SRX Services Gateway
Contributor
j-t
Posts: 16
Registered: ‎11-20-2010
0

Re: what to replace my SRX with?

This is an open forum and I really hope all people publish all the issues they have with Juniper's products, how else are the rest of us to know what we can promise customers. Also if you ask Juniper then there are no issues at all with SRX, which is obviously a lie, and they also market it very aggressively. So if you promise a customer that there are no issues and everything should be fine and on D day it is not, then both the resellers and Juniper's rep will be out the door, that is lousy business for all parts.

I like Juniper's products, especially the SRX, but if they do not match up with the rest that is out there then they better get focused and resolve it or I and many others will go elsewhere. Have done so before, and obviously a lot of other people here as well...

Super Contributor
colemtb
Posts: 313
Registered: ‎09-30-2009
0

Re: what to replace my SRX with?

I'd personally replace all my SRXs with MGW ICSs, oh wait, that's an SRX too! 144 free SIP terminating end-points?!?!?! Oh yeah! FYI Replaced all my ASAs with SRXs, any problem I find is either well documented in forums as I'm not the only one doing this stuff, or JTAC has been able to assist with.

Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007
0

Re: what to replace my SRX with?

All,

Reminder to keep comments on a professional level. We are not editing or deleting posts that are product focused - even when competitors' products are named favorably. It is our job to address the issues and win your business and these forums provide an important avenue to expose the issues.

There are better ways to address account management issues.

Regards,

-Keith

Contributor
Qin
Posts: 12
Registered: ‎01-12-2011
0

Re: what to replace my SRX with?

If I had to redo it, I would have gone with the ASA, much better support for VPN. If I knew 1 year ago that the SRX client VPN was this bad, would have never considered it. 1 year later still can't roll it out to clients.

Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010
0

Re: what to replace my SRX with?

Qin wrote:

If I had to redo it, I would have gone with the ASA, much better support for VPN. If I knew 1 year ago that the SRX client VPN was this bad, would have never considered it. 1 year later still can't roll it out to clients.

I have an ASA, JUST for remote access VPN.. AnyConnect is a mess, and I have been through at least 2 interim releases (special support downloads) for the ASA, a FORCED memory upgrade to get to a release with Windows 7 support, and the endpoint assessment features are about 6 months behind when it comes to detecting various AV products. Cisco is no better, and in some cases worse. Being modular you can upgrade various parts, however this also means you need to keep track of about 6 components and their compatibility with each other, not to mention fight with support while they blame different components.

Running 10.2r3 on all of my SRX systems right now and things are good...

Regular Visitor
William Turner
Posts: 3
Registered: ‎11-05-2010
0

Re: what to replace my SRX with?

Seems to be a grass is always greener type question.

Why? A year ago we were asking, what to replace our aging Check Point hardware running NGX R65?

With the bake offs and reviews of the different product offerings, we'd selected the SRX 3400's in our primary data centers and 240 and 210's in the field.

It's amazing that one can purchase a 240 for less than what a Check Point Edge X Unlimited costs.

Granted, it's taken some work to get used to using Junos rather than the Check Point SmartDashboard, but the results have been worth it. VPN performance and reliability have gone up for us.

Enabling the FTP archives of each unit's configuration also makes me feel much better. The backup process of Check Point was tedious and we'd frequently need to recover it due to policy corruption.

Using templates and careful monitoring of the configurations helps us to have solid policies at our locations, but again the Check Point management did simplify that to a great degree. I do have to say that the centralized reporting was truly king. We are getting close, but still not the same using logging to Splunk.

However, between corrupted policies and the overall performance of the hardware for the price, we'd decided to switch to Juniper SRX.

Sorry to hear it's not working out for you, but I'd not switch back at this time in my environment.

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008
0

Re: what to replace my SRX with?

I've been trying to deploy SRXs to 3 different customers now, and for the most part, we had very bad experiences. Especially if you have to do management with NSM. The latter is just a bad joke at the current state.

As much as I love the SRX and Junos on paper, in reality, they are not ready for prime time yet.


Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
tbehrens
Posts: 349
Registered: ‎04-30-2010
0

Re: what to replace my SRX with?

What were the issues you encountered, crypto?

In our field deployments, we've quickly learned that a customer that relies very heavily on a web UI will need at the very least 10.4r3, and will need to be shown the web UI before the sale so there is no expectation gap.

As a layer 4 firewall with strong routing / VPN support, the SRX works great, and offers amazing performance at the right price point.

SRX is not a fit for dual-ISP without dynamic routing, at least not yet. That configuration is too complex and too restrictive (IKE, DHCP restrictions in VR; overall complexity). We'll re-assess that judgment around the 11.4 time frame.

Clustering needs careful design due to fxp0 routing. This is manageable, but does need to be managed.

Central management needs work, as you pointed out. Probably also a 2H2011 thing.

We've had troubles with UAC integration, which look resolved with 10.4S3.

Clustered UTM needs improvement. The "both RGs on the same member" requirement plays merry hell with RG1 failover.

Bottom line: The SRX is a great firewall - with limitations. The exact use case definitely needs to be vetted during the sales cycle and compared to the current strengths and weaknesses of the SRX line.


Contributor
versello
Posts: 60
Registered: ‎12-21-2009
0

Re: what to replace my SRX with?

tbehrens - Can you elaborate on why the SRX isn't fit for dual ISPs without static routing? I am planning on having a second carrier provide Ethernet services to me and will dual-home with BGP. I have my configuration set up in a lab with JUNOS olives... hoping it will carry over to the SRX without much problem.

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008
0

Re: what to replace my SRX with?

The most trouble we had was with clustering (fxp0 limitations, give me a break here) and NSM management: policy not being locked, NSM not getting the status of the device, e.g. the device is changed or even disconnected and NSM reports the device is unchanged or up.

Ever tried to get a list of interfaces and their IP addresses of a single SRX using NSM? Good luck with that.

Pardon my French, but it just sucks. Period.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860