Q: How do I check if state sync is working between the firewalls?
A: On previous versions of FW-1 you could use
netstat -an
but this no longer works. Those older versions used TCP to synchronize the connections table; newer versions use a custom UDP-like L2 protocol.
cphaprob state
is supposed to give the status of the HA config. However, according to Nokia, it is more reliable to execute
fw tab -t connections -s
on each firewall, then compare the value for #VALS (the number of entries in the connections table). The two values should be close.
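The #VALS comparison described above can be scripted. This is an added example, not part of the original answer: the function names, the sample output and the 10 percent tolerance are assumptions (the answer only says the values should be "close").

```shell
#!/bin/sh
# Constructed sample output of `fw tab -t connections -s` from two cluster members.
FW1_OUT='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  4812  9120    9630'
FW2_OUT='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  4790  9055    9584'

# Read a summary on stdin and print the #VALS value of the connections table.
# The column is found by header name, not by a fixed position.
vals_from_summary() {
    awk '
        !col { for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i; next }
        $2 == "connections" { print $col; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Return 0 if the two counts differ by at most pct percent of the larger one,
# 1 if they differ by more, 2 if an argument is not a non-negative integer.
# The 10 percent default is an assumption; the page only says "close".
vals_close() {
    pct=${3:-10}
    for n in "$1" "$2" "$pct"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$1" -ge "$2" ]; then hi=$1 lo=$2; else hi=$2 lo=$1; fi
    [ $(( (hi - lo) * 100 )) -le $(( hi * pct )) ]
}

# On live members, replace the printf with: fw tab -t connections -s
v1=$(printf '%s\n' "$FW1_OUT" | vals_from_summary)
v2=$(printf '%s\n' "$FW2_OUT" | vals_from_summary)
if vals_close "$v1" "$v2"; then
    echo "sync looks healthy: #VALS $v1 vs $v2"
else
    echo "sync suspect: #VALS $v1 vs $v2"
fi
```

Capture the two summaries as close together in time as possible, since the connections table changes constantly on a busy cluster.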