YES additional layer of checkpoint behind fortigate. But fortigate has vip and vpns configured. Is there a way of configuring the checkpoint for just filtering and the vips and vpn works on the fortigate.

Actually, bridge mode would be the most reasonable way to approach this, as it will help you avoid massive network changes. Why don't you want to use it, then?

With that there is the drawback that the Check Point firewall will be blissfully unaware of what ever threath is lurking inside the VPN traffic.

So apart from good sales figures and crossing the "Different vendor firewalls in cascade" tickbox I don't understand the added value here. It does not add real security to the design.

Adding Check Point in any mode will improve security. But I understand your point, it seems too be too complex this way.

Yes complex but customer wants this setup for additional protection.

Then explain to the customer that bridge mode is best here 8) Or suggest to pay for CP Professional Services to make this setup work without issues...

YES bridge mode is the best approach but customer wants this setup instead. And they are ready for any network changes. Can you suggest the best approach for this set.

So you need to add a different default route to your internal network pointing to CP, while CP GW will have Forti as a DG. A networking exercise, starting from the drawing board.

Routing is not a problem  but the vips on the fortigate will it work with CP in place without any config changes??.

The internal traffic is cleartext. VPN tunnels are terminated on Forti. The domain has not changed. It is essentially a Forti question, but I don't see a reason for VPNs to fail after an internal routing change

OK noted. what about the vips do we have to do natting on CP ??.

Not sure what relevance the VIPs have on the Check Point configuration except maybe as a default route.
Assuming the networking is set up correctly, it should not be required to perform any NAT on the Check Point device.