While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Cisco FTD Software Release 6.7.0

For Cisco FTD Software Release 6.7.0, as a workaround when the Snort 3 configuration option is enabled, an administrator may enable built-in rule 129:2 in the intrusion policy and set the action to Drop instead of Alert.

Use the following steps to verify that the Snort 3 configuration option is enabled. For more details, see the Switching Between Snort 2 and Snort 3 section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

1. Log in to the Admin Portal for the FTD deployment.
2. Navigate to Policies > Intrusion.
3. Look for the Snort Version line above the table. The current version is the first number in the complete version number. For example, 2.9.17-95 is a Snort 2 version.

Use the following steps to enable rule 129:2. For more details, see the Changing Intrusion Rule Actions (Snort 3) section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

1. Log in to the Admin Portal for the FTD deployment.
2. Navigate to Policies > Intrusion.
3. Choose any system-provided policy, such as Balanced Security and Connectivity.
4. Search for rule 129:2.
5. Check the check box next to the rule to enable it.
6. Choose Drop from the Action drop-down list.
7. Add the intrusion policy to a rule in Access control policy.