Technical Tip: Resolving IPS definition version mismatch on FortiGate

When a new IPS engine is  downloaded via FortiGuard, the major IPS definition version increases:

• Devices with the new IPS engine display IPS definitions as 36.xxx.
• Devices with the previous IPS engine display IPS definitions as 35.xxx.

For the same minor version :

• 35.172 and 36.172 refer to the same IPS signature package.
• Signature contents are identical.

This behavior is expected and is not a FortiOS bug.

The change from 35.x to 36.x is a label change tied to the IPS engine generation.

For the same minor version, detection coverage and update history are identical between 35.x and 36.x.

This is normal behavior with automatic IPS updates and does not require any manual changes to the IPS package.

If a device is to be displayed with the same IPS definition version as the FortiGuard IPS page (e.g., for operational or compliance reasons), it must be adjusted manually using the IPS package.

Example procedure (package file versions are examples):

1. Allow IPS signature downgrade:

diagnose autoupdate downgrade enable

2. Upload and apply the previous IPS signature package (for example, 35.00169).
3. Upload and apply the latest IPS signature package shown on FortiGuard.
4. Verify the IPS definition version(GUI/CLI):

GUI: System -> FortiGuard -> License Information.

CLI:

diagnose autoupdate versions | grep -A 4 "Attack Extended Definitions"