Hi Chris, 
I'm really glad you mentioned "Cluster XL monitors the highest and lowest active VLANs on an interface", because I didn't know this. So am I right in saying that ClusterXL will monitor itself through all physical interfaces, but if an interface is trunked with VLANs, then it elects to monitor itself through one particular VLAN on that interface? I just checked now and I can see the VLAN in question is indeed the lowest numbered VLAN on it's particular interface that it's currently being trunked on, yes. What are the implications and what steps must I follow? 

The ClusterXL admin guide and serval SK articles describe VLAN monitoring in detail.

The highest and lowest VLAN IDs on a trunk are both monitored by default (configurable).

In your situation it's important to not take shortcuts since the lowest VLAN ID is one that will directly trigger the interface active check/pnote of ClusterXL. 

The ClusterXL admin guide says the following:
"ClusterXL (including VSX) supports the Synchronization Network (CCP packets that carry Delta Sync information) only on the lowest VLAN ID (VLAN tag). For example, if three VLANs with IDs 10, 20 and 30 are configured on interface eth1, then you can use only the VLAN interface eth1.10 for the State Synchronization."

This leaves me with more questions than answers. Okay so here are my questions:

Is the state synchronization mentioned here the same type of synchronization offered by a 'Sync' interface?
If I have a dedicated 'Sync' interface, is the above statement about 'the lowest VLAN ID' irrelevant?
If the state synchronization mentioned here is a different type of synchronization offered by a 'Sync' interface, then what exactly is that difference, where I can learn more information about this difference, and what are the mitigation steps to avoid any issues if this 'lowest VLAN ID' were to be deleted?
Where exactly does it mention that the lowest VLAN ID is one that will directly trigger the interface active check/pnote of ClusterXL?

Any information you can shed is very  gratefully appreciated. 

For a given cluster there is typically only a single sync interface defined in the cluster topology either physical or VLAN.

Again, both the highest and lowest VLAN are monitored on a trunk port used as a data interface by default.

Just to tell you something from my own experience...when you add clans in web UI, and you go to dashboard, do NOT click "get interface with topology", as that can mess up everything. Just do get interfaces without topology and I would also recommend to set topology as "network defined by routes", as that calculates topology behind the interface.

@the_rock - thank you for this note about your experience with adding VLANs. I did actually see this in another post, that adding "WITH topology" will cause problems. I'll make sure I add new interfaces WITHOUT topology, yes. Many thanks for this. 

Hi - could you not simply delete the interface in Cluster XL and then delete the interfaces on the gateway?

In very simple terms you have described what sk57100 documents as the removal process.

Thanks Chris. What I was wondering was, could you delete the cluster interface, and remove/disable the interface on the gateways, without entering "cphastop" and then "cphastart" on the standby gateway?

This was the exact process I used. I did not need to use cpstop/cpstart.

1. Backup both gateways

Take backups and snapshots. Save to external location.

2. Disable the interfaces from Solarwinds Monitoring.

3. Edit the Cluster object in SMS

Go into Cluster member tab, change the IP addresses for both cluster members to the new IP addresses.

4. Perform a SIC test in SMS to ensure comms to/from both gateways function as expected.
SIC was working fine.

5. Update the Alias URL (Platform Portal URL) within Smart Centre.
1. Place the new URLs in manually for each gateway.

6. Push an blank/empty Policy change to the firewall cluster in SMS

7. Change the Management IP address of the gateway in GAIA

Update each gateway to the new management interface in CLISH

Update the DNS host file entry for the firewall hostname/IP mapping:

8. Check ID Awareness PDP to ensure the firewalls are still connected to ID sharing peers:

pdp connections pep

pep show pdp all

Perform validation testing

Thanks - I was just wondering. I am due to remove a cluster object and reinstate it on a different interface on our firewall gateways. Would you recommend following that process?

Sorry, no. I didn't read the title of this thread properly. That process I just gave you was for changing a Management interface to a new interface on the same firewall. Do not follow it for what you are doing, no. 

Thanks Martin. So, would you recommend following the process outlined earlier in this post, or just delete the cluster interface, reconfigure the physical interfaces on the gateways, and then add the cluster interface referencing the new physical interfaces?

yes, follow it. You will need to cpstop / cpstart. 

Thanks - so that is "cphastop/cphastart" on the standby gateway? Just making sure to cover all bases.

yes, exactly as I have written it in bold in the original post. 

Thank you Martin. Much appreciated.