SRX Services Gateway
Posts: 43
Registered: ‎08-04-2010

what to replace my SRX with?

What are some other good options to replace this flaming pile of **bleep**?  If you had the budget for two SRX650's and knew what you know now about how rank these things are... what would you buy instead?






Hopefully I will soon have my money, and sanity, back.

Super Contributor
Posts: 203
Registered: ‎04-14-2008

Re: what to replace my SRX with?

I would still buy an SRX personally. Pilot error?


Checkpoints are excellent firewalls but very expensive and can be complicated to manage if you're using your own server, although this is better since SPLAT came along.

Cisco firewalls have never been very good really, and are just picked up because of their sucess with routers and people tend to like farmilliar things.

Perhaps you could try a ScreenOS firewall like an SSG550, they are much simpler, but less capable routers and won't offer the same throughput or full IDP.

There is always the Fortinet range, just a ScreenOS firewall in a new tin with some nice enhancements like full IDP and SSL.




Posts: 3
Registered: ‎09-16-2010

Re: what to replace my SRX with?


I'm just to about to place an order for two SRX650s, this was a corporate decision. I pointed both Juniper and our solutions provider (one of the biggest juniper partners) at some of the threads on this forum and they assured me that 99.9% of the problems are down to misconfiguration, especially clustering.


If it was my decision I probably would have gone with Cisco ASA5550s, I don't necessarily agree with the above and I believe they are a VERY capable firewalls and also incredibly stable! I have installed dozens over the years and never had one problem be it hardware or software. I still think Checkpoint is (overall) the best firewall platform out there, although this is reflected in the cost and they don't offer great value for money IMO.


Good luck :smileytongue:

Posts: 45
Registered: ‎10-06-2008

Re: what to replace my SRX with?

which other firewall do you already have ?

which kind of network/security product are you already familiar with ?


what do you expect from your firewalls :

- performances are high ?

- management is easy ?

- reporting is good ?

- routing capabilities are good (ie dynamic routing, multiple routing environment).

- extra functionnalities like utm ?

- can work as virtual machine so you can do some testing out of the productive system ?


It also depends on your location, as some firewalls are quite successfull in their geography (astaro, stonesoft, netasq, arkoon), but not worldwide.


the best once again is to test some of the firewalls, but it depends on the time you have to do so.

Trusted Contributor
Posts: 89
Registered: ‎03-18-2010

Re: what to replace my SRX with?


vr46 wrote:


I'm just to about to place an order for two SRX650s, this was a corporate decision. I pointed both Juniper and our solutions provider (one of the biggest juniper partners) at some of the threads on this forum and they assured me that 99.9% of the problems are down to misconfiguration, especially clustering.



If by misconfiguration they mean not using the exact configuration that Juniper shows in the getting started guide, that might be true. But most of us actually need to use the features of the device and you will have lots of issues. If you get these and use anything beyond routing be prepared to open lots of JTAC cases and fight to get them escalated so that someone who actually knows something can look at it and get it fixed (it will take 2-5 months for each case btw). Look back at my post about problems, several are still not fixed even though Juniper has admited that it isn't working correctly. And if you plan on using Anti-virus be prepared for that to not work in a way that your users will call working. As far as the ASA devices they are much more stable, the VPN actually works well (SRX Dynamic VPN is a joke if you have to configure more than 1-2 users, I hope you never have to use it), they don't have all the features that the SRX series is supposed to have but  the additional features just don't work. So why should it matter if the SRX have more features?


My opinion is that if the spec sheet on the SRX branch devices was actually implemented in a sane way, these devices would be great, but they are not.

Posts: 3
Registered: ‎09-16-2010

Re: what to replace my SRX with?

Fair enough, there is no requirement in our solution for any of the content security features - not even VPN. They were purchased based on the throughput specs, although I'm hoping Juniper address all of the niggles as the thought of running these in a production environment does concern me - we require 99.99% uptime.


Your right though, I would(will?) be furious if they don't work as expected. I have made our solution provider put a bunch of deliverables in the Statement of Work to cover us, if they don't perform they will go back - simples.

Super Contributor
Posts: 205
Registered: ‎03-11-2008

Re: what to replace my SRX with?

The issue with the branch SRX devices is that you're meant to reboot both devices in a cluster when doing an upgrade. Thus network outage.


With the SSGs you could do each one separately.


I believe you can do this in the bigger SRXs?? But not the SRX650 and smaller, not 100% sure.


This was with 10.1, so there might be some improvements.

Trusted Contributor
Posts: 213
Registered: ‎07-14-2008

Re: what to replace my SRX with?

My .02 is that Juniper has addressed most of the issues in the SRX product family now, and they are the best platform out there for all they can do.  People will complain about not being able to do this or that, but the truth is there is not really anything else out there that can do the huge range of what people are trying to do with these boxes on a single platform, so there are bound to be some issues along the way.  Checkpoint may be a better pure firewall, Cisco may make a better Ethernet switch, McAfee might make a better network IPS, Juniper M-series may be a better MPLS box, Sophos may make a better AV scanner, Ironport may be a better SPAM appliance, etc., but for a box that can do every single one of these things, and be supported by a large vendor, I will stick with the SRX.  There will always be someone who will tout that you can do all of this with a UNIX box for free, and they are likely correct, but it is difficult for most corporations to have to rely on that as a supportable solution.



Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: what to replace my SRX with?

If you really want to switch away from SRX, here is my suggestion:


1.) Juniper SSG Firewalls. They are still an excellent choice, they have a much broader feature set when compared to SRX, they have a very large user base (thus, help is always available), they are powerful, easy to configure, and despite the rumors, they are to stay around for a couple of more years to come.


2.) Fortinet. They make great firewalls (those are the guys who developed Juniper's Netscreen firewalls in the first place and then created a new company, Fortinet). Very powerful, lot's of UTM features, high throughput.


And then of course, there is always Check Point, if you have the budget.


Cisco? They make great routing and switching gear, but I'd stay away from their firewalls. They suck.

Twitter: @cryptochrome
Trusted Contributor
Posts: 52
Registered: ‎12-22-2009

Re: what to replace my SRX with?

I have many srx firewalls in clusters. I have never had an issue with them. we run IDP and many other features. I have over 15 SRX firewalls deployed with not an issue. If you run your firewalls on the JTAC recommended release, you will not have an issue.


My .02 cents are that the SRX firewalls are some of the fastest and easiest to manage firewalls around. I am not a fan of checkpoint firewalls. If I could rip the last few I have out I would. The UTM appliances are garbage, single power supplies and they looks like soho toys. And god help you on checkpoint if something goes wrong. no simple text file to copy and past. Instead you have to do an upgrade import which can fail more often then you would think. I have nightmares from memories of some of the bigger checkpoint crashes we had. The checkpoint boxes also have pitiful excuses for routing protocols, don't do gre termination or other tunnels. don't even get me started about SPLAT or the premium version of SPLAT. The only good thing about checkpoint is the nokia appliances or the IP series appliances now after checkpoint bought them. Run on IPSO ( aka freebsd) just like Junos and they can handle gre tunnels and the like.


Cisco ASA boxes are nice boxes, they have an easy configuration to manage if you are used to cisco interfaces and the PIX firewalls in general. They have builtin SSL VPN which is something I wish the SRX firewalls had. However they are just underpowered. I have seen the boxes die in an ecommerce environment when hit with heavy traffic. On the other hand I have Netscreen ISG2000 firewalls that get hit with 2gbps traffic 24x7 365 99.999% uptime never had an issue in years of being in production



I really love the SRX firewalls. Are they good at everything?  No. For instance their site to site vpn configuration with third party vendors can be complex. Does the SRX have issues? of course, and there are issues with every other vendors firewalls as well. Are they getting better? every release they get better.


Most of the stability problems that were reported early on are resolved now, and alot of them had been related to people configuring trunked ports and l2 switching in a cluster environment which was not supported at the time and is shaky now.


The bottom line is if you are a security guy. These firewalls are not for you, you would not appreciate them nor realizxe the power and flexibility they give you. However if your background is networking, then you should realize the implications of putting a full router inside the best of breed firewall. the ability to run routing protocols with partners in multiple datacenters and introduce instant failover between datacenters when an mpls connection fails, and do it all with the full power of zone based firewall protection. Thiis is something you cannot do with just a firewall. There are so many abilities and options that are opened up to you to solve problems with the SRX device that you do not get with ASA or checkpoint.



Do yourself a favor give the devices a chance, leave your preconceptions at the door, and approach the device like the hybrid router / firewall that it is and it wont take you long to realize how pushing dynamic routing to the firewall can allow you to get a full nights sleep instead of being called in the middle of the night to change static routes, to point to a different data center because a partner mpls router failed in data center A, so now you have to remove the routes in datacenter A pointing to checkpoint A, and add the routes to datacenter B pointing to checkpoint B which leads to the backup partner mpls router.


John Burns
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.