2008-05-10
cciesec2006
Re: Single module to cluster

In the lab:

1- build the secondary firewall with VRRP and use the physical IP address
of the primary firewall as VRRP but remove this firewall from the network
so that you do not have an IP conflict.

2- install the latest HFA on the secondary firewall. Make sure you have
the IP address in place,

3- perform fw unloadlocal,

4- perform SIC with the secondary from the SmartCenter, create gateway
cluster and so forth,

5- push policy to the firewall cluster from the SmartCenter,

6- bring everything down,

7- bring up the SmartCenter and the secondary Nokia into your
production network, but have the switchports shut down for these
devices,

8- shut down the primary firewall,

9- enable the switchports for the secondary Nokia and the SmartCenter.
Clear the CAM table on the layer-2 switch and clear ARP on the
upstream router,

10- At this point, traffic should flow normally,

11- rebuild the primary Nokia and put it into the cluster,

12- push policy to the cluster again,

13- if everything goes accordingly, you should be down no more
than 30 seconds, depending on how fast you are with step 8 and step 9,

I used to do this all the time when I worked as an engineer for an MSSP,
we managed nothing but Nokia devices with Provider-1,


Enjoy!!!!!