Quite often, I teach courses on Junos. As I’m sure Juniper blog readers are well aware, Junos has the most powerful CLI an engineer can wish for. So when (and it happens during nearly every course) the question pops up, “Should we use CLI or GUI to configure the device?,” I’ve grown accustomed to giving my standard answer, “Real men don’t click.”
Sure, there have always been exceptions for specific tasks like configuring lots of policies on a SRX. Or, back when ScreenOS was the thing, it was okay to click for policies and VPN, but not on an SRX. I guess this is why, now, I’ve had to muster some courage to write this blog . . . and acknowledge that I may have been wrong.
My change of heart grew slowly over the last year. It started with the new, useful, and workable versions of Junos Space and its applications coming out. The more I looked into Space, the more I got over my “NSM and Junos” trauma. One of the past disadvantages of the SRX Series is disappearing—as central management is now possible in a nice way. Add to that the new pricing strategy (Junos Space/Security Director/Network Director are now affordable, even for smaller end users), and you’re there. The time to click is coming.
I recently started working on a project where an enterprise with two data centers—one in London and the other in Amsterdam—saw the light and decided to buy SRX 1400s. The London data center is the active one; Amsterdam is the backup. The policies on the two 1400 clusters should be synchronized. While the network engineer in charge of the SRXs would be very pleased to hand over some of the more standard policy maintenance task to the helpdesk, the helpdesk people have to work with lots of different devices from many vendorsand that’s just not feasible at this time.
My first suggestion had been to replace everything with Juniper. Unfortunately, and for reasons still unclear to me, they opted to stick with Cisco/HP switching. That’s when I started talking about Space and Security Designer. Since this company already uses VMware infrastructure, setting up a demo with Space was rather easy. It took them no time at all to decide to buy a license.
I do still believe you need to understand the CLI and the concepts of policies and VPNs when you are responsible for the administration of the device. But using Security Director can make your life easier, especially when dealing with larger numbers of devices and VPN connections. Using one set of address objects certainly reduces the possibility of mistakes in this area due to outdated objects on a device. Applying templates might make it way easier to add new devices with consistent configuration.
While we’re not all the way there yet with Space, I’m seeing progress. Logging and reporting, which are still separated from management, are being addressed, and I hope a link between log entries and policies will be made soon. It’d be nice to able to click on a log entry and switch to the policy that’s responsible for this entry. And I’d also like to have some reports on application tracking and firewalling . . . so we will see.
What’s more, and in addition to all this on security, I recently read some things about SDN and Contrail. It looks like the CLI will also get lots of competition in infrastructure as well. Junos Space might have to be renamed to JCCP soon–for Junos Central Clicking Point. In the meanwhile, it’s looking like I have to find another slogan in CLI/GUI discussions. Suggestions are welcome!