I've been a member for years, but I don't think I've ever posted a question. I'm experienced with Juniper SSG firewalls and now I need to implement some SRX210s and 220s. I'm still learning JunOS and need some help validating a configuration I want to place at a small site.
I'm trying to get it right the first time, but I can't create a dual-WAN network in my main office lab, so I have only been able to test one leg, which works fine. I don't have access to the site after hours, so I need to install it during working hours and don't want to be troubleshooting too much on the fly.
My goal is to have ISP2 be a standby. I want fail-over to occur not just if the link goes down, but if I cannot reach a reliable IP address on the Internet (my example uses 18.104.22.168 for now). Then I want to fail back when the probe succeeds on ISP1. In addition, I will be creating site-to-site VPN tunnels with other SRXs soon after, so my dual-WAN config needs to support that.
The configuration I came up with is a conglomeration of examples I've found searching online. It uses separate routing instances and security zones for each ISP. I've attached a generic diagram and matching config file.
Questions I have:
1. In my lab network, I couldn't get out to the Internet until I changed the static route setting using the "next-table" option. I would like to know why and whether that affects other areas of the config where static routes are called out.
2. The idea of using separate routing instances and zones looks like it complicates things, but at the same time it makes sense to have things modular. Is this a good approach, or should I be using a simpler approach?
3. And last but not least, will it work as is? If not, what needs to change?
Thanks in advance!
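For reference, here is an added example (not the poster's attached config) of the probe-driven fail-over and fail-back described above, using the Junos RPM and ip-monitoring services. It assumes a single inet.0 design with ge-0/0/0.0 as the ISP1 interface, 203.0.113.1 as the ISP1 gateway and 198.51.100.1 as the ISP2 gateway; all three are placeholders, and the probe target is the 18.104.22.168 address from the post.

```junos
services {
    rpm {
        probe isp1-probe {
            test reach-internet {
                probe-type icmp-ping;
                /* Reliable Internet address from the post (assumed reachable via ISP1) */
                target address 18.104.22.168;
                probe-count 3;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    /* three consecutive lost probes mark the test as failed */
                    successive-loss 3;
                }
                /* Pin the probe to the ISP1 interface and gateway (assumed names) so it
                   keeps testing ISP1 even while traffic has failed over to ISP2 */
                destination-interface ge-0/0/0.0;
                next-hop 203.0.113.1;
            }
        }
    }
    ip-monitoring {
        policy isp1-watch {
            match {
                rpm-probe isp1-probe;
            }
            then {
                /* While the probe fails, a preference-1 default route via the ISP2
                   gateway (assumed) is installed above the normal static default via
                   ISP1; it is withdrawn when the probe recovers, which gives fail-back */
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 198.51.100.1;
                    }
                }
            }
        }
    }
}
```

The ordinary static default route via ISP1 stays configured under routing-options; `show services ip-monitoring status` shows whether the monitored route is currently active. If the default route lives in a named routing instance instead of inet.0, the `preferred-route` action also accepts a `routing-instances <name>` qualifier so the override lands in that instance's table.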