Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
856
Views
0
Helpful
1
Replies

Applying policies to 5506-X drops traffic for 30 seconds or so

Go to solution
Lucas Phelps
Level 5
Level 5

‎05-16-2018 10:22 AM - edited ‎02-21-2020 07:46 AM

It seems like any time I edit an access policy in the FirePower Management Center and then deploy it to my numerous 5506-X appliances, it takes about a minute and 30 seconds to apply it on the devices.  During that time, traffic on the 5506-X is dropped for 30-45 seconds.  

 

It's nearly impossible to make policy/firewall changes during the day with it operating like this.  I can't drop real-time traffic to change policies.  Any thoughts on how to stop this or what I'm doing wrong?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎05-16-2018 10:39 AM

Traffic interruption usually happens when the Snort engine has to restart when a change is made. The conditions for this are well explained and documented in the configuration guide here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy_management.html#concept_33516C5D6B574B6888B1A05F956ABDF9

 

FYI: the Firepower 6.2.3 version improved the Snort restart process such that there are fewer conditions where the engine has to restart. In addition to this, The FMC also provides you information stating when traffic interruption is expected during a deploy. See pic below:

 

ftd-traffic-interrupt.PNG

 

If you do not have the 6.2.3 version, I would recommend you to move to it after reviewing the release notes.

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎05-16-2018 10:39 AM

Traffic interruption usually happens when the Snort engine has to restart when a change is made. The conditions for this are well explained and documented in the configuration guide here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy_management.html#concept_33516C5D6B574B6888B1A05F956ABDF9

 

FYI: the Firepower 6.2.3 version improved the Snort restart process such that there are fewer conditions where the engine has to restart. In addition to this, The FMC also provides you information stating when traffic interruption is expected during a deploy. See pic below:

 

ftd-traffic-interrupt.PNG

 

If you do not have the 6.2.3 version, I would recommend you to move to it after reviewing the release notes.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card