Upgrading from NG FP2

[lowfell]

I have a customer who has the NGFP2 running a Nokia IP300
"Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 52284"

The Nokia is running
Ipsrd version ipsrd-IPSO-3.6-FCS3-08.01.2002-12:41:34

My questions are these

1. Given the versions the customer is currently running, what is the latest version they can upgrade to, can they go stright to NGX? Or can trhey only go to NG ???

2. Will the Nokia IPSO need uprading as well, or will the checkpoint run over the top of this version regardless ?

Thanks in advance, your input is greatly appreciated.

[chuachongchee]

Quote:

Originally Posted by lowfell

I have a customer who has the NGFP2 running a Nokia IP300
"Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 52284"

The Nokia is running
Ipsrd version ipsrd-IPSO-3.6-FCS3-08.01.2002-12:41:34

My questions are these

1. Given the versions the customer is currently running, what is the latest version they can upgrade to, can they go stright to NGX? Or can trhey only go to NG ???

2. Will the Nokia IPSO need uprading as well, or will the checkpoint run over the top of this version regardless ?

Thanks in advance, your input is greatly appreciated.

For qns 1, i would advise to migrate the config thru upgrade_export/upgrade_import, but you cannot upgrade the checkpoint app straight to NGX..

For qns 2, i'm not a nokia kinda guy.. so i'm not sure...

[RayPesek]

You would have to go to NG FP3 Hotfix 2. I think you can stay on IPSO 3.6.

Then you would have to go to R55 HFA20.

Then take IPSO to v3.9 for the first NGX-compatible version of IPSO.

Then go to R60

Then go to whatever version of CP and IPSO you need to.

What's the hardware? That's pretty old software and my guess is the hardware won't handle NGX.

Personally, I would build a brand new R65 system and recreate all of the objects and rules from scratch. You're going to hit some issues because you won't be able to adequately test each intermediate step and it will be a lot cleaner system after you're done.

Ray

[mcnallym]

I would say that as IPSO 3.6 then will be an IP330 as the IP350/380 were IPSO 3.5.1 then 3.7 etc, they don't run IPSO 3.6.

In my opinion the 330 is not suitable for NGX as too slow, also it goes EOL in September so will need to be replaced this year anyway.

As such I would suggest as Ray, and start again clean. I would also advise that migrates to a seperate management server as Nokia is wasted when used for Management. I would suggest a SPLAT Server for Mgmt and then either SPLAT for Gateways or a new Nokia.

I would also advise that they update more frequently in future.