Checkpoint Express and VRRP

[F1LL82]

Hello all.

Up till now my organisation has always used a Nokia IP130 with a checkpoint express license running with both the enforcement and management modules on the nokia box. We have recently purchased two Nokia IP350's and two more checkpoint express license's with the plan being to implement a VRRP cluster that is centrally managed from a windows based machine.

Firstly, are these licenses suitable for what we have in mind. I have seen various posts on the net referring to a HA license. Is this necessary for use with VRRP?
Secondly, after re reading through some of the "Essential Checkpoint Firewall-1 NG" book on how to build this centrally managed cluster i notice a few differences to what i see when installing. I am presuming this is down to upgraded versions of IPSO and Checkpoint. The version of IPSO both IP350's are running is 3.0 build 41 and Checkpoint is NGX R60. When i run this initial setup of CPCONFIG i am presented with the options Checkpoint enterprise pro and Checkpoint express CI. as my license is for Checkpoint express would i be right in thinking that it is the express i need to install? If this is the case, will i still be prompted to decide between if i want it to act as a standalone or distributed server. I ask before trying as i have had long drawn out problems going through the reinstall of checkpoint in the past and would prefer to avoid doing so again.

Any help or suggestions would be greatly appreciated.

Regards,
Phill

[Lackie]

Quote:

Originally Posted by F1LL82

I have seen various posts on the net referring to a HA license. Is this necessary for use with VRRP?

The version of IPSO both IP350's are running is 3.0 build 41 and Checkpoint is NGX R60.

When i run this initial setup of CPCONFIG i am presented with the options Checkpoint enterprise pro and Checkpoint express CI. as my license is for Checkpoint express would i be right in thinking that it is the express i need to install? If this is the case, will i still be prompted to decide between if i want it to act as a standalone or distributed server.

You don't need an HA license to run VRRP on IPSO. It's a function of IPSO, you will just need a firewall license for both appliances.

I'm presuming that you ment 4.0 build 41.

In all of my past installations, every time I pick anything with express, it installs it as a standalone (management and firewall on one) which is not what you want in a VRRP cluster. I would install the pro, I think you can still put the express license on it.