SRX Services Gateway
Trusted Contributor
Posts: 108
Registered: 09-13-2009

SSG vs. SRX

Hi,

Coming from ScreenOS and having played around with my own SRX210 box for about 3 months, my opinion:

I'm very frustrated with the web GUI and the SRX... I know, better performance and blah blah blah...

But I have spent a lot of my own time configuring my own SRX box....

- Most things you have to do with the CLI, because the web GUI simply does not work.

- Configuring in the web GUI... error on commit; in the CLI no problem ???!!!!

- NSM does not support Junos 10.... and the new NSM 2009 is very slow!!!!!!!!!! - server and client - firewall admins complain about the slowness every day....

- Dynamic VPN? Haaa, I give the whole world access to my web UI??? What about manage-ip?

- What about the track-ip feature? I know, scripting....

- Changing from Junos 9.6 to Junos 10.0 they changed the whole factory setup???

   Bridge-group is nice, but please put some interfaces in the untrust zone and let the web GUI work for changing the VLAN setup!!!!

- Boot times of 4-6 minutes (until the web GUI is accessible) for an SRX210 are a joke? My ISG2000 with IDP blades boots up in 3 minutes! And a NetScreen 50 in 30 seconds!

So good performance, but loss of most of the ScreenOS features, and I have to read lots of documents and do troubleshooting.... because the web GUI does not work and I have to figure out on my own that I have to change the settings in the CLI? So, better remove the web GUI.... if most things do not work!

Is this the idea of Juniper?

So if Juniper wants to switch from the SSG to the SRX they have to do a lot of work; otherwise I, and the company I'm working for, will choose the SSG series or better switch to some other vendor......, better to spend time on other companies' solutions that work!

I'm very frustrated with the SRX series!, another day of spending my free time!

Please also adjust the NSM 2009 slowness!

Comparing the GUI from Check Point with Juniper's, Juniper's is a joke compared to theirs!

P.S. I hope some of the important Juniper guys will take care of my post... or otherwise maybe FortiGate or Palo Alto will be my choice for me and my company.

Regards,

Piccolo

-Piccolo
Contributor
Posts: 47
Registered: 09-27-2009

Re: SSG vs. SRX


Thanks for posting your experiences with the SRX210. The SRX was a strong contender for my next firewall purchase, but I may look elsewhere now that it seems the problems with Junos are getting out of hand. One question for you though: have you had these problems with Junos 9.X, 10.X or both? If only the latter, perhaps I could run 9.X until 10.X matures enough to be a usable platform.

 

Thanks aidan.

Trusted Expert
Posts: 784
Registered: 11-01-2007

Re: SSG vs. SRX


Junos 10 had a lot of focus on improving the web UI, boot times, etc., and I think you'll find it a great improvement. That said, I've seen that the roadmap continues to focus on this area over the next several releases - we realize that this area needs more focus.

I'm also sharing this post internally - we have a new internal collaboration environment which helps us share this type of feedback more effectively.

BTW, the change in factory config was for the better, I think... you can plug an Ethernet cable in and get a GUI without having to access the console and configure first. As we make improvements there will be inevitable behavior changes.

Please do keep the feedback coming!

Thx

 

-Keith

Contributor
Posts: 93
Registered: 05-28-2008

Re: SSG vs. SRX

Hello,

I would also like to give my feedback about the SRX platform...

I have deployed more than 100 NetScreen/SSG devices (clustered or not) over the last 5 years with great success.

This is one of my favorite platforms...

A short time ago, the Juniper platform was introduced...

1) Clustering (tested on Junos 9.6R2)

Clustering is NOT stable. I have two clusters deployed. Both of them react differently. Sometimes one node leaves the cluster without any reason.

2) GUI

That's the worst GUI I have ever seen!

Slow.

Most of the commands cannot be implemented in the GUI. Better to do it directly from the CLI.

3) NSM integration (latest version)

Policy push is not working.

Sometimes the logs are not received...

4) UTM

AV is not working at all (tested on Junos 10).

It completely freezes the device.

5) VPN

Bug with VPN on Junos 9.6R2.

6) IDP

Because the RE is not active on the backup node (this applies only if you're in a cluster), it cannot update the attack database...

Too many problems for me.

I have taken the decision NOT to sell this device anymore until all of these problems are solved!

Platform rating

SRX: 3/10

SSG: 8/10

Check Point: 8/10

Regards,

Hedi

Contributor
Posts: 57
Registered: 11-09-2009

Re: SSG vs. SRX

1) I have the same issue with SRX240H and SRX240POE clusters running 9.6R1. So far the only suggestion from JTAC has been to change the patch leads for the control link and fabric link. No improvement so far; I keep losing nodes without any reason....

2) I only use the CLI; the GUI is too slow and misses most of the options.

3) NSM is a pain to work with: it is slow, not intuitive and always late. We had to wait more than a month after the 9.6R1 release for SRXs running it to be added and managed in NSM. The same goes for 10.0R1: the DMI schema update came after the Junos release. I can't understand why a company like Juniper is not able to schedule the firmware release and the management software release so that there is no uncovered period...

Contributor
Posts: 47
Registered: 09-27-2009

Re: SSG vs. SRX

For my own education, what sort of response times were you experiencing when using J-Web?  And what specific commands were you unable to perform?  Thanks!

Trusted Contributor
Posts: 108
Registered: 09-13-2009

Re: SSG vs. SRX


I have bought an SRX210 on my own with the goal of expanding my skills on Junos and on the "next generation" firewalls of Juniper.

Starting from 9.5 until 10, I have to say that the web UI has become faster, but the need for Flash and all the "playing" stuff is very annoying and slows down the configuration....! Maybe some end users will enjoy it, but I don't!

Even with Junos 10 there are issues...: some configurations made in the web UI are not showing in the CLI? And vice versa... where are the rib-groups, for example?

The CLI commands are 3-4 times longer than in ScreenOS, a lot of typing...

The changes in Junos 10 are not so nice for me..., resetting to the default and then wondering about what happened to the config..... It took me a lot of time to remove the trust VLANs with the CLI, because in the web UI this is not possible....

For the other problems/bugs there are enough postings in this forum.

Very nice, losing lots of my free time.

But the great thing: I HAVE HAD a new hobby! SRX.

Now I am very angry with the SRX; I will use it now as a switch, nothing more. I have no more nerves for the SRX series!

It's a joke what Juniper has put out... OK, 1-2 releases having problems is OK, but not 3 releases and so on!

I have spent a lot of money, blown into the air!, but this was my last Juniper equipment; I have learned with the SRX series!

Better Juniper move the performance of the SRX to the SSG/ISG series, and people would be happy.

Working as a Security Officer for a datacenter, the SRX will never be deployed there! That's now sure.

-Piccolo
Trusted Contributor
Posts: 254
Registered: 09-09-2009

Re: SSG vs. SRX

Hi Piccolo,

What bug did you have with the VPN on 9.6?

Trusted Expert
Posts: 784
Registered: 11-01-2007

Re: SSG vs. SRX


Piccolo,

Sorry to hear about your frustrating experience. As I mentioned before, we hear you (and others) and are working hard to improve the user experience, quality, and features of the SRX branch products. As you note, there's been improvement, but more to do. I hope you have cases open for the issues you've experienced - they may not be well known yet and that will help us tackle them sooner.

Some other comments...

Re: CLI commands - longer, yes, but with auto-complete (?, space or tab, the former providing online help) it should not be that much typing.

Now, as someone who used to do remote deployments of ScreenOS-based firewalls in a past life, I would tolerate a lot of typing for one element of the Junos CLI - commit confirmed. This simple feature has saved many a truck roll. (For those not familiar - it works like changing the screen resolution on a Windows PC - it requires a subsequent ack from the operator or it reverts to the last config.)

This feature is enabled by the same underlying architecture that makes the commands a little longer - as one of the lead developers notes, "Junos treats configuration data as first class content. This seems like a minor point, but it turns into a great opportunity for creating interesting features".

The Junos automation features are another good example of how the architecture is used.

The Junos CLI is a powerful tool - the web UI can never completely replace it, and it is well worth learning more about how it can help reduce effort and increase reliability in your networks.

-Keith
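The fail-safe Keith describes, as an added example that is not from the thread and not Juniper's code: a minimal Python model of a commit-confirmed change. On a real box the workflow is `commit confirmed <minutes>` followed by a plain `commit` inside the window (the default window is 10 minutes); if the confirming commit never arrives, the previous configuration is restored. The model assumes a toy configuration that is just a list of prefixes allowed to reach management, addresses from the documentation ranges, and an injected clock so the timer can be exercised without waiting; none of those come from the original post.

```python
"""Added example, not from the thread or from Junos: a model of 'commit confirmed'.
The candidate config is activated immediately, but unless the operator confirms it
before the deadline it is rolled back. The config model, addresses and clock are
constructed for this example."""
from ipaddress import ip_address, ip_network
from typing import List, Optional


class Config:
    """Toy running config: the prefixes allowed to reach the management plane."""

    def __init__(self, name: str, mgmt_allow: List[str]):
        self.name = name
        self.mgmt_allow = [ip_network(p) for p in mgmt_allow]

    def permits(self, operator_ip: str) -> bool:
        ip = ip_address(operator_ip)
        return any(ip in net for net in self.mgmt_allow)


class Device:
    def __init__(self, active: Config):
        self.active = active
        self.rollback: List[Config] = []
        self.deadline: Optional[float] = None  # seconds on the injected clock; None = nothing pending

    def commit_confirmed(self, candidate: Config, minutes: int, now: float) -> None:
        """Activate the candidate and arm the automatic rollback timer."""
        self.rollback.append(self.active)
        self.active = candidate
        self.deadline = now + minutes * 60

    def confirm(self, operator_ip: str, now: float) -> bool:
        """The confirming commit is only delivered if the operator can still reach
        the box under the NEW config. Returns True if the change was kept."""
        if self.deadline is None or now >= self.deadline:
            return False  # nothing pending, or the window already closed
        if not self.active.permits(operator_ip):
            return False  # operator locked themselves out; the ack never arrives
        self.deadline = None
        return True

    def tick(self, now: float) -> bool:
        """What the device's timer does: revert once the deadline passes unconfirmed."""
        if self.deadline is not None and now >= self.deadline:
            self.active = self.rollback.pop()
            self.deadline = None
            return True
        return False


def remote_change(new_allow: List[str], operator_ip: str, minutes: int = 5) -> str:
    """Simulate an operator at operator_ip pushing a new management filter with
    'commit confirmed' and return the name of the config active afterwards."""
    dev = Device(Config("baseline", ["203.0.113.0/24"]))
    dev.commit_confirmed(Config("candidate", new_allow), minutes, now=0.0)
    dev.confirm(operator_ip, now=30.0)      # operator tries to confirm 30 s later
    dev.tick(now=minutes * 60 + 1)          # timer fires after the window
    return dev.active.name


if __name__ == "__main__":
    # A filter that still includes the operator's own prefix survives...
    print(remote_change(["203.0.113.0/24", "198.51.100.0/24"], "203.0.113.7"))
    # ...one that drops it is reverted, which is the truck roll saved.
    print(remote_change(["198.51.100.0/24"], "203.0.113.7"))
```

The point the model makes explicit is that the confirmation depends on the new configuration being reachable at all, which is exactly the class of mistake (a management filter, a default route, a zone change on the uplink) that otherwise strands a remote device.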

Trusted Contributor
Posts: 108
Registered: 09-13-2009

Re: SSG vs. SRX

Hi,

I know that Junos is very powerful and has lots of features.

I also know that the web UI won't have all the features of the CLI, but this web UI is the worst that I have seen.

It would be nice if the features implemented in the web UI worked, so I wouldn't have to troubleshoot the web UI as well..

I find it strange that Juniper puts out products that are in the "beta" phase; sorry, but this is my opinion.

I have bought the device, spent money on the subscription to get the latest versions, and what did I get?

So this is my free time and also my own money spent, and I open tickets so that Juniper can fix their products?

This is not a choice for me, and not for my company either.

-Piccolo
Contributor
Posts: 10
Registered: 03-19-2009

Re: SSG vs. SRX

Keith,

I'm a big Junos fan myself, but the SRX is really not ready for a production environment. I put up with it with the understanding that this is a new platform and it will take some time to work the bugs out. But you have to understand that it's difficult for us to continue to promote the SRX if these stability issues are not addressed really fast.

I'm hoping the next release will put to rest the clustering and UTM issues. We can live with the minor issues but not major ones.

-Polskino

Super Contributor
Posts: 206
Registered: 03-11-2008

Re: SSG vs. SRX

I've got an SRX210 and I have found it to be very unstable. It has real issues reconnecting to an ADSL connection that has dropped. I've got a JTAC support ticket open, but it has been about 2 months now and they haven't been able to fix the problem.

The SSG range is great, but I'm having issues liking the SRX devices; really buggy. I cannot recommend them to my clients, which is a shame because they should be good...

I hope they fix these issues soon, otherwise it is time to go to a different company.

Trusted Contributor
Posts: 254
Registered: 09-09-2009

Re: SSG vs. SRX

I am using an SRX240 and SRX210 live as we speak, but I do have a simple network design with two offices.

Let me talk about what's good:

1. VPNs were easy to set up

2. Good hardware

3. Junos (is great when you get the hang of it)

4. So far it's been reliable (knock on wood). I don't have any UTM and IDP policies in place as of yet.

Before purchasing my SRX I was testing the SSG line of firewalls and they worked great! I decided to go with the SRX since my Juniper rep told me that it's the best of both worlds, firewall and routing, and since it's using Junos I assumed that it would be the future of the Juniper firewall line.

I also compared the hardware specs of the SRX to the SSG and it beat it badly. Plus it included a 16-port switch.

What I don't like about it is the little things, for example:

1. I can't assign my remote VPN clients to a different security zone

2. I can't assign a DHCP pool to my remote VPN clients

3. I can't change the SSH management port from 22 to another port

4. I can't use MS-CHAP or PEAP for remote VPN connectivity

5. Disappointed with the licenses: a Dynamic VPN license is 10x a normal NS Remote client license, and since it's 10 times more I hoped it was 10 times better, but it's not. I hope these are little tweaks like adding the MTU etc. on the client, better logging etc., but right now it's version 1 - I hope they make a lot of changes soon

6. I can't have a VPN group profile; everybody needs their own IKE and IPsec config

7. Configuring port forwarding is a pain: only 8 rule-sets per destination and source NAT

8. I heard clustering and high availability are a huge problem right now. I was considering a high availability environment for next year, but I guess I will wait it out

9. UTM and IDP are hardware hogs and crash the system, considering a license for both is 3 grand. This is unacceptable and needs to be fixed ASAP.

Those are some of the features I came across, and this firewall is still very young and I find it hard to get help. The documents are OK and the help menus in J-Web are pretty much useless. The support has been pretty good, but I do have a ticket that hasn't been answered for 2 weeks.

What I would like to see is Juniper providing us customers with more road maps and future plans for the SRX series and the Network Access Manager.

The SRX is basically an SA, SSG, IDP and J-series router all in one device and has a lot of potential. I wish that Juniper would focus more on the UTM, IDP, HA and VPN issues since that is what we paid for.

Those are my 2 cents; at least every day I am learning something new and Junos is great!

pkc
Contributor
Posts: 111
Registered: 09-24-2008

Re: SSG vs. SRX


Looks like it's time for an SRX review, so here are my comments.

I purchased an SRX100H to replace an old NS5GT to work from remote.

PPPoE worked quite easily, but then I had real nightmares with NAT (I tested the latest Junos 10), so the box was not usable even for a single user.

I systematically had "dip allocation failed" messages in the debug trace, and found nothing in the KB about this.

J-Web cannot be used; it would be a really good option to be able to disable J-Web completely (i.e. stop the HTTP daemon).

Update time is also huge compared to a ScreenOS update, even on the smallest devices.

I also noticed with the top command that there was a process called flowd_... that systematically consumes 90% or more of the CPU. Could it be possible to know what this process does?

I had to put back my NS5GT, and I think I will put the SRX100 behind the NS5GT to do some more tests.

Regarding the documentation, could it be possible to have an SRX "Concepts and Examples Guide"?

That document is really good (even if there are some errors within, but as in every technical document of this size).

Distinguished Expert
Posts: 2,053
Registered: 08-21-2009

Re: SSG vs. SRX

Hello there,

Regarding disabling J-Web - does

set system processes web-management disable

work for you?

Rgds

Alex

Contributor
Posts: 38
Registered: 11-23-2009

Re: SSG vs. SRX

yemgi,

I am evaluating the SRX platform. I have a cluster set up with SRX240POE boxes and it seems stable. Could you please elaborate on your experience with clustering the SRX240POE? Do you have any special cluster configuration requirements?

Thanks

____________
CCNP - GCFW
Visitor
Posts: 5
Registered: 12-09-2009

Re: SSG vs. SRX

Hi Jodros,

Currently I'm also running a cluster of 2 SRX240H devices (not POE, but IMHO that doesn't matter). The cluster survived my own tests (heavy loads (many new sessions, high throughput), failover, etc.). But as we planned the rollout, the cluster screwed up. Luckily this happened before the system was live.

Currently I have to say that the cluster features are completely unreliable.

Example: If we trigger a failover or restart, one node gets into the state "disabled" (error message for example: ...Failures: cold-sync-monitoring...). After this, the second (active) node is also unreachable. Funnily enough, it worked many times with my test configuration. And yes, now there's no special config.

I really like Junos, especially the CLI and the fact that it's based on BSD. Therefore, I don't need J-Web. If you know how to use the CLI (e.g. go to a deep level to avoid very long commands) you'll never use J-Web. But nowadays, an easy-to-use web-based interface is mandatory for most people. Due to my bad experiences with the SRX series, I think you should wait at least 3-4 revisions before there's a chance that this platform is mature enough for production use. <Joke> If I were Juniper, I would donate one-year subscriptions for free (especially because JTAC has no known workarounds!!) ;-) </Joke>

Contributor
Posts: 38
Registered: 11-23-2009

Re: SSG vs. SRX

Tweety84,

Thanks for the comments. If we decide on Juniper, we would go with 2 SRX3400s with at least 2 SPCs and NPCs. The evaluation is with 2 SRX240POEs. I saw a few abnormal issues with the cluster at first, but they were due to a misconfiguration on my part. The interesting thing about that is that I was following a config guide from kb.juniper.net support. The config guide has a typo when describing the set apply-groups command. It says to issue the command: set apply-groups "${NODE.EN_US}" but it should read: apply-groups "${node}". I left this command out and it caused some interesting results. I finally spoke with someone and corrected it. Since then, clustering has passed all tests that I have performed.

The more I read about the SRX, the more it worries me. I recently discovered a bug while testing the reordering of NAT rules. If you have "overlapping" source NAT rules, they are processed in a top-down fashion. I had to reorder the NAT rules so that the more specific ones were near the top, similar to an ACL. I did so and then committed; however, the SRX continued to process the NAT rules in the original order. I had to completely remove all rules and enter them in the correct order. This is a big concern for me, as I do NAT maintenance frequently and I cannot bring down NAT globally in order to perform routine NAT maintenance. Any other opinions on the SRX would be appreciated. I will also update with more findings as I continue testing.

____________
CCNP - GCFW
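The ordering rule jodros describes, as an added example that is not from the thread and not Junos code: a Python model of a first-match source-NAT rule-set, a check that flags rules shadowed by an earlier, more general rule, and a small flow harness that can be kept as a regression test across reorders. The rule names, prefixes (documentation ranges), pool name and test flows are all constructed for this example.

```python
"""Added example, not from the thread or from Junos: first-match source-NAT
rule-set evaluation, rule shadowing detection, and a flow regression harness.
All rule names, prefixes, pool names and flows below are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class NatRule(NamedTuple):
    name: str
    src: str     # source prefix the rule matches
    dst: str     # destination prefix the rule matches
    action: str  # "off" (no translation) or a source pool name


def first_match(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Top-down, first match wins: the semantics jodros describes for overlapping rules."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule
    return None


def shadowed(rules: List[NatRule]) -> List[Tuple[str, str]]:
    """(dead_rule, shadowing_rule) pairs: a rule can never match if an earlier
    rule covers a superset of both its source and destination prefixes."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                dead.append((later.name, earlier.name))
                break
    return dead


def check_flows(rules: List[NatRule], expectations) -> List[tuple]:
    """Evaluate constructed test flows and return those whose effective action
    differs from the expected one; an empty list means the order in force
    matches the order the operator intended."""
    mismatches = []
    for src, dst, expected in expectations:
        hit = first_match(rules, src, dst)
        got = hit.action if hit else None
        if got != expected:
            mismatches.append((src, dst, expected, got))
    return mismatches


# Constructed rule-set in the wrong order: the general rule shadows the exception.
WRONG_ORDER = [
    NatRule("lan-to-internet", "10.1.0.0/16", "0.0.0.0/0", "pool-public"),
    NatRule("lan-to-partner-no-nat", "10.1.0.0/16", "192.168.50.0/24", "off"),
]
# Same rules, more specific first, the way jodros had to reorder them.
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0]]

# Expectation table an operator would keep alongside the rule-set (constructed).
EXPECTED_FLOWS = [
    ("10.1.2.3", "192.168.50.10", "off"),         # partner traffic must not be NATed
    ("10.1.2.3", "198.51.100.5", "pool-public"),  # everything else leaves via the pool
]

if __name__ == "__main__":
    print("shadowed (wrong order):", shadowed(WRONG_ORDER))
    print("mismatches (wrong order):", check_flows(WRONG_ORDER, EXPECTED_FLOWS))
    print("mismatches (right order):", check_flows(RIGHT_ORDER, EXPECTED_FLOWS))
```

Running `shadowed()` over a rule-set before committing catches the dead rule at review time; running `check_flows()` against the same expectation table after each commit (with the addresses substituted for flows you can actually observe in the session table) is the cheap way to detect the symptom jodros hit, where the order shown in the configuration and the order the box enforces disagree, without taking NAT down to find out.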
Trusted Expert
Posts: 784
Registered: 11-01-2007

Re: SSG vs. SRX

@jodros,

Thanks for alerting us to the typo - I've notified the author.

-Keith

Visitor
Posts: 5
Registered: 12-09-2009

Re: SSG vs. SRX

Hi jodros,

When I started with my tests, the mentioned guide was not available. I also had to figure out the fxp0 (...) stuff by myself. The node-specific configuration also worked without any problems (apply-groups "${node}" is officially documented). My tests also worked flawlessly, but then the troubles began ;-)

I think you can't completely compare the SRX200 to the SRX3000, because the PFE is realised in software in the case of the SRX200 series. Therefore you could be affected by different bugs.

I think the SRX platform is/will be really powerful, but needs some fine-tuning in different cases. If you have to deploy the firewall cluster in the next months (and it has to be really reliable and you don't like to hit the roof) I would take the SSG/ISG series. Compared to other solutions, Juniper is still (for some cases) my favorite.