For anyone who has never used VRRP for Nokia appliances running Checkpoint, I just wanted to point out a "gotcha" that you will probably come across during the configuration that seems to get me every time (for some reason, I always forget).

After the VRRP configurations are done in Voyager, there is a rule that needs to be added to the Checkpoint rulebase before the FO configuration will work properly. You basically need to add a rule to allow VRRP multicast to be accepted on the VRRP interfaces. Now this is where I always screw it up. You would think that you would need a rule like this:

SOURCE
-------------
FW1
FW2

DESTINATION
------------------
FW1
FW2

SERVICE
--------------
VRRP

ACTION
---------------
Accept

This, you might think, would allow VRRP multicast traffic to be sent between the 2 firewalls, right? Wrong...this will not work!!!!

The solution is actually found in the statement above. VRRP is actually multicast traffic, therefore the destination is not actually the VRRP interface on the firewall. Instead the destination should be the VRRP multicast address (224.0.0.18). So when it is all said and done, your CP rule should look something like this:

SOURCE
------------
FW1
FW2

DESTINATION
------------------
VRRP-Multicast address (224.0.0.18)

SERVICE
-------------
VRRP

ACTION
------------
ACCEPT

Well, I do not know how many of you guys might find this information useful, but if you ever do need it, hopefully it will save you lots of troubleshooting, and you will not be as dumb as me and forget every time...lol

The answer is not really difficult, but can be misleading because logic will lead you in the wrong direction!!

Good Luck

iNViCTuS
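
Added example (not part of the original post): a Python sketch that builds a constructed VRRPv2 advertisement, parses the header fields a rule matches on, and tests them against simplified models of the two rules above. The member addresses 192.0.2.1 and 192.0.2.2, the VRID and the rule dictionaries are assumptions for illustration; this is not Check Point's rule engine.

```python
import ipaddress
import struct

VRRP_PROTO = 112           # IANA-assigned IP protocol number for VRRP
VRRP_MCAST = "224.0.0.18"  # VRRP multicast address named in the post
# Constructed addresses for the two cluster members (assumptions).
FW1, FW2 = "192.0.2.1", "192.0.2.2"

def build_advert(src, vrid=10, priority=100, vip="192.0.2.254"):
    """Build a constructed IPv4 + VRRPv2 advertisement (checksums left at zero)."""
    vrrp = struct.pack("!BBBBBBH4s8s", 0x21, vrid, priority, 1, 0, 1, 0,
                       ipaddress.IPv4Address(vip).packed, b"\x00" * 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(vrrp), 0, 0,
                     255, VRRP_PROTO, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(VRRP_MCAST).packed)
    return ip + vrrp

def parse_header(packet):
    """Extract the fields a firewall rule matches on."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": proto,
        "ttl": packet[8],
        "vrid": packet[ihl + 1] if proto == VRRP_PROTO else None,
    }

def rule_matches(rule, pkt):
    """Simplified rule check: source, destination and service must all match."""
    return (pkt["src"] in rule["source"]
            and pkt["dst"] in rule["destination"]
            and pkt["proto"] == rule["proto"])

# First rule from the post: destination is the firewalls themselves.
RULE_WRONG = {"source": {FW1, FW2}, "destination": {FW1, FW2}, "proto": VRRP_PROTO}
# Second rule from the post: destination is the VRRP multicast address.
RULE_RIGHT = {"source": {FW1, FW2}, "destination": {VRRP_MCAST}, "proto": VRRP_PROTO}

def evaluate(src):
    """Return (matches first rule, matches second rule) for an advert from src."""
    pkt = parse_header(build_advert(src))
    return rule_matches(RULE_WRONG, pkt), rule_matches(RULE_RIGHT, pkt)

if __name__ == "__main__":
    for fw in (FW1, FW2):
        print(fw, parse_header(build_advert(fw)), evaluate(fw))
```

The advertisement's destination field never carries a member address, so the first rule cannot match it regardless of which firewall sends it.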