topic Re: Firepower Rule Updates in Network Security

Firepower Rule Updates

hdnorway — Fri, 21 Feb 2020 15:32:11 GMT

Hi.

We are currently evaluating the FirePower for use in a project.

Our current test unit is a Firepower 2110 with FTD 6.2.2.2, Managed from the Firepower Management Center.

When running automatic Rule Update. (System->Updates->Rule Updates) the traffic is interrupted for a small time when the devices activates the new rules.

My understanding is that the Rule Updates is the IPS/Snort filters.

This interruption is not acceptable to us.

Is there a setting/fix for this issue? Or is this more of an TAC question?
Not updating the filters is not an option.

Re: Firepower Rule Updates

mikael.lahtela — Mon, 19 Mar 2018 20:35:17 GMT

Hi,

You are correct, the update is for snort rules.

At the moment this is the behavior if your running inline.

Here is some more information if you haven seen it already:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/policy_management.html#concept_33516C5D6B574B6888B1A05F956ABDF9

I have configured this rule update to happen at nights.

br, Micke

Re: Firepower Rule Updates

hdnorway — Mon, 19 Mar 2018 21:27:29 GMT

The interface/zone is not part of an inline set. It is an routed interface. Basically a lan to wan scenario.

But thanks for the link. I understand a bit more. The users we are serving is connecting with a remote solution 24/7. So any connection interruption is not good at any time.

Re: Firepower Rule Updates

Marvin Rhoads — Tue, 20 Mar 2018 03:32:48 GMT

You can minimize the impact by selecting for flow Preservation during Snort restart. With that, all existing flows will continued to be allowed while the Snort engine restarts. This was a (non-default) option as of 6.2.0.2 and 6.2.2.

Any new flows will continue to be impacted during Snort engine restart.

Re: Firepower Rule Updates

hdnorway — Tue, 20 Mar 2018 09:06:29 GMT

Thanks.

Could you please point me in the direction on where i can change this in the Managment Center?

Re: Firepower Rule Updates

Marvin Rhoads — Tue, 20 Mar 2018 13:08:49 GMT

Look under your Access Control Policy > Advanced > General Settings as follows:

Re: Firepower Rule Updates

hdnorway — Tue, 20 Mar 2018 22:34:30 GMT

Thanks. I checked it and the setting was enabled. It still has some seconds drop. Enough that it will interrupt RDP sessions and some very sensitive applications.

There is now workaround for this?
Anyone now if Cisco has said anything about improving this?

Re: Firepower Rule Updates

Marvin Rhoads — Wed, 21 Mar 2018 09:47:21 GMT

Cisco is working very hard on improving this. They realize it is a current limitation and many customers and partners have raised it as a concern.

Re: Firepower Rule Updates

Marvin Rhoads — Thu, 22 Mar 2018 12:17:33 GMT

There is also an option that was introduced in 6.2.0.2. From the cli it is " configure snort preserve-connection {enable | disable} "

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/6201/relnotes/Firepower_Release_Notes_Version_620x.pdf

It's not available in 6.2.1 or 6.2.2 but I'm told it will be folded back in to the upcoming 6.2.3 release (ca. April 2018) and will be the default behavior.

That feature may further address your valid concern.

Re: Firepower Rule Updates

hdnorway — Thu, 22 Mar 2018 21:20:18 GMT

Thanks for the information,

Re: Firepower Rule Updates

andersonamorim — Wed, 02 Sep 2020 08:28:26 GMT

Hi Guys,

Anyone knows if this has been fixed on later versions of FTD (6.5 or 6.6).

cheers

Anderson