Reverting to Snort 2 from Snort 3 is not an ideal solution, especially since Snort 3 is designed to provide better performance and functionality. However, it might be a temporary workaround until the root cause of the high CPU usage is identified and resolved.
Before considering this workaround, I would suggest you try the following steps to diagnose and troubleshoot the issue:
1. Verify the FTD1150's software version: Ensure that you are running the latest recommended version of Firepower Threat Defense (FTD) software, as there might be bug fixes or performance improvements in the newer versions.
2. Check Snort configuration: Review the Snort configuration on your FTD1150's, specifically the inspection rules and policies. Ensure that you have not enabled unnecessary or overly aggressive rules that could be causing high CPU utilization.
3. Monitor CPU usage: Use the Firepower Management Center (FMC) or the FTD Command Line Interface (CLI) to monitor the CPU usage over time. Identify any patterns or specific times when the CPU usage spikes, which could give you clues about the cause of the issue.
4. Analyze Snort logs: Review the Snort logs for any error messages or warnings that could indicate the reason for the high CPU usage. You can access the Snort logs from the FMC or the FTD CLI.
5. Perform a packet capture: If the high CPU usage is related to specific traffic patterns, you can perform a packet capture on the FTD1150's to identify the traffic causing the issue. This can help you fine-tune your Snort rules and policies to reduce CPU usage.
6. Open a TAC case: If you are still unable to resolve the issue after trying the above steps, I recommend opening a case with Cisco TAC. Provide them with all the relevant information, including the FTD and FMC software versions, Snort configuration, logs, and any other observations you have made. The TAC engineers will be able to assist you in identifying and resolving the issue.
Remember, reverting to Snort 2 should only be considered as a temporary workaround, and it is essential to identify and resolve the root cause of the high CPU usage to ensure optimal performance and security of your FTD1150's.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.