Guidelines and Limitations for Network Analysis and Intrusion Policies
- A high percentage of traffic with small packets causes Snort performance to decrease. This behaviour is observed even when all the preprocessors are disabled.
- When you attempt to deploy a configuration change on a threat defense device with low memory, Snort deployment is also triggered. This results in high consumption of RSS memory. Snort memory usage is also impacted if you deploy large configurations on the device, such as multiple IPS policies containing a large number of Snort IPS rules, network objects, and access control lists. You can mitigate such memory issues by optimizing the configuration. For best practices on how to configure access control rules to optimize the configuration, see Best Practices for Access Control Rules.
- If you increase the memory of a Threat Defense Virtual instance, you must redeploy the configuration for Snort 3 to utilize the additional memory.
  Note: The Snort 3 memory allocation is not automatically adjusted when you increase the memory of the Threat Defense Virtual instance. You must redeploy the configuration to regenerate the relevant configuration files, such as memory_allocation.lua, which apply the updated resource limits to Snort 3.
Feature Limitations of Snort 3 for Management Center-Managed Threat Defense
The following table lists the features that are supported on Snort 2 but not supported on Snort 3 for management center-managed threat defense devices.
| Policy/Area | Features not supported |
|---|---|
| Access Control Policy | The following application settings: |
| Intrusion Policy | |
| Other features | Event logging with FQDN names |