https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032762#M1006520 <P>Veronike - please correct me if I am wrong; but I believe any policy deployment that includes Snort rule updates will require a restart of the Snort engine and thus cause a brief traffic disruption.</P> Sun, 21 May 2017 12:59:13 GMT Marvin Rhoads 2017-05-21T12:59:13Z https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032760#M1006515 <P>Every so often when we apply SourceFire policies to our firewalls there will be a temporary (approximately 5 minutes) loss of all internet traffic. &nbsp;Does this happen to anyone else? &nbsp;Any idea what could be the cause? &nbsp;I'd say it happens about 10% of the time. &nbsp;Thanks.</P> Tue, 12 Mar 2019 13:24:22 GMT https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032760#M1006515 darin.gottman1 2019-03-12T13:24:22Z https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032761#M1006517 <P>Hello Darin,</P> <P></P> <P>from provided description this might be caused by specific configuration change that is done to Access Control Policy bundle. Some configuration settings requires snort/detection engine restart which will cause network disruption, with this in mind temporary network outage can be expected. But there is opportunity to avoid such network interruption by adjusting ACP advance settings tab, there is option "<SPAN>Inspect traffic during policy apply</SPAN>" that can allow you to say whether traffic should be inspected or not during ACP apply.</P> <P>Documentation reference:</P> <P>http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/policy_management.html#concept_33516C5D6B574B6888B1A05F956ABDF9</P> <P></P> <P>Best regards,</P> <P>Veronika</P> Sun, 21 May 2017 11:03:36 GMT https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032761#M1006517 Veronika Klauzova 2017-05-21T11:03:36Z https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032762#M1006520 <P>Veronike - please correct me if I am wrong; but I believe any policy deployment that includes Snort rule updates will require a restart of the Snort engine and thus cause a brief traffic disruption.</P> Sun, 21 May 2017 12:59:13 GMT https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032762#M1006520 Marvin Rhoads 2017-05-21T12:59:13Z https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032763#M1006522 <P>Marvin,</P> <P>that's correct and one of very great example's.</P> <P></P> <P>This can be confirmed by performing IPS update along with policy bundle re-apply action in lab. First new SRU will be downloaded from Cisco owned download server, SRU will be installed and afterwards policy reapplied from FMC down to sensor. What we can observe during this process is that whenever detection engine restarts, it's process it will be changed and during this time traffic disruption will be observed, just note that during reload of the detection engine process ID would remain same and traffic will be process without interruption.&nbsp;</P> <P></P> <P>Demonstration from lab environment:</P> <PRE class="prettyprint">&gt; <STRONG>expert</STRONG><BR />sudo admin@fmc:~$ <STRONG>sudo su</STRONG><BR />root@fmc:/Volume/home/admin# <STRONG>head /var/sf/detection_engines/0b93c184-34ad-11e7-ab1b-7f2c11b82031/ngfw.rules</STRONG><BR />#### ngfw.rules<BR />##############################################################################<BR />#<BR /># AC Name : new<BR /># Policy Exported : Mon May 22 08:19:01 2017 (UTC)<BR /># File Written : Mon May 22 08:19:37 2017 (UTC)<BR />#<BR /># DC Version : 6.2.0<BR /><STRONG># SRU : 2016-03-28-001-vrt</STRONG><BR /># VDB : 271<BR />root@fmc:/Volume/home/admin# <STRONG>pmtool status | grep -i "de,snort"; date</STRONG> <BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d01 (de,snort) - Running <STRONG>9542 --&gt; process ID of detection engine before any policy changes and before SRU update</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d02 (de,snort) - Running <STRONG>9543</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d03 (de,snort) - Running <STRONG>9544</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d04 (de,snort) - Running <STRONG>9545</STRONG><BR />Mon May 22 08:53:31 UTC 2017<BR />root@fmc:/Volume/home/admin#<BR />root@fmc:/Volume/home/admin#<BR />root@fmc:/Volume/home/admin#</PRE> <H5 class="prettyprint">Outputs&nbsp;after&nbsp;SRU update and policy reapply is being pushed down to sensor:</H5> <PRE class="prettyprint">root@fmc:/Volume/home/admin#<BR />root@fmc:/Volume/home/admin# <STRONG>pmtool status | grep -i "de,snort"; date</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d01 (de,snort) - Running <STRONG>22575 --&gt; process ID changed after detection engine restart</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d02 (de,snort) - Running <STRONG>22576</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d03 (de,snort) - Running <STRONG>22577</STRONG><BR />0b93c184-34ad-11e7-ab1b-7f2c11b82031-d04 (de,snort) - Running <STRONG>22578</STRONG><BR />Mon May 22 09:29:46 UTC 2017<BR />root@fmc:/Volume/home/admin# <STRONG>head /var/sf/detection_engines/0b93c184-34ad-11e7-ab1b-7f2c11b82031/ngfw.rules</STRONG><BR />#### ngfw.rules<BR />##############################################################################<BR />#<BR /># AC Name : new<BR /><STRONG># Policy Exported : Mon May 22 09:25:27 2017 (UTC)</STRONG><BR /># File Written : Mon May 22 09:26:32 2017 (UTC)<BR />#<BR /># DC Version : 6.2.0<BR /><STRONG># SRU : 2017-05-18-001-vrt --&gt; new SRU pushed to detection engine</STRONG><BR /># VDB : 271<BR />root@fmc:/Volume/home/admin#</PRE> <P></P> <P>Best regards,</P> <P>Veronika</P> Mon, 22 May 2017 09:40:52 GMT https://community.cisco.com/t5/network-security/temporary-loss-of-internet/m-p/3032763#M1006522 Veronika Klauzova 2017-05-22T09:40:52Z