[ChrisA]

We are running CheckPoint NGX HFA02 on IPSO 3.9. Currently we use only static routes.

We have a dedicated TLS (using Cisco routers, also with static routes) to another company, and we would like to provide an automatic failover to a site-to-site VPN connection through the Internet. We have the VPN definitions in place and they have been tested. I've disabled the Encrypt rules so that the tunnel does not start. I have a separate set of Accept rules for the normal TLS traffic.

Is it possible to provide an automatic failover from the TLS connection to a VPN tunnel, and if so, how can this be done? I'm thinking we need to configure dynamic routing on both the f/w and the routers, but I'm not sure of all I need to do, or if it's even possible. Any advice/guidance would be appreciated. Thank you.