SRX Services Gateway
Super Contributor
mwdmeyer
Posts: 200
Registered: ‎03-11-2008

Re: SSG vs. SRX

@CrytpoManiac

 

It hasn't dropped out yet (so it has been up 2 weeks).

 

Sometimes it might last a few weeks though. So I'll let you know if it does it again.

Contributor
CrytpoManiac
Posts: 16
Registered: ‎05-20-2009

Re: SSG vs. SRX

Well, even the Cisco ISRs drop connections at that interval, so that's not too bad :-)

Visitor
BruceCampbell
Posts: 3
Registered: ‎08-14-2010

Re: SSG vs. SRX

 

Around Aug 14 I had posted our issues on a pair of SRX 650's and SRX 3600's, used at the University of Waterloo, for main campus wireless NAT and data centre firewall, respectively.

 

The pair of 650's have been problem free since about April 27, after upgrade to  10.0R3.10.

 

The pair of 3600's have been essentially problem free since about Aug 19, after upgrade to 10.0R3.10

 

We use stateful firewall and/or NAT features only. 

 

I say "essentially" for the data centre firewall, as twice we could not figure out protocol/timeout issues between specific clients/servers where traffic passes through the firewall. e.g. we set "allow all" in both directions, set timeouts to infinite or very long, turn off strict tcp checks, and still have issues, until we move the host outside the firewall, or move everything to the same side of the firewall. Wireshark will show the tcp session breaking and re-establishing. But hundreds of other servers, and thousands of services, are working fine.

One such issue appears to be Microsoft RPC; we've been advised there is protocol awareness in a later version. We just moved hosts as we don't want to upgrade right now. Another issue was Hirsch door controllers; we never opened a case, and moved the host.

 

What might help is something like Cisco ASA "TCP Bypass" which I understand to blindly forward traffic with no protocol, sequence, or any other checks, when configured. This could help immensely to prove/disprove the firewall is the issue when needed.

 

 

 

 

Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
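Bruce's isolation checklist (allow all both ways, long or infinite timeouts, strict TCP checks off, ALG out of the path) written out as Junos set commands. This is an added example, not configuration from the original post or from Juniper documentation. Zone names trust/dmz, the host addresses, port 135 and the interface names are placeholders, and the `set security alg msrpc disable` knob is assumed to exist on the release you run (it does on later 10.x; check `show security alg status`).

```junos
## Added example (not from the thread). Zones, hosts and ports are placeholders.

## 1. Wide-open test policy in BOTH directions. "log session-close" records
##    why each session ended (age-out vs. RST vs. policy), which is the first
##    thing to compare against the Wireshark trace on the hosts.
set security policies from-zone trust to-zone dmz policy test-allow-all match source-address any
set security policies from-zone trust to-zone dmz policy test-allow-all match destination-address any
set security policies from-zone trust to-zone dmz policy test-allow-all match application any
set security policies from-zone trust to-zone dmz policy test-allow-all then permit
set security policies from-zone trust to-zone dmz policy test-allow-all then log session-close
set security policies from-zone dmz to-zone trust policy test-allow-all match source-address any
set security policies from-zone dmz to-zone trust policy test-allow-all match destination-address any
set security policies from-zone dmz to-zone trust policy test-allow-all match application any
set security policies from-zone dmz to-zone trust policy test-allow-all then permit
set security policies from-zone dmz to-zone trust policy test-allow-all then log session-close

## 2. Long / infinite idle timeout. The timeout is a property of an application
##    object, so "application any" keeps the default TCP idle timeout (1800 s).
##    Define a custom application and reference it from the policy instead.
set applications application rpc-endpoint-mapper protocol tcp destination-port 135 inactivity-timeout never
delete security policies from-zone trust to-zone dmz policy test-allow-all match application any
set security policies from-zone trust to-zone dmz policy test-allow-all match application rpc-endpoint-mapper

## 3. Relax the flow module's strict TCP checks (SYN-first and sequence-window
##    validation). Device-wide, and it weakens protection against out-of-state
##    packet injection: a diagnostic setting, not one to leave in place.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

## 4. Take the ALG out of the path if one owns the port in question.
##    (assumed knob: "set security alg msrpc disable" on later 10.x releases)
set security alg msrpc disable

## Apply with a safety net: the commit reverts itself unless confirmed within 5 minutes.
commit confirmed 5

## Operational mode: watch the session table while the hosts show the
## break/re-establish in Wireshark; clearing the session reproduces an age-out.
run show security flow session destination-port 135
run show security flow session source-prefix 192.168.10.5/32 destination-prefix 192.168.20.9/32
run clear security flow session destination-port 135
```

Work through the steps one at a time and `rollback` between them; if the session still drops with all four in place, the flow module is unlikely to be the cause and the problem is on the hosts or the path. Whatever isolates it, remove the `no-syn-check`/`no-sequence-check` lines and the allow-all policy afterwards.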
Contributor
CrytpoManiac
Posts: 16
Registered: ‎05-20-2009

Re: SSG vs. SRX

Regarding Cisco ASA "TCP Bypass," couldn't you use packet-based processing instead of flow-based processing?

 

I've never used it or needed it myself, but it sounds like what you're looking for?
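CrytpoManiac's suggestion in the form it takes on the SRX: selective stateless packet-based services, where a firewall filter term with the `packet-mode` action modifier hands matching packets to packet-based forwarding with no session, no NAT, no ALG and no screens, which is close to the ASA "TCP bypass" Bruce asks for. This is an added example, not configuration from the thread. The hosts and interfaces are placeholders; the feature is, as far as I recall, documented for branch SRX (SRX100 to SRX650) and J-Series at the time of this thread, so verify support for the 3600 in your release notes before relying on it.

```junos
## Added example (not from the thread). Placeholders:
## 192.168.10.5 (zone trust, ge-0/0/1.0) <-> 192.168.20.9 (zone dmz, ge-0/0/2.0)

## Trust-side filter: packets between the two hosts skip the flow module.
## The count action gives a hit counter to prove the bypass is being used.
set firewall family inet filter bypass-flow-trust term to-door-ctl from source-address 192.168.10.5/32
set firewall family inet filter bypass-flow-trust term to-door-ctl from destination-address 192.168.20.9/32
set firewall family inet filter bypass-flow-trust term to-door-ctl then count bypass-hits
set firewall family inet filter bypass-flow-trust term to-door-ctl then packet-mode
set firewall family inet filter bypass-flow-trust term to-door-ctl then accept
set firewall family inet filter bypass-flow-trust term everything-else then accept

## Mirror term on the dmz side. The RETURN direction must also be packet-mode:
## otherwise the replies enter the flow module, find no session and are dropped,
## which looks exactly like the problem being diagnosed.
set firewall family inet filter bypass-flow-dmz term from-door-ctl from source-address 192.168.20.9/32
set firewall family inet filter bypass-flow-dmz term from-door-ctl from destination-address 192.168.10.5/32
set firewall family inet filter bypass-flow-dmz term from-door-ctl then count bypass-hits
set firewall family inet filter bypass-flow-dmz term from-door-ctl then packet-mode
set firewall family inet filter bypass-flow-dmz term from-door-ctl then accept
set firewall family inet filter bypass-flow-dmz term everything-else then accept

## packet-mode is an ingress decision, so both filters go on as INPUT filters.
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow-trust
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-dmz

commit confirmed 5

## Verify: counters climbing, and the pair no longer in the session table.
run show firewall filter bypass-flow-trust
run show firewall filter bypass-flow-dmz
run show security flow session destination-prefix 192.168.20.9/32
```

Bypassed traffic is forwarded purely by route lookup: no zone policy, no NAT, no IPsec, no screens apply to it, so the two hosts effectively sit on the same side of the firewall for the duration of the test. If the application works in this state, the flow module is implicated; either way, delete the packet-mode terms once the test is over.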

Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: SSG vs. SRX

Bruce,

 

fwiw, in our testing, JunOS 10.2r3 works well w/ MSRPC applications such as Exchange and AD replication. JunOS 10.3r2 has been promised to have the same stability. As none of the features in 10.3 are all that compelling to us, we're sticking with 10.2r3 as the "go to" release for now, and we'll likely move to 10.4rx (1 or 2 depending on how brave we feel :smileyhappy:) as the next "go to" release when that has been released.

 

It's not been all that long for 10.2r3. So far, it's been stable. 10.2r2 was stable w/ regards to clustering, it just had some massive ALG issues and an annoying memory leak in web filtering.

 

Visitor
jimsiff
Posts: 3
Registered: ‎12-05-2008

Re: SSG vs. SRX

I have to say I'm going to pile on the list of SRX complaints.  We have been / were a Netscreen shop for YEARS prior to the Juniper acquisition.  The ScreenOS devices have been generally rock solid since the Netscreen 5 days when that little hummer would bring a Cisco VPN 3015 to its knees @ 10 Mbit 3DES IPSEC throughput.

 

A year ago, we were forced into a refresh cycle for our edge firewalls and VPN endpoints after an internal IT consolidation.  We had a bake off between SSG, SRX, and ASA.  SSG won for stability and required features, but lost out because we feared Juniper would effectively abandon the line within 3 years.  SRX won for overall feature set, but lost out because it couldn't handle a simple firewall with NAT deployment at 9.6x code without core dumping every week or two during the evaluation.  The ASA won by default, but it's a descendant of the PIX and still loaded with the crap that made me hate it 10 years ago.

 

The refresh cycle was Juniper's to win as the incumbent, but lost due to a combination of SRX instability and aggressive SRX marketing that made us fear the long term viability of the ScreenOS line of firewalls.  We felt that ScreenOS would rapidly turn into Juniper's CatOS, Cisco's redheaded stepchild switching OS.  As an aside, since we were painted into the ASA corner, I was forced to refresh VPN with ASA in lieu of the superior but more expensive Juniper Secure Access solution.

 

I hope that Juniper gets the SRX right, and sooner rather than later.  Rant mode off...

Contributor
foodandbikes
Posts: 17
Registered: ‎01-10-2011

Re: SSG vs. SRX

New to the SRX family as of 1 month ago.

We had a project deadline in which we were going to deploy our first SRX firewall. I thought "no big deal, it's a firewall... packets in and packets out. I'll have it configured in a few minutes and be done with it." After hours of being amazed at how bad the user interface is and how non-intuitive the SRX is I scrapped it in favor of an SSG20.

I'm now back to the SRX (which is to replace the temporary SSG20) and my frustration continues.

The ScreenOS was fast and intuitive, the SRX GUI "looks good but doesn't do crap".

My latest battle is figuring out how to create a MIP, now referred to as a static NAT, which apparently is not possible in the GUI? Amazing, it's the second most used thing in a firewall, after policies, and it can't be done in the GUI? It used to be a one line config item, but now requires 4 lines of code? Is anyone at Juniper paying attention to how they are screwing up what was an awesome simple to use firewall and turning it into something that only a specialist will be able to configure?

 

My latest mindset is to just forget EVERYTHING I know about ScreenOS and start all over.

I honestly hope my hatred for this product goes away since I'll be stuck using it going forward.

 

The first Netscreen we got (about 10 years ago) took me under a day to figure out and setup everything we need a firewall to do, and that was without having 15 KB articles opened up.

 

This document pretty much explains why I don't like it. Anything that took 1 command line to do now takes 3-4...

http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf

 

Juniper, here are tips to making your product better:

1. make the GUI more useful, intuitive, and faster (focus on more useful first :smileywink: )

2. make the commands simpler

 

 

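The MIP-versus-static-NAT comparison from the post above, spelled out so the "one line became four" point can be seen side by side. This is an added example, not configuration from the thread or from the linked app note. The addresses are RFC 5737/1918 placeholders; the interface ge-0/0/0.0 in zone untrust and the server in zone trust are assumptions.

```junos
## Added example (not from the thread). Public 203.0.113.10 -> internal 192.168.1.10.
## Outside interface ge-0/0/0.0 is in zone untrust; the server is in zone trust.

## ScreenOS, for comparison (the one-liner the post refers to, plus its policy):
##   set interface ethernet0/0 mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
##   set policy from untrust to trust any mip(203.0.113.10) http permit

## Junos: the NAT rule. The rule-set is selected by ingress zone, the rule by
## destination. Like a MIP, static NAT is bidirectional: outbound traffic from
## 192.168.1.10 leaves sourced as 203.0.113.10 without any further config.
set security nat static rule-set from-untrust from zone untrust
set security nat static rule-set from-untrust rule web-srv match destination-address 203.0.113.10/32
set security nat static rule-set from-untrust rule web-srv then static-nat prefix 192.168.1.10/32

## Proxy ARP: needed when the public address is on the outside interface's
## subnet but is not the interface's own address. A MIP answered ARP implicitly;
## the SRX does not, and forgetting this line is the classic "static NAT does
## not work" mistake.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

## Policy. Static NAT is applied BEFORE policy lookup, so the policy must match
## the translated (internal) address, not the public one.
set security zones security-zone trust address-book address web-srv 192.168.1.10/32
set security policies from-zone untrust to-zone trust policy to-web-srv match source-address any
set security policies from-zone untrust to-zone trust policy to-web-srv match destination-address web-srv
set security policies from-zone untrust to-zone trust policy to-web-srv match application junos-http
set security policies from-zone untrust to-zone trust policy to-web-srv then permit

## Commit with an automatic revert unless confirmed within 5 minutes, so a
## typo in the NAT rule cannot lock you out of a remote box.
commit confirmed 5

## Verify: the rule is installed and sessions show the In/Out translation.
run show security nat static rule all
run show security flow session destination-port 80
```

Four lines of NAT plus proxy ARP against one ScreenOS line is the cost; what it buys is that the translation, the ARP behaviour and the permission are each explicit and can be reviewed separately, and `rollback 1` undoes the whole lot as a unit.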
Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: SSG vs. SRX

You must be on an old version of code. Static NAT was added to the GUI. I recommend to move to JunOS 10.2r3 and go from there. Once 10.4 is stable, it'll be the next "go-to" release. 10.4r2, maybe. Time will tell.

 

I like the way the SRX is structured. Coming from a programming background, the indented way that the config is built is intuitive. I like commit. I LOVE rollback.

 

However, there are also a lot of gotchas. I don't love cluster management, not at all. I want my flow-based QoS back. I want my "multiple proxy IDs" from ScreenOS 6.3 back. I want the ability to run dual-ISP with static routing back. The list goes on.

 

In the end, it's a matter of seeing that the features you need are there, and if that's the case, then the SRX provides a very fast, very affordable firewall platform: Which, ever since 10.2r3, is also reasonably stable. Ongoing UTM drama notwithstanding.

 

Getting comfortable with the CLI will be a boon to you.

 

Contributor
foodandbikes
Posts: 17
Registered: ‎01-10-2011

Re: SSG vs. SRX

Thanks for the info re: static nat. I am on an older version (10.0r2) and have been working on gaining access to the downloads so I can update it. Hopefully by the end of the day I'll be running 10.2r3 or later.

Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: SSG vs. SRX

You'll see a big difference. 10.0r2 was no fun at all. Not only is J-Web slow, it's also not a stable build. 10.2r3 will treat you a lot better.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.