11-23-2010 12:48 AM
I have to say I'm going to pile on the list of SRX complaints. We have been / were a Netscreen shop for YEARS prior to the Juniper acquisition. The ScreenOS devices have been generally rock solid since the Netscreen 5 days when that little hummer would bring a Cisco VPN 3015 to its knees @ 10 Mbit 3DES IPSEC throughput.
A year ago, we were forced into a refresh cycle for our edge firewalls and VPN endpoints after an internal IT consolidation. We had a bake off between SSG, SRX, and ASA. SSG won for stability and required features, but lost out because we feared Juniper would effectively abandon the line within 3 years. SRX won for overall feature set, but lost out because it couldn't handle a simple firewall with NAT deployment at 9.6x code without core dumping every week or two during the evaluation. The ASA won by default, but it's a descendant of the PIX and still loaded with the crap that made me hate it 10 years ago.
The refresh cycle was Juniper's to win as the incumbent, but it lost due to a combination of SRX instability and aggressive SRX marketing that made us fear the long-term viability of the ScreenOS line of firewalls. We felt that ScreenOS would rapidly turn into Juniper's CatOS, Cisco's redheaded stepchild switching OS. As an aside, since we were painted into the ASA corner, I was forced to refresh VPN with ASA in lieu of the superior but more expensive Juniper Secure Access solution.
I hope that Juniper gets the SRX right, and sooner rather than later. Rant mode off...
01-10-2011 04:49 PM
New to the SRX family as of 1 month ago.
We had a project deadline in which we were going to deploy our first SRX firewall. I thought "no big deal, it's a firewall... packets in and packets out. I'll have it configured in a few minutes and be done with it." After hours of being amazed at how bad the user interface is and how non-intuitive the SRX is I scrapped it in favor of an SSG20.
I'm now back to the SRX (which is to replace the temporary SSG20) and my frustration continues.
The ScreenOS was fast and intuitive, the SRX GUI "looks good but doesn't do crap".
My latest battle is figuring out how to create a MIP, now referred to as a static NAT, which apparently is not possible in the GUI? Amazing, it's the second most used thing in a firewall, after policies, and it can't be done in the GUI? It used to be a one-line config item, but now requires 4 lines of code? Is anyone at Juniper paying attention to how they are screwing up what was an awesome, simple-to-use firewall and turning it into something that only a specialist will be able to configure?
My latest mindset is to just forget EVERYTHING I know about ScreenOS and start all over.
I honestly hope my hatred for this product goes away since I'll be stuck using it going forward.
The first Netscreen we got (about 10 years ago) took me under a day to figure out and setup everything we need a firewall to do, and that was without having 15 KB articles opened up.
This document pretty much explains why I don't like it. Anything that took 1 command line to do now takes 3-4...
Juniper, here are tips to making your product better:
1. make the GUI more useful, intuitive, and faster (focus on more useful first)
2. make the commands simpler
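For readers hitting the same MIP-to-static-NAT wall, here is what the two configurations look like side by side. This is an added example for this thread, not configuration posted by anyone above; the interface names, zone names and RFC 5737 addresses (203.0.113.10 as the public MIP, 192.0.2.10 as the internal host) are made up for illustration.

```junos
# ScreenOS: a MIP on the untrust interface is a single line.
set interface ethernet0/0 mip 203.0.113.10 host 192.0.2.10 netmask 255.255.255.255 vrouter trust-vr

# Junos (SRX): the same bidirectional 1:1 mapping is a static NAT rule-set
# keyed on the zone the traffic arrives from.
set security nat static rule-set from-untrust from zone untrust
set security nat static rule-set from-untrust rule web-mip match destination-address 203.0.113.10/32
set security nat static rule-set from-untrust rule web-mip then static-nat prefix 192.0.2.10/32

# Caveat 1: unlike a MIP, static NAT does not answer ARP for the public
# address on its own. If 203.0.113.10 is in the untrust interface's subnet
# but is not the interface IP, proxy-ARP is required or upstream routers
# never see a reply.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Caveat 2: static NAT is applied before policy lookup, so the security
# policy must match the real (post-NAT) address, not the public one.
set security address-book global address web-server 192.0.2.10/32
set applications application tcp-443 protocol tcp destination-port 443
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application tcp-443
set security policies from-zone untrust to-zone trust policy allow-web then permit
```

After `commit`, `show security nat static rule all` reports hit counts per rule, and `show security flow session destination-prefix 192.0.2.10` confirms that inbound sessions are being translated and matched against the policy. Forgetting the proxy-ARP line is the most common reason a freshly migrated MIP "doesn't work" even though the rule-set and policy look right.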
01-11-2011 02:26 PM
You must be on an old version of code. Static NAT was added to the GUI. I recommend moving to JunOS 10.2r3 and going from there. Once 10.4 is stable, it'll be the next "go-to" release. 10.4r2, maybe. Time will tell.
I like the way the SRX is structured. Coming from a programming background, the indented way that the config is built is intuitive. I like commit. I LOVE rollback.
However, there are also a lot of gotchas. I don't love cluster management, not at all. I want my flow-based QoS back. I want my "multiple proxy IDs" from ScreenOS 6.3 back. I want the ability to run dual-ISP with static routing back. The list goes on.
In the end, it's a matter of seeing that the features you need are there, and if that's the case, then the SRX provides a very fast, very affordable firewall platform: Which, ever since 10.2r3, is also reasonably stable. Ongoing UTM drama notwithstanding.
Getting comfortable with the CLI will be a boon to you.
01-11-2011 02:59 PM
Thanks for the info re: static nat. I am on an older version (10.0r2) and have been working on gaining access to the downloads so I can update it. Hopefully by the end of the day I'll be running 10.2r3 or later.
04-03-2012 03:53 PM
April of 2012 and it still really sucks
If you don't have anything meaningful to contribute to the conversation then please don't do it. In this case meaningful could be "I dislike the SRX series because of x, y and/or z." It would also further the knowledge of the community and perhaps other members would have suggestions or workarounds for the issue.
04-03-2012 11:55 PM - edited 04-03-2012 11:56 PM
Flannigan is totally right! Please, do0zer: come with arguments.
05-15-2012 06:02 AM
Just purchased two SRX 650s to replace an aging SSG550M HA pair. Looking at the recommended release code, which is JUNOS 10.4R9.2, anyone know a reason why this is a full 5 revs of code back? Is anyone using the 11.x or 12 series of code???
Any input is appreciated.
05-15-2012 01:50 PM - edited 05-15-2012 01:51 PM
The xx.4 releases are EEOL (Extended End of Life) releases, i.e. they are the combination of an entire year's worth of new features, and instead of having one year of patching support they have 5 years of R-release support.
The Recommended release is always the release that Juniper has the fewest open issues on and has the most field testing... Thus in most environments it will be the most stable...
If you were looking for something newer I would watch 11.4; it is only on R2 so far.
Juniper just started recommending 11.4 for EX and some other platforms; SRX is probably coming soon... However, my gut feeling is that an R3 will come out before that happens.
05-16-2012 06:01 AM
I think you'll also find that for a while, there were lots of bug and other stability complaints with the SRX line. Juniper seems to have taken that to heart recently and the 10.4Rx series is putting that behind them.
The 11.x and newer have some really nice features, but for most people the 10.4 line's features are "good enough" (the Juniper SRXs really can do a TON of things for a single box!)
08-14-2012 12:30 PM
Just FYI - if you are using a cluster and want to use JWeb, don't bother updating to 11.x or 12.x. JWeb won't display cluster info (tells you that clustering is not enabled even though it is, as verified from CLI), zones do not display at all, and redundant interfaces don't display associated zones. There are known PRs for this in 11.x JWeb code - supposed to be resolved in 11.4R5. 12.x is supposed to include fixes for these issues, but sadly does not.