How to find a problem with IPS on a FortiGate firewall
In our case the issue was high memory utilization on the devices, so start by
capturing the memory usage.
1st step: check memory usage

#diagnose hardware sysinfo memory

This shows total, free and cached memory. The per-process listing below is in
the diagnose sys top format (columns: process name, PID, state, CPU %, memory %):

Run Time: 41 days, 16 hours and 7 minutes
4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F
ipsengine    23181    S <    12.7    3.6
ipsengine    23183    S <     4.9    3.7
ipsengine    23180    S <     4.9    3.7
scanunitd     3505    S <     4.9    0.6
ipsengine    23179    S <     2.9    3.7
miglogd        262    S       0.9    1.9

The second line is the CPU split (4% user, 0% nice, 1% system, 94% idle, 0% I/O
wait, 0% hardware IRQ, 1% software IRQ, 0% steal) followed by memory: 3615 MB
total, 764 MB free, so about 79% of memory is in use. The four ipsengine
processes use 3.6-3.7% of memory each, around 15% in total, which makes the IPS
engine the largest memory consumer in the list.
2nd step: check the crash log

# diagnose debug crashlog read

>>>> Nothing related to the IPS engine was found (no ipsengine crash or restart entries).
3rd step: check the FortiGuard package versions

n0_fw (global) # get sys fortiguard-service status

NAME                           VERSION   LAST UPDATE           METHOD     EXPIRE
AV Engine                      6.149     2020-05-29 21:34:00   manual     2025-08-11 23:59:59
Virus Definitions              89.7121   2021-11-23 10:04:37   scheduled  2025-08-11 23:59:59
Extended set                   89.7121   2021-11-23 10:04:37   scheduled  2025-08-11 23:59:59
Flow-based Virus Definitions   89.7121   2021-11-23 10:04:37   scheduled  2025-08-11 23:59:59
Attack Definitions             6.741     2015-12-01 02:30:00   manual     2025-08-11 23:59:59   <-- outdated
Attack Extended Definitions    18.200    2021-11-22 20:05:11   scheduled  2025-08-11 23:59:59
IPS Malicious URL Database     3.195     2021-11-22 20:05:11   scheduled  2025-08-11 23:59:59
IPS/FlowAV Engine              6.071     2021-02-17 20:28:04   scheduled  2025-08-11 23:59:59
IPS Config Script              1.009     2019-06-06 14:02:00   manual     2025-08-11 23:59:59
Application Definitions        18.199    2021-11-18 20:07:31   scheduled  2025-08-11 23:59:59
Industrial Attack Definitions  6.741     2015-12-01 02:30:00   manual     n/a

Finding: the Attack Definitions package (the IPS signature database) is version
6.741, last updated on 2015-12-01 by a manual update, while the AV and
application packages were updated on schedule in November 2021. The IPS
signatures are about six years out of date. Industrial Attack Definitions shows
the same 2015 version and no expiry date.
4th step: update the IPS

Solution: update the IPS from the CLI, in global mode, with the command below,
then re-run get sys fortiguard-service status to confirm that the Attack
Definitions version and LAST UPDATE date have changed.

#execute update-ips

Note: upgrading the IPS engine terminates TCP sessions and therefore disrupts
traffic through the firewall. Schedule this activity in a maintenance window.
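To make the four checks above repeatable across many firewalls, here is an added example (my own code, not from this page or from Fortinet) that parses the two CLI outputs used in steps 1 and 3: it sums the Mem% column of diagnose sys top per process name so the separate ipsengine PIDs are seen as one consumer, and it flags every FortiGuard package whose LAST UPDATE is older than a cutoff, which is exactly how the 2015 Attack Definitions line stands out. The sample texts SYS_TOP and FORTIGUARD_STATUS are constructed from the values shown on this page, AS_OF is an assumed capture date (the day after the last scheduled update), and the conserve-mode thresholds are assumed FortiOS defaults; the function names are my own.

```python
"""Added example (not FortiOS or Fortinet code): turn the `diagnose sys top`
and `get system fortiguard-service status` outputs into a pass/fail triage."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the `diagnose sys top` listing from step 1.
SYS_TOP = """\
Run Time: 41 days, 16 hours and 7 minutes
4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F
ipsengine    23181    S <    12.7    3.6
ipsengine    23183    S <     4.9    3.7
ipsengine    23180    S <     4.9    3.7
scanunitd     3505    S <     4.9    0.6
ipsengine    23179    S <     2.9    3.7
miglogd        262    S       0.9    1.9
"""

# Constructed sample of `get system fortiguard-service status` from step 3.
FORTIGUARD_STATUS = """\
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine 6.149 2020-05-29 21:34:00 manual 2025-08-11 23:59:59
Virus Definitions 89.7121 2021-11-23 10:04:37 scheduled 2025-08-11 23:59:59
Extended set 89.7121 2021-11-23 10:04:37 scheduled 2025-08-11 23:59:59
Flow-based Virus Definitions 89.7121 2021-11-23 10:04:37 scheduled 2025-08-11 23:59:59
Attack Definitions 6.741 2015-12-01 02:30:00 manual 2025-08-11 23:59:59
Attack Extended Definitions 18.200 2021-11-22 20:05:11 scheduled 2025-08-11 23:59:59
IPS Malicious URL Database 3.195 2021-11-22 20:05:11 scheduled 2025-08-11 23:59:59
IPS/FlowAV Engine 6.071 2021-02-17 20:28:04 scheduled 2025-08-11 23:59:59
IPS Config Script 1.009 2019-06-06 14:02:00 manual 2025-08-11 23:59:59
Application Definitions 18.199 2021-11-18 20:07:31 scheduled 2025-08-11 23:59:59
Industrial Attack Definitions 6.741 2015-12-01 02:30:00 manual n/a
"""

# Assumed capture date: the day after the newest scheduled update above.
AS_OF = datetime(2021, 11, 24)
# Assumed FortiOS default conserve-mode thresholds (percent of memory used);
# verify with `show full-configuration system global` on your firmware.
CONSERVE_RED = 88
CONSERVE_EXTREME = 95

MEM_RE = re.compile(r"(\d+)T,\s*(\d+)F")  # "3615T, 764F" = total MB, free MB
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])\s*(<)?\s+([\d.]+)\s+([\d.]+)\s*$")
PKG_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<version>[\d.]+)\s+"
    r"(?P<updated>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<method>manual|scheduled)\s+(?P<expire>\S.*?)\s*$"
)


def memory_summary(top_output):
    """Return (total_mb, free_mb, used_pct, state) from the xxxxT, xxxF field."""
    m = MEM_RE.search(top_output)
    if not m:
        raise ValueError("no memory field like '3615T, 764F' found")
    total, free = int(m.group(1)), int(m.group(2))
    used_pct = round((total - free) * 100 / total, 1)
    if used_pct >= CONSERVE_EXTREME:
        state = "extreme"
    elif used_pct >= CONSERVE_RED:
        state = "conserve"
    else:
        state = "normal"
    return total, free, used_pct, state


def memory_by_process(top_output):
    """Sum Mem% per process name across all PIDs -> {name: (instances, mem_pct)}."""
    instances = defaultdict(int)
    mem = defaultdict(float)
    for line in top_output.splitlines():
        m = PROC_RE.match(line)
        if m:  # header lines (Run Time, CPU split) do not match and are skipped
            name, _pid, _state, _prio, _cpu, mem_pct = m.groups()
            instances[name] += 1
            mem[name] += float(mem_pct)
    return {n: (instances[n], round(mem[n], 1)) for n in instances}


def stale_packages(status_output, as_of, max_age_days=90):
    """(name, version, age_days, method) for packages not updated within max_age_days,
    oldest first. Ages are computed on calendar dates so the time of day is ignored."""
    stale = []
    for line in status_output.splitlines():
        m = PKG_RE.match(line)
        if not m:
            continue  # header or blank line
        updated = datetime.strptime(m["updated"], "%Y-%m-%d %H:%M:%S")
        age = (as_of.date() - updated.date()).days
        if age > max_age_days:
            stale.append((m["name"], m["version"], age, m["method"]))
    stale.sort(key=lambda row: row[2], reverse=True)
    return stale


if __name__ == "__main__":
    total, free, used, state = memory_summary(SYS_TOP)
    print(f"memory: {used}% used ({total - free}/{total} MB), state: {state}")
    by_proc = memory_by_process(SYS_TOP)
    for name, (count, pct) in sorted(by_proc.items(), key=lambda kv: -kv[1][1]):
        print(f"  {name:<12} {count} process(es)  {pct}% mem")
    for name, ver, age, method in stale_packages(FORTIGUARD_STATUS, AS_OF):
        print(f"STALE: {name} {ver} last updated {age} days ago ({method})")
```

Run it against a pasted capture from your own device; anything reported as STALE with method "manual" is a package the scheduled FortiGuard update is not reaching, which is the condition execute update-ips fixes in step 4.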
A few more commands to troubleshoot the IPS engine:

diagnose test application ipsmonitor 5    -> toggles IPS bypass; while bypass is on,
                                             traffic passes without IPS inspection, so
                                             use it to confirm IPS is the cause and
                                             then toggle it back
diagnose test application ipsmonitor 13   -> prints the IPS session list (this is the
                                             command whose output appears below; it
                                             does not restart the engine)
diagnose test application ipsmonitor 99   -> restarts all IPS engines
diagnose ips packet status                -> IPS packet counters, to see how much
                                             traffic IPS is handling
diagnose ips session list                 -> per-session IPS state
diagnose ips session performance          -> per-stage packet and cycle statistics
diagnose ips signature status             -> status of the loaded signatures
n0_fwl_i (global) # dia ips session list
Total TCP sessions: 165
SESSION id:105637489 serial:754130096 proto:6 group:0 age:6 idle:6 flag:0x200027
  feature:0x202 encap:0 ignore:1,0 ignore_after:0,204800
  C-212.224.76.233:44882, S-94.154.20.19:80
  state: C-ESTABLISHED/731/0/0/0/0, S-ESTABLISHED/0/0/0/0/0 pause:0, paws:0
  expire: 24
  app: unknown:0 last:0 unknown-size:0
  cnfm: http
  set: http sip rtsp
  asm: http

(C- is the client side of the session and S- the server side.)
n0_fwl1_i (global) # dia test application ipsmonitor 13
Session List: pid=23179
vf=4 proto=6 194.154.20.10:49770->92.168.217.1:3306
vf=4 proto=6 82.4.241.19:39352->94.154.20.7:443
Total session :26660

(vf is the VDOM index and proto 6 is TCP; the list is for one ipsengine process, pid 23179.)
n0_fwl1_i (global) # diag ips session performance
PERFORMANCE STATISTICS
name        : sess |       pkts     cycles |      pkts   cycles
decoder     :    0 | 1007720701          0 |         0        0
session     :    0 | 1007720701          0 |         0        0
protocol    :    0 |  969665012          0 |         0        0
application :    0 | 1544856777          0 |  63603439        0
detect      :    0 |          0          0 |         0        0
match       :    0 | 2096202687          0 |         0        0
NC match    :    0 | 2931515123          0 |         0        0
Cross Tag   :    0 |  107154002          0 |         0        0
-------------------------------------------------------------------------