Guidelines and Limitations for Network Analysis and Intrusion Policies

  • A high percentage of traffic with small packets causes Snort performance to decrease. This behaviour is observed even when all the preprocessors are disabled.

  • When you attempt to deploy a configuration change on a threat defense device with low memory, a Snort deployment is also triggered. This results in high consumption of RSS memory. Snort memory usage is also impacted if you deploy large configurations on the device, such as multiple IPS policies containing a large number of Snort IPS rules, network objects, and access-control lists. You can mitigate such memory issues by optimizing the configuration. For best practices on how to configure access control rules to optimize the configuration, see Best Practices for Access Control Rules.

  • If you increase the memory of a Threat Defense Virtual instance, you must redeploy the configuration for Snort 3 to utilize the additional memory.

    Note

    The Snort 3 memory allocation is not automatically adjusted when you increase the memory of the Threat Defense Virtual instance. You must redeploy the configuration to regenerate relevant configuration files, such as memory_allocation.lua, which apply the updated resource limits to Snort 3.

Feature Limitations of Snort 3 for Management Center-Managed Threat Defense

The following table lists the features that are supported on Snort 2 but not supported on Snort 3 for management center-managed threat defense devices.

Feature Limitations of Snort 3

| Policy/Area | Features not supported |
|---|---|
| Access Control Policy | The following application settings: Safe Search, YouTube EDU |
| Intrusion Policy | Global rule thresholding; Logging configuration: SNMP; SRU rule updates, as Snort 3 supports only LSP rule updates |
| Other features | Event logging with FQDN names |