>- When a failover occurs a GARP is not sent for the 1:1 NATs therefore in the case of a failover anything that uses our 1:1's stop working I haven't run into this issue before. I'm guessing whatever upstream device you are using is requiring this. >- The hit counters on the firewall rules don't work. I have verified this and also have confirmation from tech support. Agreed. >Client VPN. There isn't a way to apply different rules to users since you can't assign a static IP to a VPN client and the MAC address is not registered on the firewall so you can't apply a group policy to it. Negative. I do this all the time. You get the user to VPN in once (I typically do it myself the first time to test everything is working and they are getting the correct access), and then apply the group policy to that connection. The group policy is applied against the user, not any MAC address in this case. Then you use group policy firewall rules to control what they can access. >No way to positively verify that firewalls rules are working as intended. Agreed. I wish this was better. >Failover order doesn't make sense. At least not to me. I guess this is a matter of perception. The idea is that the warm spare does not kick in unless the primary unit has failed. That can either occur because the physical unit has failed, or it has lost all connectivity to the Internet. Typically you connect your primary circuit to both MX units, but this does require a routed /29. In your case, you should plug your two best circuits into your primary MX, and your backup circuit into the warm spare. Ageed - they are difficult to use a DC style environment. They have a particular vertical feature set, and they work great in that vertical. Once you start going outside of that things get tough or you have to make compromises.
... View more