10-17-2010 08:33 AM
Around Aug 14 I had posted our issues on a pair of SRX 650's and SRX 3600's, used at the University of Waterloo for main campus wireless NAT and data centre firewall.
The pair of 650's have been problem free since about April 27, after upgrade to 10.0R3.10. The pair of 3600's have been essentially problem free since about Aug 19, after upgrade to 10.0R3.10. We use stateful firewall and/or NAT features only.
I say "essentially" for the data centre firewall, as twice we cannot figure out protocol/timeout issues between specific clients/servers where traffic passes through the firewall. E.g. we set "allow all" in both directions, set timeouts to infinite or very long, turn off strict TCP checks, and still have issues, until we move the host outside the firewall, or move everything to the same side of the firewall. Wireshark will show the TCP session breaking and re-establishing. But hundreds of other servers, and thousands of services, are working fine.
One such issue appears to be Microsoft RPC; we've been advised there is protocol awareness in a later version. We just moved hosts as we don't want to upgrade right now. Another issue was Hirsch door controllers; we never opened a case, and moved the host.
What might help is something like Cisco ASA "TCP Bypass", which I understand to blindly forward traffic with no protocol, sequence, or any other checks, when configured. This could help immensely to prove/disprove that the firewall is the issue when needed.
10-26-2010 01:58 PM
Regarding Cisco ASA "TCP Bypass," couldn't you use packet-based processing instead of flow-based processing?
I've never used it or needed it myself, but it sounds like what you're looking for?
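An added illustration (not from either poster) of the packet-based processing the reply refers to, as a scoped diagnostic for one client/server pair. The syntax is the Junos selective stateless packet-based services feature as I recall it, and the interface names, filter names and addresses are assumed; verify the `packet-mode` action against the release you run.

```junos
# Flow-based processing is the SRX default. Traffic matched by a term with the
# packet-mode action skips the session table, ALGs and security policies, so it
# behaves like the ASA "TCP Bypass" the original post asked for. Keep the match
# narrow: anything matched here gets no stateful inspection at all.
set firewall family inet filter bypass-flow term door-controller from source-address 192.0.2.50/32
set firewall family inet filter bypass-flow term door-controller from destination-address 198.51.100.20/32
set firewall family inet filter bypass-flow term door-controller then packet-mode
set firewall family inet filter bypass-flow term door-controller then accept
# Everything else stays in flow mode; without this term the filter would discard it.
set firewall family inet filter bypass-flow term everything-else then accept

# The return direction must also be packet-mode, otherwise the flow module sees
# reply packets with no session and drops them. Apply a mirrored term on the
# interface where the server's traffic enters the box.
set firewall family inet filter bypass-flow-return term door-controller from source-address 198.51.100.20/32
set firewall family inet filter bypass-flow-return term door-controller from destination-address 192.0.2.50/32
set firewall family inet filter bypass-flow-return term door-controller then packet-mode
set firewall family inet filter bypass-flow-return term door-controller then accept
set firewall family inet filter bypass-flow-return term everything-else then accept

# Filters are applied as input filters on the two ingress interfaces (assumed names).
set interfaces ge-0/0/0 unit 0 family inet filter input bypass-flow
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow-return
```

If the session drops stop while the pair is in packet mode, the flow module (timeouts, sequence checks or an ALG) is implicated; if they continue, the firewall is not the cause. Remove the terms once the test is done so the pair is back under stateful inspection.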
10-27-2010 01:58 PM
FWIW, in our testing, JunOS 10.2r3 works well w/ MSRPC applications such as Exchange and AD replication. JunOS 10.3r2 has been promised to have the same stability. As none of the features in 10.3 are all that compelling to us, we're sticking with 10.2r3 as the "go to" release for now, and we'll likely move to 10.4rx (1 or 2 depending on how brave we feel) as the next "go to" release when that has been released.
It's not been all that long for 10.2r3. So far, it's been stable. 10.2r2 was stable w/ regards to clustering, it just had some massive ALG issues and an annoying memory leak in web filtering.
11-23-2010 12:48 AM
I have to say I'm going to pile on the list of SRX complaints. We have been / were a Netscreen shop for YEARS prior to the Juniper acquisition. The ScreenOS devices have been generally rock solid since the Netscreen 5 days when that little hummer would bring a Cisco VPN 3015 to its knees @ 10 Mbit 3DES IPSEC throughput.
A year ago, we were forced into a refresh cycle for our edge firewalls and VPN endpoints after an internal IT consolidation. We had a bake-off between SSG, SRX, and ASA. SSG won for stability and required features, but lost out because we feared Juniper would effectively abandon the line within 3 years. SRX won for overall feature set, but lost out because it couldn't handle a simple firewall with NAT deployment at 9.6x code without core dumping every week or two during the evaluation. The ASA won by default, but it's a descendant of the PIX and still loaded with the crap that made me hate it 10 years ago.
The refresh cycle was Juniper's to win as the incumbent, but lost due to a combination of SRX instability and aggressive SRX marketing that made us fear the long term viability of the ScreenOS line of firewalls. We felt that ScreenOS would rapidly turn into Juniper's CatOS, Cisco's redheaded stepchild switching OS. As an aside, since we were painted into the ASA corner, I was forced to refresh VPN with ASA in lieu of the superior but more expensive Juniper Secure Access solution.
I hope that Juniper gets the SRX right, and sooner rather than later. Rant mode off...
01-10-2011 04:49 PM
New to the SRX family as of 1 month ago.
We had a project deadline in which we were going to deploy our first SRX firewall. I thought "no big deal, it's a firewall... packets in and packets out. I'll have it configured in a few minutes and be done with it." After hours of being amazed at how bad the user interface is and how non-intuitive the SRX is I scrapped it in favor of an SSG20.
I'm now back to the SRX (which is to replace the temporary SSG20) and my frustration continues.
ScreenOS was fast and intuitive; the SRX GUI "looks good but doesn't do crap".
My latest battle is figuring out how to create a MIP, now referred to as a static NAT, which apparently is not possible in the GUI? Amazing, it's the second most used thing in a firewall, after policies, and it can't be done in the GUI? It used to be a one line config item, but now requires 4 lines of code? Is anyone at Juniper paying attention to how they are screwing up what was an awesome, simple to use firewall and turning it into something that only a specialist will be able to configure?
My latest mindset is to just forget EVERYTHING I know about ScreenOS and start all over.
I honestly hope my hatred for this product goes away since I'll be stuck using it going forward.
The first Netscreen we got (about 10 years ago) took me under a day to figure out and set up everything we need a firewall to do, and that was without having 15 KB articles opened up.
This document pretty much explains why I don't like it. Anything that took 1 command line to do now takes 3-4...
Juniper, here are tips to making your product better:
1. make the GUI more useful, intuitive, and faster (focus on more useful first)
2. make the commands simpler
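To make the one-line versus four-line comparison in the post concrete, here is an added example (not the poster's configuration) of a ScreenOS MIP beside its SRX static NAT equivalent, each with the policy that actually lets traffic reach the host. Addresses, interface names, zone names and rule names are assumed.

```junos
# ScreenOS: the MIP is one line on the untrust interface, and the policy
# references the mapped address as mip(...).
set interface ethernet0/0 mip 203.0.113.10 host 192.0.2.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(203.0.113.10) http permit

# Junos on the SRX: the same bidirectional 1:1 mapping needs a rule-set bound
# to the ingress zone, a rule with a match and an action, and proxy ARP so the
# untrust interface answers for the public address.
set security nat static rule-set from-untrust from zone untrust
set security nat static rule-set from-untrust rule mip-web match destination-address 203.0.113.10/32
set security nat static rule-set from-untrust rule mip-web then static-nat prefix 192.0.2.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Static NAT is applied before policy lookup on the SRX, so the policy must
# match the real (post-NAT) address, not the public one. Zone address book
# form shown, as used on the 10.x releases discussed in this thread.
set security zones security-zone trust address-book address web-server 192.0.2.10/32
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit
```

A common cause of a "static NAT doesn't work" ticket is a policy written against 203.0.113.10, which never matches because the destination has already been translated by the time the policy is evaluated.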
01-11-2011 02:26 PM
You must be on an old version of code. Static NAT was added to the GUI. I recommend moving to JunOS 10.2r3 and going from there. Once 10.4 is stable, it'll be the next "go-to" release. 10.4r2, maybe. Time will tell.
I like the way the SRX is structured. Coming from a programming background, the indented way that the config is built is intuitive. I like commit. I LOVE rollback.
However, there are also a lot of gotchas. I don't love cluster management, not at all. I want my flow-based QoS back. I want my "multiple proxy IDs" from ScreenOS 6.3 back. I want the ability to run dual-ISP with static routing back. The list goes on.
In the end, it's a matter of seeing that the features you need are there, and if that's the case, then the SRX provides a very fast, very affordable firewall platform, which, ever since 10.2r3, is also reasonably stable. Ongoing UTM drama notwithstanding.
Getting comfortable with the CLI will be a boon to you.
01-11-2011 02:59 PM
Thanks for the info re: static NAT. I am on an older version (10.0r2) and have been working on gaining access to the downloads so I can update it. Hopefully by the end of the day I'll be running 10.2r3 or later.