Symptom
Snort process memory growth may exceed expected limits and leave the snort process in an uninterruptible (D) state.
If this occurs, the device may experience a partial or complete failure to pass traffic.
Conditions
Snort is using a "high" amount of memory, where "high" is relative to the model, version, and features enabled on the device.
This seems more likely to happen if snort has not been restarted for a long period of time (1+ weeks).
Workaround
Restart snort periodically via the command:
pmtool restartbytype DetectionEngine
Note: this may cause a brief traffic interruption, similar to applying a policy which requires detection to restart.
This can be automated with a cron job as shown below:
1 - SSH in to the FTD and escalate to root
> expert
$ sudo su
2 - Add the cron job as below
root@FTD66-R:/home/admin# echo '00 05 * * 1,4 /ngfw/usr/local/sf/bin/pmtool restartbytype snort' >> /var/spool/cron/root
3 - Verify the result
root@FTD66-R:/home/admin# crontab -l
30 * * * * /usr/bin/ntpdate-sync silent
00 05 * * 1,4 /ngfw/usr/local/sf/bin/pmtool restartbytype snort
Note: The ntpdate cron job is present by default on all FTDs.
This will restart the Snort instances on Monday (1) and Thursday (4) at 05:00 UTC (00 05), which is 12:00 AM EST.
If you would like to change this schedule, you can change the fields as below:
Mon, Wed, Sat - 1,3,6
1:30 AM EST (06:30 UTC) - 30 06
The new cron job entry will then be:
30 06 * * 1,3,6 /ngfw/usr/local/sf/bin/pmtool restartbytype snort
4 - Check the cron log to confirm the scheduled restart is working.
After the restart happens, you should see a message similar to the following in the cron log (/ngfw/var/log/cron):
Mar 4 15:30:01 FTD66-R CROND[5408]: (root) CMD (/ngfw/usr/local/sf/bin/pmtool restartbytype snort)
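The steps above append the entry with a plain echo, which adds a duplicate line every time it is re-run, and the log check is done by eye. The following added example (not part of the original article or of any Cisco tooling) wraps the install in an idempotent shell function and counts the restart entries in the cron log; the file paths are parameters so it can be exercised against constructed files before touching /var/spool/cron/root.

```shell
#!/bin/sh
# Added example, not from the original page. The cron line and the pmtool path
# are taken from the workaround above; file paths are passed in as arguments.
CRON_LINE='00 05 * * 1,4 /ngfw/usr/local/sf/bin/pmtool restartbytype snort'

# add_cron_line FILE LINE: append LINE to FILE only if an identical line is not
# already present, so re-running the procedure never schedules a second restart.
add_cron_line() {
    file=$1
    line=$2
    if grep -Fxq -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_restarts LOGFILE: number of cron log entries showing that cron actually
# launched the pmtool restart (the CMD line from step 4). Returns 0 matches as "0".
count_restarts() {
    n=$(grep -c 'CROND\[[0-9]*\]: (root) CMD (/ngfw/usr/local/sf/bin/pmtool restartbytype snort)' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Typical use on the FTD itself (run as root after "expert" / "sudo su"):
#   add_cron_line /var/spool/cron/root "$CRON_LINE"
#   count_restarts /ngfw/var/log/cron
```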
Optionally, you can have snort restart automatically every time you deploy by disabling "Inspect traffic during policy apply" in the Advanced section of the Access Control policy. Note that this may cause traffic interruptions during deploy.