Snort Restart Traffic Behavior

The following tables explain how different devices handle traffic when the Snort process restarts.

The Threat Defense and the Threat Defense Virtual Restart Traffic Effects

| Interface Configuration | Restart Traffic Behavior |
| --- | --- |
| Inline, Snort Fail Open: Down disabled | Dropped |
| Inline, Snort Fail Open: Down enabled | Passed without inspection. Some packets can be delayed in the buffer for several seconds before the system recognizes that Snort is down; the delay varies with the load distribution, but the buffered packets are eventually passed. |
| Routed, transparent (including EtherChannel, redundant, subinterface), preserve-connection enabled (configure snort preserve-connection enable; the default). For more information, see the Cisco Secure Firewall Threat Defense Command Reference. | Existing TCP/UDP flows: passed without inspection so long as at least one packet arrives while Snort is down. New TCP/UDP flows and all non-TCP/UDP flows: dropped. Some traffic drops even when preserve-connection is enabled; see the list following this table. |
| Routed, transparent (including EtherChannel, redundant, subinterface), preserve-connection disabled (configure snort preserve-connection disable) | Dropped |
| Inline, tap mode | Egress packet immediately; the copy bypasses Snort |
| Passive | Uninterrupted, not inspected |

The following traffic drops even when preserve-connection is enabled:

  • plaintext, passthrough prefilter tunnel traffic that matches an Analyze rule action or an Analyze all tunnel traffic default policy action

  • connections that do not match an access control rule and are instead handled by the default action

  • decrypted TLS/SSL traffic

  • a safe search flow

  • a captive portal flow
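As an added illustration (not Cisco's code or documentation), the table's decision rules encoded as a small Python model: given the interface type, the Snort Fail Open Down setting and the preserve-connection setting, it reports the fate of a packet that arrives while Snort is down, and tallies a constructed batch of flows with preserve-connection enabled versus disabled so the operational difference between the two settings is visible. The Iface, Config and Packet names, the flow kind labels and the sample traffic are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum


class Iface(Enum):
    INLINE = "inline"
    INLINE_TAP = "inline tap mode"
    ROUTED_OR_TRANSPARENT = "routed/transparent"
    PASSIVE = "passive"


# Flow classes the table lists as dropping even with preserve-connection enabled
# (labels are this example's own, not Cisco identifiers).
DROP_DESPITE_PRESERVE = {"prefilter_analyze_tunnel", "default_action",
                         "decrypted_tls", "safe_search", "captive_portal"}


@dataclass
class Config:
    iface: Iface
    snort_fail_open_down: bool = False  # only meaningful for inline sets
    preserve_connection: bool = True    # default per the table


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    existing_flow: bool   # flow was established before Snort went down
    kind: str = "normal"  # or one of DROP_DESPITE_PRESERVE


def restart_behavior(cfg: Config, pkt: Packet) -> str:
    """Fate of a packet that arrives while the Snort process is down."""
    if cfg.iface in (Iface.PASSIVE, Iface.INLINE_TAP):
        return "passed"                  # never blocked by the Snort path
    if cfg.iface is Iface.INLINE:
        return "passed" if cfg.snort_fail_open_down else "dropped"
    if not cfg.preserve_connection or pkt.kind in DROP_DESPITE_PRESERVE:
        return "dropped"
    if pkt.proto in ("tcp", "udp") and pkt.existing_flow:
        return "passed"                  # existing TCP/UDP flow is preserved
    return "dropped"                     # new flows and all non-TCP/UDP flows


# Constructed sample traffic crossing a routed interface during a restart.
SAMPLE = [Packet("tcp", True), Packet("udp", True), Packet("tcp", False),
          Packet("icmp", True), Packet("tcp", True, "decrypted_tls")]


def tally(cfg: Config, pkts=SAMPLE) -> dict:
    out = {"passed": 0, "dropped": 0}
    for p in pkts:
        out[restart_behavior(cfg, p)] += 1
    return out
```

Calling tally(Config(Iface.ROUTED_OR_TRANSPARENT)) against tally(Config(Iface.ROUTED_OR_TRANSPARENT, preserve_connection=False)) shows that only the existing TCP/UDP flows survive a restart, and only when preserve-connection is left enabled.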

Note: In addition to traffic handling when the Snort process is down while it restarts, traffic can also pass without inspection or drop when the Snort process is busy, depending on the configuration of the Snort Fail Open Busy option (see Configure an Inline Set). A device supports either the Failsafe option or the Snort Fail Open option, but not both.

Note: When the Snort process is busy but not down during configuration deployment, some packets may drop on routed, switched, or transparent interfaces if the total CPU load exceeds 60 percent.

Warning: Do not reboot the system while the Snort Rule Update is in progress.

Snort-busy drops happen when Snort is not able to process packets fast enough. Lina does not know whether Snort is busy because of processing delay, because it is stuck, or because of call blocking. When the transmission queue is full, snort-busy drops occur. Based on transmission queue utilization, Lina tries to assess whether the queue is being serviced smoothly.