Fortinet black logo

New Features

Verifying and accepting signed AV and IPS packages

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:657131
Download PDF

Verifying and accepting signed AV and IPS packages

AV and IPS packages are now signed by the Fortinet CA to ensure authenticity of the packages. The FortiGate will execute the following checks based on the method used to perform updates:

  • During automatic updates, only signed and validated packages are accepted.
  • During manual package updates, signed and validated packages will be accepted. If a package is not signed, the following applies:
    • Level-0: accept the new package even if it is unsigned.
    • Level-1: display a warning and request a user confirmation to accept.
    • Level-2: display an error and reject the image.
    • If no level is configured, apply Level-1.
  • For HA and configuration synchronization, the secondary device will synchronize signature files from the primary in the presence of a saved signed package.
Note

Security levels are pre-configured on the BIOS.

The FortiGuard Distribution Network (FDN) will maintain signed and unsigned packages for 7.2 and pre-7.2 compatibility. FortiManagers used for package distribution will also download signed and unsigned packages for backwards compatibility.

All AV and IPS packages are forced to use the signature (others packages are optional):

  • APPDB
  • AVDB
  • AVEN
  • DBDB
  • FLDB
  • FLEN
  • ISDB
  • MMDB
  • MUDB
  • NIDS

When checking the versions of updated objects, verified versions are labeled as signed.

To verify the status for all object signatures:
# diagnose autoupdate signature check-all
aven(7,28) signature is valid.
virdb(2,2) signature is valid.
etdb(2,7) signature is valid.
exdb(2,4) signature is valid.
avai(2,19) signature is valid.
fcni(9,0) signature check passed.
contract(10,0) signature check passed.
idsen(30,78) signature is valid.
ipscfgscr(30,50) signature is missing.
fldb(34,2) signature is valid.
idsdb(4,24) signature is valid.
idsetdb(4,26) signature is valid.
idsurldb(5,1) signature is valid.
appdb(38,1) signature is valid.
isdb(39,1) signature is valid.
geoip(28,0) signature check passed.
ffdb_low(31,11) signature is valid.
ffdb_med(31,9) signature is valid.
ffdb_high(31,10) signature is valid.
uwdb(32,1) signature check passed.
certdb(33,0) signature check passed.
mmdb(35,1) signature is valid.
dnsbot(36,1) signature is valid.
sfas(40,0) signature check passed.
mcdb(42,1) signature check passed.
anphipats(49,1) signature check passed.
update objects signature check finished.
To verify the status for all object versions:
# diagnose autoupdate versions

AV Engine
---------
Version: 6.00272 signed 
Contract Expiry Date: Wed Jan  1 2031
Last Updated using scheduled update on Wed Feb 23 00:48:25 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Virus Definitions
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

Extended set
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

Mobile Malware Definitions
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

IPS Attack Engine
---------
Version: 7.00208 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates
...

Attack Definitions
---------
Version: 19.00264 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 00:06:22 2022
Last Update Attempt: Wed Feb 23 05:10:23 2022
Result: No Updates

Attack Extended Definitions
---------
Version: 19.00264 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Application Definitions
---------
Version: 19.00262 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Industrial Attack Definitions
---------
Version: 19.00262 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

IPS Malicious URL Database
---------
Version: 3.00272 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Flow-based Virus Definitions
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

Botnet Domain Database
---------
Version: 2.00935 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Internet-service Full Database
---------
Version: 7.02162 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Feb  4 14:24:00 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates
...

AI/Machine Learning Malware Detection Model
---------
Version: 2.04622 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using scheduled update on Wed Feb 23 00:48:25 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates
...

Signed packages and signatures are saved to disk with a special extension (.x) to distinguish them from unsigned packages. This extension allows the HA primary device to synchronize packages directly to secondary devices without further package validation. For example, an unsigned AV signature file would be saved as /data2/vir, and a signed file as /data2/vir.x.

The following examples contain output obtained from running the following debugs while the package is being updated:

# diagnose debug app updated -1
# diagnose debug enable

Automatic update from FDN or FortiManager

The packages are only accepted if they are signed.

To verify the automatic AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
[331] ftnt_code_signing_verify_and_split:
[282] __ftnt_code_signing_verify:
[56] __dump_ctx: CS INFO: 544e544601000c8fee5f46f8aadf2d
[59] __dump_ctx: Sig len: 3215
[60] __dump_ctx: Raw len: 1200241
[190] __cms_verify: Verification succeeded.
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1203472, obj_len=1200241, sig_len=3231.
...
Sample log
1: date=2022-02-23 time=16:16:36 eventtime=1645661796729851387 tz="-0800" logid="0100041000" type="event" subtype="system" level="notice" vd="vd1" logdesc="FortiGate update succeeded" status="update" msg="Fortigate update now fcni=yes fdni=yes fsci=yes idsdb(19.00264) idsetdb(19.00264) from 192.168.100.205:443"

Manual updates

An update can be performed manually after downloading the update file from the support.fortinet.com portal.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable

Manual update of a signed and validated package

This example shows a successful update where the update package is signed and validated.

Sample debugs for a successful update:
...
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=756201, obj_len=752970, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/upd4MNOqr->/etc/ips.rules
installUpdObjRest[864]-Step 7:Validate object
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1165633, obj_len=1162402, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.et.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/updf80vEs->/etc/ips.et.rules
installUpdObjRest[864]-Step 7:Validate object
...
__update_status[1237]-NIDS024(idsdb) installed successfully
__update_status[1237]-NIDS026(idsetdb) installed successfully
upd_status_save_status[131]-try to save on status file
upd_status_save_status[197]-Wrote status file
upd_manual_idsdb[269]-Update successful on NIDS24(idsdb))
upd_manual_idsdb[269]-Update successful on NIDS26(idsetdb))
Sample log
1: date=2022-02-23 time=20:58:05 eventtime=1645678685369622860 tz="-0800" logid="0100032217" type="event" subtype="system" level="notice" vd="vdom1" logdesc="IPS package - Admin update successful" status="update" msg="Fortigate updated idsdb(19.00262) idsetdb(19.00262)"

Manual update of an unsigned package with level-0 configured

This example shows an unsigned package update being accepted without any warning when the device BIOS has security level-0.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable
...
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=756201, obj_len=752970, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/upd4MNOqr->/etc/ips.rules
installUpdObjRest[864]-Step 7:Validate object
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1165633, obj_len=1162402, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.et.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/updf80vEs->/etc/ips.et.rules
installUpdObjRest[864]-Step 7:Validate object
...
__update_status[1237]-NIDS024(idsdb) installed successfully
__update_status[1237]-NIDS026(idsetdb) installed successfully
upd_status_save_status[131]-try to save on status file
upd_status_save_status[197]-Wrote status file
upd_manual_idsdb[269]-Update successful on NIDS24(idsdb))
upd_manual_idsdb[269]-Update successful on NIDS26(idsetdb))
Sample log
1: date=2022-02-23 time=20:58:05 eventtime=1645678685369622860 tz="-0800" logid="0100032217" type="event" subtype="system" level="notice" vd="vdom1" logdesc="IPS package - Admin update successful" status="update" msg="Fortigate updated idsdb(19.00262) idsetdb(19.00262)"

Manual update of an unsigned package with level-1 configured

A warning message is displayed in the console, and requests a user confirmation to accept the update of an unsigned package.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 172.16.200.55 ...
##

Get IPS database from tftp server OK.
******WARNING: This package file has no signature for validation.******
Fortinet cannot verify the authenticity of this package and therefore
there may be a risk that the package contains code unknown to Fortinet.
In short, Fortinet cannot validate the package and makes no warranties
or representations concerning the package.
Please continue only if you understand and are willing to accept the risks.
Do you want to continue? (y/n)y
To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable
...
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=756204, obj_len=756204, sig_len=0.
...
installUpdObjRest[864]-Step 7:Validate object
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1370909, obj_len=1370909, sig_len=0.
...
installUpdObjRest[864]-Step 7:Validate object
...
__update_status[1237]-NIDS024(idsdb) installed successfully
__update_status[1237]-NIDS026(idsetdb) installed successfully
upd_status_save_status[131]-try to save on status file
upd_status_save_status[197]-Wrote status file
upd_manual_idsdb[269]-Update successful on NIDS24(idsdb))
upd_manual_idsdb[269]-Update successful on NIDS26(idsetdb))
Sample log
1: date=2022-02-23 time=16:19:49 eventtime=1645661989789578130 tz="-0800" logid="0100032217" type="event" subtype="system" level="notice" vd="vd1" logdesc="IPS package - Admin update successful" status="update" msg="Fortigate updated idsdb(19.00261) idsetdb(19.00261)"

Manual update of an unsigned package with level-2 configured

A warning message is displayed in the console, and the image is rejected.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 172.16.200.55 ...
##

Get IPS database from tftp server OK.
To verify the manual AV and IPS package updates:
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
__upd_obj_signature_split[2853]-Signature verify and split failed, result=2.
installUpdateObject[302]-Failed signature verifying for obj 4, ret=-1, forced=1, len=756204
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
__upd_obj_signature_split[2853]-Signature verify and split failed, result=2.
installUpdateObject[302]-Failed signature verifying for obj 4, ret=-1, forced=1, len=1370909
upd_status_save_status[131]-try to save on status file
upd_status_save_status[202]-Status file is up-to-date
upd_manual_idsdb[247]-Update failed on NIDS24(idsdb) (-5,2)
upd_manual_idsdb[247]-Update failed on NIDS26(idsetdb) (-5,2)
Command fail. Return code -64
Sample logs
5: date=2022-02-23 time=17:00:29 eventtime=1645664429516742853 tz="-0800" logid="0100032231" type="event" subtype="system" level="notice" vd="vdom1" logdesc="FortiGuard service failed to restore" user="admin" ui="jsconsole(172.16.15.254)" action="restore-ips-package" msg="User admin failed to restore IPS package file from jsconsole(172.16.15.254)"
6: date=2022-02-23 time=17:00:29 eventtime=1645664429515611471 tz="-0800" logid="0100041009" type="event" subtype="system" level="critical" vd="vdom1" logdesc="FortiGate database signature invalid" user="admin" ui="jsconsole(172.16.15.254)" action="restore-ips" status="failure" msg="Fortigate idsetdb signature invalid."
7: date=2022-02-23 time=17:00:29 eventtime=1645664429515606594 tz="-0800" logid="0100041009" type="event" subtype="system" level="critical" vd="vdom1" logdesc="FortiGate database signature invalid" user="admin" ui="jsconsole(172.16.15.254)" action="restore-ips" status="failure" msg="Fortigate idsdb signature invalid."

Verifying and accepting signed AV and IPS packages

AV and IPS packages are now signed by the Fortinet CA to ensure authenticity of the packages. The FortiGate will execute the following checks based on the method used to perform updates:

  • During automatic updates, only signed and validated packages are accepted.
  • During manual package updates, signed and validated packages will be accepted. If a package is not signed, the following applies:
    • Level-0: accept the new package even if it is unsigned.
    • Level-1: display a warning and request a user confirmation to accept.
    • Level-2: display an error and reject the image.
    • If no level is configured, apply Level-1.
  • For HA and configuration synchronization, the secondary device will synchronize signature files from the primary in the presence of a saved signed package.
Note

Security levels are pre-configured on the BIOS.

The FortiGuard Distribution Network (FDN) will maintain signed and unsigned packages for 7.2 and pre-7.2 compatibility. FortiManagers used for package distribution will also download signed and unsigned packages for backwards compatibility.

All AV and IPS packages are forced to use the signature (others packages are optional):

  • APPDB
  • AVDB
  • AVEN
  • DBDB
  • FLDB
  • FLEN
  • ISDB
  • MMDB
  • MUDB
  • NIDS

When checking the versions of updated objects, verified versions are labeled as signed.

To verify the status for all object signatures:
# diagnose autoupdate signature check-all
aven(7,28) signature is valid.
virdb(2,2) signature is valid.
etdb(2,7) signature is valid.
exdb(2,4) signature is valid.
avai(2,19) signature is valid.
fcni(9,0) signature check passed.
contract(10,0) signature check passed.
idsen(30,78) signature is valid.
ipscfgscr(30,50) signature is missing.
fldb(34,2) signature is valid.
idsdb(4,24) signature is valid.
idsetdb(4,26) signature is valid.
idsurldb(5,1) signature is valid.
appdb(38,1) signature is valid.
isdb(39,1) signature is valid.
geoip(28,0) signature check passed.
ffdb_low(31,11) signature is valid.
ffdb_med(31,9) signature is valid.
ffdb_high(31,10) signature is valid.
uwdb(32,1) signature check passed.
certdb(33,0) signature check passed.
mmdb(35,1) signature is valid.
dnsbot(36,1) signature is valid.
sfas(40,0) signature check passed.
mcdb(42,1) signature check passed.
anphipats(49,1) signature check passed.
update objects signature check finished.
To verify the status for all object versions:
# diagnose autoupdate versions

AV Engine
---------
Version: 6.00272 signed 
Contract Expiry Date: Wed Jan  1 2031
Last Updated using scheduled update on Wed Feb 23 00:48:25 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Virus Definitions
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

Extended set
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

Mobile Malware Definitions
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

IPS Attack Engine
---------
Version: 7.00208 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates
...

Attack Definitions
---------
Version: 19.00264 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 00:06:22 2022
Last Update Attempt: Wed Feb 23 05:10:23 2022
Result: No Updates

Attack Extended Definitions
---------
Version: 19.00264 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Application Definitions
---------
Version: 19.00262 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Industrial Attack Definitions
---------
Version: 19.00262 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

IPS Malicious URL Database
---------
Version: 3.00272 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Flow-based Virus Definitions
---------
Version: 89.09892 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Feb 23 11:34:52 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: Updates Installed

Botnet Domain Database
---------
Version: 2.00935 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Tue Feb 22 23:51:15 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates

Internet-service Full Database
---------
Version: 7.02162 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Feb  4 14:24:00 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates
...

AI/Machine Learning Malware Detection Model
---------
Version: 2.04622 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using scheduled update on Wed Feb 23 00:48:25 2022
Last Update Attempt: Wed Feb 23 11:34:52 2022
Result: No Updates
...

Signed packages and signatures are saved to disk with a special extension (.x) to distinguish them from unsigned packages. This extension allows the HA primary device to synchronize packages directly to secondary devices without further package validation. For example, an unsigned AV signature file would be saved as /data2/vir, and a signed file as /data2/vir.x.

The following examples contain output obtained from running the following debugs while the package is being updated:

# diagnose debug app updated -1
# diagnose debug enable

Automatic update from FDN or FortiManager

The packages are only accepted if they are signed.

To verify the automatic AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
[331] ftnt_code_signing_verify_and_split:
[282] __ftnt_code_signing_verify:
[56] __dump_ctx: CS INFO: 544e544601000c8fee5f46f8aadf2d
[59] __dump_ctx: Sig len: 3215
[60] __dump_ctx: Raw len: 1200241
[190] __cms_verify: Verification succeeded.
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1203472, obj_len=1200241, sig_len=3231.
...
Sample log
1: date=2022-02-23 time=16:16:36 eventtime=1645661796729851387 tz="-0800" logid="0100041000" type="event" subtype="system" level="notice" vd="vd1" logdesc="FortiGate update succeeded" status="update" msg="Fortigate update now fcni=yes fdni=yes fsci=yes idsdb(19.00264) idsetdb(19.00264) from 192.168.100.205:443"

Manual updates

An update can be performed manually after downloading the update file from the support.fortinet.com portal.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable

Manual update of a signed and validated package

This example shows a successful update where the update package is signed and validated.

Sample debugs for a successful update:
...
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=756201, obj_len=752970, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/upd4MNOqr->/etc/ips.rules
installUpdObjRest[864]-Step 7:Validate object
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1165633, obj_len=1162402, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.et.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/updf80vEs->/etc/ips.et.rules
installUpdObjRest[864]-Step 7:Validate object
...
__update_status[1237]-NIDS024(idsdb) installed successfully
__update_status[1237]-NIDS026(idsetdb) installed successfully
upd_status_save_status[131]-try to save on status file
upd_status_save_status[197]-Wrote status file
upd_manual_idsdb[269]-Update successful on NIDS24(idsdb))
upd_manual_idsdb[269]-Update successful on NIDS26(idsetdb))
Sample log
1: date=2022-02-23 time=20:58:05 eventtime=1645678685369622860 tz="-0800" logid="0100032217" type="event" subtype="system" level="notice" vd="vdom1" logdesc="IPS package - Admin update successful" status="update" msg="Fortigate updated idsdb(19.00262) idsetdb(19.00262)"

Manual update of an unsigned package with level-0 configured

This example shows an unsigned package update being accepted without any warning when the device BIOS has security level-0.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable
...
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=756201, obj_len=752970, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/upd4MNOqr->/etc/ips.rules
installUpdObjRest[864]-Step 7:Validate object
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1165633, obj_len=1162402, sig_len=3231.
installUpdateObject[347]-Step 2:Prepare temp file for obj 4
installUpdObjRest[757]-Step 5:Backup /etc/ips.et.rules->/tmp/update.backup
installUpdObjRest[785]-Step 6:Copy new object /tmp/updf80vEs->/etc/ips.et.rules
installUpdObjRest[864]-Step 7:Validate object
...
__update_status[1237]-NIDS024(idsdb) installed successfully
__update_status[1237]-NIDS026(idsetdb) installed successfully
upd_status_save_status[131]-try to save on status file
upd_status_save_status[197]-Wrote status file
upd_manual_idsdb[269]-Update successful on NIDS24(idsdb))
upd_manual_idsdb[269]-Update successful on NIDS26(idsetdb))
Sample log
1: date=2022-02-23 time=20:58:05 eventtime=1645678685369622860 tz="-0800" logid="0100032217" type="event" subtype="system" level="notice" vd="vdom1" logdesc="IPS package - Admin update successful" status="update" msg="Fortigate updated idsdb(19.00262) idsetdb(19.00262)"

Manual update of an unsigned package with level-1 configured

A warning message is displayed in the console, and requests a user confirmation to accept the update of an unsigned package.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 172.16.200.55 ...
##

Get IPS database from tftp server OK.
******WARNING: This package file has no signature for validation.******
Fortinet cannot verify the authenticity of this package and therefore
there may be a risk that the package contains code unknown to Fortinet.
In short, Fortinet cannot validate the package and makes no warranties
or representations concerning the package.
Please continue only if you understand and are willing to accept the risks.
Do you want to continue? (y/n)y
To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable
...
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=756204, obj_len=756204, sig_len=0.
...
installUpdObjRest[864]-Step 7:Validate object
...
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
installUpdateObject[310]-Signature verified for obj 4, ret=0, data_len=1370909, obj_len=1370909, sig_len=0.
...
installUpdObjRest[864]-Step 7:Validate object
...
__update_status[1237]-NIDS024(idsdb) installed successfully
__update_status[1237]-NIDS026(idsetdb) installed successfully
upd_status_save_status[131]-try to save on status file
upd_status_save_status[197]-Wrote status file
upd_manual_idsdb[269]-Update successful on NIDS24(idsdb))
upd_manual_idsdb[269]-Update successful on NIDS26(idsetdb))
Sample log
1: date=2022-02-23 time=16:19:49 eventtime=1645661989789578130 tz="-0800" logid="0100032217" type="event" subtype="system" level="notice" vd="vd1" logdesc="IPS package - Admin update successful" status="update" msg="Fortigate updated idsdb(19.00261) idsetdb(19.00261)"

Manual update of an unsigned package with level-2 configured

A warning message is displayed in the console, and the image is rejected.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 172.16.200.55 ...
##

Get IPS database from tftp server OK.
To verify the manual AV and IPS package updates:
upd_manual_idsdb[219]-Updating ids db
doInstallUpdatePackage[1023]-Full obj found for NIDS024
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
__upd_obj_signature_split[2853]-Signature verify and split failed, result=2.
installUpdateObject[302]-Failed signature verifying for obj 4, ret=-1, forced=1, len=756204
doInstallUpdatePackage[1023]-Full obj found for NIDS026
doInstallUpdatePackage[1033]-Updating obj NIDS
installUpdateObject[278]-Step 1:Unpack obj 4, Total=1, cur=0
__upd_obj_signature_split[2853]-Signature verify and split failed, result=2.
installUpdateObject[302]-Failed signature verifying for obj 4, ret=-1, forced=1, len=1370909
upd_status_save_status[131]-try to save on status file
upd_status_save_status[202]-Status file is up-to-date
upd_manual_idsdb[247]-Update failed on NIDS24(idsdb) (-5,2)
upd_manual_idsdb[247]-Update failed on NIDS26(idsetdb) (-5,2)
Command fail. Return code -64
Sample logs
5: date=2022-02-23 time=17:00:29 eventtime=1645664429516742853 tz="-0800" logid="0100032231" type="event" subtype="system" level="notice" vd="vdom1" logdesc="FortiGuard service failed to restore" user="admin" ui="jsconsole(172.16.15.254)" action="restore-ips-package" msg="User admin failed to restore IPS package file from jsconsole(172.16.15.254)"
6: date=2022-02-23 time=17:00:29 eventtime=1645664429515611471 tz="-0800" logid="0100041009" type="event" subtype="system" level="critical" vd="vdom1" logdesc="FortiGate database signature invalid" user="admin" ui="jsconsole(172.16.15.254)" action="restore-ips" status="failure" msg="Fortigate idsetdb signature invalid."
7: date=2022-02-23 time=17:00:29 eventtime=1645664429515606594 tz="-0800" logid="0100041009" type="event" subtype="system" level="critical" vd="vdom1" logdesc="FortiGate database signature invalid" user="admin" ui="jsconsole(172.16.15.254)" action="restore-ips" status="failure" msg="Fortigate idsdb signature invalid."