israelfds95
MVP Gold

This is good. Last year I executed a project using route-based VPN, BGP over MPLS and 4G LTE, and Check Point SD-WAN (but all Check Point gateways on the same on-prem SMS). From a Check Point perspective, the cleanest way to replicate this behavior is to move to a fully route-based VPN.

The cleaner design is to run BGP over the route-based VPN as well, using it as a backup path. This avoids static routes entirely and gives you predictable failover and convergence, very similar to (or better than) what ASA provides today.

Policy-based VPN doesn't work very well for this scenario on Check Point, but reproducing this kind of routing-driven failover is much more reliable with route-based VPN on Check Point. So you create a complete route-based configuration on Check Point using empty groups in the community, tunnel management per gateway, and VTIs. Configure BGP and route redistribution; you can set a static route pointing to the VTI and adjust the ranks (it's good to review the Gaia Advanced Routing Administration Guide > Default Protocol Ranks, which lists all the ranks).

For BGP on Check Point you need to create a network rule enabling BGP, and the same goes for OSPF. sk39960 describes the correct rules to enable BGP on Check Point: "sk39960 - How to allow Dynamic Routing protocols traffic (OSPF, BGP, PIM, RIP, IGRP) through Check Point Security Gateway".

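A worked Gaia clish configuration for the route-based design described in the answer above (numbered VTI, eBGP over the tunnel, route redistribution, and a static fallback ranked below BGP). This is an added illustration, not configuration from the original post or from Check Point. The tunnel addresses, AS numbers, the LAN interface name eth1, the peer object name asa-peer, and the prefix 192.168.100.0/24 are constructed assumptions. The encryption domain (empty group in the community) and per-gateway tunnel management are set in SmartConsole, not in clish, and the BGP rule from sk39960 still has to exist in the access policy or the session never comes up. Check the exact command syntax against the Gaia Advanced Routing Administration Guide for your release before pasting it in.

```clish
# Constructed addressing for this example (assumptions, not from the post):
#   local tunnel IP 10.255.0.1, peer tunnel IP 10.255.0.2 (a /30)
#   local AS 65001, peer AS 65002
#   "asa-peer" must match the VPN peer object name in SmartConsole

# 1. Numbered VTI to the peer; Gaia exposes it as interface vpnt1
add vpn tunnel 1 type numbered local 10.255.0.1 remote 10.255.0.2 peer asa-peer

# 2. eBGP across the VTI. Short timers so the backup path converges quickly
set router-id 10.255.0.1
set as 65001
set bgp external remote-as 65002 on
set bgp external remote-as 65002 peer 10.255.0.2 on
set bgp external remote-as 65002 peer 10.255.0.2 holdtime 30
set bgp external remote-as 65002 peer 10.255.0.2 keepalive 10

# 3. Inbound route filter: Gaia installs nothing learned from a BGP peer
#    until a policy accepts it (policy number 512 is an arbitrary choice)
set inbound-route-filter bgp-policy 512 based-on-as as 65002 on
set inbound-route-filter bgp-policy 512 accept-all-ipv4

# 4. Redistribute the LAN behind eth1 so the peer learns it over the tunnel
set route-redistribution to bgp-as 65002 from interface eth1 on

# 5. Static fallback through the VTI. Default ranks are static 60 and BGP 170,
#    so raise the static rank above 170 or it would win over the BGP route
set static-route 192.168.100.0/24 nexthop gateway logical vpnt1 on
set static-route 192.168.100.0/24 rank 200

save config
```

With the ranks set this way the BGP route over the tunnel is installed while the session is up, and the static route through vpnt1 takes over only if BGP drops; verify with `show route` and `show bgp peers` after the policy with the sk39960 rule is installed.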