Well, I have the first proper training course for the new FireBricks starting tomorrow. Two day course.
It is a tricky topic as you end up spending your time explaining basic IP routing if you are not careful (and that is a separate course).
The way the new FB2700 and FB2500 work is a tad different to the older FB105 FireBricks, which is not surprising as we re-wrote the whole thing from scratch. This makes the training course slightly more complex. If someone knows the FB105 we have to cover all the differences, but if they don't we can explain the new system from scratch.
The main difference is the underlying routing logic. The FB105 made routing very much tied in to the session tracking logic at a low level. The session tracking was the routing cache. So the basic logic for establishing a session also defined the routing. It meant the routing rules were a list of rules (match the first you find) defining where the packets were to go, and that stuck for the session.
The new system is not that far off in some ways, as there is a session-based routing override, but at its heart the new FireBricks use conventional routing logic. This means you decide where a packet goes based on the target IP address and the routes you currently have (most specific applies). This is different to the 105, which worked on a rule list rather than a most specific route, and did not route per packet. The new routing is based on static routes, profiles, BGP and all sorts, and can change per packet - like normal routers.
However, the new FireBricks have a trick up their sleeve - they have per-session logic to allow or deny the session, obviously, but that logic can also set a new gateway for routing for the session. This works using a route override table checked at session set-up, just like the 105, and kept for the whole session. Unlike the 105, instead of saying directly where the packet goes, it says so indirectly by giving a new target IP for routing purposes. This allows routing based on protocol and source IP just like the 105, but as the target is itself just an IP, the target is subject to the routing rules as they change in real time. The end result is a lot more flexible, especially when looking at fall-back type arrangements where you want routing to change on the fly for an established session.
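The two layers described above, as an added example in Python that is not FireBrick code or configuration: a most-specific-prefix lookup done per packet, plus an override table consulted once at session set-up that stores a gateway IP which is then routed normally. The class, the next-hop labels and all addresses are constructed for illustration.

```python
import ipaddress

class Router:
    """Toy model of the two layers described above (not FireBrick code)."""

    def __init__(self):
        self.routes = {}     # prefix -> next hop (constructed labels)
        self.overrides = []  # ordered (protocol, source prefix, gateway IP)
        self.sessions = {}   # session key -> gateway IP chosen at set-up, or None

    def set_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def del_route(self, prefix):
        del self.routes[ipaddress.ip_network(prefix)]

    def lookup(self, ip):
        """Conventional routing: the most specific matching prefix wins."""
        addr = ipaddress.ip_address(ip)
        hits = [net for net in self.routes if addr in net]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def forward(self, proto, src, dst):
        """Return the next hop for one packet of session (proto, src, dst)."""
        key = (proto, src, dst)
        if key not in self.sessions:
            # Session set-up: the first matching override is kept for the session.
            s = ipaddress.ip_address(src)
            self.sessions[key] = next(
                (gw for p, net, gw in self.overrides if p == proto and s in net), None)
        # Per packet: route on the override gateway if set, else the real target.
        return self.lookup(self.sessions[key] or dst)

def demo():
    r = Router()
    r.set_route("0.0.0.0/0", "default-wan")
    r.set_route("198.51.100.1/32", "line-a")    # preferred path to the gateway
    r.set_route("198.51.100.0/24", "line-b")    # fall-back path to the gateway
    r.overrides.append(("tcp", ipaddress.ip_network("10.0.1.0/24"), "198.51.100.1"))
    hops = [r.forward("tcp", "10.0.1.5", "203.0.113.9"),   # override applies
            r.forward("tcp", "10.0.2.5", "203.0.113.9")]   # no override
    r.del_route("198.51.100.1/32")                         # line-a route withdrawn
    hops.append(r.forward("tcp", "10.0.1.5", "203.0.113.9"))  # same session
    return hops

if __name__ == "__main__":
    print(demo())
```

The third hop changes even though the session's stored gateway does not, which is the fall-back behaviour for an established session.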
Of course, that is not the only change - but it is probably the deepest change to try and explain. We have a totally new web user interface, and a new idea of a config that is all in XML (with web-based editing tools). One of the biggest changes is that IPv6 is fully supported and pretty seamless. Basically, almost anywhere you can put an IP address you can put either IPv4 or IPv6. At present DHCP settings are an exception but even that will probably change. We even do new VRRP3 so IPv4 and IPv6 are just interchangeable on VRRP settings.
The new FireBricks then have a load of new features like L2TP and BGP, but they are not too hard to explain.
Should be a fun course.
Next month we are considering doing a one-day course on this for end users rather than dealers, and I would be interested to hear if anyone wants to go on that. No idea on course pricing yet - catch me on IRC.