Wouldn't the Z3 connect using Site-to-site VPN Non-Meraki VPN peers with your Checkpoint using its static IP? The IP of the Z3 wouldn't really matter since it'll be reaching out to the Checkpoint to establish the tunnel. Unless you need something on the Checkpoint side.
Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO If this was helpful click the Kudo button below If my reply solved your issue, please mark it as a solution.
Yes, with Checkpoint FW (R77) we cannot use site to site VPN with dynamic ip, at least with using certificate - which is not feasible with Meraki Z. We will investigate to purchase additional MX as suggested.
In resume, if I am not wrong
-Goal is deploy Z3 on remote site (home running xDSL and dynamic ip), so we can connect softphone or physical poe phone (as teleworker gateway)
-Purchase new MX on HQ and use MX as VPN concentrator
-Traffic arriving from MX will be inspected by our Checkpoint FW before accessing the LAN