Description | This article explains how upgrading the IPS Engine on a High Availability (HA) cluster of FortiGate devices also upgrades the backup FortiGate units. |
Scope | FortiGate. |
Solution |
The command below shows that IPS Engine 7.00043 is in use on the Primary FortiGate.
FGT_1 # diag autoupdate versions | grep -A 2 "IPS A"
FGT_1 # get sys status | grep HA
The following command is used to move to the secondary unit in an HA Cluster:
FGT_1 # exec ha manage 0 admin
FGT_2 # get sys status | grep HA
FGT_2 # diag autoupdate versions | grep -A 2 "IPS A"
All units in the HA Cluster are running the same IPS Engine 7.00043.
Go to System -> FortiGuard -> Intrusion Prevention -> Actions -> Upgrade Database -> Select file -> Upload the IPS Engine and select 'OK'.
Once the IPS Engine has been upgraded successfully, use the command below to restart the ipsmonitor process:
diag test application ipsmonitor 99
Note: Upgrading the IPS Engine terminates all TCP sessions.
FGT_1 # get sys status | grep "Version:\|HA"
FGT_1 # diag autoupdate versions | grep -A 2 "IPS A"
FGT_1 # exec ha manage 0 admin
FGT_2 # get sys status | grep "Version:\|HA"
FGT_2 # diag autoupdate versions | grep -A 2 "IPS A"
The above output shows that IPS Engine 7.00044 is running on both units of the HA Cluster. Note that upgrading the IPS Engine on the Primary unit automatically upgrades it on the secondary unit as well.
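A post-upgrade check for the verification step above, as an added example that is not part of the original article: it parses saved output of `diag autoupdate versions | grep -A 2 "IPS A"` from each unit and flags a member that lacks the engine block or runs a different version. The transcripts are constructed, the three-line block layout (name, dashed rule, `Version:` line) is an assumption about the CLI output, and the function names are illustrative.

```python
import re

# Constructed transcripts (not output from the original article). Assumed layout
# of one component block: name line, dashed rule, then a "Version:" line.
SAMPLE = {
    "FGT_1": 'FGT_1 # diag autoupdate versions | grep -A 2 "IPS A"\n'
             "IPS Attack Engine\n---------\nVersion: 7.00044\n",
    "FGT_2": 'FGT_2 # diag autoupdate versions | grep -A 2 "IPS A"\n'
             "IPS Attack Engine\n---------\nVersion: 7.00044\n",
}

_BLOCK = re.compile(
    r"^IPS Attack Engine\s*\n-+\s*\nVersion:\s*(\d+\.\d+)\s*$", re.MULTILINE
)

def ips_engine_version(transcript):
    """Return the IPS Attack Engine version string, or None if the block is absent."""
    m = _BLOCK.search(transcript.replace("\r\n", "\n"))
    return m.group(1) if m else None

def check_cluster(transcripts, expected=None):
    """Compare engine versions across HA members.

    Returns (ok, versions, problems); ok is True only when every unit reports
    a version, all units agree, and (if given) the version equals `expected`.
    """
    versions = {unit: ips_engine_version(t) for unit, t in transcripts.items()}
    problems = []
    for unit, version in versions.items():
        if version is None:
            problems.append(f"{unit}: no IPS Attack Engine block found")
        elif expected and version != expected:
            problems.append(f"{unit}: running {version}, expected {expected}")
    found = {v for v in versions.values() if v}
    if len(found) > 1:
        problems.append("cluster members disagree: " + ", ".join(sorted(found)))
    return (not problems, versions, problems)

if __name__ == "__main__":
    ok, versions, problems = check_cluster(SAMPLE, expected="7.00044")
    print(versions)
    print("OK" if ok else "\n".join(problems))
```
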
All FortiOS images come with a built-in ipsengine. If the FortiOS firmware is upgraded and the target build has the same ipsengine version as the current FortiOS build, it is necessary to reload ipsengine after the firmware upgrade.
Related article: Technical Note: How to manually upgrade the IPS Engine
Note: The Primary and Secondary devices should have a valid license.
Note: If a device has an evaluation license or no valid license, updating the database is not allowed. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.