Question about VPN with Cisco and Check point

tanner.zaitt
Level 3

Hi, directly to the question:
The topology is standard, an extended star topology at the switching level.
Routers and firewalls are a little complicated for redundancy and high availability.

For me the interesting part is the configuration of VPN in the Check Point firewalls.
Forget that the firewall is not Cisco; my question is fundamental.

When we define the network subnet for VPN, for external users, is it necessary to define, for example, vlan 200 in the firewall and vlan 200 in the core switches?

This is complete nonsense to me after thinking about it. I am strong in switching, but firewalls are new for me and I need your help to clarify details and concepts.

I think in the firewall we define only the L3 IP address of our VPN subnet; for example, if our subnet is 10.10.10.0/24 for VPN external clients, we define 10.10.10.1/24 in the firewall.
And so we define the routing between the internal subnets and our VPN subnet, and so on.


In the firewall we do not define a VLAN.
In the firewall we just define the DHCP relay or helper and the static IP of the VPN subnet.
The IP is 10.10.10.1/24 for the VPN subnet; the DHCP server has IP 10.10.20.99/24.
The DHCP server contains the DHCP scope for subnet 10.10.10.0/24 with range 10.10.10.100-10.10.10.254 and GW 10.10.10.1/24.
Our DHCP server has an IP from a different subnet than our internal network, but the routing between our VPN network and all internal networks is provided at layer 3 between routers, firewalls and core switches with L2/L3 roles, inter-VLAN routing and static or dynamic routes :).
In the switches we do not define a VLAN?

This is my big question:
In the switches, do we not define a VLAN?
And in the firewall, for our VPN subnet?



Now I see the working topology.

And when I try to check vlan 200 for VPN, I didn't see MAC addresses.

But the clients are connected to the VPN server of the firewall, they receive their IP address from the DHCP server, and everything is okay.

2 Accepted Solutions

Hi @tanner.zaitt 

No, you don't need to define the VLANs on the firewall; you just need to route the traffic to the firewall. Then, when using a policy-based VPN, you need to define the interesting traffic (host or subnet) which should be encrypted in an ACL; this needs to be mirrored on the peer. Alternatively, if you use a route-based VPN, then you need either a static route or a dynamic routing protocol.

 

HTH

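The requirement above that a policy-based VPN's crypto ACL be mirrored on the peer is easy to break with a single wildcard bit, and the symptom (some flows silently never matching the tunnel on one side) is hard to spot by eye. The checker below is an added example, not code from this thread or from Cisco or Check Point: it parses two Cisco-style extended ACLs (`permit ip` entries with wildcard masks, `host` and `any`) and reports every local entry whose source/destination swap is absent on the peer, and every peer entry with no local counterpart. The VPN client pool 10.10.10.0/24 and the DHCP server 10.10.20.99 are the addresses from the question; the branch LAN 192.168.50.0/24, the ACL names and the deliberate /25 mismatch in the second peer ACL are constructed for the example.

```python
"""Verify that two peers' policy-based VPN crypto ACLs are mirror images.

Added example, not from the thread. Parses Cisco-style 'permit ip' entries
(wildcard masks, 'host', 'any') and reports local entries whose reversed
form is missing on the peer, plus peer entries with no local counterpart.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One crypto ACL entry: traffic from src to dst is interesting traffic."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "Entry":
        # The peer must list the same flow with source and destination swapped.
        return Entry(self.dst, self.src)

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


def _take_target(tokens: list) -> tuple:
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is an inverted subnet mask: 0.0.0.255 means /24.
    # Inverting it explicitly avoids the netmask/hostmask ambiguity of
    # 0.0.0.0 and 255.255.255.255; a non-contiguous wildcard makes
    # IPv4Network raise ValueError, which is the right outcome.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_crypto_acl(text: str) -> set:
    """Return the set of Entry objects for every 'permit ip' line in the ACL.

    Header, remark, deny and blank lines are ignored: only permits define
    which traffic is sent through the tunnel.
    """
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        src, rest = _take_target(tokens[2:])
        dst, rest = _take_target(rest)
        if rest:
            raise ValueError(f"unexpected trailing tokens in ACE: {line!r}")
        entries.add(Entry(src, dst))
    return entries


def check_mirror(local_acl: str, peer_acl: str) -> dict:
    """Compare a local crypto ACL with the peer's and report the differences."""
    expected_on_peer = {e.mirror() for e in parse_crypto_acl(local_acl)}
    actual_on_peer = parse_crypto_acl(peer_acl)
    return {
        "mirrored": expected_on_peer == actual_on_peer,
        "missing_on_peer": sorted(str(e) for e in expected_on_peer - actual_on_peer),
        "extra_on_peer": sorted(str(e) for e in actual_on_peer - expected_on_peer),
    }


# Constructed sample: 10.10.10.0/24 (VPN client pool) and 10.10.20.99 (DHCP
# server) come from the question; the branch LAN 192.168.50.0/24 and the ACL
# names are made up for this example.
LOCAL_ACL = """\
ip access-list extended VPN-TO-BRANCH
 remark interesting traffic from HQ towards the branch
 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip host 10.10.20.99 192.168.50.0 0.0.0.255
"""

# Correct mirror: every flow reversed.
PEER_ACL_GOOD = """\
ip access-list extended BRANCH-TO-HQ
 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 host 10.10.20.99
"""

# Typical mistake: the peer typed 0.0.0.127 (a /25) for the client pool, so
# half of the VPN clients' traffic would never match the tunnel on that side.
PEER_ACL_BAD = """\
ip access-list extended BRANCH-TO-HQ
 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.127
 permit ip 192.168.50.0 0.0.0.255 host 10.10.20.99
"""

if __name__ == "__main__":
    for name, peer in (("good peer", PEER_ACL_GOOD), ("bad peer", PEER_ACL_BAD)):
        print(name, check_mirror(LOCAL_ACL, peer))
```

Running it prints a clean result for the first peer and, for the second, lists `192.168.50.0/24 -> 10.10.10.0/24` as missing on the peer and `192.168.50.0/24 -> 10.10.10.0/25` as extra, which is exactly the mismatch a phase 2 proposal would later fail on. The comparison is on exact network equality on purpose: a peer entry that merely overlaps the expected one is still a mismatch for policy-based tunnels.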

balaji.bandi
Hall of Fame

The FW doesn't understand any VLAN; it requires knowing which source IP address is talking to which destination, and the other side requires the same, so they can enable communication.

 

How you route the traffic to the end device (an internal static route or IGP from the firewall to your end device) is your own model.

 

BB


3 Replies


tanner.zaitt
Level 3

Hi Rob Ingram,
Hi Balaji Bandi,

Thank you for your attention and answers, I appreciate it.

I don't know too much about how Check Point works.
I don't have access to the firewalls to check how exactly the communication works.

I just know of two VLANs dedicated specially to the firewalls, but only at the core switching level, and I think they are related to L3 interfaces in the firewalls to provide gateways for special servers with security purposes and nothing more.

And for me it is not really necessary in this situation to create a VLAN for VPN clients.
I think routing here provides communication between all networks.