nathan_h
Staff & Editor
Article Id 202345
Description This article explains how upgrading the IPS Engine on the Primary unit of a FortiGate High Availability (HA) Cluster also upgrades the secondary (backup) FortiGate units in the cluster.
Scope FortiGate.
Solution
  1. Gather the following information before performing an IPS Engine upgrade.

The command below shows that IPS Engine 7.00043 is in use on the Primary FortiGate.
FGT_1 # diagnose autoupdate versions | grep -A 2 "IPS A"
IPS Attack Engine
---------
Version: 7.00043
FGT_1 # get system status | grep HA
Current HA mode: a-p, primary
The following command is used to move to the secondary unit in an HA Cluster:
FGT_1 # execute ha manage 0 admin
FGT_2 # get system status | grep HA
Current HA mode: a-p, secondary
FGT_2 # diagnose autoupdate versions | grep -A 2 "IPS A"
IPS Attack Engine
---------
Version: 7.00043
All units in the HA Cluster are running the same IPS Engine 7.00043.
  2. Upgrade the IPS Engine on the Primary FortiGate: go to System -> FortiGuard -> Intrusion Prevention -> Actions -> Upgrade Database -> Select file, upload the IPS Engine file and select 'OK' (the Upgrade Database button sits next to the IPS Definitions field, but uploading an engine file there upgrades the IPS engine).

Once the IPS Engine has been upgraded successfully, use the command below to restart the ipsmonitor process:
diagnose test application ipsmonitor 99
Note:

Upgrading the IPS engine terminates all TCP sessions.

  3. Verify the IPS Engine version on both units after the upgrade.

FGT_1 # get system status | grep "Version:\|HA"
Version: FortiGate-VM64 v7.0.2,build0234,211019 (GA)
Current HA mode: a-p, primary
FGT_1 # diagnose autoupdate versions | grep -A 2 "IPS A"
IPS Attack Engine
---------
Version: 7.00044
FGT_1 # execute ha manage 0 admin
FGT_2 # get system status | grep "Version:\|HA"
Version: FortiGate-VM64 v7.0.2,build0234,211019 (GA)
Current HA mode: a-p, secondary
FGT_2 # diagnose autoupdate versions | grep -A 2 "IPS A"
IPS Attack Engine
---------
Version: 7.00044
The above output shows that IPS Engine 7.00044 is running on both units of the HA Cluster.

Note that upgrading the IPS Engine on the Primary unit automatically upgrades it on the secondary unit as well.

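As an added example that is not part of this article or of FortiOS, the following Python script parses the two CLI outputs used above ('get system status | grep HA' and 'diagnose autoupdate versions | grep -A 2 "IPS A"') for each cluster member and reports whether every unit runs the same IPS engine, which is the check steps 1 and 3 perform by hand. The host names and the sample output are constructed to mirror the article's sessions, not captured from a device.

```python
import re
from typing import Dict, Optional

# Constructed sample: the output of 'get system status | grep HA' and
# 'diagnose autoupdate versions | grep -A 2 "IPS A"' concatenated per unit.
# Host names are hypothetical; values mirror the article's CLI sessions.
SAMPLE_OUTPUT = {
    "FGT_1": "Current HA mode: a-p, primary\n"
             "IPS Attack Engine\n---------\nVersion: 7.00044\n",
    "FGT_2": "Current HA mode: a-p, secondary\n"
             "IPS Attack Engine\n---------\nVersion: 7.00043\n",
}

HA_RE = re.compile(r"^Current HA mode:\s*(\S+),\s*(\w+)", re.MULTILINE)
# The engine version follows the 'IPS Attack Engine' header and its dashed rule.
ENGINE_RE = re.compile(r"IPS Attack Engine\s*\n-+\s*\nVersion:\s*([\d.]+)")


def parse_unit(text: str) -> Dict[str, Optional[str]]:
    """Extract HA mode, HA role and IPS engine version from one unit's output."""
    ha = HA_RE.search(text)
    eng = ENGINE_RE.search(text)
    return {
        "ha_mode": ha.group(1) if ha else None,
        "ha_role": ha.group(2) if ha else None,
        "ips_engine": eng.group(1) if eng else None,
    }


def check_cluster(outputs: Dict[str, str]) -> Dict[str, object]:
    """Parse every unit and flag a cluster whose members disagree on the engine."""
    units = {name: parse_unit(text) for name, text in outputs.items()}
    versions = {facts["ips_engine"] for facts in units.values()}
    roles = [facts["ha_role"] for facts in units.values()]
    return {
        "units": units,
        # Consistent only if exactly one version was found on every unit.
        "consistent": len(versions) == 1 and None not in versions,
        "has_primary": "primary" in roles,
        "versions": sorted(v for v in versions if v is not None),
    }


if __name__ == "__main__":
    result = check_cluster(SAMPLE_OUTPUT)
    for name, facts in result["units"].items():
        print(f"{name}: {facts['ha_role']} ({facts['ha_mode']}) "
              f"ipsengine={facts['ips_engine']}")
    print("IPS engine consistent across cluster:", result["consistent"])
```

With the constructed sample the script reports a mismatch (7.00044 on the primary, 7.00043 on the secondary), which is the condition to look for before concluding an HA-wide engine upgrade succeeded.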
All FortiOS images come with a built-in IPS Engine. If FortiOS is upgraded and the target build ships the same ipsengine version as the current build, the ipsengine must still be reloaded after the firmware upgrade.

Related article:

Technical Note: How to manually upgrade the IPS Engine
Note:

  • Primary and secondary devices should have a valid license.
  • If the device has an evaluation license or no valid license, updating the database is not allowed.