Skip to main content



Cisco Defense Orchestrator

Revert From Snort 3.0 for FTD

Some intrusion rules in Snort 2.0 might not exist in Snort 3.0. If you downgrade to 2.0, any custom intrusion policies that you created are converted to the base policy used in the custom policy. As far as possible, rule action overrides are retained. If more than one custom policy uses the same base policy, the overrides of the custom policy that is used in the most access control policies are retained, and the overrides for the other custom policies are lost. Access control rules that used these"duplicate"policies will now use the base policy created from your most-used custom policy. All custom policies are deleted.

Before you opt to revert from Snort 3.0, read Managing Intrusion Policies (Snort2) of the Firepower Device Manager Configuration Guide and find out how switching snort engine versions will affect your current rules and policies. 

Note: Reverting to version 2 does not uninstall Version 6.7.

Revert From Snort 3.0

If you change the Snort version,the system will perform an automatic deployment to implement the change. Note that you can only revert individual devices from Snort 3.0 to version 2.

Use the following procedure to revert the intrusion prevention engine:

  1. Log in to CDO.
  2. In the navigation pane, click Devices & Services and click the device you want to revert. 
  3. In the action pane located to the right, click Upgrade.  
  4. Set the upgrade toggle to Intrusion Prevention Engine.
    upgrade_snort3 only.png
  5. In Step 1, confirm you want to revert from Snort version 3, and click Revert to Snort Engine 2
    revert snort3.png
  6. From the Device & Services page, devices that are upgrading have a "Upgrade in Progress" configuration status.


Monitor the Upgrade Process 

Warning: If you decide to cancel the upgrade while it is in progress, click Abort Upgrade from the Upgrade page. If you cancel the upgrade after it has started, CDO does not deploy or check for changes from the device and the device does not roll back to the previous configuration. This may cause the device to enter an unhealthy state. If you experience any issues during the upgrade process, contact Cisco TAC.

You can view the progress of your single device by selecting that device on the Devices & Services page and clicking the upgrade button. CDO takes you to the Device Upgrade page for that device.

If the upgrade fails at any point, CDO displays a message. CDO does not automatically restart the upgrade process. 

Warning: Upgrading devices that have self-signed certificates may experience issues; see New Certificate Detected for more information


Related Articles:


  • Was this article helpful?