Guidelines and Limitations for Network Analysis and Intrusion Policies

  • A high percentage of traffic consisting of small packets causes Snort performance to decrease. This behavior is observed even when all the preprocessors are disabled.

  • When you attempt to deploy a configuration change on a threat defense device with low memory, Snort deployment is also triggered. This results in high consumption of RSS memory. Snort memory usage is also affected if you deploy large configurations on the device, such as multiple IPS policies containing a large number of Snort IPS rules, network objects, and access control lists. You can mitigate such memory issues by optimizing the configuration. For best practices on how to configure access control rules to optimize the configuration, see Best Practices for Access Control Rules.

  • If you increase the memory of a Threat Defense Virtual instance, you must redeploy the configuration for Snort 3 to utilize the additional memory.

    Note

    The Snort 3 memory allocation is not automatically adjusted when you increase the memory of the Threat Defense Virtual instance. You must redeploy the configuration to regenerate relevant configuration files, such as memory_allocation.lua, which apply the updated resource limits to Snort 3.

  • If a SIP stream is followed by RTP streams from the same connection, Snort inspects the initial SIP communication that is sent for connection establishment and allows the SIP traffic. The RTP streams that follow the SIP communication are also trusted by default and bypass the configured rules. To prevent this, trust the parent SIP connection or add the parent SIP connection to a prefilter rule. This ensures that only the SIP stream bypasses Snort inspection, and the subsequent RTP streams are evaluated separately against the corresponding rules.

Feature Limitations of Snort 3 for Firewall Management Center-Managed Firewall Threat Defense

The following table lists the features that are supported on Snort 2 but not supported on Snort 3 for Firewall Management Center-managed Firewall Threat Defense devices.

Table: Feature Limitations of Snort 3

Policy/Area           | Features not supported
----------------------|----------------------------------------------------------------------
Access Control Policy | The following application settings: Safe Search; YouTube EDU
Intrusion Policy      | Global rule thresholding; Logging configuration: SNMP; SRU rule updates (Snort 3 supports only LSP rule updates)
Other features        | Event logging with FQDN names