https://community.cisco.com/t5/network-security/does-snort-drop-traffic-when-its-restarted-with-quot-inspect/m-p/3071105#M925627 <P>OK, So here is what I found on the subject. &nbsp;The teacher in the instruction video states that SNORT drops traffic with this feature enabled AND SNORT restarts. &nbsp;My question is, is traffic dropped? &nbsp;</P> <P>Here's what I found</P> <P></P> <P>Access Control Policy in question:</P> <P style="padding-left: 30px;">Inspect traffic during policy apply = Yes</P> <P></P> <P>Resource: Configuration Guide for 6.0.1</P> <P style="padding-left: 30px;">Snort® Restarts During Configuration Deployment:</P> <P style="padding-left: 60px;">The Inspect traffic during policy apply advanced access control policy general setting allows you to inspect</P> <P style="padding-left: 60px;">traffic while deploying configuration changes unless a configuration that you deploy requires the Snort process</P> <P style="padding-left: 60px;">to restart, as follows:</P> <P style="padding-left: 60px;">• Enabled — Certain configurations can require the Snort process to restart.</P> <P style="padding-left: 60px;">When the configurations you deploy do not require a Snort restart, the system initially uses the currently</P> <P style="padding-left: 60px;">deployed access control policy to inspect traffic, and switches during deployment to the access control</P> <P style="padding-left: 60px;">policy you are deploying.</P> <P style="padding-left: 60px;">• Disabled — The Snort process always restarts when you deploy. Traffic is not inspected during the</P> <P style="padding-left: 60px;">deployment.</P> <P style="padding-left: 30px;">Page: 271</P> <P><BR />Resource: Youtube</P> <P style="padding-left: 30px;">Video Title: Cisco FirePOWER Access Control Policies - Todd Lammle Training Series</P> <P style="padding-left: 30px;">Time mentioned: 15:34</P> <P style="padding-left: 30px;">Reference Link: <A href="https://youtu.be/kCZQrAYdrFo" target="_blank">https://youtu.be/kCZQrAYdrFo</A></P> <P></P> <P>Note: The Configuration Guide does not state that restarting SNORT will drop traffic, if "Inspect Traffic during policy</P> <P>apply" is set to enabled.</P> <P></P> Fri, 21 Feb 2020 14:04:46 GMT Joshua.Dixon 2020-02-21T14:04:46Z https://community.cisco.com/t5/network-security/does-snort-drop-traffic-when-its-restarted-with-quot-inspect/m-p/3071105#M925627 <P>OK, So here is what I found on the subject. &nbsp;The teacher in the instruction video states that SNORT drops traffic with this feature enabled AND SNORT restarts. &nbsp;My question is, is traffic dropped? &nbsp;</P> <P>Here's what I found</P> <P></P> <P>Access Control Policy in question:</P> <P style="padding-left: 30px;">Inspect traffic during policy apply = Yes</P> <P></P> <P>Resource: Configuration Guide for 6.0.1</P> <P style="padding-left: 30px;">Snort® Restarts During Configuration Deployment:</P> <P style="padding-left: 60px;">The Inspect traffic during policy apply advanced access control policy general setting allows you to inspect</P> <P style="padding-left: 60px;">traffic while deploying configuration changes unless a configuration that you deploy requires the Snort process</P> <P style="padding-left: 60px;">to restart, as follows:</P> <P style="padding-left: 60px;">• Enabled — Certain configurations can require the Snort process to restart.</P> <P style="padding-left: 60px;">When the configurations you deploy do not require a Snort restart, the system initially uses the currently</P> <P style="padding-left: 60px;">deployed access control policy to inspect traffic, and switches during deployment to the access control</P> <P style="padding-left: 60px;">policy you are deploying.</P> <P style="padding-left: 60px;">• Disabled — The Snort process always restarts when you deploy. Traffic is not inspected during the</P> <P style="padding-left: 60px;">deployment.</P> <P style="padding-left: 30px;">Page: 271</P> <P><BR />Resource: Youtube</P> <P style="padding-left: 30px;">Video Title: Cisco FirePOWER Access Control Policies - Todd Lammle Training Series</P> <P style="padding-left: 30px;">Time mentioned: 15:34</P> <P style="padding-left: 30px;">Reference Link: <A href="https://youtu.be/kCZQrAYdrFo" target="_blank">https://youtu.be/kCZQrAYdrFo</A></P> <P></P> <P>Note: The Configuration Guide does not state that restarting SNORT will drop traffic, if "Inspect Traffic during policy</P> <P>apply" is set to enabled.</P> <P></P> Fri, 21 Feb 2020 14:04:46 GMT https://community.cisco.com/t5/network-security/does-snort-drop-traffic-when-its-restarted-with-quot-inspect/m-p/3071105#M925627 Joshua.Dixon 2020-02-21T14:04:46Z https://community.cisco.com/t5/network-security/does-snort-drop-traffic-when-its-restarted-with-quot-inspect/m-p/3071106#M925628 <P>To inspect traffic when you deploy configuration changes unless specific configurations require restarting the Snort process, ensure that <SPAN class="uicontrol">Inspect traffic during policy apply</SPAN> is set to its default value (enabled). When this option is enabled, resource demands could result in a <SPAN style="text-decoration: underline;"><STRONG>small number of packets dropping without inspection</STRONG></SPAN>. See <A href="https://10.7.75.150/help_files/c_Snort_Restarts_During_Configuration_Deployment.html#concept_33516C5D6B574B6888B1A05F956ABDF9">Snort® Restarts During Configuration Deployment</A> for more information.</P> <TABLE class="olh_note"> <TBODY> <TR> <TD class="olh_note"><IMG src="https://10.7.75.150/help_files/template_images/caut.gif" /><BR /><B>Caution</B></TD> <TD class="olh_note"><BR /><HR /> <P>Disabling <SPAN class="uicontrol">Inspect traffic during policy apply</SPAN> restarts the Snort process when you deploy configuration changes.</P> <HR /></TD> </TR> </TBODY> </TABLE> <P></P> <P></P> <P>Answered my own question. &nbsp;It does</P> Thu, 11 May 2017 17:11:03 GMT https://community.cisco.com/t5/network-security/does-snort-drop-traffic-when-its-restarted-with-quot-inspect/m-p/3071106#M925628 Joshua.Dixon 2017-05-11T17:11:03Z