Migrating Checkpoint 4.1 DES VPN to another version of Checkpoint

Hi! I have Checkpoint Firewall 4.1 DES VPN working on NT 4.0 SP6A. It works well, but it has limited resources for new policies we want to apply, it has some vulnerabilities, and it is old, too.
We are migrating NT4 to Windows 2003 Server and we want to upgrade the Checkpoint Firewall too.

Some time ago, I noticed that Checkpoint had a new version, named Checkpoint NG. And nowadays
I am lost. Is there a new version? Is it stable?

Which version is recommended for migrating from Checkpoint 4.1? A secure and
bugless version?

Or, do you recommend another firewall, which has an excellent administration GUI and
is secure and has resources like checkpoint? I accept suggestions.

PS: Discard appliances.


Best Regards,
Artur
artur_dietrich Asked:
dbardbar Commented:
The original FireWall-1 NG was released quite a few years ago, and then it had several service packs (which CP called Feature Packs), up to FP3.
Then the names really started to get funky. There was R54, R55, R55W and now R60.

I have experience with all versions up to R55W. Personally I think R55 was the most stable, but generally speaking they were all pretty stable. The major infrastructure changes were done between 4.1 and the original NG, which because of that had tons of bugs. But after FP3 (including), they were all pretty stable (in my opinion).
Upgrading from 4.1 to R60 is not supported. You should upgrade to R55.
Personally, I would then upgrade to R60. But wait and see the opinions of the other guys here at EE.

As always, don't expect the latest, most cutting-edge features to be bug-free. But the basic hard-core functionality is reliable.
Especially in the case of Resources - I think there was a lot of improvement there compared to 4.1. Also, there is a lot of new functionality, and a much nicer and better GUI. (You just "love" the Log Viewer in 4.1, don't you? :-)

What you should be reading about is the "Upgrade Utilities"/"Upgrade Tools". Those are a set of a few simple utilities (each version has its own set), which you can run on your old machine, and it will suck all the information it needs into a nice little zip file. You can then take the zip file to your new machine, run another utility, and it will take all your configuration and upgrade it to the newer version on the new machine. You could then at your own time test the new FW-1, see that everything got upgraded correctly, and everything is working properly. When you are good to go, you can take your old machine offline, and put the new one instead, with little downtime.
This is all explained pretty well in the Upgrade documents of each version. You can download the documentation from CP site, with your user center account. If you do not have an account, you can open one for free.

You might also want to consider "SecurePlatform". It is a Linux distribution that was created by Check Point, which has a lot of integration with the other Check Point software. It can be installed on any plain (or server class) PC, and gives you a nice "appliance" look and feel. Personally, I like it. If and when you get the new R55/R60 CD, if you boot from it, it will install SecurePlatform on the hard drive (wiping it clean!), along with FW-1. I think you should at least give it a look. It has been around since about NG FP2, so it is pretty stable and feature-rich right now.

Regarding the licensing - you should definitely talk to your local reseller, to help you in the licensing maze, to choose the license most fitting your needs. The licensing scheme has changed over the years, and it is now quite complex.