Migrating Checkpoint 4.1 DES VPN to another version of Checkpoint

Posted on 2006-05-03
Last Modified: 2013-11-16
Hi! I have Checkpoint Firewall 4.1 DES VPN working on NT 4.0 SP6A, it works well, but have limited resources for new policies we want apply and has some vulnerabilityes and it is old, too.
We are migratin NT4 to Windows 2003 Server and we want upgrade the Checkpoint Firewall too.

Times ago, I noticed tha Checkpoint had a new version, named Checkpoint NG. And nowadays
I am lost. Is there a new version? Is it stable?

Which version is recommended for migrating from Checkpoint 4.1? A secure and
bugless version?

Or, do you recommend another firewall, which has a excelent administration gui and
is secure and has resources like checkpoint? I accept suggestions.

PS: Discard appliances.

Best Regards,
Question by:artur_dietrich
    1 Comment
    LVL 5

    Accepted Solution

    The orignal FirelWall-1 NG was released quite a few years ago, and then it had several service packs (which CP called Feature Packs), up to FP3.
    Then the names realy started to get funky. There was R54, R55, R55W and now R60.

    I have exprience with all versions up to R55W. Personally I think R55 was the most stable, but generly speaking they were all pretty stable. The major infrastructure changes were done between 4.1 and the orignal NG, which becuase of that had tons of bugs. But after FP3 (including), they were all pretty stable (in my opinion).
    Upgrading from 4.1 to R60 is not supported. You shoudl upgrade to R55.
    Personally, I would then upgrade to R60. But wait and see for the opnions of the other guys here at EE.

    As always, don't expect the most latest, most cutting edge features to be bug-free. But the basic hard-core functionality is reliable.
    Especialy in the case of Resources - I think there was a lot of improvment there compared to 4.1. Also, there lot of new functionality, and a much nicer and better GUI. (You just "love" the Log Viwer in 4.1, don't you? :-)

    What you should be reading about is the "Upgrade Utilities"/"Upgrade Tools". Those are a set of a few simple utilties (each version has it's own set), which you can run on your old machine, and it will suck all the information it needs into a nice little zip file. You can then take the zip file to your new machine, run another utility, and it will take all your configuration and upgrade it to the newer version on the new machine. You could then at your own time test the new FW-1, see that everything got upgraded correctly, and everything is working properly. When you are good to go, you can take your old machine offline, and put the new one instead, with little downtime.
    This is all explained pretty good in the Upgrade documents of each version. You can download the documentation from CP site, with your user center account. If you do not have an account, you can open one for free.

    You might also might want to consider "SecurePlatform". It is a Linux distribution that was created by Check Point, which has a lot of integration with the other Check Point software. It can be installed on any plain (or server class) PC, and gives you a nice "appliance" look and feel. Personally, I like it. If and when you get the new R55/R60 CD, if you boot from it, it will install SecurePlatform on the harddrive (wiping it clean!), along with FW-1. I think you should at least give it a look. It has been around since about NG FP2, so it is pretty stable and feature-rich right now.

    Regarding the licensing - you should definantly talk to your local reseller, to help you in the licenseing maze, to choose the license most fitting your needs. The licenseing scheme has changed over the years, and it is now quite complex.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
    If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    13 Experts available now in Live!

    Get 1:1 Help Now