The problem that we’ve experienced at times is that $FWDIR/bin/cpisp_update sets both ISP's dynamic-objects set to 0.0.0.0 0.0.0.0, making none of the dynamic objects active in NAT rules. This happened multiple times, to the extent that we had to provide the client instructions on how to re-run the script. Since then we only use the "hide behind the gateway" option to avoid using explicit dynamic object. Now that we need to use different PAT addresses for guest, we opened a case for updates, but we were told the ISP redundancy hasn't changed much. TAC recommended the 'hide behind the gateway' option which can't be used in this case. Also, the Check Point ISP redundancy manual doesn't mention dynamic objects, so we were wondering whether dynamic object is not recommended. We asked TAC at the time whether there was any plan to implement NAT bound to the interface instead of globally, but were told that there was no such plan.