SRX Services Gateway
Contributor
Posts: 43
Registered: ‎08-04-2010
0

what to replace my SRX with?

What are some other good options to replace this flaming pile of **bleep**? If you had the budget for two SRX650s and knew what you know now about how rank these things are... what would you buy instead?

 

Cisco?

Checkpoint?

?

 

Hopefully I will soon have my money, and sanity, back.

Super Contributor
Posts: 203
Registered: ‎04-14-2008

Re: what to replace my SRX with?

I would still buy an SRX personally. Pilot error?

 

Checkpoints are excellent firewalls but very expensive and can be complicated to manage if you're using your own server, although this is better since SPLAT came along.

Cisco firewalls have never been very good really, and are just picked up because of their success with routers and people tend to like familiar things.

Perhaps you could try a ScreenOS firewall like an SSG550, they are much simpler, but less capable routers and won't offer the same throughput or full IDP.

There is always the Fortinet range, just a ScreenOS firewall in a new tin with some nice enhancements like full IDP and SSL.

 

Sam.

JNCIS-SEC, JNCIS-ER, JNCIS-FWV, JNCIS-FWV

Visitor
Posts: 3
Registered: ‎09-16-2010
0

Re: what to replace my SRX with?

 

I'm just about to place an order for two SRX650s; this was a corporate decision. I pointed both Juniper and our solutions provider (one of the biggest Juniper partners) at some of the threads on this forum and they assured me that 99.9% of the problems are down to misconfiguration, especially clustering.

 

If it was my decision I probably would have gone with Cisco ASA5550s. I don't necessarily agree with the above and I believe they are VERY capable firewalls and also incredibly stable! I have installed dozens over the years and never had one problem, be it hardware or software. I still think Checkpoint is (overall) the best firewall platform out there, although this is reflected in the cost and they don't offer great value for money IMO.

 

Good luck :P

Contributor
Posts: 45
Registered: ‎10-06-2008

Re: what to replace my SRX with?

Which other firewalls do you already have?

Which kind of network/security products are you already familiar with?

What do you expect from your firewalls:

- high performance?
- easy management?
- good reporting?
- good routing capabilities (i.e. dynamic routing, multiple routing environments)?
- extra functionalities like UTM?
- ability to run as a virtual machine so you can do some testing outside of the production system?

It also depends on your location, as some firewalls are quite successful in their geography (Astaro, Stonesoft, Netasq, Arkoon), but not worldwide.

The best, once again, is to test some of the firewalls, but it depends on the time you have to do so.

Trusted Contributor
Posts: 89
Registered: ‎03-18-2010
0

Re: what to replace my SRX with?

vr46 wrote:

I'm just about to place an order for two SRX650s; this was a corporate decision. I pointed both Juniper and our solutions provider (one of the biggest Juniper partners) at some of the threads on this forum and they assured me that 99.9% of the problems are down to misconfiguration, especially clustering.

If by misconfiguration they mean not using the exact configuration that Juniper shows in the getting started guide, that might be true. But most of us actually need to use the features of the device, and you will have lots of issues. If you get these and use anything beyond routing, be prepared to open lots of JTAC cases and fight to get them escalated so that someone who actually knows something can look at it and get it fixed (it will take 2-5 months for each case btw). Look back at my post about problems; several are still not fixed even though Juniper has admitted that it isn't working correctly. And if you plan on using Anti-virus, be prepared for that to not work in a way that your users will call working. As for the ASA devices, they are much more stable, the VPN actually works well (SRX Dynamic VPN is a joke if you have to configure more than 1-2 users, I hope you never have to use it), they don't have all the features that the SRX series is supposed to have, but the additional features just don't work. So why should it matter if the SRX has more features?

 

My opinion is that if the spec sheet on the SRX branch devices was actually implemented in a sane way, these devices would be great, but they are not.

Visitor
Posts: 3
Registered: ‎09-16-2010
0

Re: what to replace my SRX with?

Fair enough, there is no requirement in our solution for any of the content security features - not even VPN. They were purchased based on the throughput specs, although I'm hoping Juniper address all of the niggles as the thought of running these in a production environment does concern me - we require 99.99% uptime.

 

You're right though, I would (will?) be furious if they don't work as expected. I have made our solution provider put a bunch of deliverables in the Statement of Work to cover us; if they don't perform they will go back - simples.

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0

Re: what to replace my SRX with?

The issue with the branch SRX devices is that you're meant to reboot both devices in a cluster when doing an upgrade. Thus network outage.

 

With the SSGs you could do each one separately.

 

I believe you can do this in the bigger SRXs?? But not the SRX650 and smaller, not 100% sure.

 

This was with 10.1, so there might be some improvements.

Trusted Contributor
Posts: 213
Registered: ‎07-14-2008
0

Re: what to replace my SRX with?

My .02 is that Juniper has addressed most of the issues in the SRX product family now, and they are the best platform out there for all they can do.  People will complain about not being able to do this or that, but the truth is there is not really anything else out there that can do the huge range of what people are trying to do with these boxes on a single platform, so there are bound to be some issues along the way.  Checkpoint may be a better pure firewall, Cisco may make a better Ethernet switch, McAfee might make a better network IPS, Juniper M-series may be a better MPLS box, Sophos may make a better AV scanner, Ironport may be a better SPAM appliance, etc., but for a box that can do every single one of these things, and be supported by a large vendor, I will stick with the SRX.  There will always be someone who will tout that you can do all of this with a UNIX box for free, and they are likely correct, but it is difficult for most corporations to have to rely on that as a supportable solution.

 

Ron

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0

Re: what to replace my SRX with?

If you really want to switch away from SRX, here is my suggestion:

 

1.) Juniper SSG Firewalls. They are still an excellent choice; they have a much broader feature set when compared to SRX, they have a very large user base (thus, help is always available), they are powerful, easy to configure, and despite the rumors, they are going to stay around for a couple more years to come.

 

2.) Fortinet. They make great firewalls (those are the guys who developed Juniper's Netscreen firewalls in the first place and then created a new company, Fortinet). Very powerful, lots of UTM features, high throughput.

 

And then of course, there is always Check Point, if you have the budget.

 

Cisco? They make great routing and switching gear, but I'd stay away from their firewalls. They suck.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Contributor
Posts: 52
Registered: ‎12-22-2009

Re: what to replace my SRX with?

I have many SRX firewalls in clusters. I have never had an issue with them. We run IDP and many other features. I have over 15 SRX firewalls deployed with not an issue. If you run your firewalls on the JTAC recommended release, you will not have an issue.

 

My .02 cents are that the SRX firewalls are some of the fastest and easiest to manage firewalls around. I am not a fan of Checkpoint firewalls. If I could rip the last few I have out, I would. The UTM appliances are garbage, single power supplies and they look like SOHO toys. And god help you on Checkpoint if something goes wrong. No simple text file to copy and paste. Instead you have to do an upgrade import which can fail more often than you would think. I have nightmares from memories of some of the bigger Checkpoint crashes we had. The Checkpoint boxes also have pitiful excuses for routing protocols, don't do GRE termination or other tunnels. Don't even get me started about SPLAT or the premium version of SPLAT. The only good thing about Checkpoint is the Nokia appliances, or the IP series appliances now after Checkpoint bought them. They run on IPSO (aka FreeBSD) just like Junos and they can handle GRE tunnels and the like.

 

Cisco ASA boxes are nice boxes; they have an easy configuration to manage if you are used to Cisco interfaces and the PIX firewalls in general. They have built-in SSL VPN, which is something I wish the SRX firewalls had. However they are just underpowered. I have seen the boxes die in an ecommerce environment when hit with heavy traffic. On the other hand I have Netscreen ISG2000 firewalls that get hit with 2 Gbps of traffic 24x7 365 at 99.999% uptime and have never had an issue in years of being in production.

 

 

I really love the SRX firewalls. Are they good at everything? No. For instance their site-to-site VPN configuration with third party vendors can be complex. Does the SRX have issues? Of course, and there are issues with every other vendor's firewalls as well. Are they getting better? Every release they get better.

 

Most of the stability problems that were reported early on are resolved now, and a lot of them had been related to people configuring trunked ports and L2 switching in a cluster environment, which was not supported at the time and is shaky now.

 

The bottom line is, if you are a security guy, these firewalls are not for you; you would not appreciate them nor realize the power and flexibility they give you. However if your background is networking, then you should realize the implications of putting a full router inside a best-of-breed firewall: the ability to run routing protocols with partners in multiple datacenters and introduce instant failover between datacenters when an MPLS connection fails, and do it all with the full power of zone-based firewall protection. This is something you cannot do with just a firewall. There are so many abilities and options that are opened up to you to solve problems with the SRX device that you do not get with ASA or Checkpoint.

 

 

Do yourself a favor: give the devices a chance, leave your preconceptions at the door, and approach the device like the hybrid router/firewall that it is, and it won't take you long to realize how pushing dynamic routing to the firewall can allow you to get a full night's sleep instead of being called in the middle of the night to change static routes to point to a different data center because a partner MPLS router failed in data center A, so now you have to remove the routes in datacenter A pointing to Checkpoint A, and add the routes to datacenter B pointing to Checkpoint B, which leads to the backup partner MPLS router.

John Burns
Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0

Re: what to replace my SRX with?

bufo333 wrote:

I have many SRX firewalls in clusters. I have never had an issue with them. We run IDP and many other features. I have over 15 SRX firewalls deployed with not an issue. If you run your firewalls on the JTAC recommended release, you will not have an issue.

What size of office? And did you do HA on any of them? All of the recent release notes state that UTM features are not recommended or supported in clustering. Also 10.0r3 has some bugs that simply do not appear under location-size workloads found on the 100, 210, 240 units but on the 650s. Also some known bugs with UTM only impact cluster configs.

 

Trusted Contributor
Posts: 52
Registered: ‎12-22-2009

Re: what to replace my SRX with?

I have several SRX-240 clusters running IDP. I never run UTM in a cluster environment. I also do not run dot1Q trunks or VLAN interfaces in a clustered environment. I have several SRX-210s in a non-clustered setup at remote offices running UTM, but I mostly use the antispam features. Early on the devices had issues where the antivirus filtering on HTTP traffic would randomly stop forwarding HTTP traffic and then you had to restart the UTM service to remedy the issue.

 

As for the office size: I have over 60 small offices of 5 to 100 users, and then we have very large datacenters hosted around the world. Different size boxes for different environments. Our large datacenters do not aggregate UTM and IDP functions on the firewall device. I have not drunk the IDP/UTM Kool-Aid yet, not from Checkpoint or Juniper. I think UTM is fine for small offices, but that configuration does not belong in the datacenter.

John Burns
Regular Visitor
Posts: 2
Registered: ‎05-23-2008
0

Re: what to replace my SRX with?

Palo Alto makes a nice line as well if you are looking at NextGen.

Contributor
Posts: 79
Registered: ‎09-15-2010
0

Re: what to replace my SRX with?

My only additions to bufo333's post would be:

 

1. Don't do full (global internet) BGP on branch SRX

2. Look at whether you actually need clustering, and if you do, whether you actually need redundant ethernet

It's true a 650 more than has the grunt to run BGP; it just can't do so stably if it's also performing security functions at the same time (the same goes for the bigger J-series units).

As for the redundant ethernet, if all you have is P2P links with a dynamic routing protocol on them you probably don't need it; just run two links at L3.

My only need for clustering would be an RE failure, and I am hoping that Juniper releases the ability to have a backup RE and M-series level of RE failover.

Contributor
Posts: 16
Registered: ‎05-20-2009
0

Re: what to replace my SRX with?

There is always the Fortinet range, just a ScreenOS firewall in a new tin with some nice enhancements like full IDP and SSL.

Interesting... I never knew Fortinet's executive leader (Ken Xie) was also the founder of Netscreen. Thanks for that info.

 

A similar spin-off of course is Palo Alto Networks, whose core team of engineers were originally Juniper guys. Perhaps even Netscreen guys from the "early days."

 

 

Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0

Re: what to replace my SRX with?

If you don't need all the hardware features of the SRX, another option would be one of the larger SSG boxes running the venerable ScreenOS - these can all be converted to Junos-based devices whenever you feel comfortable with the features, as per the table below taken from http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-migration/junos-es-migration.p... :

 

Table 8: Convertible SSG Hardware and Software

SSG Security Device with ScreenOS 5.4 or Later    Conversion Kit         Resulting Services Router
SSG 320M                                          SSG-320M-J-CONV-S      J2320
SSG 350M                                          SSG-350M-J-CONV-S      J2350
SSG 520M                                          SSG-520M-J-CONV-S      J4350
SSG 550M                                          SSG-550M-J-CONV-S      J6350

 

Again - if you don't need all of the "all in one" capabilities the SRX provides this gets you on a path to Junos.

 

Cheers,

 

-Keith

 

p.s. at the risk of sounding like a broken record...the SRX issues reported are (virtually all) software issues...and the software gets a major feature update every quarter and maintenance releases even more often. I am not going to promise perfection, but every release has been improving the product and we've made major changes to both our development and test methodologies (the upcoming 10.4 being a good example) to further improve product quality.

 

Contributor
Posts: 23
Registered: ‎06-22-2008
0

Re: what to replace my SRX with?

I would agree with grosshong here. Check out Palo Alto.

We have two SRX650s here, still not in production.

 

I've been trialing a Palo Alto box recently, and I've been very impressed. The routing functionality is not nearly as complete as the SRX, but for the actual, real, firewall things you want to do there is no comparison. The logging / interface / application recognition, etc. is far far far better than the SRX.

Contributor
Posts: 54
Registered: ‎03-19-2010
0

Re: what to replace my SRX with?

SRX is in constant growth and improvement.

Actually it has had many problems, but equally it has presented the solutions.

The expectation of the SRX is to be equal to or better than the NetScreen; I think they have everything to do it.

Each client is different, and therefore so are their security solutions, so there will be things that affect some customers and not others.

I like the SRX because it is flexible; it is difficult to understand, but when you get to the point that you know it, it's easy to love.

Each new release improves or solves the above problems.

I have difficulties like:

- the use of Active/Active cluster with UTM;
- the use of VPN client groups and assigning private address DNS and WINS to remote VPN clients (some of these will be supported in 10.4);
- knowledge of TAC about SRX;
- licensing for dynamic-vpn.

As they say, it is flexible and growing; I hope that in the coming months we have a better perspective regarding these devices.

If you wanted to change the SRX, my advice is NetScreen firewalls, because the best of the best is NetScreen "for me"; it hurts to think they are out of business.

edgart

Trusted Contributor
Posts: 96
Registered: ‎08-01-2008
0

Re: what to replace my SRX with?

I don't have much nice to say about the SRXes other than that the dynamic routing and CLI management is excellent. I definitely prefer JUNOS's CLI to ScreenOS any day of the week. That being said, after working with these boxes since 9.5 and 9.6, dealing with the massive headache that was 10.0R2, and running into limitation after limitation on both chassis clusters and non-clustered devices, I'm not exactly raving about these devices either. But I can't recommend a ScreenOS-based box because a majority of the hardware will be EOL'ed sooner rather than later.

 

Current Limitations I've noticed:

GRE Tunnels not supported in clusters

GRE Keepalives not supported at all standalone/cluster

Multicast traffic not working in chassis cluster (Yes it's addressed in 10.2, but that's not the recommended release atm)

VPN Clients requiring an external authentication server (RADIUS)

Firewall filters (protect_RE) preventing the SRX from getting updates for UTM

Updating UTM on the secondary SRX in a cluster

Managing an SRX in a cluster individually in an environment where I am accessing the SRX from the outside world.

Level 1 JTAC not knowing how to navigate the CLI, much less troubleshoot.

 

Whatever happened to Sidewinder?

---
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCIS-SA, JNCIS-AC
Contributor
Posts: 23
Registered: ‎06-22-2008
0

Re: what to replace my SRX with?

Are you referring to Secure Computing's Sidewinder product? The one whose team took 9 months to release a patch so that SMTP would work through their box properly?

 

No thanks. Never dealing with that product ever again. Had to reboot it all the time to workaround issues.