04-13-2012 12:41 PM
Hello Everyone,
I believe that the AppSecure feature in the SRX firewalls is a game changer for Juniper.
However, I cannot seem to get it working properly, especially with Skype, Ultraserve, and Hotshield. Did anyone come across such an implementation and succeed?
Also, can I create a custom application signature? How to do so if possible?
Thanks in advance
04-19-2012 02:04 AM
Guys! Any help will be appreciated!!!
04-19-2012 06:18 AM
04-20-2012 05:11 AM
Hello,
Keep dreaming if you want the same feature set as Palo Alto in this area...
PS : It seems that Juniper put AppSecure on top of IDP which is already a nightmare.
PS : As far as I know, AppSecure is NOT supported on low end (including SRX 240) platform.
Regards,
Hedi
04-22-2012 01:32 AM
Thank you very much Ron for your reply. I was actually able to block http and ftp ONLY, which is surprising that Juniper would make such a fuss out of something that is not working properly! Do you know if the AppSecure works properly on the high-end models (1400, 3000s, and 5000s)?
04-22-2012 01:35 AM
Hedi,
That is very frustrating man, but AppSecure is "officially" supported on the branch models (100, 200, 500, 600s), it is on the pricelist and they issued a datasheet for it too (http://www.juniper.net/elqNow/elqRedir.htm?ref=htt
Thanks anyway...
04-22-2012 01:19 PM
04-22-2012 07:13 PM
khaled.kamal wrote: I was actually able to block http and ftp ONLY
Can you elaborate? Do you mean all the AppFW policies only work on port 80 and 21? We are looking at the SRX line and at this point we are getting very gun-shy as it seems everyone here hates them. I've seen only a few positive responses and it's only when you are doing basic port firewalling. We've got that now with our ASAs.
Our initial thoughts were keeping SSL VPN, NAC and Firewall all Juniper would allow us to do some really slick rules across devices, but now I am thinking SSL VPN and NAC may be the limit of what we want to integrate.
04-23-2012 02:36 AM
05-03-2012 05:54 AM
jspanitz wrote:
khaled.kamal wrote: I was actually able to block http and ftp ONLY
Can you elaborate? Do you mean all the AppFW policies only work on port 80 and 21?
I mean when I apply AppFW on "Junos-http" or "Junos-ftp" it actually blocks all the http and all the ftp traffic. However, any other application block rule does not block that specific application. For example and this is really basic, blocking the video streaming does not work. Blocking the "Skype" also does not work...!!!
I can't believe that this is it for Juniper, how can I buy AppSecure license and not get my money value for that!!!!
I have been trying Cyberoam for Application blocking, and it is surprisingly working just fine till now! Has anyone tried Cyberoam?