Re: ISP Redundancy and routed public networks

In ISP Redundancy, all outbound Static NAT traffic will go down the primary ISP link, whether set to use Load Balancing or Primary and Backup. Your DG should be set up on the Primary ISP link. This is actually documented in the knowledgebase as a known issue; look it up under ISP Redundancy Static NAT. I believe Check Point classes this as a design choice, not a fault as such.

I don't think that your existing setup is necessarily suited to Check Point ISP Redundancy as it currently is, due to the way that Check Point works. Normally what you would have is that the DNS points to a DNS Server located in your DMZ, so that all DNS requests for your domain go through the Check Point gateway. The Check Point gateway then intercepts the DNS lookup for A records and responds with either an IP address from ISP-1 or ISP-2, depending upon how you configure the ISP Redundancy. Other DNS lookups such as MX will be passed through the Check Point onto the DNS Server, which will need to respond.

The traffic then arrives on ISP-1 or ISP-2 and is then NATted through to the DMZ. Effectively each publicly accessible server is NATted behind two IP addresses, depending upon which ISP link the connection comes in on.

For outbound, you also need to create Static NATs for each Server for going out via both ISP links, but effectively all of the traffic will go through ISP-1. Hide NAT will need to be done using the AutoNAT with the option set to Hide Behind Gateway, so that the traffic leaves with the address of the gateway interface that the traffic leaves on.

You will need to NAT rather than Route traffic through the firewalls.
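The following is an added model of the design the reply describes, written for this page; it is not Check Point code and does not reproduce the product's real behaviour beyond what the post states. The hostnames, the RFC 5737 documentation addresses, the DMZ private addresses, the `DMZ_DNS_SERVER` value and the fallback of outbound traffic to the surviving link when the primary is down are all constructed assumptions. It shows the three pieces the post separates: A-record interception that answers with an ISP-1 or ISP-2 address depending on the redundancy mode and link state (other record types pass through to the DMZ DNS server), inbound Static NAT from either public address to the one DMZ host, and outbound Static/Hide NAT that always egresses the primary link while it is up.

```python
"""Model of DNS-based Check Point ISP Redundancy as described in the reply.
Constructed illustration only; addresses are RFC 5737 documentation ranges."""

# Constructed topology: each DMZ server has one public address per ISP link.
PUBLIC_ADDRESSES = {
    "www.example.com":  {"ISP-1": "198.51.100.10", "ISP-2": "203.0.113.10"},
    "mail.example.com": {"ISP-1": "198.51.100.25", "ISP-2": "203.0.113.25"},
}
DMZ_ADDRESSES = {"www.example.com": "10.10.0.10", "mail.example.com": "10.10.0.25"}
GATEWAY_INTERFACES = {"ISP-1": "198.51.100.1", "ISP-2": "203.0.113.1"}  # assumed
DMZ_DNS_SERVER = "10.10.0.53"            # assumed authoritative server in the DMZ
ISP_ORDER = ("ISP-1", "ISP-2")           # ISP-1 is the primary link


def live_links(link_up):
    """Links reported up by link monitoring, in primary-first order."""
    return [isp for isp in ISP_ORDER if link_up.get(isp, False)]


def answer_a_query(hostname, mode, link_up, rr_counter=0):
    """Public addresses the gateway answers for an intercepted A query.
    primary_backup: answer only with the primary link's address while it is up.
    load_sharing:   alternate across the live links using rr_counter.
    Returns [] for an unknown host or when no link is up."""
    if hostname not in PUBLIC_ADDRESSES:
        return []
    live = live_links(link_up)
    if not live:
        return []
    if mode == "primary_backup":
        chosen = live[0]
    elif mode == "load_sharing":
        chosen = live[rr_counter % len(live)]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [PUBLIC_ADDRESSES[hostname][chosen]]


def handle_query(hostname, qtype, mode, link_up, rr_counter=0):
    """Only A lookups are intercepted; MX and everything else pass through
    to the DMZ DNS server, which must answer them itself."""
    if qtype == "A":
        return ("intercepted", answer_a_query(hostname, mode, link_up, rr_counter))
    return ("passthrough", DMZ_DNS_SERVER)


def inbound_static_nat(dst_public_ip):
    """Translate an inbound destination arriving on either ISP's address
    to the single DMZ host behind both. None if no Static NAT matches."""
    for hostname, per_isp in PUBLIC_ADDRESSES.items():
        if dst_public_ip in per_isp.values():
            return DMZ_ADDRESSES[hostname]
    return None


def outbound_nat(src_private_ip, link_up):
    """Egress link and translated source for outbound traffic.
    Servers with a Static NAT keep their own public address; other hosts are
    hidden behind the gateway interface of the egress link. All traffic uses
    the primary link while it is up (the known issue the post describes);
    falling back to the next live link when it is down is an assumption here."""
    live = live_links(link_up)
    if not live:
        return None
    egress = live[0]
    for hostname, dmz_ip in DMZ_ADDRESSES.items():
        if dmz_ip == src_private_ip:
            return (egress, PUBLIC_ADDRESSES[hostname][egress])
    return (egress, GATEWAY_INTERFACES[egress])


if __name__ == "__main__":
    both_up = {"ISP-1": True, "ISP-2": True}
    print(handle_query("www.example.com", "A", "primary_backup", both_up))
    print(handle_query("www.example.com", "A", "load_sharing", both_up, rr_counter=1))
    print(handle_query("mail.example.com", "MX", "primary_backup", both_up))
    print(inbound_static_nat("203.0.113.25"), outbound_nat("10.20.0.5", both_up))
```

Running it with both links up shows the asymmetry the reply points out: inbound connections land on whichever ISP address the client resolved, while every outbound flow, Static or Hide NAT, leaves via ISP-1 with an ISP-1 source address.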