Administration Guide

Manual updates

When needed, FortiGuard Distribution Network (FDN) updates can be manually uploaded.

To manually update the signature definitions files:
  1. Log in to the Fortinet Support website.
  2. Go to Support > Service Updates.
  3. Select your OS Version from the dropdown list.
  4. Locate your device in the table, and download the signature definitions files.
  5. On the FortiGate, go to System > FortiGuard.
  6. In the License Information table, locate and expand the definitions that you are updating.
  7. From the Actions menu in the rightmost column, select Upgrade Database.
  8. In the pane that opens, click Upload, locate the downloaded definitions file on your computer, then click Open.

    The download may take a few minutes to complete.

  9. Click OK.

AV and IPS manual updates

AV and IPS packages are signed by the Fortinet CA to ensure authenticity of the packages. During manual package updates, signed and validated packages will be accepted. If a package is not signed, the following applies:

  • Level-0: accept the new package even if it is unsigned.
  • Level-1: display a warning and request a user confirmation to accept.
  • Level-2: display an error and reject the image.
  • If no level is configured, apply Level-1.

Note: Security levels are pre-configured on the BIOS.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55

To verify the manual AV and IPS package updates:
# diagnose debug app updated -1
# diagnose debug enable

Manual update of an unsigned package with level-1 configured

A warning message is displayed in the console, requesting user confirmation to accept the update of an unsigned package.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 172.16.200.55 ...
##

Get IPS database from tftp server OK.
******WARNING: This package file has no signature for validation.******
Fortinet cannot verify the authenticity of this package and therefore
there may be a risk that the package contains code unknown to Fortinet.
In short, Fortinet cannot validate the package and makes no warranties
or representations concerning the package.
Please continue only if you understand and are willing to accept the risks.
Do you want to continue? (y/n)y
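
The level-1 exchange above leaves a recognizable trace in a saved console log: the unsigned-package warning followed by a second confirmation prompt. The Python script below is an added example, not Fortinet code; it scans such a transcript and reports restore commands where an operator accepted an unsigned package. The function names and the second session's file name are constructed for illustration.

```python
import re
# Marker strings below are copied from the console output shown on this page.
RESTORE_RE = re.compile(r"#\s*execute restore (\S+) tftp (\S+) (\S+)")
UNSIGNED_MARK = "This package file has no signature for validation"
PROMPT_RE = re.compile(r"Do you want to continue\? \(y/n\)\s*([yYnN])?")

def audit_restores(transcript):
    """Return one record per 'execute restore' command in a console log."""
    records, current = [], None
    for line in transcript.splitlines():
        m = RESTORE_RE.search(line)
        if m:
            current = {"db": m.group(1), "file": m.group(2), "server": m.group(3),
                       "unsigned_warning": False, "accepted_unsigned": False}
            records.append(current)
            continue
        if current is None:
            continue
        if UNSIGNED_MARK in line:
            current["unsigned_warning"] = True
        p = PROMPT_RE.search(line)
        # Only a prompt that follows the warning is the unsigned override;
        # the earlier prompt is the routine overwrite confirmation.
        if p and current["unsigned_warning"]:
            current["accepted_unsigned"] = (p.group(1) or "").lower() == "y"
    return records

def overrides(transcript):
    """File names of unsigned packages that an operator chose to install."""
    return [r["file"] for r in audit_restores(transcript) if r["accepted_unsigned"]]

# Constructed sample: the level-1 session from this page (abridged), then a
# constructed second session in which the operator answers 'n'.
SAMPLE = """\
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y
Get IPS database from tftp server OK.
******WARNING: This package file has no signature for validation.******
Do you want to continue? (y/n)y
# execute restore ips tftp example-unsigned.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y
Get IPS database from tftp server OK.
******WARNING: This package file has no signature for validation.******
Do you want to continue? (y/n)n
"""
if __name__ == "__main__":
    print(overrides(SAMPLE))
```

A record with `unsigned_warning` set but `accepted_unsigned` false means the operator declined at the second prompt.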

Manual update of an unsigned package with level-2 configured

A warning message is displayed in the console, and the image is rejected.

To execute the update:
# execute restore ips tftp nids-720-19.261.pkg 172.16.200.55
This operation will overwrite the current IPS package!
Do you want to continue? (y/n)y

Please wait...

Connect to tftp server 172.16.200.55 ...
##

Get IPS database from tftp server OK.
