jangelis (Staff)
Article Id 196846

Description


This article describes how to manually downgrade the IPS Engine on a FortiGate unit.
By default, FortiOS will not accept the upload of an IPS definition/engine package that is older than the one currently installed on the unit.
In that case the error message 'Failed to upgrade database' is reported.


Solution


The procedure to downgrade is as follows:

1) From the FortiGate CLI, launch the command:

# diagnose autoupdate downgrade enable

2) From the FortiGate GUI, go to:
System -> FortiGuard -> IPS & Application Control -> Upgrade Database -> Upload

After the downgrade is complete a message 'Successfully upgraded database' is presented.

- The upload can also be done from the CLI, using a TFTP or FTP server, for example:
# execute restore ips tftp FortiGate/IPSEngine/flen-fos6.2-4.218.pkg 10.0.0.1

3) Verify from the CLI that the downgrade succeeded:
# diagnose autoupdate versions | grep "IPS Attack" -A 6

IPS Attack Engine
---------
Version: 4.00218
Contract Expiry Date: Sat Jun 27 2020
Last Updated using manual update on Wed Sep 25 09:41:53 2019
Last Update Attempt: Tue Sep 24 14:34:26 2019
Result: No Updates
After downgrading the IPS Engine, restart it by using the CLI command:
# diagnose test application ipsmonitor 99
Note: Executing the above command will terminate all TCP sessions. 
Procedure for downgrade on an HA cluster

The procedure to downgrade is as follows:

1) From the CLI, launch the command on all cluster members:
Master # execute ha manage 0 admin
Slave # diagnose autoupdate downgrade enable

Update downgrade enabled

Slave # exit
Connection to 169.254.0.1 closed.

Master # diagnose autoupdate downgrade enable
Update downgrade enabled
2) From the GUI on the Master unit, go to (FortiOS 6.2.x and 6.4.x):
System -> FortiGuard -> Intrusion Prevention -> Upgrade Database -> Upload.

Note: In FortiOS 6.0.x the correct path is:
System -> FortiGuard -> Firmware & General Updates -> Upgrade Database -> Upload.
The IPS Engine will be automatically downgraded on all cluster members.
After the downgrade is complete a message 'Successfully upgraded database' is presented.

After downgrading the IPS Engine, restart it by using the CLI command:
# diagnose test application ipsmonitor 99
Note: Executing the above command will terminate all TCP sessions. 
 
Important: If the downgrade is enabled only on the Master unit, no warning is presented and the message 'Successfully upgraded database' still appears, but the IPS Engine is not downgraded on the Slave unit. Enable the downgrade on every cluster member before uploading the package.

3) Verify from the CLI, on every cluster member, that the downgrade succeeded:
Master # diagnose autoupdate version | grep -A 6 "IPS Attack"
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb  7 2022
Last Updated using manual update on Sat Feb 13 22:11:44 2021
Last Update Attempt: Sat Feb 13 21:15:06 2021
Result: Updates Installed

Master # execute ha manage 0 admin
Slave # diagnose autoupdate version | grep -A 6 "IPS Attack"

IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb  7 2022
Last Updated using manual update on Sat Feb 13 22:12:09 2021
Last Update Attempt: n/a
Result: Updates Installed
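The verification step in both procedures (step 3 of the standalone downgrade and step 3 of the HA downgrade) comes down to reading the 'IPS Attack Engine' block of `diagnose autoupdate versions` and checking the Version line, and the 'Important' note above describes the case where the Master reports success while the Slave keeps the newer engine. The following Python script is an added example, not part of the Fortinet article: it parses that CLI output, extracts the engine version, and flags an HA cluster whose members disagree. The sample outputs are constructed from the lines quoted in the article; the stale-slave variant uses a made-up version string (6.00012) purely to model the pitfall. The mapping of 'Version: 4.00218' to build 4.218 is inferred from the article's own pairing of that version with the package flen-fos6.2-4.218.pkg.

```python
"""Parse FortiGate `diagnose autoupdate versions` output and confirm that an
IPS Engine downgrade landed on every unit.

Added example, not code from the Fortinet article. The outputs below are
constructed from the lines quoted in the article; in practice you would paste
in the real CLI output (for example captured over SSH from each member)."""

import re
from typing import Dict, Optional, Tuple

# Constructed sample: the standalone unit output quoted in the article (step 3).
STANDALONE_OUTPUT = """\
IPS Attack Engine
---------
Version: 4.00218
Contract Expiry Date: Sat Jun 27 2020
Last Updated using manual update on Wed Sep 25 09:41:53 2019
Last Update Attempt: Tue Sep 24 14:34:26 2019
Result: No Updates
"""

# Constructed samples: the HA Master and Slave outputs quoted in the article.
HA_MASTER_OUTPUT = """\
IPS Attack Engine
---------
Version: 5.00229
Contract Expiry Date: Mon Feb  7 2022
Last Updated using manual update on Sat Feb 13 22:11:44 2021
Last Update Attempt: Sat Feb 13 21:15:06 2021
Result: Updates Installed
"""
HA_SLAVE_OUTPUT = HA_MASTER_OUTPUT.replace("22:11:44", "22:12:09")

# Hypothetical Slave that was never downgraded (downgrade enabled only on the
# Master, the pitfall the article warns about). 6.00012 is a made-up version.
HA_SLAVE_STALE_OUTPUT = HA_MASTER_OUTPUT.replace("5.00229", "6.00012")

Sections = Dict[str, Dict[str, str]]


def parse_autoupdate_versions(output: str) -> Sections:
    """Split the output into sections keyed by the heading above each dashed line.

    Each section maps 'Key' -> 'value' for its 'Key: value' lines. The
    'Last Updated using ... on <date>' line has no separating colon (the colons
    belong to the timestamp), so it is stored whole under 'Last Updated'."""
    sections: Sections = {}
    lines = output.splitlines()
    current: Optional[str] = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if i > 0 and re.fullmatch(r"-{3,}", stripped):
            current = lines[i - 1].strip()      # heading is the line above the dashes
            sections[current] = {}
            continue
        if current is None or not stripped:
            continue
        if stripped.startswith("Last Updated using"):
            sections[current]["Last Updated"] = stripped
        elif ":" in stripped:
            key, _, value = stripped.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def engine_version(sections: Sections) -> Optional[Tuple[int, int]]:
    """Return (major, build) for the IPS Attack Engine, e.g. '4.00218' -> (4, 218).

    The article pairs Version 4.00218 with package flen-fos6.2-4.218.pkg, so the
    build number is the zero-padded minor field read as an integer (assumption)."""
    ips = sections.get("IPS Attack Engine")
    if not ips or "Version" not in ips:
        return None
    major, _, minor = ips["Version"].partition(".")
    return int(major), int(minor)


def downgrade_succeeded(output: str, expected: Tuple[int, int]) -> bool:
    """True when the unit reports exactly the engine build that was uploaded."""
    return engine_version(parse_autoupdate_versions(output)) == expected


def cluster_consistent(member_outputs: Dict[str, str]):
    """Compare the engine version across HA members.

    Returns (all_same, {member: version}); all_same is False when any member is
    missing the block or reports a different build than the others."""
    versions = {name: engine_version(parse_autoupdate_versions(out))
                for name, out in member_outputs.items()}
    all_same = None not in versions.values() and len(set(versions.values())) == 1
    return all_same, versions


if __name__ == "__main__":
    print("standalone on 4.218:", downgrade_succeeded(STANDALONE_OUTPUT, (4, 218)))
    print("healthy cluster:", cluster_consistent({"Master": HA_MASTER_OUTPUT,
                                                  "Slave": HA_SLAVE_OUTPUT}))
    print("stale slave:", cluster_consistent({"Master": HA_MASTER_OUTPUT,
                                              "Slave": HA_SLAVE_STALE_OUTPUT}))
```

Run it against the two captures from `execute ha manage 0 admin` and the Master shell: a `False` from `cluster_consistent` is the signal that one member still runs the newer engine and needs `diagnose autoupdate downgrade enable` plus a fresh upload before `diagnose test application ipsmonitor 99` is issued.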