
Mailing List Archive: NANOG: users

Juniper firewalls - SSG or SRX

 

 



jnegro at billtrust

Apr 19, 2010, 5:32 PM

Post #1 of 13 (2371 views)
Juniper firewalls - SSG or SRX

Has anyone on Nanog had any hands on experience with the lower end of the
new SRX series Junipers? We're looking to purchase two new firewalls, and
I'm debating going with SSG series or to make the jump to the SRX line. Any
input, especially about the learning curve jumping from ScreenOS to JunOS
would be greatly appreciated. Thank you in advance.

Jeffrey


mehmet at icann

Apr 19, 2010, 6:48 PM

Post #2 of 13 (2321 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

SRX seems very new and many comment it as unstable, this includes some of
Juniper engineers I know in person. SSG though is phasing out. 8 months ago
while I was looking for these solutions more closely, I had decided to stay
with SSG, which was good for next 3-4 years. However I believe probably SRX
is more reliable now, and moving from ScreenOS to Junos definitely is a
learning curve but something that is worth it in the long term.

Mehmet


On 4/19/10 5:32 PM, "Jeffrey Negro" <jnegro [at] billtrust> wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>
> Jeffrey


pstewart at nexicomgroup

Apr 19, 2010, 6:54 PM

Post #3 of 13 (2319 views)
RE: Juniper firewalls - SSG or SRX [In reply to]

We've had GREAT success with SRX210, SRX240 and SRX650 boxes in the past
3-4 months. There have been some issues I'll admit but they were all
fixed either in service releases or actual JunOS upgrades.

I believe that most of the issues you hear about were in the 9.x JunOS
releases or at least that was my experience...

Paul



-----Original Message-----
From: Mehmet Akcin [mailto:mehmet [at] icann]
Sent: April-19-10 9:48 PM
To: Jeffrey Negro; nanog [at] nanog
Subject: Re: Juniper firewalls - SSG or SRX

SRX seems very new and many comment it as unstable, this includes some of
Juniper engineers I know in person. SSG though is phasing out. 8 months ago
while I was looking for these solutions more closely, I had decided to stay
with SSG, which was good for next 3-4 years. However I believe probably SRX
is more reliable now, and moving from ScreenOS to Junos definitely is a
learning curve but something that is worth it in the long term.

Mehmet


On 4/19/10 5:32 PM, "Jeffrey Negro" <jnegro [at] billtrust> wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>
> Jeffrey


owen at delong

Apr 19, 2010, 8:05 PM

Post #4 of 13 (2315 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

Much.. Go SRX over SSG every time. For anything that doesn't have an
SRX analog, consider the J-series.

SRX/J-Series == JunOS == Good.
SSG Series == ScreenOS == @)#$*#@)$(*!)(@$!@$

Just my $0.02 having dealt extensively with both environments over the
years.

Owen

On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>
> Jeffrey


seph at directionless

Apr 19, 2010, 9:39 PM

Post #5 of 13 (2318 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

I'm with Owen. I have nothing good to say about ScreenOS. In contrast
JunOS has been great.

seph

Owen DeLong <owen [at] delong> writes:

> Much.. Go SRX over SSG every time. For anything that doesn't have an
> SRX analog, consider the J-series.
>
> SRX/J-Series == JunOS == Good.
> SSG Series == ScreenOS == @)#$*#@)$(*!)(@$!@$
>
> Just my $0.02 having dealt extensively with both environments over the
> years.
>
> Owen
>
> On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote:
>
>> Has anyone on Nanog had any hands on experience with the lower end of the
>> new SRX series Junipers? We're looking to purchase two new firewalls, and
>> I'm debating going with SSG series or to make the jump to the SRX line. Any
>> input, especially about the learning curve jumping from ScreenOS to JunOS
>> would be greatly appreciated. Thank you in advance.
>>
>> Jeffrey


nanog at maunier

Apr 20, 2010, 12:54 AM

Post #6 of 13 (2335 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

I prefer Junos to ScreenOS except for one thing:
HA is hell to configure with Junos whereas it's really easy to do it with
ScreenOS, at least last time I tried a couple of months ago.

Anyway, ScreenOS cli really sucks compared to JunOS cli.

Pierre-Yves

2010/4/20 seph <seph [at] directionless>

> I'm with Owen. I have nothing good to say about ScreenOS. In contrast
> JunOS has been great.
>
> seph
>
> Owen DeLong <owen [at] delong> writes:
>
> > Much.. Go SRX over SSG every time. For anything that doesn't have an
> > SRX analog, consider the J-series.
> >
> > SRX/J-Series == JunOS == Good.
> > SSG Series == ScreenOS == @)#$*#@)$(*!)(@$!@$
> >
> > Just my $0.02 having dealt extensively with both environments over the
> > years.
> >
> > Owen
> >
> > On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote:
> >
> >> Has anyone on Nanog had any hands on experience with the lower end of the
> >> new SRX series Junipers? We're looking to purchase two new firewalls, and
> >> I'm debating going with SSG series or to make the jump to the SRX line. Any
> >> input, especially about the learning curve jumping from ScreenOS to JunOS
> >> would be greatly appreciated. Thank you in advance.
> >>
> >> Jeffrey
>
>


jeff.richmond at gmail

Apr 20, 2010, 1:10 AM

Post #7 of 13 (2302 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

Count me in as well. I ditched my personal Netscreens and replaced with SRXs and we have done so as well at my day job. Other than a few quirky things, they are very nice. V6 support is still somewhat limited though, but I am using an SRX210H with ADSL2 PIM as my main router at home and it has been absolutely solid. Using it for both V4 (flow) and V6 (packet) routing, as well as doing a bunch of other things. It replaced my older NS5GT and SSG5. Configuration is so much easier now too. I almost forgot the pain of screenos. Ok, maybe not...

-Jeff

On Apr 19, 2010, at 9:39 PM, seph wrote:

> I'm with Owen. I have nothing good to say about ScreenOS. In contrast
> JunOS has been great.
>
> seph
>
> Owen DeLong <owen [at] delong> writes:
>
>> Much.. Go SRX over SSG every time. For anything that doesn't have an
>> SRX analog, consider the J-series.
>>
>> SRX/J-Series == JunOS == Good.
>> SSG Series == ScreenOS == @)#$*#@)$(*!)(@$!@$
>>
>> Just my $0.02 having dealt extensively with both environments over the
>> years.
>>
>> Owen
>>
>> On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote:
>>
>>> Has anyone on Nanog had any hands on experience with the lower end of the
>>> new SRX series Junipers? We're looking to purchase two new firewalls, and
>>> I'm debating going with SSG series or to make the jump to the SRX line. Any
>>> input, especially about the learning curve jumping from ScreenOS to JunOS
>>> would be greatly appreciated. Thank you in advance.
>>>
>>> Jeffrey
>


cian.brennan at redbrick

Apr 20, 2010, 1:11 AM

Post #8 of 13 (2306 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

On Mon, Apr 19, 2010 at 08:32:47PM -0400, Jeffrey Negro wrote:
> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>
Depends. SRXes are (in my experience) still quite a bit away from stable. We've
had far more crashes than I'd like with them, without doing anything
particularly strange. SSGs on the other hand are a horrible pain to admin, but
(again, ime) seem stable as a rock. I assume SRXes will get better given time,
so the question is can you afford the instability for the moment?

> Jeffrey
>



owen at delong

Apr 20, 2010, 4:18 AM

Post #9 of 13 (2300 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

On Apr 20, 2010, at 1:11 AM, Cian Brennan wrote:

> On Mon, Apr 19, 2010 at 08:32:47PM -0400, Jeffrey Negro wrote:
>> Has anyone on Nanog had any hands on experience with the lower end of the
>> new SRX series Junipers? We're looking to purchase two new firewalls, and
>> I'm debating going with SSG series or to make the jump to the SRX line. Any
>> input, especially about the learning curve jumping from ScreenOS to JunOS
>> would be greatly appreciated. Thank you in advance.
>>
> Depends. SRXes are (in my experience) still quite a bit away from stable. We've
> had far more crashes than I'd like with them, without doing anything
> particularly strange. SSGs on the other hand are a horrible pain to admin, but
> (again, ime) seem stable as a rock. I assume SRXes will get better given time,
> so the question is can you afford the instability for the moment?
>
Interesting. My SRXes have been rock solid since upgrading to 10.0R1.8.

Owen


ras at e-gerbil

Apr 20, 2010, 5:01 AM

Post #10 of 13 (2303 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

On Tue, Apr 20, 2010 at 04:18:11AM -0700, Owen DeLong wrote:
>
> Interesting. My SRXes have been rock solid since upgrading to
> 10.0R1.8.

Not so much here. My basement SRX210 starts dropping bgp sessions over
an IPSEC tunnel every 30 secs or so after around 1-1.5 days of uptime,
and won't stop until you restart rpd (which buys you another day or so
of functioning bgp). And about 1 out of every 4 times you do restart
rpd, dhcpd will spin at 100% cpu until you restart that too. Even
10.1S1.3 doesn't help these issues. It's a nice box in theory, and it
has lots of potential, but lots and lots of unresolved bugs too. I knew
things were off to a bad start when I tried to downgrade from the 10.0R1
that shipped with the box to 9.6 after my first round of issues, and it
crashed in the middle of the installer, wiping the config in the process
and requiring a tftp boot of new code to recover. :)

--
Richard A Steenbergen <ras [at] e-gerbil> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


jeff.richmond at gmail

Apr 20, 2010, 5:36 AM

Post #11 of 13 (2303 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

I will admit I have the same issue with both my BGP sessions over GRE as well, which is really annoying, but I only use this for remote hopping over to my other lab, not for anything I would ever do in production so I haven't bothered opening a case on it yet. Glad to know I am not the only one though. However, that said, everything else I am doing has been rock solid, so no complaints there.

-Jeff

On Apr 20, 2010, at 5:01 AM, Richard A Steenbergen wrote:

> On Tue, Apr 20, 2010 at 04:18:11AM -0700, Owen DeLong wrote:
>>
>> Interesting. My SRXes have been rock solid since upgrading to
>> 10.0R1.8.
>
> Not so much here. My basement SRX210 starts dropping bgp sessions over
> an IPSEC tunnel every 30 secs or so after around 1-1.5 days of uptime,
> and won't stop until you restart rpd (which buys you another day or so
> of functioning bgp). And about 1 out of every 4 times you do restart
> rpd, dhcpd will spin at 100% cpu until you restart that too. Even
> 10.1S1.3 doesn't help these issues. It's a nice box in theory, and it
> has lots of potential, but lots and lots of unresolved bugs too. I knew
> things were off to a bad start when I tried to downgrade from the 10.0R1
> that shipped with the box to 9.6 after my first round of issues, and it
> crashed in the middle of the installer, wiping the config in the process
> and requiring a tftp boot of new code to recover. :)
>
> --
> Richard A Steenbergen <ras [at] e-gerbil> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>


ken.gilmour at gmail

Apr 20, 2010, 8:15 AM

Post #12 of 13 (2310 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

We are in the process of replacing some SSGs (and NSes) with SRXes. The
biggest issues so far that we've faced are:

1. Although the devices can be used at the core you can't enable
"multifunction" IDP (i.e. you can only enable the filters for HTTP or
Fileserver etc, not all at the same time or the device will crash).
2. The config restore is limited to a small file (I don't know what that is
yet). If you need to restore a big file from SCP or USB key it will fail,
you have to convert the file into commands (a bit like ScreenOS or IPTables)
and then paste them all into CLI which can get messy if you make a typo or
do them in the wrong order.
3. In shell mode the CPU shows pflow using up over 1000% CPU, apparently
this is just an aesthetics problem and it's not actually using up 1000% CPU
(the GUI also shows this but this is also an aesthetics problem).

The advantages are that the CLI has more middle ground between IOS and
ScreenOS, for example:

ScreenOS and JunOS:

set interfaces <name> <setting>

Cisco

interface <name>
<setting>

JunOS

edit interface <name>
set <setting>

The BGP configuration is much more complicated, and in my short experience
with JunOS, less feature rich than OpenBGPd from the OpenBSD crew (although
the syntax is very similar).

Regards,

Ken

On 19 April 2010 18:32, Jeffrey Negro <jnegro [at] billtrust> wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>
> Jeffrey
>


bdflemin at gmail

Apr 21, 2010, 6:51 AM

Post #13 of 13 (2287 views)
Re: Juniper firewalls - SSG or SRX [In reply to]

On Apr 19, 2010, at 7:32 PM, Jeffrey Negro wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>

My general take:
Hardware == Well built and designed, very robust. The only 2
things I'd like to see are: 1) a field-replaceable CF card like the
J-series (bonus points if there's a backup like the J's as well!) and 2)
a 2-port T1 mPIM card.

Software == Not horrible but far from great. We have issues with:
Ethernet switching not functioning correctly, IPv6 not wanting to work
on Enet switched VLANs, IP-IP tunnels acting very "weird", gmd
crashing when trying to commit randomly, and lack of pretty much all
IPv6 security features.

I'd like to see Juniper really focus on getting the "branch" SRX
software up-to-snuff especially in regards to IPv6 security features.
I think they're working pretty hard on it but I haven't seen the
fruits of their labor yet!
