you might be able to upgrade your passive firewall to 4.9 next to the active
4.7 one. it looks like the protocol stayed the same so they should be able to
talk to each other.

however, it looks like bulk updates were broken in 4.7, which would explain
your failover problems. you can work around that by going "pfctl -S
/dev/stdout | ssh activefw pfctl -L /dev/stdin" as root on the passive fw.

as a matter of interest, are you using ospf for failover on one side of your
firewalls?

dlg

On 20/04/2011, at 2:45 PM, Jonathan Lassoff wrote:

> On Tue, Apr 19, 2011 at 7:14 PM, David Gwynne <l...@animata.net> wrote:
>> i had this same problem and fixed it in time for the 4.8 release. is it
>> possible you can upgrade?
>
> Do you mean that this was an issue in 4.7 that was fixed in 4.8?
>
> I most definitely plan to upgrade (all the way to 4.9, most likely),
> but am stuck with 4.7 for now, since there's not a hitless way for me
> to upgrade right now (mostly due to pfsync causing sessions to reset
> when failing over).
>
> Thanks for the pointer.
>
> Cheers,
> jof
