FortiGate
shahv
Staff
Article Id 194513

Description

This article describes how to manually upgrade the IPS Engine on a FortiGate.

 

Scope

FortiGate, IPS Engine, FortiProxy.


Solution

Each FortiOS release contains a version of the IPS Engine built into the firmware. The IPS Engine is the main software component that applies flow-based security inspection on the FortiGate, most notably the Intrusion Prevention (IPS) and Application Control signatures. IPS Engine updates are occasionally delivered through FortiGuard updates as well, alongside the regular updates of the IPS and Application Control signature databases. For more information on each IPS Engine version, refer to the IPS Engine Release Notes.

That said, the FortiGate does support manual upgrades and downgrades of the IPS Engine in certain scenarios (for example, when a known issue exists that can be solved with an interim IPS Engine build). In these scenarios, Technical Support can provide an IPS Engine package (.pkg) file that can be manually applied to the FortiGate.


Important Note 1:

If a FortiGate firmware upgrade is performed, the currently installed IPS Engine version will be overwritten with the version included in the new firmware. This is generally not an issue because a) different major versions use different versions of the IPS Engine (for example, FortiOS 7.2 and 7.4 use different sets of IPS Engines) and b) the IPS Engine contained in the firmware tends to be the latest available for that major branch.

However, there can be instances where the IPS Engine version manually installed on the FortiGate is ahead of the version included in the upgraded firmware. In those situations the recommendation is to perform the FortiOS firmware upgrade, check the IPS Engine version, and then, if necessary, perform another manual upgrade of the IPS Engine.


Important Note 2:

Starting from FortiOS 7.2.0, AV and IPS packages are digitally signed by Fortinet's Certificate Authority to ensure authenticity and integrity. Before proceeding with the upgrade, confirm with the TAC specialist whether the provided IPS Engine image is dual-signed. If the provided .pkg file is not cryptographically signed and the FortiGate's BIOS security level is set to 2, it will be necessary to change the BIOS security level to 1 or 0 to successfully perform the upgrade.

To change the BIOS security level, refer to the following article: Troubleshooting Tip: Downgrade of FortiOS fails due to BIOS check. Additional information can also be found in the following Administration Guide section: BIOS-level signature and file integrity checking.


With all that in mind, follow the instructions below to perform an upgrade of the IPS Engine:

  1. Collect the IPS Engine process ID and uptime values with the following CLI command:

diagnose test application ipsmonitor 1

  2. Log in to the FortiGate GUI and go to System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload.

Note:

The currently installed version is shown in the GUI (v4.00035 in this example).

For v7.0, v7.2, v7.4 and v7.6, go to System -> FortiGuard -> Intrusion Prevention -> Actions -> Upgrade Database -> Upload to perform the upgrade.

  3. Browse to the .pkg file and select 'OK'. The process will take 1 to 2 minutes at most.

  4. After upgrading the IPS Engine, verify that the engines have automatically restarted after the update with the following CLI command:

diagnose test application ipsmonitor 1

In particular, check that the engine uptime has reset and that the process IDs have changed. In this example, the IPS Engine was upgraded to 4.00203; the change can also be verified in the GUI.

  5. If necessary, the IPS Engines can all be gracefully restarted with the following CLI command:

diagnose test application ipsmonitor 99

  6. To validate the results of the upgrade, run the following command in the CLI:

diagnose autoupdate versions | grep "IPS Attack" -A 6

The following example is taken from a FortiGate-800D running FortiOS 6.0 (which uses IPS Engine version 4.x):

FGT800D-1 # diagnose autoupdate versions | grep "IPS Attack" -A 6
IPS Attack Engine
---------
Version: 4.00035
Contract Expiry Date: Fri Jan 10 2020
Last Updated using manual update on Wed Aug 28 13:07:23 2019
Last Update Attempt: Wed Aug 28 10:34:13 2019
Result: No Updates

After a successful IPS Engine upgrade, an entry with log ID 32217 is generated in the System Event logs; for example, such an entry appears after upgrading to IPS Engine 7.00559.

Additional Notes:
  • Performing an IPS Engine upgrade should generally be non-disruptive to existing sessions through the FortiGate. Existing traffic is exempted from further flow-based inspection while the upgrade is conducted, but sessions established after the upgrade undergo flow-based inspection as normal.
  • If an IPS Engine is loaded onto a FortiGate HA cluster, the HA primary unit pushes the IPS Engine to the HA secondary unit.
  • The FIPS-CC Certified and CVE-Patched firmware uses a different set of version numbers for the IPS Engine. The example below is sample output taken from a FortiGate running FortiOS FIPS-CC-70-16 build 9223:

FortiGate # diag autoupdate versions | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 7.00800 signed
Contract Expiry Date: Sun Jul 6 2025
Last Updated using scheduled update on Wed May 10 16:08:37 2023
Last Update Attempt: Thu Nov 21 08:39:37 2024
Result: No Updates

  • When upgrading the IPS Engine on FortiGates with FIPS-CC Certified/CVE-Patched firmware, the version number present on the FortiGate may be higher than the version number of the intended IPS Engine upgrade, so the operation is technically considered a downgrade. In that case it is necessary to run the following CLI command to allow the IPS Engine upgrade to complete (for example, when going from IPS Engine 7.00800 shown above to IPS Engine 7.00667, the latest version used for FortiOS 7.0.16 GA):

diagnose autoupdate downgrade enable

  • Note that it is only possible to receive an IPS Engine package from Fortinet Technical Support if the FortiGate has an active support contract. If the device has an evaluation license or no valid license, then updating the IPS Engine/database is not allowed.
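As an added example (not part of the original article and not a Fortinet tool), the following Python script parses the "IPS Attack Engine" block of the diagnose autoupdate versions output quoted above, extracts the engine version and the "signed" marker, and flags when the intended IPS Engine package would be a downgrade and therefore needs diagnose autoupdate downgrade enable first. The sample outputs are the two excerpts from this article embedded as constructed input; the field names and the numeric version comparison are this example's own assumptions.

```python
import re

# Constructed sample input: the two "diagnose autoupdate versions" excerpts quoted in this article.
GA_OUTPUT = """IPS Attack Engine
---------
Version: 4.00035
Contract Expiry Date: Fri Jan 10 2020
Last Updated using manual update on Wed Aug 28 13:07:23 2019
Last Update Attempt: Wed Aug 28 10:34:13 2019
Result: No Updates
"""

FIPS_OUTPUT = """IPS Attack Engine
---------
Version: 7.00800 signed
Contract Expiry Date: Sun Jul 6 2025
Last Updated using scheduled update on Wed May 10 16:08:37 2023
Last Update Attempt: Thu Nov 21 08:39:37 2024
Result: No Updates
"""

def parse_version(text):
    """'7.00800' -> (7, 800): compare engine versions numerically, not as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unexpected IPS Engine version format: %r" % text)
    return int(m.group(1)), int(m.group(2))

def parse_ips_engine(output):
    """Extract the fields of the 'IPS Attack Engine' block (layout assumed from the article)."""
    block = re.search(r"IPS Attack Engine\s*\n-+\n(.*?)(?:\n\s*\n|\Z)", output, re.S)
    if not block:
        raise ValueError("no 'IPS Attack Engine' block in output")
    info = {"signed": False}
    for line in block.group(1).splitlines():
        if line.startswith("Version:"):
            parts = line.split(":", 1)[1].split()
            info["version"] = parse_version(parts[0])
            info["signed"] = "signed" in parts[1:]   # marker seen on FIPS-CC/CVE-Patched builds
        elif line.startswith("Result:"):
            info["result"] = line.split(":", 1)[1].strip()
    return info

def plan_upgrade(output, target):
    """Report whether installing 'target' is a downgrade of the running engine (needs downgrade enable)."""
    info = parse_ips_engine(output)
    info["target"] = parse_version(target)
    info["is_downgrade"] = info["target"] < info["version"]
    return info
```

Feed it the real command output captured from the CLI; when is_downgrade is True, run diagnose autoupdate downgrade enable before uploading the package.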

 

Note:

FortiGate and FortiProxy use the same IPS engine database.