Cisco
Login
Search
Software Secure Firewall Threat Defense
Platform Secure Firewall Threat Defense Virtual
Activity Onboard

Intrusion Detection and Prevention Migrate from Snort 2 to Snort 3 Synchronize Snort 2 Rules with Snort 3

Last updated: Jul 29, 2025

Synchronize Snort 2 Rules with Snort 3

To ensure that the Snort 2 version settings and custom rules are retained and carried over to Snort 3, the Firewall Management Center provides the synchronization functionality. Synchronization helps Snort 2 rule override settings and custom rules, which you may have altered and added over the last few months or years, to be replicated on the Snort 3 version. This utility helps to synchronize Snort 2 version policy configuration with Snort 3 version to start with similar coverage.


 

Snort 2 is not supported on threat defense Version 7.7. For information on Snort 2 features that are supported in versions earlier than 7.7, refer to the Firewall Management Center guide that matches your Firewall Threat Defense version.

If the Firewall Management Center is upgraded from 6.7 or earlier to 7.0 or later version, the system synchronizes the configuration. If the Firewall Management Center is a fresh 7.0 or later version, you can upgrade to a higher version, and the system will not synchronize any content during upgrade.

Before upgrading a device to Snort 3, if changes are made in Snort 2 version, you can use this utility to have the latest synchronization from Snort 2 version to Snort 3 version so that you start with a similar coverage.


 

On moving to Snort 3, it is recommended that you manage the Snort 3 version of the policy independently and do not use this utility as a regular operation.


 

  • Only the Snort 2 rule overrides and custom rules are copied to Snort 3 and not the other way around. You may not find a one-to-one mapping of all the intrusion rules in Snort 2 and Snort 3. Your changes to rule actions for rules that exist in both versions are synchronized when you perform the following procedure.

  • Synchronization does not migrate the threshold and suppression settings of any custom or system-provided rules from Snort 2 to Snort 3.

Procedure

1

Choose Policies > Intrusion.

2

Ensure the Intrusion Policies tab is selected.
3

Click Show Snort 3 Sync status.
4

Identify the intrusion policy that is out-of-sync.
5

Click the Sync icon Snort out-of-Sync (snort versions out-of-sync).


 

If the Snort 2 and the Snort 3 versions of the intrusion policy are synchronized, then the Sync icon is in greenSnort in-Sync (snort versions in-sync).
6

Read through the summary and download a copy of the summary if required.
7

Click Re-Sync.


 

  • The synchronized settings will be applicable on the Snort 3 intrusion engine only if it is applied on a device, and after a successful deployment.

  • Snort 2 custom rules can be converted to Snort 3 using the system-provided tool. If you have any Snort 2 custom rules click the Custom Rules tab and follow the on-screen instructions to convert the rules. For more information, see Convert Snort 2 Custom Rules of a Single Intrusion Policy to Snort 3.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Previous topic View Snort 2 and Snort 3 Base Policy Mapping Next topic Deploy Configuration Changes