This question has come up on the community previously about how to have a Remote Access VPN configured so the tunnel is "always up" before the user is logged in.
The answer is to use Machine Authentication, which provides a certificate-based authentication mechanism not tied to a specific user.
This requires R80.40 and above.
To have a user-specific tunnel when a user is logged into the same machine, you have to configure multiple authentication schemes (Machine and User Authentication).
The user-specific VPN will replace the machine-specific VPN tunnel when the user is logged in.
Refer to: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...