Revert FTD HA pair to Snort 2

phil6564
Level 1

Hi all

We have an FTD 1010 pair, in high availability, running version 7.0.3 and Snort 3, which is incorrectly classifying packets as malicious and blocking them. We have been advised to downgrade to Snort 2. Has anyone done this before on an HA pair? We've done it on a non-HA device, but I need to know the following things:

1. Can we do the downgrade on the secondary, deploy, then failover and do the primary or do we have to do it at HA level, thus doing both at the same time?

2. If we have to do it at HA level, does FMC automatically manage the failover and keep traffic flowing, or is there an outage?

3. I believe the Snort process stops during this procedure, so, if that's the case, for how long?

Thanks in advance,

Phil.


manabans
Cisco Employee

Snort 3 is the default inspection engine for newly registered FTD devices of version 7.0 and above. However, for FTD devices of lower versions, Snort 2 is the default inspection engine. You can switch Snort versions when required.

1. No. We can downgrade the Snort version at the FTD HA level, but not on individual devices.
2. During the deployment process, there will be a momentary traffic loss, since the current inspection engine needs to be shut down.
3. A definite time interval for the impact may not be defined.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/migrating.html#concept_D87B73A83ACA42CCA656F0041F9D860B-enabledisable 
