FortiGate
tino_p
Staff
Article Id 286843
Description

This article explains why a customer running several FortiGate firewall models may see different numbers of IPS signatures on those firewalls, even though they run the same FortiOS version, the same IPS engine version, and the same database (extended), can all connect to FortiGuard servers normally, and still have enough storage space.

 

For example:

There are 16,149 IPS signatures on Firewall 601E.

 


 

But there are only 10,184 IPS signatures on Firewall 800D.

 

Scope

IPS engine, FortiOS.
Solution

The reason is that the 800D has a CP8 SPU, whereas the 601E has a CP9 SPU. A firewall with a CP9 SPU gets the Full Extended Database (the largest IPS database), so it has more IPS signatures than the others.

 

Currently, there are three (3) types of IPS Databases:

  • Regular Database: This is the smallest IPS database, which contains the most active and useful IPS signatures. It is usually used when the customer prefers performance over security.
  • Full Extended Database: This is the largest IPS database, which contains all the IPS signatures. It is usually used when the customer prefers security over performance.
  • Slim Extended Database: This is the slim version of the Full Extended Database. It is used when customers prefer security over performance, but their firewall (for example, CP8 models) is no longer able to handle all the IPS signatures.

 

This also explains why some IPS signatures are available only in the Full Extended Database (such as 'MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution'). The customer will need to upgrade the firewall to a newer model (one with a CP9 SPU) to get the full list of IPS signatures.
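
One way to check the consequence described above across a mixed fleet, as an added example that is not part of the original article: it compares signature names exported from each firewall against the signatures a detection policy relies on and reports which are absent per device. The `rule-name: "..."` export format, the function names, the required-signature list, and every signature name except the Exchange one quoted above are assumptions constructed for illustration.

```python
import re

# Assumed export format (not taken from the article): text saved per device
# with one `rule-name: "<signature>"` line per IPS signature.
RULE_NAME = re.compile(r'^[ \t]*rule-name:[ \t]*"([^"]+)"[ \t]*\r?$', re.MULTILINE)

# Constructed sample exports; only the Exchange signature name is from the article.
EXPORTS = {
    "601E": 'rule-name: "MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution"\r\n'
            'rule-name: "Constructed.Sample.Signature.A"\r\n'
            'rule-name: "Constructed.Sample.Signature.B"\r\n',
    "800D": 'rule-name: "Constructed.Sample.Signature.A"\n'
            '  rule-name: "Constructed.Sample.Signature.B"\n'
            'rule-name: "Constructed.Sample.Signature.B"\n',  # duplicate line
}

# Signatures a hypothetical detection policy depends on.
REQUIRED = {
    "MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution",
    "Constructed.Sample.Signature.A",
}


def parse_signatures(export_text):
    """Return the set of signature names found in one device's export."""
    return set(RULE_NAME.findall(export_text))


def coverage_gaps(exports, required):
    """Map each device to the required signatures its IPS database lacks."""
    gaps = {}
    for device, text in exports.items():
        missing = sorted(set(required) - parse_signatures(text))
        if missing:
            gaps[device] = missing
    return gaps


def only_on(reference, other, exports):
    """Signatures present on `reference` but absent on `other`."""
    ref = parse_signatures(exports[reference])
    return sorted(ref - parse_signatures(exports[other]))


if __name__ == "__main__":
    for device, missing in coverage_gaps(EXPORTS, REQUIRED).items():
        print(f"{device}: missing {len(missing)} required signature(s)")
        for name in missing:
            print(f"  {name}")
```

A non-empty result for a CP8 device means an IPS profile that references those signatures does not give the same coverage there as on a CP9 device.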