Description
This article describes how to manually upgrade the IPS Engine on a FortiGate.
Scope
FortiGate, IPS Engine, FortiProxy.
Solution
Each FortiOS release contains a version of the IPS Engine built into the firmware. The IPS Engine is the main software that applies flow-based security inspection on the FortiGate, which notably includes the application of Intrusion Prevention (IPS) and Application Control signatures. Occasionally, IPS Engine updates are also delivered through FortiGuard updates, as well as regular updates of the IPS and Application Control signature databases. For more information on each IPS Engine version, refer to the IPS Engine Release Notes.
With that being said, the FortiGate does support manual upgrades/downgrades of the IPS Engine in certain scenarios (such as when a known issue exists that can be solved with an interim IPS Engine build). In these scenarios, Technical Support can provide an IPS Engine package (.pkg) file that can be manually applied to the FortiGate.
Important Note 1:
If a FortiGate firmware upgrade is performed, the currently installed IPS Engine version will be overwritten with the version included in the new firmware. This is generally not an issue because a) different major versions use different versions of the IPS Engine (e.g. FortiOS 7.2 and 7.4 use different sets of IPS Engines) and b) the IPS Engine contained in the firmware tends to be the latest available for that major branch.
However, there can be instances where the IPS Engine version manually installed on the FortiGate is ahead of the version included in the upgraded firmware. In those situations the recommendation is to perform the FortiOS firmware upgrade, check the IPS Engine version, and then, if necessary, perform another manual upgrade of the IPS Engine.
Starting from FortiOS 7.2.0, AV and IPS packages are digitally signed by Fortinet's Certificate Authority to ensure authenticity and integrity. Before proceeding with the upgrade, confirm with the TAC specialist whether the provided IPS Engine image is dual-signed. If the provided .pkg file is not cryptographically signed and the FortiGate's BIOS security level is set to 2, it will be necessary to change the BIOS security level to 1 or 0 for the upgrade to succeed.
To change the BIOS security level, refer to the following article: Troubleshooting Tip: Downgrade of FortiOS fails due to BIOS check. Additional information can also be found in the following Administration Guide section: BIOS-level signature and file integrity checking.
With all that in mind, follow the instructions below to perform an upgrade of the IPS Engine:
- Collect the IPS Engine process ID and uptime values with the following CLI command:
- Log in to the FortiGate GUI and go to System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload.

Note:
The version information can be seen in the GUI. v4.00035 is used in the above example.
For v7.0, v7.2, v7.4 and v7.6, go to System -> FortiGuard -> Intrusion Prevention -> Actions -> Upgrade Database -> Upload to perform the upgrade:
- Browse to the .pkg file and select 'OK'. The process will take at most 1 to 2 minutes.
- If necessary, all IPS Engine processes can be gracefully restarted with the following CLI command:
IPS Attack Engine
---------
Version: 4.00035
Contract Expiry Date: Fri Jan 10 2020
Last Updated using manual update on Wed Aug 28 13:07:23 2019
Last Update Attempt: Wed Aug 28 10:34:13 2019
Result: No Updates
- Performing an IPS Engine upgrade should generally be non-disruptive to existing sessions through the FortiGate. Existing traffic will be exempted from further flow-based inspection when the upgrade is conducted, but sessions established after the upgrade will undergo flow-based inspection as normal.
- If an IPS engine is loaded to the FortiGate HA cluster, the HA primary unit will push the IPS engine to the HA secondary unit.
- The FIPS-CC Certified and CVE-Patched firmware employs a different set of version numbers for the IPS engine. The example below is a sample output taken from a FortiGate running FortiOS FIPS-CC-70-16 build 9223:
---------
Version: 7.00800 signed
Contract Expiry Date: Sun Jul 6 2025
Last Updated using scheduled update on Wed May 10 16:08:37 2023
Last Update Attempt: Thu Nov 21 08:39:37 2024
Result: No Updates
- When upgrading the IPS Engine on FortiGates with FIPS-CC Certified/CVE-Patched firmware, the version number present on the FortiGate may be higher than the version number of the intended IPS Engine upgrade, so the operation is technically considered a downgrade (for example, moving from IPS Engine 7.00800 shown above to IPS Engine 7.00667, the latest version used for FortiOS 7.0.16 GA). With that in mind, it is necessary to run the following CLI command to allow the IPS Engine upgrade to complete:
- It is only possible to receive an IPS Engine package from Fortinet Technical Support if the FortiGate has an active support contract. If the device has an evaluation license or no valid license then updating the IPS Engine/database is not allowed.
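As an added example (not Fortinet's code and not part of this article), the following Python parses the 'IPS Attack Engine' output quoted above and applies the article's pre-upgrade checks: whether the intended package version is lower than the installed one (the FIPS-CC downgrade case), whether the support contract is still active, and whether an unsigned package on BIOS security level 2 requires lowering the level first. The sample block is constructed from the article's output, and the function names are this example's own.

```python
import re
from datetime import date, datetime

# Constructed sample of the 'IPS Attack Engine' block, modelled on the article's FIPS-CC output.
SAMPLE_FIPS = """IPS Attack Engine
---------
Version: 7.00800 signed
Contract Expiry Date: Sun Jul 6 2025
Last Updated using scheduled update on Wed May 10 16:08:37 2023
Last Update Attempt: Thu Nov 21 08:39:37 2024
Result: No Updates
"""

def parse_version(s: str) -> tuple:
    """'7.00667' -> (7, 667); tuples compare correctly within one major branch."""
    major, build = s.strip().split(".")
    return (int(major), int(build))

def parse_engine_block(text: str) -> dict:
    """Pull the version, the 'signed' marker and the contract expiry out of the block."""
    m = re.search(r"^Version:\s*(\d+\.\d+)(\s+signed)?\s*$", text, re.M)
    if not m:
        raise ValueError("no Version line in IPS Attack Engine block")
    e = re.search(r"^Contract Expiry Date:\s*(.+?)\s*$", text, re.M)
    expiry = datetime.strptime(e.group(1), "%a %b %d %Y").date() if e else None
    return {"version": parse_version(m.group(1)), "signed": bool(m.group(2)),
            "contract_expiry": expiry}

def preflight(block: str, target: str, pkg_signed: bool, bios_level: int, today: str) -> dict:
    """Checks to run before uploading a .pkg; 'today' is an ISO date such as '2024-11-21'."""
    info = parse_engine_block(block)
    wanted = parse_version(target)
    now = date.fromisoformat(today)
    return {
        "installed": info["version"],
        "target": wanted,
        # Installed build higher than the target: FortiOS treats this as a downgrade.
        "is_downgrade": wanted < info["version"],
        # Packages are only provided under an active contract; flag an expired one.
        "contract_active": info["contract_expiry"] is not None and info["contract_expiry"] >= now,
        # An unsigned .pkg on BIOS security level 2 is rejected until the level is lowered.
        "bios_level_change_required": (not pkg_signed) and bios_level == 2,
    }

if __name__ == "__main__":
    print(preflight(SAMPLE_FIPS, "7.00667", True, 2, "2024-11-21"))
```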
Note:
FortiGate and FortiProxy use the same IPS engine database.