@viragomann thanks for the suggestions. Masquerading could work, I see.
I will not be trying this only because I found a workaround that suits what I needed, even if it's not a solution that would apply to everyone. For information to other forum members: I disabled the monitoring of the public IP gateway, so now it is considered always up. I made a gateway group with the private and public IP gateways, and configured private as tier 1 and public as tier 2. Then I made this gateway group the default gateway of the firewall. Now thing work as I had planned: if the upper level firewall is connected to LAN4, it becomes the gateway. If it is disconnected and the ISP router is connected to LAN4 instead, the router becomes the gateway.
The use of the "physical" IP only occurs for the monitoring ping. When routing packets to the public IP gateway, the firewall uses the virtual IP and everything works just fine.