Comments
-
I can't speak to Cisco's FirePower setup, but I do know that Palo Alto has a version of their GlobalProtect that you can run on-premise (so it's not sent to their cloud), but for non-government organizations / non-Fortune 500, it's probably too expensive.
-
I'm pretty sure you want to have the circuit group reflect "best child status" so it only goes down if all objects are down. As an HA pair, you don't want one circuit being down to suppress legitimate alerts on remote devices that are still reachable.