Snort upgrade in HA FTD 4100

laurathaqi
Level 3

Dear community,

I want to upgrade Snort 2 to Snort 3 in a HA FTD setup. Can someone tell me the process without causing downtime?

Second use case is, upgrade of Snort in an Active/Active setup also?

Any information would be highly appreciated.

Thank you,

Laura

2 Accepted Solutions

Accepted Solutions

balaji.bandi
Hall of Fame

I have not done this upgrade - but it was one of the presentations to learn from.

Check the links below; they may help you:

https://edge.us.cdo.cisco.com/content/docs/t-deploy-changes-to-a-single-ftd-meraki-or.html#!c_upgrade-to-snort-30.html

https://www.youtube.com/watch?v=7vNNYG5_k3Q

Second use case is, upgrade of Snort in an Active/Active setup also?

Can you explain this? This is a cluster of FTD, right?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


Marvin Rhoads
Hall of Fame

The guide doesn't specify, but I believe changing from Snort 2 to Snort 3 will restart the Snort engines on both members (HA) or all members (cluster) and thus interrupt traffic. So it is not zero downtime - but it is a brief traffic interruption.

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/snort3/config-guide/snort3-configuration-guide-v71/migrating.html


6 Replies

Hi @balaji.bandi

Thank you for the much appreciated information shared.

I have two physical 4100 Series appliances, with 2x contexts on them: Context one has 2x FTD in a HA setup, while Context 2 has 2x FTD in a cluster setup.

The issue is that I am not sure how long the downtime takes in each environment, and it's a critical service, and Cisco's documentation in this case does not provide much detail about the Snort 3 upgrade!

Any information would be highly appreciated.

Thank you,

Laura

Hi @Marvin Rhoads

Thank you for the guide shared with me.

I will be doing the upgrade process today, and hopefully the downtime does not last too long, as the Cisco documentation does not give any approx. time for it.

I will update this thread after the upgrade is applied.

Thank you,

Laura

laurathaqi
Level 3

Hi @Marvin Rhoads, @balaji.bandi

I applied the commands as recommended in the Cisco documentation, and the following is the information I was able to perceive:

Context 1: Which contained 2x FTD in a HA setup: activated Snort 3 and deployed the change. The deploy lasted for around six minutes, and it's the fastest deployment done so far. I assume it is due to FTD version 7.0.1 handling the process faster than older versions. No traffic downtime noticed. So I assume it rebooted only the Snort engine, and not the whole appliance, thus affecting only the Access Rules that had IPS enabled.

Context 2: Which contained 2x FTD in a cluster setup; this also lasted for around 5 minutes and no more.

I synchronized the rules between Snort 2 and 3, and no issues were encountered.

To conclude, this whole upgrade was smooth and straightforward.

Thank you for your much needed support,

Laura

Glad our suggestion helped, and we appreciate your input for the community to help other people looking to upgrade.

Yes, 7.X is a good improvement I see compared to old 6.X; Cisco is learning better from user experience here, I guess.

If all is good, can we mark it as resolved?

BB
