Symptom

New LSP deployment fails with one or more of below errors in /ngfw/var/log/messages SF-IMS[127080]: Finished /ngfw/var/sf/detection_engines/c6aa32d4-9cf1-11ed-8c39-36f3e3577d76/snort3.lua: SF-IMS[127080]: Unknow security attribute '_' on /ngfw/var/sf/lsp/lsp-rel-20240221-1537. LSP so rules will not be loaded. SF-IMS[127080]: dlopen: loading of /ngfw/var/sf/lsp/lsp-rel-20240221-1537/talos_content/modules/3.1.21.1-114/ftd-x64/so_rules//server-webapp.so (/ngfw/var/sf/lsp/lsp-rel-20240221-1537/talos_content/modules/3.1.21.1-114/ftd-x64/so_rules/server-webapp.so) is prohibited. ….. SF-IMS[127080]: Loading browser-chrome.rules: SF-IMS[127080]: ERROR: browser-chrome.rules:1 SO rule 49442 not loaded. SF-IMS[127080]: ERROR: browser-chrome.rules:2 SO rule 49443 not loaded. …. SF-IMS[127080]: Reload failed! bad config [reload_config('/ngfw/var/sf/detection_engines/c6aa] … SF-IMS[114214]: Unknow security attribute '_' on /ngfw/var/sf/lsp/lsp-rel-20240221-1537. LSP so rules will not be loaded. SF-IMS[2093]: Last message 'Unknow security attr' repeated 4 times, suppressed by syslog-ng … SF-IMS[114214]: FATAL ERROR: see prior 3888 errors (0 warnings)

Conditions

- Multi-Instance FTD on FPR41xx or 93xx - Deploy new LSP package from FMC

Workaround

1 Log into the FTD CLI > 2. Go to expert mode (linux shell) > expert $ sudo su Password: # 3. Go to /ngfw/var/log/sf Directory # cd /var/log/sf/ # ls -al (check the update.status file is present) 3. Delete the update.status file # rm update.status # ls -al (check the update.status file is deleted) 4. Refresh the FMC UI and rerun the new LSP deployment

Further Problem Description