ASA FirePOWER Upgrade Behavior
Your ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the module handles traffic during the Firepower software upgrade, including when you deploy certain configurations that restart the Snort process.
Traffic Redirection Policy | Traffic Behavior |
---|---|
Fail open (sfr fail-open) | Passed without inspection |
Fail closed (sfr fail-close) | Dropped |
Monitor only (sfr {fail-close}\|{fail-open} monitor-only) | Egress packet immediately, copy not inspected |
Traffic Behavior During ASA FirePOWER Deployment
Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWER module.
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whether traffic drops or passes without inspection during the interruption.
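To see before an upgrade which redirected traffic classes will drop and which will pass uninspected, the sfr lines in the ASA policy maps can be mapped onto the table above. The following is an added example, not Cisco code: it parses a constructed running-config excerpt in which every class, ACL and policy-map name is hypothetical, and it assumes the usual one-space-per-level indentation of ASA configuration output.

```python
import re

# Behavior while Snort is down, keyed by (mode, monitor_only), from the table above.
BEHAVIOR = {
    ("fail-open", False): "passed without inspection",
    ("fail-close", False): "dropped",
    ("fail-open", True): "egress packet immediately, copy not inspected",
    ("fail-close", True): "egress packet immediately, copy not inspected",
}
SFR_RE = re.compile(r"^sfr\s+(fail-open|fail-close)(\s+monitor-only)?$")

# Constructed sample config; every class, ACL and policy name is hypothetical.
SAMPLE_CONFIG = """\
class-map sfr_guest
 match access-list GUEST_ACL
class-map sfr_all
 match any
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr_guest
  sfr fail-open monitor-only
 class sfr_all
  sfr fail-close
service-policy global_policy global
"""

def audit_sfr(config_text):
    """Return (policy_map, class, mode, monitor_only, behavior) per sfr redirect."""
    findings, policy, cls = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command opens a new block
            words = line.split()
            is_l3l4 = words[0] == "policy-map" and len(words) == 2
            policy, cls = (words[1] if is_l3l4 else None), None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls and (m := SFR_RE.match(line)):
            mode, monitor = m.group(1), bool(m.group(2))
            findings.append((policy, cls, mode, monitor, BEHAVIOR[(mode, monitor)]))
    return findings

if __name__ == "__main__":
    for finding in audit_sfr(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Classes reported as "dropped" lose connectivity for the duration of each Snort restart, while the others continue to flow without inspection during that window.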