Limitations of Snort inspection on Engines
These limitations apply to Snort inspection on Engines.
- Snort inspection is currently not supported for Master Engines and Virtual Engines.
If you install a policy that includes Access rules for Snort inspection on Master Engines and Virtual Engines, the rules are ignored.
- Snort inspection is not supported for Capture interfaces.
- Snort inspection is supported for VLAN interfaces, but the same Snort rules apply to the traffic regardless of the VLAN tag. Snort inspection is only applied to the IP datagrams without Ethernet headers. It is not possible to apply different Snort rules to traffic from different VLANs.
- If you use Logical Interfaces that have overlapping IP address spaces as matching criteria in Access rules that select traffic for Snort inspection, traffic might not match Snort rules as intended.
- We do not recommend using services that match based on the payload of connections, such as Network Applications, URL Categories, or URL List Applications, in
Access rules that select traffic for Snort inspection.
At the beginning of a connection, the Engine cannot determine whether the traffic should be selected for Snort inspection. The Engine selects all potentially matching traffic for Snort inspection. As a result, Snort inspection might be applied to traffic that was not intended to be selected for Snort inspection. Applying Snort inspection to this traffic can create false positive Snort rule matches.
- Snort inspection cannot be applied to traffic that has been decrypted for TLS inspection.
- If Snort inspection fails, the traffic is allowed by default.
- Engines do not receive automatic updates for Snort rule sets. When new Snort rule sets are available, you must import new Snort configuration files and refresh the policy on the Engine to start using the new Snort rule sets.