cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15736
Views
46
Helpful
10
Replies

Firepower Rule Updates

hdnorway
Level 1
Level 1

Hi.

We are currently evaluating the FirePower for use in a project.

Our current test unit is a Firepower 2110 with FTD 6.2.2.2, Managed from the Firepower Management Center.

 

When running automatic Rule Update. (System->Updates->Rule Updates) the traffic is interrupted for a small time when the devices activates the new rules.

My understanding is that the Rule Updates is the IPS/Snort filters. 

This interruption is not acceptable to us. 

Is there a setting/fix for this issue? Or is this more of an TAC question?
Not updating the filters is not an option.

 

2 Accepted Solutions

Accepted Solutions

There is also an option that was introduced in 6.2.0.2. From the cli it is " configure snort preserve-connection {enable | disable} "

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/6201/relnotes/Firepower_Release_Notes_Version_620x.pdf

 

It's not available in 6.2.1 or 6.2.2 but I'm told it will be folded back in to the upcoming 6.2.3 release (ca. April 2018) and will be the default behavior.

 

That feature may further address your valid concern.

 

View solution in original post

andersonamorim
Level 1
Level 1

Hi Guys,

Anyone knows if this has been fixed on later versions of FTD (6.5 or 6.6).

 

cheers

Anderson

View solution in original post

10 Replies 10

mikael.lahtela
Level 4
Level 4

Hi,

 

You are correct, the update is for snort rules.

At the moment this is the behavior if your running inline.

Here is some more information if you haven seen it already:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/policy_management.html#concept_33516C5D6B574B6888B1A05F956ABDF9

 

I have configured this rule update to happen at nights. 

 

br, Micke

 

The interface/zone is not part of an inline set. It is an routed interface. Basically a lan to wan scenario. 

But thanks for the link. I understand a bit more. The users we are serving is connecting with a remote solution 24/7. So any connection interruption is not good at any time. 

Marvin Rhoads
Hall of Fame
Hall of Fame

You can minimize the impact by selecting for flow Preservation during Snort restart. With that, all existing flows will continued to be allowed while the Snort engine restarts. This was a (non-default) option as of 6.2.0.2 and 6.2.2. 

 

Any new flows will continue to be impacted during Snort engine restart.

Thanks.

Could you please point me in the direction on where i can change this in the Managment Center?

 

Look under your Access Control Policy > Advanced > General Settings as follows:

 

FMC Inspect during policy apply option.PNG

Thanks. I checked it and the setting was enabled. It still has some seconds drop. Enough that it will interrupt RDP sessions and some very sensitive applications. 

There is now workaround for this? 
Anyone now if Cisco has said anything about improving this?

Cisco is working very hard on improving this. They realize it is a current limitation and many customers and partners have raised it as a concern.

 

 

There is also an option that was introduced in 6.2.0.2. From the cli it is " configure snort preserve-connection {enable | disable} "

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/6201/relnotes/Firepower_Release_Notes_Version_620x.pdf

 

It's not available in 6.2.1 or 6.2.2 but I'm told it will be folded back in to the upcoming 6.2.3 release (ca. April 2018) and will be the default behavior.

 

That feature may further address your valid concern.

 

Thanks for the information,

andersonamorim
Level 1
Level 1

Hi Guys,

Anyone knows if this has been fixed on later versions of FTD (6.5 or 6.6).

 

cheers

Anderson

Review Cisco Networking for a $25 gift card