SRX Services Gateway
Trusted Contributor
piccolo78
Posts: 108
Registered: ‎09-13-2009
0

SSG vs. SRX

Hi,

 

Coming from ScreenOS and playing around on my own SRX210 box for about 3 months:

my opinion:

 

I'm very frustrated with the webgui and the SRX... I know, better performance and bla bla bla...

but I have spent a lot of time on my own configuring my own SRX box....

 

- most things you have to do with the CLI, because the webgui simply does not work.

-  configuring on the webgui ... error on commit, on cli no problem ???!!!!

- NSM does not support Junos 10.... and the new NSM 2009 is very slow!!!!!!!!!! - server and client - fw admins complain about the slowness every day....

- dynamic vpn? haaa, I give the whole world access to my webui??? what about manage-ip?

- what about the track-ip feature? I know scripting ....

- changing from JunOS 9.6 to JunOS 10.0 they changed the whole factory setup???

   bridge-group is nice, but please put some interface in the untrust interface and let the webgui work for changing the vlan setup!!!!

- boot times of an SRX210 of 4-6 minutes (access to the webui) are a joke? My ISG2000 with IDP blades boots up in 3 minutes! And a NetScreen 50 in 30 seconds!

 

so good performance, but the loss of most of the features of ScreenOS, and I have to read a lot of documents and do troubleshooting.... because the webgui does not work and I have to figure out on my own that I have to change the settings in the CLI? so, better remove the webgui.... if most things do not work!

 

Is this the idea of Juniper?

so if Juniper wants to switch from the SSG to the SRX they have to do a lot of work, otherwise I and the company I'm working for will choose the SSG series or better switch to some other vendor......, better to spend time on other companies' solutions that work!

I'm very frustrated with the SRX series!, another day of my free time spent!

Please adjust the NSM 2009 slowness also!

I'm comparing the GUI from Check Point, and Juniper is a joke compared to them!

p.s. I hope some of the important Juniper guys will take care of my post... or otherwise maybe Fortigate or Palo Alto will be the choice for me and my company

 

Regards,

Piccolo

 

 

-PIccolo
Contributor
AidanOS
Posts: 47
Registered: ‎09-27-2009
0

Re: SSG vs. SRX


Thanks for posting your experiences with the SRX210.  The SRX was a strong contender for my next firewall purchase but I may look elsewhere now that it seems the problems with JUNOS are getting out of hand.  One question for you though, have you had these problems with JUNOS 9.X, 10.X or both?  If only the latter perhaps I could run 9.X until 10.X matures enough to be a useable platform.

 

Thanks aidan.

Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007
0

Re: SSG vs. SRX


Junos 10 had a lot of focus on improving the web UI, boot times, etc and I think you'll find it a great improvement. That said, I've seen that the roadmap continues to focus on this area over the next several releases - we realize that this area needs more focus.

 

I'm also sharing this post internally - we have a new collaboration environment internally which helps us share this type of feedback more effectively.

 

BTW the change in factory config was for the better I think...you can plug an ethernet in and get a GUI without having to access the console and config first. As we make improvements there will be inevitable behavior changes.

 

Please do keep the feedback coming!

 

Thx

 

-Keith

Contributor
Hedia
Posts: 93
Registered: ‎05-28-2008
0

Re: SSG vs. SRX

Hello,

 

I would like also to give my feedback about SRX platform...

I have deployed more than 100 Netscreen/SSG devices (cluster or not) over 5 years with great success.

This is one of my favorite platforms...

A short time ago, the Juniper platform was introduced...

 

1) Clustering (tested on JunOS 9.6R2)

Clustering is NOT stable. I have two clusters deployed. Both of them react differently. Sometimes one node leaves the cluster without any reason.

 

2) GUI

That's the worst GUI I have ever seen!

Slow.

Most of the commands cannot be implemented in the GUI. Better to do it directly from the CLI.

 

3) NSM integration (last version)

Policy push is not working.

Sometimes, the logs are not received...

 

4) UTM

AV is not working at all (tested on JunOS 10).

It completely freezes the device.

 

5) VPN

Bug with VPN on JunOS 9.6R2

 

6) IDP

Because the RE engine is not active on the backup node (this config applies only if you're in a cluster), it cannot update the attack database...

Too many problems for me.

 

I took the decision to NOT sell this device anymore until all of these problems are solved !

 

Platform rating

SRX: 3/10

SSG: 8/10

Checkpoint: 8/10

 

Regards,

 

Hedi

Contributor
yemgi
Posts: 57
Registered: ‎11-09-2009
0

Re: SSG vs. SRX

1) I have the same issue with SRX240H and SRX240POE clusters running 9.6R1. So far the only suggestion from JTAC has been to change the patch leads for the control link and fabric link. No improvement so far, I keep losing nodes without any reason....

2) I only use the CLI, the GUI is too slow and misses most of the options.

3) NSM is a pain to work with, it is slow, not intuitive and always late. We had to wait more than a month after the 9.6R1 release for SRX running it to be added and managed in NSM. Same goes for 10.0R1, the DMI schema update came after the JunOS release. I can't understand why a company such as Juniper is not able to schedule the firmware release and the management software release so there is no uncovered period...

Contributor
AidanOS
Posts: 47
Registered: ‎09-27-2009
0

Re: SSG vs. SRX

For my own education, what sort of response times were you experiencing when using J-Web?  And what specific commands were you unable to perform?  Thanks!

Trusted Contributor
piccolo78
Posts: 108
Registered: ‎09-13-2009
0

Re: SSG vs. SRX


I bought an SRX210 on my own with the goal of expanding my skills on Junos and for the "next" generation firewalls of Juniper.

Starting from 9.5 until 10 I have to say that the webui has become faster, but the need for Flash and all the "playing" stuff is very annoying and slows down the configuration....! Maybe some end users will enjoy it, but I don't!

Even issues with Junos 10...., some configurations made in the webui are not showing in the CLI? And vice versa... where are the rib groups, for example?

The CLI commands are 3-4 times longer than in ScreenOS, a lot of typing...

The changes in Junos 10 are not so nice for me..., resetting to the default and then wondering about what happened to the config..... It took me a lot of time to remove the trust VLANs with the CLI, because in the webui this is not possible....

 

for the other problems/ bugs there are enough postings in this forum.

 

very nice :smileymad:, losing lots of my freetime

but the great thing :i HAVE HAD  a new hobby ! SRX :robotmad:

 

Now I am very angry with the SRX, I will use it now as a switch, nothing more. I have no more nerves for the SRX series!

It's a joke what Juniper has given out... ok, 1-2 releases having problems, it's ok, but not 3 releases and so on!

I have spent a lot of money, blown in the air!, but this was my last Juniper equipment, I have learned with the SRX series!

Better Juniper move the performance of the SRX to the SSG / ISG series, and people would be happy.

Working as a Security Officer for a datacenter, the SRX will never be deployed there! That's now sure.

 

 

-PIccolo
Trusted Contributor
groque1
Posts: 254
Registered: ‎09-09-2009
0

Re: SSG vs. SRX

HI Piccolo,

 

What bug did you have with the VPN on 9.6?

Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007
0

Re: SSG vs. SRX


Piccolo,

 

Sorry to hear about your frustrating experience. As I mentioned before, we hear you (and others) and are working hard to improve the user experience, quality, and features of the SRX branch products. As you note, there's been improvement, but more to do. I hope you have cases open for the issues you've experienced - they may not be well known yet and that will help us tackle them sooner.

 

Some other comments...

 

re: CLI commands - longer yes, but with auto-complete (?, space or tab, the former providing online help) should not be that much typing. 

 

Now, as someone who used to do remote deploys of ScreenOS based firewalls in a past life, I would tolerate a lot of typing for one element of the Junos CLI - commit confirm. This simple feature has saved many a truck-roll. (For those not familiar - it works like changing screen resolution on a Windows PC - it requires a subsequent ack from the operator or it reverts to the last config.)

This feature is enabled because of the same underlying architecture that makes the commands a little longer - as one of the lead developers notes "Junos treats configuration data as first class content.  This seems like a minor point, but it turns into a great opportunity for creating interesting features".

The Junos automation features are another good example of how the architecture is used.

 

The Junos CLI is a powerful tool - the web UI can never completely replace it and it is well worth learning more about how it can help reduce effort and increase reliability in your networks.

 

-Keith

Trusted Contributor
piccolo78
Posts: 108
Registered: ‎09-13-2009
0

Re: SSG vs. SRX

hi,

 

I know that Junos is very powerful and has a lot of features.

I also know that the webui won't have all the features of the CLI, but this webui is the worst that I have seen.

It would be nice if the features implemented in the webui worked, without having to troubleshoot the webui also..

I find it strange that Juniper puts out products that are in "beta" phase, sorry, but this is my opinion.

I have bought the device, spent money on the subscription to get the latest versions and what did I get? :smileysurprised:

So this is my free time and also my money, spent on my own, and opening tickets so that Juniper can fix their products? :smileysad:

This is not a choice for me, nor for my company.

 

 

-PIccolo