Understanding FTD Snort

Our organization is very new to our FTDs managed through FMC, so bear with me. We went from ASAs to FTDs and are discovering weird behavior as we move forward. After cutting over to our FTDs all was good and we weren't really experiencing any major issues. We have a variety of automated FTP jobs connecting out to various FTP servers for third-party systems for sending/receiving files. I swear every month or so, these jobs decide to fail randomly. After performing a capture with trace, I see that Snort is randomly deciding to block and drop the packets, but it is intermittent. Sometimes I'll see a "blocked by SSL" message in the capture. Why does this happen randomly and without any rhyme or reason? I have had to constantly add these connections to our prefilter as the jobs randomly fail. Now our prefilter is growing because apparently the ACLs aren't sufficient? It's extremely frustrating. Even connecting out to some websites gets blocked by Snort. Anyone else experience this or have any type of explanation as to why Snort is doing this?

Any insight would be awesome thank you!
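Before treating the drops as random, it helps to tally them by destination and by the reason Snort reports, since "blocked by SSL" and "blocked by Firewall" point at different policies (SSL/decryption policy versus access control). The script below is an added example, not code from this thread or from Cisco. The trace text it parses is constructed for the example, and the Phase/Type/Result/Additional Information layout it assumes is an approximation of `show capture <name> trace` output; adjust the regular expressions to match your own device's formatting.

```python
"""Tally Snort verdicts from an FTD capture-with-trace dump.

Added example: the sample trace below is CONSTRUCTED, and the phase layout
(Phase / Type / Result / Additional Information / "Blocked by ...") is an
assumption about the output format rather than a verbatim device capture.
"""
import re
from collections import Counter

# Constructed sample: three SYN packets, two of which get a Snort DROP verdict.
SAMPLE_TRACE = """\
1: 10:01:02.000001 10.1.1.5.51000 > 203.0.113.10.21: S 0:0(0) win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 2
Type: SNORT
Subtype:
Result: ALLOW
Additional Information:
Snort Verdict: (pass-packet) allow this packet

2: 10:01:02.000500 10.1.1.5.51001 > 203.0.113.10.21: S 0:0(0) win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 2
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (block-packet) drop this packet
Blocked by SSL

3: 10:01:03.000001 10.1.1.5.51002 > 198.51.100.7.443: S 0:0(0) win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 2
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
Blocked by Firewall
"""

# Packet header line: "<n>: <time> <src.port> > <dst.port>: ..."
PACKET_HDR = re.compile(r"^(\d+): \S+ (\S+) > (\S+?):", re.M)


def split_packets(trace):
    """Split the dump into one string per packet, using the header lines."""
    starts = [m.start() for m in PACKET_HDR.finditer(trace)]
    ends = starts[1:] + [len(trace)]
    return [trace[s:e].strip() for s, e in zip(starts, ends)]


def snort_verdict(packet):
    """Return (result, reason) from the SNORT phase, or (None, None) if absent."""
    phases = re.split(r"^Phase: \d+\n", packet, flags=re.M)
    for phase in phases:
        if not re.search(r"^Type: SNORT$", phase, re.M):
            continue
        result = re.search(r"^Result: (\w+)$", phase, re.M)
        reason = re.search(r"^Blocked by (.+)$", phase, re.M)
        return (result.group(1) if result else None,
                reason.group(1).strip() if reason else None)
    return (None, None)


def summarize(trace):
    """Count Snort DROPs per (destination, reason) so patterns become visible."""
    drops = Counter()
    for pkt in split_packets(trace):
        dst = PACKET_HDR.match(pkt).group(3)
        result, reason = snort_verdict(pkt)
        if result == "DROP":
            drops[(dst, reason or "unspecified")] += 1
    return drops


if __name__ == "__main__":
    for (dst, reason), n in summarize(SAMPLE_TRACE).most_common():
        print(f"{n:4d}  {dst:24s}  blocked by {reason}")
```

Feed it a saved trace and look at which destinations and which reasons dominate: a cluster of "SSL" drops toward the FTP hosts points at the decryption policy handling those sessions, while "Firewall" drops point at access-control rule evaluation, which narrows what to review in FMC instead of extending the prefilter each time a job fails.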

May be due to the cutover from ASA to FTD. I would suggest first putting Snort in Monitor Mode and understanding the network, then making a decision before you get to close mode. This way most of them work as expected, and you can incorporate Snort IPS rules slowly, adding and monitoring step by step.

There may be false positives which may be impacting the device. By the way, what model of device is this?

Hey Balaji,

They are FTD 2110s. How would I go about setting snort to monitor mode? We don't have any intrusion policies set currently.
