FMC Policy Deploy and Snort Restart Question

Dear Community,

I read in a post online recently that in some instances pushing policy to your FTD's from the FMC may cause the Snort process to restart, potentially causing traffic disruption. I was wondering if the following actions may cause traffic disruption:

- Enabling the "Deploy updated policies to targeted devices after rule update completes" option in the Recurring Rule Updates section.

- Making a change to a Network Object Group that is used by rules in the ACP and then redeploying the ACP to the FTD's after the object is updated.

Also, a side question regarding the Geolocation Updates. I also have this set to automatically do recurring updates from the support site. However, in the FMC I do not see any option to "deploy" these changes. How do these Geolocation updates get deployed to the FTD's for something like Security Intelligence to use?

Thank you for all your help!

5 Replies

Changes to groups that are used in the ACP don't result in a restart of the Snort process (i.e. a drop in traffic).

When you say deploying after recurring rule, do you mean recurring task (as in scheduled task)?

For an overview of when a deploy will stop inspection / drop traffic, refer to the following link:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/policy_management.html#concept_uc1_gtq_ty

As for the Geolocation information, this is automatically pushed from the FMC to the managed devices, which is why deployment is not necessary or present.

--
Please remember to select a correct answer and rate helpful posts

Marius,

Thanks so much for the quick and detailed reply. To answer your question, yes, I am talking about the recurring update tasks under System->Updates->Rule Updates->Recurring Rule Update Imports. There is a checkbox option that tells the FMC to deploy any rule updates to the devices after they're downloaded. I am wondering if this action would cause a drop in traffic due to Snort restarting. I attached a screenshot of the option.

Thanks so much!

Accepted Solution:

Yes, traffic will be dropped when the intrusion rules are deployed.

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

I have come across this same question. When I check the deploy update box, will it automatically deploy any updates in the queue? I have three devices that did not update manually when I updated them today. If I check the below box, will I lose traffic, or only when a new update comes in?

Policy Deploy

[ ] Deploy updated policies to targeted devices after rule update completes

(check box?)

@JerryLarson7922 checking the box only comes into play when new SRUs (Snort 2) or LSPs (Snort 3) are published after making that setting. It won't affect managed devices right away, no matter what their current package version is.

I tend to recommend not checking the box since the deployment could include work in progress on other changes that are not ready or approved for production deployment yet. I always recommend a deployment be an affirmative and explicit choice made by the authorized administrator(s).
