SRX Services Gateway
Trusted Contributor
rfrederick

Re: what to replace my SRX with?

I believe McAfee bought that product, so now it should be Intel, right?


Ron

Contributor
Manny


We purchased two SRX650s and clustered them. At first, I was a little apprehensive being a ScreenOS guru, but after working with the SRXs for about two months now, I cannot think of a better OS to run. The SRX comes with zone-based policies (adopted from ScreenOS), more flexible NATing, and all the routing capabilities of the best routers money can buy. It's not perfect, but I don't know any other firewall that comes close in any category.


Checkpoint??? Checkpoint sucks, implied rules, never met a protocol it liked without major tweaking.

PaloAlto????? Just because the guy who founded it was the CTO at Netscreen doesn't mean they are any good.

Cisco??????? Overpriced, half the performance and TERRIBLE HORRIBLE IOS or whatever they call it now. By the way, support from Cisco is horrible and you're lucky if you can meet your project deadlines since Cisco can't deliver hardware.


I like the term "Pilot Error" 

Contributor
devol


Just curious, how are you managing logging for your SRX650 cluster? Do you really find it as nice as the netscreens were?


Also, how are you managing NTP sync for your cluster?


Are you using fxp0 for any of this? If not, how are you managing it in cluster mode?


Palo Alto: Just because you haven't evaluated the product doesn't mean it's bad.


Cisco: Yeah we won't go there.

Contributor
Manny


I use Juniper STRM to log the SRX. No, I do not find it as nice as ScreenOS. I am getting used to it, but I'm not there yet.


In the SRX cluster, yes, NTP sync is very annoying.


I do not use fxp0 to manage; I don't like how the OoB interface is not really out of band in the traditional sense. I either use the RETH to access and switch between REs, or a serial remote console. If we had a larger environment I probably would not have gone to SRX yet, but for now it does exactly what we need. In time the annoyances will be corrected. We are a ScreenOS shop with NSM; I have no issues whatsoever with those.


I have had limited contact with Palo Alto. I didn't say they were bad; it's just that every time we tell a vendor that we use NetScreens, they come back with the CTO thing... which means nothing. Actually, Fortinets are quite nice; if they don't come around to making the SRX as solid as ScreenOS, we will seriously consider Fortinet.


Are you a Cisco shop? I noticed you had another thread talking about Nexus.

Contributor
dark1587


Yeah, that's the one. And that is still not as bad as the many months it took Juniper to fix the SSG320's ScreenOS 6.0 bug of applying AV, DI, Anti-spam, or logging on a VIP on a loopback interface. Or the near full year it took me to get Websense/SurfControl to fix a bug in their Juniper integration: if you had more than 2 or 3 ScreenOS-based firewalls connecting to it, SurfControl would send TCP resets to the Junipers, effectively stopping filtering until you manually restarted the services. I tend to be a pretty patient guy when it comes to bugs and show-stoppers, but even my patience is wearing thin when it comes to the SRX for the reasons I listed in my previous post (and then some).

---
JNCIE-SEC #69, JNCIP-ENT, JNCSP-SEC, JNCIS-SA, JNCIS-AC, JNCIA-IDP, JNCIA-WX
Contributor
laurentius


We are also considering dropping the SRX. Frankly, I am very unhappy with the box. We have already tried to return the box, but the dealer wasn't too understanding on that matter. So, what to replace it with? Well, I was very happy with NetScreen, so one of the SSG boxes would be the obvious choice. But then again, Juniper is moving away from NetScreen, so maybe it is time to move away from Juniper altogether. I think they make all the wrong decisions, at least from my point of view.


Why can't they just continue and improve the excellent NetScreen OS? It is close to perfect. OK, I gather JUNOS is brilliant for routing and switching, but I need a proper stable firewall and VPN gateway. I don't want a box I have to reboot every other day; I don't want a box I have to set up a RADIUS server for for simple road-warrior VPN. I want to be able to run any third-party IPsec client (cross-platform: Linux, OS X, Windows), etc. etc. SRX/JUNOS is not a mature product in that sense yet, and it is probably years away.


A dream scenario for me would be if I could run Netscreen on SRX, not the other way around, i.e. JUNOS on SSG.

Contributor
devol


Didn't realize there was a reply in here.


I still haven't found a good solution to NTP sync either. Not fun.


STRM is just the Q1 Labs product, correct? I haven't had a chance to look at that yet.


I need to try retooling our management setup to just use RETH interfaces instead of fxp0. We'll see how that goes. It's really frustrating even trying to do a software update with the current setup here. I too am using a dedicated serial console box to actually manage the units. I'm also considering just getting a dedicated box for running IPsec VPN, since I can't do IPsec outside of inet.0.


If you have the right environment, the Palo Alto is definitely worth checking out. It's definitely focused on users and application recognition, not nearly as colo/service-provider focused. Their application and user recognition is excellent though. They have also been able to build a responsive web interface for their product, even with the Octeon processors in the box.


We used to be a Cisco shop; we started changing things up a few years back. I ended up ditching the Nexus gear after a trial and going with Arista 10 gig switches for our storage networking. Been very happy with it. That's actually what got us to try the Juniper switching gear, and we've been happy with it for our uses so far. If they ever get ISSU working on chassis cluster with the EX-4200 line, that will be fantastic. I wish SRX cluster upgrades worked like the EX chassis cluster stuff does.


I was planning on replacing our SSG-320s with SRX-650s, and converting the SSGs to J-series units for other uses. I have not been able to do that yet though. Maybe 2011 will be the year. Very expensive paperweights so far. Lots of missing features right now. At least stability is getting better though.


It still amazes me that my loaded J4350's web interface (which never gets used) is responsive, and the SRX-650 cluster I have sitting idle acts like it's a fully loaded box. Over a minute to log in. I'm thinking I probably should just give up on hoping to view logs etc. like I do on the SSGs and get some external solution working (like STRM, or Splunk, or something) so that when I get DNS proxy/working NTP I can actually transition.

Trusted Expert
Automate


It would definitely be worth waiting for Junos 10.4 to have a look. I just got a presentation from the engineering team on it, and am really impressed with all the work that's gone into it and the confidence they have about its performance. I know in particular that there was a lot of work on the HA code, and I would bet that the sluggishness you're seeing will be resolved.


Regards,


-Keith

Contributor
j-t


I ran a lot of Checkpoints about 5 years back; it was the NGX series, which basically ran Checkpoint's Linux-based (RedHat) OS and on that the Checkpoint products, on a normal server. Worked like a charm, extremely stable and high throughput, but a huge price tag on it! So if money is no object and all you need is a firewall then I'd go with a software-based Checkpoint (think they call the product Blade or something now?). Also it has a very strong GUI and log analyzer; take that with tcpdump on the OS and there is nothing you can't debug easily on these! If you are after other features and need sites with less power in them, then Checkpoint will be too expensive for what you get for your money; also never touch the Edge products since they are garbage.


Cisco is just expensive and complicated, unless you are a Cisco person working with these day to day and have been so for years. Has anyone tried generating a CSR on an ASA and importing the certificate once it's done? Have a look at how you do this and try it in the GUI, a proper pain. In an all-Cisco environment, sure, why not go for the ASA55**, otherwise no thanks!


Juniper SRX cannot compete with the Checkpoint as a firewall, but it is the best one out there on VPN, as an all-rounder, and for a fairly good price. Also they scale from the SRX100 up to the big chassis-based ones; you can add on IDP, web filtering etc. (this does not work as well on a Checkpoint as on the SRX, last I heard anyway). Sure the SRX is a young product and there are some glitches, but if you look at the big picture, it's a really nice OS and good hardware, easy to work with the zones and so on. I just love them for the VPN capabilities; working with others such as Cisco is a little tricky, but once you know how to solve it then it's not too big a deal (for instance, you need one tunnel per proxy-ID on the Cisco/Checkpoint side, i.e. one per subnet you want to tunnel).


That's my 5 eurocents on the subject...

Contributor
Victorhud


Please don't post these sad stories about SRX; you are damaging the resellers' and JN's efforts for selling SRX products.


You can review on the internet what's happening with Checkpoint and Cisco. Chkp customers are migrating to Fortinet and PaloAlto Networks. Why? Price and performance. I know a customer that has been trying to resolve MX record trouble with Checkpoint for 2 months; I believe that Checkpoint is over (you can review the competitive upgrade of Fortinet or PAN for capturing the Checkpoint firewalls).


Cisco? It is an excellent enterprise switch and router company; forget it for security. We replaced a Cisco ASA5520 with a Fortigate unit, and the Cisco ASA is very dumb, really very dumb, and the performance is very poor. Please, Cisco, return to your routers and switches and don't leave from there.


PaloAlto Networks is a NG firewall, a true NG; with SP3 you can have high throughput and super apps monitoring, and you can review the NSS Labs tests of the PAN IPS (impressive tests). But, there is always a but: it is not a UTM (it doesn't have email control), and it is a small company with limited services resources, so you will not have support services like Juniper's or Cisco's.


Please don't post sad stories about SRX; it is very hard to read these stories about who was the firewall leader in the past (Netscreen).

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.