https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137802#M20879 <P>Hi Ratnesh,<BR /><BR />It really doesn't make a difference, policy will start applying once the active gets it, whilst the standby is on-freeze and not getting data connections.</P><P>&nbsp;</P><P>Having said that, Which one "installs first" will depend on many factors but mainly:</P><P>&nbsp;</P><UL><LI>Which member gets the policy files on&nbsp;$FWDIR/state/__tmp/FW1 first<UL><LI>This will depend if the standby is a silent standby, or independent with different network speeds from manager to active and manager to standby</LI></UL></LI><LI>Which one processes those files first<UL><LI>Here, as you guess, will depend on the resources available. In general, a standby member is idler than the active so it installs the policy first.</LI></UL></LI></UL><P>Hope that helps.</P> Thu, 06 Jan 2022 09:58:59 GMT Juan_ 2022-01-06T09:58:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137751#M20870 <P>Hi Team,</P><P>I need some clarification. When we are installing policy on security gateway cluster configured in HA (Active/ Standby) .On which gateway policy will get install 1st . Standby or Active or both in parallel . Thanks&nbsp;</P> Wed, 05 Jan 2022 15:34:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137751#M20870 Ratnesh_Singh 2022-01-05T15:34:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137755#M20871 <P>I could be wrong when I say this, but I dont believe there is a method to it. I had seen many times where backup member gets policy first, but then in lots of cases, its master that gets done before backup.</P> Wed, 05 Jan 2022 16:15:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137755#M20871 the_rock 2022-01-05T16:15:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137802#M20879 <P>Hi Ratnesh,<BR /><BR />It really doesn't make a difference, policy will start applying once the active gets it, whilst the standby is on-freeze and not getting data connections.</P><P>&nbsp;</P><P>Having said that, Which one "installs first" will depend on many factors but mainly:</P><P>&nbsp;</P><UL><LI>Which member gets the policy files on&nbsp;$FWDIR/state/__tmp/FW1 first<UL><LI>This will depend if the standby is a silent standby, or independent with different network speeds from manager to active and manager to standby</LI></UL></LI><LI>Which one processes those files first<UL><LI>Here, as you guess, will depend on the resources available. In general, a standby member is idler than the active so it installs the policy first.</LI></UL></LI></UL><P>Hope that helps.</P> Thu, 06 Jan 2022 09:58:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policy-push-on-security-gateway-cluster/m-p/137802#M20879 Juan_ 2022-01-06T09:58:59Z