08-31-2010 10:10 AM
So what is the most stable version of the linux based NSM and SRX (650 and 3000 series platforms)?
Also...anyone using the above combo with the STRM?
What are your likes/dislikes of the system?
08-31-2010 10:40 AM
1. You need STRM if you want to do any sort of serious logging with an SRX; if you send the logs to NSM you will encounter problems, as it causes a build-up of logs on the SRX device. Streaming logs to STRM is the official solution.
2. You want to have the LATEST NSM you can get; 2010.3 is supposed to be the most stable and most compatible with SRX. Also you need to keep your schema up to date; note that there are issues with installing the latest schema 147, though.
3. If your environment will be PURE JUNOS with no ScreenOS devices you may want to hold off until SPACE is released. SPACE + STRM are the official "native" management solutions for JUNOS. NSM was designed for ScreenOS and they have added JUNOS/SRX support, but it isn't as reliable with SRX devices as it is with older ScreenOS devices.
08-31-2010 11:06 AM
Well... I wouldn't have too much of a problem with using the SPACE product... but is it available, and if so, what SPACE/SRX versions are recommended?
Thanks for the quick response.
08-31-2010 03:15 PM
Space hasn't been released yet... however it was announced. Not sure when it will really be available. Rumor has it they are adding ScreenOS support to it to ease the transition, but not sure about it.
I have had several problems using NSM with SRX units... the fact that logs are not STREAMED being the biggest problem. However it is still extremely useful for managing configuration changes and keeping configurations consistent.
08-31-2010 03:42 PM
See... the problem is, we are currently a Juniper/NetScreen shop and we need to purchase quite a few firewalls for a major project. I don't feel comfortable with vaporware, so I have to go with what is available. I feel that selecting the current NetScreen platform would be a mistake, since I need to be looking into what is coming my way for the next 3-5 years. I don't believe much development will be going on with the NetScreen OS, so that is why I am looking hard at the SRX platform.
Now I have to have a different logging appliance for fear of over-running the NSM logging capabilities. The STRM isn't easy to steer... just haven't been too impressed with it... plus it is not cheap. The SRX also comes with a large learning curve (not that I have too much of a problem learning new stuff... but I am not the only one that needs to support this stuff).
I am pretty familiar with Check Point and Provider-1. Now I have no choice but to look very hard at going back to Check Point.
08-31-2010 09:48 PM
It isn't the NSM that fails, it is the SRX, if the logging is set for NSM and there are too many logs. You don't need STRM; you can use any syslog server to stream the logs.
Also, depending on what you are doing, ScreenOS might actually have better / more features than SRX does... For example DSCP tagging is super easy to do on an ISG with a policy, but on an SRX under Junos you are currently limited to firewall filters or going up to the full IDP licence to tag traffic... Overall, ScreenOS devices are currently more reliable as well...
JUNOS however is getting many new features each release, so yes, in the long term it is probably the way to go; however there may still be bumps to iron out if you jump in now.
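As an added illustration of the stream-mode logging the reply above refers to (this is example configuration, not something posted in the thread; the IP addresses, stream name, zone names and policy name are placeholders I have assumed), these are the Junos set-statements that send SRX security logs straight to an external syslog collector instead of buffering them on the box for NSM:

```junos
## Added example, not from the thread. Addresses (RFC 5737 documentation
## range), the stream name "collector" and the policy/zone names are assumed.

## Emit security logs directly from the forwarding plane as they happen,
## rather than queuing them on the SRX for NSM to pull.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.10

## Any syslog receiver will do here: STRM, Splunk, rsyslog, syslog-ng.
set security log stream collector host 192.0.2.20
set security log stream collector host port 514

## Logging is still decided per policy. Ask for session records only on the
## policies whose accept traffic you actually need, so the collector (and the
## link to it) is not flooded with everything the box forwards.
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

## Sanity-check before activating
commit check
commit
```

Two things to keep in mind when using this: in stream mode the records leave from the forwarding plane, so on the high-end SRX the collector has to be reachable through a revenue interface rather than the out-of-band management port, and the logs will not appear in `show security log` on the routing engine; the collector is the place to look for them. Turning on `session-close` on a busy policy is what generates the volume the thread is worried about, so start with `session-init` or with a narrow policy and widen it once you have seen the log rate the collector can absorb.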
09-03-2010 01:26 AM
If you are considering CheckPoint, look long and hard at features beyond management. Last I looked, UTM-1 didn't have I/O options, leaving you with either needing to go much larger (Power-1) or go with the IP platform.
The IP platform is going to go through a disruptive change away from IPSO, towards some form of combined SPLAT.
Historically, performance on CheckPoint can be an issue, particularly when heavy NAT and session establishment are needed. Some of the IP platforms have hw acceleration, but the UTM-1/Power-1 platforms don't.
On the Juniper side, you have the JunOS story: separation of control and forwarding plane, ASICs in the higher-end devices, multiple cores in the Branch SRX devices (excepting the really small ones; they rely on the RTOS instead. Works for J-Series, so why not?).
SRX has amazing performance for the buck. It's a very solid router - the SRX650 and up can take full BGP routes, and the large-scale OSPF issues seen on ScreenOS are not an issue with SRX. There are voice-enabled versions (SIP only) which will be trumpeted a bit more in a little while; that's a really nice synergy right there if you have a lot of small branches where you don't want to place additional media gateways, but you want local survivability and maybe some local PSTN for fax and 911 and such.
The "bumps" currently are in the feature set more than anything else, particularly when clustering. This is a matter of knowing what you need from your firewall, and checking that it can deliver. Stability as of 10.0r3 and 10.2r2 is good, we haven't seen any cluster shenanigans like we had seen before those releases.
As for the ScreenOS devices - they won't go EOL for another 6 to 7 years, depending. They will remain supported for 5 years from the day they go EOS, and they won't go EOS until SRX has feature parity. They're a conservative choice. Very proven OS, decent performance, a feature set that fits small to medium enterprise well.
The management situation on SRX is unfortunate, I agree. SPACE can't come soon enough.
If high-volume logging is required - that is, logging a lot of the accept traffic - then Splunk is an excellent solution for that at this point in time. It'll also make creating pretty graphs a breeze, and can receive logs from all your other devices in the network and allow you to graph / report against those.