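# Junos SRX chassis-cluster base configuration (two nodes, Site A). Node-specific values
# (host-name, fxp0) come from the node0/node1 groups selected by apply-groups "${node}".
set version 11.4R9.4
set groups node0 system host-name siteA-node0
set groups node0 interfaces fxp0 unit 0 family inet
set groups node1 system host-name siteA-node1
set groups node1 interfaces fxp0 unit 0 family inet
set apply-groups "${node}"
set system domain-name mydomain.com
set system time-zone PST8PDT
set system no-redirects
# "Password" is a placeholder, not a valid value: encrypted-password expects the password HASH.
# Generate it on the box with "set system root-authentication plain-text-password" and paste the
# resulting hash here; never commit a real plaintext password.
set system root-authentication encrypted-password "Password"
# Day-to-day administration uses a named account so actions are attributable; root stays
# console-only (see ssh root-login deny below). Placeholder hash, replace as for root.
set system login user admin class super-user
set system login user admin authentication encrypted-password "Password"
set system name-server 192.168.1.10
# Root over SSH is denied: it is a shared, untraceable account and ssh is reachable on the ISP
# interfaces (ISP zones below), so a brute-force target for "root" must not exist there.
set system services ssh root-login deny
set system services ssh protocol-version v2
# Management web UI over HTTPS only. The original plaintext HTTP listener on reth0.0 sent
# admin credentials in the clear on the LAN; it is replaced by HTTPS on the same interface.
set system services web-management https system-generated-certificate
set system services web-management https interface reth0.0
# HTTPS also listens on both ISP interfaces. Reachability from the Internet is restricted only
# by the mgmnt-access prefix-list in the ISP-IN-FILTERs -- keep that list tight.
set system services web-management https interface reth1.0
set system services web-management https interface reth2.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any warning
set system syslog file messages authorization info
# Interactive commands are logged at info/notice severity, so the original "error" threshold
# captured almost nothing; "any" keeps a full audit trail of configuration changes.
set system syslog file interactive-commands interactive-commands any
# TODO(review): also ship messages/interactive-commands to a central syslog host
# ("set system syslog host <ip> ...") so the logs survive a compromise or replacement of the box.
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
# Licence refresh needs outbound HTTPS + DNS from the RE to Juniper.
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
# Disable UTM permanently if you are not using it to save memory
set system processes utmd disable
# NTP is unauthenticated here; time drift/tampering affects log correlation and IKE lifetimes.
# Add NTP authentication keys if the internal NTP server supports them.
set system ntp server 10.10.0.1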
# Chassis cluster: RG0 (control plane) and RG1 (the reth data plane) both prefer node0 (priority 100 vs 1).
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
# Interface monitoring: weight 255 means any single monitored link going down on the active node
# exhausts RG1's threshold and fails the data plane over to the other node.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/2 weight 255
# Physical members of the reth bundles: ge-0/* on node0, ge-3/* on node1.
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-3/0/0 gigether-options redundant-parent reth0
set interfaces ge-3/0/1 gigether-options redundant-parent reth1
set interfaces ge-3/0/2 gigether-options redundant-parent reth2
# fab0/fab1 are the cluster fabric (data-plane) links. They carry forwarded traffic between the nodes,
# so keep them on a direct, dedicated cable rather than a shared switch/VLAN.
set interfaces fab0 fabric-options member-interfaces ge-0/0/5
set interfaces fab1 fabric-options member-interfaces ge-3/0/5
# Set the lo0 with an unused dummy IP that is not on your network (it is also used as a next-hop in routing-options)
set interfaces lo0 unit 0 family inet address 172.16.172.181/32
# reth0 = LAN side, 10.10.0.2/30 facing the internal router (10.10.0.1). LAN-IN-FILTER (firewall
# section) does the policy-based routing for hosts that should use ISP2.
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 description LAN
set interfaces reth0 unit 0 family inet mtu 1500
set interfaces reth0 unit 0 family inet filter input LAN-IN-FILTER
set interfaces reth0 unit 0 family inet address 10.10.0.2/30
# reth1/reth2 = the two ISP uplinks. Each sits in its own virtual-router (ISP1/ISP2); the input filters
# implement the remote-management ACL and hand other inbound traffic to TRUST-VRF.
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 description ISP1
set interfaces reth1 unit 0 family inet mtu 1500
set interfaces reth1 unit 0 family inet filter input ISP1-IN-FILTER
set interfaces reth1 unit 0 family inet address 66.66.66.66/28
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 description ISP2
set interfaces reth2 unit 0 family inet mtu 1500
set interfaces reth2 unit 0 family inet filter input ISP2-IN-FILTER
set interfaces reth2 unit 0 family inet address 77.77.77.77/28
# st0.0/st0.1 are the route-based VPN tunnels to Site B, one per ISP. MTU 1350 (together with the
# tcp-mss settings under security flow) leaves room for ESP/IP overhead on the tunnels.
set interfaces st0 unit 0 description VPN-SITEB-ISP1
set interfaces st0 unit 0 family inet mtu 1350
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set interfaces st0 unit 1 description VPN-SITEB-ISP2
set interfaces st0 unit 1 family inet mtu 1350
set interfaces st0 unit 1 family inet address 10.0.0.5/30
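set snmp location SITEA
# "public" is the universal default community and the first string every scanner tries; a read-only
# community still exposes interface, ARP and routing tables. "CommunityString" is a placeholder -- use
# a unique secret, and prefer SNMPv3 (authentication + privacy) if the NMS supports it.
set snmp community CommunityString authorization read-only
# Only allow host 10.10.10.10 to access SNMP (any other source is refused for this community)
set snmp community CommunityString clients 10.10.10.10/32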
# Leak the default instance's interface (direct) routes into every table listed in the "inside" rib-group.
set routing-options interface-routes rib-group inet inside
# Set the virtual-router ISP1 as the default route out
set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0
# I do not think you need the next line anymore with 11.4 but I put it in just for kicks on how confusing this setup is
# NOTE(review): this points the Site B peer (88.88.88.88) at the lo0 dummy address; if IKE to the peer
# fails, remove this route first.
set routing-options static route 88.88.88.88/32 next-hop 172.16.172.181
# Internal subnets that live behind the LAN router (10.10.0.1).
set routing-options static route 10.10.10.0/24 next-hop 10.10.0.1
set routing-options static route 10.10.11.0/24 next-hop 10.10.0.1
# rib-groups basically import and export routing tables from other instances:
# interface routes tagged with this group land in all four tables below.
set routing-options rib-groups inside import-rib inet.0
set routing-options rib-groups inside import-rib TRUST-VRF.inet.0
set routing-options rib-groups inside import-rib ISP1.inet.0
set routing-options rib-groups inside import-rib ISP2.inet.0
# This is only for cosmetics which sets the OSPF router ID
set routing-options router-id 10.10.0.2
# This is for adding more routes via OSPF, not necessary if your internal router supports OSPF
set protocols ospf export Export-Local-Nets
# Now lets create a simple OSPF area for the VPNs and routing between sites so we dont have massive static routes to babysit
# TODO(review): these adjacencies run without OSPF authentication, so any host that can reach the
# LAN or tunnel interfaces could inject routes; add "authentication md5 <id> key <key>" on each
# interface (Site B and the internal router must match).
set protocols ospf area 0.0.0.0 interface st0.0 metric 150
# Notice how this interface is a higher metric than st0.0.  We dont want VPN traffic going over st0.1 unless st0.0 is down
set protocols ospf area 0.0.0.0 interface st0.1 metric 160
# If you don't have OSPF on your internal router add the word passive at the end of the next line
# (passive also stops the firewall from forming an adjacency with anything on the LAN)
set protocols ospf area 0.0.0.0 interface reth0.0
# I dont use spanning-tree so its disabled
set protocols stp disable
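# This is just an example of hosts that get dropped with my firewall interface filter
set policy-options prefix-list blocked-access 111.111.111.111/32
set policy-options prefix-list blocked-access 222.222.222.222/32
# This list is for hosts I want to give ssh and https access so they can manage this firewall remotely
# Keep it as small as possible: every entry here reaches the firewall's ssh/https from the Internet.
# The original "55.55.55.55/24" had host bits set; it is written here as the network it actually
# denotes. A whole /24 is a lot of hosts to trust with management access -- prefer individual /32s
# (note 55.55.55.44/32 is already inside that /24, so it is redundant as long as the /24 stays).
set policy-options prefix-list mgmnt-access 55.55.55.0/24
set policy-options prefix-list mgmnt-access 55.55.55.44/32
# If you do not have OSPF on your internal router then add the lines below if you have internal routes that dont hit the firewall
# From my static routes above in the routing-options section, Im adding my 2 internal subnets
# "protocol static" and "protocol direct" form a list (either matches); the route-filters then limit
# the export to exactly the two LAN prefixes.
set policy-options policy-statement Export-Local-Nets term 1 from protocol static
set policy-options policy-statement Export-Local-Nets term 1 from protocol direct
set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.10.10.0/24 exact
set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.10.11.0/24 exact
set policy-options policy-statement Export-Local-Nets term 1 then accept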
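# Below is the VPN settings
# IKE phase 1: PSK + DH group2 (1024-bit MODP) + SHA-1 + AES-128-CBC, 24h lifetime.
# group2 and SHA-1 are weak by current standards; move to group14 (2048-bit) or higher and
# sha-256 if both ends support them (Site B must use the identical proposal).
set security ike proposal SHA1-PSK-DH2-AES128 authentication-method pre-shared-keys
set security ike proposal SHA1-PSK-DH2-AES128 dh-group group2
set security ike proposal SHA1-PSK-DH2-AES128 authentication-algorithm sha1
set security ike proposal SHA1-PSK-DH2-AES128 encryption-algorithm aes-128-cbc
set security ike proposal SHA1-PSK-DH2-AES128 lifetime-seconds 86400
set security ike policy PSK-IKE-Policy mode main
# Must reference the proposal defined above. The original pointed at "SHA1-PRE-AES128", which
# does not exist in this config and fails the commit.
set security ike policy PSK-IKE-Policy proposals SHA1-PSK-DH2-AES128
# "PreSharedKey" is a placeholder: use a long random secret, unique per peer. Junos stores it in
# $9$ form after commit, but that is reversible obfuscation -- treat config backups as secrets.
set security ike policy PSK-IKE-Policy pre-shared-key ascii-text "PreSharedKey"
# OK so this gets funky
# For DUAL-ISPs you need to add the local and remote identities on both sides of the VPN
# Also there is a bug with Juniper and ike v1's dead peer detection so use version v2 which has
# it in there by default and does not have this bug.  You can still use v1 but you get weird 
# errors in the logs like "Notification payload contains invalid protocol id"
# Both gateways target the same peer address (88.88.88.88); they are told apart by the
# local/remote identities (the st0 tunnel addresses) and the external-interface they use.
set security ike gateway SITEB-GW-ISP1 ike-policy PSK-IKE-Policy
set security ike gateway SITEB-GW-ISP1 address 88.88.88.88
set security ike gateway SITEB-GW-ISP1 local-identity inet 10.0.0.1
set security ike gateway SITEB-GW-ISP1 remote-identity inet 10.0.0.2
set security ike gateway SITEB-GW-ISP1 external-interface reth1.0
set security ike gateway SITEB-GW-ISP1 version v2-only
set security ike gateway SITEB-GW-ISP2 ike-policy PSK-IKE-Policy
set security ike gateway SITEB-GW-ISP2 address 88.88.88.88
set security ike gateway SITEB-GW-ISP2 local-identity inet 10.0.0.5
set security ike gateway SITEB-GW-ISP2 remote-identity inet 10.0.0.6
set security ike gateway SITEB-GW-ISP2 external-interface reth2.0
set security ike gateway SITEB-GW-ISP2 version v2-only
# IPsec phase 2: ESP with HMAC-SHA1-96 + AES-128-CBC, 1h lifetime, PFS on group2.
# Same caveat as phase 1 -- prefer group14+ (and sha-256 integrity) when both sides support it.
set security ipsec proposal SHA1-AES128-ESP protocol esp
set security ipsec proposal SHA1-AES128-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal SHA1-AES128-ESP encryption-algorithm aes-128-cbc
set security ipsec proposal SHA1-AES128-ESP lifetime-seconds 3600
set security ipsec policy IPSEC-PFS2-Policy perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-PFS2-Policy proposals SHA1-AES128-ESP
# Route-based VPNs: each tunnel is bound to its st0 unit and routed by OSPF (see protocols ospf).
set security ipsec vpn SITEB-VPN-ISP1 bind-interface st0.0
set security ipsec vpn SITEB-VPN-ISP1 ike gateway SITEB-GW-ISP1
set security ipsec vpn SITEB-VPN-ISP1 ike ipsec-policy IPSEC-PFS2-Policy
set security ipsec vpn SITEB-VPN-ISP2 bind-interface st0.1
set security ipsec vpn SITEB-VPN-ISP2 ike gateway SITEB-GW-ISP2
set security ipsec vpn SITEB-VPN-ISP2 ike ipsec-policy IPSEC-PFS2-Policy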
# Address book entries.  I put them all in global to make life easy.
set security address-book global address LAN_SMTP_SERVER 10.10.10.250/32
# All my inside subnets
set security address-book global address NET_LOOPBACK 172.16.172.181/32
set security address-book global address NET_LAN10 10.10.10.0/24
set security address-book global address NET_LAN11 10.10.11.0/24
set security address-book global address NET_LAN1 10.10.0.0/30
# Group them up (NET_LOCAL is the source match for the outbound policies and the source NAT rules)
set security address-book global address-set NET_LOCAL address NET_LOOPBACK
set security address-book global address-set NET_LOCAL address NET_LAN10
set security address-book global address-set NET_LOCAL address NET_LAN11
set security address-book global address-set NET_LOCAL address NET_LAN1
# Algs are mostly broken so disable them to avoid headaches
set security alg dns disable
# If you want to keep DNS then add the entry below
# (these two only take effect with the DNS ALG enabled, i.e. delete the "dns disable" line above)
set security alg dns maximum-message-length 8192
set security alg dns doctoring none
set security alg mgcp disable
set security alg msrpc disable
set security alg sunrpc disable
set security alg sql disable
# allow-dns-reply lets a DNS reply through without a matching session entry. Presumably here to cope
# with the disabled DNS ALG, but it loosens the stateful check on UDP/53 -- drop it if resolution works without it.
set security flow allow-dns-reply
# Below is only needed for certain DSL connections to fix web site loading
# For example, if yahoo.com doesnt load correctly add the line below
set security flow tcp-mss all-tcp mss 1350
# Add the line below for your VPN connections -- fixes fragmentation problems
set security flow tcp-mss ipsec-vpn mss 1350
# This screen stuff is just all default -- keep or tweak at your own discretion
# untrust-screen is bound to the ISP1/ISP2 zones below; nothing here applies to the LAN zone.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# This is the source NAT (outgoing) setup for both ISPs.
# For examples sake Im using a different IP for the primary ISP
# and just the same IP as the interface for the secondary ISP
# Rule-sets are keyed on routing-instance (default -> ISP1 / ISP2), so whichever virtual-router
# the packet is routed into selects the matching source NAT.
set security nat source pool SNAT-ISP1-67 address 66.66.66.67/32
set security nat source rule-set SNAT-ISP1 from routing-instance default
set security nat source rule-set SNAT-ISP1 to routing-instance ISP1
# I'm adding my address book entry "NET_LOCAL" just to be anal
# you can use "source-address 0.0.0.0/0" just as well
set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 match source-address-name NET_LOCAL
set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 match destination-address 0.0.0.0/0
set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 then source-nat pool SNAT-ISP1-67
# Now to add ISP2 in case ISP1 ever goes down
set security nat source rule-set SNAT-ISP2 from routing-instance default
set security nat source rule-set SNAT-ISP2 to routing-instance ISP2
set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 match source-address-name NET_LOCAL
set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 match destination-address 0.0.0.0/0
set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 then source-nat interface
# This is the destination NAT (incoming) setup for the SMTP server
# DNAT is applied before the policy lookup; the ISPx-dnat-SMTP_SERVER policies (application cust-smtp)
# are what limit the exposed ports. "source-address 0.0.0.0/0" is expected for a public mail server.
set security nat destination pool DNAT_SMTP_SERVER address 10.10.10.250/32
set security nat destination rule-set ISP1-dnat from routing-instance ISP1
set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER match source-address 0.0.0.0/0
set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER match destination-address 66.66.66.68/32
set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER then destination-nat pool DNAT_SMTP_SERVER
set security nat destination rule-set ISP2-dnat from routing-instance ISP2
set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER match source-address 0.0.0.0/0
set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER match destination-address 77.77.77.79/32
set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER then destination-nat pool DNAT_SMTP_SERVER
# Add all external IPs that will be used here (not including the interface IPs)
# Without proxy-arp the ISP gateway cannot resolve the SNAT pool / DNAT addresses on the reth interfaces.
set security nat proxy-arp interface reth1.0 address 66.66.66.67/32
set security nat proxy-arp interface reth1.0 address 66.66.66.68/32
set security nat proxy-arp interface reth2.0 address 77.77.77.79/32
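# Now this is where we define security ACLs
# Policies are evaluated top-down per zone pair, in the order they appear here; the Bad-Stuff
# deny must stay above the permit-any rule for the same zone pair.
# I like to block garbage traffic from going out
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match source-address any-ipv4
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match destination-address any-ipv4
# Below is just an example of stuff to block
# You can create your own at the end of the config or use "show configuration groups junos-defaults applications" to see the predefined ones
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-netbios-session
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-smb-session
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-nbname
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-nbds
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-cifs
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff then deny
# Log the denies: outbound SMB/NetBIOS to the Internet is a worm / misconfiguration indicator worth seeing in syslog.
set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff then log session-init
set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match source-address NET_LOCAL
set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match destination-address any-ipv4
set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match application any
set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 then permit
# Copy the above for ISP2
# A policy needs source-address, destination-address AND application to commit; the ISP2 copy
# was missing the two address lines.
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match source-address any-ipv4
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match destination-address any-ipv4
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-netbios-session
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-smb-session
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-nbname
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-nbds
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-cifs
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff then deny
set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff then log session-init
set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match source-address NET_LOCAL
set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match destination-address any-ipv4
set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match application any
set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 then permit
# Allow LAN to LAN
# NOTE(review): this is intra-zone and the VPN tunnels (st0.0/st0.1) are in zone LAN, so Site B hosts
# get unrestricted access to the LAN as well. Fine if Site B is equally trusted; otherwise put the
# tunnels in their own zone and write explicit policies.
set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match source-address any
set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match destination-address any
set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match application any
set security policies from-zone LAN to-zone LAN policy LAN-to-LAN then permit
# Allow Destination NAT traffic
# Source "any" is expected for a public mail server; cust-smtp (TCP/25 + TCP/587) is the only thing exposed.
set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match source-address any-ipv4
set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match destination-address LAN_SMTP_SERVER
# Notice how im using my own application called cust-smtp
# Which will be explained at the end of the config
set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match application cust-smtp
set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER then permit
# Log inbound mail sessions so the Internet-facing service has an audit trail for incident response.
set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER then log session-close
set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match source-address any-ipv4
set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match destination-address LAN_SMTP_SERVER
set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match application cust-smtp
set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER then permit
set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER then log session-close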
# Add allowed traffic to hit the firewall
# Note: this isn't allowing traffic to pass through firewall, but rather actually hit the interfaces of the firewall
# NOTE(review): "all" lets every LAN host -- and, because st0.0/st0.1 are in this zone, every Site B
# host -- reach every configured RE service (ssh, https, ping, ...). List only the services you need,
# and give the tunnels their own zone if Site B is less trusted than the LAN.
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols ospf
# adding a custom entry here instead of the global one above for LAN because the loopback interface doesnt need ospf on it
# You can do the same for the reth0.0 interface if you dont have an internal router using OSPF
set security zones security-zone LAN interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone LAN interfaces reth0.0
set security zones security-zone LAN interfaces st0.0
set security zones security-zone LAN interfaces st0.1
# For the ISP zones, services will be limited
# ike is required for the VPNs; ping/traceroute are a convenience. ssh/https here accept from ANY
# source -- the only thing keeping them off the open Internet is the mgmnt-access handling in the
# ISP-IN-FILTERs, so that filter and prefix-list are security-critical.
set security zones security-zone ISP1 screen untrust-screen
set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ike
set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services traceroute
set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ping
set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ssh
set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services https
set security zones security-zone ISP2 screen untrust-screen
set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ping
set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ike
set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services traceroute
set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ssh
set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services https

#
# Now these are the firewall interface filters.  They are used before the policies.
#
# The LAN-IN-FILTER is an example only if you want a certain host or subnet to go out ISP2 instead of the default ISP1
# Here the computer at 10.10.10.100 will be using ISP2 by default.
# "10.0.0.0/8 except" keeps its traffic for the internal nets and the VPN tunnels (10.0.0.x) in the
# default instance. NOTE(review): other non-Internet destinations (e.g. the 172.16.172.181 loopback)
# would still be pushed into ISP2; extend the except list if that matters.
set firewall filter LAN-IN-FILTER term 1 from source-address 10.10.10.100/32
set firewall filter LAN-IN-FILTER term 1 from destination-address 0.0.0.0/0
set firewall filter LAN-IN-FILTER term 1 from destination-address 10.0.0.0/8 except
set firewall filter LAN-IN-FILTER term 1 then routing-instance ISP2
# Everything else is accepted unchanged (a filter ends in an implicit discard, so this term is required).
set firewall filter LAN-IN-FILTER term 2 then accept

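# The ISP1 and ISP2-IN-FILTERs handle routing traffic coming back in from the virtual routers 
# Terms run in order: 1 drop the blocklist, 2 accept remote management, mgmt-deny drop everyone
# else's ssh/https to the firewall itself, 3 hand the rest back to TRUST-VRF, 4 accept.
set firewall filter ISP1-IN-FILTER term 1 from source-prefix-list blocked-access
set firewall filter ISP1-IN-FILTER term 1 then discard
# Because ssh and https from the remote management networks needs to be accepted for it to work
# This term will do that.  Otherwise it gets re-routed and dropped.
set firewall filter ISP1-IN-FILTER term 2 from source-prefix-list mgmnt-access
set firewall filter ISP1-IN-FILTER term 2 from protocol tcp
set firewall filter ISP1-IN-FILTER term 2 from destination-port 22
set firewall filter ISP1-IN-FILTER term 2 from destination-port 443
set firewall filter ISP1-IN-FILTER term 2 then accept
# Explicit drop of management ports aimed at the firewall's own WAN address from any source not in
# mgmnt-access. The ISP1 zone allows ssh/https from any source on reth1.0, so without this term the
# exposure depends on term 3's re-route behaviour rather than on a deliberate discard. The counter
# makes probing visible ("show firewall filter ISP1-IN-FILTER").
set firewall filter ISP1-IN-FILTER term mgmt-deny from destination-address 66.66.66.66/32
set firewall filter ISP1-IN-FILTER term mgmt-deny from protocol tcp
set firewall filter ISP1-IN-FILTER term mgmt-deny from destination-port 22
set firewall filter ISP1-IN-FILTER term mgmt-deny from destination-port 443
set firewall filter ISP1-IN-FILTER term mgmt-deny then count mgmt-denied
set firewall filter ISP1-IN-FILTER term mgmt-deny then discard
# Here all other traffic on our ISP subnet gets rerouted to the default instance and checked for policies and NAT
set firewall filter ISP1-IN-FILTER term 3 from destination-address 66.66.66.64/28
set firewall filter ISP1-IN-FILTER term 3 then routing-instance TRUST-VRF
set firewall filter ISP1-IN-FILTER term 4 then accept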

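# Rinse and repeat for ISP2 (same term order as ISP1-IN-FILTER: blocklist, management accept,
# management deny, re-route to TRUST-VRF, accept).
set firewall filter ISP2-IN-FILTER term 1 from source-prefix-list blocked-access
set firewall filter ISP2-IN-FILTER term 1 then discard
set firewall filter ISP2-IN-FILTER term 2 from source-prefix-list mgmnt-access
set firewall filter ISP2-IN-FILTER term 2 from protocol tcp
set firewall filter ISP2-IN-FILTER term 2 from destination-port 22
set firewall filter ISP2-IN-FILTER term 2 from destination-port 443
set firewall filter ISP2-IN-FILTER term 2 then accept
# Explicitly drop ssh/https to the firewall's own ISP2 address from anyone not in mgmnt-access
# (the ISP2 zone accepts these services from any source on reth2.0).
set firewall filter ISP2-IN-FILTER term mgmt-deny from destination-address 77.77.77.77/32
set firewall filter ISP2-IN-FILTER term mgmt-deny from protocol tcp
set firewall filter ISP2-IN-FILTER term mgmt-deny from destination-port 22
set firewall filter ISP2-IN-FILTER term mgmt-deny from destination-port 443
set firewall filter ISP2-IN-FILTER term mgmt-deny then count mgmt-denied
set firewall filter ISP2-IN-FILTER term mgmt-deny then discard
# The original "77.77.77.74/28" had host bits set; the /28 that reth2.0 (77.77.77.77/28) lives in is 77.77.77.64/28.
set firewall filter ISP2-IN-FILTER term 3 from destination-address 77.77.77.64/28
set firewall filter ISP2-IN-FILTER term 3 then routing-instance TRUST-VRF
set firewall filter ISP2-IN-FILTER term 4 then accept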

# Setup the virtual routers
# Each ISP gets its own virtual-router so each can hold its own default route. The "inside" rib-group
# leaks each VR's interface routes into inet.0/TRUST-VRF (and the other VR) so return traffic and
# the ip-monitoring failover routes can reach the WAN interfaces.
set routing-instances ISP1 instance-type virtual-router
set routing-instances ISP1 interface reth1.0
set routing-instances ISP1 routing-options interface-routes rib-group inet inside
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 66.66.66.69
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface reth2.0
set routing-instances ISP2 routing-options interface-routes rib-group inet inside
# NOTE(review): 77.77.77.80 is outside the 77.77.77.64/28 that reth2.0 (77.77.77.77/28) sits in, so as
# written this next-hop would not be directly connected -- check the ISP2 example addressing.
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 77.77.77.80
# Setup the forwarder
# TRUST-VRF is a forwarding instance: the ISP-IN-FILTERs re-route inbound traffic into it so it is
# looked up against the internal routes instead of the ISP tables.
set routing-instances TRUST-VRF instance-type forwarding
# Add in any internal routes that are not connected directly to the firewall
set routing-instances TRUST-VRF routing-options static route 10.10.10.0/24 next-hop 10.10.0.1
set routing-instances TRUST-VRF routing-options static route 10.10.11.0/24 next-hop 10.10.0.1

# Setup the IP Monitoring service in case one of the ISP goes down
# I'm using the gateway of ISP1 and the next hop of ISP2's gateway for examples sake
# Each test sends 5 probes (3 s apart) every 30 s out of the named reth interface via the named next-hop;
# 5 consecutive (or 5 total) losses in a test marks the probe failed.
set services rpm probe ISP1-GW test uplink target address 66.66.66.69
set services rpm probe ISP1-GW test uplink probe-count 5
set services rpm probe ISP1-GW test uplink probe-interval 3
set services rpm probe ISP1-GW test uplink test-interval 30
set services rpm probe ISP1-GW test uplink thresholds successive-loss 5
set services rpm probe ISP1-GW test uplink thresholds total-loss 5
set services rpm probe ISP1-GW test uplink destination-interface reth1.0
set services rpm probe ISP1-GW test uplink next-hop 66.66.66.69
# ISP2 probing
# Probing a host beyond the gateway (77.77.78.1) catches an ISP that is up at layer 2 but not forwarding.
set services rpm probe ISP2-GW test uplink target address 77.77.78.1
set services rpm probe ISP2-GW test uplink probe-count 5
set services rpm probe ISP2-GW test uplink probe-interval 3
set services rpm probe ISP2-GW test uplink test-interval 30
set services rpm probe ISP2-GW test uplink thresholds successive-loss 5
set services rpm probe ISP2-GW test uplink thresholds total-loss 5
set services rpm probe ISP2-GW test uplink destination-interface reth2.0
set services rpm probe ISP2-GW test uplink next-hop 77.77.77.80
# This is what to do when the probe fails
# Basically we are taking the ISP that is down and giving it the gateway of the ISP that is up
# (the other ISP's gateway is reachable from each VR because the interface routes are leaked via the "inside" rib-group)
set services ip-monitoring policy ISP1-Tracking match rpm-probe ISP1-GW
set services ip-monitoring policy ISP1-Tracking then preferred-route routing-instances ISP1 route 0.0.0.0/0 next-hop 77.77.77.80
set services ip-monitoring policy ISP2-Tracking match rpm-probe ISP2-GW
set services ip-monitoring policy ISP2-Tracking then preferred-route routing-instances ISP2 route 0.0.0.0/0 next-hop 66.66.66.69

# This is where we define our custom ports or applications
# TCP/587 (mail submission); kept as its own application so it can be grouped with the built-in junos-smtp (TCP/25).
set applications application cust-tcp-587 protocol tcp
set applications application cust-tcp-587 destination-port 587
# We can group applications together for simplicity
# Here im going to group my custom port along with the default SMTP one
# cust-smtp is the only application the inbound DNAT policies permit, so it defines the mail server's exposed port surface.
set applications application-set cust-smtp application cust-tcp-587
set applications application-set cust-smtp application junos-smtp