mle2802
Staff
October 16, 2024

Technical Tip: Finding IPS signature when it is missing

Description: This article describes how to find missing IPS signatures from the database.
Scope: FortiGate.
Solution

When searching for an IPS signature under Security Profiles -> IPS Signature, the signature cannot be found. This example uses the signature 'HTTP2.RST_STREAM.Rapid.Reset.CVE-2023-44487.DoS':

However, the FortiGuard website entry for this signature (link: IPS Signature) states that the signature has been added to both the regular and extended databases.

This can happen when no IPS profile is referenced under any firewall policy and the IPS database has not been updated. To verify the current IPS database version on the FortiGate, go to System -> FortiGuard -> License Information -> Intrusion Prevention.

The following CLI command also shows the current database versions, including IPS:

diagnose autoupdate versions

The latest IPS database version can be verified from the FortiGuard website: Intrusion Prevention Service.

If the IPS database is showing an older version, enable the IPS Profile under one of the firewall policies and run the command below to update the database:

execute update-now

Once the IPS database reflects the latest database version, the missing IPS signature should be available.
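
To run the same version check on saved output of 'diagnose autoupdate versions' (for example, collected from several devices), the following added Python example parses the output and reports IPS databases older than the version listed on FortiGuard. It is not part of the original article or of Fortinet's tooling; the section names, the text layout and every version number in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: section names that hold the IPS databases in the command output.
IPS_SECTIONS = ("Attack Definitions", "Attack Extended Definitions")

# Constructed sample (not real device output); layout and versions are assumed.
SAMPLE = """\
AV Engine
---------
Version: 7.00021
Result: Updates Installed

Attack Definitions
---------
Version: 6.00741
Result: No Updates

Attack Extended Definitions
---------
Version: 0.00000
Result: No Updates
"""

def parse_versions(text):
    """Map each section name to the version string listed under it."""
    versions, prev, section = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"-{3,}", line):
            section = prev  # the line above a dashed rule names the section
        elif section and (m := re.match(r"Version:\s*(\d+\.\d+)$", line)):
            versions.setdefault(section, m.group(1))
        if line:
            prev = line
    return versions

def version_key(version):
    """'6.00741' -> (6, 741) so versions compare numerically."""
    major, minor = version.split(".")
    return int(major), int(minor)

def stale_ips_databases(text, latest, sections=IPS_SECTIONS):
    """Return {section: installed version or None} for databases older than latest."""
    found = parse_versions(text)
    return {name: found.get(name) for name in sections
            if found.get(name) is None
            or version_key(found[name]) < version_key(latest)}

if __name__ == "__main__":
    print(stale_ips_databases(SAMPLE, "29.00885"))  # "latest" value is constructed
```

A section that is absent from the output is reported with a value of None, so a device that lists no extended database is flagged rather than silently skipped.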

If the IPS database is still not updated, investigate further with the steps outlined in Troubleshooting Tip: Failure on update or contact FortiGuard.

It may be necessary to manually update the IPS database. For more information, see Technical Tip: How to manually update the IPS Database or change to extended IPS Database.

Related article:

Technical Tip: How to update IPS signatures at FortiGate when there are less signatures