Technical Tip: How to manually update the IPS signatures definitions

Description

This article describes how to manually upgrade the IPS signatures definitions on a FortiGate.

Scope

FortiGate.

Solution

Log in to the Support Portal (Support), then navigate to Support -> Download -> Service Updates.
Select FortiGate under Product and choose the current firmware version under OS Version. Make sure to select the code version that matches the current FortiOS version running on the firewall. Download the Attack Definition (.pkg) file.

 

In FortiOS versions 7.2.x and 7.4.x :

• Log in to the GUI and navigate to: System -> FortiGuard -> Intrusion Prevention -> Actions
• Select 'Upgrade Database', browse the new IPS definitions package, and select 'Apply'.
  
  

 

In FortiOS v7.6.2 and above:

• Log in to the GUI and navigate to: System -> FortiGuard -> FortiGuard Security Services.
• Select the Upload icon and upload the package.

 

 

 

After upgrading the IPS definitions, restart it by using the following CLI command:

 

diagnose test application ipsmonitor 99

 

Upgrading the IPS signatures will terminate all active TCP sessions. The IPS Engine version can be verified before and after the upgrade from both the GUI and CLI.

 

In the CLI:

 

diagnose autoupdate versions | grep "IPS Attack" -A 6

 

If no Intrusion Prevention license information (such as the IPS Engine version or IPS license status) appears on the FortiGuard page, enable Intrusion Prevention under System -> Feature Visibility -> Intrusion Prevention.

 

After enabling it, return to the FortiGuard page and confirm that the IPS-related information is displayed.

Related articles:

• Technical Tip: How to manually upgrade the IPS Engine
• Technical Tip: How to downgrade or rollback IPS engine or FMWP Database 
  
• Technical Tip: Cannot upload the IPS database manually from the GUI without internet connection to FortiGate