SRX Services Gateway
SRX Services Gateway

Moving to SRX from SSG

[ Edited ]
‎06-19-2018 01:58 AM

Hi All,


We've had great service from our SSG's and now want to replace them - it's overdue.  We've made use of 2 x SSG140s in our head-office (active-passive HA) and single SSG20s in remote offices.  Our needs are pretty simple - decent firewall and good policies, a handful of VPNs, OSPF and RIP, good bandwidth control and shaping, plus only need to operate one remote office these days;  I've kind of settled on SRX340s and SRX320s - they seem to be postioned similarly to where our SSGs sat in the family and are within our budget.  We want to run two devices at both sites to achieve the same sort of HA.


As the boxes have just sat there for many years doing a great job we've become very rusty when it comes to where the latest Juniper devices are.  I've tried to trawl the internet for some answers to a couple of queries but have struggled to find info so wondered if anyone can advise at all?


1 - We run dedicated cloud email and web filtering solutions (Mimecast and Symantec Web Security service, itself a VPN from the SSGs) as well as Symantec Endpoint Protection for on-device security.  Bearing that in mind we are really looking at these devices to offer really good firewalling functionality - are they overkill if we don't use any sort of UTM features?  What are people's opinion of quality of firewall on these devices?

2 - Is the 300 series relatively new?  I haven't come across any EOL information to say they are going away any time soon (vs. the 200 series which looks to be EOL in a couple of years).

3 - We'd ideally like to somehow manage the firewall's outgoing policies across both sites centrally to save manually keeping complex rules (like bypassing the web filtering for Office 365 services) in sync.  Are there any tools or software from Juniper to help with this?

4 - One bugbear of ScreenOS is that we've never been able to use wildcard hostnames for firewall rule address book entries (again a real pig for Office 365).  Is that offered on the SRX's?  How to others manage this challenge?

5 - Our SSG's have operated brilliantly and have been very reliable.  For those who have moved from them to SRX can you say the same?

6 - The Enhanced Junos software only appears appears to offer Application Security (AppID, AppFW, AppQOS and AppRoute) features over base - is everything else equivilant across the software?  I'm struggling to find decent documentation on the App security features; can anyone point me in the right direction?  Would we benefit from these features bearing in mind our web filtering software?

7 - I'm finding the software licensing confusing.  I get that these are sold as a hardware first with a seperation from the software point-of-view (to aid hardware portability I believe).  I'm looking at the SRX340-SYS-JB part (unless Enhanced proves useful) and similar for the SRX320.  Would the -JB parts include the cost of software?  What ongoing support/licensing packages would we need to ensure ongoing use of the software and provide access future software updates?

8 - Broad, but is there anything that the SRX's don't do that the SSG's did well?


Apologies for length but if there's anything anyone could advise it would be really appreicated.


EDIT - I've also read some opinions that the IPS features on the SRX are pretty poor - can anyone provide some experience?



SRX Services Gateway

Re: Moving to SRX from SSG

‎06-19-2018 03:17 AM

I can contribute to a few of these.  But I use the SRX as a basic firewall and packet mode MPLS so don't have any experience with the rest.


1- The additional licensed features like IDP or web browsing are completely optional and not connected to the main functionality.  So you can skip them.


2- yes the 300 series is only a couple years old has a hardware upgrade with newer faster chips and speeds replacing the 200 series. 


3- central mgmt is via the Junos Space Security Directory platform.  This can be either a VM or hardware appliance.


4- same problem with wild cards on the SRX for standard firewall rules.  But there is a application firewall license to have application based rules applied and with these you can the permit office 365 as an applicaiton instead of managing ip address rules.  This starts to get into the licensed features I haven't used outside a lab.



Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)