When configuring a Branch Office Virtual Private Network Virtual Interface (BOVPN VI) with multiple Phase 1 Gateways, it is important to understand one method to force this tunnel to failover to the other gateway should the first one become unreachable. This can be configured by utilizing Software-Defined Wide Area Network (SD-WAN) actions. SD-WAN actions take their place at the policy level, and will test the external interfaces on the Firebox against the configured metrics within the action.
This policy level configuration can be as granular or as broad as the network engineer of the Firebox sees fit. You could recreate the BOVPN-Allow policies that are created by default, and then add the SD-WAN actions to that policy. This would encompass all of the traffic that passes through this BOVPN VI, and failover the gateways based on the metrics set in the SD-WAN action. Another option would be to configure policies for specific ports & protocols, and place those above the BOVPN-Allow policies in policy precedence. That way, the traffic that is most important would be able to failover and use both Phase 1 Gateway IP’s.