Thread: Juniper SRX firewalls YAY or NAY
-
11-18-2009, 06:30 PM #1Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
Juniper SRX firewalls YAY or NAY
I've been looking at the new SRX firewall/routers. Has anyone used these? I checked out the ScreenOS --> JunOS documentation, and it seems to be more work to accomplish the same results.
There is no mention of a web-based admin tool. I use that daily for the Netscreens and SSGs I have. I would love some input from you guys on this. From the specs I see, they kick @ss.
-=SKULLBOX.NET=-
-
11-18-2009, 11:29 PM #2NetOps Guy
- Join Date
- Jan 2005
- Location
- San Francisco/Hot Springs
- Posts
- 991
I have heard good and bad, either way they're the next in the series so they're gonna sell. It will be nice to have a line that goes from 100Mbps to 120Gbps
AppliedOperations - Premium Service
Bandwidth | Colocation | Hosting | Managed Services | Consulting
www.appliedops.net
-
11-19-2009, 08:45 AM #3Web Hosting Guru
- Join Date
- Oct 2009
- Posts
- 309
-
11-20-2009, 12:06 PM #4Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
I've used the J4350's before and while I didn't spend much time in the J-web interface it seemed very limited. Am I correct? The web interface for screenOS is really easy to use and I can do 95% of my tasks using it.
-=SKULLBOX.NET=-
-
11-20-2009, 12:14 PM #5CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
FWIW we're looking to replace our NS-5200's with SRX.
-
11-23-2009, 02:56 PM #6WHT Addict
- Join Date
- Nov 2007
- Posts
- 122
We had an online demo a couple weeks ago with a Juniper engineer - the SRX series is very powerful and very easy to use. The web interface allows you to do everything you can do via the CLI.
Our first box will be here this week
Oh, and they have a promotion going ATM - they'll give you a free 1 year subscription to the IDP updates
-
11-23-2009, 03:36 PM #7Newbie
- Join Date
- Aug 2009
- Location
- Zurich - Switzerland
- Posts
- 28
In my experience, JunOS is much better than ScreenOS.
But the old SSG is working pretty well for us.
█ ENGINE NETWORKS - Blade Dedicated Server - VMware Cloud Hosting - Colocation
█ Multiple datacenters, Geneva, Zurich, and Milan
█ Since 2005 in the market - http://www.enginenetworks.net
-
12-05-2009, 12:53 AM #8New Member
- Join Date
- Jan 2007
- Posts
- 1
We've managed and deployed over 1,000 Netscreen and SSG series by now and they are rock solid. Recently, we deployed a few SRXs with VPNs, MIP/VIPs, 802.1Q tagging, and all sorts of stuff.
I have to say it's been a nightmare. We've always had great support from the SSG team, but the SRX guys have given us terrible support. The web interface barely works on IE and Safari, and is super buggy on Firefox and Chrome. Even on IE and Safari it's spitting PHP errors all the time, and things don't load right. You click on a policy to open and edit and it actually opens a different policy. You click on commit a change and it takes you to another page instead of committing.
There are many tasks that are far easier to do with the web interface as bad as it is since the command line is even worse.
JunOS is good for routing, but trying to get all this firewall functionality on it is insane. And btw, we are a Juniper partner too. I understand they are not likely to have any bug releases even till Feb of 2010 (it's Dec 4th, 2009 now).
This is a very promising platform, especially how it scales. And JunOS head to head for routing with Cisco, and ScreenOS is rock solid, the best I've ever used (and yes I've heavily used Cisco, Foundry, Checkpoint, Fortinet, Sonicwall, and the rest). But the combo of JunOS and ScreenOS on the SRX platform is just terrible... it's amazing that it actually works. And I mentioned SRX support is not that great either right?
I pray that Juniper gets its act together with this product... having taken two of the greatest network and security products, slammed them together and made one of the worst at this point is not going to help them in this economy.
-
12-05-2009, 03:15 PM #9Web Hosting Guru
- Join Date
- Feb 2006
- Location
- Bristol, UK
- Posts
- 280
I've had a play with the devices and we have three on order, as well as two EX switches. The SRX has great features and superb price/performance but if you're not comfortable doing things with the CLI then the product is probably not for you just yet.
JWeb is not a very polished part of the product but it is improving in every JUNOS release (4 times a year). Remember that whilst JUNOS has been around for 10 years the web interface is very new.
The CLI commands do often involve more typing than on ScreenOS but there are some very nice features like the commit confirmed / rollback type stuff that is great when you are configuring a device remotely.
Gavin
-
12-07-2009, 06:44 PM #10New Member
- Join Date
- Jun 2009
- Posts
- 2
We've recently also migrated from ScreenOS to JunOS.
I can concur that it's got a STEEP learning curve. I'll definitely agree that the web interface is not up to par with the web interface found on ScreenOS products, and that pretty much everything on the box works differently.
(For people who are coming here from a web search, I'll throw this link in here, as it's the most helpful thing that JCare was able to give us in regards to converting from the ScreenOS platform to the JunOS platform, keywords: convert screenos config junos config
https://i2j.juniper.net/s2jes/index.jsp )
In regards to the previous poster who posted about the CLI, it's definitely a little rough around the edges. We're running an SRX 240, with the latest stable (9.6R2) JunOS.
Things I like about the cli:
1. Semi-full unix support (means you can use utilities like awk, sed, grep, sort, uniq, etc, which can come in really handy)
2. Merging config files ("load merge terminal" and "load merge terminal relative" will probably become good friends)
3. Along similar lines, the ability to merge config files with default configs (a cool trick where our syslog wasn't working was solved by restoring a default configuration, copying out that section for syslog, saving it to a file, restoring our config, and then merging them together, without any downtime)
4. Rollback (also part of the web interface)
5. Tab indentation (it's a small thing, but it makes the config MUCH more readable)
Things I dislike about the cli:
1. Documentation (or lack thereof, one wonderful example is the applications, where you can say, set an inactivity-timeout, but it will conflict if you're using a term statement)
2. Inability to re-order NAT rules, etc. You have to remove them and put them back.
3. The CLI lives in a different layer than the typical login (you have to type "cli" to get into it).
4. (Unless I'm mistaken) No package repository for adding more utilities to the box (not everybody uses vim)
5. My personal favorite: bugs all over the place with committing config files. Example: I remove a NAT rule, to move it to another rule-set. I add the NAT rule back to a different rule set. Attempt to "commit", am told that the NAT rule exists (even though it doesn't exist in the config file). Apparently, it's an almost necessity to "commit full" on every change where you'll be moving something, renaming something, etc.
Platform likes:
1. Very powerful hardware platform
2. Great routing platform
Platform dislikes (keep in mind, coming from ScreenOS here):
1. The security platform features are nearly a joke (it looks like it was built as a routing platform first, with some security features thrown in; it does not integrate well).
2. Who thought it would be a good idea to NOT put static NAT configuration in the web interface? (those are MIPS, or at least a sad equivalent for those of you from ScreenOS land). You have to configure them either with the CLI or the point & click cli.
3. MIPS (static NAT) does not work in nearly the way you expect it to coming from ScreenOS (for instance, it's zone specific, which means if you set up a static NAT on the Untrust zone, systems behind the firewall in the Trust zone will be unable to access it without a lot more work/configuration)
4. You'd better be REAL comfortable with the CLI to get around, pretty much 50% of the features are CLI-ONLY.
5. Coming from ScreenOS, policies work in completely different ways. To set up a policy (Untrust to Trust) in ScreenOS involved choosing the source (let's say ANY) and the destination (let's say a MIP, 4.2.2.1). On JunOS, you choose the source (again, ANY), and the destination (internal trust IP, 192.168.1.1).
6. Along similar lines, VPN's and NAT don't play nice together. You'll have all sorts of trouble sorting it all out when coming from the much easier VPN methods on ScreenOS (basically, you'll need to forget everything you ever learned about how things "work")
All in all, I have high hopes that Juniper gets it together, as it's a platform with promise. As it stands right now, I feel like a beta tester. Firewalls this expensive shouldn't generate php errors (as ramiel said), and shouldn't have such issues.
Frankly, I love the ScreenOS platform; maybe JunOS will grow on me, but it's gonna take some work from Juniper (especially with them effectively replacing all ScreenOS platforms and hardware with the SRX series, no more SSG I'm afraid). With this being the flagship Juniper platform, I'd expect more.
Michael
-
12-07-2009, 06:53 PM #11New Member
- Join Date
- Jun 2009
- Posts
- 2
I forgot three dislikes (and wasn't able to edit for some reason?)
7. Ludicrously low destination NAT rule limits (only 8 per rule-set with no rule-set able to have similar context). This is a VIP for those of you from ScreenOS. While there is a "workaround" using dummy zones, 8 by default is just LAUGHABLE.
8. Coming from ScreenOS where "from any to any app any" in Trust->Untrust was enough to provide outgoing internet access, you'll need that and a Source NAT rule in JunOS. Also, Source NAT is what you would use for Source NAT (with a DIP) on ScreenOS, except it's unfortunately not policy based (which was REALLY helpful on ScreenOS)
9. ScreenOS had the ability to perform all sorts of limits on policies (per ip connection limit, etc). This doesn't seem to exist on JunOS (that I have found yet)
Please correct me if any of my points are wrong.
Michael
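As an added illustration of the ScreenOS-to-JunOS differences Michael lists in the two posts above and the commit confirmed / rollback workflow Gavin mentions in post #9, here is a minimal SRX set-style configuration. This is example configuration written for this thread, not anything the posters published. Interface names (ge-0/0/0.0 on the untrust side, ge-0/0/1.0 on the trust side), the public address 203.0.113.10 and the internal web server 192.168.1.10 are constructed assumptions, and the zone-based address book is the syntax of the 9.x/10.x releases being discussed.

```junos
## Added example (not from any poster): SRX config for the points discussed above.
## Assumptions: ge-0/0/0.0 = Internet side (untrust), ge-0/0/1.0 = LAN side (trust),
## 203.0.113.10 = public address (constructed), 192.168.1.10 = internal web server (constructed).

## Zones and the zone-based address book
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust address-book address web-server 192.168.1.10/32

## Point 8: an any/any/any outbound policy is not enough on its own;
## a source NAT rule-set is needed as well (interface NAT here, the DIP equivalent).
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nat-all match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-all then source-nat interface

## Point 5: static NAT (the MIP equivalent). NAT is applied before the policy lookup,
## so the inbound policy matches the INTERNAL address, not the public one.
## The rule-set context "from zone untrust" is why it only applies to traffic arriving
## from untrust (the "zone specific" behaviour in point 3 of the earlier post).
set security nat static rule-set static-in from zone untrust
set security nat static rule-set static-in rule web match destination-address 203.0.113.10/32
set security nat static rule-set static-in rule web then static-nat prefix 192.168.1.10/32
## Proxy ARP is needed when the public address sits on the interface subnet but is not
## configured on the interface itself; without it the SRX never answers for 203.0.113.10.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32
set security policies from-zone untrust to-zone trust policy web-in match source-address any
set security policies from-zone untrust to-zone trust policy web-in match destination-address web-server
set security policies from-zone untrust to-zone trust policy web-in match application junos-http
set security policies from-zone untrust to-zone trust policy web-in then permit

## Remote-change safety net (post #9): the change is committed but rolled back
## automatically after 5 minutes unless a plain "commit" follows. If a change has
## already locked you out of something, "rollback 1" followed by "commit" undoes it.
commit confirmed 5
commit
```

The `##` lines are commentary for the reader; strip them before pasting the block into `load set terminal`. The two-step `commit confirmed 5` / `commit` is the part worth adopting first when managing a box over the WAN: if the first commit breaks the management path, the device reverts on its own and nobody has to drive to the site.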
-
12-07-2009, 06:57 PM #12Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
Thanks for all the info. I was basically looking for a review of them compared to the SSGs. You hit it on the head. Thanks again!
-=SKULLBOX.NET=-
-
12-08-2009, 11:25 PM #13Newbie
- Join Date
- Dec 2009
- Posts
- 10
Juniper SRX firewalls are good for a traffic speed of 140Gbps through 16 10-Gigabit Ethernet interfaces, making them fast, but the rate drops when you enable intrusion prevention. Also, the Network and Security Manager service Juniper supplies does not send alerts to accept security from the SRX as of yet, meaning you won't know when you are under attack.
-
01-05-2012, 02:25 PM #14Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
It's that time of year again. I'm digging up this thread to see if anyone has any new info considering it's more than 2 years later. Have these improved enough to go into production and replace my SSGs?
-=SKULLBOX.NET=-
-
01-05-2012, 05:25 PM #15Web Hosting Master
- Join Date
- May 2005
- Location
- Bay Area
- Posts
- 1,211
Just to correct a few of these..
1) That's because when you use a term on an SRX you put it into packet mode. Since there is no flow to keep track of, you obviously cannot enforce an application-specific session timeout.
2) You can use the "insert term x before term y" syntax to move around terms.
3) That is because you are logging in as root, which is a big no-no.
4) Not sure, I've been pretty happy with what it comes with, though I wish they had rsync. SCP works too, though.
5) Might have been a bug then, but that's not really the case now. That handy command can still be useful when things just aren't adding up though, like when making IPsec or IKE changes. Not usually, though.
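The two corrections above that are easy to verify on a lab box are the `insert` syntax (point 2) and the root-login point (point 3). The following is an added example written for this thread, not Morgan's own commands; the policy, rule-set, rule and user names are assumptions.

```junos
## Added example (not from the poster): "insert" for reordering, and a non-root CLI login.
## Policy, rule-set, rule and user names are assumptions.

## Point 2: policies and NAT rules are ordered lists. "insert" moves an entry without
## deleting it; the delete-and-re-add approach from the earlier post also changes the
## rule's position, because re-added entries always go to the end of the list.
insert security policies from-zone untrust to-zone trust policy web-in before policy deny-all
insert security nat destination rule-set dnat-in rule ssh-host before rule web
insert security nat source rule-set trust-to-untrust rule no-nat-to-vpn before rule nat-all

## Point 3: a named user in class super-user lands in the CLI at login, with no "cli" step.
## root logs into the underlying shell, which is why the post calls logging in as root a no-no.
## Denying SSH root login also shrinks what a brute-force attempt can reach.
set system login user netops class super-user
set system login user netops authentication plain-text-password
## (JunOS prompts for the password interactively after the line above)
set system services ssh root-login deny

## Review the new ordering against the committed config, then validate before committing.
show security policies from-zone untrust to-zone trust | compare
show | compare
commit check
commit
```

`show | compare` is the habit worth building around `insert`: the diff makes the new rule position visible before it is committed, which is the check the earlier post's "remove them and put them back" approach never gives you.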
-
01-05-2012, 05:29 PM #16Web Hosting Master
- Join Date
- May 2005
- Location
- Bay Area
- Posts
- 1,211
I run a few 650 and 3600 clusters, alongside a handful of 210's and a few 240's. Overall I'm really happy with the boxes. For a while I was handling all of our external security requirements while at the same time taking four full BGP tables on a 650 cluster. Granted, I was over the route limit by maybe 500,000 routes so updating the forwarding plane was a bit slower than I'd have hoped for, but it got the job done.
What are you going to be using them for? I'm pretty familiar with them. I don't use much of the UTM, IDS or user based VPN services though, since we have IBM, imperva, bluecoat and juniper SA devices for those.
If you get into junos scripting and automation you can also do some pretty cool things to make your life easier.
Morgan
-
01-05-2012, 06:34 PM #17Web Hosting Master
- Join Date
- Nov 2009
- Location
- Cincinnati
- Posts
- 1,585
We deploy 210B to customers and we use a 650 cluster for our general purpose firewall.
Excellent devices.
'Ripcord'ing is the only way!
-
01-05-2012, 07:09 PM #18Web Hosting Master
- Join Date
- Feb 2004
- Posts
- 2,197
We have a number of the SRX range, right from the SRX100 upwards and we have been very happy with them over the past 6-12 months. They initially were a bit buggy, however lately they have been completely stable.
crucialparadigm - Affordable, Reliable, Professional :
Web Hosting
• 24/7 Support • Web Hosting • Reseller Hosting • Cloud/VPS Plans • Dedicated Servers •
-
01-05-2012, 09:08 PM #19Aspiring Evangelist
- Join Date
- Sep 2010
- Posts
- 407
We have a few of the lower end SRX's scattered around (a pair of 220's and a 100 ATM). Not bad boxes. We use them for a little routing, firewalling, etc. Fairly easy to configure once you know JunOS. We haven't had any stability issues yet.
-
01-09-2012, 12:08 PM #20Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
Thanks for the input guys. I figured by now Juniper would have their act together so I wanted to double check.
-=SKULLBOX.NET=-
-
01-09-2012, 10:43 PM #21Web Hosting Master
- Join Date
- Feb 2011
- Posts
- 607
We use SSG clusters and MX80 in redundant pairs. We have no plans to switch to SRX. SSG is too solid to mess with, and very easy to manage. We are hooking up some of our servers directly to MX80 to reduce load on SSG where stateful firewall and VPN are not required. This way SSG will be good for us for another 10 years...