Bear in mind that, for the majority of flows, recent MX firmware does block traffic through a new rule, pretty much immediately.  In my experience it's only ICMP that needs to age / be removed from current flow tables to function.   So if you don't use ping as your test, you'll probably find that traffic fails straight away. ... View more

Workload Peering       vMX//Firewall Peering   If you want the full pictures happy to PM them to you ... View more