  1. #1

    Juniper SRX firewalls YAY or NAY

    I've been looking at the new SRX firewall/routers. Has anyone used these? I checked out the ScreenOS --> JunOS documentation, and it seems to be more work to accomplish the same results.

    There is no mention of a web-based admin tool. I use that daily for the Netscreens and SSGs I have. I would love some input from you guys on this. From the specs I see, they kick @ss.

  2. #2
    I have heard good and bad, either way they're the next in the series so they're gonna sell. It will be nice to have a line that goes from 100Mbps to 120Gbps

  3. #3
    Quote Originally Posted by skullbox
    I've been looking at the new SRX firewall/routers. Has anyone used these? I checked out the ScreenOS --> JunOS documentation, and it seems to be more work to accomplish the same results.

    There is no mention of a web-based admin tool. I use that daily for the Netscreens and SSGs I have. I would love some input from you guys on this. From the specs I see, they kick @ss.
    you can run j-web for web management

  4. #4
    I've used the J4350's before and while I didn't spend much time in the J-web interface it seemed very limited. Am I correct? The web interface for screenOS is really easy to use and I can do 95% of my tasks using it.

  5. #5
    FWIW we're looking to replace our NS-5200's with SRX.

  6. #6
    We had an online demo a couple weeks ago with a Juniper engineer - the SRX series is very powerful and very easy to use. The web interface allows you to do everything you can do via the CLI.

    Our first box will be here this week

    Oh, and they have a promotion going ATM - they'll give you a free 1 year subscription to the IDP updates

  7. #7
    In my experience, JunOS is much better than ScreenOS.
    But the old SSG is working pretty good for us.

  8. #8
    We've managed and deployed over 1000 Netscreen and SSG series by now and they are rock solid. Recently, we deployed a few SRX's with VPN's, MIP/VIPs, 802.1Q tagging, and all sorts of stuff.

    I have to say it's been a nightmare. We've always had great support from the SSG team, but the SRX guys have given us terrible support. The web interface barely works on IE and Safari, super buggy on Firefox and Chrome. Even on IE and Safari it's spitting php errors all the time, things don't load right. You click on a policy to open and edit and it actually opens a different policy. You click on commit a change then it takes you to another page instead of committing.

    There are many tasks that are far easier to do with the web interface as bad as it is since the command line is even worse.

    JunOS is good for routing, but trying to get all this firewall functionality on it is insane. And btw, we are a Juniper partner too. I understand they are not likely to have any bug releases even till Feb of 2010 (it's Dec 4th, 2009 now).

    This is a very promising platform, especially how it scales. And JunOS head to head for routing with Cisco, and ScreenOS is rock solid, the best I've ever used (and yes I've heavily used Cisco, Foundry, Checkpoint, Fortinet, Sonicwall, and the rest). But the combo of JunOS and ScreenOS on the SRX platform is just terrible... it's amazing that it actually works. And I mentioned SRX support is not that great either, right?

    I pray that Juniper gets its act together with this product... having taken two of the greatest network and security products and slammed them together and making one of the worst at this point is not going to help them with this economy.

    Quote Originally Posted by skullbox
    I've been looking at the new SRX firewall/routers. Has anyone used these? I checked out the ScreenOS --> JunOS documentation, and it seems to be more work to accomplish the same results.

    There is no mention of a web-based admin tool. I use that daily for the Netscreens and SSGs I have. I would love some input from you guys on this. From the specs I see, they kick @ss.

  9. #9
    I've had a play with the devices and we have three on order, as well as two EX switches. The SRX has great features and superb price/performance but if you're not comfortable doing things with the CLI then the product is probably not for you just yet.

    JWeb is not a very polished part of the product but it is improving in every JUNOS release (4 times a year). Remember that whilst JUNOS has been around for 10 years the web interface is very new.

    The CLI commands do often involve more typing than on ScreenOS but there are some very nice features like the commit confirmed / rollback type stuff that is great when you are configuring a device remotely.

    Gavin

  10. #10
    We've recently also migrated from ScreenOS to JunOS.

    I can concur that it's got a STEEP learning curve. I'll definitely agree that the web interface is not up to par with the web interface found on ScreenOS products, and that pretty much everything on the box works differently.

    (For people who are coming here from a web search, I'll throw this link in here, as it's the most helpful thing that Jcare was able to give us in regards to converting from the ScreenOS platform to the JunOS platform, keywords: convert screenos config junos config
    https://i2j.juniper.net/s2jes/index.jsp )

    In regards to the previous poster who posted about the CLI, it's definitely a little rough around the edges. We're running an SRX 240, with the latest stable (9.6R2) JunOS.

    Things I like about the cli:
    1. Semi-full unix support (means you can use utilities like awk, sed, grep, sort, uniq, etc, which can come in really handy)
    2. Merging config files ("load merge terminal" and "load merge terminal relative" will probably become good friends)
    3. Along similar lines, the ability to merge config files with default configs (a cool trick where our syslog wasn't working was solved by restoring a default configuration, copying out that section for syslog, saving it to a file, restoring our config, and then merging them together, without any downtime)
    4. Rollback (also part of the web interface)
    5. Tab indention (it's a small thing, but it makes the config MUCH more readable)

    Things I dislike about the cli:
    1. Documentation (or lack thereof, one wonderful example is the applications, where you can say, set an inactivity-timeout, but it will conflict if you're using a term statement)
    2. Inability to re-order NAT rules, etc. You have to remove them and put them back.
    3. The CLI lives in a different layer than the typical login (you have to type "cli" to get into it).
    4. (Unless I'm mistaken) No package repository for adding more utilities to the box (not everybody uses vim)
    5. My personal favorite: bugs all over the place with committing config files. Example: I remove a NAT rule, to move it to another rule-set. I add the NAT rule back to a different rule set. Attempt to "commit", am told that the NAT rule exists (even though it doesn't exist in the config file). Apparently, it's an almost necessity to "commit full" on every change where you'll be moving something, renaming something, etc.

    Platform likes:
    1. Very powerful hardware platform
    2. Great routing platform

    Platform dislikes (keep in mind, coming from ScreenOS here):
    1. The security platform features are nearly a joke (it looks like it was built as a routing platform first, with some security features thrown in. It does not integrate well).
    2. Who thought it would be a good idea to NOT put static NAT configuration in the web interface? (those are MIPS, or at least a sad equivalent for those of you from ScreenOS land). You have to configure them either with the CLI or the point & click cli.
    3. MIPS (static NAT) does not work in nearly the way you expect it to coming from ScreenOS (for instance, it's zone specific, which means if you set up a static NAT on the Untrust zone, systems behind the firewall in the Trust zone will be unable to access it without a lot more work/configuration)
    4. You'd better be REAL comfortable with the CLI to get around, pretty much 50% of the features are CLI-ONLY.
    5. Coming from ScreenOS, policies work in completely different ways. To set up a policy (Untrust to Trust) in ScreenOS involved choosing the source (let's say ANY) and the destination (let's say a MIP, 4.2.2.1). On JunOS, you choose the source (again, ANY), and the destination (internal trust IP, 192.168.1.1).
    6. Along similar lines, VPN's and NAT don't play nice together. You'll have all sorts of trouble sorting it all out when coming from the much easier VPN methods on ScreenOS (basically, you'll need to forget everything you ever learned about how things "work")

    All in all, I have high hopes that Juniper gets it together, as it's a platform with promise. As it stands right now, I feel like a beta tester. Firewalls this expensive shouldn't generate php errors (as ramiel said), and shouldn't have such issues.

    Frankly, I love the ScreenOS platform, maybe JunOS will grow on me, but it's gonna take some work from Juniper (especially with them effectively replacing all ScreenOS platforms and hardware with the SRX series, no more SSG I'm afraid). With this being the flagship Juniper platform, I'd expect more.

    Michael

  11. #11
    I forgot three dislikes (and wasn't able to edit for some reason?)

    7. Ludicrously low destination NAT rule limits (only 8 per rule-set with no rule-set able to have similar context). This is a VIP for those of you from ScreenOS. While there is a "workaround" using dummy zones, 8 by default is just LAUGHABLE.
    8. Coming from ScreenOS where "from any to any app any" in Trust->Untrust was enough to provide outgoing internet access, you'll need that and a Source NAT rule in JunOS. Also, Source NAT is what you would use for Source NAT (with a DIP) on ScreenOS, except it's unfortunately not policy based (which was REALLY helpful on ScreenOS)
    9. ScreenOS had the ability to perform all sorts of limits on policies (per ip connection limit, etc). This doesn't seem to exist on JunOS (that I have found yet)

    Please correct me if any of my points are wrong.

    Michael
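    The outbound policy plus source NAT rule from point 8, and a static NAT (the MIP equivalent from points 3 and 5) whose policy is written against the internal address, as Junos set commands. This is an added example, not configuration from the thread; interface names, zone names, the public address 192.0.2.10 and the internal server 192.168.1.10 are assumed, and the `#` lines are explanatory comments.

```junos
# Added example (not from the thread). Assumed: ge-0/0/0.0 faces untrust,
# ge-0/0/1.0 faces trust, 192.0.2.10 is public, 192.168.1.10 is the server.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Outbound: unlike ScreenOS, the any/any/any policy alone is not enough;
# a source NAT rule-set is also required (point 8).
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-close
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nat-out match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-out then source-nat interface

# Inbound static NAT (point 3). The rule-set is bound to the untrust zone, so
# packets arriving from the trust zone never match it; the box must also answer
# ARP for the public address if it is not the interface address.
set security nat static rule-set static-in from zone untrust
set security nat static rule-set static-in rule web match destination-address 192.0.2.10/32
set security nat static rule-set static-in rule web then static-nat prefix 192.168.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.10/32

# The policy is evaluated after NAT, so its destination is the internal
# address, not the public one (point 5). Permit only the needed application.
set security zones security-zone trust address-book address web-server 192.168.1.10/32
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit
set security policies from-zone untrust to-zone trust policy allow-web then log session-init
```

After committing, `show security flow session` and `show security nat static rule all` show whether sessions are actually being translated and which rule they hit.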

  12. #12
    Thanks for all the info. I was basically looking for a review of them compared to the SSGs. You hit it on the head. Thanks again!

  13. #13
    Juniper SRX firewalls are good for traffic throughput of 140Gbps through 16 10-Gigabit Ethernet interfaces, making them fast, but the rate also drops when you enable intrusion prevention. Also, the Network and Security Manager service Juniper supplies does not send security alerts from the SRX as of yet, meaning you won't know when you are under attack.

  14. #14
    It's that time of year again. I'm digging up this thread to see if anyone has any new info considering it's more than 2 years later. Have these improved enough to go into production and replace my SSGs?

  15. #15
    Quote Originally Posted by sykosoft
    Things I dislike about the cli:
    1. Documentation (or lack thereof, one wonderful example is the applications, where you can say, set an inactivity-timeout, but it will conflict if you're using a term statement)
    2. Inability to re-order NAT rules, etc. You have to remove them and put them back.
    3. The CLI lives in a different layer than the typical login (you have to type "cli" to get into it).
    4. (Unless I'm mistaken) No package repository for adding more utilities to the box (not everybody uses vim)
    5. My personal favorite: bugs all over the place with committing config files. Example: I remove a NAT rule, to move it to another rule-set. I add the NAT rule back to a different rule set. Attempt to "commit", am told that the NAT rule exists (even though it doesn't exist in the config file). Apparently, it's an almost necessity to "commit full" on every change where you'll be moving something, renaming something, etc.
    Just to correct a few of these..

    1) That's because when you use a term on an SRX you put it into packet mode. Since there is no flow to keep track of, you obviously cannot enforce an application specific session timeout.

    2) You can use the insert term x before term y syntax to move around terms

    3) That is because you are logging in as root, which is a big no-no.

    4) Not sure, I've been pretty happy with what it comes with, though I wish they had rsync. SCP works too, though.

    5) Might have been a bug then, but that's not really the case now. That handy command can still be useful when things just aren't adding up though, like when making ipsec or ike changes. Not usually, though.
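    The reordering that correction 2 refers to, together with the commit confirmed / rollback / commit full workflow discussed in posts #9 and #10, as a Junos CLI session. This is an added example, not from the thread; the rule-set and policy names (`trust-to-untrust`, `nat-out`, `no-nat-to-vpn`, `allow-out`, `deny-bad`) and the prompt are assumed.

```junos
# Added example (not from the thread). Assumes source NAT rule-set
# trust-to-untrust already contains rules nat-out and no-nat-to-vpn, and the
# trust->untrust policy list already contains allow-out and deny-bad.
[edit]
user@srx# insert security nat source rule-set trust-to-untrust rule no-nat-to-vpn before rule nat-out
user@srx# insert security policies from-zone trust to-zone untrust policy deny-bad before policy allow-out
user@srx# show | compare

# Commit with a 5-minute safety net: if the session is cut off by the change
# and no plain commit follows, the previous configuration is restored.
user@srx# commit confirmed 5
user@srx# commit

# Undo the last committed change by hand if it turns out to be wrong.
user@srx# rollback 1
user@srx# commit

# Force a full re-evaluation when an incremental commit still reports a
# stale object after a move or rename.
user@srx# commit full
```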

  16. #16
    Quote Originally Posted by skullbox
    It's that time of year again. I'm digging up this thread to see if anyone has any new info considering it's more than 2 years later. Have these improved enough to go into production and replace my SSGs?
    I run a few 650 and 3600 clusters, alongside a handful of 210's and a few 240's. Overall I'm really happy with the boxes. For a while I was handling all of our external security requirements while at the same time taking four full BGP tables on a 650 cluster. Granted, I was over the route limit by maybe 500,000 routes so updating the forwarding plane was a bit slower than I'd have hoped for, but it got the job done.

    What are you going to be using them for? I'm pretty familiar with them. I don't use much of the UTM, IDS or user based VPN services though, since we have IBM, imperva, bluecoat and juniper SA devices for those.

    If you get into junos scripting and automation you can also do some pretty cool things to make your life easier.

    Morgan

  17. #17
    We deploy 210B to customers and we use a 650 cluster for our general purpose firewall.

    Excellent devices.

  18. #18
    We have a number of the SRX range, right from the SRX100 upwards and we have been very happy with them over the past 6-12 months. They initially were a bit buggy, however lately they have been completely stable.

  19. #19
    We have a few of the lower end SRX's scattered around (a pair of 220's and a 100 ATM). Not bad boxes. We use them for a little routing, firewalling, etc. Fairly easy to configure once you know JunOS. We haven't had any stability issues yet.

  20. #20
    Thanks for the input guys. I figured by now Juniper would have their act together so I wanted to double check.

  21. #21
    We use SSG clusters and MX80 in redundant pairs. We have no plans to switch to SRX. SSG is too solid to mess with, and very easy to manage. We are hooking up some of our servers directly to MX80 to reduce load on SSG where stateful firewall and VPN are not required. This way SSG will be good for us for another 10 years...
