What are the Security / NAT Rule Best Practices?

It’s best to maintain a consistent set of Zones on both devices. The security rules that relate to inbound traffic (destination NAT) need to be configured with tuples that apply to both devices/networks. It’s advisable to use a public DNS service that can check the health of a service endpoint and fail the DNS record over to the public IP address on the standby device. The TTL on these DNS records should be set to less than five minutes.
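One way to audit a device pair against these three practices, as an added example that is not part of the original page or any vendor tooling. The dictionary layout, device names and addresses are constructed, and reading "tuples that apply to both devices" as "zones present on both and destinations covering both inbound addresses" is an assumption.

```python
import ipaddress

MAX_TTL_SECONDS = 300  # the page's limit: TTL must be less than five minutes


def audit(active, standby, inbound_rules, dns_records):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    zones_a, zones_s = set(active["zones"]), set(standby["zones"])

    # 1. Both devices should carry the same set of zones.
    for zone in sorted(zones_a ^ zones_s):
        owner = active["name"] if zone in zones_a else standby["name"]
        findings.append(f"zone '{zone}' exists only on {owner}")

    # 2. Each inbound (destination NAT) rule must be usable on either device:
    #    its zones exist on both, and its destination matches both inbound IPs.
    for rule in inbound_rules:
        for zone in sorted({rule["from_zone"], rule["to_zone"]} - (zones_a & zones_s)):
            findings.append(f"rule '{rule['name']}' uses zone '{zone}' missing on one device")
        nets = [ipaddress.ip_network(d) for d in rule["destination"]]
        for dev in (active, standby):
            ip = ipaddress.ip_address(dev["inbound_ip"])
            if not any(ip in net for net in nets):
                findings.append(f"rule '{rule['name']}' does not match {dev['name']} address {ip}")

    # 3. Failover records need a short TTL so clients re-resolve quickly.
    for rec in dns_records:
        if rec["ttl"] >= MAX_TTL_SECONDS:
            findings.append(f"DNS record '{rec['name']}' TTL {rec['ttl']}s is not below {MAX_TTL_SECONDS}s")
    return findings


# Constructed sample data (documentation address ranges, hypothetical names).
FW_A = {"name": "fw-a", "zones": ["untrust", "trust", "dmz"], "inbound_ip": "203.0.113.10"}
FW_B = {"name": "fw-b", "zones": ["untrust", "trust"], "inbound_ip": "198.51.100.10"}
RULES = [{"name": "inbound-web", "from_zone": "untrust", "to_zone": "dmz",
          "destination": ["203.0.113.10/32"]}]
DNS = [{"name": "www.example.com", "ttl": 3600}]

if __name__ == "__main__":
    for finding in audit(FW_A, FW_B, RULES, DNS):
        print("FINDING:", finding)
```

With the sample data the audit flags the zone missing on the standby, the rule that would not match traffic arriving at the standby's address, and the one-hour TTL.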