Description
This article describes how to manually downgrade the IPS engine or the FMWP database on a FortiGate or FortiProxy unit. FortiOS will not accept the upload of an IPS definition or engine package that is older than the one currently installed on the unit; the upload fails with the error message 'Failed to upgrade database'.
Solution
The procedure to downgrade is as follows:
- From the FortiGate CLI, launch the command:
diagnose autoupdate downgrade enable
- From the FortiGate GUI, go to System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload.
After the downgrade is complete a message 'Successfully upgraded database' is presented.
The procedure can also be done from the CLI using a TFTP or FTP server:
TFTP:
execute restore ips tftp FortiGate/IPSEngine/flen-fos6.2-4.218.pkg 10.0.0.
FTP:
exec restore ips ftp <fmwp_file> <FTP_SERVER_IP> <username> <password>
Example: # exec restore ips ftp fmwp-720-24.071.pkg 10.100.1.61 admin111 admin111
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y
Please wait...
Connect to ftp server 10.100.1.61 ...
Get IPS database from ftp server OK.
Verify from the CLI that the downgrade succeeded:
diagnose autoupdate versions | grep "IPS Attack" -A 6
IPS Attack Engine
---------
Version: 4.00218
Contract Expiry Date: Sat Jun 27 2020
Last Updated using manual update on Wed Sep 25 09:41:53 2019
Last Update Attempt: Tue Sep 24 14:34:26 2019
Result: No Updates
After downgrading the IPS Engine, restart it with the CLI command:
diagnose test application ipsmonitor 99
Note: Executing the above command will terminate all TCP sessions.
Procedure for downgrade on an HA cluster
The procedure to downgrade is as follows:
- From the CLI, launch the command on all cluster members:
Master # execute ha manage 0 admin
Slave # diagnose autoupdate downgrade enable
Update downgrade enabled
Slave # exit
Connection to 169.254.0.1 closed.
Master # diagnose autoupdate downgrade enable
Update downgrade enabled
- From the GUI, on Master go to (FortiOS 6.2.x and 6.4.x):
System -> FortiGuard -> Intrusion Prevention -> Upgrade Database -> Upload.
Note: In FortiOS 6.0.x the correct path is:
System -> FortiGuard -> Firmware & General Updates -> Upgrade Database -> Upload.
The IPS Engine will be automatically downgraded on all cluster members.
After the downgrade is complete a message 'Successfully upgraded database' is presented.
After downgrading the IPS Engine, restart it with the CLI command:
diagnose test application ipsmonitor 99
Note: Executing the above command will terminate all TCP sessions.
Important: If the downgrade is enabled only on the Master unit, no warning is presented and the message 'Successfully upgraded database' still appears, but the IPS engine is not downgraded on the Slave unit.
- Verify from the CLI that the downgrade succeeded on every member:
Master # diagnose autoupdate version | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb 7 2022
Last Updated using manual update on Sat Feb 13 22:11:44 2021
Last Update Attempt: Sat Feb 13 21:15:06 2021
Result: Updates Installed
Master # execute ha manage 0 admin
Slave # diagnose autoupdate version | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb 7 2022
Last Updated using manual update on Sat Feb 13 22:12:09 2021
Last Update Attempt: n/a
Result: Updates Installed
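As an added example (not part of the original article and not a Fortinet tool), the following Python script parses the 'IPS Attack Engine' section of 'diagnose autoupdate versions' output and checks it against the engine version you expect after the downgrade. It serves both verification steps above: the single-unit check and the HA check, where the same comparison is run on the output captured from each cluster member so that the silent case (downgrade enabled only on the Master, Slave left on the newer engine) is caught. The master and slave outputs from the article's HA transcript are embedded as sample input; the third sample, for a member on which the downgrade was never enabled, is constructed and its version number and dates are made up. The function names are the example's own.

```python
# Sample output of 'diagnose autoupdate versions | grep -A 6 "IPS Attack"',
# copied from the article's HA transcript (master and slave after the downgrade).
MASTER_OUTPUT = """\
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb 7 2022
Last Updated using manual update on Sat Feb 13 22:11:44 2021
Last Update Attempt: Sat Feb 13 21:15:06 2021
Result: Updates Installed
"""

SLAVE_OUTPUT = """\
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb 7 2022
Last Updated using manual update on Sat Feb 13 22:12:09 2021
Last Update Attempt: n/a
Result: Updates Installed
"""

# Constructed sample (not from the article): a member on which
# 'diagnose autoupdate downgrade enable' was never run, so it silently kept
# the newer engine it received from FortiGuard. Version and dates are made up.
STALE_OUTPUT = """\
IPS Attack Engine
---------
Version: 5.00245
Contract Expiry Date: Mon Feb 7 2022
Last Updated using scheduled update on Fri Feb 12 03:10:02 2021
Last Update Attempt: Fri Feb 12 03:10:02 2021
Result: Updates Installed
"""


def ips_engine_fields(output):
    """Return the IPS Attack Engine section as a dict of field -> value.

    Works on the grep'd excerpt shown in the article and on the full
    'diagnose autoupdate versions' output (the section ends at a blank line
    or at the next header line, which has no 'key: value' form).
    Returns None when the section is absent.
    """
    lines = output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "IPS Attack Engine")
    except StopIteration:
        return None
    fields = {}
    for line in lines[start + 1:]:
        s = line.strip()
        if not s:
            break                       # blank line: end of section
        if s.startswith("---"):
            continue                    # dashed underline below the header
        if s.startswith("Last Updated using "):
            # 'Last Updated using manual update on Sat Feb 13 22:11:44 2021'
            method, _, when = s[len("Last Updated using "):].partition(" update on ")
            fields["Update Method"] = method
            fields["Last Updated"] = when
            continue
        key, sep, value = s.partition(":")
        if not sep:
            break                       # next section header
        fields[key.strip()] = value.strip()
    return fields


def ips_engine_version(output):
    """Return the engine version string (e.g. '5.00229'), or None if missing."""
    fields = ips_engine_fields(output)
    return fields.get("Version") if fields else None


def verify_downgrade(expected_version, outputs):
    """Check each member's captured output against the expected engine version.

    outputs maps a member name to its CLI output. Returns a list of problem
    descriptions; an empty list means every member runs the expected version
    and reports that it was installed by a manual update.
    """
    problems = []
    for member, output in outputs.items():
        fields = ips_engine_fields(output)
        if not fields:
            problems.append(f"{member}: IPS Attack Engine section not found")
            continue
        version = fields.get("Version")
        if version != expected_version:
            problems.append(f"{member}: version {version}, expected {expected_version}")
        method = fields.get("Update Method")
        if method != "manual":
            problems.append(f"{member}: last install was a {method} update, not a manual one")
    return problems


if __name__ == "__main__":
    ok_cluster = {"master": MASTER_OUTPUT, "slave": SLAVE_OUTPUT}
    half_done = {"master": MASTER_OUTPUT, "slave": STALE_OUTPUT}
    print("consistent cluster:", verify_downgrade("5.00229", ok_cluster) or "OK")
    print("half-downgraded cluster:", verify_downgrade("5.00229", half_done))
```

The expected version is the string FortiOS displays, which pads the package's minor number, as the article's own transcripts show: package flen-fos6.2-4.218.pkg is reported as Version 4.00218. Capture the output of each member (via 'execute ha manage' for the Slave, as in the transcript) and pass all of them in one call; a mismatch or a non-manual 'Last Updated' line on any member means the downgrade did not take effect there.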