Let me tell you about Nokia IP440 firewalls. They aren't as much fun as they would appear to be. Luckily for my sense of thriftyness, some one else purchased them before I started. Their web based config is nice until you realized that you can't do anything more exciting than set IP addresses and make VRRP links without using the Checkpoint Windows GUI. Ugh. I think I'll play a bit with VRRP today and see how well the stuff works. It almost smells like it should be a kernel level protocol with a user-space helper, instead of the completely userspace device they have now.