SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  OK - How is SRX going today...?

    Posted 04-30-2013 22:11

    SRX users,

     

    Our business has been a long-term ScreenOS user.... SRX arrived, we bought into the sales hype, the pricepoint and then struck an endless list of issues and problems that never got fixed. Worst networking product release I've ever seen... ever! To ensure we stayed in business and minimise the commercial bleeding (to be fair this was a few years ago, and I realise things have come some way), we started selling and deploying other products. (Fortinet and more recently looking at some Palo.)

     

    Thus I've lost touch of where SRX is at... apart from the odd entertaining reading of these forums. I don't really see anything that would encourage me to rush back either. NSM - don't get me started. ;) However, several ScreenOS clients are now ready to upgrade to something else and are fans of Juniper... well... Netscreen. (Nothing huge, but networks of SSG 550s, some 140s, and the odd 20.)

     

    What's the score these days on the latest releases on the SRX? We only see it (and we haven't looked at the SRX since 9 something..?) as a router that does 'some' firewalling..? And needs to be managed from CLI.

     

    Does this AppSecure stuff do what the marketing says...? What's happening with NSM... Is the dream of feature parity with ScreenOS closer..?

     

    I know this is stuff an SE should be updating us on but they are few and far between in my part of the world, and I'm interested in real world feedback that's not diluted by spin, because someone is paying you to say it.

     

    Cheers

     

    Duncan.

    Stopped the bleeding

    Stayed in business.

     

     

     

     

     

       



  • 2.  RE: OK - How is SRX going today...?

    Posted 04-30-2013 23:29

    Some things:

    • No longer crash happy, pretty stable now. Yay!
    • WebUI is still balls and slow. I just use the CLI. Juniper don't know how to write a good web interface.
    • Still lacking IPv6 features.
    • Still boots slowly, although somewhat better than older releases.
    • IPsec VPNs work well.
    • No mobile VPN support at all (are Juniper crazy??) for iOS devices.
    • Stupid releasing of new devices, i.e. SRX210HE and SRX240H2 (lame lame lame, just do it right from the start, with the ASA you don't need to replace the device, just upgrade the flash & RAM yourself)
    • WTF JunOS X releases. Seriously I wonder if Juniper has any clue at all.

    So yeah still a bit lame.

     

    I like the devices as the routing is good, IPsec site to site VPNs are good, SNMP works well and CLI is great.

     

    Such a pain really, the lack of iOS VPN support means that many of my customers will stick to the Cisco ASAs as the VPN works well. I've thought about using an SRX for routing/site2site and then an ASA for mobile VPN, but for most of my clients buying two firewalls is crazy.

     

    I hate love Juniper. I really don't know what to think!! Hah.



  • 3.  RE: OK - How is SRX going today...?

    Posted 05-01-2013 14:55

    Thanks mwdmeyer.

     

    Anyone using AppSecure out there..? - looking at some of the notes and documentation it appears you need an STRM or similar to get this working ..?

     

     



  • 4.  RE: OK - How is SRX going today...?

    Posted 05-02-2013 16:05

    It is much better and much more stable than it was for sure.

     

    As a straight up ScreenOS replacement, I'd say it's up to par now (except maybe the GUI... I still only use CLI so GUI could be great now and I wouldn't know).  You can more or less translate a ScreenOS config to an SRX config without having to redo the entire architecture -- you can terminate VPNs into VRs now, no silly NAT limitations outside of box maximums, etc.

     

    If all you need is an L4 firewall, VPN, and routing features then it's pretty good (and cheap for mass branch office deployments).  Problem is, I'm seeing less and less of this as the "next gen" stuff is becoming more popular.  If you need a client VPN try to sell a MAG or something because user experience I think is still not very good on SRX in that regard (as others mentioned, no iOS / Android client).

     

    If you need any "Next Gen Firewall" stuff, I'd stick with Palo Alto or whatever vendor you prefer in that space (I only have experience with Palo Alto).  If requirements are IDP, URL filtering, etc. we generally try our best not to sell an SRX - just not worth the potential pain.  Like you, it's been a while since we tried any of those features, but we got burned so bad in the beginning we pretty much swore the UTM type feature set off.

     

     



  • 5.  RE: OK - How is SRX going today...?

    Posted 05-07-2013 07:46

    I've been very happy with SRX since 11.4, 12.1 is even better. However, I only put them where they'll be strong.


    As others have already mentioned, they have become fantastic/stable L4 Firewall/VPN devices. Even IDP as of 12.1 (automatic syncing across cluster members) is more or less acceptable.

     

    I've found AppSecure, and AppQoS specifically, to work as intended (YouTube throttling is handy). However, I would *absolutely not* ever use them for Antivirus or Antispam... they're still horrendous at that.

     

    All in all I'd replace most ASAs with them at this point. Anything else that needs to really take advantage of L7+ UTM I'd go with Checkpoint/PAN/Fortinet.


    HTH,



  • 6.  RE: OK - How is SRX going today...?

    Posted 05-08-2013 19:12

    @mwdmeyer wrote:

    Some things:

    • Still boots slowly, although somewhat better than older releases.
    • No mobile VPN support at all (are Juniper crazy??) for iOS devices.
    • WTF JunOS X releases. Seriously I wonder if Juniper has any clue at all.

    • Juniper isn't the only vendor to have devices that take a few minutes to boot!  And I can't say that I view it as a detriment considering that mature 11.x and 12.x releases run reliably with little or no intervention.
    • I agree.  I'd like to see mobile VPN support outside of requiring a SA or MAG.
    • It's been covered in another thread that the purpose of the Junos X releases is to allow the SRX team to further focus on development and improvement of the SRX series.  Juniper employees have stated that this is a temporary measure and the SRX code will eventually be reintegrated with the mainstream Junos-ES releases.

    Cheers.



  • 7.  RE: OK - How is SRX going today...?
    Best Answer

    Posted 05-10-2013 07:05

    @mwdmeyer wrote:

    Some things:

    • No longer crash happy, pretty stable now. Yay!
    • WebUI is still balls and slow. I just use the CLI. Juniper don't know how to write a good web interface.
    • Still lacking IPv6 features.
    • Still boots slowly, although somewhat better than older releases.
    • IPsec VPNs work well.
    • No mobile VPN support at all (are Juniper crazy??) for iOS devices.
    • Stupid releasing of new devices, i.e. SRX210HE and SRX240H2 (lame lame lame, just do it right from the start, with the ASA you don't need to replace the device, just upgrade the flash & RAM yourself)
    • WTF JunOS X releases. Seriously I wonder if Juniper has any clue at all.

     


    • Agreed
    • Agreed... both for WebUI, NSM, Space
    • IPv6 has really come along as a "through" device.  There are some "endpoint" IPv6 features missing, but it's actually very useful now as an IPv6 firewall.
    • Agreed....Except I haven't seen ANY progress on boot-times.... Up to 30 minute boot times for clustered SRXs... I mean I just pop in a Family Guy rerun when I reboot a 3600.
    • Agreed... Very Well.
    • Agreed.....but I'm OK with not having these on DC firewalls and a dedicated appliance with a proper WebGUI (Mag)
    • Agreed.... Do it right the first time.
    • 100% AGREEED!!!.... X and D releases is like admitting you've turned into IOS.... the old .1,.2,.4 schedule was PERFECT and easily understandable.... Now I have to divide by 5 to find out if a release is a full release or an interim release....ugh

    As far as AppSecure, it's ready: if you want to use it exactly as configured with minimal customization, it works fairly well... Once you get into massive customization per app, you'll start running into PRs.... I would guess it reaches "stable"-ness around 13.4... or whatever its undecipherable X release is called.

     

     



  • 8.  RE: OK - How is SRX going today...?

    Posted 05-22-2013 23:17

    Expectations...

     

    Well, maybe someone should set some benchmarking...



  • 9.  RE: OK - How is SRX going today...?

    Posted 06-04-2013 14:20

    FYI the reason they take so long to boot is loading FreeBSD. It's worth the wait, though. Coming from someone who's worked extensively on Checkpoint, Fortinet, ASA, Netscreen, Palo Alto, the boot time is definitely worth the wait.



  • 10.  RE: OK - How is SRX going today...?

    Posted 05-08-2013 14:14

    I've not had any issues with SRX in many different deployments. Either I'm the luckiest person in the world or everyone else is running peculiar versions or misconfiguring them or both. And I'm assuming it's the latter.

     

    An analogy of SRX would be Juniper releasing a manual transmission after automatics had been around for decades. Suddenly no one knows how to drive them, and without the right driver it's a very bumpy ride. SRX will let you throw the car in reverse at 70MPH; it is solely on you NOT to do that. That being said, with a capable driver they expose much more control than any other platform I've worked on, and there have been many (every platform mentioned in this thread so far). SRX have the lowest cost of ownership and offer the most scalability, again, with the right driver.

     

    If you go with SRX, run JTAC's recommended version, and make sure someone knows JUNOS well and you will be extremely happy with it. If you're going to use AppSecure, read the documentation in its entirety first!

     

    GLHF



  • 11.  RE: OK - How is SRX going today...?

     
    Posted 05-10-2013 05:42

    I'm generally happy with it now, like the others have mentioned it's really good L4-wise. Did a large hub-spoke deployment with the new AutoVPN/Zero Touch Hub with certificates and iBGP feature and it's been rock solid so far. AppFW hasn't been too bad either. Haven't touched the UTM lately due to awful first experiences though.