| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
I have a single Nokia FW running CP R60. We are replacing this FW with two new Nokias (IP 350s in a VRRP HA cluster). The current FW has a VPN terminated on it. So far I have this as my process:

1) Build new FW cluster according to our specs
2) Add new cluster to manager and save the current policy with a new name
3) Change all old FW object references in new policy to new FW cluster
4) Save and push

There are obviously some cutover tasks that I'm concerned with. Obviously I will have all but the admin ints disabled until 'go time'. My question is regarding the VPN. The VIP of the new cluster will be the same as the current FW's outside IP.

- How do I leave this VPN disabled prior to cutover so I don't break the existing tunnel?
- What other gotchas do others recommend I watch out for, based on previous experiences with builds like this?

Thanks

When configuring VRRP, make sure you disable monitor firewall state. This sometimes gets people and they will see the VRRP in a backup backup state... To disable the VPN tunnel on the new hardware, just disable the rules in the rulebase, but I wouldn't see this as a potential issue. The VPN will just rekey, so why not just swap over and leave it enabled?

__________________
tdvit CCSA CCSE