I went through the whole comments. Thank you for sharing. I have a similar issue. We are implementing Direct Connect, but for now we have a VPN using a VSX virtual system to connect to a VGW. We want to migrate that VPN connection to an actual pair of Cloud Guard transit gateways. When we do that, the VPN is established, but the request flows between a transit Cloud Guard FW in AZ1, which is routed through the transit VPC, to its corresponding EC2 instance in a different VPC, in a specific AZ. The reply from that EC2 instance is routed through a transit Cloud Guard FW in AZ2 (which is blocked because it is asymmetric; this CGFW didn't see the SYN coming).
I got two different suggestions:
1. Check Point support mentioned that to fix this I was supposed to configure BGP between the CG transit FWs and on-prem (VSX, which doesn't support VTIs). My question is: is it possible to set up BGP over two different VPNs using public IPs and a private ASN between two CG transit FWs and the on-prem VSX? Will this fix my issues regarding asymmetric routing?
2. Somebody else mentioned configuring MEP on the actual CG transit FWs to select an active and a standby CG FW, and at the same time configuring BGP route maps with different priorities so that one CG FW is always active and the other one standby.
Another question I have is: will this BGP implementation on my actual VS VPN firewall cause any potential impact on my other actual VPNs with third parties?
Thanks for all suggestions I can get from you.
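The asymmetric-path symptom described in the post (SYN seen on the AZ1 firewall, SYN-ACK arriving at the AZ2 firewall, which drops it as out-of-state) can be confirmed from connection logs before any BGP or MEP change is made. The script below is an added example written for this thread; it is not part of the original post and not a Check Point tool. It assumes a simplified, constructed record format (firewall name plus 5-tuple and TCP flags); real CloudGuard or VPC Flow Log exports would first need to be parsed into that shape.

```python
from collections import defaultdict

# Constructed sample records (not real firewall logs). Each tuple is:
# (firewall, src_ip, src_port, dst_ip, dst_port, proto, tcp_flags)
SAMPLE_RECORDS = [
    # SYN seen on the AZ1 firewall, SYN-ACK comes back via AZ2: the asymmetric case
    ("CGFW-AZ1", "10.10.1.5", 51000, "10.20.3.10", 443, "tcp", "S"),
    ("CGFW-AZ2", "10.20.3.10", 443, "10.10.1.5", 51000, "tcp", "SA"),
    # SYN and SYN-ACK both on AZ1: symmetric, healthy
    ("CGFW-AZ1", "10.10.1.6", 51001, "10.20.3.11", 22, "tcp", "S"),
    ("CGFW-AZ1", "10.20.3.11", 22, "10.10.1.6", 51001, "tcp", "SA"),
    # Reply for which no firewall ever logged a SYN (e.g. SYN bypassed both)
    ("CGFW-AZ2", "10.20.3.12", 80, "10.10.1.7", 51002, "tcp", "SA"),
]


def _is_syn(flags):
    """Pure SYN: the first packet of a client-initiated TCP connection."""
    return flags == "S"


def _is_reply(flags):
    """Any ACK-bearing segment counts as traffic that needs existing state."""
    return "A" in flags


def find_asymmetric_flows(records):
    """Return flows whose reply traffic was seen on a firewall that never saw the SYN.

    The forward-direction 5-tuple (client -> server) is the key. Reply records
    are reversed so both directions map onto the same key, then the set of
    firewalls that saw the SYN is compared with the set that saw replies.
    """
    syn_seen = defaultdict(set)    # forward key -> firewalls that logged the SYN
    reply_seen = defaultdict(set)  # forward key -> firewalls that logged a reply
    for fw, sip, sport, dip, dport, proto, flags in records:
        if proto != "tcp":
            continue
        if _is_syn(flags):
            syn_seen[(sip, sport, dip, dport)].add(fw)
        elif _is_reply(flags):
            # Reverse the tuple so the reply is indexed by the forward direction
            reply_seen[(dip, dport, sip, sport)].add(fw)

    findings = []
    for key, reply_fws in sorted(reply_seen.items()):
        syn_fws = syn_seen.get(key, set())
        if not syn_fws:
            status = "reply_without_syn"
        elif reply_fws - syn_fws:
            # At least one firewall saw replies without ever seeing the SYN
            status = "asymmetric"
        else:
            continue  # same firewall(s) saw both directions: nothing to report
        findings.append({
            "flow": key,
            "syn_on": sorted(syn_fws),
            "reply_on": sorted(reply_fws),
            "status": status,
        })
    return findings


def summarize(records):
    """Count findings per status so a route change can be judged by its effect."""
    counts = defaultdict(int)
    for finding in find_asymmetric_flows(records):
        counts[finding["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in find_asymmetric_flows(SAMPLE_RECORDS):
        client_ip, client_port, server_ip, server_port = finding["flow"]
        print(f"{finding['status']:18} {client_ip}:{client_port} -> "
              f"{server_ip}:{server_port}  SYN on {finding['syn_on']}  "
              f"reply on {finding['reply_on']}")
    print(summarize(SAMPLE_RECORDS))
```

Running this against logs exported from both transit firewalls over the same window gives a before/after measure: if the BGP or MEP change works, the `asymmetric` count should drop to zero while the symmetric flows are simply not reported.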