> In SmartConsole, look at each firewall's topology table. My bet is the old firewall has some antispoofing groups and the new one doesn't.

Since the old firewall and new firewall share the same IP address, I replaced one with the other in smart console, so I no longer have access to the exact setting that were in smart console. I guess i could add it back on, replacing the new one, but I doubt smart console would remember what those settings were. 

The answer to the second part helps. looking at another similar firewall, performing the same functions, there is one interface set as an internal and the other external, I copied that configuration, but didn't do an install. So all the changes I did to the interfaces via smart console to troubleshoot the issue didn't apply in the first.   

Anytime you make a change in SmartConsole, for it to take effect on the gateways, the session must be published and the policy must be installed to the gateway.

Deleting the old object before the new firewall is functional is a really bad idea. You shouldn't do that in the future. You generally shouldn't even make a new firewall object. Just use the same object, reset SIC, establish it with the replacement firewall, and push policy.

You can view old management database states. Manage & Settings > Sessions > Revisions > pick a revision, then hit View.

Not according to TAC and I agree with them, sorry. I think its actually better to delete the old object, because it makes database cleaner.

Who suggested that? It's a waste of time, and leads to issues like this when some config from the old object isn't brought over. The whole point of firewall objects in a management database is to give the management server a standardized view of the hardware so it doesn't need to care about the implementation details like what server it's on.

When a cluster member fails, do you build a whole new object for the replacement one?

Who told me that? At least 5 TAC engineers and I agree with all of them. I had been doing it that way for ages and never had a single problem. Thats your opinion its waste of time, to each their own : - )

I agree, by not wiping all the settings, I was able to utilize the old firewall while the new firewall was getting set up, so there was no user outage. I had the rack space and power to run both, so why not run both. After I had issues, I was able to troubleshoot using the management interface on the new firewall and leave the interfaces on the old firewall, only occasional moving them over to test.

Ok the good news is this worked, Setting the one interface external and the other interface internal, and installing the settings, everything worked fine, even with anti-spoofing enabled again.  But I really don't understand why. I had previously had both interfaces set for external and anti-spoofing disabled, (and Installed) but was still getting packets dropped due to spoofing.  I read somewhere that disabling anti-spoofing can only be applied globally, if this is true, then what is the point of having the option on interfaces to disable anti-spoofing if it does nothing. If anti-spoofing can be disabled on the interfaces, then no packets should have been dropped. While I understand that disabling anti-spoofing isn't exact the correct way to set up a firewall, I was just trying to get it to work and narrow down the the problem was from there.