Firesight IPS sensor Rule Update causing Packets to Drop

Ralphy006
Level 1

While the Firesight IPS sensor loads a rule update....snort restarts in order to load new configuration.

However, when this happens, the IPS sensor drops multiple packets (about 20).

Anyone know a way around this?

The IPS is set to "fail-open" from the firewall's perspective.

Any thoughts would be appreciated!

2 Replies

Dennis Perto
Level 5

Is "Inspect traffic during policy apply" turned on, under Advanced in your Access Control policy?

Yes. When the box is checked, there is less packet loss during rule updates. However, we still see packet loss every few days.

Here is an answer from TAC:

When "Inspect traffic during policy apply" is set to no, and a policy apply is happening on the SFR modules, all traffic will be dropped.

Let me explain the behavior of this feature.

When you have the "Inspect traffic during policy apply" option enabled, Snort inspects all traffic with the old configuration while it is validating and loading the new configuration. Once the new configuration has finished validating and initializing, Snort swaps the configuration and starts inspecting the current traffic with the new configuration.

If you disable this option, every AC policy apply will cause all traffic going to the SFR to be dropped. To prevent the traffic from being dropped during every AC policy apply, leave this option enabled. Even with this option enabled, there are still certain configuration changes in the policy that can cause Snort to restart. If you are concerned about this, you should check the online help for the relevant changes that you are making. If the changes being made cause Snort to restart, there will be a mention in the guide.

To avoid traffic interruptions, please schedule policy applies during a maintenance window.

Here are some situations that will require a Snort restart as opposed to a Snort reload. Though this is not externally documented, these include:
  • When you apply an access control policy that pushes a new version of Snort to a managed device following a Defense Center upgrade.
  • When you apply a policy for the first time after a rule import that includes shared object rules.
  • In some cases, when you install a VDB update.
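The TAC reply above distinguishes a Snort reload (old configuration keeps inspecting until the swap) from a Snort restart (traffic through the module drops until Snort is back). The quickest way to tell which one a deployment caused is to run a continuous probe through the sensor during the policy apply and measure the gap. The script below is an added example, not part of the original thread and not a Cisco tool: it assumes you captured the output of a fixed-interval probe such as `ping -i 0.1 <host-behind-the-IPS>` to a file, and it reports each burst of consecutive lost sequence numbers with its length and approximate duration. The ping lines it parses are constructed here to resemble a run in which 20 probes at 100 ms intervals went missing.

```python
"""Quantify a forwarding outage across a Firepower policy apply from a probe log.

Added example (not from the original post or from Cisco). Assumes a continuous
fixed-interval probe was run through the sensor and its output saved; the log
below is CONSTRUCTED to resemble Linux `ping` output with one loss burst.
"""
import re
from dataclasses import dataclass

# Constructed sample: probes every 100 ms, sequence numbers 12..31 never returned
# (20 probes, roughly 2 seconds of blackout).
SAMPLE_PING_LOG = "\n".join(
    [f"64 bytes from 10.0.0.10: icmp_seq={i} ttl=64 time=0.4 ms" for i in range(1, 12)]
    + [f"64 bytes from 10.0.0.10: icmp_seq={i} ttl=64 time=0.5 ms" for i in range(32, 50)]
)

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


@dataclass
class LossBurst:
    """A run of consecutive probe sequence numbers that never came back."""
    first_lost: int
    last_lost: int

    def count(self) -> int:
        return self.last_lost - self.first_lost + 1

    def duration_s(self, interval_s: float) -> float:
        # Probes are sent at a fixed interval, so lost count * interval ~= outage length.
        return self.count() * interval_s


def received_sequences(log_text: str) -> list[int]:
    """Extract the icmp_seq of every reply present in the log, in ascending order."""
    return sorted(int(m.group(1)) for m in SEQ_RE.finditer(log_text))


def loss_bursts(seqs: list[int]) -> list[LossBurst]:
    """Any jump greater than 1 between adjacent received sequences is a loss burst."""
    bursts = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            bursts.append(LossBurst(prev + 1, cur - 1))
    return bursts


def summarize(log_text: str, interval_s: float = 0.1) -> dict:
    """Return expected/received/lost counts plus (first, last, count, seconds) per burst.

    `expected` is derived from the first and last seen sequence number, so probes
    lost before the first reply or after the last one are not counted.
    """
    seqs = received_sequences(log_text)
    expected = seqs[-1] - seqs[0] + 1 if seqs else 0
    return {
        "expected": expected,
        "received": len(seqs),
        "lost": expected - len(seqs),
        "bursts": [
            (b.first_lost, b.last_lost, b.count(), round(b.duration_s(interval_s), 1))
            for b in loss_bursts(seqs)
        ],
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PING_LOG
    result = summarize(text)
    print(f"expected={result['expected']} received={result['received']} lost={result['lost']}")
    for first, last, count, secs in result["bursts"]:
        print(f"  lost seq {first}..{last}: {count} probes, ~{secs}s outage")
```

Run it against a saved capture (`python3 probe_gaps.py ping.log`) and line the burst up with the deployment timestamp on the Defense Center: a gap of a second or two that recurs only on deployments matching the restart cases listed above (new Snort version, first apply after a shared-object rule import, some VDB updates) is the restart behaviour TAC describes, while a blackout on every apply points at "Inspect traffic during policy apply" being disabled.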
