Snort 3 Multi-Process Support

On Secure Firewall 6160 and 6170 devices running Secure Firewall version 10.0, Snort 3 by default associates multiple threads with two Snort instances. During deployment, each Snort 3 instance is automatically configured with the required threads. Running individual Snort 3 instances reduces the memory load on each instance, reduces lock contention, and shortens core generation times. This leads to improved resiliency, performance, and scalability. A failure of any Snort instance results in minimal traffic impact, and you can also restart a single Snort process if required.

Snort threads are distributed over NUMA nodes, where each node is treated as an independent processor. This ensures that memory boundaries are maintained. For example, Snort instance 0 uses node 0's memory, and instance 1 uses node 1's memory.

The CLI output of commands such as show coredump and show perfstats has been enhanced to display information for both Snort instances. On the Management Center, navigate to Troubleshooting > Monitor > Devices to view the Overview > Critical Processes and the Memory sections for information on both Snort instances. If there are any rule profiling errors, the Snort instance number is displayed with the error.