ISP Failover: Configure J-Series/SRX for dual ISP without dynamic routing protocols

This article contains a sample configuration for J-Series and SRX Branch devices with dual ISP connections. It allows ISP failover without dynamic routing protocols such as OSPF or BGP.

Topology Assumptions

Trust zone network is on ge-0/0/0
DMZ zone network is on ge-0/0/1

ISP1 zone network is on fe-0/0/6
ISP2 zone network is on fe-0/0/7

Note: ISP1 is in the default routing instance. ISP2 is in the ISP2 routing instance.


  • Trust and DMZ zones should egress out ISP1 with source NAT.
  • If the ISP1 interface goes down, Trust and DMZ zones should egress out ISP2 instead, with source NAT.
  • If the ISP1 interface returns, Trust and DMZ zones should revert to using ISP1.
  • ISP1 must allow destination NAT for the web server in the Trust zone and the mail server in the DMZ zone.
  • ISP2 also has destination NAT for the same web and mail servers.
  • When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.

This is possible using a combination of multiple routing instances with filter-based forwarding and a qualified-next-hop on the default route. Below is a sample working configuration for the above scenario.
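The routing part of this design, as an added example that is not the article's original configuration: a default route with a qualified-next-hop for failover, and rib-groups that share interface routes between the default instance and the ISP2 instance. The gateway addresses (documentation ranges), the rib-group names and the `virtual-router` instance type are assumptions; zones, policies, NAT and the filter-based forwarding filters are not shown.

```junos
# Added example. Assumed addresses: ISP1 gateway 192.0.2.1, ISP2 gateway 198.51.100.1.
routing-options {
    interface-routes {
        # Copy the default instance's interface routes (Trust, DMZ, ISP1) into ISP2.inet.0.
        rib-group inet main-to-isp2;
    }
    static {
        route 0.0.0.0/0 {
            # Primary path: ISP1, at the default static preference of 5.
            next-hop 192.0.2.1;
            # Backup path: ISP2, less preferred, so it is used only when the
            # ISP1 next hop is unreachable (for example, fe-0/0/6 is down).
            qualified-next-hop 198.51.100.1 {
                preference 10;
            }
        }
    }
    rib-groups {
        # The first table listed is the source table of each group.
        main-to-isp2 {
            import-rib [ inet.0 ISP2.inet.0 ];
        }
        isp2-to-main {
            import-rib [ ISP2.inet.0 inet.0 ];
        }
    }
}
routing-instances {
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                # Make the ISP2 subnet visible in inet.0 so the backup next hop resolves.
                rib-group inet isp2-to-main;
            }
            static {
                # Sessions that arrive on ISP2 are routed back out through ISP2.
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}
```

After commit, `show route 0.0.0.0/0` shows which next hop is currently active. Failover here follows next-hop reachability only, so an upstream ISP outage that leaves the local link up does not trigger it.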



1 Comment

  • Why the next-hop IP addresses in below config part are and ?? they should be and, right ??

    routing-instances {
    instance-type forwarding;
    routing-options {
    static {
    route next-hop;
    route next-hop;
