Site-to-site IPsec tunnels can be configured for failover in environments that have more than one WAN. If a WAN carrying an active IPsec tunnel goes down, NGFW will automatically switch to another available WAN and attempt to reconnect the tunnel.
In addition to IPsec, this configuration requires the WAN Failover app. For details on setting up WAN Failover tests, please refer to this article: How do I configure a WAN Failover test?
IPsec Tunnel Configuration
In Apps > IPsec VPN > IPsec Tunnels, create or edit the tunnel you would like to use with failover. Locate the Interface drop-down and choose "Active WAN".
You will notice the Local Address attribute changes to the first available WAN interface configured in your NGFW. (Typically, this will be the lowest-numbered WAN, eth0.)
Click Done, then Save to apply the change. You may experience a brief interruption in tunnel connectivity.