Technical Tip: How to downgrade or rollback IPS engine or FMWP Database

jangelis · ‎09-25-2019

Description

This article describes how to manually downgrade the IPS Engine or FMWP db on a FortiGate or FortiProxy unit. FortiOS will not accept the upload to a FortiGate unit of an IPS definition/engine that is older than the one currently installed on the unit. The error message 'Failed to upgrade database' will be reported.

Scope

FortiGate.

Solution

The procedure to downgrade is as follows:

From the FortiGate CLI, launch the command:

diagnose autoupdate downgrade enable

From the FortiGate GUI, go to System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload.

After the downgrade is complete, a message 'Successfully upgraded database' is presented.

The procedure can be done in CLI as well, using a TFTP or FTP server:

execute restore ips tftp FortiGate/IPSEngine/flen-fos6.2-4.218.pkg 10.0.0.

FTP:

execute restore ips ftp <fmwp_file> <FTP_SERVER_IP@> <username> <password>

Example: # exec restore ips ftp fmwp-720-24.071.pkg 10.100.1.61 admin111 admin111

This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to ftp server 10.100.1.61 ...
Get IPS database from ftp server OK.

Verify if the downgrade process is fine from the CLI:

diagnose autoupdate versions | grep "IPS Attack" -A 6

IPS Attack Engine
---------
Version: 4.00218
Contract Expiry Date: Sat Jun 27 2020
Last Updated using manual update on Wed Sep 25 09:41:53 2019
Last Update Attempt: Tue Sep 24 14:34:26 2019
Result: No Updates

After downgrading the IPS Engine, restart it by using the CLI command:

diagnose test application ipsmonitor 99

Note:

Executing the above command will terminate all TCP sessions.

Procedure for downgrade on HA cluster.

The procedure to downgrade is as follows:

From the CLI, launch the command on all cluster members:

Master # execute ha manage 0 admin
Slave # diagnose autoupdate downgrade enable
Update downgrade enabled

Slave # exit
Connection to 169.254.0.1 closed.

Master # diagnose autoupdate downgrade enable
Update downgrade enabled
From the GUI, on Master go to (v6.2.x and v6.4.x): System -> FortiGuard -> Intrusion Prevention -> Upgrade Database -> Upload.

Note:

In v6.0.x and above, the correct path is: System -> FortiGuard -> Firmware & General Updates -> Upgrade Database -> Upload.

The IPS Engine will be automatically downgraded on all cluster members. After the downgrade is complete, a message 'Successfully upgraded database' is presented.

After downgrading the IPS Engine, restart it by using the CLI command:

diagnose test application ipsmonitor 99

Note:

Executing the above command will terminate all TCP sessions.

Important: In case the downgrade is enabled only on the Master unit, no warning message is presented, only the message 'Successfully upgraded database', however, the IPS engine is not downgraded on the Slave unit.

Verify if the downgrade process is fine from the CLI:

Master # diagnose autoupdate version | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb 7 2022
Last Updated using manual update on Sat Feb 13 22:11:44 2021
Last Update Attempt: Sat Feb 13 21:15:06 2021
Result: Updates Installed

Master # execute ha manage 0 admin
Slave # diagnose autoupdate version | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb 7 2022
Last Updated using manual update on Sat Feb 13 22:12:09 2021
Last Update Attempt: n/a
Result: Updates Installed

If necessary, disable scheduled updates from the FortiGuard Distribution Network to prevent the IPS engine from updating automatically.

config system autoupdate schedule
set status disable
end

Related articles:

Technical Tip: How to downgrade or rollback IPS engine or FMWP Database

You are leaving our website