02-23-2012 08:59 AM
Currently my company is using a CheckPoint Firewall (setup on a linux box) and its time to upgrade and get some Rendunancy.
After doing some research I had decided to go with Juniper SRX (210, 220 or 240). I was talking to a friend (who is more sales than technical) and he recommended that I check out SonicWALL.
I'm not sold and wanted to see what people here think. I really feel that Juniper is doing a good job of being forward looking. I like that it has APIs, virtual routers, etc.
Juniper seem to have a good grasp on the how things are moving towards the cloud.
I have read through reviews etc but most of them seem to be pretty high level, and some of them seem out of date. When I see things like people complaining about the GUI (which when I used it with a current firmware worked great), plus if you are focused on needing to use a GUI (thats not the scope or type of review I care about). Thats just frills to me.
While I don't have a ton of experience with Juniper, I have played a little with the SRX 210 (and coming from the Cisco world) have been impressed.
So basically I wanted some input from technical people.
Solved! Go to Solution.
02-23-2012 11:38 AM - edited 02-23-2012 01:10 PM
This, like many other questions similar to it, can only be answered by first defining your requirements.
There is no single answer to "Is Juniper better than SonicWALL" or "is Juniper better than Cisco" or "Is Cisco better than CheckPoint"... because every one of those vendors is going to have some strengths and deficiencies.
Only by defining your particular criteria can an informed decision truly be reached. I am *not* a fan of unwavering vendor loyalty. The best tool for the job is the best tool for the job, I don't care whose name is printed on the front of it.
Here are a few things to think about...
Are you looking to do "next-generation" firewall services, such as application ID/firewalling? SonicWALL has been doing this for a long time and has a very well-established technology. Juniper is just breaking into the AppID/AppFW segment, and it's kind of a kludge (if you ask me) on the SRX, *especially* the branch SRX.
Are you looking for robust enterprise features? Advanced routing and/or tunneling options? Both solutions will handle your typical IPsec scenarios, but with the SRX you have the flexibility of policy-based or route-based VPNs. SRX is going to handle things like BGP, GRE, virtual routers, even MPLS, where the SonicWALL is not.
How many firewalls are you looking at deploying? Do you need centralized management and reporting, etc. for multiple boxes from a single place? If so, SonicWALL's GMS product beats the pants off of NSM, no question about it.
As far as H/A goes -- the SRX and the SonicWALLs are going to approach that differently. Sonic is going to give you a good break on pricing for H/A pairs -- you typically only pay half for the H/A box. SRX has had some serious growing pains with clusters. They're better now, but it was never a "graceful" implementation by any means.
If you like GUIs, the SonicWALL has a darn good one. The web UI is very fast and responsive. J-Web, even with all the recent changes and improvements, is still extremely slow and clunky by comparison. SonicWALL really did a much better job of prioritizing management functions in Core 0 and it shows. However, if you don't care about GUIs and you want a CLI, then SRX is your choice -- the SonicWALLs don't even have a CLI (at least not one where you can configure the box as far as address objects, policies, security settings, etc.) The newest SonicOS is introducing a "real" CLI -- but this is in its infancy and is only barely available (if at all in general release. I've seen it on their "SuperMassive" boxes...) That being said, the SonicWALL was designed from day 1, from the ground-up, around their GUI. So, with J-Web, you get a box that's built around a CLI and the Web GUI is bolted on top, and there are constantly things where "you can't do that through J-Web, you have to go down to the CLI to do that"... with the SonicWALL, every function of the box's configuration is done through the GUI. Period. It's just a matter of preference there as to how you prefer to work.
Both the branch SRX and the SonicWALL systems are based on a similar hardware architecture, though not exactly the same. Both products use the Cavium multi-core CPUs for security services and traffic processing. I will say this -- SonicWALL has many more years of experience programming for those CPUs and their ability to write software that is tight and optimized on those platforms is obvious -- they achieve better throughput on the same class of chips compared to the SRX, and their management functions are WAY faster (they use Core 0 for this much more efficiently than the SRX).
Generally speaking, for similar performance, the SonicWALL is usually going to cost a little less, but the SRX is going to give you more "enterprise-class" features. Decide which of the features and functions are important for your particular implementation and focus on the needs that are applicable to you. Don't get hung up on features being in a product if you're not going to use them. That's a Cisco thing -- they'll sell you a product that will cook your breakfast, fix a flat tire on your car, navigate an airplane, and plant trees in third-world countries -- and oh, by the way, they route packets too. You end up paying for a whole LOT of stuff that most people never use.
Make yourself a requirements document. Categorize things into "must have" and "would be nice to have." Any criteria you can think of, write it down on that document. Possibly assign a weight to items. Most importantly, invite the vendors to come talk to you. Utilize the channels and resources that are there. Juniper and SonicWALL would both be happy to have a sales rep visit you, and they should bring an SE (Sales Engineer) with them. Use your requirements document and have the team answer your questions and tell you about their product, and why they feel it's a better solution for you. Always remember Keith's Law of IT: Vendors Lie. Don't get caught up in marketing hype -- take the information they give you and evaluate it and do some of your own research to validate it. Read third-party reviews and independent tests ("independent" is a bit of a stretch...). Check things like Gartner and NSS reports.
02-23-2012 12:32 PM
Thanks a lot for the info.
This is the type of stuff I was looking for. I agree that asking which one is better is normally a stupid question, its never going to be absolute. But I was looking for a more indepth comparison than I was finding around the Internet.
One of the hard parts of my decision is that as we stand right now, either would work and be and improvement (cause right now we have no fail-over). But I'm trying to be forward looking cause we are expecting a lot of growth over the next few years, and I don't want to purchase something only to realize in a year or 2 I need something that can't be done. We also might have to integrate with other networks (our company was recently purchased).
Coming from the cisco world I am comfortable learning CLIs, and don't put as much stock in GUI's as some other admins might. I would like bgp (cause that type of redundancy is something I'm trying to push, but don't know that we will want to spend the money for a GLB), and there is a really good chance we are going to deploy a private cloud (I have been testing/working with CloudStack) and they allow you to manage SRX firewallls b/c of the open API. Which is one reason I liked the Virtual Router capabilites as well.
Right now I am going to get 2 firewalls (just 1 extra for redundancy). I would like IPS, Web Filtering (I know SRX uses WebSense which would be fine with me). As far as management/reporting I have been using Zenoss (on a linux box) and am happy with that, especially since I can automate a lot of things with it (have certain events trigger scripts/etc), so I plan on sticking with Zenoss (and netflow/jflow should be enough for us). Last time I setup a monitoring tool, it was only used when there was a problem.
I'll continue researching some but I had a Sales Engineer (who is a friend) and he was really trying to push me away from Juniper but other than saying you get a little more bang for your buck couldn't really give me a compelling arguement. So this info was very helpful (and I thought you seemed really unbiased especially for being posted on a Juniper forum)!
02-23-2012 05:29 PM
Keith - awesome post as always. What a great comparison of two alternate solutions. I would add that I think Juniper does offer more in the automation realm than Sonicwall. The tools available with scripting and the library that exists to either use or build off of are, to me very valuable and create another differentiation point.