Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1433
Views
0
Helpful
6
Replies

SNORT allow/disallow traffic flow when Snort is busy or unavailable

ida71
Level 1
Level 1

‎01-13-2022 03:38 AM

Hi All,

 

I'm suffering form brain fade. I'm sure there is a setting for this on the FMC, but for the life of me I can't find it at the moment.

It's running V7.0.1.

Default is to block traffic, but we have an issue with Snort crapping out randomly and exhausting the 1550 memory Blocks.

show blocks  will get this for you.

 

Anyone know where that setting is, so I can change it to allow so if Snort craps out again, whilst TAC are trying to diagnose it, the customers will still get served.

 

Thanks

0 Helpful
6 Replies 6

ida71
Level 1
Level 1

‎01-13-2022 04:05 AM

I think have found the answer. When I first used FTD's a few years back it was as inline IPS & that setting existed in the interface configuration. Looks like it does NOT exist in routed FW mode

 

If anyone knows better, please share.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-13-2022 05:47 AM - edited ‎01-13-2022 06:29 AM

New connections will not be established when Snort is unavailable (unless of course they are fastpathed via prefilter policy).

If Snort goes down (or restarts as part of a deployment, for example), existing connections should continue to be allowed by default.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/policy_management.html#concept_uc1_gtq_ty

0 Helpful

ida71
Level 1
Level 1
In response to Marvin Rhoads

‎01-13-2022 06:00 AM

Snort is crapping out by itself, no policy deploy etc. Fully aware of the Snort traffic interrupts when Snort restarts.

We have an issue where Snort craps out on Active FW, but process is still running so FW's do NOT failover, manual failover & restart of Snort on the now Standby FW resolves the issue. To improve the customer experience, I was looking for the setting to allow traffic flow based on ACL's only if Snort fails, which does exist for inline interfaces used as IPS.

0 Helpful

ida71
Level 1
Level 1
In response to Marvin Rhoads

‎01-14-2022 11:20 AM

Thanks Marvin, appreciate the feedback.
Chris.
0 Helpful

ida71
Level 1
Level 1

‎01-13-2022 05:56 AM - edited ‎02-01-2022 01:37 AM

Hi Marvin,, not sure what's up with the link you posted but it goes to

https://spotler.e-druva.com/<SNIP>   Dead link now

 

And wants to unsubscribe you !

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ida71

‎01-13-2022 06:30 AM

Thanks for the heads up @ida71 I fixed the link. Weird - it displayed OK but did indeed have that unsubscribe link.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card