FortiManager
heng
Staff
Article Id 202644
Description

This article describes how to update the IPS engine on FortiGate via FortiManager.

 

FortiGate can point to FortiManager to update its FortiGuard packages, such as antivirus signatures, IPS signatures and others.

 

It is also possible to update the FortiGate IPS engine via FortiManager, for scenarios where the FortiManager is in a closed network environment or where the FortiManager is able to connect to FortiGuard for an update.

 

The following solution demonstrates how the IPS engine version can be updated via the FortiManager FortiGuard module.

 

Note:

It is not necessary to upgrade the IPS engine frequently.

The IPS engine is only provided by TAC support for upgrade when a bug is hit in the engine itself.

Scope

FortiManager.
Solution

 

  1. First, configure FortiGate to point to FortiManager for updates. For the configuration guide, refer to Technical Tip: How to setup FortiGate to get updates from FortiManager.

    Note: Make sure the IPS or AV profile is being used in a policy.

  2. In the FortiManager, make sure the services on the interface are enabled from the GUI under System Settings -> Interface -> Edit port -> Services Access: FortiGate Updates & Web Filtering.

 


  3. In the FortiGate FortiGuard module, the IPS Engine shows as version 7.00043.

    For this example, version 7.00043 will be upgraded to 7.00044.

 

 


  4. Check the FortiGate version under the FortiManager GUI: FortiGuard -> Package Management -> Service Status. It should show that the version currently running on the FortiGate is 7.00043, the same as in step 3.

 

 


  5. Get the IPS engine from Fortinet TAC support and import it from the GUI. Under FortiGuard -> Package Management -> Receive Status -> Import, select the IPS engine package. It will have a name similar to flen-fos7.0-7.044.pkg.

    For this example, IPS engine version 7.00044 will be imported. 

 

 


  6. Look for the imported IPS Engine (64 bit) under 'To Be Deployed Version' and make sure the current version selection is set to 'Latest'.

 

 


  7. From the GUI, under FortiGuard -> Package Management -> Service Status, a 'Pending' update status will be visible where the FortiManager detects a version difference between the two.

 

 


  8. Navigate to FortiGuard -> Package Management -> Service Status -> Select the unit, and select 'Push Pending' to push the update to the FortiGate.

 

 


  9. The status will change to 'Up to Date' if the push is successful.

 

 


  10. Check the FortiGate FortiGuard GUI module to ensure that the IPS engine version was updated from version 7.00043 to 7.00044.

 

 


  11. Alternatively, run the following CLI command in FortiGate to check that the IPS engine version has been updated.

 

 

diagnose autoupdate versions

....

IPS Attack Engine
---------
Version: 7.00044
Contract Expiry Date: Mon Aug 22 2022
Last Updated using manual update on Thu Jan 6 16:31:40 2022
Last Update Attempt: Thu Jan 6 16:50:07 2022
Result: No Updates

....
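
The CLI check above can be scripted when the output is collected from several FortiGates after a 'Push Pending'. The following Python is an added example, not part of the original article or of any Fortinet tooling: it parses saved `diagnose autoupdate versions` output and compares the IPS Attack Engine version with the one that was imported. The function names and the AV Engine section of the sample are constructed for illustration.

```python
import re

# Constructed sample of `diagnose autoupdate versions` output. The IPS Attack Engine
# section is the one shown above; the AV Engine section is made up for the example.
SAMPLE = """\
AV Engine
---------
Version: 6.00001
Result: No Updates

IPS Attack Engine
---------
Version: 7.00044
Contract Expiry Date: Mon Aug 22 2022
Last Updated using manual update on Thu Jan 6 16:31:40 2022
Last Update Attempt: Thu Jan 6 16:50:07 2022
Result: No Updates
"""

UPDATED_RE = re.compile(r"^Last Updated using (.+?) on (.+)$")


def parse_versions(text):
    """Return {section title: {field: value}} from the CLI output."""
    sections, current, previous = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line and set(line) == {"-"}:
            # A dashed rule means the previous non-empty line was a section title.
            current = sections.setdefault(previous, {})
        elif current is not None and (m := UPDATED_RE.match(line)):
            # This line has no "key:" prefix and its timestamp contains colons.
            current["Update Method"], current["Last Updated"] = m.groups()
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
        if line:
            previous = line
    return sections


def check_ips_engine(text, expected):
    """Compare the running IPS engine version with the one that was pushed."""
    section = parse_versions(text).get("IPS Attack Engine")
    if not section or "Version" not in section:
        return False, "IPS Attack Engine section not found"
    running, want = ([int(p) for p in v.split(".")] for v in (section["Version"], expected))
    if running != want:
        return False, f"running {section['Version']}, expected {expected}"
    return True, f"{section['Version']} via {section.get('Update Method', 'unknown')}"
```

A `False` result with a "running ..., expected ..." message corresponds to a unit that would still show 'Pending' under Service Status.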