In a DBHA setup, after disabling CoreXL on 2 members of the cluster on the VRRP backup chassis, traffic can be affected on the primary due to a mismatch in security policy/configuration on the firewalls.To review, a firewall policy consists of both the rule set and the features enabled on the Check Point Security Gateway/Cluster Member. After disabling CoreXL on the VRRP backup chassis and then reloading the APM's, we found that tcp traffic (ie. an ssh session) was inconsistently able to connect, as opposed to when all APMs had the same policy/configuration. As noted, after disabling the CoreXL on the VRRP backup chassis and then reloading the APMs, their "sync" status (via cphaprob state) came up in an "active" state. On the primary, when the APMs booted up, each APM's "sync" status went into a "ready" state.