09-20-2010 02:10 PM
I have many SRX firewalls in clusters. I have never had an issue with them. We run IDP and many other features. I have over 15 SRX firewalls deployed with not an issue. If you run your firewalls on the JTAC recommended release, you will not have an issue.
What size of office? And did you do HA on any of them? All of the recent release notes state that UTM features are not recommended or supported in clustering. Also, 10.0r3 has some bugs that simply do not appear under the location-size workloads found on the 100, 210 and 240 units, but do on the 650s. Also, some known bugs with UTM only impact cluster configs.
09-20-2010 07:03 PM - edited 09-20-2010 07:05 PM
I have several SRX-240 clusters running IDP. I never run UTM in a cluster environment. I also do not run dot1Q trunks or VLAN interfaces in a clustered environment. I have several SRX-210s in a non-clustered setup at remote offices running UTM, but I mostly use the antispam features. Early on the devices had issues where the antivirus filtering on HTTP traffic would randomly stop forwarding HTTP traffic, and then you had to restart the UTM service to remedy the issue.
As for the office size: I have over 60 small offices of 5 to 100 users, and then we have very large datacenters hosted around the world. Different size boxes for different environments. Our large datacenters do not aggregate UTM and IDP functions on the firewall device. I have not drunk the IDP/UTM Kool-Aid yet, not from Check Point or Juniper. I think UTM is fine for small offices, but that configuration does not belong in the datacenter.
09-23-2010 05:56 AM
My only additions to bufo333's post would be:
1. Don't do full (global internet) BGP on branch SRX
2. Look at whether you actually need clustering, and if you do, whether you actually need redundant ethernet
It's true a 650 more than has the grunt to run BGP; it just can't do so stably if it's also performing security functions at the same time (the same goes for the bigger J-series units).
As for the redundant ethernet, if all you have is P2P links with a dynamic routing protocol on them you probably don't need it; just run two links at L3.
My only need for clustering would be an RE failure, and I am hoping that Juniper releases the ability to have a backup RE and M-series level of RE failover.
09-23-2010 09:44 AM
There is always the Fortinet range, just a ScreenOS firewall in a new tin with some nice enhancements like full IDP and SSL.
Interesting... I never knew Fortinet's executive leader (Ken Xie) was also the founder of Netscreen. Thanks for that info.
A similar spin-off of course is Palo Alto Networks, whose core team of engineers were originally Juniper guys. Perhaps even Netscreen guys from the "early days."
09-23-2010 01:46 PM
If you don't need all the hardware features of the SRX, another option would be one of the larger SSG boxes running the venerable ScreenOS. These can all be converted to Junos-based devices whenever you feel comfortable with the features, as per the table below taken from http://www.juniper.net/techpubs/software/junos-es/

Table 8: Convertible SSG Hardware and Software

| SSG Security Device with ScreenOS 5.4 or Later | Conversion Kit       | Resulting Services Router |
|------------------------------------------------|----------------------|---------------------------|
| SSG 320M                                       | SSG-320M-J-CONV-S    | J2320                     |
| SSG 350M                                       | SSG-350M-J-CONV-S    | J2350                     |
| SSG 520M                                       | SSG-520M-J-CONV-S    | J4350                     |
| SSG 550M                                       | SSG-550M-J-CONV-S    | J6350                     |
Again, if you don't need all of the "all in one" capabilities the SRX provides, this gets you on a path to Junos.
P.S. At the risk of sounding like a broken record, the SRX issues reported are (virtually all) software issues, and the software gets a major feature update every quarter and maintenance releases even more often. I am not going to promise perfection, but every release has been improving the product, and we've made major changes to both our development and test methodologies (the upcoming 10.4 being a good example) to further improve product quality.
09-30-2010 12:13 PM
I would agree with grosshong here. Check out Palo Alto.
We have two SRX650s here, still not in production.
I've been trialing a Palo Alto box recently, and I've been very impressed. The routing functionality is not nearly as complete as the SRX, but for the actual, real firewall things you want to do there is no comparison. The logging, interface, application recognition, etc. is far, far, far better than the SRX.
10-01-2010 08:00 AM
SRX is in constant growth and improvement.
Actually I have had many problems, but equally it has presented the solutions.
The expectation of the SRX is to be equal to or better than the NetScreen; I think they have everything needed to do it.
Each client is different, and therefore so are their security solutions, so there will be things that affect some customers and not others.
I like that the SRX is flexible; it is difficult to understand, but when you get to the point that you know it, it's easy to love.
Each new release improves or solves the above problems.
I have difficulties like:
- the use of Active/Active cluster with UTM;
- the use of VPN client groups and assigning private-address DNS and WINS to remote VPN clients (some of these will be supported in 10.4);
- TAC's knowledge about the SRX;
- licensing for dynamic-vpn.
As they say, it is flexible and growing in cash; I hope that in the coming months we have a better perspective regarding these devices.
If you wanted to change from the SRX, my advice is NetScreen firewalls, because the best of the best is NetScreen "for me"; it hurts to think it is out of business.
10-01-2010 05:13 PM - edited 10-01-2010 05:25 PM
I don't have much nice to say about the SRXes other than that the dynamic routing and CLI management are excellent. I definitely prefer JUNOS's CLI to ScreenOS any day of the week. That being said, after working with these boxes since 9.5 and 9.6, dealing with the massive headache that was 10.0R2, and running into limitation after limitation on both chassis clusters and non-clustered devices, I'm not exactly raving about these devices either. But I can't recommend a ScreenOS-based box because a majority of the hardware will be EOL'ed sooner rather than later.
Current limitations I've noticed:
- GRE tunnels not supported in clusters
- GRE keepalives not supported at all, standalone or cluster
- Multicast traffic not working in chassis cluster (yes, it's addressed in 10.2, but that's not the recommended release atm)
- VPN clients requiring an external authentication server (RADIUS)
- Firewall filters (protect_RE) preventing the SRX from getting updates for UTM
- Updating UTM on the secondary SRX in a cluster
- Managing an SRX in a cluster individually in an environment where I am accessing the SRX from the outside world
- Level 1 JTAC not knowing how to navigate the CLI, much less troubleshoot
Whatever happened to Sidewinder?
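An added illustration of the protect-RE point in the limitation list above; this is not from any post in this thread or from Juniper documentation. A loopback input filter that admits only inbound management sessions also drops the replies to sessions the Routing Engine opens itself. Under the assumption (mine, not stated by the poster) that the UTM signature download is an RE-initiated TCP session, that is the interaction that leaves the box unable to update. The generic Junos pattern below keeps the filter restrictive while letting RE-originated sessions complete: a term that matches only established TCP (so no unsolicited SYN is admitted), a term for DNS answers, a management term limited to a placeholder admin prefix, and a logged default discard. The 192.0.2.0/24 prefix and the term names are placeholders I chose.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Replies to TCP sessions the RE initiated (e.g. an update
               download): tcp-established requires ACK or RST set, so a
               bare SYN from outside never matches this term. */
            term re-initiated-tcp-replies {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Answers to the RE's own resolver queries. */
            term dns-replies {
                from {
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            /* Management only from the trusted admin prefix (placeholder). */
            term mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Everything else is counted, logged and dropped so that a
               blocked update shows up in the counters rather than silently. */
            term deny-rest {
                then {
                    count protect-re-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, a failed update attempt will show up as hits on the protect-re-denied counter in `show firewall filter protect-re` and as entries in `show firewall log`, which is the quickest way to confirm whether the filter, rather than the UTM service itself, is the cause. The established-TCP term is deliberately ordered first so that return traffic is admitted before the management term is evaluated; no term here opens any inbound listening port beyond the management term.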
10-02-2010 02:16 PM
Are you referring to Secure Computing's Sidewinder product? The one whose team took 9 months to release a patch so that SMTP would work through their box properly?
No thanks. Never dealing with that product ever again. Had to reboot it all the time to work around issues.