Hello CheckMates Community,
We are in the process of refreshing our Hardware and will be running the new Firewalls in parallel with the old.
For the cutover we are planning to simply change the routing currently pointed to Check Point Firewalls to the new Check Point Firewalls.
To reduce impact, I was considering disabling Out of State TCP checks for the initial cutover, with the assumption that the Firewall would then build its session table without worrying about seeing the initial SYN, allowing the current active sessions to stay active. Once we confirmed everything was up and functional, I was going to enable the Out of State checks.
My question is: Does the Firewall build the session table and then no longer care about Out of State Packets once a session is in the table, or, once re-enabled, will it simply drop all connections it never saw a TCP SYN for?