Firesight IPS sensor Rule Update causing Packets to Drop

Ralphy006 — Sun, 10 Mar 2019 13:33:57 GMT

While the Firesight IPS sensor loads a rule update....snort restarts in order to load new configuration.

However, when this happens, the IPS sensor drops multiple packets (about 20).

Anyone know a way around this?

The IPS is set to "fail-open" from the firewall's perspective.

Any thoughts would be appreciated!

Is "Inspect traffic during

Dennis Perto — Wed, 09 Mar 2016 12:24:00 GMT

Is "Inspect traffic during policy apply" turned on, under Advanced in your Access Control policy?

Yes.

Ralphy006 — Wed, 09 Mar 2016 15:45:58 GMT

Yes. When the box is checked, there is less packet loss during rule updates. However, we still see packet loss every few days

Here is an answer from TAC:

When the inspect traffic during policy apply is set to no, and when there is a policy apply happening on the SFR modules, all traffic will be dropped

Let me explain the behavior of this feature

When you have the “Inspect traffic during policy apply” option enabled what happens is snort will inspect all traffic with the old configuration while it is validating and loading the new configuration. Once the new configuration is finished validating and initializing snort will swap the configuration and start inspecting the current traffic with the new configuration

If you disable this option, every AC policy apply will cause all traffic going to the SFR to be dropped. To prevent the traffic from being dropped during every AC policy apply, leave this option enabled. Even with this option enabled, there are still certain configuration changes in the policy that can cause snort to restart. If you are concerned about this, you should check the online help for the relevant changes that you are making. If the changes being made cause snort to restart there will be a mention in the guide

To avoid traffic interruptions, please schedule policy applies during a maintenance window

here are some situations that will require a snort restart as opposed to a snort reload. Though this is not externally documented, these include:

When you apply an access control policy that pushes a new version of Snort to a managed device following a Defense Center upgrade.
When you apply a policy for the first time after a rule import that includes shared object rules.
In some cases, when you install a VDB update.

topic Firesight IPS sensor Rule Update causing Packets to Drop in Network Security

Firesight IPS sensor Rule Update causing Packets to Drop

Is "Inspect traffic during

Yes.