Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?

No dates yet on the NSM releases mentioned, but I'll provide updates as they are available.

 

Security Design is an existing product - see http://www.juniper.net/techpubs/en_US/junos-space11.1/junos-space-security-design-sub-index.html but will not be part of the Space 11.2 or 11.3 releases. We are working on some significant enhancements to that product, but the link provided will give you some insight into it. 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?


KB_Fan wrote:

No dates yet on the NSM releases mentioned, but I'll provide updates as they are available.

 

Security Design is an existing product - see http://www.juniper.net/techpubs/en_US/junos-space11.1/junos-space-security-design-sub-index.html but will not be part of the Space 11.2 or 11.3 releases. We are working on some significant enhancements to that product, but the link provided will give you some insight into it. 


Thanks. It won't be part of 11.2 or 11.3 because of the redesign?

 

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: Want some examples why NSM is a piece of junk?

@crypto: That'd be my assumption. Security Design <= 11.1 is a nightmare from a usability perspective. Juniper have, very wisely, decided to re-tool it based on feedback from people who actually have to use firewall management on a day-to-day basis.

 

Personally, I'd rather they put their available resources into a good design from the ground up than into QAing and releasing something based on the old design. The old design needed to be led behind the shed, and Juniper have, thankfully, done that.

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?


tbehrens wrote:

@crypto: That'd be my assumption. Security Design <= 11.1 is a nightmare from a usability perspective. Juniper have, very wisely, decided to re-tool it based on feedback from people who actually have to use firewall management on a day-to-day basis.

 

Personally, I'd rather they put their available resources into a good design from the ground up than into QAing and releasing something based on the old design. The old design needed to be led behind the shed, and Juniper have, thankfully, done that.

 


That sounds awful. You could assume they've learnt something from the mess with NSM and make it all better in Space, but from what I read, it sounds like they haven't learnt a thing.

 

I really really don't understand how their software can be soooo far off of what people actually need. Instead of streamlined, modern and easy to use software, you get complicated and slow monsters like NSM, and now Space.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: Want some examples why NSM is a piece of junk?

Well, I'm not ready to condemn SPACE until I've seen the re-designed Security Design app. In the meantime, I'm pretty much treating SRX as not having a central management platform. Or let's say a very limited one, through NSM.

 

Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?

By coincidence, I had a chance to attend a brief presentation by the new development team for Security Design yesterday. Very sharp veterans of the firewall world - they "get" it IMHO and I think have a good handle on how to take some of the innovative (perhaps too innovative...), policy-based features of the earlier product and blend that with better device-level management.

 

Space is, BTW a free download* (demo mode, but the Service Automation features - automated incident detection, case management, etc can be activated for free by those with support contracts): http://www.juniper.net/support/products/space/

 

-Keith

 

*requires ESX host

 

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?


KB_Fan wrote:

By coincidence, I had a chance to attend a brief presentation by the new development team for Security Design yesterday. Very sharp veterans of the firewall world - they "get" it IMHO and I think have a good handle on how to take some of the innovative (perhaps too innovative...), policy-based features of the earlier product and blend that with better device-level management.

 

Space is, BTW a free download* (demo mode, but the Service Automation features - automated incident detection, case management, etc can be activated for free by those with support contracts): http://www.juniper.net/support/products/space/

 

-Keith

 

*requires ESX host

 

 


It's nice to hear that. Why can't Juniper share more of this kind of information? They know they have a lot of upset customers, who - if they don't happen to check forums like this - are kept in the dark and might be looking elsewhere.

 

Juniper needs to become much more open in this regard. Make announcements, share their vision (not on a meta-marketing-level), maybe offer beta programs, tease the customer base with screenshots, things like that. Juniper needs to stop being abstract and secretive.

 

So... when will we see the new Security Designer? 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?

Some of that is cultural, some dictated by accounting rules (for example, if I told you SD would wash dishes in the next version, and it didn't, all revenue from the time I said that would be invalidated until it did, in fact wash dishes).

 

There is also the issue of credibility - I suspect you'll trust my opinion of SD more than say, the product manager's...but the opinion of other customers is far more important since there's no implicit bias. That's part of the purpose of these forums (and why, even with painful threads such as this one we don't censor product complaints).

 

I tend to be an "ask forgiveness not permission" type of person, and also tend to agree with you that we could be more open in public discourse. Hopefully that's covered in good meetings with your SE's (and down the chain with resellers, etc), but I know that in practice it's not always the case. Meanwhile I try to fill the gaps when they become apparent.

 

-Keith

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009
0 Kudos

Re: Want some examples why NSM is a piece of junk?


KB_Fan wrote:

 

Hopefully that's covered in good meetings with your SE's (and down the chain with resellers, etc),


That would be fantastic, except that I hope I'm not the only customer out there whose sales team seems to be non-existent for the most part, because then I would take it personally.  I haven't heard from our rep in months.  I think he's even left the company, as the last time I tried to email him it bounced.  I don't even know if we have the same SE.  This is not the first time this has happened, either.  We've had our team changed numerous times, and we're never notified, called, emailed, or even sent smoke signals to say "Hey, here's what's going on."

 

Lack of communication and lack of connection to the customers is, and has been, Juniper's #1 failure for years.  Juniper is downright TERRIBLE at communication -- with product vision, with known bugs or problems and projected timelines for fixes (even ADMITTING there's a problem most of the time), and especially with keeping customers connected and feeling like we're part of the process, that we're in-the-loop, and that our business actually matters to the company.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?

[ Edited ]

 

So... NSM kicked my ass again today. I hope it is at least having some fun doing so.

 

Customer got himself a couple of those sweet little SRX100s. Initial installation is good, created a policy on NSM and pushed it over to the device. Worked fine. The policy was using some address objects that use hostnames instead of IP addresses ("dns-name"). 

 

Pushing the policy a second time (first time worked) without even changing anything, you can see in the delta-config that NSM is trying to delete those dns-name statements. Why it's trying to do this is beyond me. And while it is doing this, it throws some errors about rpc-error and syntax-errors and what not:

 

<rpc-error>
<error-severity>error</error-severity>
<error-info>
<bad-element>dns-name</bad-element>
</error-info>
<error-message>syntax error</error-message>
</rpc-error>
</rpc-reply>

 

Yes, the Junos version we use is supported by the NSM version we use, schema is up to date and in sync with the Junos version.

 

Detaching that very policy from the device, update device, attach the policy back to it and update again WORKS.

 

As I said in my first post in this thread, not a single day passes without having to deal with this bull**bleep**.

 

What's next? Open JTAC case, do research, have secure meeting with JTAC, bla bla bla.... costing me many hours of my life. I can't even tell how much I've had it with you, Juniper. 

 

Never ever will I recommend any **bleep**ing Juniper product to any of my customers again.

 

Pardon my French, but there it is. And you earned it.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?

(Boy, tough crowd..)

 

@keithr

 

I've passed your comments (actually this whole thread) on to our customer experience team. A good account team can make up for almost any deficiencies at the corporate level, and it doesn't appear yours did - I'm sorry for that and I will make sure someone contacts you to re-establish the relationship. My guess is your comments will feature prominently (and anonymously) in the next batch of powerpoints seen by exec staff. We know we've got challenges in each of the areas you touched on and there are several initiatives underway to improve that, but never hurts to introduce a dose of reality.

 

 - known bugs: This one I have some direct experience and even control over as someone on my team is leading a major initiative to improve this very situation. We had some well-intentioned but patently bad policies around "confidential" - that was a default state for all bugs and someone had to manually flip them to non-confidential (and we all know what happens with do-nothing defaults...).

 

The intent was to prevent inadvertent leakage of product vulnerabilities - sounds good on paper right? We've recently reversed that - anything seen in the wild (attached to a case) is marked non-confidential, and a process kicks off to ensure it's documented in a timely fashion. It's part of MBO's, scorecards, etc to drive the percentage as high as practical. Lots of other changes as well (for example, I'm getting a demo of our new PR search tool today - should be out in Q4).

 

Unfortunately, this is not going to be an obvious overnight improvement as it's a northbound initiative - only new bugs are going to get the royal treatment. (my PR for thousands of trained cockroaches has not yet been approved). That said - you should have already seen some significant improvement with Junos 10.4 Release Notes - we made some special effort there and a large slug of previously "hidden" bugs are now in there.

 

Roadmaps with specifics have to be NDA (accounting rules) - so the account team has to lead there. I'll make sure you get hooked up. Vision, etc - the J-Net blogs are intended to help there - if they're not, some well-placed feedback in the blogs should help.

 

-Keith

Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?

@cryptochrome

 

I know this is a "death-by-a-thousand-cuts" situation. I've been there myself and know how frustrating it is - so can't really blame you for your perspective. [In fact, I sometimes suspect I'm employed here because my boss knows what an awful customer I'd be :) ] We make mistakes, and frankly the current situation with NSM qualifies. But we also listen (I got more C-level attention to it yesterday) and admit mistakes.

 

We also make things better. Not overnight, but you've seen that improvement yourself on the SRX. Not perfect, no product is, but 10.4 and later releases are pretty solid (even JTAC agrees and they see everything).

 

We'll do the same with NSM. I'm trying to confirm dates for those "safeharbor" releases mentioned earlier, but should be in a few weeks. I don't know if they'll fix everything you've hit - there are always corner cases - but the focus on those releases is completely on bug-fixes, better QA and user experience.  The date is fuzzy in part because we don't want to be held accountable to it -- that's how quality compromises occur. "Serve no wine before its time", etc.

 

I'll update for dates as I know more and will try to get the list of fixes published in advance.

 

Regards,

 

-Keith

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?


 

We also make things better. Not overnight, but you've seen that improvement yourself on the SRX. Not perfect, no product is, but 10.4 and later releases are pretty solid (even JTAC agrees and they see everything).

 


Hahaha.... good joke there Keith. Made me laugh.
10.4 and later releases pretty solid, HAHAHAHA. Great.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?

Just had a chat with a JTAC engineer about the aforementioned issue. She was also a Space engineer. I asked her if Space was much better than NSM. She said it still has a lot of bugs and issues and that they can't really support it at the current state and they would have to forward most cases to AJTAC.

Go figure.

Another fine example of how Juniper customers are being used as cheap beta testers.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?

[ Edited ]

@cryptochrome,

Please state exactly what you expect vs un-professional mocking of earnest replies. The conversation will move ahead much more rapidly, and your comments less likely to be ignored by others. I don't mind at all professional and adult discussion about the products, but your behavior is frankly not helping your position.

-Keith

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?

[ Edited ]

KB_Fan wrote:
@cryptochrome,

Please state exactly what you expect vs un-professional mocking of earnest replies. The conversation will move ahead much more rapidly, and your comments less likely to be ignored by others. I don't mind at all professional and adult discussion about the products, but your behavior is frankly not helping your position.

-Keith


I understand you don't like me being sarcastic but you know, whatever I say and however I say it won't help anyways. We all know NSM is broken and if I see Juniper people still saying that their releases are pretty solid, I just can't help getting sarcastic. Because your products are NOT solid. 

 

You said 10.4 and onwards is solid. We just had a major defect in Junos 11.1 that made us stop a project, roll back to Cisco Pix and postpone the deployment of Juniper hardware to next year. There is a thread about it in the SRX subforum. The bug we were facing is present in all current Junos trunks, 10.4, 11.1 and 11.2. It was a SYN attack protection memory leak, crashing flowd, disabling the whole cluster. 

 

Call that stable? Those are MAJOR bugs and I am asking: Where is QA control? Where is the stability? How exactly is that solid?

 

Today I received a JTAC email, one of those notifications, saying that if you issue a simple operational command on 10.4 it'll make flowd crash the HE SRXes. Where is that stable? What is solid about that?

 

Two days ago I had the issue with the SRX100 and NSM not being able to update them (see this thread). Turns out it's a known issue. Documented publicly? No. Of course not. Fix available? Yes. Why let customers run into the issue if you know about it? 

 

We have to deal with these issues EVERY SINGLE DAY. How can you say it is pretty solid? 

 

Last week I was in a meeting with a new customer and Juniper sales people. The customer was interested in new Firewalls. The sales people told the customer the best thing to do is buy those awesome Juniper SRX with a perfect management companion, NSM. They lied to the customer straight to their faces. You call that adult behavior?

 

The whole situation has cost me countless work hours, mass amounts of money, and it has cost me customers who abandoned Juniper after not being able to get it working or who were just not willing enough to deal with workarounds and bugs. I have customers who say they don't trust their SRXes anymore.

 

I know I am getting on your nerves and you previously mentioned this thread is very painful. Good. Because what's going on here is painful to me and my customers too.

 

What I expect? I thought I made that clear. I expect Juniper to be more open and honest. I expect a rapid solution to the problems and I expect Juniper sales reps to not sell unfinished products to my customers. SRX/NSM is a mess. Period. Keep selling SSGs. Those are stable. And let us know once the SRX has grown up. But please, don't make us paying beta testers in the meantime.

 

Oh and one more thing: If you think your customers are mocking you, then you should think about that. There might be a reason for it.

 

There is always a point where you lose patience. I did.

 

I don't mean any harm to anyone personally and especially not you, because I know you try to help. And as I have told you personally, I appreciate that. Thing is, those SRXes still keep crashing and NSM is still a major pain. So don't tell me that stuff is solid, or you might find me laughing out loud.

 

Good day.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: Want some examples why NSM is a piece of junk?


cryptochrome wrote:

What I expect? I thought I made that clear. I expect Juniper to be more open and honest. I expect a rapid solution to the problems and I expect Juniper sales reps to not sell unfinished products to my customers. SRX/NSM is a mess. Period. Keep selling SSGs. Those are stable. And let us know once the SRX has grown up. But please, don't make us paying beta testers in the meantime.


I am here being open and honest, but I will continue to insist on professional dialog. You are welcome to disagree with my assertions, but there are ways to do that without resorting to grade-school behaviour. I have *objective* data about SRX and Junos quality - incoming defect rates, inbound JTAC cases, the JTAC recommended releases document, etc. You have the subjective pain of dealing with specific defects that are affecting your installations and believe me I empathize. But, those are very different perspectives, and both of us can be "right" so let's move on.

 

There are 10's of thousands (maybe 100's at this point) of successfully deployed SRX's and in many cases they need an element management platform. NSM, for better or worse, is the only option right now. So it's up to us to fix it, and what we can't fix right away must be better documented. I will be holding the product team accountable to that, and the next action item due this thread is an accounting of what will and will not be fixed in the upcoming releases.  I'll post it as soon as it's available. 

 

The defect you hit about SRX status not being updated (PR530719) already has fixes applied to the branch. I just flipped it to non-confidential (confidential is our current default - that policy changes in a couple of weeks as mentioned earlier) and it should show up in the next release-notes. BTW, it was first reported June 7th but the description is not a strict match to what you saw, and I believe that's why it took JTAC a while to ID it for you.

 

-Keith

 

 

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?

[ Edited ]
You're upset because I laughed, I get it. Point taken. My apologies for being rude.
Not sure how these 100's of thousands of successful deployments went so well. I must be doing something wrong I guess. Or I might just be of the ill-fated type who always have problems. All my customers then probably also belong to that group. It's nice to hear though that no one else has problems with the SRX.
I just had to open yet another JTAC case because DHCP is broken on the SRX since 11.1R2. Fix available? No. ETA for fix? None provided. Workaround? Disable IP spoofing protection.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010

Re: Want some examples why NSM is a piece of junk?

I have a number of successful SRX deployments. Some common threads have emerged:

 

- L3/L4 deployments are more stable than UTM (L7) deployments. "By a lot" until 10.4r4, when the few UTM deployments we have simmered down.

 

- An ultra-conservative approach to JunOS releases helps, a lot. We used to deploy on 10.2r3, and then 10.4r4 (and onwards, r5, r6, r7 to come). We had a few 10.0 deployments, which however were not as stable as desired. We completely skipped 10.1, 10.3, 11.1, and will evaluate 11.2r2. We will likely skip 11.3 and then evaluate 11.4rX (3, 4? We'll see). If a new release offers a feature, but we haven't evaluated the release, we'll most strongly discourage the customer from using that release and that feature.

 

- A conservative approach to features helps, too. We don't use dynamic VPN at all, although I now consider it useable within its constraints (no SecurID support, for example) since 10.4r4. We won't ever deploy in dual-ISP w/ static routing, at least not until SRX has feature parity w/ ScreenOS in that regard (ECMP). We stay away from VRs for the most part - I have one VR deployment and the customer accepted the implications (no DHCP, no IKE, &c). We don't deploy SRX as an Avaya VPN phone headend. We make sure the customer is either a CLI hound or accepts J-Web as-is. We make sure the customer understands the limitations of NSM w/ regards to JunOS. The list goes on for a bit.

 

What it all boils down to is: SRX can be successful and a good fit. At the same time, it takes a ton of pre-qualification today. It's not at the state yet where it can be sold into just about any environment and be successful. If the environment and SRX feature set have been vetted beforehand for compatibility, and a very conservative approach has been taken as outlined above, then we are now (as of 10.4r4 and later) successful w/ SRX deployments.

 

And in all those caveats, you can glimpse the pain that we, too, have gone through.

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: Want some examples why NSM is a piece of junk?


tbehrens wrote:

 

What it all boils down to is: SRX can be successful and a good fit. At the same time, it takes a ton of pre-qualification today. It's not at the state yet where it can be sold into just about any environment and be successful. 

 


 

 

Thank you. 

 

Funny thing is (and I stated that previously) that if you ask any of the Juniper sales reps about the state of the SRX, they will tell you a completely different story than the one you impressively depicted above. And that's one of those points where I get upset. 

 

Only if you directly point them to problems and show them that you've had your share of experience with them, they start to admit and come up with roadmaps and promises. However, if you have no clue about the situation and you invite Juniper to a first sales meeting, they will sell you NSM+SRX.

 

 

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860