fyheng
Staff
Description

This article describes how to update the IPS engine on a FortiGate via FortiManager.

 

FortiGate can point to FortiManager to update its FortiGuard packages, e.g. AntiVirus signatures, IPS signatures and others.

 

It is also possible to update the FortiGate IPS engine via FortiManager, in scenarios where the FortiManager is in a closed network environment or where the FortiManager is able to connect to FortiGuard for updates.

 

The following solution demonstrates how the IPS engine version can be updated via the FortiManager FortiGuard module.

 

Note:

It is not necessary to upgrade the IPS engine frequently.

An IPS engine package is only provided by TAC support for upgrade when a bug affects the engine itself.

Scope  
Solution

1) First, configure the FortiGate to point to FortiManager for updates. For the configuration guide, refer to the following article:

 

Technical Tip: How to setup FortiGate to get updates from FortiManager

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-FortiGate-to-get-updates-from...

 

2) In FortiManager, make sure the service is enabled on the interface from GUI: System Settings -> Interface -> Edit port -> Services Access: FortiGate Updates & Web Filtering

 


 

3) In the FortiGate FortiGuard module, the IPS Engine is shown as version 7.00043.

In this example, version 7.00043 will be upgraded to 7.00044.

 


 

4) Check under the FortiManager GUI: FortiGuard -> Package Management -> Service Status. It shows that the version currently running on the FortiGate is 7.00043, the same as in step (3).

 


 

5) It is possible to obtain the IPS engine package from Fortinet TAC support and import it from GUI: FortiGuard -> Package Management -> Receive Status -> Import, then select the IPS engine package. An example package name is flen-fos7.0-7.044.pkg.

 

In this example, IPS engine version 7.00044 is imported.

 


 

6) Look for the imported IPS Engine (64 bit) under 'To Be Deployed Version' and make sure the current version selection is set to 'Latest'.

 


 

7) From GUI: FortiGuard -> Package Management -> Service Status, the update status shows 'Pending' when FortiManager detects a version difference between the two.

 


 

8) From GUI: FortiGuard -> Package Management -> Service Status, select the unit, then select 'Push Pending' to push the update to the FortiGate.

 


 

9) The status will change to 'Up to Date' if the push is successful. 

 


 

10) Check in the FortiGate FortiGuard GUI module: the IPS engine version should be updated from version 7.00043 to 7.00044.

 


 

11) Alternatively, run the CLI command below on the FortiGate to check the updated IPS engine version.

 

msan01 (global) # diagnose autoupdate versions

....

IPS Attack Engine
---------
Version: 7.00044
Contract Expiry Date: Mon Aug 22 2022
Last Updated using manual update on Thu Jan 6 16:31:40 2022
Last Update Attempt: Thu Jan 6 16:50:07 2022
Result: No Updates

....
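
To repeat the check in step 11 on several units, the saved command output can be parsed and compared against the expected engine version. The script below is an added example, not part of the original article or any Fortinet tooling. It assumes the output of diagnose autoupdate versions has been saved as text and that other sections use the same layout as the one shown above; the AV Engine block in the sample is constructed.

```python
import re

# Sample text: the "IPS Attack Engine" block is the output shown in step 11;
# the "AV Engine" block is constructed to exercise the section splitting.
SAMPLE = """\
AV Engine
---------
Version: 0.00000
Result: No Updates

IPS Attack Engine
---------
Version: 7.00044
Contract Expiry Date: Mon Aug 22 2022
Last Updated using manual update on Thu Jan 6 16:31:40 2022
Last Update Attempt: Thu Jan 6 16:50:07 2022
Result: No Updates
"""

def parse_sections(text):
    """Split the output into {section name: {field: value}}."""
    sections, current = {}, None
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and re.fullmatch(r"-{3,}", nxt):
            current = sections.setdefault(line, {})  # a title precedes a dash rule
        elif current is None or not line or re.fullmatch(r"-{3,}", line):
            continue  # prompt line, blank line, "...." before a title, or the rule
        elif m := re.match(r"Last Updated using (.+?) on (.+)", line):
            current["update_method"], current["last_updated"] = m.groups()
        elif ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return sections

def check_ips_engine(text, expected):
    """Return (ok, fields) for the IPS engine against the expected version."""
    ips = parse_sections(text).get("IPS Attack Engine")
    if ips is None:
        return False, {"error": "IPS Attack Engine section not found"}
    return ips.get("Version") == expected, ips

if __name__ == "__main__":
    ok, info = check_ips_engine(SAMPLE, "7.00044")
    print("OK" if ok else "MISMATCH", info.get("Version"), info.get("update_method"))
```

The update_method field distinguishes an engine delivered by a manual update from other update paths, which helps when auditing which units received the TAC-supplied package.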

 
