Showing results for 
Search instead for 
Did you mean: 

Understanding FTD Snort




Our organization is very new to our FTD's managed through FMC so bare with me. We went from ASA's to FTD's and are discovering weird behavior as we move forward. After cutting over to our FTD's all was good and we weren't really experiencing any major issues. We have a variety of automated FTP jobs connecting out to various FTP servers for third party systems for sending/receiving files. I swear everything month or so, these jobs decide to fail randomly. After performing a capture w/ trace, I see that snort is randomly deciding to block and drop the packets, but it is intermittent. Sometimes I'll see a "blocked by SSL" message in the capture. Why does this happen randomly and without any rhyme or reason? I have had to constantly add these connections to our prefilter as the jobs randomly fail. Now our prefilter is growing because apparently the ACL's aren't sufficient enough? It's extremely frustrating. Even connecting out to some websites gets blocked by snort. Anyone else experience this or have any type of explanation as to why snort is doing this? 


Any insight would be awesome thank you!

2 Replies 2

VIP Community Legend VIP Community Legend
VIP Community Legend

May be due to cut over ASA to FTD, i would suggest first put the SNORT in Monitor Mode and undertand the network, make a decision before you geting to close mode. - this way most of them work as expected, and you can incorporate SNORT IPS rules slowly adding and Monitoring step by step.


There may be false postive which may have impacting the device,. by the way what model of the device here ?




***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hey Balaji,


They are FTD 2110s. How would I go about setting snort to monitor mode? We don't have any intrusion policies set currently.





Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: