April 11th, 2002, 09:48 PM
Need some checkpoint advice plz
Right now I'm running FW-1 v 4.1. I'd like to upgrade to NG. But I'd like to do it in a test environment before I do it in production. There are also some things I'd like to mess around with in FW-1 in general, but I'm not going to do it on our active server. I talked to CP, and they said that I could get an eval version to run tests on. But they said that I could not run the upgrade from 4.1 to NG on the eval version.
CP's licensing makes the product bound to the IP address, so it's not like I could just install the product elsewhere and try it out. I'd like to have the test server have access to the internet, but can't do that because of the IP licensing. I can't put a proxy in front of the CP machine to hide its IP, because all our external IPs are in the same range (see where the problem there is?)
So does anyone have a decent method for testing CP's FW-1?
April 11th, 2002, 09:51 PM
You're telling me that they don't supply you with a way to test the upgrade, before you upgrade? Nice.
etsh911(mrwall) or Invictus could probably help.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
April 11th, 2002, 10:40 PM
Yeah it was a great feeling. Called them up, and the 'support' guy just stammered and said..."There's no way to do that, that I know of. Go ahead and upgrade, then call support if it messes up." Just a little bit frustrating...
April 12th, 2002, 12:31 AM
Build your test environment offline (from the internet anyway), use the same IP and copy the rulebase and confs into the new one. Make sure the two can't see each other. Then upgrade and test. That's the best way if you can't connect to the internet and don't want to pay for another. If you don't mind extra work - put some web and ftp servers etc. into a DMZ coming off this test net and then upgrade and see how it goes.
April 12th, 2002, 03:11 PM
I'm probably going to do just that, Gold Eagle. I'm waiting to see what Invictus or mrwall say about this one, but that's the route I'm probably going to take.
April 12th, 2002, 04:49 PM
I have used CP 4.1, what tests did you wanna run?
Have you tried http://www.phoneboy.com ?
Good advice / tips & tricks.
Also read Essential Checkpoint Firewall-1: ISBN 0-201-69950-8
Good luck !!!
April 12th, 2002, 05:24 PM
I'd just like to have a test environment out there to play with. I've been meaning to get that book, but no time.
Thanks for the reply!
April 12th, 2002, 09:11 PM
Ok....this is actually a pretty simple one.
Here is what you need to do.
1. Go to the user center and relicense your current version of CP to the test IP and upgrade it to NG.
2. Keep the old 4.1 license on your production box until you are ready to upgrade in production.
3. Do any testing you wish on the new box, and when it is ready, go back to the CP usercenter and relicense NG to the production IP address.
4. Upgrade the production box, apply the new license, and you should have no problems.
**There is actually an engineer from CP working with me right now, and I verified this process with him. There are no problems with doing it this way.
Hope this helps.
April 12th, 2002, 09:17 PM
Hey, sounds pretty good! Thanks a lot, man!
I'll try it out now.
Hey, worked like a charm (not that I had any doubt!) The checkpoint people said you could switch 5 times before having to ask them to reset it, but man this is perfect!
Thanks a lot, man!