Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

Use the --lax flag (will relax the OVF conversion) and you'll get a usable file. I love how it says "Completed with errors" when what it really means is "Abject failure".

 

:smileyhappy:

 

-Keith

Super Contributor
cryptochrome
Posts: 496
Registered: ‎03-29-2008
0

Re: Want some examples why NSM is a piece of junk?

Thanks Keith, much appreciated! Here is the result on my end using --lax:

 

reptilehouse:VMware OVF Tool sascha$ ovftool --lax /Volumes/data/Downloads/space-12.1R1.8.ova /Volumes/data/temp/temp/space12.1.vmx
Opening OVA source: /Volumes/data/Downloads/space-12.1R1.8.ova
Opening VMX target: /Volumes/data/temp/temp/space12.1.vmx
Warning:
 - Hardware compatibility check is disabled.
Writing VMX file: /Volumes/data/temp/temp/space12.1.vmx
Disk Transfer Completed                    
Completed successfully

Worked like a champ. Let's see if VMware Fusion will eat this.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007
0

Re: Want some examples why NSM is a piece of junk?

Up your processor cores (it defaults to 1 I think) and give it another or bigger drive before you start it.

 

-K

Super Contributor
cryptochrome
Posts: 496
Registered: ‎03-29-2008
0

Re: Want some examples why NSM is a piece of junk?

done. running with 4 cores, 8 GB RAM, second 130 GB hard drive. going through first time setup now and after that off to the couch. cold german beer is waiting :smileyhappy: cheers sascha
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
cryptochrome
Posts: 496
Registered: ‎03-29-2008
0

Re: Want some examples why NSM is a piece of junk?

Couple of questions on the virtual appliance:

 

The OVF file uses VMware hardware version 4 (quite old). Could we use newer versions instead (thinking 8)? Also, there are no VMware Tools installed in the virtual machine as far as I can tell. Can we install them to enhance performance?

 

Thanks

Sascha

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
ecables
Posts: 39
Registered: ‎07-25-2011
0

Re: Want some examples why NSM is a piece of junk?

Any feedback thus far on the production release of Security Design, good, bad, or otherwise?

Super Contributor
cryptochrome
Posts: 496
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?


My feedback so far on Security Design (and only that, I am not speaking about the whole Space platform) is this: It's a huge step forward. The interface is so much better than NSM. It's fast, it's easy, it's less complex, it's modern. It has a fantastic search engine built in (think Google for your address object, firewall rules etc.). People knowing other firewall management systems will feel right at home. It has some very nice features.

 

I immediately fell in love with the object merger, which finds duplicates and offers you to merge them into a single object. This is great for "housekeeping". I also like the fact that you can export and import objects in CSV format, which is great for bulk operations. Automatic device re-sync is another feature I noticed. If you enable that, it will automatically re-import devices that you have configured out-of-band (e.g. through CLI). No more competing configs!

 

It's those little details that give you the impression that Juniper have done their homework.

 

Security Design has an option to import your NSM configuration. I tried it and it worked really well. Do a database export on NSM, import the resulting xdiff file into Space and voila, you have all your objects and firewall policies. Really well done.

 

The fact that the user interface is basically HTML doesn't feel like a drawback. The interface is quick, even on 500+ rule policies. I am not a web expert, but I guess they are using things like AJAX or HTML5. You do have right-click context menus everywhere. The only thing that is missing compared to a native GUI client is drag and drop support. Maybe that's coming at a later date, who knows (and it never really worked in NSM anyways).

 

Note that these observations were made in a lab and not in a production environment. I can't say much about actual device management, although the process of pushing firewall and NAT policies to devices seemed straightforward.

 

There are a couple of things that I am missing though:

 

Space does not have a logging module, which is a huge drawback in my eyes. People with high end SRXes are probably logging to STRM or something else anyways, but as usual, Juniper does not seem to have the small to mid-size business in mind who have limited resources and need an integrated solution. In my eyes, that's something Juniper really needs to address. Sooner than later.

 

The other thing I didn't quite like was the fact that you can not manage "legacy" firewalls, e.g. ScreenOS (SSGs). There is a huge SSG install base out there and those devices are left in the dust. I really don't understand that move, given the fact that at least in Space 11.2 there was a ScreenOS adapter which let you manage those beloved "netscreens". I hope Juniper will allow this in future updates (the DMI schema repository in Space 12.1 still lists ScreenOS 6.3 so who knows....). ScreenOS support would also mean that migrations from ScreenOS to Junos could be made easier.

 

One other thing I believe needs improvement is device configuration outside of Security Design. If you open a device in Space you are basically presented with a raw XML tree of the device configuration. Not very intuitive and very tedious to work with. Need to change the IP address of 15 interfaces? You're in for a bad afternoon. That part basically looks the same as on NSM (although it is much faster in terms of interface responsiveness).

 

Oh and one more little thing. It's really not important, but the design of Space looks a little dated in some areas. For example, you have dashboards with widgets that you can drag around like windows. The window borders are blown up and use fat gradient colors. This could use some cleanup. Make the whole design less fat, flatten it. But again, this is just eye candy so it's not important.

 

All in all I can say I am very impressed so far and despite the lack of logging and ScreenOS support, Space SD is a huge step up compared to NSM. In its current state (12.1) it already has the potential to completely replace NSM if you have a separate logging solution. In other words: I love it so far.

 

To Juniper: If you will offer some sort of upgrade path for NSM users in terms of "special pricing", I think you can win back a lot of customers. I think NSM users deserve to get an upgrade to Space as in free beer. *hint*.

 

Cheers

Sascha

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
ecables
Posts: 39
Registered: ‎07-25-2011
0

Re: Want some examples why NSM is a piece of junk?

Thanks for the feedback, cryptochrome. Your analysis is helpful, and luckily the drawbacks you mentioned aren't relevant to my installation (no legacy ScreenOS, and logging is taken care of).

Super Contributor
cryptochrome
Posts: 496
Registered: ‎03-29-2008
0

Re: Want some examples why NSM is a piece of junk?

it's worth checking out in any case. the virtual appliance version is set up in less than 10 minutes, if you have ESX.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Visitor
guillermfr
Posts: 2
Registered: ‎01-21-2010
0

Re: Want some examples why NSM is a piece of junk?

Tried to use the Space 12.1 space-12.1R1.8.ova virtual appliance from VMware Workstation 6 (on a Windows XP station);

when trying to open this .ova from VMware Workstation, I got the following error message: "Failed to query source for information".

Questions:

1) Can this VA run on VMware Workstation?

2) Any idea about this error message?

 
