03-03-2011 07:13 AM
About a year ago, we looked at buying some SRX 240 models. After reading some reviews and forums, we ended up choosing the SSG line. Our Juniper rep admitted at the time the SRX platform was full of bugs and various things did not work correctly. Off the top of my head, things like non-functional VPNs, poor web interface, and other various things people either didn't like or said did not work.
Fast forward to today, I know there have been many JunOS releases since. How is the SRX platform now? We are considering one for our lab. Any feedback?
03-03-2011 11:14 AM
I had the same concerns when we started firewall shopping. Being new to Juniper altogether... I like the SRX 240, but I'm trying to force myself to learn the CLI.
I had the same conversation with pre-sales and they assured me that all function was in the GUI and all the old posts about the terrible GUI had been addressed.
I find the GUI cumbersome and annoying. The use of Flash in a corporate firewall GUI is the worst idea I've ever heard and that's what the SRX uses, so you now have to manage Flash updates on any box using the GUI.
I don't recall specifics, but I've run into a few items that did not work in the GUI or there just was no way to do it. Release 10.0 was terrible, but since updating to 10.4 I like it a LOT better. VPN, no issues so far other than the pain of setting up ALL the policies, which can be a huge pain when you need tight ACLs on VPN.
So far, overall, I'm fairly happy with the devices, like I said 10.0 to 10.4 was pretty huge in terms of the GUI's look/feel and ease of use.
03-03-2011 11:34 AM
Overall they have improved quite a lot, in both stability and WebUI. For the WebUI you really need 10.4, which is a lot faster. The only thing really missing is a search address function when adding policies. Other than that, pretty much everything you need is available in the WebUI nowadays.
Learning the CLI doesn't hurt either. It's the same on the Juniper routers and switches, which is fantastic if you have to configure one of those.
The only thing about the platform to be aware of is that there are still some limitations, especially related to the use of virtual routers. Sometimes that can be an issue for people who are used to the all-powerful NetScreens.
I quite like them nowadays... which hasn't always been the case.
03-04-2011 07:31 AM
We used many pieces of equipment in the SRX line (210, 240, 650 and 3600) in a datacenter environment with IPsec connection.
WebUI is not the best point of Junos, but I think it would be better to learn the CLI because it's the same on all Junos platforms. It is really easy to learn and the most powerful way to administrate, troubleshoot or install the equipment.
It's obvious Junos is not a graphical-UI-oriented platform.
The versions currently used in our environment are stable and really powerful.
You have to avoid using the latest version just released, because there is always a bug, or sometimes some functionality is temporarily disabled.
I regret some limitations when installed in HA mode, like "commit confirm" or GRE tunnels.
03-04-2011 07:25 PM
I think I replied to your previous thread here, but here have been my experiences with the SRX:
Honestly it depends on what your needs are from the platform. Are you looking for a solid firewall? VPN Solution? IDP/UTM? What about high availability? Centralized Management/Reporting?
There are many things the SRX does right, and many more things it does poorly.
As a basic firewall the SRX is awesome. The throughput beats just about any competitor dollar for dollar, as well as the routing background of JUNOS makes the SRX a real treat to work with. The CLI beats the pants off ScreenOS as well as IOS. For me personally it was hard at first to wrap my head around things like static NAT and destination NAT (especially when the security policies point to the private address of your system as opposed to a MIP), but you will love the CLI if you can get used to it. In 10.4 the WebUI appears to be much quicker, but I don't have many comments about its speed/stability as I barely use it.
VPN configuration is pretty good, but only until recently (JUNOS 10.4) could you terminate tunnel interfaces into anything but the inet.0 default VR. Add to that the inability to set an unnumbered tunnel interface in its own security zone without some other interface having an IP in the same zone broke some of our customers' VPNs; we simply converted all the tunnel interfaces to numbered interfaces and the SRX took off.
IDP/UTM - just don't do it. It is simply not ready for prime time, especially compared to the full-blown IDPs or even AV/DI on ScreenOS. The integration within NSM is horrible, such as logs not getting parsed correctly (same src and dst IPs show in IDP logs; critical alerts showing up as informational). Stability-wise I can make the IDP engine fail by browsing a few HTTPS sites. Our team has multiple cases to address these issues.
HA - It's unusual, to say the least. I'm sure you can find multiple posts about the pros and woes of Clustering, but my opinion is that it works great to be able to synchronize configurations between two systems, but it comes at a high cost for what you give up in configuration options (no GRE Tunnels, no Active/Active Clusters) and management (no manage-ip like ScreenOS, fxp0 interface is in the same VR as the default routing table, losing 3 interfaces on each system, no commit confirmed). If you're looking to use HA in the core of a large network, use other methods to provide HA (OSPF, VRRP, etc); the last thing you'll need is for both systems to stop forwarding traffic because of an interface flap and throw the units into a tizzy.
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCSP-ENT, JNCIS-SP, JNCDS-DC, JNCDS-SEC