You don't technically need to, but pushes should be frequent anyway, otherwise you risk accumulating latent issues. That is, if you only push a given firewall's policy once per quarter, and you have a problem after a push, you have three months of changes to look through.
In my environment, we push every single policy almost every single weekday. Most are pushed M-F, some (from mergers) are only M-R. That way, if something breaks, we only need to review a few sessions to see what it could be.
The rest of this isn't directly related to updating the management server.
I find the best way to prevent outages is to test stuff as frequently as I realistically can. We do all updates and most upgrades with CDT, which has an automatic failover. We update everything at least twice per year, so every cluster gets at least two failovers per year to make sure both members actually work.
You may want to check out my cluster config diff tool. It runs on a management server, finds all the clusters which report to it, dumps their clish configurations, and checks for differences. This helps spot things which could be an issue (like a route on one member which was forgotten on the other member) before you fail over.
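The kind of member-to-member comparison described above can be sketched as follows. This is an added example, not the poster's tool: the sample dumps are constructed, and the list of lines allowed to differ between members (hostname, interface addresses) is an assumption to adjust for your environment.

```python
import re

# Assumption: lines matching these patterns legitimately differ per member.
MEMBER_SPECIFIC = (
    re.compile(r"^set hostname "),
    re.compile(r"^set interface \S+ ipv4-address "),
)

# Constructed sample dumps; not taken from any real gateway.
SAMPLE_FW1 = """\
# Configuration of fw1
set hostname fw1
set interface eth0 ipv4-address 192.0.2.11 mask-length 24
set static-route default nexthop gateway address 192.0.2.1 on
set static-route 10.20.0.0/16 nexthop gateway address 192.0.2.1 on
"""
SAMPLE_FW2 = """\
# Configuration of fw2
set hostname fw2
set interface eth0 ipv4-address 192.0.2.12 mask-length 24
set static-route default nexthop gateway address 192.0.2.1 on
"""

def normalize(config_text):
    """Return the set of config lines expected to match on every member."""
    kept = set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace differences
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment headers
        if any(p.match(line) for p in MEMBER_SPECIFIC):
            continue
        kept.add(line)
    return kept

def diff_cluster(members):
    """Map each member name to the lines a peer has but it lacks."""
    normalized = {name: normalize(text) for name, text in members.items()}
    union = set().union(*normalized.values())
    return {name: sorted(union - lines)
            for name, lines in normalized.items() if union - lines}

if __name__ == "__main__":
    for name, missing in diff_cluster({"fw1": SAMPLE_FW1, "fw2": SAMPLE_FW2}).items():
        for line in missing:
            print(f"{name} is missing: {line}")
```

A setting whose value differs between members shows up as a missing line on both sides, one per value.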