09-23-2025 06:50 AM
The FTDs (managed by FMC) used to drop traffic all the time when doing policy deploys. But it seems to be better in 7.x.
We have some critical network traffic flowing through the firewall. At times we do see traffic disrupted during policy deploys. I believe this is due to the snort process restarting. Is there any way to make it so traffic is NEVER disrupted even when snort needs to restart? Like a fail open?
I'm looking for any tips or setting changes to ensure traffic stays up. Thanks!
09-23-2025 08:19 AM
I'm not aware of any. If the policy deploy requires a service restart, that's a fact of life.
09-23-2025 09:20 AM
Is this common among other firewall vendors too? Personally, I feel it's unacceptable to have no workaround.
09-23-2025 12:41 PM - edited 09-23-2025 12:41 PM
Yes very common. All major firewall vendors have "scheduled deploy" features for this exact reason (among others).
09-23-2025 08:54 AM
Looks the same as I know; refer below to when the snort restart takes place:
09-23-2025 09:23 AM
Yeah, that's what I was reading too. Looks like "inline" ports have a fail-open option. I'm not sure how many FTD users use the "inline" feature. I'd think most use routed interfaces, in which case there is no option but to drop traffic, which is a shame. I was hoping there was some workaround.
09-23-2025 09:32 AM
Maybe Cisco is working on that, I guess, but not in any version that I am aware of yet. Even FMC does not have multi-user policy change (unlike other vendors, just to mention) - some limitation, but the Cisco BU looks at this and makes use cases to add features.
So the suggestion is to do the changes in a maintenance window, like off-peak hours.