03-19-2018 01:11 PM - edited 02-21-2020 07:32 AM
Hi.
We are currently evaluating the FirePower for use in a project.
Our current test unit is a Firepower 2110 with FTD 6.2.2.2, Managed from the Firepower Management Center.
When running an automatic Rule Update (System->Updates->Rule Updates), the traffic is interrupted for a short time when the device activates the new rules.
My understanding is that the Rule Updates is the IPS/Snort filters.
This interruption is not acceptable to us.
Is there a setting/fix for this issue? Or is this more of a TAC question?
Not updating the filters is not an option.
03-19-2018 01:32 PM - edited 03-19-2018 01:35 PM
Hi,
You are correct, the update is for snort rules.
At the moment this is the behavior if you're running inline.
Here is some more information if you haven't seen it already:
I have configured this rule update to happen at nights.
br, Micke
03-19-2018 02:27 PM
The interface/zone is not part of an inline set. It is a routed interface. Basically a LAN to WAN scenario.
But thanks for the link. I understand a bit more. The users we are serving are connecting with a remote solution 24/7. So any connection interruption is not good at any time.
03-19-2018 08:32 PM
You can minimize the impact by selecting flow preservation during Snort restart. With that, all existing flows will continue to be allowed while the Snort engine restarts. This was a (non-default) option as of 6.2.0.2 and 6.2.2.
Any new flows will continue to be impacted during Snort engine restart.
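One way to check that behavior during a scheduled rule update, added here as an example and not code from this thread: the probe below assumes a TCP echo service on the far side of the FTD and a probe host on the near side (both assumptions), holds one long-lived connection while repeatedly opening new ones, and reports whether the existing flow survived and how long new flows were refused.

```python
import socket
import sys
import time
# Added example, not the thread's code: host/port are placeholders you supply.
def new_flow_ok(host, port, timeout=1.0):
    """A brand-new TCP handshake through the firewall (a 'new flow')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def existing_flow_ok(sock, timeout=1.0):
    """Keepalive on an already-established flow; assumes the peer echoes."""
    try:
        sock.settimeout(timeout)
        sock.sendall(b"x")
        return sock.recv(1) == b"x"
    except OSError:  # includes socket.timeout and connection reset
        return False

def outage_windows(samples, which):
    """samples: [(t, existing_ok, new_ok)]; which: 'existing' or 'new'.
    Returns [(start, end)] intervals during which that probe kind failed."""
    idx = 1 if which == "existing" else 2
    windows, start = [], None
    for s in samples:
        if not s[idx] and start is None:
            start = s[0]
        elif s[idx] and start is not None:
            windows.append((start, s[0]))
            start = None
    if start is not None:  # still failing at the end of the run
        windows.append((start, samples[-1][0]))
    return windows

def summarize(samples):
    ex = outage_windows(samples, "existing")
    nw = outage_windows(samples, "new")
    return {"existing_preserved": not ex,
            "new_flow_outage_s": sum(e - s for s, e in nw)}

if __name__ == "__main__":  # usage: probe.py <echo-host> <port> [seconds]
    host, port = sys.argv[1], int(sys.argv[2])
    long_lived = socket.create_connection((host, port), timeout=2)
    samples = []
    for _ in range(int(sys.argv[3]) if len(sys.argv) > 3 else 600):
        samples.append((time.time(), existing_flow_ok(long_lived),
                        new_flow_ok(host, port)))
        time.sleep(1)
    print(summarize(samples))
```

Start it a minute before the scheduled update window; a non-empty "existing" outage means the preservation setting is not taking effect for that traffic.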
03-20-2018 02:06 AM
Thanks.
Could you please point me in the direction of where I can change this in the Management Center?
03-20-2018 06:08 AM
Look under your Access Control Policy > Advanced > General Settings as follows:
03-20-2018 03:34 PM
Thanks. I checked it and the setting was enabled. It still has some seconds of drops. Enough that it will interrupt RDP sessions and some very sensitive applications.
Is there no workaround for this?
Anyone know if Cisco has said anything about improving this?
03-21-2018 02:47 AM
Cisco is working very hard on improving this. They realize it is a current limitation and many customers and partners have raised it as a concern.
03-22-2018 05:16 AM - edited 03-22-2018 05:17 AM
There is also an option that was introduced in 6.2.0.2. From the CLI it is "configure snort preserve-connection {enable | disable}".
It's not available in 6.2.1 or 6.2.2 but I'm told it will be folded back in to the upcoming 6.2.3 release (ca. April 2018) and will be the default behavior.
That feature may further address your valid concern.
03-22-2018 02:20 PM
Thanks for the information,
09-02-2020 01:28 AM
Hi Guys,
Anyone know if this has been fixed on later versions of FTD (6.5 or 6.6)?
cheers
Anderson