https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332816#M1122864 <P>Yes very common. All major firewall vendors have "scheduled deploy" features for this exact reason (among others).</P> Tue, 23 Sep 2025 19:41:51 GMT ahollifield 2025-09-23T19:41:51Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332707#M1122855 <P>The FTD's (managed by FMC) used to drop traffic all the time when doing policy deploys. But it seems to be better in 7.x.</P><P>We have some critical network traffic flowing through the firewall. At times we do see traffic disrupted during policy deploys. I believe this is due to the snort process restarting. Is there any way to make it so traffic is NEVER disrupted even when snort needs to restart? Like a fail open?</P><P>I'm looking for any tips or setting changes to ensure traffic stays up. Thanks!</P> Tue, 23 Sep 2025 13:50:25 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332707#M1122855 Ralphy006 2025-09-23T13:50:25Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332724#M1122856 <P>I'm not aware of any. If the policy deploy requires a service restart, that's a fact of life.</P> Tue, 23 Sep 2025 15:19:47 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332724#M1122856 ahollifield 2025-09-23T15:19:47Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332731#M1122857 <P>Looks same as i know refer below the when the snort restart take place :</P> <P><A href="https://docs.defenseorchestrator.com/cdfmc/c_snort_restart_scenarios.html#:~:text=When%20the%20traffic%20inspection%20engine,whether%20the%20Snort%20process%20restarts" target="_blank">https://docs.defenseorchestrator.com/cdfmc/c_snort_restart_scenarios.html#:~:text=When%20the%20traffic%20inspection%20engine,whether%20the%20Snort%20process%20restarts</A>.</P> Tue, 23 Sep 2025 15:54:42 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332731#M1122857 balaji.bandi 2025-09-23T15:54:42Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332750#M1122858 <P>Is this common among other firewall vendors too? Personally, I feel it's unacceptable to have no workaround</P> Tue, 23 Sep 2025 16:20:12 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332750#M1122858 Ralphy006 2025-09-23T16:20:12Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332752#M1122860 <P>yeah that's what I was reading too. Looks line "inline" ports has a fail open option. I'm not sure how many FTD users use the "inline" feature. I'd think most used routed interfaces. In which there is no option but to drop traffic which is a shame. I was hoping there was some workaround</P> Tue, 23 Sep 2025 16:23:03 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332752#M1122860 Ralphy006 2025-09-23T16:23:03Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332754#M1122861 <P>May cisco working on that i guess - but not that i am aware any version yet. even FMC you do not have multi user policy change (unlike other vendor - just to mentioned) - some limitation, But cisco BU look this and make use case to add features.</P> <P>so suggestion is do the changes in maintenance window, like off peak ours.</P> <P>&nbsp;</P> Tue, 23 Sep 2025 16:32:24 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332754#M1122861 balaji.bandi 2025-09-23T16:32:24Z https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332816#M1122864 <P>Yes very common. All major firewall vendors have "scheduled deploy" features for this exact reason (among others).</P> Tue, 23 Sep 2025 19:41:51 GMT https://community.cisco.com/t5/network-security/ftd-7-6-2-snort-fail-open/m-p/5332816#M1122864 ahollifield 2025-09-23T19:41:51Z