Correct.  It can only be configured via Powershell - which is what the web page creates for you. ... View more

Independent of your topology failovers will happen in two scenario's. 1) Both WAN's are down in the primary (in this case the primary MX will send a VRRP message that excludes the primary firewall as active forwarder). 2) The spare unit no longer gets any VRRP messages from the primary.  ( if the active firewall is still there then you will have an active active scenario with instability as effect ). ... View more

Access VLANs are fine, you just usually cannot trunk VLANs over an unmanaged switch. ... View more

You don't have to have Duo.  You can use any Idp that supports geographic restrictions.  Another example is AzureAD/EntraID with an appropriate licence for conditional access.   I'm just giving you what is required to do what you have asked.  You need to buy all the appropriate bits of the solution for it to work.  Buying only some of the bits ... well that just wont work. ... View more

Yes exactly that.   Reserved IP is taking those IP addresses out of the DHCP scope. ... View more

Yes, all the traffic will go through spare MX ... View more