Can i upgrade?

[bstamper]

I currently have two firewalls running Secure Platform ng R55 with AI. They are Dell 1850's. I'd have the enterprise software subscriptions for them. After talking with checkpoint (i'm new to checkpoint and this environment) with the software subsciption I can upgrade to NGX. I know this would require upgrading my smartcenter as well as my firewalls. Is there a direct upgrade from NG to NGX? Or does it require some reconfiguration? It would appear to me like NG and NGX are pretty much two seperate products. When i look online for upgrades for SecurePlatform R55 is the latest i see? I have to search under Firewall-1 or VPN-1 to see the NGX stuff. So what is the difference as well. Does the NGX not run its own OS like SecurePlatform? Can someone give me a comparison between NG and NGX? I guess i'm not sure on the product line at this point?

[RayPesek]

You're in pretty good shape.

"Is there a direct upgrade from NG (R55) to NGX?" - Yes, however with any upgrade you need to read the release notes and upgrade guide carefully because there are so many different configurations available. Any reconfiguration should not be massive.

"It would appear to me like NG and NGX are pretty much two separate products." - "NG" is pretty old, five years at least. I think the progression was this:

4.1 a.k.a. Check Point 2000
NG
NG FP1, FP2, and FP3 (feature packs, service packs with new features)
NG AI R54
NG AI R55
(a few others such as Check Point Express)
R60
R61
R62
R65

NGX R60 came out almost two years ago. R61 and R62 mainly had improvements in the management features of R60, such as the ability to partially manage Connectra boxes and separate SmartDefense settings for each firewall. R65 is only a month or two old.

Yes, SecurePlatform is still the primary OS. However Check Point, for whatever reason, stopped posting the downloads for R60 and later. You had to order an Upgrade Kit from Check Point (the CDs). Beginning with R65, Check Point started putting the .iso downloads on their web site again.

The management server must be upgraded first. Then it can manage the R55 firewalls just fine, although newer features would not be available (like the separate SmartDefense settings).

I would (and did) go from R55 to R62 on the SmartCenter. I'd get comfortable with the interface and then upgrade the firewalls once you know where everything is.

Please feel free to post any questions you may have.

Take care,

Ray

[bstamper]

WOW this should be posted just like this on checkpoints site!! Well maybe it is but if it is i couldn't find it. Thanks so much! Walking into the environment not knowing anything bout checkpoint this has been awesome. I just can't believe we're that far behind when we're probably paying good $$ for the software subscription. Anyway, So you reccomend upgrading the smartcenter server to the latest version. Then upgrade the firewalls after I'm used to the server?

Thanks,

[bstamper]

Also under my software upgrades where do I find the smartcenter to download it? I don't see it as an option? Or does it come down with the upgrade ISO for the firewalls?

[RayPesek]

Glad you found it to be of help. You're not really that far behind. R55 is still supported until June 2008. That being said, you'll find that hotfixes (known as HFA's or HotFix Accumulators) get fewer and further between for the older versions. My guess is the vast majority of NGX users are on R60 unless they needed some of the new management features in R61 or R62.

You MUST upgrade the SmartCenter first or you will lose the ability to manage the firewalls.

Each CD has everything you need for a given operating system (likewise for an .iso file).

I don't know that I would go to R65 yet. Well, I do know, actually. I would not do that. The architecture of the product was changed so that new versions or features do not need a full install. They can be added ad an add-on. I think this change is very desirable, however that big a change had to touch a lot of code and I'm conservative with my firewalls by nature. :-)

If you go into your UserCenter account and find the Upgrade Kits link, Check Point will send you the CDs you need for free if standard mail is OK. They come quickly in the US.

Take care,

Ray

[bstamper]

So what version would you reccomend i be running? And why? I guess i just said R65 cause it was newest. And why not run the newest? I mean i don't really know it now so the learning curve for any changes wont really matter. Again thanks so much for all your help. This has been great feedback.

[chillyjim]

It really depends on what features you are going to be using. My recomendation in general is R60 HFA5 or R65. If you have VPN-1 Edge boxes to manage use R65 for sure. If you just have a firewall and no other check point devices, R60 may be better as its baked longer in the real-world.

That said I've not seen any real problems with R65 yet.

[NickBrandson]

Why not R65?
It is because it usually has "limitation", that CP would claim, need to be fixed in the latest version. I bet it's pretty stable when you do not touch/related to any "Security Server" or OPSEC.

[chillyjim]

As I said R60_HFA-05 may be better. I personally haven't seen any issues with R65. A friend at TAC says it seems to be OK, but some of their tools are not working well with it, so if it does break on you trouble shooting the problem may be an issue.