SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 58
Registered: ‎10-09-2014
0 Kudos

replacement for srx100 and srx110

With the SRX100 and 110 reaching end of life what is the next option for replacing the srx 100?  We liked the smaller 100 for use within atms.

Highlighted
Distinguished Expert
Posts: 648
Registered: ‎06-22-2011
0 Kudos

Re: replacement for srx100 and srx110

Recognized Expert
Posts: 172
Registered: ‎01-06-2016
0 Kudos

Re: replacement for srx100 and srx110

rselbert is right about the hardware platform but I would like to add a comment about the software license you need on top.

 

There are three licenses: JSB, JSB-L and JSE.

JSB is what you know from SRX100/200 series, JSE add "application security" where you can block applications instead of ports. JSB-L gives you same features as JSB but limits the device to 200 Mbps throughput and 40 Mbps IPSec VPN / NGFW - well within the performance specs of the previous platforms :-)

 

JSB-L has been introduced to provide af replacement for SRX100/110 within the same price range.

 

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
Contributor
Posts: 17
Registered: ‎04-13-2017
0 Kudos

Re: replacement for srx100 and srx110

[ Edited ]

Do not make any assumptions about the SRX300's capabilities as a switch - they appear to be a work in progress. Also, if you need the capabilities of JSB, it can no longer be considered a budget option.

It is promoted as a small branch device. Which is fine if the branch is a component of a large and sophisticated network, less so for small standalone deployments.

Recognized Expert
Posts: 172
Registered: ‎01-06-2016
0 Kudos

Re: replacement for srx100 and srx110

SRX300's switching capabilities has improved dramatically in the latest maintenance releases - only Q-in-Q is missing after 15.1X49-D70 which is a couple of months old.

 

 

I do not understand your comment regarding the capabilities of JSB and budget option. SRX300 and SRX300-JSB-L gives a net cost just around the same as the SRX100. If you buy SRX300 + SRX300-JSB you will get a firewall providing more performance than the SRX220 at a list price of 995 where the SRX220 is around 1600 USD list.

 

Agreed that the UTM/NGFW features is better in a large network than as a standalone device.

 

 

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
Contributor
Posts: 58
Registered: ‎10-09-2014
0 Kudos

Re: replacement for srx100 and srx110

We do have 1 srx300 in production at a new branch we opened but we had a lot of trouble translating configurations from our 210s that we use at other branches to the srx300.  Does anyone have some good advice going forward on how to be consistent with migrating from the EOL srxs to the srx300?

Contributor
Posts: 17
Registered: ‎04-13-2017
0 Kudos

Re: replacement for srx100 and srx110


jonashauge wrote:

 

. . . 

I do not understand your comment regarding the capabilities of JSB and budget option.

 

 


Applying the same discount I negotiated for JSB-LITE plus VAT (private purchase), then a JSE subscription is about 661,00 € which makes the SRX300 not very price competitive, even at the premium end of the market.

 

Every time I want to implement a capability, it appears to be an enhanced feature covered by JSE or even an additional licenced product. See SRX300 Datasheet top of page 4 for details. It would be reasonable to have anti-virus/anti-spam at the basic level. Yet on the SRX300 these require an additional subscription beyond JSE.

 

Also, unless I'm missing something, a task as straightforward as updating address books from a RSS feed requires quite involved additional infrastructure. Why would a small user need this? Because services such as Exchange, Azure, Office 365, Skype, Teams, etc. have lots of IPs around the world, and the list is sufficiently dynamic that a feed has been set up dedicated to providing this information. I certainly do not wish to do this on a monthly basis by hand. Hopefully, I've missed something and it is simple.

 

R+C

 

Contributor
Posts: 58
Registered: ‎10-09-2014
0 Kudos

Re: replacement for srx100 and srx110

We do have 1 srx300 in production at a new branch we opened but we had a lot of trouble translating configurations from our 210s that we use at other branches to the srx300.  Does anyone have some good advice going forward on how to be consistent with migrating from the EOL srxs to the srx300?

 

bump

Recognized Expert
Posts: 172
Registered: ‎01-06-2016
0 Kudos

Re: replacement for srx100 and srx110

Sorry for my late reply;

 

The only thing you need JSE for is a permanent license for application tracking. If you need Antivirus/Webfiltering you will need a subscription license just a every other vendor... but this subscription just have to be added on top of JSB/JSB-L... and you will then also get the application tracking functionality.

 

All other firewall vendors (eg. Palo Alto, Check Point, Watchguard and even Zyxel - and probably all the others) requires a subscription/support agreement for you to use IPS, Antivirus and content filtering - and this is no different on the Juniper SRX solutions.

 

Dynamic address book update is not present but with application tracking you should be able to do AppFW, allowing eg. "Gmail" without defining IP-ranges.

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)