Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  SSG-5 / SSG-20 End of Life announcement

    Posted 07-25-2014 01:44

    So Juniper decided to kill off the entry level ScreenOS devices and offer us the SRX series (with Junos) as a replacement. Does this mean that (in the long run) ScreenOS is on the way out completely and no more development will take place? I personally consider Junos to be far inferior on the usability side compared to ScreenOS. It is a router OS after all, and the firewall / VPN features are just badly screwed on top of it. Can anyone shed some light on the future of ScreenOS?

     



  • 2.  RE: SSG-5 / SSG-20 End of Life announcement

    Posted 07-25-2014 14:17

    I love ScreenOS.  The SSG series solved so many problems for me when I discovered and deployed the solution several years ago.  And I really jumped in with both feet to master the platform.  They are a real workhorse and elegant in many ways.

     

    But realistically, ScreenOS has been on the path to EOL since the purchase.  The intent all along was to migrate the features of ScreenOS into the Junos hierarchical system.  This announcement starts that process for the lowest end devices ending sale next year and support in 2020.

     

    https://www.juniper.net/support/eol/ns_hw.html

     

    On these products for me the biggest missing feature is an SRX100 with integrated wireless.  This will likely never happen.  There are clearly features still making their way into full production on the Junos side but for the most part I think the transition is complete.  The management web interface continues to improve.

     

    Junos has brought some serious benefits to both capacity and routing for the firewall platform over ScreenOS.

     

    On the data center side for me the biggest missing feature is a true replacement for vsys at scale.  This is supported to 250 per physical device in ScreenOS and only 32 in Junos.  I understand this is also under development.



  • 3.  RE: SSG-5 / SSG-20 End of Life announcement

    Posted 07-28-2014 07:53

    Under the hood Junos is clearly the winner compared to ScreenOS, but I find the Web management UI(s) to be absolutely atrocious. A ScreenOS admin does 99% of all configuration on the WebUI. In Junos, maybe 50% are possible because the UI just sucks so bad:

    - Firewall rules have no policy ID, sorting those rules is a guessing game. How am I supposed to build a reliable firewall ruleset based on such a foundation?

    - The WebUI is awfully slow and the "commit" function only works reliably every other day. Besides, it is just incomplete and cluttered way worse than ScreenOS (which is no hero in this department either).

    - Things that were quite simple in ScreenOS (DNAT, for example) take 10x the amount of commands in Junos, and then it doesn't even work as described in the manual. I want a change for the better, not the worse (and way more complex).

     

    And before anybody jumps on the "nobody uses the WebUI to configure such a device" train, keep in mind: in ScreenOS, you DO use the WebUI, because you barely need the console. And it is 2014, not 1994. A decent, working Web UI for such a high end piece of hardware/software can't be treated like "addon" functionality, it has to be core functionality that just works. Like in ScreenOS, which had this since day one and it worked. And much of the competition also has way better WebUIs.

     

    We will have to look for alternatives for ourselves and our customers in the future, because unfortunately Junos is not the solution but just a new problem. It is just not a good fit for an entry level firewall.