You can only fail open if the interfaces are in an inline set.  It is not possible with routed mode.

That's correct Isaih - thank you for pointing that out.

One of Cisco's design goals going forward is to gretly reduce the number of times (and duration of) Snort restarts during configuration changes / deployments. They realize the current situation is a shortcoming and are endeavoring to remedy it.

Hello Marvin,

Do you know what kind of configuration can lead to the SNORT restart ?

We should know this before pushing the policy.

Please confirm on below :

1- whenever we push a new signature database to the FTDs will it surely restart the SNORT and hence there would be an outage for a brief amount ?

2- We have seen SNORT restart is also resetting the whole connection table hence these changes should be made on an approved outage window.

This is really something serious which we should be worrying about.

We should have a checklist stating configuration that can lead to a SNORT restart.

Thanks,

Prashant

Prashant,

This behavior has been one area where Cisco has focused lately. The following is valid as of Release 6.2.2:

In general, routine policy changes do not cause Snort restart by default.

However some operations require memory reconfiguration and engine reload. Those include:
- HA, MTU, and other infrequent platform changes
- Application preprocessor settings in Network Analysis Policy (NAP)
- URL category/reputation, application detector changes
- Creating/removing TLS, Network Analysis, File/AMP, and NAP policies

Note that VDB updates replace Snort binary and always require a restart

If you have an HA pair or a cluster, engines restart on both HA peers and all cluster members together.

You should also see that unavoidable restarts and binary changes will now generate warnings prior to committing to deploy.

Thanks Marvin for your reply.

I want to know if there is any way where we can find out the difference in policies between two deployments ?

Let say, I login to the FMC and can see that FTDs are having some unsaved/underemployment policies , I would like to know what all the changes that has been configured but not  been deployed. This exercise can help us to understand if SNORT requires restart or not.

I faced some strange issue, last week I pushed the policy and noticed that users lost the access for they needed to reconnect the sessions. later on I found that Signature DB has been updated which has restarted the SNORT or connection table of the firewalls.

In our deployment, most of the policies are configured for "allow" action which certainly send traffic to the SNORT engine even though you don't an IPS/IDS or file policy associated with it. 

You thought please.

For all policies EXCEPT the ACP (not sure why that one isn't included), you can select "Compare Policy"and get a report of the delta between the running and chosen policy.

Procedure

Compare is not availble for ACP, may be Cisco will include this in 6.3 code.