02-25-2021 01:21 PM
Dear Community,
I read in a post online recently that in some instances pushing policy to your FTDs from the FMC may cause the Snort process to restart, potentially causing traffic disruption. I was wondering if the following actions may cause traffic disruption:
-Enabling the "Deploy updated policies to targeted devices after rule update completes" in the Recurring Rule Updates section.
-Making a change to a Network Object Group that is used by rules in the ACP and then redeploying the ACP to the FTDs after the object is updated.
Also, as a side question regarding the Geolocation Updates. I also have this set to automatically do recurring updates from the support site. However, in the FMC I do not see any option to "deploy" these changes. How do these Geolocation updates get deployed to the FTDs for something like Security Intelligence to use?
Thank you for all your help!
02-25-2021 03:24 PM
Changes to groups that are used in the ACP don't result in a restart of the Snort process (i.e. a drop in traffic).
When you say deploying after recurring rule, do you mean recurring task (as in scheduled task)?
For an overview of when a deploy will stop the inspection / drop traffic, refer to the following link:
As for the Geolocation information, this is automatically pushed from the FMC to the managed devices, which is why deployment is not necessary or present.
02-26-2021 05:49 AM
Marius,
Thanks so much for the quick and detailed reply. To answer your question, yes, I am talking about the recurring update tasks under System->Updates->Rule Updates->Recurring Rule Update Imports. There is a checkbox option that tells the FMC to deploy any rule updates to the devices after they're downloaded. I am wondering if this action would cause a drop in traffic due to Snort restarting. I attached a screenshot of the option.
Thanks so much!
02-26-2021 02:57 PM
Yes traffic will be dropped when the intrusion rules are deployed.
03-10-2022 08:40 AM
Hello Marius,
I have come across this same question. When I check the deploy update box, will it automatically deploy any updates in the queue? I have three devices that did not update manually when I updated them today. If I check the below box, will I lose traffic, or only when a new update comes in?
Policy Deploy: "Deploy updated policies to targeted devices after rule update completes" check box?
03-10-2022 09:39 AM
@JerryLarson7922 checking the box only comes into play when new SRUs (Snort 2) or LSPs (Snort 3) are published after making that setting. It won't affect managed devices right away, no matter what their current package version is.
I tend to recommend not checking the box since the deployment could include work in progress on other changes that are not ready or approved for production deployment yet. I always recommend a deployment be an affirmative and explicit choice made by the authorized administrator(s).
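The advice above (keep the box unchecked and make every deployment an explicit, authorized action) can be scripted against the FMC REST API so that only reviewed devices are pushed. The following is an added example, not code from this thread or from Cisco. It assumes the endpoints as documented for the FMC REST API (generatetoken, deployment/deployabledevices, deployment/deploymentrequests); the field names in the sample response (name, canBeDeployed, version, device.id) and the single shared version value in the request body are assumptions to verify in the API Explorer on your own FMC before use. The sample response is constructed, so the pure functions run offline; only fmc_login and list_deployable_devices talk to a real FMC.

```python
"""Explicit, reviewed FMC policy deployment (added example, not Cisco code).

Assumptions (verify in the FMC API Explorer):
  - POST /api/fmc_platform/v1/auth/generatetoken returns the headers
    X-auth-access-token and DOMAIN_UUID.
  - GET  /api/fmc_config/v1/domain/{uuid}/deployment/deployabledevices
    returns items with name, canBeDeployed, version and device.id.
  - POST /api/fmc_config/v1/domain/{uuid}/deployment/deploymentrequests
    accepts a DeploymentRequest with one version and a deviceList.
"""
import base64
import json
import urllib.request

# Constructed sample of a deployabledevices response (field names assumed).
SAMPLE_DEPLOYABLE = {
    "items": [
        {"type": "DeployableDevice", "name": "ftd-branch-01",
         "canBeDeployed": True, "version": "1615382400000",
         "device": {"id": "aaaa-1111", "type": "Device"}},
        {"type": "DeployableDevice", "name": "ftd-lab-99",
         "canBeDeployed": True, "version": "1615382400000",
         "device": {"id": "bbbb-2222", "type": "Device"}},
        {"type": "DeployableDevice", "name": "ftd-dc-02",
         "canBeDeployed": False, "version": "1615382400000",
         "device": {"id": "cccc-3333", "type": "Device"}},
    ]
}


def select_devices(deployable, approved_names):
    """Return (version, [device ids]) for devices that have pending changes,
    are reported deployable by the FMC, and are on the approved list.

    Anything not explicitly approved is left alone, which is the point:
    a rule update or a colleague's half-finished ACP edit never reaches a
    production FTD without a named device being chosen here."""
    version, chosen = None, []
    for item in deployable.get("items", []):
        if not item.get("canBeDeployed"):
            continue                       # e.g. deployment already running
        if item.get("name") not in approved_names:
            continue                       # pending, but not approved today
        chosen.append(item["device"]["id"])
        version = item["version"]          # assumption: one version per push
    return version, chosen


def build_deployment_request(version, device_ids):
    """Body for POST .../deployment/deploymentrequests (shape assumed).
    forceDeploy stays False so an unchanged device is not redeployed
    (and its Snort process not restarted) for nothing."""
    return {
        "type": "DeploymentRequest",
        "version": version,
        "forceDeploy": False,
        "ignoreWarning": False,
        "deviceList": list(device_ids),
    }


def fmc_login(host, user, password):
    """Authenticate to a live FMC; returns (token, domain_uuid).
    TLS verification is left at the urllib default (on)."""
    req = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def list_deployable_devices(host, token, domain_uuid):
    """GET the devices with pending changes from a live FMC."""
    url = (f"https://{host}/api/fmc_config/v1/domain/{domain_uuid}"
           "/deployment/deployabledevices?expanded=true")
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Offline dry run on the constructed sample: only ftd-branch-01 is both
    # deployable and approved, so the request names a single device.
    ver, ids = select_devices(SAMPLE_DEPLOYABLE, {"ftd-branch-01", "ftd-dc-02"})
    print(json.dumps(build_deployment_request(ver, ids), indent=2))
```

Run the dry run first and read the printed deviceList; only after a human has signed off on exactly those devices should the body be POSTed to deploymentrequests with the token from fmc_login. Checking the checkbox described above removes that review step entirely.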