Is it mandatory to configure the gateway as an MTA for Threat Extraction to work? Also, do we have to change the MX record?
Yes, the Gateway must be set up as an MTA so it can see & control the delivery of all mail as it gets scanned.
Depending on how you have your email delivery configured, you may not have to change MX records. For example, you could leave your existing Internet-facing MTA where it is and insert your Threat Extraction Gateway in-between the public MTA and your Internal mail server. If you did it this way, you'd only have to change where the public MTA forwards mail inside and make sure your e-mail server is configured to accept mail from the Check Point Gateway.
I have an MTA in a DMZ segment connected to the Check Point.
I have not changed the MX record to the Check Point.
The challenge with my deployment was that I was not getting any traffic hitting the Threat Extraction blade in the logs.
If you already have a separate MTA in a DMZ, I would send the SMTP traffic from that MTA to the Check Point and then have the Check Point Gateway relay it back inside to your mail server. The other benefit of this method is that you won't have to mess with moving any certificates you may have in place on your current MTA for TLS. You also don't have to wait for Internet DNS to propagate when you change MX records. The fallback procedure is a lot cleaner if you need to revert to your old design.