Policy push on security gateway cluster

Hi Team,

I need some clarification. When we install policy on a security gateway cluster configured in HA (Active/Standby), on which gateway will the policy get installed first: Standby, Active, or both in parallel? Thanks

I could be wrong when I say this, but I don't believe there is a method to it. I have seen many times where the backup member gets policy first, but then in lots of cases, it's the master that gets done before the backup.

Hi Ratnesh,

It really doesn't make a difference; policy will start applying once the active gets it, whilst the standby is on-freeze and not getting data connections.


Having said that, which one "installs first" will depend on many factors, but mainly:


  • Which member gets the policy files on $FWDIR/state/__tmp/FW1 first
    • This will depend on whether the standby is a silent standby, or independent with different network speeds from manager to active and manager to standby
  • Which one processes those files first
    • This, as you can guess, will depend on the resources available. In general, a standby member is idler than the active, so it installs the policy first.

Hope that helps.


