts, you can use the configured user information to log in.

----End

1.7 Appendix C: Uploading and Downloading Files

1.7.1 Device Serving as the FTP Client to Upload or Download Files Through FTP

Context

As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the USG6000 and upload or download files through FTP. This method requires third-party FTP server software to be installed on PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the FTP server. The following example uses the two-PC deployment.

Figure 1-55 Schematic diagram of uploading/downloading files through FTP with the USG6000 serving as the FTP client


Procedure

Step 1 Configure the FTP server.

Install the FTP server program on PC2 and configure the FTP server using the document available with the program. It is assumed that you obtain the FTP server program in a legitimate way; a description of the program is beyond the scope of this document. Assume that an FTP user already exists with the user name 123 and password 123, and that the root directory of the user is set to the storage path of the files to be uploaded/downloaded.

Step 2 Log in to the USG6000 from PC1 through Telnet/SSH.

Step 3 Log in to the FTP server from the USG6000.
Run the ftp ip-address command in the user view to establish an FTP connection to the PC and enter the FTP client view. The following operation assumes that the IP address of the FTP server is 192.168.0.2.
<FW> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

Step 4 Upload files in the storage media of the USG6000 to the FTP server.
Run the put local-filename [ remote-filename ] command in the FTP client view to upload files to the FTP server.
[ftp] binary // Run the binary command to specify file transmission in binary mode.
[ftp] put vrpcfg.zip

After the upload is complete, check whether the sizes of the files on the FTP server are the same as those in the CF card. If not, re-upload the files to ensure that they are completely uploaded to the FTP server.

Step 5 Download files from the FTP server to the storage media of the USG6000.
Run the get remote-filename [ local-filename ] command in the FTP client view to download files from the FTP server.
[ftp] binary // Run the binary command to specify file transmission in binary mode.
[ftp] get vrpcfg.zip

After the download is complete, check whether the sizes of the files in the CF card are the same as those on the FTP server. If not, re-download the files to ensure that they are completely downloaded to the CF card.

----End

1.7.2 Device Serving as the SFTP Server to Upload or Download Files Through SFTP

Context

As shown in Figure 1, the USG6000 serves as the SFTP server. Log in to the SFTP server from PC2 and upload/download files through SFTP. This method requires a third-party SFTP client program (such as WinSCP) to be installed on PC2.


NOTE

You can also use a PC as both the Telnet/SSH client and the SFTP server. The following example uses the two-PC deployment.

Figure 1-56 Schematic diagram of uploading/downloading files through SFTP with the USG6000 serving as the SFTP server

The roadmap for configuring an SFTP client (PC2) to communicate with an SSH server (USG6000) is as follows (RSA authentication is used):

- Create an SSH user on the USG6000.
- Configure a local key pair for PC2 and the USG6000.
- Copy the public key of PC2 to the USG6000.
- On the USG6000, bind the SSH user to the public key of PC2.
- Enable SFTP services on the USG6000.
- Configure the SSH user to log in to the USG6000 from PC2.

Procedure

Step 1 Enable the SSH service on interface GigabitEthernet 0/0/0.
<NGFW> system-view
[NGFW] interface GigabitEthernet 0/0/0
[NGFW-GigabitEthernet0/0/0] service-manage ssh permit
[NGFW-GigabitEthernet0/0/0] service-manage enable
[NGFW-GigabitEthernet0/0/0] quit

Log in to the USG6000 from PC1 through Telnet/SSH.

Step 2 Create an SSH user on the USG6000.

Enable the SFTP service.

[FW] sftp server enable

Configure an authentication mode and a protocol on the VTY interface.

[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] protocol inbound ssh
[FW-ui-vty0-4] quit

Create SSH user client and set the authentication type to rsa, the service type to SFTP, and the service directory to hda1:


[FW] ssh user sftpadmin
[FW] ssh user sftpadmin authentication-type password
[FW] aaa
[FW-aaa] manager-user sftpadmin
[FW-aaa-manager-user-sftpadmin] service-type ssh
[FW-aaa-manager-user-sftpadmin] level 3
[FW-aaa-manager-user-sftpadmin] password
Enter Password:
Confirm Password:
[FW-aaa-manager-user-sftpadmin] quit
[FW-aaa] quit
[FW] ssh user sftpadmin service-type sftp
[FW] ssh user sftpadmin sftp-directory hda1:

Step 3 Generate a local key pair on the USG6000.
[FW] rsa local-key-pair create
The key name will be: FW_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++..........++++++++++++
...................................++++++++......++++++++

Step 4 Generate a local key pair on PC2 using the SSH client software. The local key pair consists of a host key and a server key; the public key of PC2 is what is copied to the USG6000 in the next step.

Step 5 Copy the public key of PC2 to the USG6000 under the key name RsaKey001. (RsaKey001 is the name the device gives the peer key, not a password.) The key is entered as the hex-encoded DER form of the RSA public key; the sample below is a 512-bit key and is shown only to illustrate the format.

[FW] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[FW-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[FW-rsa-key-code] 3047
[FW-rsa-key-code] 0240
[FW-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[FW-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[FW-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[FW-rsa-key-code] 1D7E3E1B
[FW-rsa-key-code] 0203
[FW-rsa-key-code] 010001
[FW-rsa-key-code] public-key-code end
[FW-rsa-public-key] peer-public-key end

Then bind the SSH user to this key. This is the binding step listed in the roadmap:

[FW] ssh user sftpadmin assign rsa-key RsaKey001

Step 6 On PC2, connect the SFTP client to the SSH server.

----End

Example

After the SFTP client connects to the SSH server, run the display ssh server status and display ssh server session commands on the SSH server to check whether the SFTP service is enabled and whether the SFTP client is connected to the SSH server.

l Check SSH server status.

[FW] display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 0 hours
 SSH Authentication retries         : 3 times
 SFTP server                        : Enable
 STELNET server                     : Disable

l Check SSH server connection information.

[FW] display ssh server session
 Session 1:
 Conn                : VTY 4
 Version             : 2.0
 State               : started
 Username            : sftpadmin
 Retry               : 1
 CTOS Cipher         : aes128-cbc
 STOC Cipher         : aes128-cbc
 CTOS Hmac           : hmac-sha1-96
 STOC Hmac           : hmac-sha1-96
 Kex                 : diffie-hellman-group1-sha1
 Service Type        : sftp
 Authentication Type : rsa

The Authentication Type field confirms that the user logged in with the RSA key rather than a password. Note the negotiated algorithms in this sample: a CBC cipher, a truncated SHA-1 MAC and diffie-hellman-group1-sha1 (a 1024-bit group) are all legacy choices, and an SSH version of 1.99 in the status output means the server still advertises SSH-1 compatibility. Where the software allows, restrict the server to SSH-2 and to current ciphers, MACs and key-exchange groups, and re-run this command afterwards to confirm what a client actually negotiates.
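The hex blob pasted in Step 5 parses as a PKCS#1 RSAPublicKey in DER form (a SEQUENCE holding the modulus INTEGER and the public-exponent INTEGER), written out in hexadecimal. The following Python script is an added example, not taken from the Huawei guide, that does the two things a practitioner wants before pasting a key into the public-key-code view: it decodes such a blob to report the modulus size, and it converts an OpenSSH id_rsa.pub line from PC2 into the grouped hex lines the view expects. It uses only the standard library. The sample key is the 512-bit key from Step 5, and the OpenSSH line is constructed from it inside the script. One detail the decoder tolerates: the guide's sample writes the 64-byte modulus without the leading 0x00 byte that strict DER requires when the top bit of an INTEGER is set, so the decoder reads integers as unsigned, while the encoder emits strict DER (its output for the same key therefore starts 3048 0241 00BF... rather than 3047 0240 BF...).

```python
"""Convert an RSA public key between OpenSSH wire format and the PKCS#1
DER hex accepted in the VRP `public-key-code begin` view (added example)."""
import base64
import struct

# Constructed sample: the RsaKey001 blob from Step 5, whitespace removed.
GUIDE_HEX = (
    "30470240BFF35E4BC61BD786F907B5DE7D6770C3E5FD17AB203C8FCBBBC8FDF2"
    "F7CB674E519E84190F6B97A8EA91FC4BB9E188365E74BFD54C687767A89C6B43"
    "1D7E3E1B0203010001"
)

def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_uint(v):
    """DER INTEGER for a non-negative value; pads with 0x00 to keep it positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def pkcs1_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_uint(n) + _der_uint(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_pkcs1_hex(hex_text):
    """Decode a VRP key blob. Integers are read as unsigned, which accepts
    the guide's sample even though it omits the DER sign byte."""
    buf = bytes.fromhex("".join(hex_text.split()))
    tag, seq, _ = _read_tlv(buf, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, n_bytes, pos = _read_tlv(seq, 0)
    assert tag == 0x02, "expected INTEGER (modulus)"
    tag, e_bytes, _ = _read_tlv(seq, pos)
    assert tag == 0x02, "expected INTEGER (exponent)"
    n = int.from_bytes(n_bytes, "big")
    return {"n": n, "e": int.from_bytes(e_bytes, "big"), "bits": n.bit_length()}

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(v):
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return _ssh_string(body)

def openssh_line(n, e, comment="pc2"):
    """Build an `ssh-rsa AAAA...` line, the format ssh-keygen writes to id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def openssh_to_vrp_hex(line):
    """Parse an OpenSSH public-key line; return the lines to paste into the
    public-key-code view (40 hex digits per line, grouped in 8s as in the guide)."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    assert fields[0] == b"ssh-rsa", "not an RSA key"
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    hexstr = pkcs1_der(n, e).hex().upper()
    rows = [hexstr[i:i + 40] for i in range(0, len(hexstr), 40)]
    return [" ".join(r[j:j + 8] for j in range(0, len(r), 8)) for r in rows]

def key_is_acceptable(hex_text, min_bits=2048):
    """Reject short moduli such as the 512-bit default offered in Step 3."""
    return parse_pkcs1_hex(hex_text)["bits"] >= min_bits

if __name__ == "__main__":
    key = parse_pkcs1_hex(GUIDE_HEX)
    print("guide key: %d-bit modulus, e=%d, acceptable=%s"
          % (key["bits"], key["e"], key_is_acceptable(GUIDE_HEX)))
    for row in openssh_to_vrp_hex(openssh_line(key["n"], key["e"])):
        print("[FW-rsa-key-code] " + row)
```

Run the script with no arguments to see the guide's own key rejected as too short and re-emitted in strict DER; in practice, feed `openssh_to_vrp_hex` the contents of PC2's id_rsa.pub and paste the printed rows between `public-key-code begin` and `public-key-code end`.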

1.7.3 Device Serving as the TFTP Client to Upload or Download Files Through TFTP

Context

As shown in Figure 1, PC2 serves as the TFTP server and the USG6000 acts as the TFTP client, uploading files to or downloading files from PC2 through TFTP. This method requires third-party TFTP server software to be installed on PC2.

NOTE

You can also use a single PC as both the Telnet/SSH client and the TFTP server. The following example uses the two-PC deployment.

Figure 1-57 Schematic diagram of uploading/downloading files through TFTP and with theUSG6000 serving as the TFTP client

Procedure

Step 1 Configure the TFTP server. Install the TFTP server program on PC2 and configure it using the documentation that comes with the program. This document assumes that you obtained the TFTP server program legitimately; the program itself is beyond the scope of this document. The following operation assumes that the root directory of the TFTP server is set to the storage path of the files to be uploaded or downloaded.

Step 2 Log in to the USG6000 from PC1 through Telnet/SSH.

Step 3 Upload files in storage media of the USG6000 to the TFTP server.


NOTICE
Due to limitations of third-party TFTP server software, TFTP upload of files larger than 16 MB may fail. Therefore, you are advised to use FTP to upload files larger than 16 MB.
Neither TFTP nor FTP authenticates the peer or protects the file in transit, and a TFTP server answers any host that can reach its UDP port. Run either only on an isolated management network and only for the duration of the transfer, and prefer the SFTP procedure in the preceding section where it is available.

Run the tftp ip-address put source-filename [ destination-filename ] command in the user view to upload files to the TFTP server. The following operation assumes that the IP address of the TFTP server is 192.168.0.2.

<FW> tftp 192.168.0.2 put test.bin

After the upload is complete, check whether the sizes of the files on the TFTP server are the same as those on the CF card. If not, re-upload the files to ensure that they are completely uploaded to the TFTP server. A matching size only shows that the transfer ran to completion; TFTP has no integrity protection, so compare a checksum as well where your tooling allows it.

Step 4 Download files from the TFTP server to the CF card of the USG6000.

Run the tftp ip-address get source-filename [ destination-filename ] command in the user view to download files from the TFTP server.

<FW> tftp 192.168.0.2 get temp.bin

After the download is complete, check whether the sizes of the files on the CF card are the same as those on the TFTP server. If not, re-download the files to ensure that they are completely downloaded to the CF card.

----End

1.8 Appendix D: Applying for a License

Context

The license file to be loaded on the device is a .dat file. This file is not delivered with the device and is generated independently by the license center of Huawei.

Procedure

Step 1 Obtain a license authorization code (Entitlement ID).

Find the license authorization certificate in the delivery accessories and obtain the EntitlementID, as shown in Figure 1.

NOTE

The license authorization certificate is delivered together with the product to the customer on A4 paper or on CD-ROM.


Figure 1-58 License authorization certificate

Step 2 Obtain an equipment serial number (ESN).

l Log in to the device in CLI mode and run the display esn command in any view to obtain the ESN.

l Log in to the device in Web mode and view the ESN under System Information on the Dashboard page.

Figure 1-59 System Information

Step 3 Obtain the license file from the license self-service.

Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure in the system help or the displayed information.

NOTICE
To apply for the licenses of multiple devices, make sure that each entitlement ID corresponds to the correct ESN. If you cannot obtain the license file, contact the local technical support personnel.

Step 4 You need to obtain a new license file if you want to expand the license capacity or use newfeatures that are subject to license control. In this case, follow the preceding steps to apply forthe new license.


The license center automatically combines the licenses for new features with the existinglicense, and generates a new license.

----End

1.9 Appendix E: Upgrade Record Table

Table 1-6 Upgrade Record Table

Office name:
Upgrade time:
Current version:
Target version:
Upgrade engineer:         Customer:                 Huawei:
Upgrade successful or not:

Check Item                       Result        Anomaly Handling
Check before the upgrade
Check of upgrade operations
Check after the upgrade

1.10 Appendix F: Abbreviations

Table 1-7 Abbreviations

AAA Authentication, Authorization and Accounting

ACL Access Control List

AUX Auxiliary port

CF Compact Flash

DNS Domain Name System

ESN Equipment Serial Number


FTP File Transfer Protocol

GRE Generic Routing Encapsulation

GTP GPRS Tunneling Protocol

HTTPS Hypertext Transfer Protocol Secure

ICMP Internet Control Message Protocol

IP Internet Protocol

IPS Intrusion Prevention System

IPSec IP Security

MPU Main Processing Unit

RADIUS Remote Authentication Dial in User Service

SPUA Service Processing Unit A

SSH Secure Shell

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

UDP User Datagram Protocol

VTY Virtual Type Terminal


2 USG9500

About This Chapter

2.1 Upgrade Preparation and Evaluation

2.2 Upgrading Version Software in Single-System

2.3 Upgrading Version Software in Dual-System Hot Backup

2.4 Appendix: Establishing the Upgrade Environment Through the Console Port

2.5 Appendix: Uploading and Downloading Files

2.6 Appendix: Activating the ESN

2.7 Appendix: Applying for a License

2.8 Appendix: Upgrade Record Table

2.9 Appendix F: Abbreviations

2.1 Upgrade Preparation and Evaluation

2.1.1 Supported Source Versions

This document applies to the USG9500 series.

For version software, the following scenarios are covered:

l Upgrade from V500R001C00SPC300 to V500R001C80SPC100

l Upgrade from V500R001C00SPC500 to V500R001C80SPC100

l Upgrade from V500R001C20SPC100 to V500R001C80SPC100

l Upgrade from V500R001C20SPC200 to V500R001C80SPC100

l Upgrade from V500R001C20SPC300 to V500R001C80SPC100


l Upgrade from V500R001C30SPC100 to V500R001C80SPC100
l Upgrade from V500R001C30SPC200 to V500R001C80SPC100
l Upgrade from V500R001C30SPC300 to V500R001C80SPC100
l Upgrade from V500R001C30SPC500 to V500R001C80SPC100
l Upgrade from V500R001C30SPC600 to V500R001C80SPC100
l Upgrade from V500R001C50 to V500R001C80SPC100
l Upgrade from V500R001C50SPC100 to V500R001C80SPC100
l Upgrade from V500R001C50SPC200 to V500R001C80SPC100
l Upgrade from V500R001C50SPC300 to V500R001C80SPC100
l Upgrade from V500R001C60 to V500R001C80SPC100
l Upgrade from V500R001C60SPC100 to V500R001C80SPC100
l Upgrade from V500R001C60SPC200 to V500R001C80SPC100
l Upgrade from V500R001C60SPC300 to V500R001C80SPC100
l Upgrade from V500R001C80 to V500R001C80SPC100

NOTICE
Before an upgrade from a patch version, run the patch delete all command to delete the patch.

The following versions cannot be directly upgraded to V500R001C80SPC100. Instead, they must first be upgraded to V500R001C30SPC100. For details, see HUAWEI USG6000&USG9500 V500R001C30SPC100 & NGFW Module V500R002C00SPC100 Upgrade Guide.

l V500R001C00SPC300
l V500R001C00SPC500
l V500R001C20SPC100
l V500R001C20SPC200
l V500R001C20SPC300

Among them, V500R001C20SPC100, V500R001C20SPC200, and V500R001C20SPC300can have the patch V500R001SPH002 installed before the upgrade.


NOTICE
1. Patch upgrades cannot be performed in BootROM.

2. V3 upgrades are not recommended. If there are such requirements, contact Huawei engineers.

3. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Other versions can be rolled back directly.

4. In V500R001C30, api call-home host and api call-home connect commands are used inthe API view to configure call-home. In V500R001C50, these commands are used in thesystem view. If you save the configuration in V500R001C50 and then roll back the systemto V500R001C30, the two commands are lost. In this case, you must manually add the twocommands after rollback.

Note the following items for patch upgrades:

l After activating the patch and setting the startup configuration file, ensure that the patch isin activated state when the reboot or reboot fast command is used to restart the system.Otherwise, the system restart may fail.

l If the patch is mistakenly deleted and the system restart fails after the startup configurationfile is set, you must re-activate the patch and restart the system again. For a high-endfirewall with dual MPUs, check whether the patch status of both MPUs is normal. If not,delete the patch and then install and activate it again.

2.1.2 Hardware Support

Table 2-1 lists all boards applicable to the USG9500, including MPUs, SPUs, SFUs, and LPUs. The USG9500 has many historical boards and software versions, and certain scenarios do not support the upgrade or have restrictions. Before the upgrade, read this section carefully and confirm that the current hardware configuration meets the upgrade requirement.

Table 2-1 Supported hardware

Board  BOM       Model                    First Version That Supports This Hardware  Whether to Support Upgrade to V500R001C00
MPU    0305G06R  SU9DMPUD0100             V200R001C00                                Yes
MPU    03056305  E8KE-X3-MPU              V500R001C00                                Yes
MPU    0305G06S  EKEX8-FWCD00SRUA00       V200R001C00                                No
MPU    0305G08N  E8KE-X8-SRUA-200         V200R001C01                                Yes
MPU    0305G06U  EKEX16-FWCD00MPUB00      V200R001C00                                Yes
SPU    0305G09N  SPU-X3-40-E8KE           V300R001C00                                Yes
SPU    0305G09P  SPU-X8X16-40-E8KE        V300R001C00
SPU    0305G09Q  SPU-X8X16-80-E8KE        V300R001C00
SPU    0305G0B2  SPU-X3-B                 V300R001C00
SPU    0305G09Q  SPU-X8X16-B              V300R001C00
SPU    0305G09T  SPU-X3-20-O-E8KE         V300R001C00
SPU    0305G09U  SPU-X8X16-20-O-E8KE      V300R001C00
SFU    0305G08P  E8KE-X8-SFUC-200         V200R001C01                                Yes
SFU    0305G08Q  E8KE-X16-SFUC-200        V200R001C01                                Yes
SFU    0305G06T  EKEX8-FWCD00SFUD00       V200R001C00                                No
SFU    0305G06V  EKEX16-FWCD00SFUG01      V200R001C00                                No
LPU    0305G051  LPUF-21                  V300R001C00                                Yes
LPU    0305G074  LPUF-40-A                V200R001C00                                Yes
LPU    0305G09H  LPUF-101                 V300R001C01                                Yes
LPU    03056306  LPUF-120                 V500R001C00                                Yes
LPU    03056307  LPUF-240                 V500R001C00

The restrictions of boards on the upgrade are as follows:

1. The LPUF-21 and LPUF-40-A do not support the MPLS MTU function.Solution: Use the LPUF-101, LPUF-120 or LPUF-240 to replace the LPUF-21 orLPUF-40-A if necessary.

Before the upgrade, you must collect information about the boards on the device.


In the system or user view, run the display esn all command to view the BOM codes of all boards. Compare the BOM codes in the P/N column with Table 2-1 to check whether the device can be upgraded to V500R001C80SPC100.

[USG9520] display esn all
2017-07-27 17:19:44.580 +08:00
Slot-Pic  Type                 S/N                     P/N
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1         LPU                  210305G07410EB000012    0305G074
1 -0      ETH_20XGF_N_CARD     210305G07610F1000001    0305G076
2         SPU                  21030569830000000000    03056983
2 -1      SPU_CARD_TYPE_SPCC   210305G09RZ0C8000001    0305G09R
4         MPU                  210305G06R10E7000090    0305G06R
5         MPU                  210305G06R10E7000090    0305G06R
8         PWR                  (null)                  (null)
9         PWR                  (null)                  (null)
10        FAN                  2102120514P0EC000415    02120514
/         BackPlane            210305G06R0000000000    0235G6QB

Pay attention to the P/N information about the boards in mother slots, not in sub-slots.

For the USG9520, pay attention to the boards in slots 1 to 3.

For the USG9560, pay attention to the boards in slots 1 to 8.

For the USG9580, pay attention to the boards in slots 1 to 16.
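As an added example that is not part of the Huawei guide, the following Python script automates the comparison described above: it parses display esn all output, keeps only mother-slot MPU, SPU, SFU and LPU boards (sub-slot cards, power modules, fans and the backplane are skipped, as the text says only mother-slot P/Ns matter), and looks each P/N up in Table 2-1. The table is transcribed from this section; a board whose support cell is blank in the table, or whose BOM does not appear in it at all, is reported as "not listed" rather than assumed supported. The sample output is the USG9520 listing shown above. Note that its slot 2 SPU (P/N 03056983) is not in Table 2-1, so the script flags it for confirmation before the upgrade.

```python
"""Pre-upgrade board check: parse `display esn all` and compare each
mother-slot board's P/N (BOM code) against Table 2-1 (added example)."""
import re

# Support column of Table 2-1 as printed in the guide. None records a
# blank cell; a BOM absent from this dict is treated as "not listed".
SUPPORTED_BOMS = {
    # MPU
    "0305G06R": True, "03056305": True, "0305G06S": False,
    "0305G08N": True, "0305G06U": True,
    # SPU
    "0305G09N": True, "0305G09P": None, "0305G09Q": None,
    "0305G0B2": None, "0305G09T": None, "0305G09U": None,
    # SFU
    "0305G08P": True, "0305G08Q": True, "0305G06T": False, "0305G06V": False,
    # LPU
    "0305G051": True, "0305G074": True, "0305G09H": True,
    "03056306": True, "03056307": None,
}
BOARD_TYPES = {"MPU", "SPU", "SFU", "LPU"}

# Constructed sample: the USG9520 output reproduced in the guide.
SAMPLE_OUTPUT = """\
[USG9520] display esn all
2017-07-27 17:19:44.580 +08:00
Slot-Pic  Type                 S/N                     P/N
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1         LPU                  210305G07410EB000012    0305G074
1 -0      ETH_20XGF_N_CARD     210305G07610F1000001    0305G076
2         SPU                  21030569830000000000    03056983
2 -1      SPU_CARD_TYPE_SPCC   210305G09RZ0C8000001    0305G09R
4         MPU                  210305G06R10E7000090    0305G06R
5         MPU                  210305G06R10E7000090    0305G06R
8         PWR                  (null)                  (null)
9         PWR                  (null)                  (null)
10        FAN                  2102120514P0EC000415    02120514
/         BackPlane            210305G06R0000000000    0235G6QB
"""

# slot, optional " -<subslot>", type, S/N, P/N
ROW_RE = re.compile(r"^(\d+|/)(?:\s+-(\d+))?\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_esn_all(text):
    """Return one dict per board row: slot, subslot (None for a mother
    slot), board type, serial number and P/N. Header and rule lines skip."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        slot, sub, btype, sn, pn = m.groups()
        rows.append({"slot": slot, "subslot": sub, "type": btype,
                     "sn": sn, "pn": pn})
    return rows

def check_boards(text, table=SUPPORTED_BOMS):
    """Classify every mother-slot MPU/SPU/SFU/LPU as 'ok', 'unsupported'
    or 'not listed'. Returns (slot, type, pn, verdict) tuples."""
    verdicts = []
    for row in parse_esn_all(text):
        if row["subslot"] is not None or row["type"] not in BOARD_TYPES:
            continue
        status = table.get(row["pn"], "absent")
        if status is True:
            verdict = "ok"
        elif status is False:
            verdict = "unsupported"
        else:  # blank cell (None) or not in the table at all
            verdict = "not listed"
        verdicts.append((row["slot"], row["type"], row["pn"], verdict))
    return verdicts

def upgrade_blocked(text, table=SUPPORTED_BOMS):
    """True if any mother-slot board is unsupported or cannot be confirmed."""
    return any(v != "ok" for _, _, _, v in check_boards(text, table))

if __name__ == "__main__":
    for slot, btype, pn, verdict in check_boards(SAMPLE_OUTPUT):
        print("slot %-3s %-4s %-9s %s" % (slot, btype, pn, verdict))
    print("upgrade blocked" if upgrade_blocked(SAMPLE_OUTPUT) else "hardware clear")
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) and treat any "unsupported" or "not listed" line as a stop condition to raise with Huawei support before scheduling the upgrade window.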

2.1.3 Upgrade Impact

2.1.3.1 Upgrade Impact from V500R001C80

2.1.3.1.1 Impact of Feature Changes

New features

None

Modified features

Feature: SSL VPN
Change description: Languages of multiple countries are supported.
Cause: The function is enhanced to improve user experience.
Impact of the upgrade: None

Feature: License
Change description: The following two alarms are added:
l Emergency recovery license is about to expire, and the remaining lifetime is displayed.
l Emergency recovery license has expired.
Cause: License status can be learned in advance.
Impact of the upgrade: None

Feature: URL/IM audit
Change description: This feature adapts to login logs of WeChat running on iOS V6.5.9, Android V6.6.31, or a later version.
Cause: The function is enhanced to improve user experience.
Impact of the upgrade: None

Feature: PKI
Change description: The CA and device certificates are preconfigured in software packages.
Cause: CA and device certificates are not preconfigured in V500R001C30 and earlier versions. As a result, devices running these versions cannot communicate with the AC-Campus. A certificate is preconfigured in V500R001C80 to allow devices running these versions to communicate with the cloud platform.
Impact of the upgrade: None

Feature: BFD
Change description: BFD for IPv6 is supported.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: Cross-DC cluster
Change description: Cluster sessions to be backed up can be filtered based on the protocol, port, and lifetime.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: Session logs
Change description: Packet loss logs can be sampled and then sent.
Cause: The packet loss logging function is enhanced.
Impact of the upgrade: None

Feature: IPSec
Change description: The maximum IPSec anti-replay window size can be 8K.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: IPSec
Change description: IPSec supports the DH18 algorithm.
Cause: The function is enhanced.
Impact of the upgrade: None

Feature: IPSec
Change description: Interworking between multi-VPN instance and IPSec is supported.
Cause: The function is enhanced.
Impact of the upgrade: None

Deleted FeaturesNone

2.1.3.1.2 Impact of Command Changes

New Commands

The upgrade impact of every command listed here is None.

[ undo ] ppp accm { accm | enable }
    Enables or disables the PPP ACCM function.

display inventory ne-id ne-id
    Displays the inventory data of a specific NE.

display rm bfd-session [ all | [ [ vpn-instance vpn-instance-name ] [ destination destination-address ] [ source source-address ] [ interface interface-type interface-number ] [ protocol { bgp | isis-l1 | isis-l2 | isis-l1l2 | ospf | rip | pim } ] ] ]
    Displays the configurations of BFD sessions in Route Management (RM), including the global status of BFD, the number of BFD sessions, and the VPN instance, destination address, source address, interface, and session status of each BFD session.

[ undo ] ipv6 route-static track bfd-session session-name STRING<1-15> admindown invalid
    Deletes the configured static routes.

ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ track bfd-session bfd-name | track nqa admin-name test-name ] [ description text ]
    Configures IPv6 static routes in a VPN instance.

ipv6 route-static dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ description text ]
    Configures IPv6 static routes (this form takes no VPN instance).

ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ preference preference | tag tag ] * [ description text ]
    Configures IPv6 static routes in a VPN instance.

ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length nexthop-ipv6-address [ public ] [ { preference preference | tag tag } * ] [ track bfd-session bfd-name | track nqa admin-name test-name | inherit-cost ] [ description text ]
    Configures IPv6 static routes in a VPN instance.

undo ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address prefix-length [ interface-type interface-number ] [ nexthop-ipv6-address ] [ { preference preference | tag tag } * ] [ track bfd-session ]
    Withdraws the IPv6 unicast static routes in a VPN instance.

undo ipv6 route-static track bfd-session [ session-name bfd-name ] admindown invalid
    Deletes the configured static routes.

display bgp ipv6 bfd session { [ vpnv6 vpn-instance vpn-instance-name ] peer ipv6-address | all }
    Displays information about the BFD session set up by BGP.

display bgp ipv6 bfd session all [ vpnv6 vpn-instance vpn-instance-name ]
    Displays information about the BFD session set up by BGP.

undo peer { ipv4-address | ipv6-address } bfd block
    Restores a peer to inherit the BFD function from its peer group.

undo peer { group-name | ipv4-address | ipv6-address } bfd enable
    Prohibits a peer from inheriting the BFD function from its peer group.

undo peer { group-name | ipv4-address | ipv6-address } bfd { min-tx-interval min-tx-interval | min-rx-interval min-rx-interval | detect-multiplier multiplier | wtr wtr-value } *
    Restores the default values of the BFD detection parameters.

peer { group-name | ipv4-address | ipv6-address } bfd enable [ single-hop-prefer ]
    Sets up a BFD session for a BGP peer or peer group.

undo peer { group-name | ipv4-address | ipv6-address } bfd { min-tx-interval | min-rx-interval | detect-multiplier | wtr } *
    Restores the default values of the BFD detection parameters.

display ospfv3 [ process-id ] bfd session [ interface-name | interface-type interface-number ] [ neighbor-id ] [ verbose | all ]
    Displays bidirectional forwarding detection (BFD) session information of all OSPFv3 processes.

bfd all-interfaces enable
    Enables BFD in the IS-IS process.

bfd all-interfaces { min-transmit-interval min-transmit-value | min-receive-interval min-receive-value | detect-multiplier detect-multiplier-value } *
    Enables BFD for OSPFv3 or configures the BFD parameters for OSPFv3.

ospfv3 bfd block [ instance instance-id ]
    Blocks the BFD session dynamically created by an interface.

ospfv3 bfd { min-transmit-interval min-transmit-value | min-receive-interval min-receive-value | detect-multiplier detect-multiplier-value } * [ instance instance-id ]
    Enables BFD on the specified OSPFv3-enabled interface, or sets the parameter values of the BFD session on that interface.

undo bfd all-interfaces enable
    The undo form of bfd all-interfaces enable; disables process-level BFD.

undo bfd all-interfaces { min-transmit-interval [ min-transmit-value ] | min-receive-interval [ min-receive-value ] | detect-multiplier [ detect-multiplier-value ] } *
    Disables BFD for OSPFv3 or unconfigures the BFD parameters for OSPFv3. By default, BFD is not enabled or configured at the OSPFv3 process level.

display dns-filter safe-search cache [ slot slot-id cpu cpu-id ]
    Displays the cache information of the safe search function of DNS filtering.

reset dns-filter safe-search cache { all | type { bing | google | youtube } }
    Clears the cache information of the safe search function of DNS filtering.

undo banner enable
    Disables the display of the system banner.

undo web-manager security verify-ssl-peer
    Disables bidirectional certificate authentication between the FW and the client. After this command the web manager no longer verifies a client certificate, so leave the check enabled wherever client certificates are deployed for management access.

undo web-manager security ca-certificate ca-certificate-name
    Deletes the CA certificate specified for the FW to authenticate the client certificate.

web-manager security ca-certificate ca-certificate-name
    Specifies the CA certificate used by the FW to authenticate the client certificate.

undo gawa-log non-certificate
    Restores the requirement that the server certificate be validated when log files are uploaded to the FTPS server.

file-upload name name ftps ip-address [ port port ] user user-name password password [ directory directory | certificate certificate-name ] *
    Enables the function of uploading files to an FTP or FTPS server.

hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] [ secondary | third ]
    Configures an HWTACACS accounting server.

ldap-server source { loopback interface-number | ip-address ip-address | vlanif interface-number }
    Configures the source IP address that the device uses when sending packets to the LDAP server.

undo ldap-server source
    Restores the default configuration. By default, when the device sends packets to the LDAP server, the IP address of the actual outbound interface is used as the source IP address.

ad-server source { loopback interface-number | ip-address ip-address | vlanif interface-number }
    Configures the source IP address that the device uses when sending packets to the AD server.

undo ad-server source
    Restores the default configuration.

debugging hardware fast-forwarding filter acl acl-number [ number packet-number ]
    Enables filtering of hardware fast forwarding debugging information.

undo debugging hardware fast-forwarding filter
    Disables filtering of hardware fast forwarding debugging information.

failover commit
    Submits SPU backup configurations.

display firewall scale statistic session
    Displays statistics on session entries migrated after SPU scaling or after the SPU backup status changes.

firewall scale finish
    Terminates scaling tasks.

display cluster channel status verbose [ backup | forward | negotiation ] [ node-id ]
    Displays detailed information about the cluster channel status.

undo cluster session-sync filter enable
    Disables the cluster session synchronization filtering function.

cluster session-sync filter id id { exclude | include } { protocol { protocol-type [ port port-number ] | protocol-number } | existed-time existed-time } *
    Sets filtering conditions for cluster session synchronization.

undo cluster session-sync filter id id
    Deletes filtering conditions for cluster session synchronization.

undo cluster channel forward heartbeat enable
    Disables heartbeat detection in the cluster forwarding channel.

display cluster channel drop-statistics [ backup { dataplane | management [ node-id ] } | negotiation management [ node-id ] | node-id ]
    Displays statistics on packets dropped in the cluster channel.

display cluster negotiation status [ history | verbose ]
    Displays the cluster negotiation status information.

reset cluster negotiation { history | statistics }
    Clears cluster negotiation information.

Modified Commands

Each entry gives the original command, the new command, and the change description. No upgrade impact is recorded for any of these entries.

Original: undo debugging policy accelerate slot slot-id cpu cpu-id
New: undo debugging policy accelerate { all | error | event } slot slot-id cpu cpu-id
Change: The command disables the debugging function of policy backup-based acceleration.

Original: display user-manage group-in-basedn STRING<1-256> { ldap | ad | tsm } template STRING<1-32>
New: display user-manage group-in-basedn STRING<1-258> { ldap | ad | tsm } template STRING<1-32>
Change: The value range is extended.

Original: group-filter STRING<1-256>
New: group-filter STRING<1-258>
Change: The value range is extended.

Original: security-group-filter STRING<1-256>
New: security-group-filter STRING<1-258>
Change: The value range is extended.

Original: server basedn STRING<1-256>
New: server basedn STRING<1-258>
Change: The value range is extended.

Original: server searchdn STRING<1-256>
New: server searchdn STRING<1-258>
Change: The value range is extended.

Original: undo server searchdn STRING<1-256>
New: undo server searchdn STRING<1-258>
Change: The value range is extended.

Original: undo user-filter { STRING<1-256> | all }
New: undo user-filter { STRING<1-258> | all }
Change: The value range is extended.

Original: user-filter STRING<1-256>
New: user-filter STRING<1-258>
Change: The value range is extended.

Original: display protocol-identify { STRING<1-32> | all } [ slot INTEGER<1-16> cpu INTEGER<0-3> ]
New: display protocol-identify { STRING<1-256> | all } [ slot INTEGER<1-16> cpu INTEGER<0-3> ]
Change: The value range is extended.

Original: reset protocol-identify { STRING<1-32> | all }
New: reset protocol-identify { STRING<1-256> | all }
Change: The value range is extended.

Original: diagnose ipsec peer [ X:X::X:X ] [ timeout INTEGER<10-120> ]
New: diagnose ipsec peer X:X::X:X [ timeout INTEGER<10-120> ]
Change: The command had been registered twice; the peer address is now mandatory.

Original: diagnose ipsec peer vpn-instance STRING<1-31> [ X:X::X:X ] [ timeout INTEGER<10-120> ]
New: diagnose ipsec peer vpn-instance STRING<1-31> X:X::X:X [ timeout INTEGER<10-120> ]
Change: The command had been registered twice; the peer address is now mandatory.

Original: undo user STRING<1-63>
New: undo user TEXT0
Change: In V5, the IKE user ID cannot contain Chinese characters.

Original: diagnose ipsec peer [ vpn-instance STRING<1-31> ] [ X:X::X:X ] [ timeout INTEGER<10-120> ]
New: diagnose ipsec peer [ vpn-instance STRING<1-31> ] X:X::X:X [ timeout INTEGER<10-120> ]
Change: The command had been registered twice; the peer address is now mandatory.

Original: hardware fast-forwarding filter advanced { protocol { tcp | udp | sctp | icmp | gre | INTEGER<0-255> | default } { existed-time INTEGER<1-36000> | packet-rate INTEGER<1-65535> | average-packet-length INTEGER<46-9600> | packet INTEGER<2-65535> | byte INTEGER<46-4294967295> } * }&<1-8>
New: hardware fast-forwarding filter advanced { protocol { tcp | udp | sctp | icmp | gre | INTEGER<0-255> | default } { existed-time INTEGER<1-36000> | packet-rate INTEGER<1-65535> | average-packet-length INTEGER<46-9600> | packet INTEGER<6-65535> | byte INTEGER<46-4294967295> } * }&<1-8>
Change: The packet value range is changed from 2-65535 to 6-65535.

Original: reset cluster channel { management-plane | dataplane } statistics
New: reset cluster channel { management-plane | dataplane | forward } statistics
Change: The command is adjusted.

Original: display cluster backup { management-plane | dataplane } statistics
New: display cluster backup statistics
Change: The command is adjusted.

Original: display cluster channel { lpu-statistics | fpath-statistics | message-statistics | drop-statistics }
New: display cluster channel { lpu-statistics | fpath-statistics }
Change: The command is adjusted.

Original: display cluster tracked-interface
New: display cluster { tracked-interface | tracked-vrrp }
Change: The command is adjusted.

Original: reset cluster backup { management-plane | dataplane } statistics
New: reset cluster backup statistics
Change: The command is adjusted.

Deleted Commands

Command: statistic enable
Cause of deletion: The VLAN statistics function is not supported.
Impact: The command configuration is lost after the upgrade.

2.1.3.1.3 Impact of Licenses

The license can still be used after the upgrade from V500R001C80 to V500R001C80SPC100.

2.1.3.1.4 Dynamic Loading

Note that you must dynamically load the dynamic features after the upgrade fromV500R001C80 to V500R001C80SPC100. Otherwise, these features are unavailable.

The dynamic loading packages are as follows:

l The content security package is divided into the content security package (basic) and the content security package (enhanced).
Content security package (basic): provides content security-related functions. Device performance is affected if multiple content security-related functions are enabled. Purchase these functions based on service requirements.

File filtering
    Blocks the specified types of files to prevent downloads of files infected by malware and viruses or uploads of dynamic files to the Internet.

Content filtering
    Prevents dynamic information leaks.

Mail filtering
    Controls email sending and receiving to prevent spam, anonymous mails and data leaks.

Application behavior control
    Implements refined control over HTTP- and FTP-based behavior.

URL session log
    The device parses the URLs of the accessed websites and sends them to the log server in session logs.

SSL-Encrypted Traffic Detection
    Decrypts SSL traffic for content security detection and audit.

- Content security package (enhanced): provides audit and smart DNS. Enabling multiple content security-related functions simultaneously affects the device processing capability. Therefore, purchase functions as required.


Item: Description

Audit: The Audit and audit profile are used to record the Internet access behavior for future audit and analysis.

Intelligent DNS: Intelligent DNS is used to provide different server IP addresses for different ISP users so that the ISP users can access intranet services using their own ISP networks. By doing so, intelligent DNS ensures minimized delay and optimal service experience.

- URL Remote Query package:

Item: Description

URL remote query: This component is required when the URL filtering function is used to query predefined URL categories. After this component is loaded, the firewall can use the URL remote query function to obtain predefined URL categories.

URL reputation: This component is required when the URL filtering function is used to detect URL reputation. After this component is loaded, the firewall can check the credibility of URLs and block URLs with low credibility.

Feedback enhancement: This component is used to enhance the user experience improvement program. After this component is loaded, the firewall provides the function of viewing historical feedback records and detecting and reporting dynamic fields.

- Cloud Sandbox Component Package: In cloud sandbox detection, the device extracts files transmitted over the network and sends them to the cloud sandbox for in-depth detection of whether they contain APT attack traffic. The device periodically obtains analysis results from the sandbox. If the sandbox detects malicious traffic, it instructs the device to block the traffic.

- The dynamic load component package must be compatible with the version software. Therefore, ensure that the component package of the corresponding version is available.

- The dynamic load component package is license-controlled and unavailable by default. You must dynamically load a component package to use the corresponding feature.

- You must dynamically load the dynamic load component package after the upgrade to V5. Otherwise, the corresponding features are unavailable.

- The corresponding feature configurations do not take effect immediately after the dynamic component package is loaded. You must leave the configurations unsaved and restart the device. Then, the device will load and save the configurations and restore services.

- If the version is upgraded to V500R001C80 or a later version for the first time, the matching full content security package can still be used. After the upgrade succeeds, the basic and enhanced content security packages should be used.

- The content security component of V500R001C80 cannot be directly installed and loaded or set to the package for next startup in V500R001C80. It can be set to the package for next startup only in versions earlier than V500R001C80.


- Before the upgrade from versions earlier than V500R001C80 to V500R001C80, the content security package for next startup can be set to the one in V500R001C80, because versions earlier than V500R001C80 cannot identify the basic content security package or the enhanced content security package.

- After the content security component is upgraded from versions earlier than V500R001C80 to versions later than V500R001C80, the function is not affected, but the basic content security component and enhanced content security component cannot be loaded.

- To upgrade the content security package that has been upgraded from V500R001C60 or earlier versions to V500R001C80, cancel the current package for next startup, set a package for next startup, and restart the device.

2.1.3.2 Other Upgrade Impacts

- Eth-Trunk
Only the USG9500 supports the trunk max member number command. By default, the USG9500 supports a maximum of 16 Eth-Trunk member interfaces. Running the trunk max member number command starts the switching mode. The switching is complete within five minutes. The command cannot be used during the switching period. If you run this command again during the switchover, the message "Error: The command cannot be configured during the mode switching." is displayed.
The maximum number of Eth-Trunk member interfaces can be switched to 32 only when the device has only the LPUF-240, LPUF-120, and LPUF-101. When the device has the LPUF-40-A or LPUF-21, the maximum number of Eth-Trunk member interfaces cannot be switched to 32. When the maximum number of Eth-Trunk member interfaces is switched to 32 on a device that has the LPUF-40-A or LPUF-21, the LPUF-40-A or LPUF-21 fails to be powered on.
When any of the lower threshold set using the least active-linknumber link-number command, the upper threshold set using the max active-linknumber link-number command, or the weight of an Eth-Trunk member interface set using the distribute-weight weight-value command is greater than 16, the maximum number of Eth-Trunk member interfaces cannot be switched back to 16.

NOTICE
Changing the maximum number of Eth-Trunk member interfaces causes service interruptions on the Eth-Trunk interface. After the switchover completes, the service is restored to normal.

- Impact of switching the encoding format to UTF8.
V500R001C80 supports UTF8 encoding. Note the following points when switching the encoding format:
  - If there are online users during transcoding, the device is automatically restarted. After the device restart is complete, the converted user information takes effect.
  - Command lines do not support encoding format rollback. After the transcoding is complete, the old configuration file and user database file are stored:


<sysname> dir /charset_backup/
Idx  Attr   Size(Byte)  Date         Time      FileName
  0  -rw-       35,840  Nov 03 2017  15:30:34  usermanage.db
  1  -rw-       59,141  Nov 03 2017  18:20:00  charset_back.cfg

  - To roll back to the previous encoding format, set charset_back.cfg as the configuration file for next startup, copy usermanage.db to the umdb/umsystem/ directory to overwrite the user database file, and run the delete log sdb command in the system view to delete log-related files. Then restart the device.

  - In the hot standby scenario, the encoding format switching can be performed only in the active/standby hot standby environment, not in the load-balancing hot standby environment.

  - In the hot standby scenario, complete the encoding format switching on the standby device, perform an active/standby device switchover, and then complete the encoding format switching on the new standby device.

- Impact on MIB nodes: Use the mapping MIB database.

- Impact on the SSL VPN client:
  - When a plug-in is updated, the local device needs to obtain the new SecoClient.
  - During version upgrade, you are advised to upgrade the matching SecoClient program so that new functions can work properly. For example, SecoClient 1.50.2 applies to V500R001C50.

- DSVPN
DSVPN is incorporated in V500R001C50 and later versions. However, DSVPN does not support hot standby.

NOTE

Although DSVPN does not support service backup between two devices, active/standby hot standby can be implemented for load balancing or fault tolerance. If the active device or the link of a service interface fails, an active/standby device switchover can be performed. The standby device automatically takes over services. Traffic interruption may occur during the active/standby device switchover.
The service restoration time on the active and standby devices is related to the registration interval configured using the nhrp registration interval command and the entry aging time configured using the nhrp entry holdtime seconds command.

- Impact on the signature databases: After the software version is upgraded, you must upgrade the signature databases as well.

- Impact on the web database: In V500R001C50 and later versions, the web database type is changed to SQL. The user web database can be upgraded smoothly. However, to ensure availability and version rollback, back up the database to the local PC. That is, use FTP to export /hda1/webuserinfo.db from the device.

- Impact on ACLs: If ACLs are used to control SNMP, SSH, TELNET, WEB, API, FTP, and NTP access, check whether the referenced ACL and the accessed interface are in the same VPN instance. If not, the administrator cannot log in to the device. In this case, modify the configuration; that is, bind the ACL to the corresponding VPN instance. The problem will not occur after V1 is upgraded to V500R001C30. For the upgrade from V500R001C00 to V500R001C30 to the current version, check whether the configuration meets the preceding rule. If the ACL should be bound to a VPN instance, bind it. For example, before the modification the ACL is not bound to the VPN instance (acl number 3000); after the modification, the ACL is bound to the corresponding VPN instance (acl number 3000 vpn-instance default).

- Local sandbox login port change: In V500R001C80SPC100 and later versions, after local sandbox association succeeds, the default port on the System > Sandbox > Local Sandbox > Login to Local Sandbox page on the web UI changes from 443 to 32229.

- One-click trial of the cloud sandbox function: V500R001C60SPC100 supports the interworking between the FW and the cloud sandbox. The interworking protocol is HTTPS and is determined by the device certificate file. To upgrade a version earlier than V500R001C60SPC100 to V500R001C60SPC100, contact R&D engineers to generate the corresponding device certificate and import it to the device.

2.1.4 System Software

The system software required for the upgrade includes the system software (*.cc), the PAF file, and the license file.

- During the upgrade, select the system program according to the product model.

Product Model: USG9520, USG9560, USG9580
System Software: USG9500_version-number.cc
Example: USG9500V500R001C80SPC100.cc

- During the upgrade, select the PAF file paf_USG_X.txt.
- During the upgrade, select the license file license_USG_X.txt.

2.2 Upgrading Version Software in Single-System

2.2.1 Impact of the Upgrade

2.2.1.1 Impact on the Current System During the Upgrade

When upgrading the software version while the device is running, you need to restart the USG9500 to make the new software version effective, which interrupts services.

When to restart the USG9500 for the upgrade depends on your requirements. Choose a suitable upgrade time to minimize the impact on services.

2.2.2 Precautions

During the upgrade, take the following precautions:


1. Ensure a stable power supply during the upgrade and avoid power failures. If the device cannot start normally after a power failure, try to upgrade in BootROM mode. For details, see section Upgrade Through BootROM.

2. The registration of boards takes a period of time. After the device is restarted, do not perform any operations until all the boards are registered. When you run the display device command to display the registration status of a board, Registered is displayed in the Register field and Normal is displayed in the Status field.

3. Do not use the USB port of the MPU for version upgrade.

4. In case of dual MPUs, if one MPU is faulty and you replace it with a new one, you must upgrade the new one. For details, see "Appendix: Upgrading the MPU."

2.2.3 Upgrade Flow

Figure 1 shows the flow for upgrading to V500R001C80SPC100 from an earlier version.

Figure 2-1 Upgrade flowchart

Table 2-2 Upgrade overview (columns: Category, Item, Operation, Objective)

Information collection
- Part information: Run the display device and display esn all commands. Objective: to collect hardware information and the device ESN, including the BOM code.
- Version information: Run the display version command. Objective: to collect the software version information, and to check whether the associated NMS needs to be upgraded. If the NMS version does not match, do not perform the upgrade.
- License information: Run the display license command. Objective: to collect the license information.

Data backup
- Configuration file: Save the software package and export it to a local PC. Objective: to back up the currently used configuration file.
- Software version: Save the software package and export it to a local PC. Objective: to back up the currently used software package.
- License file (license.dat): Save the software package and export it to a local PC. Objective: to back up the currently used license file.
- Patch file: Save the software package and export it to a local PC. Objective: to back up the currently used patch file.
- User management database (usermanage.db): Save the software package and export it to a local PC. Objective: to back up the currently used user management database (upgrade from V500R001 or later versions).
- Dynamic feature component packages: Save the software package and export it to a local PC. Objective: to back up the dynamic feature component files loaded in the system (upgrade from V500R001 or later versions).

Upgrade preparation tool
- V500R001C80SPC100 version software: Obtaining the Version Software Required By the Upgrade. Objective: to convert the source configuration files accordingly.

V500R001C80SPC100 version software
- V500R001C80SPC100 version software: Obtaining the Version Software Required By the Upgrade. Objective: V500R001C80SPC100 version software.
- paf file: Obtaining the Version Software Required By the Upgrade. Objective: select the paf.txt file.
- Chassis license file: Obtaining the Version Software Required By the Upgrade. Objective: select the license_HUAWEI_X.txt file.
- (Optional) Dynamic feature component package: Downloading Dynamic Feature Component Packages. Objective: to download the dynamic feature component package.
- (Optional) Signature database update file: Obtaining the Version Software Required By the Upgrade. Objective: to update the signature databases.

Configuration analysis
- License file analysis: See "Impact of Command Changes" in Upgrade Impact. Objective: to analyze the display license command output and check whether the license file needs to be converted or merged according to the description in section License Impact.
- Importing Files for the Upgrade: Importing Files for the Upgrade. Objective: to import the license file, the configuration file, and the dynamic feature component package, and to specify the startup configuration file.

Upgrade operations (operations performed after the device is isolated from the service environment)
- Upgrade to V500R001: Upgrade to V500R001. Objective: restart the device to complete the upgrade to V500R001C80SPC100; specify the startup configuration file; load the license file for V500R001C80SPC100 but do not save the configuration.

Upgrade verification
- Upgrade verification: Verifying the Upgrade. Objective: to verify the upgrade.

Version rollback
- Version rollback: Version rollback. Objective: to import backup data; to specify the configuration file for the next startup; (optional) to apply for the license of the source version and activate it.

2.2.4 Preparations for the Upgrade

2.2.4.1 Obtaining the Version Software Required By the Upgrade

Context

You need to collect the following files for the upgrade:

1. System program (*.cc): the file whose file name extension is .cc.
   (USG9520) USG9500V500R001C80SPC100.cc: its size is 463,551,738 bytes.
   (USG9520) USG9500V500R001C80SPC100PWE.cc: its size is 434,283,593 bytes.
   (USG9560&USG9580) USG9500V500R001C80SPC100.cc: its size is 421,527,550 bytes.
   (USG9560&USG9580) USG9500V500R001C80SPC100PWE.cc: its size is 392,321,837 bytes.

2. License file: a version information file. Select the license_USG_X.txt file.

3. PAF file: a version information file. Select the paf_USG_X.txt file.

You need to prepare the following documents for reference:

HUAWEI USG6000&USG9500 V500R001C80SPC100 Upgrade_guide

HUAWEI USG6000&USG9500 V500R001C80SPC100 Release Notes

Procedure

Step 1 Log in to the homepage of Huawei at .

Step 2 If you are not a registered user, go to Step 3 to register first. If you are already a registered user, go to Step 4 to log in.

Step 3 Click Register and register with the system according to the prompt. After the registration succeeds, you will obtain your account and password. Keep them safe.


Step 4 Enter the user name, password, and displayed verification code, and then click Login.

Step 5 Click SUPPORT, choose "USG9500", and download the software and release documents.

----End

2.2.4.2 Downloading Content Security Feature Component Packages

Context

Content security feature component packages are not released along with the software package. You must access the security center website and load the packages in online mode, or download and load them locally.

In V500R001, the following content security features compose the content security component package: file blocking, data filtering, application behavior control, mail filtering, smart DNS, and audit.

Procedure

Step 1 Access the Huawei security center at http://sec.huawei.com/sec (Internet Explorer 8.0 or later, or Firefox).

Step 2 Expand the USG tab and select the product model and version, such as USG9520 - V500R001C80SPC100.

Step 3 Select and download the component package. The component packages are as follows:

URLRMT: component package for the URL remote query feature.

CSG: content security component package, including file blocking, data filtering, application behavior control, mail filtering, smart DNS, and audit.


NOTE

Other tabs on this page, such as AV, CNC, and IPS, are signature databases, irrelevant to content security feature component packages.

The content security feature component package to be loaded must be compatible with the system software.

----End

2.2.4.3 Preparing the Upgrade Environment

Prerequisites

Before the upgrade, you need to log in to the CLI of the USG9500 to prepare the upgrade environment.

By default, IP address 192.168.0.1 has been set for interface GigabitEthernet 0/0/0 on the MPU of the USG9500, or another accessible IP address has been set on the device.

- You can use this IP address and the default user name admin and password Admin@123 to log in to the CLI of the USG9500 through Telnet.

- If the Telnet configuration is canceled or you want to use SSH for the login, log in to the USG9500 from the console port to build the Telnet or SSH environment. For details, see chapter "Appendix: Establishing the Upgrade Environment Through the Console Port." You are advised to use SSH to log in to the USG9500 to secure data transfer.

Preparing Upgrade Tools

It is recommended that you prepare the following tools for upgrade:

- Login tool
Login tools help you log in to the device through the console port, Telnet, or SSH. This document uses the tool in Windows as an example. In practice, it is recommended that you use a legitimate third-party tool, for example, SecureCRT, to log the upgrade operations in detail.

- File comparison tool
File comparison tools help you compare the configuration files before and after the upgrade for configuration loss. In practice, it is recommended that you use a legitimate third-party tool, for example, Beyond Compare.

- Inspection tool
Inspection tools, SmartKit NSE2700 for example, help you comprehensively inspect the device after the upgrade to ensure no problems exist. In practice, it is recommended that you use a version of the inspection tool that is applicable to the target version.
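As an added example that is not part of this guide, the following Python script does the comparison the file comparison tool step calls for: it parses an exported configuration from before and after the upgrade, reports commands that disappeared, and marks the loss of the VLAN statistic enable command (listed under Deleted Commands) as expected. Both configuration fragments are constructed samples; the sysname and addresses in them are hypothetical.

```python
"""Added example: compare a pre-upgrade and a post-upgrade USG configuration
and report lost commands, separating losses the Deleted Commands table
predicts from losses that need investigation."""
from typing import Dict, List, Tuple

# Constructed sample: fragment of the configuration exported before the upgrade.
PRE_UPGRADE_CFG = """\
#
 sysname USG9500-A
#
vlan 100
 statistic enable
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
return
"""

# Constructed sample: the same configuration exported after the upgrade.
# The VLAN "statistic enable" command is gone, as the Deleted Commands table warns.
POST_UPGRADE_CFG = """\
#
 sysname USG9500-A
#
vlan 100
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
return
"""

# Commands the guide lists as deleted in this version, with the stated cause.
DELETED_COMMANDS = {
    "statistic enable": "The VLAN statistics function is not supported.",
}


def parse_blocks(cfg: str) -> Dict[str, List[str]]:
    """Split a VRP-style configuration into {view header: [sub-commands]}.

    A view starts with an unindented line (for example "vlan 100") and ends at
    the next "#" separator; commands inside a view are indented by one space.
    Top-level commands such as sysname are collected under the "" key.
    """
    blocks: Dict[str, List[str]] = {"": []}
    header = ""
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line == "#" or line == "return":
            header = ""          # separator: back to the top level
            continue
        if line.startswith(" "):
            blocks[header].append(line.strip())
        else:
            header = line
            blocks.setdefault(header, [])
    return blocks


def find_lost_commands(pre: str, post: str) -> List[Tuple[str, str]]:
    """Return (view, command) pairs present before the upgrade but absent after.

    Order inside a view is ignored, so a cosmetic re-ordering by the new
    software is not reported as a loss; only membership matters.
    """
    before, after = parse_blocks(pre), parse_blocks(post)
    lost: List[Tuple[str, str]] = []
    for view, cmds in before.items():
        if view and view not in after:
            lost.append((view, "(entire view missing)"))
            continue
        kept = set(after.get(view, []))
        lost.extend((view, c) for c in cmds if c not in kept)
    return lost


def classify_losses(lost: List[Tuple[str, str]]):
    """Split losses into those the guide predicts and those needing attention."""
    expected, unexpected = [], []
    for view, cmd in lost:
        if cmd in DELETED_COMMANDS:
            expected.append((view, cmd, DELETED_COMMANDS[cmd]))
        else:
            unexpected.append((view, cmd))
    return expected, unexpected


if __name__ == "__main__":
    exp, unexp = classify_losses(find_lost_commands(PRE_UPGRADE_CFG, POST_UPGRADE_CFG))
    for view, cmd, cause in exp:
        print(f"expected loss   [{view}] {cmd}: {cause}")
    for view, cmd in unexp:
        print(f"UNEXPECTED loss [{view}] {cmd}")
```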

Preparing the Environment for the Upgrade Through CLI

The key to the upgrade through the CLI is how to transfer the version software to CF card 1 of the USG9500. Currently, the following modes are supported:

- FTP mode with the USG9500 as the FTP server
- FTP mode with the USG9500 as the FTP client


- TFTP mode with the USG9500 as the TFTP client
- SFTP mode with the USG9500 as the SFTP server

NOTICE
Use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 to transfer the version software. If you use an interface on the LPU to transfer the version software, use the FTP service rather than the TFTP service for the transfer.

The following is an example in which the USG9500 functions as an FTP server. This method is easy because it does not require a third-party FTP server. For details on other modes, see "Appendix: Uploading and Downloading Files." You are advised to use SFTP to transfer files to secure data transfer.

As shown in Figure 1, the USG9500 is configured as the FTP server and the version software is located on PC2, which serves as the FTP client. On PC2, log in to the FTP server and upload the version software to CF card 1 of the USG9500 through FTP.

NOTE

You can use only one PC on which you run both the Telnet/SSH client and the FTP client. To facilitate description, the network using two PCs is used as an example. The following steps apply to this two-PC network.

Figure 2-2 Schematic diagram of the USG9500 serving as the FTP server

Perform the following steps to configure the USG9500 as the FTP server:

1. On PC1, log in to the CLI of the USG9500 through Telnet or SSH. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are recommended to use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 for login. By default, the IP address for interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is admin, and the password is Admin@123. If both MPUs can be detected, use GigabitEthernet 0/0/0 on the active MPU for the upgrade. You can check whether the MPU is active through the ACT indicator on it. If the ACT indicator is on, the MPU is active. If the ACT indicator is off, the MPU is standby.

2. Enter the system view and start the FTP service. Configure a user account with user name ftpuser and password Admin@123, and specify the storage path of the FTP file. This storage path must be cfcard:. You can use other user accounts as required.
V500R001:
[sysname] ftp server enable
[sysname] aaa
[sysname-aaa] manager-user ftpuser
[sysname-aaa-manager-user-ftpuser] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-ftpuser] service-type ftp
Warning: The user access modes include Telnet or FTP, so security risks exist.
[sysname-aaa-manager-user-ftpuser] level 3
[sysname-aaa-manager-user-ftpuser] ftp-directory cfcard:/
[sysname-aaa-manager-user-ftpuser] quit
[sysname-aaa] quit

3. On PC2, log in to the FTP server to check whether the configurations are effective. The following uses the configuration of the Windows FTP client as an example. In practice, you are advised to use a legitimate third-party FTP client (such as Cute FTP) to transfer files.
  - Click Start and then Run. Enter cmd and then press Enter.
  - Enter ftp 192.168.0.1. This IP address is the one used when you log in to the USG9500 through Telnet or SSH.
  - Enter the user name after the User (192.168.0.1:(none)) prompt and the password after the Password prompt.
The following information is displayed:
C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>

If 230 User logged in. is displayed on the FTP client, you have logged in to the FTP server normally. After the configuration is verified, you can either keep this connection for further use, or exit from the FTP server and log in to it again when required.

Preparing for the Environment for the Upgrade Through Web (HTTPS)

As shown in Figure 2, the USG9500 is configured as the Web server and the version software is located on PC2. On PC2, log in to the USG9500 using the browser and then upload the version software to the CF card of the USG9500 through the Web.

To transfer the PAF file to the CF card of the USG9500, you need to configure PC2 as the FTP server so that the USG9500 can download the PAF file and license file from PC2 as an FTP client.

The Web service is enabled on the USG9500 by default. You can use the IP address 192.168.0.1 of interface GigabitEthernet 0/0/0 on the MPU and the default user name admin and password Admin@123 to log in to the web UI of the USG9500 through HTTPS. If you have disabled the Web service or deleted the default user, do as follows to reconfigure the service.

NOTE

You can use only one PC on which you run both the Telnet/SSH client and the browser/FTP server. To facilitate description, the network using two PCs is used as an example. The following steps apply to this two-PC network.

Figure 2-3 Schematic diagram of the USG9500 serving as the Web server

Do as follows to configure the USG9500 as the Web server:

1. On PC1, log in to the CLI of the USG9500 through Telnet or SSH. For the Telnet or SSH login method, see the related configuration example in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation. You are recommended to use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 for login. By default, the IP address for interface GigabitEthernet 0/0/0 is 192.168.0.1, the user name is admin, and the password is Admin@123. If both MPUs can be detected, use GigabitEthernet 0/0/0 on the active MPU for the upgrade. You can check whether the MPU is active through the ACT indicator on it. If the ACT indicator is on, the MPU is active. If the ACT indicator is off, the MPU is standby.

2. Enter the system view and start the Web service. Configure a user with user name webuser and password Admin@123 and the level of the Web user. You can use other user names and passwords as required.
[sysname] web-manager security enable
Info: Web server has been enabled.
[sysname] aaa
[sysname-aaa] manager-user webuser
[sysname-aaa-manager-user-webuser] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-webuser] level 3
[sysname-aaa-manager-user-webuser] service-type web
[sysname-aaa-manager-user-webuser] quit
[sysname-aaa] quit

3. On PC2, configure an IP address in the same network segment as GigabitEthernet 0/0/0. Log in to https://192.168.0.1:8443 using Internet Explorer on PC2 to verify the configurations.

If the login page of the Web server is displayed in the IE browser, and the login succeeds with webuser and Admin@123, you can log in to the Web server normally.

After the configuration is verified, you can either keep this connection for further use, or exit from the Web server and log in to it again when required.

4. Configure the FTP server.

This document does not provide the details about the FTP server program. Obtain the FTP server program in a legitimate way, and configure the program according to the related documents. Assume that you have already created an FTP user account whose name is 123 and password is 123, and specified the root directory of the user as the directory for saving the downloaded files.

Preparing for the Environment for the Upgrade Through CF card

When you use a CF card to upgrade the device, no network environment is required for transferring the version software. However, to verify the upgrade result, you still need to issue commands. Therefore, you need to build an environment in which you can log in to the device through the console port, Telnet, or SSH.

Preparing the Environment for the Upgrade Through BootROM

During the device startup, you can access the BootROM menu. In the BootROM environment, transfer the version software to CF card 1 of the device, specify this version software for the next startup, and restart the device.

NOTICE
Use interface GigabitEthernet 0/0/0 on the MPU of the USG9500 to transfer the version software.

The USG9500 currently allows you to transfer the version software to CF card 1 through FTP or TFTP in the BootROM menu. Whether you use FTP or TFTP, the USG9500 functions as the client that downloads the version software from the FTP or TFTP server. Figure 3 shows the network for this case. In both modes, you must install third-party FTP or TFTP server software on PC2.

NOTE

You can use only one PC on which you run both the HyperTerminal program and the FTP/TFTP server. To facilitate description, the network using two PCs is used as an example. The following steps apply to this two-PC network.


Figure 2-4 Schematic diagram of the USG9500 serving as the FTP/TFTP client

This section uses the USG9500 serving as the FTP client as an example.

This document does not provide the details about the FTP server program. Obtain the FTP server program in a legitimate way, and configure the program according to the related documents. Assume that you have already created an FTP user account whose name is 123 and password is 123, and specified the root directory of the user as the directory for saving the downloaded files.

2.2.4.4 Checking the Information About the Current Version Software

Example

In any view, run the display version command to check the information about the running version software. The following uses V500R001C30SPC100 as an example. Part of the output is omitted.

<USG9500> display version
Huawei Technologies Versatile Security Platform Software
Software Version: USG9520 V500R001C30SPC100 (VSP (R) Software, Version 5.70)
..........

In any view, run the display startup command to check the version software and configuration file in use. Record the underscored file names to facilitate file backup.

<USG9500> display startup
MainBoard:
  Configed startup system software:       cfcard:/v500r001c30spc100.cc
  Startup system software:                cfcard:/v500r001c30spc100.cc
  Next startup system software:           cfcard:/USG9520V500R001C80SPC100.cc
  Startup saved-configuration file:       cfcard:/config.cfg
  Next startup saved-configuration file:  cfcard:/config.cfg
  Startup paf file:                       cfcard:/paf.txt
  Next startup paf file:                  cfcard:/paf.txt
  Startup license file:                   cfcard:/license.txt
  Next startup license file:              cfcard:/license.txt
  Startup patch package:                  cfcard:/patchpackage.pat
  Next startup patch package:             cfcard:/patchpackage.pat
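As an added example that is not from this guide, the following Python helper parses display startup output, lists the currently used files that the backup rows of Table 2-2 say to export, and checks the next-startup file set before the reboot; it also applies the 64-character limit on the license file path stated in the NOTICE under "Checking the License In Use". The sample output is constructed to match the one shown above, and the target software name passed to preflight() is an assumption of the caller.

```python
"""Added example: pre-reboot checks on USG9500 'display startup' output."""
import re
from typing import Dict, List, Tuple

# Constructed sample, shaped like the display startup output in the guide.
DISPLAY_STARTUP = """\
<USG9500> display startup
MainBoard:
  Configed startup system software:       cfcard:/v500r001c30spc100.cc
  Startup system software:                cfcard:/v500r001c30spc100.cc
  Next startup system software:           cfcard:/USG9520V500R001C80SPC100.cc
  Startup saved-configuration file:       cfcard:/config.cfg
  Next startup saved-configuration file:  cfcard:/config.cfg
  Startup paf file:                       cfcard:/paf.txt
  Next startup paf file:                  cfcard:/paf.txt
  Startup license file:                   cfcard:/license.txt
  Next startup license file:              cfcard:/license.txt
  Startup patch package:                  cfcard:/patchpackage.pat
  Next startup patch package:             cfcard:/patchpackage.pat
"""

# Limit on "storage path and file name" of the license file stated in the guide.
MAX_LICENSE_PATH = 64


def parse_display_startup(text: str) -> Dict[str, str]:
    """Return {field name: file path} for every 'name: path' line of the output.

    Lines without a path after the colon (the prompt, "MainBoard:") are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]+?):\s+(\S+)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def files_to_back_up(fields: Dict[str, str]) -> List[str]:
    """Files currently in use (the 'Startup ...' rows): export these before upgrading."""
    return sorted({path for name, path in fields.items() if name.startswith("Startup ")})


def next_startup_changes(fields: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(item, current, next) for each item whose next-startup file differs from the current one."""
    changes = []
    for name, current in fields.items():
        if not name.startswith("Startup "):
            continue
        item = name[len("Startup "):]
        nxt = fields.get("Next startup " + item)
        if nxt is not None and nxt != current:
            changes.append((item, current, nxt))
    return changes


def preflight(fields: Dict[str, str], target_software: str) -> List[str]:
    """Problems that should stop the reboot; an empty list means ready.

    Only the system software is expected to change across the reboot; the
    configuration, PAF, license and patch files should stay as they are.
    """
    problems = []
    changes = next_startup_changes(fields)
    if "system software" not in {item for item, _, _ in changes}:
        problems.append("next startup system software is unchanged")
    for item, _, nxt in changes:
        if item == "system software":
            if not nxt.endswith(target_software):
                problems.append(f"next startup software is {nxt}, not {target_software}")
        else:
            problems.append(f"next startup {item} unexpectedly changed to {nxt}")
    license_path = fields.get("Next startup license file", "")
    if len(license_path) > MAX_LICENSE_PATH:
        problems.append(f"license path exceeds {MAX_LICENSE_PATH} characters")
    return problems


if __name__ == "__main__":
    parsed = parse_display_startup(DISPLAY_STARTUP)
    print("back up:", files_to_back_up(parsed))
    print("problems:", preflight(parsed, "USG9520V500R001C80SPC100.cc"))
```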

2.2.4.5 Checking the License In Use


Prerequisites

If the license function is not in use, skip this section.

Background Information

The licenses of the USG9500 comprise the commercial and non-commercial ones.

l Commercial licenses: licenses purchased under an official contract.

l Non-commercial licenses: licenses used for testing. They are time-limited; the usual validity period is three months.

Before the upgrade, perform the following procedure to check the current license and make sure that it is still valid.

Procedure

Step 1 Check information on the current license

Run the display license command in any view to check the license information.

NOTICE
The storage path and file name of the license.dat file together cannot exceed 64 characters.

<USG9500> display license
MainBoard:
  Device ESN is: 02734710
  The file activated is: cfcard:/license.dat
  The time when activated is: 2013/04/12 16:14:11
  Number of VPN Tunnels-R: 1000000
  Number of Virtual Systems: 4095
  GTP: Enable
  6RD Session Scale: 1280M
  NAT64 Session Scale: 1280M
  DS-Lite Session Scale: 1280M
  Firewall Upgrade Additional Performance: 1280Gbps


The "The file activated is" line shows the activated license file. Here license.dat is only an example; in practice, use the actual file name.

The following is sample output of the more command, run in the user view of the USG9500 to check the license file. Again, license.dat is only an example; replace it with the actual license file name.

<USG9500> more license.dat
..........
Product=USG9500
Feature=FWVTNL1
Esn="ANY"
Attrib="DEMO, 2019-06-01, 60, NULL, NULL, NULL"
Resource="LFWCVTNL07=10000"
Comment="() Activated by FNOWS ON251511-AA793E790A5-"
Sign=2DA1A02B097D9151BDF18C71B42FA186733F68A387C4BF9891E7F1AC76AAD020555E5B90382CDC1BAFB6F907E29AEA581F7C0862082194B3025E39F2A0E7CEFD9609D654931AD00943B15043CA9ABAC62C1017AEAA8EF237731CC1752225B98E5FD731C0AA38C4C6F1596E11430D10C9296F2AF663F70333F2BDACBC606765C3
..........

Note the Attrib field. DEMO indicates a non-commercial license, whereas COMM indicates a commercial license. 2019-06-01 is the date until which the license file is valid.

Step 2 Apply for a license file.

If the license has expired, apply for a new license file; see the chapter "Appendix: Applying for a License."

----End

2.2.4.6 Checking the Running Status of the Device

Checking the CPU and Memory Usage

In any view, run the display health command to check the CPU and memory usage. Record the CPU and memory usage before and after the upgrade for comparison; this helps you check whether the device is running normally after the upgrade.

<USG9500> display health
Slot   CPU Usage      Memory Usage(Used/Total)
---------------------------------------------------------
9   MPU(Master)   7%   14%   280MB/1887MB
1   LPU           7%   31%   129MB/405MB
6   SPU           5%   41%   382MB/917MB
8   LPU           6%   32%   133MB/405MB
10  MPU(Slave)    6%   14%   279MB/1887MB

Checking the Registration Status of Boards

In any view, run the display device command to check the registration status of the boards. In normal cases, the Status column shows Normal.

<USG9500> display device
USG9520's Device status:
Slot #   type   online    register      status   primary
--------------------------------------------------------
1        LPU    Present   Registered    Normal   NA
6        SPU    Present   Registered    Normal   NA
8        LPU    Present   Registered    Normal   NA
9        MPU    Present   NA            Normal   Master
10       MPU    Present   Registered    Normal   Slave
11       SFU    Present   Registered    Normal   NA
12       SFU    Present   Registered    Normal   NA
13       SFU    Present   Registered    Normal   NA
14       SFU    Present   Registered    Normal   NA
15       CLK    Present   Registered    Normal   Master
16       CLK    Present   Registered    Normal   Slave
17       PWR    Present   Registered    Normal   NA
18       PWR    Present   Registered    Normal   NA
19       FAN    Present   Registered    Normal   NA

If Unregistered is displayed in the Register column, the board in that slot failed to register. If Abnormal is displayed in the Status column, the board in that slot is running abnormally.

NOTE

If NA is displayed in the Register field, the board is a master MPU.

If a board in a slot cannot register or runs abnormally, record the board status and contact technical support to determine whether the device can be upgraded or the board must be replaced. After the upgrade, check the board status again. If the board still does not run normally, contact technical support.

Checking Session Statistics

In any view, run the display firewall session statistics command to check session statistics. Record the session statistics before and after the upgrade for comparison; this helps you check whether the services on the device are normal after the upgrade.

<USG9500> display firewall session statistics
Session Statistics:
  Slot 6 cpu 0: 0
  Slot 6 cpu 1: 0
  Slot 6 cpu 2: 0
  Slot 6 cpu 3: 0
  Total 0 session(s) on all slots.
Session Creation Rate(num/s):
  Slot 6 cpu 0: 0
  Slot 6 cpu 1: 0
  Slot 6 cpu 2: 0
  Slot 6 cpu 3: 0
  Total session(s) creation rate on all slots is 0.

Checking Traffic Statistics

In any view, run the display interface interface-type interface-number command to check the traffic statistics on a service interface. Record the traffic statistics before and after the upgrade for comparison; this helps you check whether the services on the device are normal after the upgrade.

The following is sample output from this command on GigabitEthernet 1/0/2:

<USG9500> display interface GigabitEthernet 1/0/2
GigabitEthernet1/0/2 current state : UP
Line protocol current state : UP
Description: test
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-8239-1e5c
Media type: twisted-pair ,Link type: auto negotiation
Loopback:none, Maximal BW:1G, Current BW:1G,full-duplex mode, negotiation: enable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2013-04-12 17:54:44 UTC+08:00
Last physical down time : 2013-04-12 17:54:36 UTC+08:00
Max input bit rate: -
Max output bit rate: -
Max input packet rate: -
Max output packet rate: -
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 216 bits/sec, 0 packets/sec
Input: 228 bytes, 3 packets
Output: 58214 bytes, 647 packets
Input:
  Unicast: 0 packets, Multicast: 2 packets
  Broadcast: 1 packets, JumboOctets: 0 packets
  CRC: 0 packets, Symbol: 0 packets
  Overrun: 0 packets, InRangeLength: 0 packets
  LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
  Fragment: 0 packets, Undersized Frame: 0 packets
  RxPause: 0 packets
Output:
  Unicast: 0 packets, Multicast: 647 packets
  Broadcast: 0 packets, JumboOctets: 0 packets
  Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
  System: 0 packets, Overruns: 0 packets
  TxPause: 0 packets
  Unknown Vlan: 0 packets
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.01%
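The license check in 2.2.4.5 and the board check in 2.2.4.6 are done by eye in this guide. The following Python script is an added example and is not part of the Huawei guide: it parses captured text of the more license.dat and display device outputs and reports a non-commercial or expired license, and every board that is Unregistered or Abnormal, treating NA in the Register column as acceptable only for the master MPU. Both sample outputs are constructed from the listings above (two board faults are injected into the display device sample to show the detection); the regular expressions assume the column layout shown above.

```python
"""Pre-upgrade checks on captured USG9500 CLI output.

Added example, not from the Huawei guide: parses `more license.dat`
and `display device` text so the license type/expiry and each board's
registration status can be checked mechanically.
"""
import re
from datetime import date

# Constructed sample: the Attrib line from the guide's `more license.dat` listing.
LICENSE_TEXT = '''
Product=USG9500
Feature=FWVTNL1
Esn="ANY"
Attrib="DEMO, 2019-06-01, 60, NULL, NULL, NULL"
Resource="LFWCVTNL07=10000"
'''

# Constructed sample of `display device`, with one Abnormal SPU and one
# Unregistered LPU injected so that the check has something to report.
DEVICE_TEXT = '''
USG9520's Device status:
Slot #  type   online   register      status    primary
--------------------------------------------------------
1       LPU    Present  Registered    Normal    NA
6       SPU    Present  Registered    Abnormal  NA
8       LPU    Present  Unregistered  Normal    NA
9       MPU    Present  NA            Normal    Master
10      MPU    Present  Registered    Normal    Slave
'''

ATTRIB_RE = re.compile(r'Attrib="([^"]*)"')
# One table row: slot, type, online, register, status, primary (six columns).
ROW_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$', re.M)


def parse_license_attrib(text):
    """Return (kind, expiry) from the Attrib field; kind is DEMO or COMM."""
    m = ATTRIB_RE.search(text)
    if not m:
        raise ValueError("no Attrib field in license text")
    fields = [f.strip() for f in m.group(1).split(",")]
    return fields[0], date.fromisoformat(fields[1])


def license_problems(text, today):
    """Reasons this license should be renewed before the upgrade (empty if none)."""
    kind, expiry = parse_license_attrib(text)
    problems = []
    if kind != "COMM":
        problems.append(f"non-commercial ({kind}) license, valid until {expiry}")
    if expiry < today:
        problems.append(f"license expired on {expiry}")
    return problems


def parse_device_table(text):
    """Return (slot, type, online, register, status, primary) tuples for each board."""
    return [m.groups() for m in ROW_RE.finditer(text)]


def board_problems(text):
    """Return (slot, type, register, status) for boards that are not healthy.

    The master MPU legitimately shows NA in the Register column, so that
    single case is not treated as a fault.
    """
    bad = []
    for slot, btype, online, register, status, primary in parse_device_table(text):
        if register == "NA" and btype == "MPU" and primary == "Master":
            register = "Registered"
        if register != "Registered" or status != "Normal":
            bad.append((int(slot), btype, register, status))
    return bad


if __name__ == "__main__":
    # Assumed check date; in practice use date.today().
    for p in license_problems(LICENSE_TEXT, date(2018, 1, 16)):
        print("LICENSE:", p)
    for b in board_problems(DEVICE_TEXT):
        print("BOARD  :", b)
```

Run it against pasted output from the device; any BOARD line is the case the guide says to record and raise with technical support before upgrading.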

2.2.4.7 Backing Up the Important Data in CF Card

Context

The important data refers to the configuration file, license file (*.dat), patch file and system program in use before the upgrade. Use the display startup command to view the configuration file, patch file and system program in use, and the display license command to view the license file in use.

Do as follows to back up the important data in CF card:

Procedure

Step 1 On PC2, log in to the USG9500 through FTP. The following uses the FTP client of the Windows operating system as an example. In practice, you are advised to use a legitimate third-party FTP client (such as CuteFTP) to transfer files. Note that FTP sends the credentials and file contents in cleartext; where the environment supports it, use SFTP instead, as recommended in the CLI upgrade procedure.

The following information is displayed:

C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp>


Step 2 Set the file transmission mode and set the directory on PC2 where the backup files are stored, for example, D:\FTP\Backup. The directory must already exist; you can use another existing directory as required.
ftp> binary                  // Set binary mode for file transfer.
ftp> lcd "d:\FTP\Backup"     // Set the directory on PC2 for storing the backup files.

Step 3 Run the get remote-filename [ local-filename ] command to download each file and save it in the D:\FTP\Backup directory on PC2. For example, download config.cfg, paf.txt, license_huawei_x.txt, license.dat (if available), the sensitive feature component packages *.mod (if available) and the system program in use before the upgrade (v500r001c50.cc) to PC2 for backup.
ftp> get config.cfg
..........
ftp: 4545 bytes received in 0.01Seconds 303.00Kbytes/sec.
ftp> get license.dat
..........
ftp: 2032 bytes received in 0.01Seconds 202.83Kbytes/sec.
ftp> get paf.txt
..........
ftp: 109256 bytes received in 1.3Seconds 1087.67Kbytes/sec.
ftp> get v500r001c50.cc
..........
ftp: 216118051 bytes received in 82.90Seconds 1087.67Kbytes/sec.
ftp> get license_huawei_x.txt
..........
ftp: 15307 bytes received in 1.3Seconds 1087.67Kbytes/sec.
ftp> cd $_install_mod
ftp> get CSG_H50010000.mod
..........
ftp: 955129 bytes received in 82.90Seconds 1087.67Kbytes/sec.
ftp> get URLRMT_H50010000.mod
..........
ftp: 955129 bytes received in 82.90Seconds 1087.67Kbytes/sec.

After the download is complete, check whether the sizes of the files on PC2 are the same as those on the CF card. If not, download the files again to ensure that they are completely backed up on PC2.

After the backup is verified, you can either keep this FTP connection for later use, or exit the FTP server and log in again when required.

----End

2.2.4.8 Checking the Remaining Space of the CF Card

Checking Remaining Space

In the user view, run the dir cfcard: command to check the remaining space on CF card 1 and ensure that CF card 1 has enough space for the target version software.

<USG9500> dir cfcard:
Directory of cfcard:/
  0  -rw-         53  Jan 25 2010 12:19:36   private-data.txt
  1  -rw-      66033  Jan 25 2010 12:10:50   paf.txt
  2  -rw-      12757  Jan 25 2010 12:11:02   license.txt
  3  -rw-       4545  Sep 25 2009 16:02:46   config.cfg
  4  -rw-  216118051  Jan 25 2010 12:15:38   USG9500v500r001c00.cc
  5  -rw-       2032  Feb 05 2010 11:12:38   license.dat
..........
1013760 KB total (791776 KB free)

The "KB free" value on the last line is the remaining space on CF card 1.

In addition, you can run the dir cfcard2: command in the user view to check the free space on CF card 2. If no log server is deployed on the live network and the free space on CF card 2 is insufficient, manually save the log files to a PC through FTP so that new logs do not overwrite old ones.

<USG9500> dir cfcard2:
Directory of cfcard2:/
  0  drw-          -  Jan 06 2011 05:54:48   log
498680 KB total (286512 KB free)

The "KB free" value in the preceding output is the free space on CF card 2.

Deleting Unnecessary Files

If the remaining space is smaller than the size of the target version software, delete unnecessary files. In the user view, run the delete command to delete useless files on CF card 1.

<USG9500> delete /unreserved cfcard:/bak.txt
The contents cannot be recycled!!!
Delete cfcard:/bak.txt?[Y/N]:y
<USG9500> delete /unreserved slave#cfcard:/bak.txt
The contents cannot be recycled!!!
Delete slave#cfcard:/bak.txt?[y/n]:y

Files deleted with the delete command and the /unreserved parameter are removed immediately and cannot be restored.

NOTE

l System programs (*.cc) are large. Deleting unnecessary system programs frees a great deal of space on CF card 1. However, you cannot delete the system program currently used by the device.

l If you use the BootROM for upgrade, delete the useless files in BootROM environment. For detailson operation methods, see Upgrade Through BootROM.
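Both the backup check in 2.2.4.7 (compare the sizes of the downloaded files with those on the CF card) and the free-space check in 2.2.4.8 come down to reading the dir cfcard: listing. The following Python script is an added example and is not part of the Huawei guide: it parses that listing, compares the CF card sizes with the sizes of the downloaded copies, and checks whether the free space can hold the new system program. The listing is constructed from the one shown above (with an extra $_install_mod directory entry to show that directories are skipped), the local sizes are assumed values, and the target size of 254711997 bytes is taken from the put transcript later in the CLI upgrade procedure.

```python
"""CF card listing checks: backup completeness and free space.

Added example, not from the Huawei guide: parses `dir cfcard:` output
so that downloaded backups can be size-checked against the CF card and
the free space compared with the size of the new system program.
"""
import os
import re

# Constructed sample of `dir cfcard:` output (entry sizes in bytes, trailer in KB).
DIR_OUTPUT = """Directory of cfcard:/
  0  -rw-         53  Jan 25 2010 12:19:36   private-data.txt
  1  -rw-      66033  Jan 25 2010 12:10:50   paf.txt
  2  -rw-      12757  Jan 25 2010 12:11:02   license.txt
  3  -rw-       4545  Sep 25 2009 16:02:46   config.cfg
  4  -rw-  216118051  Jan 25 2010 12:15:38   USG9500v500r001c00.cc
  5  -rw-       2032  Feb 05 2010 11:12:38   license.dat
  6  drw-          -  Jan 25 2010 12:20:00   $_install_mod
1013760 KB total (791776 KB free)
"""

# One listing entry: index, mode, size (or '-' for a directory), timestamp, name.
ENTRY_RE = re.compile(
    r'^\s*\d+\s+(?P<mode>[-d][rwx-]{3})\s+(?P<size>\d+|-)\s+'
    r'\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(?P<name>\S+)\s*$', re.M)
FREE_RE = re.compile(r'(?P<total>\d+) KB total \((?P<free>\d+) KB free\)')


def parse_dir(text):
    """Return ({filename: size_in_bytes}, free_bytes) from `dir cfcard:` output."""
    files = {}
    for m in ENTRY_RE.finditer(text):
        if m.group("mode").startswith("d") or m.group("size") == "-":
            continue  # directories carry no size
        files[m.group("name")] = int(m.group("size"))
    m = FREE_RE.search(text)
    if not m:
        raise ValueError("no 'KB free' trailer in listing")
    return files, int(m.group("free")) * 1024


def backup_mismatches(remote_sizes, local_sizes, names):
    """Names whose local copy is missing or differs in size from the CF card copy."""
    bad = []
    for name in names:
        if name not in remote_sizes:
            bad.append((name, "not on CF card"))
        elif local_sizes.get(name) != remote_sizes[name]:
            bad.append((name, f"cf={remote_sizes[name]} local={local_sizes.get(name)}"))
    return bad


def local_sizes_in(directory, names):
    """Sizes of the backed-up files in the PC directory; absent files are left out."""
    out = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            out[name] = os.path.getsize(path)
    return out


def enough_space(free_bytes, target_size, margin=0):
    """True if the new system program (plus an optional safety margin) fits."""
    return free_bytes >= target_size + margin


if __name__ == "__main__":
    remote, free = parse_dir(DIR_OUTPUT)
    names = ["config.cfg", "paf.txt", "license.dat", "license.txt"]
    # Assumed sizes after `ftp> get`; a truncated transfer shows up as a mismatch.
    local = {"config.cfg": 4545, "paf.txt": 66033, "license.dat": 2000}
    print(backup_mismatches(remote, local, names))   # in practice: local_sizes_in(r"D:\FTP\Backup", names)
    # Assumed size of the new .cc file from the CLI upgrade procedure.
    print(enough_space(free, 254711997))
```

In real use, replace the constructed DIR_OUTPUT with the pasted listing and the local dictionary with local_sizes_in() on the backup directory; the same parser serves the free-space check before the new system program is uploaded.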

2.2.5 Upgrade Procedure

2.2.5.1 Upgrade Modes

To upgrade from an earlier version to V500R001C80SPC100, select an upgrade mode as required, as shown in the following table.

Upgrade modes

Upgrade Mode: CLI (recommended)
Application Scenario: When the device is running normally and carries service traffic, the CLI is recommended for the upgrade.
Strength: All versions support the CLI mode. It is easy to operate and has little impact on services.
Prerequisites: Transferring the version software requires network connectivity. The device must be configured as the FTP server, or a third-party FTP/TFTP server program is required.

Upgrade Mode: Web
Application Scenario: When the device is running normally and carries service traffic, users familiar with graphical interfaces can use this mode for the upgrade.
Strength: The Web interface is graphical, easy to operate and visual. This mode has little impact on services.
Prerequisites: Transferring the version software requires network connectivity, and the device must be configured as the Web server. To transfer the PAF file and license file, the device must be configured as the FTP server, or a third-party FTP/TFTP server program is required.

Upgrade Mode: CF card
Application Scenario: No upgrade environment needs to be prepared. Users who are not familiar with CLI or Web operations can use this mode for the upgrade.
Strength: The operations are easy. This mode does not require network connectivity and has little impact on services.
Prerequisites: A CF card must be prepared.

Upgrade Mode: BootROM
Application Scenario: Use this mode when the device cannot start or the version software is faulty.
Strength: All versions support this mode. When the device is faulty or the version software cannot be loaded, the upgrade can be performed only in this mode.
Prerequisites: The operations are complicated and have a great impact on services. Transferring the version software requires network connectivity.


NOTE
The version software mentioned here includes the system program (*.cc), the PAF file, the sensitive feature component package and the license file.

Version software must be stored on CF card 1. CF card 1 is located on the circuit board of the MPU and is mainly used to store the version software and configuration file. CF card 2 is located on the panel of the MPU and is mainly used to store log and alarm information.

2.2.5.2 Upgrade Through CLI

Upgrade Flow

Figure 2-5 shows the flow of upgrading the version software through the CLI.

Figure 2-5 Flowchart of the version software upgrade through the CLI

Procedure

Step 1 On PC2, log in to the USG9500 through FTP. FTP is used only as an example; you are advised to use SFTP so that the file transfer is encrypted. The following uses the Windows FTP client as an example. In practice, you are advised to use a legitimate third-party FTP client (such as CuteFTP) to transfer files.

If the FTP connection established for backing up the important data on CF card 1 still exists, go to Step 2; if the FTP connection has timed out, log in again.


Step 2 Set the file transmission mode and set the directory on PC2 where the upgrade files are stored, for example, D:\FTP. The directory must already exist; you can use another existing directory as required.
ftp> binary              // Set binary mode for file transfer.
ftp> lcd "d:\FTP"        // Set the directory on PC2 where the upgrade files are stored.

CAUTION
Binary mode is required to preserve file integrity, especially on Linux or Unix systems.

Step 3 Run the put command to upload the system program USG9520V500R001C80SPC100.cc to CF card 1 of the USG9500.
ftp> put USG9520V500R001C80SPC100.cc
..........
ftp: 254711997 bytes sent in 192.90Seconds 970.68Kbytes/sec.

Uploading the system program may take several minutes, depending on network conditions.

NOTICE
After the upload is complete, check whether the size of the file on the CF card is the same as that on PC2. If not, upload the file again to ensure that it is completely transferred to the CF card.

Step 4 Run the put command to upload the configuration file (such as vrpcfg_new.cfg) to the CF card of the USG9500. The name of the file must not be the same as that of any existing file on the CF card; if a file with the same name exists, it is replaced by the uploaded file.
ftp> put D:\FTP\vrpcfg_new.cfg

NOTICE
After the upload is complete, check whether the size of the file on the CF card is the same as that on PC2. If not, upload the file again to ensure that it is completely transferred to the CF card.

Step 5 Rename license_Secospace_X.txt to license_spcxxx.txt and upload it to CF card 1 of the USG9500. If a file with the same name exists on CF card 1, the system prompts you to confirm whether to overwrite the original file.

NOTE

You can rename the system program (*.cc), the PAF file and the license file. To let two software versions coexist on the same device, you are advised to rename the PAF and license files by appending the SPC version to the file name, for example license_spcxxx.txt.
After the upload is complete, check whether the size of the file on the CF card is the same as that on PC2. If not, upload the file again to ensure that it is completely transferred to the CF card.

ftp> put license_spcxxx.txt
..........
ftp: 12757 bytes sent in 0.03Seconds 425.23Kbytes/sec.


Step 6 Rename paf.txt to paf_spcxxx.txt and upload it to CF card 1 of the USG9500. If a file with the same name exists on CF card 1, the system prompts you to confirm whether to overwrite the original file.
ftp> put paf_spcxxx.txt
..........
ftp: 66033 bytes sent in 0.05Seconds 1320.66Kbytes/sec.

NOTICE
After the upload is complete, check whether the size of the file on the CF card is the same as that on PC2. If not, upload the file again to ensure that it is completely transferred to the CF card.


Step 7 After the files are uploaded, exit the FTP session. On PC1, log in to the CLI of the USG9500 through Telnet or SSH. You are advised to use SSH, which encrypts the management session, rather than Telnet.

Step 8 If both MPUs are present, run the copy command in the user view to copy USG9520V500R001C80SPC100.cc, the PAF file, the configuration file and the license file to the standby MPU.
<USG9500> copy cfcard:/USG9520V500R001C80SPC100.cc slave#cfcard:/
<USG9500> copy cfcard:/vrpcfg_new.cfg slave#cfcard:/
<USG9500> copy cfcard:/paf_spcxxx.txt slave#cfcard:/
<USG9500> copy cfcard:/license_spcxxx.txt slave#cfcard:/

Step 9 Run the startup system-software filename command to set the version software used for the next startup of the USG9500.
<USG9500> startup system-software USG9520V500R001C80SPC100.cc
Info: Succeeded in setting the software for booting system.

Step 10 Run the startup license filename command to set the license file used for the next startup of the USG9500.
<USG9500> startup license license_spcxxx.txt
Info: Succeeded in setting main board resource file for system.

Step 11 Run the startup paf filename command to set the PAF file used for the next startup of the USG9500.
<USG9500> startup paf paf_spcxxx.txt
Info: Succeeded in setting main board resource file for system.

Step 12 Run the startup save-configuration filename command to set the configuration file used for the next startup of the USG9500. The uploaded configuration file is the post-conversion one.
<USG9500> startup save-configuration vrpcfg_new.cfg
Info: Succeeded in setting the configuration for booting system.

Step 13 If both MPUs are present, run the following commands in the user view to set the version software, license file and PAF file used for the next startup of the standby MPU of the USG9500.
<USG9500> startup system-software USG9520V500R001C80SPC100.cc slave-board
Info: Succeeded in setting the software for booting system.
<USG9500> startup license license_spcxxx.txt slave-board
Info: Succeeded in setting slave board resource file for system.
<USG9500> startup paf paf_spcxxx.txt slave-board
Info: Succeeded in setting slave board resource file for system.

Step 14 (Optional) Upgrade Content Security Features.


Run the put command to upload the content security feature component package (such as CSG_H50010000_xxx.mod or URLRMT_H50010000_xxx.mod) of V500R001C80SPC100 to the $_install_mod folder on the CF card of the USG9500. The name of the file must not be the same as that of any existing file on the CF card; if a file with the same name exists, it is replaced by the uploaded file.

NOTICE
l If no content security feature is involved, skip this step.
l Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.
l You must obtain the component package from the security center (http://sec.huawei.com) in advance and upload it to the $_install_mod folder in the root directory. Then load the component package as follows:

Upgrade package:
l Upgrading V500R001 to V500R001C80SPC100:
  – Content security component package: install-module CSG_H50010000_yyy.mod next-startup
  – URL component package: install-module URLRMT_H50010000_yyy.mod next-startup
  – Cloud sandbox component package: install-module CSB_H50010000_yyy.mod next-startup

After the configuration is complete, run the display module-information verbose command to view details of the dynamically loaded component packages. The following is part of the command output. If the State value is INSTALL_OK, the component package has been loaded successfully.

<USG9500> display module-information verbose
Module Information
------------------------------------------------------------------------
Module         Version    InstallTime                  PackageName
------------------------------------------------------------------------
ConSecGroup    1.0.0.0    2015-12-23 11:13:37+00:00    CSG_H50010000_yyy.mod
URL Filter     1.0.0.0    2015-12-23 11:13:37+00:00    URLRMT_H50010000_yyy.mod
************************************************************************
* Content Security Group information, as follows:                      *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
* URL Filter information, as follows:                                  *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
…………………

Step 15 Run the reboot command to restart the USG9500.


NOTICE
l Before running the reboot command, run the display startup command to check the version software to be used for the next startup of the USG9500.
l If the converted configuration file has been imported, restart without saving the running configuration, so that the imported file is not overwritten.
l For an upgrade from V500R001 to V500R001C80SPC100, if the configuration file has not been imported, you are advised to save the current configuration before restarting the device.
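As a worked example of the first item in the NOTICE, the Python script below (added here; it is not part of the Huawei guide) parses display startup output and lists every "Next startup" entry, on the master MPU and on the standby MPU, that does not point at the intended file, so that reboot is not issued while, for example, the standby MPU still points at the old PAF or license file. The output sample is constructed; the layout of the SlaveBoard: section is an assumption, as are the intended file names, which are the ones used in Steps 9 to 13.

```python
"""Pre-reboot check of `display startup` against the intended next-startup files.

Added example, not from the Huawei guide. The SlaveBoard: section layout
and the intended file names are assumptions based on Steps 9 to 13.
"""
import re

# Constructed sample: master MPU fully set, standby MPU still on the old PAF and license.
STARTUP_OUTPUT = """MainBoard:
  Configed startup system software:         cfcard:/v500r001c30spc100.cc
  Startup system software:                  cfcard:/v500r001c30spc100.cc
  Next startup system software:             cfcard:/USG9520V500R001C80SPC100.cc
  Startup saved-configuration file:         cfcard:/config.cfg
  Next startup saved-configuration file:    cfcard:/vrpcfg_new.cfg
  Startup paf file:                         cfcard:/paf.txt
  Next startup paf file:                    cfcard:/paf_spcxxx.txt
  Startup license file:                     cfcard:/license.txt
  Next startup license file:                cfcard:/license_spcxxx.txt
SlaveBoard:
  Next startup system software:             slave#cfcard:/USG9520V500R001C80SPC100.cc
  Next startup paf file:                    slave#cfcard:/paf.txt
  Next startup license file:                slave#cfcard:/license.txt
"""

# Intended next-startup files (assumed names, taken from the upgrade steps).
INTENDED = {
    "system software": "USG9520V500R001C80SPC100.cc",
    "paf file": "paf_spcxxx.txt",
    "license file": "license_spcxxx.txt",
}

BOARD_RE = re.compile(r'^(\w+Board):\s*$')
NEXT_RE = re.compile(r'^\s*Next startup (?P<item>[a-z -]+?):\s+(?P<path>\S+)\s*$')


def parse_next_startup(text):
    """Return {board: {item: filename}} for every 'Next startup ...' line.

    Paths such as cfcard:/x.cc or slave#cfcard:/x.cc are reduced to the file name.
    """
    result = {}
    board = "MainBoard"
    for line in text.splitlines():
        b = BOARD_RE.match(line)
        if b:
            board = b.group(1)
            continue
        n = NEXT_RE.match(line)
        if n:
            name = n.group("path").rsplit("/", 1)[-1]
            result.setdefault(board, {})[n.group("item")] = name
    return result


def startup_mismatches(text, intended, config_file=None, expect_slave=True):
    """List (board, item, actual) entries that differ from what was intended.

    If config_file is given, the next-startup configuration file is checked
    on the master MPU too. With expect_slave, a missing SlaveBoard section is
    itself reported, so a dual-MPU chassis with the slave left unset is caught.
    """
    want = dict(intended)
    if config_file:
        want["saved-configuration file"] = config_file
    boards = parse_next_startup(text)
    bad = []
    for board in ["MainBoard"] + (["SlaveBoard"] if expect_slave else []):
        entries = boards.get(board)
        if entries is None:
            bad.append((board, "<section>", "missing"))
            continue
        for item, name in want.items():
            if board == "SlaveBoard" and item == "saved-configuration file":
                continue  # the guide sets only software, PAF and license on the slave
            if entries.get(item) != name:
                bad.append((board, item, entries.get(item)))
    return bad


if __name__ == "__main__":
    problems = startup_mismatches(STARTUP_OUTPUT, INTENDED, config_file="vrpcfg_new.cfg")
    for p in problems:
        print("NOT READY:", p)
    if not problems:
        print("next-startup settings match; safe to reboot")
```

An empty result is the condition under which it is reasonable to proceed to Step 15; any NOT READY line means one of the startup commands in Steps 9 to 13 still has to be run (or re-run) before the reboot.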

Restart without saving:
<USG9500> reboot fast
mpu 9:
Next startup system software: cfcard:/USG9520V500R001C80SPC100.cc
Paf: V500R001C80SPC100
License: V500R001C80SPC100
Next startup saved-configuration file: cfcard:/vrpcfg_new.cfg
Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the configuration file for the next startup:cfcard:/vrpcfg_new.cfg, Continue?[Y/N]:n
System will reboot! Continue?[Y/N]:y

Save and restart:
<USG9500> reboot
mpu 9:
Next startup system software: cfcard:/USG9520V500R001C80SPC100.cc
Paf: V500R001C80SPC100
License: V500R001C80SPC100
Next startup saved-configuration file: cfcard:/vrpcfg_new.cfg
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file cfcard:/vrpcfg_new.cfg. Continue? [Y/N]:y
Now saving the current configuration to the slot 9.
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

The startup time depends on the hardware configuration and the configuration file. The more boards the device has, the longer board registration takes; the more items are configured, the longer configuration restoration takes.

Step 16 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains thecontent security function.

If the latest signature databases are not required, skip this step. The NGFW will automaticallyload the default signature databases after startup.


If the latest signature database is required, you can upgrade the signature database in eitherthe online or local upgrade mode. For details, see the chapter "Upgrade Center " in theHUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

Step 17 (Optional) Upload and activate a new license file if required. Skip this step if no new licensefile is required.

Run the put command to upload the new license file (for example, license_new.dat) to the CF card of the NGFW. The name of the file must not be the same as that of any existing file on the CF card; if a file with the same name exists, it is replaced by the uploaded file.

Run the license active filename command in the system view to activate the license file.

[NGFW] license active license_new.dat
Info:License is successfully activated.

----End

2.2.5.3 Upgrade Through Web

Upgrade Flow

Figure 2-6 shows the flow of upgrading the version software through the Web.

Figure 2-6 Flowchart of the version software upgrade through the Web

Procedure

Step 1 Enter https://192.168.0.1 in the address box of Internet Explorer on PC2, and enter the user name webuser and password Admin@123 to log in to the USG9500.

Step 2 Upload the system program.
1. Choose System > System Upgrade to view the current version.
Current version: USG9580 V500R001C80SPC100 (VRP (R) Version 5.160)


2. Click Select corresponding to Master MPU. The Master MPU System Software Management interface is displayed. Click the upload icon. The Upload File dialog box is displayed. Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 2-7.

Figure 2-7 Uploading file

NOTE

If the upload fails, the incomplete uploaded file cannot be deleted immediately. Delete the incomplete file after the device is restarted.

The file to be uploaded must have the suffix .cc, and a file with the same name must not already exist on the CF card. After the file is uploaded successfully, return to the Master MPU System Software Management interface.

The uploaded file is displayed in the list. Check whether the size of the file in the list is the same as that on PC2. If not, upload the file again.

Step 3 Upload the license file and PAF file. (If the files cannot be uploaded here, run the related commands to perform the upgrade through the CLI.)

1. Click Select corresponding to Master MPU. The Master MPU PAF File Management interface is displayed. Click the upload icon. The Upload File dialog box is displayed. Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 2-8.

Figure 2-8 Uploading file

NOTE

The file to be uploaded must end with suffix .txt. If a file with the same name exists in CF card 1,the system displays a message to indicate whether to overwrite the original file.

After the file is uploaded successfully, return to the Master MPU PAF File Management interface. The uploaded file is displayed in the list. Check whether the size of the file in the list is the same as that on PC2. If not, upload the file again.

2. Click Select corresponding to Master MPU. The Master MPU License File Management interface is displayed. Click the upload icon. The Upload File dialog box is displayed. Click Browse... and select the file to be uploaded. Click Import, as shown in Figure 2-9.


Figure 2-9 Uploading file

NOTE

The file to be uploaded must end with suffix .txt. If a file with the same name exists in CF card 1,the system displays a message to indicate whether to overwrite the original file.

After the file is uploaded successfully, return to the Master MPU License File Management interface. The uploaded file is displayed in the list. Check whether the size of the file in the list is the same as that on PC2. If not, upload the file again.

Step 4 If both MPUs are present, perform the following operations to copy the file to the Slave MPU.

1. On the System Upgrade tab, click Select in the Slave MPU Next Startup System Software, Slave MPU PAF File Management and Slave MPU License File Management group boxes respectively. The corresponding Slave MPU Next Startup System Software, Slave MPU PAF File Management and Slave MPU License File Management interface is displayed. Click the copy icon to select the file to be copied and enter the name of the target file. If no name is entered, the name of the source file is used for the new file. Click OK, as shown in Figure 2-10.

Figure 2-10 Copying files from the master MPU to the Slave MPU

Step 5 On the System Software Management interface, click the next-startup icon corresponding to the uploaded file to set that file as the version software used for the next startup.

If both MPUs are present, click the icon corresponding to the uploaded files on the Main MPU System Software Management, Main MPU PAF File Management and Main MPU License File Management interfaces, and on the Slave MPU System Software Management, Slave MPU PAF File Management and Slave MPU License File Management interfaces, to set each file as the version software used for the next startup.

Step 6 (Optional) Upgrade sensitive features.


NOTE

• Ensure that an activated license file is available. If the license file is not activated, the upgrade fails.

• Ensure that the device can access the security center directly or through a proxy server.

• Configure a security policy to permit HTTP and FTP packets when the device directly connects to the security center, or to permit HTTP packets when the device connects to the security center through a proxy server. For details, see the description of security policies and content security in USG6000&USG9500 V500R001C80SPC100 Administrator Guide.

• Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly resolve http://sec.huawei.com.

• Upgrading V500R001 to V500R001C80SPC100.

1. Move the pointer to the CLI console icon on the lower right of the page and click it to open the CLI console. Click any space on the page. If the command prompt <FW> is displayed, you can perform configurations on the CLI.

download module nextstartup
install-module CSG_H50010000_yyy.mod next-startup
install-module URLRMT_H50010000_yyy.mod next-startup

2. After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package. The following information is a part of the command output. If the State value is INSTALL_OK, the component package has been successfully loaded.

<USG9500> display module-information verbose
Module Information
------------------------------------------------------------------------
Module          Version   InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup     1.0.0.0   2015-12-23 11:13:37+00:00  CSG_H50010000_yyy.mod
URL Filter      1.0.0.0   2015-12-23 11:13:37+00:00  URLRMT_H50010000_yyy.mod
************************************************************************
*    Content Security Group information, as follows:                   *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
*    URL Filter information , as follows:                              *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
…………………

Step 7 Choose System > Setup > Restart. Click Save and Restart to save the configurations and restart the system, or click Restart to restart the system without saving the configurations.


NOTICE

• If the configuration file is imported, do not restart the device.

• For the upgrade from V500R001C00 to V500R001C80SPC100, if the configuration file is not imported, you are advised to save the current configurations before restarting the device.

The duration of device startup depends on the hardware configurations and configuration file. The more boards the device has, the longer the board registration lasts; the more items are configured, the longer the configuration restoration lasts.

Step 8 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the content security function.

If the latest signature databases are not required, skip this step. The NGFW will automatically load the default signature databases after startup.

If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

----End

2.2.5.4 Upgrade Through CF Card

Upgrade Flow

Figure 1 shows the flow of upgrading the version software through the CF card.


Figure 2-11 Flowchart of the version software upgrade through the CF card

Procedure

Step 1 Copy the files to the startup folder in the CF card. The files related to the upgrade must be saved in the startup folder in the root directory of the CF card, and their names should satisfy the following rules:

• The system program must end with the suffix .cc, and only one can be saved.

• The name of the PAF file must be paf.txt, and that of the license file must be license.txt.

• The name of the configuration file must contain the keyword vrpcfg and end with the file name extension .cfg or .zip. In addition, only one configuration file can be saved. It is recommended that you name the configuration file vrpcfg.cfg or vrpcfg.zip.

One CF card can be used for only one upgrade of one MPU. Therefore, if two MPUs are in position, two CF cards are required.
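The naming rules above are easy to get wrong when a card is prepared by hand (a stray second .cc image, a mis-cased paf.txt, two configuration files). The following pre-flight check is an added example, not part of the Huawei guide: it encodes the rules of Step 1 and reports every violation found in a startup folder. The function names (validate_startup_names, check_startup_dir) and the sample file lists are constructed for illustration; the card root path you pass to check_startup_dir is whatever your PC mounts the CF card as.

```python
"""Pre-flight check for the CF card 'startup' folder (Step 1 of the CF card upgrade).

Added example, not from the Huawei guide. Rules encoded, as the guide states them:
  - exactly one system program, suffix .cc
  - PAF file named paf.txt, license file named license.txt
  - at most one configuration file; its name contains 'vrpcfg' and ends in .cfg or .zip
Anything else on the card is reported as unexpected so that nothing unintended ships.
"""
from pathlib import Path


def validate_startup_names(names):
    """Return a list of rule violations for the given file names (empty list = OK)."""
    problems = []

    cc_files = [n for n in names if n.lower().endswith(".cc")]
    if len(cc_files) != 1:
        problems.append(f"expected exactly one .cc system program, found {len(cc_files)}: {cc_files}")

    # The guide gives the PAF and license names literally, so they are matched exactly.
    for required in ("paf.txt", "license.txt"):
        if required not in names:
            problems.append(f"missing required file {required}")

    cfg_files = [n for n in names
                 if "vrpcfg" in n.lower() and n.lower().endswith((".cfg", ".zip"))]
    if len(cfg_files) > 1:
        problems.append(f"more than one configuration file: {cfg_files}")

    known = set(cc_files) | set(cfg_files) | {"paf.txt", "license.txt"}
    for n in sorted(set(names) - known):
        problems.append(f"unexpected file in startup folder: {n}")
    return problems


def check_startup_dir(card_root):
    """Validate <card_root>/startup on a mounted CF card (card_root is a hypothetical mount path)."""
    startup = Path(card_root) / "startup"
    if not startup.is_dir():
        return [f"no startup folder under {card_root}"]
    return validate_startup_names([p.name for p in startup.iterdir() if p.is_file()])


# Constructed sample folder contents (not from the guide).
GOOD_CARD = ["USG9520V500R001C80SPC100.cc", "paf.txt", "license.txt", "vrpcfg.zip"]
BAD_CARD = ["USG9520V500R001C80SPC100.cc", "old_image.cc", "PAF.TXT", "vrpcfg.cfg", "vrpcfg.zip"]

if __name__ == "__main__":
    for label, names in (("good card", GOOD_CARD), ("bad card", BAD_CARD)):
        issues = validate_startup_names(names)
        print(f"{label}: {'OK' if not issues else issues}")
```

Run it against each card before inserting it into CF card slot 2; the bad sample trips every rule at once (two images, wrong case on the PAF name, missing license, two configuration files).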

Step 2 Insert the CF card into CF card slot 2 of the MPU.

Step 3 Set the startup mode. The MPU of the USG9500 applies fast startup by default. During fast startup, the device does not read the CF card, and the upgrade using a CF card is therefore impossible. If you need to upgrade using a CF card, change the startup mode of the MPU from fast startup to normal startup mode. Run the display bootmode-next command to view the current startup mode of the MPU.

In the system view, run the diagnose command to access the diagnose view. In the diagnose view, run the undo set bootmode-next fastboot all command. The detailed operations are as follows:

<USG9500> system-view
[USG9500] diagnose
[USG9500-diagnose] undo set bootmode-next fastboot all
Caution! After set operation, 'startup' 'modify' 'set atm iwf' and 'set cpos' command maybe useless.
Are you sure to do this operation?[Y/N]:y
Set Boot mode successfully.
[USG9500-diagnose] quit
[USG9500] quit

Step 4 Run the reboot command in the user view to restart the USG9500. After the reboot command is entered, the device displays two prompts for confirmation, and you need to enter y at each prompt to continue the operation.

<USG9500> reboot
mpu 9:
Next startup system software: cfcard:/ v500r001c00spc500.cc
Paf: V500R001C80SPC100
License: V500R001C80SPC100
Next startup saved-configuration file: cfcard:/config.cfg
Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the configuration file for the next startup:cfcard:/config.cfg, Continue?[Y/N]:y
System will reboot! Continue?[Y/N]:y

During the restart, the device automatically searches the startup folder of CF card 2 and copies the files to CF card 1. Then the device loads the new version software.

The duration of device startup depends on the hardware configurations and configuration file. The more boards the device has, the longer the board registration lasts; the more items are configured, the longer the configuration restoration lasts.

Step 5 (Optional) After the upgrade completes, upgrade the content security feature.

• Local mode

You must obtain the component package from the security center in advance and upload it to the $_install_mod folder in the root directory. Then, load the component package as follows:

– Content security component package
install-module CSG_H50010000_yyy.mod next-startup

– URL component package
install-module URLRMT_H50010000_yyy.mod next-startup

– Cloud sandbox component package
install-module CSB_H50010000_yyy.mod next-startup

• Online mode

Ensure that the device can access the security center directly or through a proxy server. Configure a security policy to permit HTTP and FTP packets when the device directly connects to the security center, or to permit HTTP packets when the device connects to the security center through a proxy server. For details, see the description of security policies and content security in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

NOTE

Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly resolve http://sec.huawei.com.

download module nextstartup
install-module filename CSG_H50010000_xxx.mod next-startup
install-module filename URLRMT_H50010000_xxx.mod next-startup

After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package. The following information is a part of the command output. If the State value is INSTALL_OK, the component package has been successfully loaded.

<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module          Version   InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup     1.0.0.0   2015-12-23 11:13:37+00:00  CSG_H50010000_xxx.mod
URL Filter      1.0.0.0   2015-12-23 11:13:37+00:00  URLRMT_H50010000_xxx.mod
************************************************************************
*    Content Security Group information, as follows:                   *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
*    URL Filter information , as follows:                              *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -

NOTICE

Restart the device. Then, the device will automatically load the content security component package based on the license functions. To ensure that the sensitive feature configuration takes effect, restart the device without saving the configuration, or run the reboot fast command to restart the device and re-load the configuration.

Now, the upgrade to V500R001 is complete. The optional follow-up task is to restore and test services.

Step 6 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the content security function.

If the latest signature databases are not required, skip this step. The NGFW will automatically load the default signature databases after startup.

If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

----End

2.2.5.5 Upgrade Through BootROM

Context

Figure 1 shows the flow of upgrading the version software through BootROM.


Figure 2-12 Flowchart of the version software upgrade through the BootROM

Procedure

Step 1 Switch on the power supply to power on the USG9500.

Step 2 After the device is powered on, you can view the device startup process through the terminal emulation program (such as HyperTerminal on Windows XP). When the following information is displayed, press and hold CTRL+B.

****************************************************
*                                                  *
*           8090 boot ROM, Ver 60.01               *
*                                                  *
****************************************************
Copyright 2001-2015 Huawei Tech. Co., Ltd.
Creation date: Aug 19 2013, 09:39:45
CPU type     : MPC8548E

Press Ctrl+B to enter Main Menu... 1

Password: **********

Then access the BootROM main menu.

NOTE

The default password to access the BootROM main menu is WWW@HUAWEI, which is case sensitive.

You are advised to change the default password after login for security. Keep your new password secure.


Main Menu(bootload ver: 60.01)
1. Boot with default mode
2. Boot from CFcard
3. Enter ethernet submenu
4. Set boot file and path
5. Modify boot ROM password
6. Chkdsk CFcard
7. Format CFcard
8. List file in CFcard
9. Delete file from CFcard
10. Set patch mode
11. Set version back signal
12. Reboot
Enter your choice(1-12):

Step 3 Delete the useless files in CFcard.

Check the CF card and delete useless files to ensure that there is enough free space in the CF card for the target host software.

1. Check the free space in the CF card. Enter 8 to list files in the CF card.

Enter your choice(1-12): 8
CFcard Content List Submenu
1. List file(s) in CFcard
2. List file(s) in CFcard2
3. Return to main menu

The host software must be stored in CFcard. Enter 1 to list files in CFcard.

Enter your choice(1-3): 1
List contents of selected CFcard
     66820  Aug  6 20:27  cfcard:/patchpackage_b22.pat
     65004  Jul 17 16:29  cfcard:/patchpackagev2.pat
  14321590  Aug 31 12:15  cfcard:/console_info_record.txt
     69680  Aug  6 18:07  cfcard:/linuxpatchstate.dat
      2028  Jul 27 11:29  cfcard:/patchnpstate.dat
     16384  Aug 31 12:20  cfcard:/default-sdb/
     16384  Aug 19 18:22  cfcard:/gpmbak/
     16384  Jul 12 15:16  cfcard:/update/
 255093046  Aug 22 19:20  cfcard:/USG9520V500R001C80SPC100.cc
    525361  Sep  2 10:25  cfcard:/private-data.txt
     66820  Jul 12 17:26  cfcard:/patchpackage_0712.pat
       991  Aug  5 20:10  cfcard:/vrpcfg.zip
     66852  Aug 12 19:30  cfcard:/patchpackage0812_1816.pat
     66820  Aug  2 10:55  cfcard:/patchpackage_0730.pat
............
Total size: 998656KB, free size: 40976KB
CFcard Content List Submenu
1. List file(s) in CFcard
2. List file(s) in CFcard2
3. Return to main menu
Enter your choice(1-3): 3

free size indicates the free space in CFcard. Compare the free space with the size of the target host package.

2. If the free space in CFcard is less than the host package size, enter 9 to delete files from CFcard.

Enter your choice(1-12): 9
Main Menu(bootload ver: 60.01)
1. Boot with default mode
2. Boot from CFcard
3. Enter ethernet submenu
4. Set boot file and path
5. Modify boot ROM password
6. Chkdsk CFcard
7. Format CFcard
8. List file in CFcard
9. Delete file from CFcard
10. Set patch mode
11. Set version back signal
12. Reboot

Enter 1 to delete files from CFcard. cfcard:/USG9520V500R001C80SPC100.cc is used only as an example. You must enter the absolute path.

Enter your choice(1-3): 1
BE CAREFUL! If you delete a directory, all of its contents will be deleted!
Please input the file name you want to delete, e.g.: test.txt
('*' for display all files and directory in cfcard:)
cfcard:/USG9520V500R001C80SPC100.cc
File "cfcard:/USG9520V500R001C80SPC100.cc" will be deleted! Are you sure? Yes or No(Y/N)y
Delete successfully!

After the deletion is complete, enter 3 to return to the BootROM main menu.

Step 4 In the BootROM main menu, enter 3 to access the Ethernet submenu.

Enter your choice(1-12): 3

Ethernet Submenu

1. Download file to SDRAM through ethernet interface and boot
2. Download file to CFcard through ethernet interface
3. Modify ethernet interface boot parameters
4. Return to main menu

Step 5 Change the parameter settings of the Ethernet interface mode. In the Ethernet submenu, enter 3. The following information is displayed. After the parameters are specified, return to the Ethernet submenu.

Enter your choice(1-4): 3
Note: two protocols for download, tftp & ftp.
You can modify the flags following the menu. tftp--0x80, ftp--0x0.
'.' = clear field; '-' = go to previous field; ^D = quit
boot device          : motetsec0
processor number     : 0
host name            : host
file name            : USG9520V500R001C80SPC100.cc
inet on ethernet (e) : 172.16.104.208
inet on backplane (b):
host inet (h)        : 172.16.104.20
gateway inet (g)     :
user (u)             : 123
ftp password (pw) (blank = use rsh): ***
flags (f)            : 0x0
target name (tn)     :
startup script (s)   :
other (o)            :

Parameters to be specified are as follows:

• boot device
The value of the parameter boot device is fixed, that is, mottsec3 for the USG9520 and motetsec0 for the USG9560 and USG9580.

• file name
Indicates the name of the file to be downloaded. The previous information uses USG9500_USG9520V500R001C80SPC100.cc as an example. If this parameter is blank, enter the name of the file that you want to download. If this parameter is a file other than the wanted one, you can modify it by entering the wanted file name after the existing one and pressing Enter. This modification method is also applicable to the following parameters.

• inet on ethernet (e)
Indicates the IP address of the USG9500. This IP address and that of the PC providing FTP services should be on the same network segment.

• host inet (h)
Indicates the IP address of the PC providing FTP services.

• gateway inet (g)
Indicates the gateway IP address. When the USG9500 and PC are not on the same network segment, specify this parameter.

• user (u)
Indicates the FTP user name. The user name must have been specified on the PC providing FTP services. The previous information takes 123 as an example.

• ftp password (pw) (blank = use rsh)
Indicates the password of the FTP user. The password must have been specified on the PC providing FTP services. The previous information takes 123 as an example.

• flags (f)
Indicates the protocol adopted for downloading files. 0x0 indicates FTP, and 0x80 indicates TFTP. The previous information takes FTP as an example.

Other parameters do not need to be specified, and you can adopt the default values.

Step 6 In the Ethernet submenu, enter 2 to download files from the FTP server.

Enter your choice(1-4): 2
boot device          : motetsec0
unit number          : 0
processor number     : 0
file name            : USG9520V500R001C80SPC100.cc
inet on ethernet (e) : 172.16.104.208
host inet (h)        : 172.16.104.20
gateway inet (g)     :
user (u)             : 123
ftp password (pw)    : ***
flags (f)            : 0x0
Loading.........................................................................
................................................................................
................................................................................
................................................................................
.....Done!
Writing to CFcard...Done!

Step 7 Repeat step 5 to set file name to license.txt. Other parameters do not need to be changed.

Step 8 Repeat step 6 to download license.txt to CF card 1. If a file with the same name exists on CF card 1, the system displays a message asking whether to overwrite the original file.

Step 9 Repeat step 5 to set file name to paf.txt. Other parameters do not need to be changed.

Step 10 Repeat step 6 to download paf.txt to CF card 1. If a file with the same name exists on CF card 1, the system displays a message asking whether to overwrite the original file.


Step 11 In the Ethernet submenu, enter 4 to return to the BootROM main menu.

Step 12 In the BootROM main menu, enter 4 to access the Boot Files Submenu. Enter 1 to set the version software for the next startup.

Enter your choice(1-7): 1
Boot file is cfcard:/USG9520V500R001C80SPC100.cc, modify the file name if needed.
Please input correctly, e.g.: cfcard:/USG9520V500R001C80SPC100.cc
cfcard:/USG9520V500R001C80SPC100.cc
The file name you input is cfcard:/USG9520V500R001C80SPC100.cc.
Are you sure? Yes or No(Y/N)y
Setting ...Done!
Clear version back signal...Done!

You must enter an absolute path when setting the version software for the next startup.

Step 13 In the Boot Files Submenu, enter 2 to set the PAF file for the next startup.

Enter your choice(1-7): 2
Paf file is cfcard:/paf.txt, modify the file name if needed.
Please input correctly, e.g.: cfcard:/paf.txt
cfcard:/paf.txt
The file name you input is cfcard:/paf.txt.
Are you sure? Yes or No(Y/N)y
Setting ...Done!
Clear version back signal...Done!

You must enter an absolute path when setting the PAF file for the next startup.

Step 14 In the Boot Files Submenu, enter 3 to set the license file for the next startup.

Enter your choice(1-7): 3
License file is cfcard:/license.txt, modify the file name if needed.
Please input correctly, e.g.: cfcard:/license.txt
cfcard:/license.txt
The file name you input is cfcard:/license.txt.
Are you sure? Yes or No(Y/N)y
Setting ...Done!
Clear version back signal...Done!

You must enter an absolute path when setting the license file for the next startup.

Step 15 In the Boot Files Submenu, enter 7 to return to the BootROM main menu.

Step 16 If both MPUs are in position, insert the cable connected to the console port of PC1 into the console port of the standby MPU, and the cable connected to the network interface of PC2 into interface GE0/0/0 of the master MPU. Press the Reset button to restart the MPU, enter the BootROM menu, download the version software, and set the version software, PAF file and license file for the next startup.

Step 17 In the BootROM main menu, enter 2 to start the device from CF card 1. If both MPUs are in position, insert the cable connected to the console port into the console ports of the master and standby MPUs respectively. In the BootROM main menu, enter 2 to start the device from CF card 1.

Step 18 (Optional) After the upgrade completes, upgrade the content security feature.

There are two modes for loading the content security component package: local mode and online mode. The local mode is recommended.

• Local mode

You must obtain the component package from the security center in advance and upload it to the $_install_mod folder in the root directory. Then, load the component package as follows:

– Content security component package
install-module CSG_H50010000_yyy.mod next-startup

– URL component package
install-module URLRMT_H50010000_yyy.mod next-startup

– Cloud sandbox component package
install-module CSB_H50010000_yyy.mod next-startup

• Online mode

Ensure that the device can access the security center directly or through a proxy server.

Configure a security policy to permit HTTP and FTP packets when the device directly connects to the security center, or to permit HTTP packets when the device connects to the security center through a proxy server. For details, see the description of security policies and content security in HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

NOTE

Before executing the following online loading procedure, ensure that the DNS server address has been configured and the DNS server can correctly resolve http://sec.huawei.com.

download module nextstartup
install-module filename CSG_H50010000_yyy.mod next-startup
install-module filename URLRMT_H50010000_yyy.mod next-startup

After the loading in either local or online mode, run the display module-information verbose command to view details on the dynamically loaded component package. The following information is a part of the command output. If the State value is INSTALL_OK, the component package has been successfully loaded.

<sysname> display module-information verbose
Module Information
------------------------------------------------------------------------
Module          Version   InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup     1.0.0.0   2015-12-23 11:13:37+00:00  CSG_H50010000_yyy.mod
URL Filter      1.0.0.0   2015-12-23 11:13:37+00:00  URLRMT_H50010000_yyy.mod
************************************************************************
*    Content Security Group information, as follows:                   *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
*    URL Filter information , as follows:                              *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
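The same INSTALL_OK check is described three times on this page (Step 6 of the web upgrade, Step 5 of the CF card upgrade, and Step 18 here). When several devices are upgraded, reading the State column by eye does not scale, so the following parser is added here as an example; it is not part of the Huawei guide. It extracts every per-component State block from display module-information verbose output and lists the rows whose State is anything other than INSTALL_OK. The sample text is constructed in the layout the guide shows (its INSTALL_FAIL row and "load error" detail are invented so the failure path is exercised); the function names parse_module_states and not_ok are the example's own.

```python
"""Check every component in 'display module-information verbose' output for State INSTALL_OK.

Added example, not from the Huawei guide. Feed it the raw text captured from the
device (paste, or pipe from your terminal logger); the sample below is constructed.
"""
import re

# Constructed sample in the guide's layout. The second block is deliberately not OK.
SAMPLE_OUTPUT = """\
Module Information
------------------------------------------------------------------------
Module          Version   InstallTime                PackageName
------------------------------------------------------------------------
ConSecGroup     1.0.0.0   2015-12-23 11:13:37+00:00  CSG_H50010000_yyy.mod
URL Filter      1.0.0.0   2015-12-23 11:13:37+00:00  URLRMT_H50010000_yyy.mod
************************************************************************
*    Content Security Group information, as follows:                   *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_OK   -
************************************************************************
*    URL Filter information , as follows:                              *
************************************************************************
Slot   Type   State        Detail
------------------------------------------------------------------------
-      NP     INSTALL_FAIL  load error
"""

# Section banner, e.g. "*    URL Filter information , as follows:   *"
# (the guide's output has a stray space before the comma in one banner, hence \s*,).
SECTION_RE = re.compile(r"^\*\s+(?P<name>.+?)\s+information\s*,\s*as follows:")


def parse_module_states(text):
    """Return {section_name: [(slot, type, state, detail), ...]} for each component block."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            sections[current] = []
            continue
        if current is None or not line:
            continue                      # still in the summary table above the blocks
        if line.startswith(("*", "-----", "Slot")):
            continue                      # decoration or column header
        parts = line.split(None, 3)       # Detail may contain spaces, keep it whole
        if len(parts) < 3:
            continue
        slot, typ, state = parts[:3]
        detail = parts[3] if len(parts) == 4 else ""
        sections[current].append((slot, typ, state, detail))
    return sections


def not_ok(sections):
    """Rows whose State is not INSTALL_OK, as (section, slot, state, detail)."""
    return [(sec, slot, state, detail)
            for sec, rows in sections.items()
            for slot, _typ, state, detail in rows
            if state != "INSTALL_OK"]


if __name__ == "__main__":
    failures = not_ok(parse_module_states(SAMPLE_OUTPUT))
    print("all components INSTALL_OK" if not failures else f"not loaded: {failures}")
```

The summary table at the top of the output is ignored on purpose: only the per-component blocks carry the State column the guide tells you to check.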


NOTICE

Restart the device. Then, the device will automatically load the content security component package based on the license functions. To ensure that the sensitive feature configuration takes effect, restart the device without saving the configuration, or run the reboot fast command to restart the device and re-load the configuration.

Now, the upgrade to V500R001 is complete. The optional follow-up task is to restore and test services.

Step 19 (Optional) Update the signature databases of security functions.

Before upgrading the signature database, ensure that the activated license file contains the content security function.

If the latest signature databases are not required, skip this step. The NGFW will automatically load the default signature databases after startup.

If the latest signature database is required, you can upgrade the signature database in either the online or local upgrade mode. For details, see the chapter "Upgrade Center" in the HUAWEI USG6000&USG9500 V500R001C80SPC100 Product Documentation.

----End

2.2.6 Upgrade Result Verification

2.2.6.1 Checking the Information About the Current Version Software

Example

After the device is started, log in to the CLI. In any view, run the display version command to check the information about the running version software. The following is a sample output for this command.

<USG9500> display version
Huawei Technologies Versatile Security Platform Software
Software Version: USG9520&USG9560&USG9580 V500R001C80SPC100(VSP (R) Software, Version 5.70)
..........

In any view, run the display startup command to check the version software and configuration file in use.

<USG9500> display startup
MainBoard:
  Configured startup system software:    cfcard:/USG9520V500R001C80SPC100.cc
  Startup system software:               cfcard:/USG9520V500R001C80SPC100.cc
  Next startup system software:          cfcard:/USG9520V500R001C80SPC100.cc
  Startup saved-configuration file:      cfcard:/config.cfg
  Next startup saved-configuration file: cfcard:/config.cfg
  Startup paf file:                      cfcard:/paf.txt
  Next startup paf file:                 cfcard:/paf.txt
  Startup license file:                  cfcard:/license.txt
  Next startup license file:             cfcard:/license.txt
  Startup patch package:                 cfcard:/patchpackage.pat
  Next startup patch package:            cfcard:/patchpackage.pat


The Software Version line indicates the version of the current software. Check whether the version is the same as the target version. If not, check the upgrade procedure, locate the fault, and re-upgrade the software to the target version.

2.2.6.2 Checking Whether Boards Have Been Successfully Registered

Context

In any view, run the display device command to check the registration status of the boards. In normal cases, the Status column should be Normal.

Example

<USG9500> display device
USG9580's Device status:
Slot #  type   online    register    status   primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1       LPU    Present   Registered  Normal   NA
6       SPU    Present   Registered  Normal   NA
8       LPU    Present   Registered  Normal   NA
9       MPU    Present   NA          Normal   Master
10      MPU    Present   Registered  Normal   Slave
11      SFU    Present   Registered  Normal   NA
12      SFU    Present   Registered  Normal   NA
13      SFU    Present   Registered  Normal   NA
14      SFU    Present   Registered  Normal   NA
15      CLK    Present   Registered  Normal   Master
16      CLK    Present   Registered  Normal   Slave
17      PWR    Present   Registered  Normal   NA
18      PWR    Present   Registered  Normal   NA
19      FAN    Present   Registered  Normal   NA

Half an hour after the registration of the MPU, if any board fails in registration, you need to check whether the board is normal. Remove and re-insert the board. If it still cannot be registered successfully, contact technical support personnel.
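On a fully populated chassis the display device table has many rows, and one Abnormal board is easy to overlook half an hour after reboot. The following check is an added example, not part of the Huawei guide: it parses the table and returns the boards that are not Present, Registered and Normal. In the guide's sample output the master MPU shows NA in the register column while being perfectly healthy, so that one combination is accepted. The sample table is constructed in the guide's layout with slot 8 altered to Unregistered/Abnormal; parse_device_table and unhealthy_boards are the example's own names.

```python
"""Flag boards that did not register normally in 'display device' output (section 2.2.6.2).

Added example, not from the Huawei guide. Columns, as shown in the guide:
Slot # / type / online / register / status / primary.
"""

# Constructed sample in the guide's layout; slot 8 is deliberately unhealthy.
SAMPLE_DEVICE = """\
USG9580's Device status:
Slot #  type   online    register      status    primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1       LPU    Present   Registered    Normal    NA
6       SPU    Present   Registered    Normal    NA
8       LPU    Present   Unregistered  Abnormal  NA
9       MPU    Present   NA            Normal    Master
10      MPU    Present   Registered    Normal    Slave
19      FAN    Present   Registered    Normal    NA
"""


def parse_device_table(text):
    """Return one dict per board row; header, title and separator lines are skipped."""
    boards = []
    for line in text.splitlines():
        parts = line.split()
        # A board row has exactly six whitespace-separated fields and a numeric slot.
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        slot, typ, online, register, status, primary = parts
        boards.append({"slot": int(slot), "type": typ, "online": online,
                       "register": register, "status": status, "primary": primary})
    return boards


def unhealthy_boards(boards):
    """Boards that are not Present / Registered / Normal.

    The master MPU reports 'NA' in the register column in the guide's own sample
    output, so MPU + Master + NA is treated as registered.
    """
    bad = []
    for b in boards:
        master_mpu_na = (b["type"] == "MPU" and b["primary"] == "Master"
                         and b["register"] == "NA")
        register_ok = b["register"] == "Registered" or master_mpu_na
        if b["online"] != "Present" or not register_ok or b["status"] != "Normal":
            bad.append(b)
    return bad


if __name__ == "__main__":
    for b in unhealthy_boards(parse_device_table(SAMPLE_DEVICE)):
        print(f"slot {b['slot']} ({b['type']}): register={b['register']} status={b['status']}")
```

Capture display device once right after the MPU registers and again half an hour later; a board that is still listed by this check on the second capture is the one to reseat, as the text above says.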

2.2.6.3 Checking License Status

Context

Run the display license command in any view to check the license status.

Example

<USG9500> display license
MainBoard:
Device ESN is: 210305G06R
The file activated is: cfcard:/license.dat
The time when activated is: 2016/01/07 22:56:01
The time when expired is: 2023-04-24
Virtual System : 4096
IPSec VPN : 278710
Carrier Network Enhanced Security Supported License: Enabled
Content Security Group: Enabled
Encryption Function : Enabled
Firewall Upgrade Additional Performance: 150Gbps
6RD Session Scale : 16M
NAT64 Session Scale : 16M
DS-Lite Session Scale: 16M
URL Remote Query : Enabled; service expire time: 2023/04/24
IPS Update : Enabled; service expire time: 2023/04/24
Anti Virus Update : Enabled; service expire time: 2023/04/24

2.2.6.4 Checking the Running Status of the Device

Checking the CPU and Memory Usage

In any view, run the display health command to check the CPU and memory usage. If the CPU and memory usage before and after the upgrade differ only slightly, the device is running normally.

<USG9500> display health
Slot  CPU Usage  Memory Usage(Used/Total)  Simulate CPU
-----------------------------------------------------------------------
4   MPU(Master)   7%   45%   772MB/1714MB   None
1   LPU          15%   35%   293MB/820MB    None
2   SPU-CPU1     82%   17%   85MB/500MB     0%
2   SPU-CPU3     80%   17%   85MB/500MB     0%
2   SPU-CPU6      2%   14%   57MB/398MB     None
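"Differ only slightly" is a judgement call when the table has a dozen rows. The following comparison is an added example, not part of the Huawei guide: it parses a display health snapshot taken before the upgrade and one taken afterwards, and reports every board or CPU whose CPU or memory percentage moved by more than a threshold, as well as any board that appears in only one snapshot. Both snapshots are constructed in the guide's layout (the after snapshot has one deliberately drifted row); the 10-percentage-point threshold and the names parse_health and health_drift are the example's own choices, not values from the guide.

```python
"""Compare two 'display health' snapshots (before/after upgrade) for large usage changes.

Added example, not from the Huawei guide. Row layout as the guide shows it:
<slot> <board> <cpu>% <mem>% <used>MB/<total>MB <simulate cpu>
"""
import re

ROW_RE = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<name>\S+)\s+(?P<cpu>\d+)%\s+(?P<mem>\d+)%\s+"
    r"(?P<used>\d+)MB/(?P<total>\d+)MB\s+(?P<sim>\S+)"
)

# Constructed snapshots in the guide's layout (not real captures).
BEFORE = """\
Slot  CPU Usage  Memory Usage(Used/Total)  Simulate CPU
-----------------------------------------------------------------------
4   MPU(Master)   7%   45%   772MB/1714MB   None
1   LPU          15%   35%   293MB/820MB    None
2   SPU-CPU1     82%   17%   85MB/500MB     0%
2   SPU-CPU3     80%   17%   85MB/500MB     0%
"""
AFTER = """\
Slot  CPU Usage  Memory Usage(Used/Total)  Simulate CPU
-----------------------------------------------------------------------
4   MPU(Master)   9%   46%   789MB/1714MB   None
1   LPU          14%   36%   295MB/820MB    None
2   SPU-CPU1     83%   17%   85MB/500MB     0%
2   SPU-CPU3     31%   17%   85MB/500MB     0%
"""


def parse_health(text):
    """Return {(slot, board): {"cpu", "mem", "used", "total"}} with integer values."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            key = (int(m["slot"]), m["name"])
            rows[key] = {k: int(m[k]) for k in ("cpu", "mem", "used", "total")}
    return rows


def health_drift(before, after, threshold=10):
    """List (key, metric, before_value, after_value) where |after - before| > threshold
    percentage points, plus (key, "missing", in_before, in_after) for boards seen in
    only one snapshot (a board that vanished after reboot matters more than any number).
    """
    findings = []
    for key in sorted(set(before) | set(after)):
        if key not in before or key not in after:
            findings.append((key, "missing", key in before, key in after))
            continue
        for metric in ("cpu", "mem"):
            b, a = before[key][metric], after[key][metric]
            if abs(a - b) > threshold:
                findings.append((key, metric, b, a))
    return findings


if __name__ == "__main__":
    for finding in health_drift(parse_health(BEFORE), parse_health(AFTER)):
        print("drift:", finding)
```

Take the before snapshot while the device is carrying its normal traffic and the after snapshot once sessions have been re-established, otherwise every SPU CPU will show as drifted for the wrong reason.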

Checking Session Statistics

In any view, run the display firewall session statistics command to check session statistics. If the session statistics before and after the upgrade differ only slightly, services are running normally.

<USG9500> display firewall session statistics
Session Statistics:
Slot 6 cpu 0: 0
Slot 6 cpu 1: 0
Slot 6 cpu 2: 0
Slot 6 cpu 3: 0
Total 0 session(s) on all slots.

Checking Traffic Statistics

In any view, run the display interface interface-type interface-number command to check the traffic statistics on a service interface. If the traffic statistics before and after the upgrade differ only slightly, services are running normally.

The following is sample output from this command on GigabitEthernet 1/0/2:

<USG9500> display interface GigabitEthernet 1/0/2
GigabitEthernet1/0/2 current state : UP
Line protocol current state : UP
Description:Huawei, FW Series, GigabitEthernet1/1/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 101.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-8239-1e5c
The Vendor PN is PLRXPL-VI-S24-HW
The Vendor SN is CE10QQ8VK
The Vendor Name is JDSU
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
Rx Power: -5.50dBm, Warning range: [-16.99, 0.00]dBm
Tx Power: -4.97dBm, Warning range: [-9.50, 0.00]dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time   : 2016-01-28 14:12:56 UTC+08:00
Last physical down time : 2016-01-28 13:56:19 UTC+08:00
Max input bit rate: 837731200 bits/sec at 2016-01-28 19:28:32
Max output bit rate: 96 bits/sec at 2016-01-28 14:23:09
Max input packet rate: 793306 packets/sec at 2016-01-28 19:28:32
Max output packet rate: -
Statistics last cleared:never
    Last 300 seconds input rate: 834716840 bits/sec, 790451 packets/sec
    Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
    Input: 2017488712530 bytes, 15284005410 packets
    Output: 1906 bytes, 27 packets
  Input:
    Unicast: 15284005405 packets, Multicast: 0 packets
    Broadcast: 5 packets, JumboOctets: 0 packets
    CRC: 0 packets, Symbol: 0 packets
    Overrun: 0 packets, InRangeLength: 0 packets
    LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
    Fragment: 0 packets, Undersized Frame: 0 packets
    RxPause: 0 packets
  Output:
    Unicast: 24 packets, Multicast: 0 packets
    Broadcast: 3 packets, JumboOctets: 0 packets
    Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
    System: 0 packets, Overruns: 0 packets
    TxPause: 0 packets
    Unknown Vlan: 0 packets
    Input bandwidth utilization  : 96.12%
    Output bandwidth utilization : 0.01%
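The two checks above (session statistics and interface traffic statistics) are a before/after comparison that is tedious to do by eye on a busy device. The following Python script is an added example and not part of this guide: it parses captures of display firewall session statistics and display interface in the formats shown above, and flags a session-count deviation beyond a tolerance, an interface that is no longer Up, a rate that moved too far, or any error counter that has grown. The sample captures and the 10% tolerance are constructed assumptions; on a real device, save the command output to files before and after the upgrade and pass their contents to the functions.

```python
"""Before/after comparison of session and interface statistics around an upgrade.

Added example, not part of the Huawei upgrade guide. Sample captures below are
constructed in the output formats the guide shows; the tolerance is an assumption.
"""
import re

# Constructed captures of 'display firewall session statistics' (before / after).
SESSION_BEFORE = """\
Session Statistics:
  Slot 6 cpu 0: 1210
  Slot 6 cpu 1: 1187
  Slot 6 cpu 2: 1199
  Slot 6 cpu 3: 1204
  Total 4800 session(s) on all slots.
"""
SESSION_AFTER = """\
Session Statistics:
  Slot 6 cpu 0: 1190
  Slot 6 cpu 1: 1201
  Slot 6 cpu 2: 1180
  Slot 6 cpu 3: 1189
  Total 4760 session(s) on all slots.
"""
# Constructed, abbreviated captures of 'display interface GigabitEthernet 1/0/2'.
INTF_BEFORE = """\
GigabitEthernet1/0/2 current state : UP
Line protocol current state : UP
    Last 300 seconds input rate: 834716840 bits/sec, 790451 packets/sec
    Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
    CRC: 0 packets, Symbol: 0 packets
    Overrun: 0 packets, InRangeLength: 0 packets
"""
INTF_AFTER = """\
GigabitEthernet1/0/2 current state : UP
Line protocol current state : UP
    Last 300 seconds input rate: 820000000 bits/sec, 781000 packets/sec
    Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
    CRC: 12 packets, Symbol: 0 packets
    Overrun: 0 packets, InRangeLength: 0 packets
"""

ERR_RE = re.compile(r"(CRC|Symbol|Overrun|Jabber|Alignment|Fragment|Undersized Frame"
                    r"|Lost|Overflow|Underrun): (\d+) packets")
RATE_RE = r"Last 300 seconds {} rate: (\d+) bits/sec, (\d+) packets/sec"


def parse_session_stats(text):
    """Return per-CPU counts plus 'total' from display firewall session statistics."""
    stats = {f"slot{s}cpu{c}": int(n)
             for s, c, n in re.findall(r"Slot (\d+) cpu (\d+): (\d+)", text)}
    total = re.search(r"Total (\d+) session\(s\)", text)
    if total is None:
        raise ValueError("no 'Total ... session(s)' line in capture")
    stats["total"] = int(total.group(1))
    return stats


def parse_interface(text):
    """Return state, 300-second rates and error counters from display interface output."""
    name, state = re.search(r"^(\S+) current state : (\S+)", text, re.M).groups()
    proto = re.search(r"Line protocol current state : (\S+)", text).group(1)
    in_bps, in_pps = map(int, re.search(RATE_RE.format("input"), text).groups())
    out_bps, out_pps = map(int, re.search(RATE_RE.format("output"), text).groups())
    errors = {k: int(v) for k, v in ERR_RE.findall(text)}
    return {"name": name, "state": state, "line_protocol": proto, "in_bps": in_bps,
            "in_pps": in_pps, "out_bps": out_bps, "out_pps": out_pps, "errors": errors}


def rel_change(before, after):
    """Relative change; a zero baseline is unchanged only if the value is still zero."""
    if before == 0:
        return 0.0 if after == 0 else float("inf")
    return abs(after - before) / before


def compare_sessions(before_text, after_text, tolerance=0.10):
    """(ok, change): ok when the total session count moved by at most `tolerance`."""
    b, a = parse_session_stats(before_text), parse_session_stats(after_text)
    change = rel_change(b["total"], a["total"])
    return change <= tolerance, change


def compare_interface(before_text, after_text, tolerance=0.10):
    """Findings list; empty means the interface is Up, rates are stable and no error counter grew."""
    b, a = parse_interface(before_text), parse_interface(after_text)
    findings = []
    if a["state"] != "UP" or a["line_protocol"] != "UP":
        findings.append(f"{a['name']} is {a['state']}/{a['line_protocol']} after upgrade")
    for key in ("in_bps", "in_pps", "out_bps", "out_pps"):
        change = rel_change(b[key], a[key])
        if change > tolerance:
            findings.append(f"{key} changed by {change:.1%} ({b[key]} -> {a[key]})")
    for counter, after_value in a["errors"].items():
        before_value = b["errors"].get(counter, 0)
        if after_value > before_value:
            findings.append(f"{counter} counter grew from {before_value} to {after_value}")
    return findings


if __name__ == "__main__":
    print("sessions:", compare_sessions(SESSION_BEFORE, SESSION_AFTER))
    print("interface:", compare_interface(INTF_BEFORE, INTF_AFTER) or "no findings")
```

With the constructed samples the session count moves by under 1%, which passes, while the CRC counter growing from 0 to 12 is reported as a finding: a rate that stays within tolerance says nothing about link quality, so error counters are compared as absolute growth rather than as a percentage.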

2.2.6.5 Checking Whether Configurations Are Recovered

Context

Run the compare configuration command in the user view to compare the current configuration with the configuration file saved on CF card 1, and check whether any configuration has been lost or changed.

If no configuration is lost, the following is displayed:

<USG9500> compare configuration
Info:The current configuration is the SAME as the saved configuration!

If some configurations are lost, the output shows the lost configurations (underscored in the original output; only the first difference is displayed, although multiple differences may exist):

<USG9500> compare configuration
Warning:The current configuration is NOT the same as the saved configuration!
====== Current configuration line 13343 ======
#-----end----#
#*****begin****vfw1****#
#
firewall packet-filter default permit interzone local trust direction inbound
====== Configuration file line 13343 ======
#-----end----#

The preceding information is only an example; use the actual display information from your network environment.

It is recommended that you use Beyond Compare to compare the configuration files before and after the upgrade for any difference. If any configuration is lost, use the configuration file saved before the upgrade for recovery, or contact technical support personnel.
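Where Beyond Compare is not at hand, the same before/after comparison can be scripted. The following Python snippet is an added example and not part of this guide: it splits two saved configuration files into their #-delimited blocks, ignores the header lines that legitimately change across an upgrade, and reports blocks or lines present only before or only after the upgrade. The configuration fragments are constructed samples, not real device configuration.

```python
"""Block-aware comparison of two saved Huawei configuration files.

Added example, not part of the Huawei upgrade guide. The configuration texts
are constructed samples in the '#'-separated layout of a saved configuration.
"""

# Constructed pre-upgrade configuration (sample, not real device configuration).
CONFIG_BEFORE = """\
!Software Version V500R001C30SPC300
!Last configuration was updated at 2016-01-28 13:50:00
#
 sysname USG9500
#
firewall packet-filter default permit interzone local trust direction inbound
#
interface GigabitEthernet1/0/2
 ip address 101.1.1.2 255.255.255.0
#
return
"""
# Constructed post-upgrade configuration: the packet-filter line is gone, a description appeared.
CONFIG_AFTER = """\
!Software Version V500R001C80SPC100
!Last configuration was updated at 2016-01-28 15:10:00
#
 sysname USG9500
#
interface GigabitEthernet1/0/2
 description post-upgrade-test
 ip address 101.1.1.2 255.255.255.0
#
return
"""

# Header lines that legitimately change across an upgrade and must not count as differences.
VOLATILE_PREFIXES = ("!Software Version", "!Last configuration")


def sections(text):
    """Split a saved configuration into '#'-delimited blocks keyed by each block's first line."""
    blocks, current = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(VOLATILE_PREFIXES):
            continue
        if line == "#":
            if current:
                blocks.setdefault(current[0], []).extend(current[1:])
            current = []
        else:
            current.append(line)
    if current:
        blocks.setdefault(current[0], []).extend(current[1:])
    return blocks


def config_diff(before, after):
    """Return (lost, added): blocks or lines present only before / only after the upgrade."""
    b, a = sections(before), sections(after)
    lost = list(b.keys() - a.keys())    # whole block missing after the upgrade
    added = list(a.keys() - b.keys())   # whole block new after the upgrade
    for head in b.keys() & a.keys():
        lost += [f"{head} / {line.strip()}" for line in b[head] if line not in a[head]]
        added += [f"{head} / {line.strip()}" for line in a[head] if line not in b[head]]
    return sorted(lost), sorted(added)


def report(before, after):
    """Human-readable summary; 'LOST' entries are what to restore from the pre-upgrade backup."""
    lost, added = config_diff(before, after)
    lines = [f"LOST : {item}" for item in lost] + [f"ADDED: {item}" for item in added]
    return "\n".join(lines) if lines else "configurations identical (ignoring volatile header lines)"


if __name__ == "__main__":
    print(report(CONFIG_BEFORE, CONFIG_AFTER))
```

Comparing per block rather than as a flat line list matters because lines such as ip address only have meaning under their interface or zone heading; a plain line diff can pair a lost line under one interface with an identical line under another and hide the loss.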


2.2.6.6 Checking Whether Services Are Normal

Context

There are two methods of checking whether services are normal:

- Collect several tables (routing table, FIB table, MAC table, and session table) and compare them with those collected before the upgrade to check whether entries are lost, and check whether the service traffic volume after the upgrade is approximately the same as before.

- Contact the network administrator of the site and check whether services are normal.

2.2.6.7 Running Inspection Tool

Context

It is recommended that you use SmartKit NSE2700 to comprehensively check the device after the upgrade. This helps you discover faults in time and ensures stable device operation.

2.2.7 Version Rollback

Prerequisites

NOTICE

1. Before rolling V500R001C50 and later versions back to earlier versions, run the set system-software check-mode all command in the system view. Other versions can be rolled back to earlier ones directly.

2. Before rolling back to the original version, make sure that the corresponding configuration file (backed up before the upgrade) is loaded to the CF card of the device and is specified as the file for the next startup by running the startup saved-configuration cfg-filename command. Then restart the device, avoiding configuration loss due to CLI differences between versions.

3. After V500R001C30 is upgraded to a version later than V500R001C50, PKI virtualization is supported, and the storage directory of the PKI certificate configuration file ca_config.ini is changed from the root directory to the pki/public directory. When the current version is rolled back to V500R001C30 and PKI service configurations are modified, the /pki/public/ca_config.ini file needs to be deleted. Otherwise, the follow-up upgrade does not trigger the upgrade of PKI services, and the PKI certificate configuration is lost after the upgrade.

4. In the hot standby scenario, during the version rollback from V500R001C80 and later versions to V500R001C60 and earlier versions, SSL VPN users need to log in again.

Application Scenario

The version rollback needs to be performed if:

- The device cannot start normally after the upgrade, and the current version needs to be rolled back to the previous one.

  In this case, you need to roll back to the backup source version in BootROM mode. The detailed procedure is the same as that for upgrading the version software in BootROM mode. For details, see Upgrade Through BootROM.

- The device can start normally after the upgrade, but a certain function cannot run normally, and therefore the current version needs to be rolled back to the previous one.

  In this case, you can use any of the following modes to roll back the version:

  – Roll back the version through the command line. The detailed procedure is the same as that for upgrading the version software in CLI mode. For details, see Upgrade Through CLI.

  – Roll back the version through the Web. The detailed procedure is the same as that for upgrading the version software in Web mode. For details, see Upgrade Through Web.

  – Roll back the version through the CF card. The detailed procedure is the same as that for upgrading the version software in CF card mode. For details, see Upgrade Through CF Card.

  – Roll back the version in one-click mode.

During the version rollback, note the following:

One-Click Version Rollback

NOTICE

- If the backup folder does not exist, the one-click version rollback fails. You can specify the version to be rolled back to and the configuration file.

- Version rollback does not include license rollback. If the license files differ between the source and target versions, manually load the required license file according to the product documentation after the rollback.

Upgrade operations:

1. Check whether the backup file (backcfg.zip) is available. The backup file should be in the CFcard:/backup/yyyyMMddHHmmss/ folder. If the backup file is unavailable, the follow-up procedure cannot be performed.

<FW> dir backup/    --Check whether the backup file is in the backup folder.
Directory of CFcard:/backup/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  drw-  -           Nov 26 2015  16:30:18  20151126163018
    1  drw-  -           Nov 26 2015  16:58:56  20151126165855

601,328 KB total (253,232 KB free)
<FW> cd backup/
<FW> cd 20151126163018/
<FW> dir
Directory of CFcard:/backup/20151126163018/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-  2,375       Nov 26 2015  16:30:18  backcfg.zip

601,328 KB total (253,200 KB free)

2. Copy the target version of the rollback to the CF card. For details, see Appendix: Uploading and Downloading Files.

3. The system software file of versions earlier than V500R001C50 does not include a digital certificate. To load the system software file of such an early version, run the set system-software check-mode all command to set the system software integrity verification mode to all. Otherwise, the file cannot be used for the next startup.

4. Access the diagnose view and run the recover system filename command.

NOTICE

- If multiple CFcard:/backup/yyyyMMddHHmmss folders exist, use the latest one for the version rollback.

[FW-diagnose] recover system V500R001C50.cc
Confirm: Will you recover and reboot the system ?[Y/N] y
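The folder check in step 1 and the "use the latest folder" rule in step 4 can be applied mechanically to the dir output. The following Python snippet is an added example and not part of this guide: it parses dir listings in the format shown above, selects the newest yyyyMMddHHmmss folder (ignoring anything that is not a timestamp-named directory), and confirms that backcfg.zip is present as a regular file. The listings are constructed samples.

```python
"""Locate the latest one-click rollback backup folder from 'dir' output.

Added example, not part of the Huawei upgrade guide. The listings below are
constructed samples in the format of the guide's dir output.
"""
import re
from datetime import datetime

# Constructed 'dir backup/' listing: two timestamped folders plus an unrelated file.
DIR_BACKUP = """\
Directory of CFcard:/backup/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  drw-  -           Nov 26 2015  16:30:18  20151126163018
    1  drw-  -           Nov 26 2015  16:58:56  20151126165855
    2  -rw-  12          Nov 27 2015  09:00:00  notes.txt

601,328 KB total (253,232 KB free)
"""
# Constructed listing of the newest folder.
DIR_LATEST = """\
Directory of CFcard:/backup/20151126165855/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-  2,375       Nov 26 2015  16:58:56  backcfg.zip

601,328 KB total (253,200 KB free)
"""

# One entry line: Idx Attr Size Date Time FileName (size is '-' for directories).
ENTRY_RE = re.compile(
    r"^\s*\d+\s+(\S{4})\s+(\S+)\s+\w{3} \d{1,2} \d{4}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s*$")


def parse_dir(listing):
    """Return [(attr, size, name)] for every entry line in a dir listing."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def backup_folders(listing):
    """Directories named yyyyMMddHHmmss as (datetime, name); other entries are ignored."""
    folders = []
    for attr, _size, name in parse_dir(listing):
        if attr.startswith("d") and re.fullmatch(r"\d{14}", name):
            folders.append((datetime.strptime(name, "%Y%m%d%H%M%S"), name))
    return folders


def latest_backup(listing):
    """Name of the newest backup folder; raises if none exists (rollback cannot proceed)."""
    folders = backup_folders(listing)
    if not folders:
        raise LookupError("no CFcard:/backup/yyyyMMddHHmmss folder found")
    return max(folders)[1]


def has_backup_file(folder_listing, filename="backcfg.zip"):
    """True when the folder listing contains a regular file with the expected name."""
    return any(name == filename and attr.startswith("-")
               for attr, _size, name in parse_dir(folder_listing))


if __name__ == "__main__":
    folder = latest_backup(DIR_BACKUP)
    print(f"use CFcard:/backup/{folder}/  backcfg.zip present: {has_backup_file(DIR_LATEST)}")
```

Parsing the folder name as a real timestamp, rather than sorting strings, rejects directories that merely look numeric, and the missing-folder case is an exception rather than an empty result because the guide states that the follow-up procedure cannot be performed without the backup.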

Procedure

Step 1 The precautions and the result check method of the version rollback are the same as those of the version upgrade. For details, see the descriptions of the corresponding upgrade modes.

Step 2 During the version rollback, services are interrupted temporarily. The interruption duration depends on the rollback mode and the service configuration.

Step 3 Before the version rollback, contact technical support personnel to determine whether the target version needs to be patched. If yes, install the patch immediately after the version rollback is complete. For how to install the patch, see the usage guide of the corresponding patch version.

----End

2.3 Upgrading Version Software in Dual-System Hot Backup

2.3.1 Overview

Dual-system hot backup is an important feature of the device. In dual-system hot backup, two devices are deployed; if one device is faulty, the other takes over its work immediately. In this way, a single point of failure is avoided, and network stability and reliability are improved. For details, refer to the corresponding product documentation.

You should follow a specific procedure and principle to upgrade version software in dual-system hot backup networking. The main principle of the upgrade is to upgrade the backup device first and then the master device, each independently. Note that the HRP backup channel (the heartbeat line) must be disconnected during the upgrade.


NOTICE

When upgrading version software in dual-system hot backup, the target version software of the master device must be the same as that of the backup device.

2.3.2 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Later Than V500R001C30SPC300)

This section describes how to upgrade system software in hot standby scenarios.

Networking Requirements

As shown in Figure 2-13, two FWs work in active/standby mode. GE1/0/7 is the heartbeat interface, GE1/0/1 the upstream service interface, and GE1/0/3 the downstream service interface. You need to upgrade the system software of both FWs to a specified version.

NOTE

The method of upgrading the FW is the same in all hot standby networking modes. This example describes how to upgrade the FW in active/standby networking where a router is connected in both the upstream and downstream directions.

Figure 2-13 Networking for upgrading system software in a hot standby scenario

Configuration Procedure

1. Upgrade the standby FW. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the standby FW to isolate the standby FW.

2. After the standby FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface becomes Up, synchronize session entries between the active and standby FWs. After the session entries are synchronized, run the undo shutdown command to enable the service interface. It takes around two minutes to synchronize the entries.

3. Upgrade the active FW. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the active FW to isolate the active FW. Service traffic is then switched to the standby FW for forwarding.

4. After the active FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface becomes Up, synchronize session entries between the active and standby FWs. After the session entries are synchronized, run the undo shutdown command to enable the service interface. It takes around two minutes to synchronize the entries.

5. Verify that services are normal after the upgrade, and perform the active/standby switchover test.

NOTE

If the active and standby FWs run different versions, the active FW cannot back up configurations to the standby FW. Therefore, do not deliver upgrade-irrelevant configurations to the FWs during the upgrade.

Before the upgrade or rollback, run the undo hrp base config enable command on both the active and standby FWs to disable automatic synchronization of configurations from the peer. If this function is enabled, the FWs automatically synchronize configurations from the peer after they restart upon the upgrade or rollback. As configuration commands differ between versions, configurations synchronized from the peer may conflict with the local software version and cannot be properly restored.

Procedure

Step 1 Upload system software packages to the two FWs respectively.

Step 2 Run the shutdown command to disable the service and heartbeat interfaces of FW_B (standby device). You must run the shutdown command to disable the service interface first and then the heartbeat interface. You can run the shutdown command to disable the heartbeat interface of FW_B but not that of FW_A.

HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/7
HRP_S[FW_B-GigabitEthernet1/0/7] shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit
HRP_M[FW_B] quit

Step 3 Set the system software for the next startup of FW_B.

HRP_M<FW_B> startup system-software xxxxx.bin
Info:System software for the next startup:hda1:/xxxxx.bin, start read file....
Succeeded in setting the software for booting system.

Step 4 Restart FW_B.

HRP_M<FW_B> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y


Step 5 After FW_B is restarted, run the undo shutdown command to enable the heartbeat interface.

HRP_M<FW_B> system-view
HRP_M[FW_B] interface GigabitEthernet 1/0/7
HRP_M[FW_B-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit

Step 6 Wait for the session entries to be synchronized between the active and standby FWs. It takes around two minutes to synchronize the entries. You can run the display firewall session table command to check whether the numbers of sessions on the two FWs are consistent. If yes, continue with the following operations.

Step 7 Run the undo shutdown command to enable the service interfaces of FW_B.

HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] undo shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] undo shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] quit
HRP_S[FW_B] quit
HRP_S<FW_B> save
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.

Step 8 Run the shutdown command to disable the service and heartbeat interfaces of FW_A (active device). You must run the shutdown command to disable the service interface first and then the heartbeat interface. You can run the shutdown command to disable the heartbeat interface of FW_A but not that of FW_B.

HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/3
HRP_M[FW_A-GigabitEthernet1/0/3] shutdown
HRP_S[FW_A-GigabitEthernet1/0/3] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/1
HRP_S[FW_A-GigabitEthernet1/0/1] shutdown
HRP_S[FW_A-GigabitEthernet1/0/1] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/7
HRP_S[FW_A-GigabitEthernet1/0/7] shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit
HRP_M[FW_A] quit

After the preceding operations, service traffic is switched to FW_B for forwarding.

Step 9 Set the system software for the next startup of FW_A.

HRP_M<FW_A> startup system-software xxxxx.bin
Info:System software for the next startup:hda1:/xxxxx.bin, start read file....
Succeeded in setting the software for booting system.

Step 10 Restart FW_A.

HRP_M<FW_A> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 11 After FW_A is restarted, run the undo shutdown command to enable the heartbeat interface.

HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/7
HRP_M[FW_A-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit


Step 12 Wait for the session entries to be synchronized between the active and standby FWs. It takes around two minutes to synchronize the entries. You can run the display firewall session table command to check whether the numbers of sessions on the two FWs are consistent. If yes, continue with the following operations.

Step 13 Run the undo shutdown command to enable the service interfaces of FW_A.

HRP_S[FW_A] interface GigabitEthernet 1/0/3
HRP_S[FW_A-GigabitEthernet1/0/3] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/3] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/1
HRP_S[FW_A-GigabitEthernet1/0/1] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/1] quit
HRP_S[FW_A] quit
HRP_S<FW_A> save
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.

----End

Verification

1. Test whether services are normal.

2. Test the active/standby switchover.

   Configure a PC on the intranet to continuously ping an Internet host, and run the shutdown command on GE1/0/1 of FW_A. Then check the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW_B becomes the active device and carries services: the command prompt of FW_B changes from HRP_S to HRP_M, the command prompt of FW_A changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

   Run the undo shutdown command on GE1/0/1 of FW_A and check the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW_A becomes the active device and starts carrying services after the preemption delay (60s by default) expires: the command prompt of FW_A changes from HRP_S to HRP_M, the command prompt of FW_B changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

2.3.3 Upgrading System Software in Hot Standby Scenarios (Applicable to Versions Earlier Than V500R001C30SPC300)

This section describes how to upgrade system software in hot standby scenarios.

Networking Requirements

As shown in Figure 2-14, two FWs work in active/standby mode. GE1/0/7 is the heartbeat interface, GE1/0/1 the upstream service interface, and GE1/0/3 the downstream service interface. You need to upgrade the system software of both FWs to a specified version.


NOTE

The method of upgrading the FW is the same in all hot standby networking modes. This example describes how to upgrade the FW in active/standby networking where a router is connected in both the upstream and downstream directions.

Figure 2-14 Networking for upgrading system software in a hot standby scenario

Configuration Procedure

1. Upgrade the standby FW first. Before the upgrade, run the shutdown command to disable the service and heartbeat interfaces of the standby FW to isolate the standby FW.

2. After the standby FW is upgraded, run the shutdown command to disable the service and heartbeat interfaces of the active FW to isolate the active FW. Then run the undo shutdown command to enable the heartbeat and service interfaces of the standby FW and switch service traffic to the standby FW for forwarding.

3. Upgrade the active FW.

4. After the active FW is upgraded, run the undo shutdown command to enable the heartbeat interface first. After the heartbeat interface becomes Up, synchronize session entries between the active and standby FWs. After the session entries are synchronized, run the undo shutdown command to enable the service interface. It takes around two minutes to synchronize the entries.

5. Verify that services are normal after the upgrade, and perform the active/standby switchover test.

Procedure

Step 1 Upload system software packages to the two FWs respectively.

Step 2 Run the shutdown command to disable the service and heartbeat interfaces of FW_B (standby device). You must run the shutdown command to disable the service interface first and then the heartbeat interface. You can run the shutdown command to disable the heartbeat interface of FW_B but not that of FW_A.

HRP_S<FW_B> system-view
HRP_S[FW_B] interface GigabitEthernet 1/0/3
HRP_S[FW_B-GigabitEthernet1/0/3] shutdown
HRP_S[FW_B-GigabitEthernet1/0/3] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/1
HRP_S[FW_B-GigabitEthernet1/0/1] shutdown
HRP_S[FW_B-GigabitEthernet1/0/1] quit
HRP_S[FW_B] interface GigabitEthernet 1/0/7
HRP_S[FW_B-GigabitEthernet1/0/7] shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit
HRP_M[FW_B] quit

Step 3 Set the system software for the next startup of FW_B.

HRP_M<FW_B> startup system-software xxxxx.bin
Info:System software for the next startup:hda1:/xxxxx.bin, start read file....
Succeeded in setting the software for booting system.

Step 4 Restart FW_B.

HRP_M<FW_B> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 5 After FW_B is restarted and the LPU and SPU are restored, run the shutdown command to disable the service and heartbeat interfaces of FW_A (active device). After the service and heartbeat interfaces of FW_A are disabled, services are interrupted. To reduce the service interruption duration, immediately after the interfaces of FW_A are disabled, run the undo shutdown command to enable the heartbeat and service interfaces of FW_B and switch service traffic to FW_B for forwarding.

# Run the shutdown command to disable the service and heartbeat interfaces of FW_A. You must disable the service interfaces first and then the heartbeat interface.

HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/3
HRP_M[FW_A-GigabitEthernet1/0/3] shutdown
HRP_M[FW_A-GigabitEthernet1/0/3] quit
HRP_M[FW_A] interface GigabitEthernet 1/0/1
HRP_M[FW_A-GigabitEthernet1/0/1] shutdown
HRP_M[FW_A-GigabitEthernet1/0/1] quit
HRP_M[FW_A] interface GigabitEthernet 1/0/7
HRP_M[FW_A-GigabitEthernet1/0/7] shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit
HRP_M[FW_A] quit

# Run the undo shutdown command to enable the heartbeat and service interfaces of FW_B. You must enable the heartbeat interface first and then the service interfaces.

HRP_M<FW_B> system-view
HRP_M[FW_B] interface GigabitEthernet 1/0/7
HRP_M[FW_B-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/7] quit
HRP_M[FW_B] interface GigabitEthernet 1/0/3
HRP_M[FW_B-GigabitEthernet1/0/3] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/3] quit
HRP_M[FW_B] interface GigabitEthernet 1/0/1
HRP_M[FW_B-GigabitEthernet1/0/1] undo shutdown
HRP_M[FW_B-GigabitEthernet1/0/1] quit

Step 6 Set the system software for the next startup of FW_A.

HRP_M<FW_A> startup system-software xxxxx.bin
Info:System software for the next startup:hda1:/xxxxx.bin, start read file....
Succeeded in setting the software for booting system.

Step 7 Restart FW_A.

HRP_M<FW_A> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file hda1:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 0....
Save the configuration successfully.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 8 After FW_A is restarted, run the undo shutdown command to enable the heartbeat interface.

HRP_M<FW_A> system-view
HRP_M[FW_A] interface GigabitEthernet 1/0/7
HRP_M[FW_A-GigabitEthernet1/0/7] undo shutdown
HRP_M[FW_A-GigabitEthernet1/0/7] quit

Step 9 Wait for the session entries to be synchronized between the active and standby FWs. It takes around two minutes to synchronize the entries. You can run the display firewall session table command to check whether the numbers of sessions on the two FWs are consistent. If yes, continue with the following operations.

Step 10 Run the undo shutdown command to enable the service interfaces of FW_A.

HRP_S[FW_A] interface GigabitEthernet 1/0/3
HRP_S[FW_A-GigabitEthernet1/0/3] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/3] quit
HRP_S[FW_A] interface GigabitEthernet 1/0/1
HRP_S[FW_A-GigabitEthernet1/0/1] undo shutdown
HRP_S[FW_A-GigabitEthernet1/0/1] quit

----End
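Both hot standby procedures (2.3.2 and 2.3.3) rest on one ordering rule: shut down the service interfaces before the heartbeat interface, and bring the heartbeat interface up (waiting for session synchronization where the peer is reachable) before the service interfaces. Getting the order wrong either leaves the standby advertising itself while its services are down or brings traffic onto a device that has not yet learnt the sessions. The following Python script is an added example and not part of this guide: it generates the per-device command batches for either variant and checks that rule over the generated sequence. FW_A (active), FW_B (standby), the interface numbers and the xxxxx.bin placeholder follow the guide's example; the phase names are assumptions.

```python
"""Ordered command batches for upgrading a hot-standby (HRP) firewall pair.

Added example, not part of the Huawei upgrade guide. FW_A (active), FW_B
(standby), the interface numbers and the xxxxx.bin placeholder follow the
guide's example; the phase names are assumptions.
"""

HEARTBEAT = "GigabitEthernet 1/0/7"
SERVICE = ["GigabitEthernet 1/0/3", "GigabitEthernet 1/0/1"]  # downstream, upstream


def _iface(iface, action):
    return [f"interface {iface}", action, "quit"]


def isolate(service_ifaces, heartbeat):
    """Shut the service interfaces first and the heartbeat interface last."""
    cmds = ["system-view"]
    for iface in service_ifaces:
        cmds += _iface(iface, "shutdown")
    return cmds + _iface(heartbeat, "shutdown") + ["quit"]


def enable_heartbeat(heartbeat):
    return ["system-view"] + _iface(heartbeat, "undo shutdown") + ["quit"]


def enable_service(service_ifaces):
    """Service interfaces come up only after the heartbeat (and session sync, where applicable)."""
    cmds = ["system-view"]
    for iface in service_ifaces:
        cmds += _iface(iface, "undo shutdown")
    return cmds + ["quit", "save"]


def upgrade_phases(later_than_c30spc300=True, image="xxxxx.bin"):
    """[(device, phase, commands)] in execution order for the guide's two variants."""
    upgrade = [f"startup system-software {image}", "reboot"]
    phases = [("FW_B", "isolate", isolate(SERVICE, HEARTBEAT)),
              ("FW_B", "upgrade", upgrade)]
    if later_than_c30spc300:
        # 2.3.2: the standby rejoins and resynchronises sessions before the active is touched.
        phases += [("FW_B", "enable heartbeat", enable_heartbeat(HEARTBEAT)),
                   ("FW_B", "wait for session sync", []),
                   ("FW_B", "enable service", enable_service(SERVICE)),
                   ("FW_A", "isolate", isolate(SERVICE, HEARTBEAT))]
    else:
        # 2.3.3: the active is isolated first, then the standby takes over (no sync possible yet).
        phases += [("FW_A", "isolate", isolate(SERVICE, HEARTBEAT)),
                   ("FW_B", "enable heartbeat", enable_heartbeat(HEARTBEAT)),
                   ("FW_B", "enable service", enable_service(SERVICE))]
    phases += [("FW_A", "upgrade", upgrade),
               ("FW_A", "enable heartbeat", enable_heartbeat(HEARTBEAT)),
               ("FW_A", "wait for session sync", []),
               ("FW_A", "enable service", enable_service(SERVICE))]
    return phases


def check_order(phases):
    """Per device: every service 'shutdown' precedes the heartbeat 'shutdown',
    and the heartbeat 'undo shutdown' precedes every service 'undo shutdown'."""
    for device in {d for d, _, _ in phases}:
        flat = [c for d, _, cmds in phases if d == device for c in cmds]

        def positions(iface, action):
            return [n for n, c in enumerate(flat)
                    if c == f"interface {iface}" and n + 1 < len(flat) and flat[n + 1] == action]

        hb_down, hb_up = positions(HEARTBEAT, "shutdown"), positions(HEARTBEAT, "undo shutdown")
        for svc in SERVICE:
            if any(s > h for s in positions(svc, "shutdown") for h in hb_down):
                return False
            if any(s < h for s in positions(svc, "undo shutdown") for h in hb_up):
                return False
    return True


if __name__ == "__main__":
    for device, phase, cmds in upgrade_phases(later_than_c30spc300=True):
        print(f"== {device}: {phase}")
        print("\n".join(cmds) if cmds else "(operator waits; compare display firewall session table)")
```

The "wait for session sync" phase carries no commands on purpose: it is the point at which the operator compares display firewall session table on both devices, as Steps 6 and 12 describe, and must not be scripted away.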

Verification

1. Test whether services are normal.

2. Test the active/standby switchover.

   Configure a PC on the intranet to continuously ping an Internet host, and run the shutdown command on GE1/0/1 of FW_A. Then check the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW_B becomes the active device and carries services: the command prompt of FW_B changes from HRP_S to HRP_M, the command prompt of FW_A changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

   Run the undo shutdown command on GE1/0/1 of FW_A and check the status switchover of the FWs and the number of discarded ping packets. If the switchover is normal, FW_A becomes the active device and starts carrying services after the preemption delay (60s by default) expires: the command prompt of FW_A changes from HRP_S to HRP_M, the command prompt of FW_B changes from HRP_M to HRP_S, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.


2.4 Appendix: Establishing the Upgrade Environment Through the Console Port

Prerequisites

The prerequisites for console port login are as follows:

- A PC (with an RS-232 serial port) and an RS-232 cable are available.
- A terminal emulation program (such as Windows XP HyperTerminal) is installed on the PC.
- The USG9500 is powered on and running properly.

Background Information

By default, IP address 192.168.0.1 is set for interface GigabitEthernet 0/0/0 on the MPU of the USG9500. You can use this IP address together with the default user name admin and password Admin@123 to log in to the CLI of the USG9500 through Telnet. If the Telnet configuration has been removed, or you want to use SSH for the login, log in to the USG9500 through the console port to set up the Telnet or SSH environment.

Figure 2-15 shows how to set up the Telnet or SSH environment through the console port. The serial port of the PC is connected to the console port of the USG9500 through a standard RS-232 configuration cable.

Figure 2-15 Establishing the upgrade environment through the console port

Procedure

Step 1 Select Start > All Programs > Accessories > Communications > HyperTerminal to start the terminal emulation program (for example, Windows XP HyperTerminal) on the PC. The Connection Description dialog box is displayed, as shown in Figure 2-16.


Figure 2-16 Connection Description dialog box

Step 2 Click OK. The Connect To dialog box is displayed. From the Connect using drop-down list box, select the serial port of the PC (such as COM1) that is connected to the USG9500, as shown in Figure 2-17.

Figure 2-17 Connect to dialog box

Step 3 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in Figure 2-18. The communication parameters of COM1 must be the same as those of the console port on the USG9500.


Figure 2-18 Setting port properties

Step 4 Log in to the USG9500 and enter the CLI. By default, the user name and password for logging in to the USG9500 through the console port are admin and Admin@123 respectively.

Step 5 Configure the upgrade environment.

1. Configure Telnet for login.

   Set the IP address of GigabitEthernet 0/0/0 on the MPU of the USG9500 to 192.168.0.1 and the subnet mask to 255.255.255.0. Set the authentication mode on the virtual type terminal (VTY) to AAA and the protocol to Telnet. Create a local Telnet user with the user name user1, user level 3, and password Password1.

[USG9500] aaa
[USG9500-aaa] manager-user vtyadmin
[USG9500-aaa-manager-user-vtyadmin] password
Enter Password:
Confirm Password:
[USG9500-aaa-manager-user-vtyadmin] service-type telnet
[USG9500-aaa-manager-user-vtyadmin] quit
[USG9500-aaa] bind manager-user vtyadmin role system-admin

   If an interface on an interface board is used to set up the Telnet environment, you need to not only configure the preceding commands but also assign the interface to a security zone and enable the interzone security policy between this security zone and the Local zone. The following command output uses assigning GigabitEthernet 1/0/1 to the Trust zone as an example. The IP address of the Telnet client is 192.168.0.2.

[USG9500] firewall zone trust
[USG9500-zone-trust] add interface GigabitEthernet 1/0/1
[USG9500-zone-trust] quit
[USG9500] policy interzone local trust inbound
[USG9500-policy-interzone-local-trust-inbound] policy 1
[USG9500-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[USG9500-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.1 0
[USG9500-policy-interzone-local-trust-inbound-1] action permit

2. Configure SSH for login.
Set the IP address of GigabitEthernet 0/0/0 on the MPU of the USG9500 to 192.168.0.1 and subnet mask to 255.255.255.0. Set the authentication mode on the virtual type terminal (VTY) to AAA and protocol to SSH. Create a local SSH user with the user name user1, user level 3, password Password1.
<USG9500> system-view
[USG9500] user-interface vty 0 4
[USG9500-ui-vty0-4] authentication-mode aaa
[USG9500-ui-vty0-4] user privilege level 3
[USG9500-ui-vty0-4] quit
[USG9500] aaa
[USG9500-aaa] manager-user sshadmin
[USG9500-aaa-manager-user-sshadmin] password
Enter Password:
Confirm Password:
[USG9500-aaa-manager-user-sshadmin] service-type ssh
[USG9500-aaa-manager-user-sshadmin] level 3
[USG9500-aaa-manager-user-sshadmin] quit
[USG9500-aaa] bind manager-user sshadmin role system-admin
[USG9500-aaa] quit
[USG9500] stelnet server enable
[USG9500] rsa local-key-pair create
[USG9500] ssh user sshadmin
[USG9500] ssh user sshadmin authentication-type password
[USG9500] ssh user sshadmin service-type stelnet
If an interface on the interface board is used to construct the SSH environment, you need to not only configure the previous commands, but also assign the interface to a security zone and enable the interzone security policy between this security zone and the Local zone. The following command output uses assigning GigabitEthernet 1/0/1 to the Trust zone as an example. The IP address of the SSH client is 192.168.0.2.
[USG9500] firewall zone trust
[USG9500-zone-trust] add interface GigabitEthernet 1/0/1
[USG9500-zone-trust] quit
[USG9500] policy interzone local trust inbound
[USG9500-policy-interzone-local-trust-inbound] policy 1
[USG9500-policy-interzone-local-trust-inbound-1] policy source 192.168.0.2 0
[USG9500-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.1 0
[USG9500-policy-interzone-local-trust-inbound-1] action permit
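The interzone policy configured in both the Telnet and SSH login setups above admits exactly one management client (192.168.0.2) to the MPU address (192.168.0.1); everything else from the Trust zone toward Local is left to the default behaviour. The following Python model is an added illustration, not Huawei code: it evaluates such a first-match policy list with Huawei-style wildcard masks (where the trailing 0 in `policy source 192.168.0.2 0` means "match this one host", and 0.0.0.255 would mean the whole /24), so an operator can check which client addresses a policy admits before committing it. The names Rule, evaluate and GUIDE_POLICY are hypothetical, and the implicit deny for traffic that matches no rule is an assumption noted in the code.

```python
"""Model of the Local/Trust interzone policy from the guide (added illustration,
not Huawei code).  Assumption: traffic matching no rule falls through to an
implicit deny.  Rule, evaluate and GUIDE_POLICY are hypothetical names."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: str          # address in 'policy source <addr> <wildcard>'
    source_wc: str       # wildcard; the guide's bare '0' means 0.0.0.0 (exact host)
    destination: str
    destination_wc: str
    action: str          # 'permit' or 'deny'


def _wildcard(text: str) -> str:
    """Expand the CLI shorthand '0' to a dotted wildcard."""
    return "0.0.0.0" if text == "0" else text


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is a don't-care (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


def evaluate(rules, src: str, dst: str):
    """First matching rule wins; returns (action, rule_id).
    No match -> ('deny', None), the assumed implicit deny."""
    for rule in rules:
        if wildcard_match(src, rule.source, _wildcard(rule.source_wc)) and \
           wildcard_match(dst, rule.destination, _wildcard(rule.destination_wc)):
            return rule.action, rule.rule_id
    return "deny", None


# The guide's 'policy 1' under 'policy interzone local trust inbound'.
GUIDE_POLICY = [Rule(1, "192.168.0.2", "0", "192.168.0.1", "0", "permit")]

# Constructed variant showing the generalisation: a /24 of clients instead of one host.
SUBNET_POLICY = [Rule(1, "192.168.0.0", "0.0.0.255", "192.168.0.1", "0", "permit")]


def management_client_allowed(client_ip: str, rules=GUIDE_POLICY, mpu_ip="192.168.0.1") -> bool:
    """True when the client may reach the MPU management address under `rules`."""
    return evaluate(rules, client_ip, mpu_ip)[0] == "permit"


if __name__ == "__main__":
    for client in ("192.168.0.2", "192.168.0.3"):
        print(f"{client} -> 192.168.0.1: {evaluate(GUIDE_POLICY, client, '192.168.0.1')}")
```

Running the block shows that only 192.168.0.2 is permitted under the guide's policy and that 192.168.0.3 falls through to deny, which is the point of scoping the source to a host wildcard of 0 rather than a broader range.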

----End

2.5 Appendix: Uploading and Downloading Files

About This Chapter

2.5.1 Device Serving as the FTP Client to Upload or Download Files Through FTP

Context

As shown in Figure 1, PC2 serves as the FTP server. Log in to the FTP server from the USG9500 and upload or download files through FTP. This method requires the third-party FTP server software to be installed on the PC2.


NOTE

You can also use a PC as both the Telnet/SSH client and the FTP server. The following example uses the two-PC deployment.

Figure 2-19 Schematic diagram of uploading/downloading files through FTP and with the device serving as the FTP client

Procedure

Step 1 Configure the FTP server.
Install the FTP server program on PC2 and configure the FTP server using the document available with the program. Suppose that you obtain the FTP server program in a legitimate way; description of the program is beyond the coverage of this document. Assume that an FTP user already exists with the user name 123 and password 123, and that the root directory of the user is set to the storage path of files to be uploaded/downloaded.

Step 2 Log in to the USG9500 from PC1 through Telnet/SSH.

Step 3 Log in to the FTP server on the USG9500.
Run the ftp ip-address command in the user view to establish an FTP connection to the PC and enter the FTP client view. The following operation assumes that the IP address of the FTP server is 192.168.0.2.
<USG9500> ftp 192.168.0.2
Trying 192.168.0.2 ...
Press CTRL+K to abort
Connected to 192.168.0.2.
220 ready for new user
User(192.168.0.2:(none)):123
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]

Step 4 Upload files in storage media of the USG9500 to the FTP server.
Run the put local-filename [ remote-filename ] command in the FTP client view to upload files to the FTP server.
[ftp] binary    //Run the binary command to specify file transmission in binary mode.
[ftp] put test.cc

After the uploading is complete, check whether the sizes of files on the FTP server are the same as those in the CF card. If not, re-upload the files to ensure that they are completely uploaded to the FTP server.

Step 5 Download files from the FTP server to storage media of the USG9500.
Run the get remote-filename [ local-filename ] command in the FTP client view to download files from the FTP server.

[ftp] binary    //Run the binary command to specify file transmission in binary mode.
[ftp] get temp.cc

After the downloading is complete, check whether the sizes of files in the CF card are the same as those on the FTP server. If not, re-download the files to ensure that they are completely downloaded to the CF card.

----End

2.5.2 Device Serving as the TFTP Client to Upload or Download Files Through TFTP

Context

As shown in Figure 1, PC2 serves as the TFTP server. Log in to the TFTP server from the USG9500 and upload or download files through TFTP. This method requires the third-party TFTP server software to be installed on the PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the TFTP server. The following example uses the two-PC deployment.

Figure 2-20 Schematic diagram of uploading/downloading files through TFTP and with the USG9500 serving as the TFTP client

Procedure

Step 1 Configure the TFTP server.
Install the TFTP server program on PC2 and configure the TFTP server using the document available with the program. Suppose that you obtain the TFTP server program in a legitimate way; description of the program is beyond the coverage of this document. The following operation assumes that the root directory of the TFTP server is set to the storage path of files to be uploaded/downloaded.

Step 2 Log in to the USG9500 from PC1 through Telnet/SSH.

Step 3 Upload files in storage media of the USG9500 to the TFTP server.
Run the tftp ip-address put source-filename [ destination-filename ] command in the user view to upload files to the TFTP server. The following operation assumes that the IP address of the TFTP server is 192.168.0.2.
<USG9500> tftp 192.168.0.2 put test.cc

After the uploading is complete, check whether the sizes of files on the TFTP server are the same as those in the CF card. If not, re-upload the files to ensure that they are completely uploaded to the TFTP server.

Step 4 Download files from the TFTP server to CF card of the USG9500.
Run the tftp ip-address get source-filename [ destination-filename ] command in the user view to download files from the TFTP server.
<USG9500> tftp 192.168.0.2 get temp.cc

After the downloading is complete, check whether the sizes of files in the CF card are the same as those on the TFTP server. If not, re-download the files to ensure that they are completely downloaded to the CF card.

----End

2.5.3 Device Serving as the SFTP Server to Upload or Download Files Through SFTP

Context

As shown in Figure 1, the USG9500 serves as the SFTP server. Log in to the SFTP server from the PC2 and upload/download files through SFTP. This method requires the third-party SFTP client program (such as WinSCP) to be installed on the PC2.

NOTE

You can also use a PC as both the Telnet/SSH client and the SFTP client. The following example uses the two-PC deployment.

Figure 2-21 Schematic diagram of uploading/downloading files through SFTP and with the USG9500 serving as the SFTP server

Procedure

Step 1 Configure the SFTP client.
Install the SFTP client program on PC2 and configure the SFTP client using the document available with the program. Suppose that you obtain the SFTP client program in a legitimate way; description of the program is beyond the coverage of this document.

Step 2 Log in to the USG9500 from PC1 through Telnet/SSH.

Step 3 On the USG9500, create an SFTP user with user name user1 and password Admin@123 and enable the SFTP server service.
<USG9500> system-view
[USG9500] rsa local-key-pair create
[USG9500] user-interface vty 0 4
[USG9500-ui-vty0-4] authentication-mode aaa
[USG9500-ui-vty0-4] protocol inbound ssh
[USG9500-ui-vty0-4] quit
[USG9500] aaa
[USG9500-aaa] local-user user1 password
Please cofigure the login password(8-16)
Enter Password:
Confirm Password:
Submit password successfully.
[USG9500-aaa] local-user user1 service-type ssh
[USG9500-aaa] local-user user1 level 3
[USG9500-aaa] quit
[USG9500] ssh user user1
[USG9500] ssh user user1 authentication-type password
[USG9500] ssh user user1 service-type sftp
[USG9500] ssh user user1 sftp-directory cfcard:
[USG9500] sftp server enable

Step 4 Download files from CF card of the USG9500 to the SFTP client.
After the downloading is complete, check whether the sizes of files on the SFTP client are consistent with those in the CF card. If not, re-download the files to ensure that they are completely downloaded to the SFTP client.

Step 5 Upload files from the SFTP client to CF card of the USG9500.
After the uploading is complete, check whether the sizes of files in the CF card are consistent with those on the SFTP client. If not, re-upload the files to ensure that they are completely uploaded to the CF card.
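Each of the three transfer procedures in 2.5.1 to 2.5.3 ends with the same check: compare the file sizes on the device and on the server, and transfer again if they differ. The following Python block is an added illustration, not Huawei code or tooling, that performs that size check from the PC side and extends it with a SHA-256 comparison against a hash obtained out of band (for instance the hash published beside the software download; the guide itself does not mention one, so that source is an assumption). It also wraps an ftplib upload that reads the stored size back from the server, the ftplib equivalent of the guide's `binary` followed by `put`. The function names, the sample bytes and the sample hash are constructed for the example.

```python
"""Transfer integrity check for files moved with the FTP/TFTP/SFTP procedures
(added illustration, not Huawei code).  Function names are hypothetical;
the published-hash source is an assumption."""
import ftplib
import hashlib
import os
import tempfile

# Constructed sample content and its SHA-256, used only by self_check().
SAMPLE_BYTES = b"hello"
SAMPLE_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def fingerprint(path, chunk_size=1 << 20):
    """Return (size_in_bytes, sha256_hex) of a local file, streamed in chunks
    so that a multi-hundred-megabyte image is not read into memory at once."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def matches_published_hash(path, expected_sha256_hex):
    """Compare the local file with a hash obtained out of band (assumed to be
    the vendor's published value).  Case-insensitive: published hashes are
    often printed in upper case."""
    return fingerprint(path)[1] == expected_sha256_hex.strip().lower()


def transfer_is_complete(local_size, remote_size):
    """The guide's size check: equal sizes mean the transfer completed;
    an unknown remote size (None) is treated as a failed check."""
    return remote_size is not None and local_size == remote_size


def ftp_put_and_verify(host, user, password, local_path, remote_name):
    """ftplib equivalent of '[ftp] binary' then '[ftp] put': upload in binary
    mode and ask the server (SIZE) how many bytes it stored.  Returns True when
    the sizes agree.  Like the CLI procedure, FTP carries credentials and data
    unencrypted; this only confirms the file arrived whole."""
    local_size = os.path.getsize(local_path)
    with ftplib.FTP(host) as ftp:
        ftp.login(user, password)
        with open(local_path, "rb") as fh:
            ftp.storbinary(f"STOR {remote_name}", fh)   # sets TYPE I (binary)
        try:
            remote_size = ftp.size(remote_name)         # SIZE needs binary mode
        except ftplib.error_perm:
            remote_size = None                          # server does not support SIZE
    return transfer_is_complete(local_size, remote_size)


def self_check():
    """Write the constructed sample to a temporary file and run the local
    checks on it; returns (fingerprint, hash_matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.cc")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return fingerprint(path), matches_published_hash(path, SAMPLE_SHA256.upper())


if __name__ == "__main__":
    print(self_check())
    print(transfer_is_complete(5, 5), transfer_is_complete(5, 4))
```

For the TFTP and SFTP procedures the same fingerprint() and transfer_is_complete() apply; only the transfer call differs, since neither protocol is covered by ftplib. A size match confirms the copy completed, while the hash comparison additionally confirms that what was uploaded is the file that was downloaded from the vendor in the first place.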

----End

2.6 Appendix: Activating the ESN

Context

As the ESNs of certain MPUs manufactured earlier are not activated, you cannot view the ESNs by running the display license command.

<USG9500> display license
Device ESN is: (null)
License file is not activated, please use default configuration!

In this case, you need to run the active mpu-esn command in the diagnose view to activate the ESNs manually. Then you can view the ESNs of the device.

Procedure

Step 1 In the user view, run the system-view command to access the system view.
<USG9500> system-view
[USG9500]

Step 2 Run the diagnose command, and access the diagnose view.
[USG9500] diagnose
[USG9500-diagnose]

Step 3 Run the active mpu-esn command to activate the ESN of the master MPU.
[USG9500-diagnose] active mpu-esn

If both MPUs can be detected on the device, run the following command to activate the ESN of the standby MPU.

[USG9500-diagnose] active mpu-esn slave-board

If the current device does not support the active mpu-esn slave-board command, you need to run the active mpu-esn command on both MPUs respectively. That is, insert MPU A first. After MPU A is successfully registered, run the active mpu-esn command. Then pull out MPU A, and insert MPU B. After MPU B is successfully registered, run the active mpu-esn command. After the previous operations are complete, ensure that both MPUs are in position at the same time, and then perform subsequent operations.

----End

2.7 Appendix: Applying for a License

Context

The license file to be loaded on the device is a .dat file. This file is not delivered with the device and is independently generated by the license center of Huawei.

Procedure

Step 1 The license on each device is unique. For the license center to generate the license for your device, you need to collect the following information:

- Contract No.
  It is available in the license certificate that is delivered with the device.

- Equipment serial number (ESN)
  It is displayed after you run the display license command in any view of the CLI.

NOTE

- The ESN identifies a device from all other devices. It is recorded in the electrical label of the MPU. If the device has two MPUs, record the ESNs of both the active and standby MPUs.

- The ESN is case-sensitive. Note the case when you record the ESN.

Step 2 Provide the previous information to the local technical support personnel of Huawei. The application will be handled as soon as possible.

Step 3 You need to obtain a new license if you want to enlarge the license capacity or use new services that are subject to license control. In this case, the previous procedure is still applicable. The license center automatically combines the licenses for new features with the existing license, and generates a new license.

----End

2.8 Appendix: Upgrade Record Table

Office name:                              Upgrade time:

Current version:                          Target version:

Upgrade engineer                          Customer:               Huawei:

Upgrade successful or not:

Check Item                     Result          Anomaly Handling
Check before the upgrade
Check of upgrade operations
Check after the upgrade

2.9 Appendix F: Abbreviations

Table 2-3 Abbreviations

AAA      Authentication, Authorization and Accounting
ACL      Access Control List
AUX      Auxiliary port
CF       Compact Flash
DNS      Domain Name System
ESN      Equipment Serial Number
FTP      File Transfer Protocol
GRE      Generic Routing Encapsulation
GTP      GPRS Tunneling Protocol
HTTPS    Secure HTTP
ICMP     Internet Control Message Protocol
IP       Internet Protocol
IPS      Intrusion Prevention System
IPSec    IP Security
MPU      Main Processing Unit
RADIUS   Remote Authentication Dial In User Service
SPUA     Service Processing Unit A
SSH      Secure Shell
TCP      Transmission Control Protocol
TFTP     Trivial File Transfer Protocol
UDP      User Datagram Protocol
VTY      Virtual Type Terminal
