Description
This article describes how to manually upgrade the IPS Engine on a FortiGate.
Scope
FortiGate.
Solution
For each FortiOS release, an IPS engine is built into the firmware; the bundled engine version is listed in the corresponding Release Notes. FortiGuard releases IPS signature updates frequently, and these are applied to the FortiGate through scheduled updates. The IPS engine loads these signatures for use.
The FortiGate supports manual upgrade/downgrade of the IPS engine in special cases, such as troubleshooting or working around a temporary issue, where Technical Support deems it necessary and provides the IPS engine package file. To upgrade the IPS engine, follow the steps below.
- Collect the IPS engine process ID and uptime values with the following CLI command:
diagnose test application ipsmonitor 1
- Log in to the FortiGate GUI and go to System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload.
For v7.0, v7.2, v7.4 and v7.6: System -> FortiGuard -> Intrusion Prevention -> Actions -> Upgrade Database -> Upload.
Note:
The current IPS engine version is shown in the GUI; v4.00035 is the version in the example above.
In the CLI:
FGT800D-1 # diagnose autoupdate versions | grep "IPS Attack" -A 6
IPS Attack Engine
---------
Version: 4.00035
Contract Expiry Date: Fri Jan 10 2020
Last Updated using manual update on Wed Aug 28 13:07:23 2019
Last Update Attempt: Wed Aug 28 10:34:13 2019
Result: No Updates
Example output from a later engine version:
diag autoupdate versions | grep "IPS Attack" -A 6
IPS Attack Engine
---------
Version: 6.00036
Contract Expiry Date: Sat Jan 16 2021
Last Updated using manual update on Mon Aug 31 14:17:05 2020
Last Update Attempt: Mon Oct 5 22:49:27 2020
Result: No Update
- Browse to the .pkg file provided by Technical Support and select 'OK'. The upload takes at most 1 to 2 minutes.
- After upgrading the IPS engine, verify that the engines have restarted with the following CLI command:
diagnose test application ipsmonitor 1
Check that the engine uptime has reset and that the process IDs have changed.
In this example, the IPS engine was upgraded to 4.00203. The new version can now be verified in the GUI.
Manually restart the IPS engines with the following command if necessary:
diag test app ipsmonitor 99
Note:
Upgrading the IPS engine terminates all TCP sessions.
If an IPS engine is loaded on a FortiGate HA cluster, the HA primary unit pushes the IPS engine to the HA secondary unit.
All FortiOS images come with a built-in IPS engine. If the FortiOS firmware is upgraded and the target build ships the same IPS engine version as the current build, it is necessary to reload the IPS engine after the firmware upgrade.
Note: FIPS-CC-certified firmware uses a different set of version numbers for the IPS engine. For example, the output below is from FortiOS 7.0.12 FIPS-CC build 9223:
FW#diag autoupdate versions | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 7.00800 signed
Contract Expiry Date: Sun Jul 6 2025
Last Updated using scheduled update on Wed May 10 16:08:37 2023
Last Update Attempt: Thu Nov 21 08:39:37 2024
Result: No Updates
If the IPS engine version currently running on FIPS-CC-certified firmware is numerically higher than the latest IPS engine version, loading the latest engine is technically a downgrade because it carries a lower version number. For example, to upgrade the IPS engine to version 7.00189 (latest) on FIPS-CC-certified firmware with FortiOS 7.0.12, run 'diagnose autoupdate downgrade enable' before uploading the package.
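The following added example (not part of this article or of FortiOS) parses the 'IPS Attack Engine' section of 'diagnose autoupdate versions' output as shown above, separates the FIPS-CC 'signed' marker from the version number, and tells the operator whether a package version would be treated as a downgrade and therefore require 'diagnose autoupdate downgrade enable' first. The sample output is constructed from the FIPS-CC example in this article; function names are the author's own.

```python
import re
from typing import Dict, Tuple

# Constructed sample, modelled on the `diagnose autoupdate versions` output in the
# article (FIPS-CC build, hence the "signed" marker after the version number).
SAMPLE_OUTPUT = """\
IPS Attack Engine
---------
Version: 7.00800 signed
Contract Expiry Date: Sun Jul 6 2025
Last Updated using scheduled update on Wed May 10 16:08:37 2023
Last Update Attempt: Thu Nov 21 08:39:37 2024
Result: No Updates
"""

def parse_section(text: str, name: str = "IPS Attack Engine") -> Dict[str, str]:
    """Return the fields of one section of `diagnose autoupdate versions` as a dict."""
    lines = text.splitlines()
    fields: Dict[str, str] = {}
    for line in lines[lines.index(name) + 1:]:    # ValueError if the section is absent
        if not line.strip():                      # blank line ends the section
            break
        if set(line.strip()) == {"-"}:            # dashed rule under the heading
            continue
        m = re.match(r"Last Updated using (\w+) update on (.+)$", line)
        if m:                                     # not "key: value" form, and the
            fields["Update Method"] = m.group(1)  # timestamp itself contains colons
            fields["Last Updated"] = m.group(2)
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def engine_version(fields: Dict[str, str]) -> Tuple[str, bool]:
    """'7.00800 signed' -> ('7.00800', True); non-FIPS builds carry no marker."""
    m = re.fullmatch(r"(\d+\.\d+)(?:\s+(signed))?", fields["Version"].strip())
    if not m:
        raise ValueError(f"unexpected version string: {fields['Version']!r}")
    return m.group(1), m.group(2) is not None

def version_key(v: str) -> Tuple[int, int]:
    """'4.00035' -> (4, 35): major engine release, then build number."""
    major, build = v.split(".")
    return int(major), int(build)

def needs_downgrade_enable(current: str, target: str) -> bool:
    """True when `target` is numerically lower than `current`, i.e. the FortiGate will
    treat the load as a downgrade and `diagnose autoupdate downgrade enable` is needed."""
    return version_key(target) < version_key(current)
```

Run the same check on the pre-upgrade output from the unit being upgraded before uploading the package; a True result means the downgrade flag must be enabled first.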
Note:
The IPS engine package is only available from a TAC Support Engineer. If the device has an evaluation license or no valid license, updating the database is not allowed.
Important note:
Starting from v7.2.0, AV and IPS packages are digitally signed by Fortinet's CA to ensure authenticity and integrity. Before proceeding with the upgrade, confirm with the TAC engineer whether the provided IPS engine image is dual-signed. If the provided image is not signed and the BIOS security level is set to 2, it will be necessary to change the BIOS security level to 1 or 0 to successfully perform the upgrade. More details are available in the article below: BIOS-level signature and file integrity checking.