We have two Checkpoint clusters at different data centers. We had a VAR come in and design a solution for SSL VPN to use a cluster that is spread out between the two data centers. So the real answer is to have a better design or consolidate the ClusterXL boxes to be in one cluster rather than two; however, the business does not like these ideas.
So in short, we now have four Checkpoints and two SSL VPN boxes. Since the SSL VPN boxes share state between data centers but the Checkpoints only share state with the geographically similar boxes, we have issues where the ARP entry changes and causes the default route to flip from data center to data center on the Checkpoints. We can force the ARP entry to be static to each location, but that would still require manual intervention in the case of a failover. What I would like to do is have a VIP (VRRP) on the cross-campus interface of the Checkpoint clusters and then have the SSL VPN use that for its default gateway. The question is: can you set up VRRP between two Checkpoint clusters (four devices) already using ClusterXL?
Looking at the guides online, all I see that alludes to this is the comment "On Gaia, VRRP can be used with and without ClusterXL enabled."
Also, if this can be done, what are the issues of doing something like this, as I know it's not good design practice?