Thank you so much for the quick response.

I had found some reading on it last week and in fact did find that it was configurable by enabling fhrp version vrrp v3 but again not sure I am going the right way. I had also read on the PBR and I have a meeting with our Firewall Vendor tech support tomorrow.

This is what I have in my switch so far and I thought I could put an IP on another VLAN and complete the VRRP config from there???

fhrp version vrrp v3

interface Vlan199
ip address xxx.xxx.xxx.251 255.255.255.0
vrrp 1 address-family ipv4
exit-vrrp

I would have loved that solution with an ASR but turns out it will take over 9 months to get one probably. That was my first suggestion until I got quotes back and all said no less than 6 to 9 month lead time. The problem with the ISP routers is they are completely managed by the separate ISP and they do not like to play nice together so we would need to bring both circuits into an ASR and do a Virtual IP. Again this was my first solution of choice smh.

Sorry the CAT 9200 is our managed switch where we can terminate both ISP but then go to the firewall.

Currently both ISP go directly to the Firewall and the firewall supports ISP redundancy out of the box but does not support SIC failover on those ISP links to the other Firewalls in the WAN. So if the ISP that has SIC going over it fails we still have internet locally but all the outlying sites have nothing.

how is your failover working now ?  what Checkpoint version is this ? R80 ?

how about return traffic failover ?

That's just it the failover is not working today. It is Checkpoint R80 and when the main ISP fails we have internet here in our office only but no SIC or internet at the other sites because they get internet though us via the SIC link.

but no SIC or internet at the other sites because they get internet though us via the SIC link.

Can you explain what is SIC Link ? (you mean Manange CP FW using Management ?) 0r i miunderstood this ?

Couple quesiton that can be fixed if understand your setup :

1. Right side FW (INET for all sites)  means that FW using to connect to internet, that is Main site.

2. ISP A and ISP B is the MPLS Links or Internet Links ?

3. Remote FW and FW  have VPN ?

4. CLOUD ? what you mean Cloud ( is this hosted any AWS ? or any other ?)

Can you make some traffic flow and descriptions so we (as community can offer some solution to fix)

Can you explain what is SIC Link ? (you mean Manange CP FW using Management ?) 0r i miunderstood this ?   SIC is Secure Internal Communication link which makes all traffic flow between firewalls and we have no local internet running at the remote sites. They pull their internet from our site ISP A at the time.

Couple quesiton that can be fixed if understand your setup :

1. Right side FW (INET for all sites) means that FW using to connect to internet, that is Main site. Yes that is the main site but ISP A has to be up for the remote sites to establish SIC and connect to the internet.

2. ISP A and ISP B is the MPLS Links or Internet Links ? ISP A and B are straight Ethernet IP links directly to the internet.

3. Remote FW and FW have VPN ?

4. CLOUD ? what you mean Cloud ( is this hosted any AWS ? or any other ?) Cloud is meaning the internet itself. Each remote site has an Ethernet IP internet circuit but the firewall requires the SIC connection to our main firewall for them to pull internet and internal traffic from us.

Can you make some traffic flow and descriptions so we (as community can offer some solution to fix)