Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16404
Views
3
Helpful
3
Replies

SNORT Process Restart

fatalXerror
Level 5
Level 5

‎10-01-2018 09:54 PM - edited ‎03-12-2019 07:00 AM

Hi, I want to restart my SNORT process, will it drop traffic? Is there any way to restart SNORT without any dropping of traffic? Thanks

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-01-2018 11:45 PM

A snort restart will typically interrupt active flows.

 

Here's how to do it from the sensor cli (FTD running on a Firepower appliance in this case):

 

> expert
admin@fw1:~$ sudo su    
Password: 
root@fw1:/home/admin# pmtool restartbytype snort ?
root@fw1:/home/admin# pmtool | grep snort

 

 

fatalXerror
Level 5
Level 5
In response to Marvin Rhoads

‎10-02-2018 12:38 AM

thanks @Marvin Rhoads, is there any other ways to do it without any interruption?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fatalXerror

‎10-02-2018 12:49 AM

There is an option available as of Firepower 6.2.0.2 and 6.2.3 that changed the previous default behavior.

 

configure snort preserve-connection enable

 

  • When Snort goes down connections with Allow verdict are preserved in LINA
  • Snort does NOT do a mid-session pickup on preserved flows when starting up
  • Does NOT protect against new flows while Snort is down

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp1594004510

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card