[leahrev]

We have a pair of Linux boxes set up w/ checkpoint FW software (NG w/ AI, running SPLAT in an HA pair scenario) The HA pair was working fine, but then something got out of synch with the config on the two machines because we noticed that when fw1 was up it would not allow our OWA (web version of Microsoft Outlook) to work. So as a short-term fix, we just forced fw2 as the “Active Up” member of the HA pair. This seemed to work well until a new global policy was pushed that messed something up and caused the HA pair to flap. So we stopped fw1 via the Smart Dashboard GUI. This caused fw2 to stay active and things remained stable, but then all of a sudden a bunch of our NATs (used for outbound emails) failed! The NATs only began working again once fw1 was brought back up – eventhough it is still the standby member of the HA pair! So, my questions are:

1. Any thoughts on why/how this happened? Do the standby members of an HA pair still handle any traffic? They apparently are in our case, but is this “normal” or is something else messed up?!

2. Is there any way to force a synch of the members in an HA pair – ie, we know the two FWs have mismatched configs (since OWA App works when one FW is active and consistently fails when the other is active) but the checkpoint GUI just looks at the pair's overall policy as one-in-the-same. So is there a way to push a config from one member of an HA pair to another? Is this best done via the GUI or CLI?

3. I may just end up building a new machine and adding it to the XL cluster – any feedback or recommendations on this would be greatly appreciated since I have limited experience w/ HA in SPLAT

Thanks in advance for any/all feedback!
Regards, Leah