Trusted Contributor
markpr
Posts: 70
Registered: ‎01-23-2008

Re: Want some examples why NSM is a piece of junk?

The best thing would be to upgrade to NSM 2011.1 with the latest schema and see where things stand for you. It's not going to introduce major functional changes like object management (bulk deletes etc.) but it is now managing JunOS devices almost as well as ScreenOS based devices. There are still a few quirks but they are minor annoyances rather than major problems that we saw with the NSM releases 2009-2010.

 

For performance, higher spec hardware does help - especially as logging and device counts increase. If you are on the appliance, it could help by moving the logging onto a mounted external storage array. If you are on the software version, move logging onto an external storage array and allocate 4-8 processor cores to NSM (hyperthreading should be off).

 

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

So with the last couple of NSM/SRX integrations I found out that NSM would not recognize if an SRX had changed (e.g. changed config through Junos CLI or device being shut down). So I checked with JTAC and they told me this is normal. Say what? MY device monitoring feature doesn't actually monitor the devices? I can have a major breakdown in my datacenter that causes my SRXs to disappear from the network and NSM wouldn't even see that, and instead tell me the devices are up and in sync?

 

JTAC say it's normal. NSM can't detect device changes on SRX. Yes folks, that's right. 

 

What's with all this Junos automation power? Why not simply poll the device status at regular intervals?

 

Are you serious?

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

@cryptochrome

 

We will validate whether that is WAD (working as designed). I'm not sure it is since it appears JTAC was unable to reproduce the issue you reported. If it is the case then clearly we need to caveat the documentation better to indicate this.

 

Regards,

 

-Keith

 

 

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Here is another example:
http://forums.juniper.net/t5/SRX-Services-Gateway/Stream-mode-logging-to-clustered-NSM/m-p/102230/me...

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Keith, when will we see that statement we discussed?

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

and some more fun:
http://forums.juniper.net/t5/Security-Management/Unable-to-update-the-attack-DB-from-NSM-gt-SRX240-V...
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

So this is how Juniper deals with customer comments like these? They just keep silent?
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

Patience is a virtue...

 

The product team is working on an update I'll post here detailing the "get well" plan for the issues described here and elsewhere. Should have something in a week or so.

 

-Keith

Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

Here's the update from the product team.

 

"We acknowledge that NSM management for Junos devices has had some challenges. Juniper is committed to delivering quality products to our customers, and we are working on two focused programs to alleviate these concerns. The first program includes a significant engineering investment to improve the quality of NSM. To that end, there will be two NSM releases this year, one targeting NSM 2010.x customers and one for 2011.x customers. These releases will contain bug fixes, targeted improvements for improving stability and performance, as well as extensive testing. The second program will deliver a security management solution called Security Design that runs on our Junos Space platform. This will provide a transition path for NSM customers and will serve as Juniper’s long-term security management platform."



Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Thank you Keith.

 

Is there any information available for Space's "Security Design" yet? Is that an existing product?

 

As for the NSM updates that are supposed to significantly improve stability and performance, are there any ETA dates on when to expect these releases?

 

Thanks

Sascha

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860