04-05-2017 12:04 PM - edited 02-21-2020 06:02 AM
According to the configuration guide, if a Threat Defense device is configured with interfaces in either redundant or transparent mode and the Snort process restarts as part of a configuration deployment, packets will be dropped.
However, if the interfaces are configured in inline mode, it is possible to set a "Snort Fail Open" setting to enabled, causing packets to instead simply be passed without inspection.
Is it not possible to have this same fail-open behavior when the interfaces are routed, or is there some other trick that can be used to prevent any Snort restart from killing my traffic?
Solved! Go to Solution.
04-05-2017 08:47 PM
I don't think you can do that as of the current FTD 6.2. We'll have to watch for it in a future release.
If it's important to your use case, please raise it via your Cisco account manager as an enhancement request.
Routed mode presents a particular challenge since the device may be a gateway or next hop for all traffic so it cannot just be shunted directly to the egress interface.
04-05-2017 08:47 PM
I don't think you can do that as of the current FTD 6.2. We'll have to watch for it in a future release.
If it's important to your use case, please raise it via your Cisco account manager as an enhancement request.
Routed mode presents a particular challenge since the device may be a gateway or next hop for all traffic so it cannot just be shunted directly to the egress interface.
06-01-2017 02:06 PM
06-02-2017 06:57 AM
You can only fail open if the interfaces are in an inline set. It is not possible with routed mode.
06-02-2017 07:12 AM
That's correct Isaih - thank you for pointing that out.
One of Cisco's design goals going forward is to gretly reduce the number of times (and duration of) Snort restarts during configuration changes / deployments. They realize the current situation is a shortcoming and are endeavoring to remedy it.
10-27-2017 01:16 AM
Hello Marvin,
Do you know what kind of configuration can lead to the SNORT restart ?
We should know this before pushing the policy.
Please confirm on below :
1- whenever we push a new signature database to the FTDs will it surely restart the SNORT and hence there would be an outage for a brief amount ?
2- We have seen SNORT restart is also resetting the whole connection table hence these changes should be made on an approved outage window.
This is really something serious which we should be worrying about.
We should have a checklist stating configuration that can lead to a SNORT restart.
Thanks,
Prashant
10-27-2017 05:40 AM - edited 10-27-2017 05:41 AM
Prashant,
This behavior has been one area where Cisco has focused lately. The following is valid as of Release 6.2.2:
In general, routine policy changes do not cause Snort restart by default.
However some operations require memory reconfiguration and engine reload. Those include:
- HA, MTU, and other infrequent platform changes
- Application preprocessor settings in Network Analysis Policy (NAP)
- URL category/reputation, application detector changes
- Creating/removing TLS, Network Analysis, File/AMP, and NAP policies
Note that VDB updates replace Snort binary and always require a restart
If you have an HA pair or a cluster, engines restart on both HA peers and all cluster members together.
You should also see that unavoidable restarts and binary changes will now generate warnings prior to committing to deploy.
10-29-2017 05:54 PM
Thanks Marvin for your reply.
I want to know if there is any way where we can find out the difference in policies between two deployments ?
Let say, I login to the FMC and can see that FTDs are having some unsaved/underemployment policies , I would like to know what all the changes that has been configured but not been deployed. This exercise can help us to understand if SNORT requires restart or not.
I faced some strange issue, last week I pushed the policy and noticed that users lost the access for they needed to reconnect the sessions. later on I found that Signature DB has been updated which has restarted the SNORT or connection table of the firewalls.
In our deployment, most of the policies are configured for "allow" action which certainly send traffic to the SNORT engine even though you don't an IPS/IDS or file policy associated with it.
You thought please.
10-30-2017 05:30 AM
For all policies EXCEPT the ACP (not sure why that one isn't included), you can select "Compare Policy"and get a report of the delta between the running and chosen policy.
Procedure
10-30-2017 06:40 PM
Compare is not availble for ACP, may be Cisco will include this in 6.3 code.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: