Solved: Firepower 6.7.0 and Snort 3.0

ZhulienKeremedchiev8741 · ‎11-06-2020

Hi All,

I am facing some issue after an upgrade from 6.6.0 to 6.7.0 for both my FMCv and FTDv. As per the release notes I should be able to switch to using Snort 3.0 after the update from the "Device > Updates page, in the Intrusion Rules group", but am unable to find said menu.

The above is taken from the release notes of 6.7:

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

Anyone able to advise on how to switch from Snort 2 to Snort 3 and vice-versa or if there are any limitations?

umapatel · ‎01-13-2021

Snort 3.0 support is available to FDM/FTD6.7.0 and not yet available with FMC/FTD6.7.0.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html#Cisco_Concept.dita_a80d279e-cfa6-4372-a748-5ce7d3d7cd0a

View solution in original post

Marvin Rhoads · ‎11-08-2020

I think they haven't actually put that in the menus, contrary to the release notes.

I checked my lab FMC 6.7 and don't see it. I also downloaded and searched the entire 3067 page FMC Configuration Guide and that menu choice doesn't appear there either.

It looks like it is available as one of the rare cli configuration commands:

> configure snort3 
  disable  Disable Snort3 on the next deploy.
  enable   Enable Snort3 on the next deploy.

ZhulienKeremedchiev8741 · ‎11-09-2020

Hi Marvin,

Thank you for the information. Could you please share what FTD you are using as that option is not available on any of the FTDv devices I have in our lab environment:

> configure snort3

> configure snort
snort Configure Snort options

> configure snort
preserve-connection preserve connection

I even deployed an FTDv for ESXi directly on 6.7 and upgraded another FTDv from 6.6 to 6.7 on the other and the option is not available on either.

Eric R. Jones · ‎09-15-2021

I have a similar issue where we need to run on snort3 and make sure the version is higher than 2.9.18 due to IAVA release. Will running this command cause the FTD's to reboot or just at the next deployment restart the snort engine as V3?

I've been trying to confirm through CLI which one were using but could only find a section in Advanced Troubleshooting section showing the version.

ej

ZhulienKeremedchiev8741 · ‎12-10-2020

Anyone found a solution?

umapatel · ‎01-13-2021

Snort 3.0 support is available to FDM/FTD6.7.0 and not yet available with FMC/FTD6.7.0.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html#Cisco_Concept.dita_a80d279e-cfa6-4372-a748-5ce7d3d7cd0a

ZhulienKeremedchiev8741 · ‎01-14-2021

Thanks Uma, indeed I can see the option on the newly deployed FTD managed locally ... I missed the line where it says the features are only for FDM

Do you have an ETA when this will be added to FMC/FTD combo?

Regards,

Zhulien

Marvin Rhoads · ‎01-13-2021

Correct - the device I checked was an FTDv 6.7 that's locally-managed (FDM).