This morning I attempted to swap the cables that connected the old Firewall-1 Management Server to the rest of the network, and to the test LAN's management segment. It should have Just Worked™ but it didn't.
11:23:09 drop 172.28.49.3 >bge0 product: VPN-1 & FireWall-1; src: 172.20.50.203; s_port: 2730; dst: 172.28.49.3; service: 22; proto: tcp; th_flags: 19; message_info: TCP packet out of state;
is what the logs said. Jono said that should only happen if there's a routing error, which there isn't. I'm wondering if it's got something to do with the change in interface names. Unfortunately, the way this test network is set up, the Windows Terminal Server from where I can run the management GUI is through this Management Server (it's also an Enforcement Node), so until I can convince it to pass traffic as per its policy, I can't manage it terribly well. It's really annoying, because the Lightwave that is attached to its console is also through the firewall, so I have to go into the computer room with my laptop and physically plug into the console port, which means I can't be sitting outside testing network connectivity with my laptop plugged into the normal management LAN.