FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jangelis
Staff
Staff
Article Id 196846

Description


This article describes how to manually downgrade the IPS Engine or FMWP db on a FortiGate or FortiProxy unit. FortiOS will not accept the upload to a FortiGate unit of an IPS definition/engine that is older than the one currently installed on the unit. The error message 'Failed to upgrade database' will be reported.

Solution


The procedure to downgrade is as follows:

 

  1. From the FortiGate CLI, launch the command:

 

diagnose autoupdate downgrade enable

  1. From the FortiGate GUI, go to under System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload.
 
 
After the downgrade is complete a message 'Successfully upgraded database' is presented.

The procedure can be done in CLI as well using TFTP or FTP server:
 
execute restore ips tftp FortiGate/IPSEngine/flen-fos6.2-4.218.pkg 10.0.0.
 
FTP:
 
exec restore ips ftp <fmwp_file> <FTP_SERVER_IP@> <username> <password>
Example: # exec restore ips ftp fmwp-720-24.071.pkg 10.100.1.61 admin111 admin111

This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to ftp server 10.100.1.61 ...
Get IPS database from ftp server OK.

 

  1. Verify if the downgrade process is fine from CLI:

diagnose autoupdate versions | grep "IPS Attack" -A 6

IPS Attack Engine
---------
Version: 4.00218
Contract Expiry Date: Sat Jun 27 2020
Last Updated using manual update on Wed Sep 25 09:41:53 2019
Last Update Attempt: Tue Sep 24 14:34:26 2019
Result: No Updates
 
After downgrading the IPS Engine, restart it by using the CLI command:
 
diagnose test application ipsmonitor 99
 
Note: Executing the above command will terminate all TCP sessions. 

Procedure for downgrade on HA cluster.
The procedure to downgrade is as follows:
 
  1. From the CLI, launch the command on all cluster members:

    Master # execute ha manage 0 admin
    Slave # diagnose autoupdate downgrade enable

    Update downgrade enabled

    Slave # exit
    Connection to 169.254.0.1 closed.

    Master # diagnose autoupdate downgrade enable
    Update downgrade enabled

  2. From the GUI, on Master go to (FortiOS 6.2.x and 6.4.x):
System -> FortiGuard -> Intrusion Prevention -> Upgrade Database -> Upload.

Note: In FortiOS 6.0.x the correct path is:
System -> FortiGuard -> Firmware & General Updates -> Upgrade Database -> Upload.
 
 
The IPS Engine will be automatically downgraded on all cluster members.
After the downgrade is complete a message 'Successfully upgraded database' is presented.

After downgrading the IPS Engine, restart it by using the CLI command:
 
diagnose test application ipsmonitor 99
 
Note: Executing the above command will terminate all TCP sessions. 
 
Important: In case the downgrade is enabled only on the Master unit, no warning message is presented, only the message 'Successfully upgraded database', however, the IPS engine is not downgraded on the Slave unit.

  1. Verify if the downgrade process is fine from CLI:

Master # diagnose autoupdate version | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb  7 2022
Last Updated using manual update on Sat Feb 13 22:11:44 2021
Last Update Attempt: Sat Feb 13 21:15:06 2021
Result: Updates Installed

Master # execute ha manage 0 admin
Slave # diagnose autoupdate version | grep -A 6 "IPS Attack"

IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb  7 2022
Last Updated using manual update on Sat Feb 13 22:12:09 2021
Last Update Attempt: n/a
Result: Updates Installed