SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Convince me to stay with SRX vs Fortinet - Honest input requested

  • 1.  Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-09-2013 13:21

    Background - We are a smaller company with SSG 550 firewalls at our larger sites and a mix of SSG 5 - 140s at our smaller sites.  We are having a lot of the SSG 550s fail after reboot.  We were an early adopter of the SRX 240 and SRX 650s back in the 10.x days.  Needless to say, I pulled them from production and relegated them to the lab for study.  The bugs were terrible and it impacted production so I lost confidence.

     

    Today - We are needing an integrated IPS solution.  AD integration and AV is nice but isn't a hard requirement at this point.  I am a Junos fan but the SRX bit me once.  NSS Labs has given Fortinet some glowing reviews and the price/performance is great.  However, I have not had any experience with their boxes other than the test units they sent me to demo.  I don't know how good/poor their TAC is or their overall customer support and software support.  I am betting the farm if we roll to a new vendor; however, in their defense, Juniper put the screws to me on a fairly large (for my sized company) SRX order early on.

     

    Palo Alto is a consideration, but I find them very expensive for the performance.  I also don't like their CEO, reminds me of a shady car salesman.  Not that it should matter, but the guy steps on my nerves which is a bad thing.

     

    Any input pros/cons of both is appreciated.  Please keep the fan boy stuff out of this thread.  This is a decision that could be employment impacting for me.

     

    Thanks all......



  • 2.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-09-2013 16:42

    Do you still have any SRXs in the lab to experiment with?  Or perhaps depending on the size of your rollout you could convince Juniper to give you a demo box or two to experiment with.  The 11.4 builds are a far cry from the dark days of 10.x.



  • 3.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-09-2013 18:30

    I would suggest you make a list of criteria (throughput, sessions, administrative interface, IPS configuration / updates, application firewall, automatic database updates vs. manual, dollars per MB, etc.) and rank them by importance (must have, nice to have, etc.) and/or assign them a weight and a score range (1-10 or 1-5, etc.)

     

    From there, bring in the vendors and have them show you their products.  Have the SEs run the show -- that's their job.  Let them demo the features to you that you have in your criteria list.  Have them show you live demos of the features in action, not just sales slides or controlled / scripted demos in offsite labs.  Vendors lie.  Never take a sales weasel's word for anything (sorry to all you sales weasels out there).  Put your hands on demo boxes and see how they feel for your day-to-day tasks that you're going to be doing.

     

    After you have a chance to test drive things, put your feedback into your criteria sheet and tally up the scores.

     

    All of the vendors you mentioned make good products -- but they're all very different and can't really be compared in a simple "who is better than the other" way.  It's all going to depend on what criteria matter most in your environment.



  • 4.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-10-2013 10:15

    Separation of control plane and data plane, rollback feature, candidate config among others. That is it right there. See the comparison guides for specs and performance. Also, a lot of issues have been resolved with 12.1R1.9 and there are still newer versions out. The SRX are the way to go. They integrate with all of Juniper's services. Now with the Pulse Access Spotlight, etc, you can get the complete solution. Additionally, there are unique things that only Juniper can do right now that others cannot do. I can understand when you have problems with the trusted devices. Juniper tends to deliver better ROI and performance. But if you have laid out exactly what you want from the devices, and what you expect, compare that to what others deliver and you should be able to make a good decision. The most important thing is to assess the expected number of concurrent users, the expected demand and still have room for growth and expansion, services etc and then get the right box with the right features that you need. High mem vs base, redundancy etc. In your case you need the high mem versions. I do believe the active users would be very helpful to your case though if you can get their input.

    Attachment: SRX Comparison Guide-en.pdf (733 KB)


  • 5.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-10-2013 13:09

    Do not do IPS on the SRX. I don't know about the lower end models but we are having so many issues with the IPS on 1400s. We had a memory leak where we had to shut down the IPS altogether.  After waiting for a few months Juniper came out with a service release to fix it. It fixed one thing and broke another.

     

    I would stay away from SRX as an IPS or even UTM device. I like them for plain FW and maybe IPSEC and that's because of JUNOS.



  • 6.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-11-2013 00:08

    Hello,

     

    I have experience with Juniper (SSG and SRX), Fortinet, Palo Alto and Checkpoint.

    I deployed a lot (more than 100) of SSG firewalls. Was working fine but it seems that Juniper has stopped development (ScreenOS 6.4 will probably never be released...)

    I installed two clusters of SRX240. A complete disaster! See some posts from myself on this forum. I stop here...

    PA is a wonderful platform but price is high...

    Now Fortinet...

    I have used them for 3 years. Deployed around 50 devices.

    PA is better in User Authentication and in Application Control (you cannot beat them!).

    Fortinet UTM is also VERY good.

    Fortinet uses the same concept as ScreenOS (zone, etc). The founder of Fortinet is also the founder of Netscreen... 

    For management, you need two appliances. One for policy management and one for logging.

    In this area you cannot beat Checkpoint but it's not worse than NSM...

    For IPS, PA and Fortinet are also very good. See NSS labs result.

    It's not a bad choice to go with Fortinet...

    Support. Juniper is better than Fortinet but the number of tickets I opened with Fortinet is very limited. I can count them on one hand...

     

    HA

    CCIE #13029 (R/S and Security)

     



  • 7.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-11-2013 04:53

    Hi Hedia,

     

    It would be nice if you could detail the Juniper cluster environment which you mentioned:

     

    Junos Release:
    Platform:
    UTM Activated:
    IPS Activated:

     

    Best regards
    Null



  • 8.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-12-2013 04:53

    Thanks for the feedback thus far.

     

    Our environment has a datacenter in Santa Clara and a DR in San Antonio with 30ish remote sites around the globe.  We migrated from MPLS to VPN last year so everything is ISP based.  We currently only have firewalls at the front door with a standalone SourceFire IPS at the datacenter.  We want to find a product that has a good integrated IPS to reduce the time it takes to fiddle with the SourceFire with all of the complexities of that product.  Also having IPS, App control, and URL filtering at all of the remote sites is a huge plus.  AD integration is also a big need.

     

    I am a one man shop for this company so management is key.  We need at least 5gb of throughput with NGFW services enabled because we are going to put the datacenter cores on an interface of the firewall with the new deployment.  The largest base of users is at the datacenter location so I need to account for 200 users hitting those servers during working hours since the firewall will now be introduced between the LAN and the servers.  The other sites don't require more throughput than what their ISP speeds are.  Our applications are centralized at the datacenter with very few apps being housed at remote locations.

     

    The datacenter has two ISP links with one being 250mb and the other being 100mb.  A few of the larger sites have 100mb ISP circuits but the majority of the others are 6-10mb connections.  Employee size is around 1000 with network loads being spread throughout the day due to global footprint of the company.  Applications are the typical email, Oracle, file transfers, etc.  We do run Lync but that application works great even in the worst of conditions.  Thank goodness we aren't a Cisco VOIP shop...lol.

     



  • 9.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-13-2013 19:22

    Hi:

    4 years ago I pre-sold an SRX650 for a customer. But because of the nightmare stories in J-Net, I decided before shipping to migrate to a Fortinet FG1240B (3000 users). This customer had bought an FG1000C also, and the customer is happy with Fortinet (it's a great product).

    The customer is very happy, the TAC support of Fortinet is 5 stars.

    The other customer (a bank) has nightmares with support and troubles with the SRX650 (this year they will migrate to Fortinet).

    I had installed Juniper SSG, but the UTM of Juniper is very bad if you compare it with Fortinet.

    Gartner, NSS, Forrester are right, Fortinet is very competitive in price and performance.

    Palo Alto is higher priced, but the app control is very powerful.

    I love Juniper because it was the leader in firewalls, but if you read the Gartner Magic Quadrant 2013, Juniper and Cisco are firewalls with a high probability of being migrated away from.

    The only issue of Fortinet (if you compare with Palo Alto) is that SSL detection is not powerful and the UTM performance will go down if you enable many features (deep scanning, DLP, App control, Antivirus).

     

    Victor

    FCNSP/FCNSA 4.x



  • 10.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-14-2013 13:38

    Isn't Gartner more or less a sales tool?  🙂 At least sales people I talk to love throwing Gartner reports around if their company is featured.  If a product does what you need it to, and does it well, then that's good enough for me, IMHO.



  • 11.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-15-2013 02:18

     

    If only your boss, your boss's boss etc. followed the same logic.  But Gartner and Forrester are very handy at providing a baseline for your investigations. Pick the three that are the closest match and take it from there.

     

    My throw away thoughts ...

     

    Junipers are simple and elegant to operate - can't knock that in security, less chance of erring. NSM needs work.

    Checkpoints are the swiss army knife of firewalls - their centralised mgt. is brilliant but  not 'simple and elegant'.

    Cisco are basic, it's a router with ACLs; if you can't visualise the policy it had better be a small policy.

    Palo Alto are the new guys on the block, time will tell if they've got the model right.

     

    At this stage I wouldn't do IPS in any of them - there are others that do it better.

     

    Get a solid handle on your requirements and match it ....



  • 12.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 07-28-2013 20:00
    Hopefully issues are resolved, at the end-of-the-day...


  • 13.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 07-29-2013 06:09

    I've worked with just about every firewall brand except Fortinet. Here's my 2 cents:

     

    Juniper - Can be tough to set up the first time but once it's up, it's fast, reliable, and cheap. I once heard someone say, let the firewall firewall. In other words, it's very good at its core functionality. NSM leaves a lot lacking but it's really one of the better management platforms. The VPN capabilities with their smaller boxes are very compelling. Route based VPNs are where it's at for sure.

     

    Palo Alto - Innovative, their app-id and malware detection is second to none. Their GUI is horrible. The Panorama product is junk and they tend to offer some really bad add-ons like their VPN, their URL Filtering service, their DLP service, etc.

     

    NOTE: We currently run Junipers on the edge and PAs just inside in transparent mode. It's a nice combination if you can afford it. Vendor diversity is a good thing.

     

    Cisco - Still too tied to access-lists. Seems weak in a lot of manageability areas. Also, most companies have a ton of Cisco which run very similar operating systems. My fear is that an IOS bug could create an exposure in our routers, switches, and firewalls. Again, vendor diversity is important.

     

    Checkpoint - This was the first firewall I worked on and I tend to miss it. No one has a better GUI or a better log viewer. Very solid all around. Back when I worked on them they didn't have zone based filtering or route based VPNs. The policy based VPNs were a major hassle but I'm sure that's probably fixed. They also used to have an issue with hardware, you had to run one OS for the Nokia hardware and one for the firewall. Patching was a nightmare. Again, that's probably fixed.

     

    Our sister company has Fortinet and has told me that they have been buggy at times. Good luck in whatever you choose and please post your experiences.

     



  • 14.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 08-26-2013 01:33

    Hi all,

     

    First of all: This thread is amazing! A lot of experience condensed in a few lines. The best thread I have found here.

     

    The trouble: SRX has lost your confidence

     

    The past: A lot of customers have a lot of confidence in the ScreenOS boxes

    The recent past: Juniper released the SRX boxes mixing JunOS and ScreenOS code and I will never forget. They have lost a huge amount of money due to this. The problems they have caused to the confidence of their customers have not ended yet.

    The present: SRX works... more or less. You can find stupid things such as a branch SRX (and the 650 is one of these) not supporting DHCP server or DHCP relay in cluster configuration (it works in normal conditions, but Juniper does not support this configuration, probably because in a transition from passive to active we'll have some problems). This situation makes no sense and Juniper knows it.

     

    Alternatives that I know directly:

    PA: it's a bit pricey but their app oriented way of doing the job has no competitors (maybe the latest CheckPoint moves). It was the same as when CP broke the market with their session-oriented boxes in the nineties (anybody older than 30 here? 😉 ). PA has broken the market and everybody is following their steps. And, of course, as in the antivirus market: they are selling subscriptions better than boxes. One not-updated-to-the-latest-definition box is a less-secure box... It is the wet dream of every CEO in the market.

     

    Alternatives that other colleagues know directly:

     

    Checkpoint

    Fortinet

    Cisco

     

    Have you made your decision?

     

    Regards,

    R.



  • 15.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 04-23-2014 09:24

    Hey csnow, I'm wondering what direction you went here and how it's going.

     

    We've been a Netscreen/NSM shop for about 5 yrs now and while NSM has its benefits, it's SLOOOOW for us.  Granted we've got 800+ firewalls globally in there and it's not the best central management architecture from a server perspective (clustering, logging, client, etc).  Central management is absolutely key for us as well.

     

    As far as Netscreen goes, the bugs have been annoying to say the least, but it offers easy web management and a pretty solid CLI in my opinion.  I hear SRX was VERY buggy in its early stages but has been stabilized.

     

    I feel that Juniper's support is TERRIBLE!  I've called them 4-5 times over the years for some not-so-standard config items (crazy NATs, RSA VPN configs, advanced debugging, etc) and I've literally had to figure out every configuration on my own without them being able to tell me how.  Multiple times they told me "it can't be done" and I managed to figure out how to make it work.  They actually told me there was no way to reboot a firewall from the web gui...UGH!

     

    We've got the current deployment tied in to Websense as well, which we're also replacing for more current internet security & filtering. 

     

    I'm currently running an RFI between Juniper (SRX), Stonesoft (McAfee/Intel), Checkpoint, Palo Alto, Fortinet and Cisco (more to see where Cisco's at these days....; still lacking...).  We're in the middle of presentations now with all of them and I stumbled on this article walking the web for feedback.



  • 16.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 05-08-2014 04:59

    We deploy both SRX and FortiGate.

     

    The main issue with the FG is that the fantastic datasheet numbers are based on all ASIC 'processed' traffic - but at the same time they have no good load balancing between ASICs. In other words, you need to keep an eye on which ports your traffic is running between. Have a look at this

     

    http://docs-legacy.fortinet.com/fgt/handbook/50/5-0-4/fortigate-hardware-accel-50.pdf

     

    I would not say that FG has fewer bugs than Juniper, but FG are quite quick in resolving theirs.

     

    FG is probably "easier" to manage, but it is mainly because each feature is "on or off", while Juniper has 15 ways to tune the feature.

     

    On-box GUI and reporting of FG is also much appreciated by customers and engineers.

    Once you are in CLI, the Juniper is clearly better, but we all know that.



  • 17.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 09-19-2014 19:39

    Sept 2014.

     

    The firewall sales leaders are Cisco, Checkpoint, Fortinet, Palo Alto, Intel McAfee and Juniper Networks (lost 3 places).

     

    In Gartner (yes, Gartner is not fully true), the NG FW leader is Palo Alto, then Checkpoint, and third Fortinet.

    In Gartner again, the UTM leaders are Fortinet, Checkpoint.

     

    Sales quarter up for PANW is 56%, FTNT 24%.

     

    Cisco bought SourceFire and Q2014 sales are up. I believe Juniper Networks has to acquire an NG FW brand, because Gartner reports that CSCO and JNPR are the equipment that the security admins will migrate away from to other brands (PANW, CHKP, FTNT).

     

    I would like to know if the customer that asked about SRX vs Fortinet can tell us about the SRX experience.

    I would like to read the honest input about the SRX experience. Is the SRX already running?

     



  • 18.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 05-20-2015 09:30

    We have used SRX for 4 years, until now.

     

    SRX is a very good router with a Firewall role above (as for now, we deploy SRX100 as CPE, and even some SRX240 with MPLS activated).

    But when it comes to user experience, SRX is not as good as a Fortigate or a PaloAlto.

     

    The geek will like the JUNOS-CLI approach of the SRX for configuring, but when you have 500+ rules, CLI is not that easy.

    GUI on SRX? Bitch please.

    GUI with Junospace? Nope. We tried to set up Junospace for managing a cluster of SRX1400 with 5 LDoms, and ... nope, just no way to configure that with the results we wanted (compared to Fortigate VDOM <=> Fortimanager ADOM)

     

    Another huge difference:

    - SRX3200 = max 32 LDOM

    - PaloAlto 5060 = 250 VSYS

    - Fortigate 1500D = 250 VDOM

    - Fortigate 3700D = 500 VDOM

     

    As a service provider, a mechanism for "virtualising" the firewall was mandatory. Goodbye Juniper, not adapted to service provider needs in 2015.

     

    Another flaw in the Juniper stack is the non-multithreaded Junos (in versions lower than 13 at least): look at the MX performance in OSPF convergence and think that it runs on a very old FreeBSD (6) and it suddenly gets clear.

    Juniper will try to do the big jump between FreeBSD 6 and 10 on Junos 14/15. I will wait a looooooong time to migrate to those versions!

     



  • 19.  RE: Convince me to stay with SRX vs Fortinet - Honest input requested

    Posted 05-20-2015 10:00

    at Victorhud,

     

    I noticed the slide in the almighty Magic Quadrant as well for Juniper and I don't know how to feel about it. For all its problems I find myself defending Juniper more than not. They are still in use in a lot of shops. Dinosaurs like myself remember the Netscreen days fondly when we first learned about zone based firewalls.

     

    I've seen Juniper gain some major ground in the switching and routing space. We just did a big project here and if the gear was Cisco it would have cost us 3-4 times as much. There is no more magic to routing and switching. It's commoditized. I'd argue that the support is still pretty good. I'm hoping that sales of routing and switching drive improvements in SRX and Space. Another slide like that in the Quadrant would send me back to Checkpoint for my other layer of firewall. We'll probably continue to have PA as I need to keep some Nir Zuk in my network.