12-04-2009 05:45 PM
Coming from ScreenOS and playing around on my own SRX210 box for about 3 months:
I'm very frustrated with the webgui and the SRX... I know, better performance and bla bla bla...
but I have spent a lot of time on my own configuring my own SRX box....
- most things you have to do with the CLI, because the webgui simply does not work.
- configuring on the webgui ... error on commit, on CLI no problem ???!!!!
- NSM does not support Junos 10.... and the new NSM 2009 is very slow!!!!!!!!!! - server and client - fw admins
complain about the slowness every day....
- dynamic VPN ? haaa, I give the whole world access to my webui ??? what about manage-ip ?
- what about the track-ip feature ? I know scripting ....
- changing from JunOS 9.6 to JunOS 10.0 they changed the whole factory-setup ???
bridge-group is nice, but please put some interface in the untrust interface and let the webgui work for changing
the vlan-setup !!!!
- boot times of an SRX210 of 4-6 minutes (access to the webui) are a joke ? my ISG2000 with IDP blades boots up in 3 minutes ! and a NetScreen 50 in 30 seconds !
so good performance, but loss of most of the features of ScreenOS, and I have to read a lot of documents and do troubleshooting.... because the webgui does not work and I have to figure out on my own that I have to change the settings in the CLI ? so, better remove the webgui.... if most things do not work !
is this the idea of Juniper ?
so if Juniper wants to switch from the SSG to the SRX they have to do a lot of work, otherwise I and the company I'm working for will choose the SSG series or better switch to some other vendor...... , better spend time on other companies' solutions that work !
I'm very frustrated with the SRX series !, another day of spending my free time !
Please adjust the NSM 2009 slowness also !
comparing the GUI of Check Point and Juniper, it is a joke compared to them !
p.s. I hope some of the important Juniper guys will take care of my post... or otherwise maybe Fortigate or Palo Alto will be my choice for me and my company
12-05-2009 06:48 AM - edited 12-05-2009 06:49 AM
Thanks for posting your experiences with the SRX210. The SRX was a strong contender for my next firewall purchase but I may look elsewhere now that it seems the problems with JUNOS are getting out of hand. One question for you though, have you had these problems with JUNOS 9.X, 10.X or both? If only the latter perhaps I could run 9.X until 10.X matures enough to be a useable platform.
12-05-2009 07:10 AM - edited 12-05-2009 07:24 AM
Junos 10 had a lot of focus on improving the web UI, boot times, etc and I think you'll find it a great improvement. That said, I've seen that the roadmap continues to focus on this area over the next several releases - we realize that this area needs more focus.
I'm also sharing this post internally - we have a new collaboration environment internally which helps us share this type of feedback more effectively.
BTW the change in factory config was for the better I think...you can plug an ethernet in and get a GUI without having to access the console and config first. As we make improvements there will be inevitable behavior changes.
Please do keep the feedback coming!
12-05-2009 10:01 AM
I would like also to give my feedback about SRX platform...
I have deployed more than 100 Netscreen/SSG devices (cluster or not) over the last 5 years with great success.
This is one of my favorite platforms...
Some time ago, the Juniper platform was introduced...
1) Clustering (tested on JunOS 9.6R2)
Clustering is NOT stable. I have two clusters deployed. Both of them react differently. Sometimes one node leaves the cluster without any reason.
That's the worst GUI I have ever seen !
Most of the commands cannot be implemented in the GUI. Better to do it directly from the CLI
3) NSM integration (last version)
Policy push is not working
Sometimes, the logs are not received...
AV is not working at all (test on JunOS 10)
It completely freezes the device.
Bug with VPN on JunOS 9.6R2
Because the RE engine is not active on the backup node (this config applies if you're in cluster only) cannot update the attack database...
Too many problems for me.
I took the decision to NOT sell this device anymore until all of these problems are solved !
12-07-2009 12:57 AM
1) I have the same issue with SRX240H and SRX240POE clusters running 9.6R1. So far the only suggestion from JTAC has been to change the patch leads for control link and fabric link. No improvement so far, I keep losing nodes without any reason....
2) I only use the CLI, the GUI is too slow and misses most of the options.
3) NSM is a pain to work with, it is slow, not intuitive and always late. We had to wait more than a month after the 9.6R1 release for SRX running it to be added and managed in NSM. Same goes for 10.0R1, the DMI schema update came after the JunOS release. I can't understand why a company such as Juniper is not able to schedule the firmware release and the management software release so there is no uncovered period...
12-08-2009 02:05 AM - edited 12-08-2009 02:15 AM
I bought an SRX210 on my own with the goal of expanding my skills on Junos and for the "next" generation firewalls of Juniper
starting from 9.5 until 10 I have to say that the webui has become faster, but the need for Flash and all the "playing" stuff is very annoying and slows down the configuration.... ! maybe some end users will enjoy it, but I don't !
even issues with Junos 10.... , some configurations made in the webui are not showing in the CLI ? and vice versa... where are the rib groups, for example ?
the CLI commands are 3-4 times longer than in ScreenOS, lots of typing...
the changes in Junos 10 are not so nice for me..., resetting to the default and then wondering about what happened to the config..... it took me a lot of time to remove the trust-vlans with the CLI, because in the webui this is not possible.. ..
for the other problems/ bugs there are enough postings in this forum.
very nice , losing lots of my free time
but the great thing: I HAVE HAD a new hobby ! SRX
now I am very angry with the SRX, I will use it now as a switch, nothing more. I have no more nerves for the SRX series !
it's a joke what Juniper has given out... ok, 1-2 releases having problems, it's ok, but not 3 releases and so on !
I have spent a lot of money, blown into the air !, but this was my last Juniper equipment, I have learned with the SRX series !
better Juniper move the performance of the SRX to the SSG / ISG series, and people would be happy.
Working as a Security Officer for a datacenter, SRX will never be deployed there ! That's now sure.
12-08-2009 08:31 AM - edited 12-08-2009 09:32 AM
Sorry to hear about your frustrating experience. As I mentioned before, we hear you (and others) and are working hard to improve the user experience, quality, and features of the SRX branch products. As you note, there's been improvement, but more to do. I hope you have cases open for the issues you've experienced - they may not be well known yet and that will help us tackle them sooner.
Some other comments...
re: CLI commands - longer yes, but with auto-complete (?, space or tab, the former providing online help) should not be that much typing.
Now, as someone who used to do remote deploys of ScreenOS based firewalls in a past life, I would tolerate a lot of typing for one element of the Junos CLI - commit confirm. This simple feature has saved many a truck-roll. (For those not familiar - it works like changing screen resolution on a Windows PC - it requires a subsequent ack from the operator or it reverts to the last config.)
This feature is enabled because of the same underlying architecture that makes the commands a little longer - as one of the lead developers notes "Junos treats configuration data as first class content. This seems like a minor point, but it turns into a great opportunity for creating interesting features".
The Junos automation features are another good example of how the architecture is used.
The Junos CLI is a powerful tool - the web UI can never completely replace it and it is well worth learning more about how it can help reduce effort and increase reliability in your networks.
12-08-2009 09:38 AM
I know that Junos is very powerful and has a lot of features.
I also know that the webui won't have all the features of the CLI, but this webui is the worst that I have seen.
it would be nice if the features implemented in the webui worked, not to have to troubleshoot the webui also..
I find it strange that Juniper puts out products that are in "beta" phase, sorry, but this is my opinion.
I have bought the device, spent money on the subscription to get the latest versions and what did I get ?
so this is my free time and also my own money I am spending, and I open tickets so that Juniper can fix their products ?
this is not a choice for me, nor for my company.
12-08-2009 01:31 PM
I'm a big Junos fan myself but the SRX is really not ready for a production environment. I put up with it with the understanding that this is a new platform and will take some time to work the bugs out. But you have to understand it's difficult for us to continue to promote the SRX if these stability issues are not addressed real fast.
I'm hoping the next release will put to rest the clustering and UTM issues. We can live with the minor issues but not major ones.
12-08-2009 03:34 PM
I've got an SRX210 and I have found it to be very unstable. It has real issues reconnecting to an ADSL connection that has dropped. I've got a JTAC support ticket open but it has been about 2 months now and they haven't been able to fix the problem.
The SSG range is great but I'm having issues liking the SRX devices, really buggy. I cannot recommend them to my clients which is a shame because they should be good...
I hope they fix these issues soon otherwise it is time to go to a different company.
12-08-2009 05:49 PM
I am using an SRX240 and SRX210 live as we speak but I do have a simple network design with two offices
Let me talk about what's good
1. VPNs were easy to set up
2. Good hardware
3. Junos (is great when you get the hang of it)
4. So far it's been reliable (knock on wood). I don't have any UTM and IDP policies in place as of yet
Before purchasing my SRX I was testing the SSG line of firewalls and they worked great! I decided to go with the SRX since my Juniper rep told me that it's the best of both worlds, firewall and routing, and since it's using Junos I assumed that it would be the future of the Juniper firewall line.
I also compared the hardware specs with the SRX to the SSG and it beat it bad. Plus it included a 16 port switch.
What I don't like about it is the little things for example
1. I can't assign my remote VPN clients into a different security zone
2. I can't assign a DHCP pool to my Remote VPN clients
3. I can't change the SSH management port from 22 to another port
4. I can't use MS CHAP or PEAP for remote VPN connectivity
5. Disappointed with the licenses. A Dynamic VPN license is 10x a normal NS Remote Client license and since it's 10 times more I hoped it was 10 times better but it's not. I hope these are little tweaks like adding the MTU etc. on the client, better logging etc., but right now it's version 1 - I hope they make a lot of changes soon
6. I can't have a VPN group profile, everybody needs their own IKE and IPSEC config
7. Configuring port forwarding is a pain, only 8 rule-sets per destination and source NAT
8. I heard clustering and high availability is a huge problem right now. I was considering a high availability environment for next year but I guess I will wait it out
9. UTM and IDP are hardware hogs and crash the system, considering a license for both is 3 grand. This is unacceptable and needs to be fixed ASAP.
Those are some of the features I came across, and this firewall is still very young and I find it hard to get help. The documents are ok and the help menus on JWEB are pretty much useless. The support has been pretty good but I do have a ticket that hasn't been answered for 2 weeks.
What I would like to see is Juniper provide us customers with more road maps and future plans with the SRX series and the Network Access Manager.
The SRX is basically an SA, SSG, IDP and J-series router all in one device and has a lot of potential. I wish that Juniper would focus more on the UTM, IDP, HA and VPN issues since that is what we paid for
those are my 2 cents, at least every day I am learning something new and Junos is great!
12-09-2009 12:19 AM - edited 12-09-2009 12:47 AM
Looks like it's time for srx review, so here are my comments.
I purchased an srx100h to replace an old ns5gt to work from remote.
PPPoE worked quite easily, but then I really had nightmares with NAT (I tested the latest Junos 10), so the box was not usable even for a single user.
I systematically had "dip allocation failed" messages in the debug trace, and found nothing in the KB about this.
jweb cannot be used, it would be really a good option to be able to disable jweb completely (i.e. stop the http daemon).
update time is also huge compared to a ScreenOS update, even on the smallest devices.
I also noticed with the top command there was a process called flowd_..; that systematically consumes 90% or more CPU. could it be possible to know what this process does ?
I had to put back my ns5gt, and I think I will put the srx100 behind the ns5gt to do some more tests.
Regarding the documentation, could it be possible to have an srx "concept and example guide" ?
this document is really good (even if there are some errors within, but as in every technical document that has this size).
12-09-2009 08:20 AM
Regarding disabling Jweb - does
set system processes web-management disable
- work for you?