SRX Services Gateway
Trusted Contributor
Posts: 213
Registered: ‎07-14-2008
0 Kudos

Re: what to replace my SRX with?

I believe McAfee bought that product, so now it should be Intel, right?

 

Ron

Contributor
Posts: 19
Registered: ‎04-17-2010
0 Kudos

Re: what to replace my SRX with?

[ Edited ]

We purchased two SRX650s and clustered them. At first, I was a little apprehensive being a ScreenOS guru, but after working with the SRXs for about two months now, I cannot think of a better OS to run. The SRX comes with zone-based policies (adopted from ScreenOS), the NATing is more flexible, and it has all the routing capabilities of the best routers money can buy. It's not perfect, but I don't know any other firewall that comes close in any category.

Checkpoint??? Checkpoint sucks: implied rules, never met a protocol it liked without major tweaking.

PaloAlto????? Just because the guy who founded it was the CTO at Netscreen doesn't mean they are any good.

Cisco??????? Overpriced, half the performance and TERRIBLE HORRIBLE IOS or whatever they call it now. By the way, support from Cisco is horrible and you're lucky if you can meet your project deadlines since Cisco can't deliver hardware.

I like the term "Pilot Error" 

Contributor
Posts: 23
Registered: ‎06-22-2008
0 Kudos

Re: what to replace my SRX with?

Just curious, how are you managing logging for your SRX650 cluster? Do you really find it as nice as the Netscreens were?

Also, how are you managing NTP sync for your cluster?

Are you using fxp0 for any of this? If not, how are you managing it when not in cluster mode?

Palo Alto: Just because you haven't evaluated the product doesn't mean it's bad.

Cisco: Yeah, we won't go there.

Contributor
Posts: 19
Registered: ‎04-17-2010
0 Kudos

Re: what to replace my SRX with?

I use Juniper STRM to log the SRX. No, I do not find it as nice as ScreenOS. I am getting used to it, but not there yet.

In the SRX cluster, yes, NTP sync is very annoying.

I do not use fxp0 to manage; I don't like how the OoB interface is not really out of band in the traditional sense. I either use the RETH to access and switch between REs or a serial remote console. If we had a larger environment I probably would not have gone to SRX yet, but for now it does exactly what we need. In time the annoyances will be corrected. We are a ScreenOS shop with NSM, and I have no issues whatsoever with those.

I have had limited contact with Palo Alto. I didn't say they were bad, it's just that every time we tell a vendor that we use Netscreens, they come back with the CTO thing... which means nothing. Actually, Fortinets are quite nice; if they don't come around to making the SRX as solid as ScreenOS, we will seriously consider Fortinet.

Are you a Cisco shop? I noticed you had another thread talking about Nexus.

Trusted Contributor
Posts: 106
Registered: ‎08-01-2008
0 Kudos

Re: what to replace my SRX with?

Yeah, that's the one. And that is still not as bad as the many months it took Juniper to fix the SSG320's ScreenOS 6.0 bug of applying AV, DI, Anti-spam, or logging on a VIP on a loopback interface. Or the near full year it took me to get Websense/SurfControl to fix a bug in their Juniper integration: if you had more than 2 or 3 ScreenOS-based firewalls connecting to it, SurfControl would send TCP resets to the Junipers, effectively stopping filtering until you manually restarted the services. I tend to be a pretty patient guy when it comes to bugs and show-stoppers, but even my patience is wearing thin when it comes to the SRX for the reasons I listed in my previous post (and then some).

---
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCSP-ENT, JNCIS-SP, JNCDS-DC, JNCDS-SEC
Contributor
Posts: 12
Registered: ‎09-12-2010
0 Kudos

Re: what to replace my SRX with?

[ Edited ]

We are also considering dropping the SRX. Frankly, I am very unhappy with the box. We have already tried to return the box, but the dealer wasn't too understanding on that matter. So, what to replace it with? Well, I was very happy with NetScreen, so one of the SSG boxes would be the obvious choice. But then again, Juniper is moving away from NetScreen, so maybe it is time to move away from Juniper altogether. I think they make all the wrong decisions, at least from my point of view.

Why can't they just continue and improve the excellent NetScreen OS? It is close to perfect. OK, I gather JUNOS is brilliant for routing and switching, but I need a proper stable firewall and VPN gateway. I don't want a box I have to reboot every other day, I don't want a box I have to set up a RADIUS server for simple road warrior VPN. I want to be able to run any third-party IPsec client (cross-platform Linux, OSX, Windows), etc. etc. SRX/JUNOS is not a mature product in that sense yet, and it is probably years away.


A dream scenario for me would be if I could run Netscreen on SRX, not the other way around, i.e. JUNOS on SSG.

Contributor
Posts: 23
Registered: ‎06-22-2008
0 Kudos

Re: what to replace my SRX with?

Didn't realize there was a reply in here.

I still haven't found a good solution to NTP sync either. Not fun.

STRM is just the Q1 Labs product, correct? I haven't had a chance to look at that yet.

I need to try retooling our management setup to just use RETH interfaces instead of fxp0. We'll see how that goes. It's really frustrating even trying to do a software update with the current setup here. I too am using a dedicated serial console box to actually manage the units. I'm also considering just getting a dedicated box for IPsec VPN, since I can't do IPsec outside of inet.0.

If you have the right environment, the Palo Alto is definitely worth checking out. It's definitely focused on users and application recognition, not nearly as colo/service provider focused. Their application and user recognition is excellent though. They have also been able to build a responsive web interface for their product, even with the Octeon processors in the box.

We used to be a Cisco shop; we started changing things up a few years back. I ended up ditching the Nexus gear after a trial and going with Arista 10gig switches for our storage networking. Been very happy with it. That's actually what got us to try the Juniper switching gear, and we've been happy with it for our uses so far. If they ever get ISSU working on chassis cluster with the EX-4200 line, that will be fantastic. I wish SRX cluster upgrades worked like the EX chassis cluster stuff does.

I was planning on replacing our SSG-320s with SRX-650s, and converting the SSGs to J-series units for other uses. I have not been able to do that yet though. Maybe 2011 will be their year. Very expensive paperweights so far. Lots of missing features right now. At least stability is getting better though.

It still amazes me that my loaded J4350's web interface (which never gets used) is responsive, and the SRX-650 cluster I have sitting idle acts like it's a fully loaded box. Over a minute to log in. I'm thinking I probably should just give up on hoping to view logs, etc. like I do on the SSGs and get some external solution working (like STRM, or Splunk, or something) so that when I get DNS-PROXY/working NTP I can actually transition.

Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: what to replace my SRX with?

It would definitely be worth waiting for Junos 10.4 to have a look. I just got a presentation from the engineering team on it, and am really impressed with all the work that's gone into it and the confidence they have about its performance. I know in particular that there was a lot of work on the HA code, and I would bet that the sluggishness you're seeing will be resolved.

Regards,

-Keith

j-t
Contributor
Posts: 16
Registered: ‎11-20-2010
0 Kudos

Re: what to replace my SRX with?

I ran a lot of Checkpoints about 5 years back. It was the NGX series: basically you ran Checkpoint's Linux-based (RedHat) OS and on that the Checkpoint products, in a normal server. Worked like a charm, extremely stable and high throughput, but a huge price tag to it! So if money is no object and all you need is a firewall, then I'd go with a software-based Checkpoint (think they call the product blade or something now?). Also it has a very strong GUI and log analyzer; take that with tcpdump on the OS and there is nothing you can't debug easily on these! If you are after other features and need sites with less power in them, then Checkpoint will be too expensive for what you get for your money. Also never touch the Edge products since they are garbage.

Cisco is just expensive and complicated, unless you are a Cisco person working with these day to day and have been so for years. Has anyone tried generating a CSR in an ASA and importing the certificate once it's done? Have a look at how you do this and try to do it in the GUI, a proper pain. An all-Cisco environment, sure, why not go for the ASA55**; otherwise no thanks!

Juniper SRX cannot compete with the Checkpoint as a firewall, but it is the best one out there on VPN, as an all-rounder and for a fairly good price. Also they scale from the SRX100 up to the big chassis-based ones, and you can add on IDP, web filtering etc. (this does not work as well on a Checkpoint as on the SRX, last I heard anyway). Sure, the SRX is a young product and there are some glitches, but if you look at the big picture, it's a really nice OS and good hardware, easy to work with the zones and so on. I just love them for the VPN capabilities. Working with others such as Cisco is a little tricky, but once you know how to solve it then it's not too big a deal (for instance, you need one tunnel per proxy-id on the Cisco/Checkpoint side, i.e. one per subnet you want to tunnel).

That's my 5 eurocents on the subject...

Contributor
Posts: 31
Registered: ‎02-02-2008
0 Kudos

Re: what to replace my SRX with?

Please don't post these sad stories about SRX; you are damaging the resellers' and JN's efforts for selling SRX products.

You can review on the internet what's happening with Checkpoint and Cisco. Chkp customers are migrating to Fortinet and PaloAlto Networks. Why? Price and performance. I know a customer that has been trying to resolve MX record trouble with Checkpoint since 2 months ago; I believe that Checkpoint is over (you can review the competitive upgrade of Fortinet or PAN for capturing the Checkpoint firewalls).

j-t wrote:

I ran a lot of Checkpoints about 5 years back. It was the NGX series: basically you ran Checkpoint's Linux-based (RedHat) OS and on that the Checkpoint products, in a normal server. Worked like a charm, extremely stable and high throughput, but a huge price tag to it! So if money is no object and all you need is a firewall, then I'd go with a software-based Checkpoint (think they call the product blade or something now?). Also it has a very strong GUI and log analyzer; take that with tcpdump on the OS and there is nothing you can't debug easily on these! If you are after other features and need sites with less power in them, then Checkpoint will be too expensive for what you get for your money. Also never touch the Edge products since they are garbage.

Cisco is just expensive and complicated, unless you are a Cisco person working with these day to day and have been so for years. Has anyone tried generating a CSR in an ASA and importing the certificate once it's done? Have a look at how you do this and try to do it in the GUI, a proper pain. An all-Cisco environment, sure, why not go for the ASA55**; otherwise no thanks!

Juniper SRX cannot compete with the Checkpoint as a firewall, but it is the best one out there on VPN, as an all-rounder and for a fairly good price. Also they scale from the SRX100 up to the big chassis-based ones, and you can add on IDP, web filtering etc. (this does not work as well on a Checkpoint as on the SRX, last I heard anyway). Sure, the SRX is a young product and there are some glitches, but if you look at the big picture, it's a really nice OS and good hardware, easy to work with the zones and so on. I just love them for the VPN capabilities. Working with others such as Cisco is a little tricky, but once you know how to solve it then it's not too big a deal (for instance, you need one tunnel per proxy-id on the Cisco/Checkpoint side, i.e. one per subnet you want to tunnel).

That's my 5 eurocents on the subject...

Cisco? It is an excellent enterprise switch and router company; forget it for security. We replaced a Cisco ASA5520 with a Fortigate unit, and the Cisco ASA is very dumb, really very dumb, and the performance is very poor. Please, Cisco, return to your routers and switches; don't leave from there.

PaloAlto Networks is a NG firewall, a true NG. With SP3 you can have high throughput and super apps monitoring; you can review the NSS Labs tests about the IPS of PAN (impressive tests). But, there is always a but: it is not a UTM (it doesn't have email control), it is a small company with limited services resources, and you will not have support services like Juniper or Cisco.

Please don't post sad stories about SRX; it is very hard to read these stories about who was the firewall leader in the past (Netscreen).

j-t
Contributor
Posts: 16
Registered: ‎11-20-2010
0 Kudos

Re: what to replace my SRX with?

This is an open forum and I really hope all people publish all the issues they have with Juniper's products; how else are the rest of us to know what we can promise customers? Also, if you ask Juniper then there are no issues at all with SRX, which is obviously a lie, and they also market it very aggressively. So if you promise a customer that there are no issues and everything should be fine, and on D day it is not, then both the reseller's and Juniper's rep will be out the door. That is lousy business for all parties.

I like Juniper's products, especially the SRX, but if they do not match up with the rest that is out there then they better get focused and resolve it, or I and many others will go elsewhere. Have done so before, and obviously a lot of other people here as well...

Super Contributor
Posts: 313
Registered: ‎09-30-2009
0 Kudos

Re: what to replace my SRX with?

I'd personally replace all my SRXs with MGW ICSs, oh wait, that's an SRX too! 144 free SIP terminating end-points?!?!?! Oh yeah! FYI, I replaced all my ASAs with SRXs; any problem I find is either well documented in forums, as I'm not the only one doing this stuff, or JTAC has been able to assist with it.

Trusted Expert
Posts: 784
Registered: ‎11-01-2007
0 Kudos

Re: what to replace my SRX with?

All,

Reminder to keep comments on a professional level. We are not editing or deleting posts that are product focused, even when competitors' products are named favorably. It is our job to address the issues and win your business, and these forums provide an important avenue to expose the issues.

There are better ways to address account management issues.

Regards,

-Keith

Qin
Contributor
Posts: 12
Registered: ‎01-12-2011
0 Kudos

Re: what to replace my SRX with?

If I had to redo it, I would have gone with the ASA, much better support for VPN. If I had known 1 year ago that the SRX client VPN was this bad, I would never have considered it. 1 year later I still can't roll it out to clients.

Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0 Kudos

Re: what to replace my SRX with?

Qin wrote:

If I had to redo it, I would have gone with the ASA, much better support for VPN. If I had known 1 year ago that the SRX client VPN was this bad, I would never have considered it. 1 year later I still can't roll it out to clients.

I have an ASA JUST for remote access VPN. AnyConnect is a mess, and I have been through at least 2 interim releases (special support downloads) for the ASA, a FORCED memory upgrade to get to a release with Windows 7 support, and the endpoint assessment features are about 6 months behind when it comes to detecting various AV products. Cisco is no better, and in some cases worse. Being modular you can upgrade various parts; however, this also means you need to keep track of about 6 components and their compatibility with each other, not to mention fight with support while they blame different components.

Running 10.2r3 on all of my SRX systems right now and things are good...

Regular Visitor
Posts: 3
Registered: ‎11-05-2010
0 Kudos

Re: what to replace my SRX with?

Seems to be a "grass is always greener" type question.

Why? A year ago we were asking, what to replace our aging Check Point hardware running NGX R65 with?

With the bake-offs and reviews of the different product offerings, we'd selected the SRX 3400s in our primary data centers and 240s and 210s in the field.

It's amazing that one can purchase a 240 for less than what a Check Point Edge X Unlimited costs.

Granted, it's taken some work to get used to using Junos rather than the Check Point SmartDashboard, but the results have been worth it. VPN performance and reliability have gone up for us.

Enabling the FTP archives of each unit's configuration also makes me feel much better. The backup process of Check Point was tedious and we'd frequently need to recover it due to policy corruption.

Using templates and careful monitoring of the configurations helps us to have solid policies at our locations, but again the Check Point management did simplify that to a great degree. I do have to say that the centralized reporting was truly king. We are getting close, but it is still not the same using logging to Splunk.

However, between corrupted policies and the overall performance of the hardware for the price, we'd decided to switch to Juniper SRX.

Sorry to hear it's not working out for you, but I'd not switch back at this time in my environment.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?

I've been trying to deploy SRXs to 3 different customers now, and for the most part, we had very bad experiences. Especially if you have to do management with NSM. The latter is just a bad joke in its current state.

As much as I love the SRX and Junos on paper, in reality, they are not ready for prime time yet.


Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: what to replace my SRX with?

[ Edited ]

What were the issues you encountered, crypto?

In our field deployments, we've quickly learned that a customer that relies very heavily on a web UI will need at the very least 10.4r3, and will need to be shown the web UI before the sale so there is no expectation gap.

As a layer 4 firewall with strong routing / VPN support, the SRX works great, and offers amazing performance at the right price point.

SRX is not a fit for dual-ISP without dynamic routing, at least not yet. That configuration is too complex and too restrictive (IKE, DHCP restrictions in VR; overall complexity). We'll re-assess that judgment around the 11.4 time frame.

Clustering needs careful design due to fxp0 routing. This is manageable, but does need to be managed.

Central management needs work, as you pointed out. Probably also a 2H2011 thing.

We've had troubles with UAC integration, which look resolved with 10.4S3.

Clustered UTM needs improvement. The "both RGs on the same member" requirement plays merry hell with RG1 failover.

Bottom line: The SRX is a great firewall, with limitations. The exact use case definitely needs to be vetted during the sales cycle and compared to the current strengths and weaknesses of the SRX line.

Contributor
Posts: 60
Registered: ‎12-21-2009
0 Kudos

Re: what to replace my SRX with?

tbehrens - Can you elaborate on why the SRX isn't fit for dual ISPs without static routing? I am planning on having a second carrier provide Ethernet services to me and will dual-home with BGP. I have my configuration set up in a lab with JUNOS Olives... hoping it will carry over to the SRX without much problem.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: what to replace my SRX with?

The most trouble we had was with clustering (fxp0 limitations, give me a break here) and NSM management: policy not being locked, NSM not getting the status of the device, e.g. the device is changed or even disconnected and NSM reports the device is unchanged or up.

Ever tried to get a list of interfaces and their IP addresses of a single SRX using NSM? Good luck with that.

Pardon my French, but it just sucks. Period.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860