cjames88
Explorer

Harmony SASE wireguard connector failing after ISP Failover

I'm wondering if anyone else has encountered this, as it's an issue we've battled from day 1. Our main site has multiple ISPs without BGP, so each ISP has a unique public IP range. Any time we've had an event that caused an ISP failover we've had to completely destroy and redeploy our WireGuard connector. We've escalated to support and they don't seem to know why this happens.

0 Kudos
15 Replies
the_rock
MVP Diamond

I remember doing this in a PoC and it turned out that the server hosting the connector had to have a public IP, so once you give it a specific one, if there is an ISP failover, it won't work. We ended up giving it 0.0.0.0 and that fixed the issue.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
cjames88
Explorer

Our connectors are set up as 0.0.0.0 and we are still having the issue. I'd love to move to IPsec, but the lack of support for overlapping subnets is a killer right now.

0 Kudos
the_rock
MVP Diamond

Yeah, with overlapping domains, I think it would be pointless to even use a route based tunnel with empty groups, as that probably would not solve the issue, regardless of whether VTIs are numbered or unnumbered, as that's more relevant for BGP.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
cjames88
Explorer

We can't even try route based VPNs since, despite asking multiple times, we have been unsuccessful in getting additional gateway licenses. I think enhanced network would fix our issues, but I can't get access to that either.

0 Kudos
the_rock
MVP Diamond

Yep, 100% that would fix the issue. I wish I could help you with licensing, but it's totally different than regular FW evals. I'm fairly familiar with route based tunnels, even built a few through SASE itself, but the licensing side sadly is not my forte, apologies.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
cjames88
Explorer

From what I can read I'm not sure it will. We have a Check Point firewall cluster at the main site with 5 ISPs (we are an electric utility and in the middle of nowhere, so we have frequent ISP failures). Of course, without the licensing we can't test. I swear it's starting to feel like Check Point doesn't actually want us as a customer.

0 Kudos
the_rock
MVP Diamond

Feel free to message me directly and just give me a breakdown of the issue. We deal with an awesome guy from the SASE team, he is super smart and I'm sure he would be able to give some insight.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
D_TK
Advisor

I've put in a SASE RFE to add a Quantum-like community "link selection" feature into the tunnel config. We have the same issue and we use IPsec. Whenever we know that we've had a link transition on the gateway side, we go into SASE and change that tunnel to the secondary link VIP.

0 Kudos
cjames88
Explorer

From what I can tell that's really the only option. In my opinion, for what we are paying overall, that is absolutely unacceptable. It's looking, at this point, like our only option is to look at alternatives. It's a shame because Harmony SASE has some really nice features, but those are worthless if you can't keep your on-prem resources connected.

0 Kudos
the_rock
MVP Diamond

I am still waiting on TAM to respond, stand by.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
D_TK
Advisor

Yep, I agree that it's totally unacceptable considering that on the Quantum side, link selection, dead peer detection and ISP redundancy are handled perfectly. Hopefully my RFE will be taken seriously.

0 Kudos
cjames88
Explorer

I'm not counting on it. So far we've struggled to get our account team or support to understand why this is an issue. So far the answer we've gotten is "it's easy to set up a WireGuard connector". Sure, if you have a team on site 24/7/365. We are a 2 person shop; I don't have someone sitting and waiting for this to break so they can build a new connector.

0 Kudos
cjames88
Explorer

Well, after much back and forth it seems there is no good solution for this with Harmony SASE. I don't think I've ever seen a product this limiting.

0 Kudos
rlopes
Employee

Please DM me with your support ticket details. What you are describing regarding not getting support or licensing to test alternatives makes no sense to me. Also, configuring the Connector with Endpoint = 0.0.0.0 should fix the issue you're describing; it's a known workaround.

0 Kudos
cjames88
Explorer

I'll have to get that information tomorrow. Basically we've been told that if the public IP the traffic originates from changes, it will at minimum require a connector reboot. Since most of our ISP failures happen outside normal business hours, that requires me to drop what I'm doing and make a site visit. We can typically count on about an issue a month.

0 Kudos
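The recurring pain in this thread is that the tunnel dies silently after an ISP failover and someone has to notice before anyone drives to the site. The following is an added monitoring example, not code from Check Point or from anyone in the thread; it assumes the connector host is a Linux box running stock WireGuard (so `wg show all dump` is available) and that the operator supplies the current egress IP. It flags peers whose last handshake is stale and distinguishes the case where the site's public IP has changed since the last check, which is the failure mode described above.

```python
"""Detect a stale WireGuard tunnel after an upstream public IP change.

Assumption (not from the thread): the connector runs as standard WireGuard on
Linux, so `wg show all dump` is available. Endpoint/IP values below are
constructed sample data.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# WireGuard re-handshakes about every 2 minutes while traffic flows;
# anything older than this is treated as a dead tunnel.
STALE_AFTER = 180


@dataclass
class Peer:
    iface: str
    endpoint: str
    latest_handshake: int  # epoch seconds, 0 = never handshaked


def parse_wg_dump(dump: str) -> list[Peer]:
    """Parse `wg show all dump` output (tab-separated).

    Interface lines carry 5 fields and are skipped; peer lines carry 9:
    iface, pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
    """
    peers = []
    for line in dump.splitlines():
        fields = line.split("\t")
        if len(fields) != 9:
            continue
        peers.append(Peer(fields[0], fields[3], int(fields[5])))
    return peers


def stale_peers(peers: list[Peer], now: int, stale_after: int = STALE_AFTER) -> list[Peer]:
    return [p for p in peers if now - p.latest_handshake > stale_after]


def assess(dump: str, now: int, last_ip: Optional[str], current_ip: str) -> str:
    """Return 'ok', 'stale', or 'stale-after-ip-change' for alerting."""
    if not stale_peers(parse_wg_dump(dump), now):
        return "ok"
    ip_changed = last_ip is not None and last_ip != current_ip
    return "stale-after-ip-change" if ip_changed else "stale"


# Constructed sample dump: one interface line, one peer that last handshaked at t=1700000000.
SAMPLE_DUMP = (
    "wg0\tPRIVKEY\tPUBKEY\t51820\toff\n"
    "wg0\tPEERKEY\t(none)\t203.0.113.10:51820\t10.0.0.0/8\t1700000000\t1024\t2048\t25\n"
)

if __name__ == "__main__":
    import time
    live = subprocess.run(["wg", "show", "all", "dump"], capture_output=True, text=True).stdout
    print(assess(live, int(time.time()), None, "unknown"))
```

A cron job that records the previous egress IP and emits `stale-after-ip-change` gives the on-call engineer a concrete alert (and a reason) instead of a user report, and is the natural trigger for the connector reboot mentioned above.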