Juniper SRX Series Firewall Reviews

We use it as a perimeter firewall, data center firewall, and as VPN concentrators for some companies. It protects the data behind our switches. Our company provides the switches, like the EX-Series. 

We are an elite partners for Juniper. We use the firewall for data protection.

It has a high security implementation.

It integrates well with Fortinet and Palo Alto.

It uses many applications, like antivirus blocking and web filtering. Also, defining routing on it is very easy along with netting. The high availability of the application is good. We use the IDS and IPsec VPN features.

I would like to see endpoint control and endpoint testing security.

The GUI needs to be easier to handle.

The stability is good.

The scalability is good.

When we face problems, it is a firmware or software update. We call Juniper for support and they have a very good team for technical support. They help us a lot, then we will find the solution in the upgraded version of software of unit. 

I think there was a problem before I came to the company with Cisco and their firewall, so they decided to switch to Juniper.

It is more complex than other vendors, but we have gotten used to it. So, we find it easy to implement and deploy.

It has a low price.

We are also using Fortinet and have a partnership with Palo Alto. In addition, we are looking into a partnership with Citrix.

Cisco and FortiGate were on original shortlist.

They can use the Juniper SRX as a data center firewall. Juniper needs to focus more on their perimeter firewalls.

Our most important criteria is to look for 24-hour support, prices, partnerships, and what they offer to partners. Also, we want to know if the product can function with Juniper.

The Juniper SRX that we have is being used as a firewall. Somehow, it is performing.

The product is a normal router with basic firewall capacity. We don't have a dedicated firewall. Therefore, I don't have high expectations from Juniper. 

It helps us perform our daily jobs.

We are using it as a normal type of firewall.

I would like them to add a dashboard because it's difficult to operate.

The product only has basic features.

The stability is normal.

The scalability is normal.

I haven't used technical support, just local support.

The initial setup was complex.

It is not that expensive.

We are evaluating Palo Alto, Barracuda, and Sophos because we need a Next-Gen firewall.

It crashed, and we could not change it for some reason. I don't want to keep Juniper within my network anymore.

Most important criteria when selecting a vendor: 

• Dedicated support team
• Easy configuration.

Theere has been no change to our organization. We replaced an older Cisco ASA. We intended to use some of the UTM features, but we have not yet. In some cases, it is worse. We can’t do remote access IPsec VPNs for users like we could with the Cisco ASA. Instead, we set up OpenVPN. As the Cisco ASA is the de facto standard, doing a site-to-site IPsec VPN to other companies takes more time (e.g., IKEv2 will not work connecting to Cisco gear because traffic selectors are not supported for IKEv2).

We mostly use the Layer 4 firewall functions: Access rules, NAT, and site-to-site IPsec VPN. We liked that it had additional features and was more modern than the Cisco ASA line.

It needs better interoperability with Cisco gear.

No stability issues.

No issue. We are only a 40 person company and only have 50Mbps of internet bandwidth.

Technical support is good, though we have not really used support much. Juniper has a decent knowledgebase.

Previously, we had a Cisco ASA 5510. It was old and needed to be replaced. We switched because the Cisco ASA is underpowered. If you try to do too many functions, like IDS/IPS, UTM, virus scanning, and Smart Net, support is expensive.

The initial setup is mostly straightforward. We are converting one of our site-to-site VPNs with another company where we have overlapping subnets. This took some doing because the Cisco ASA allowed us to do policy-based NAT and could NAT the same IP subnet two different ways depending on the destination address. We needed to exclude 10 IP addresses out of a 24 subnet from the static NAT rule which was needed to deal with the overlapping subnets and ended up having to do more than 240 individual 32 NAT rules on the Juniper SRX240H2.

Work with a consultant who has good JunOS knowledge if you have a complex setup (we host more than 20 servers for internet access used by over a 1000 users).

Pricing is good. Most of the costs are in the UTM (IDS/IPS, virus scanning, etc.) subscription. Palo Alto was nice, but much more expensive.

We looked at Juniper SRX vs FortiGate and Juniper SRX vs Palo Alto, as well as the newer Cisco ASAs.

During our last network refresh, we did a wholesale forklift upgrade from Cisco to an entire Juniper network infrastructure, including Juniper SRX router/firewall/IDP, EX Series switches, and QFX Series core switches. The entire process took over two years to complete, but once it was completed, we were extremely happy with the Juniper equipment in terms of costs, performance, maintenance, and the ability to function as we needed.

• Once our engineers got their heads wrapped around the nuances of Juniper's CLI (took them about six months) with training (mostly free) and were able to get settled into Junos OS, we never looked back.
• SRX firewalls/IDP functions require similar technical knowledge level as Cisco ASA and are function on par with them. I recommend investing in Juniper Space if you have a significant amount of Juniper equipment to manage. We have three of the larger SRX550s, with one cluster configuration, for edge security devices (firewall/IDPs). We are very happy with them. 
• Not specifically in SRX category, but the 40Gb/10Gb interfaces in the QFX gear are truly wired for speed on all available ports. The virtual EX switch chassis configuration, where up to 10 switching devices can be managed as a single network device, is a solid configuration for us. We use it in three locations and have zero issues with it.

• I am really hesitate to repeat the Juniper sales line of "One Juniper", simply because within different devices, there are differences in the CLI commands used. This has been due to functional and hardware differences. For the vast majority of the Juniper CLI commands, if you learn them for the SRX, they are the same for the EX and QFX series switches. There is little to no differences between the Junos OS versions
• The "candidate configuration" and rollback features are real life savers. They are different from what Cisco does. At a Cisco CLI, when you hit enter, the command is live. Using a Juniper CLI, you configure a "candidate configuration", then "commit" it to bring it live. If you do not like it or messed up something, you just "rollback" to the previous configuration. It can all be done in a matter of minutes. This is super handy once you get use to it.
• Juniper has the "recovery safety feature", so if you perform a "commit confirmed" and the new configuration disconnects you. then there is no "confirmed" command with X mins (default = 10 mins). It automatically reverts (recovers) to the previous configuration. This is handy for when you do not want to make that trip down range just to reboot a router.
  

Third-party support for Juniper is a lot less than Cisco. This is no surprise, but a definite consideration if you are expecting to use a lot of third party support. In my guesstimate, for every 100 Cisco shops, you will find one Juniper shop.

JTAC (Juniper Networks Technical Assistance Center) is just okay for technical assistance.  However, if you are used to Cisco TAC responsiveness, you will need to adjust your expectations with Juniper Networks TAC.

I could normally fix my issue with Cisco on the first or second call, speaking with the first Cisco TAC engineer (Tier 1) that I spoke with. Juniper Networks TAC is just as good, but in my experience, it takes about two to three times longer to get the same results. It is not unusual to require escalation before the issue is resolved. Juniper simply does not have the depth and number of Juniper experts as Cisco. 

We were able to lower our overall operating costs over a three year period by 25%, mostly recovered from maintenance/support costs.

Our primary use is having a virtual appliance vSRX PoC in telco. We tested integration to their Vim, function and performance.

vSRX's performance is best with less resources, such as CPU and memory. It is easy to scale up by attaching more CPU and memory.

vSRX is easy to deploy to any virtual infrastructure, such as OpenStack, VMware, and even Docker (cSRX). It has already been tested with virtual acceleration, such as DPDK, SR-IOV, and PCI-Passthrough.

It could improve areas which need high performance. 

Small enterprises or telco have variant licenses, and this licensing model should be improved.

Thanks to the well-structured and organized security policies, we decreased operations time to create/update/delete our security policies.

Security policies in combination with zones: It is very easy to organize the security polices in a logical structure.

CLI: Junos CLI is very easy to use, and it is also very easy to find back items in the configuration and to change them.

Commit: You can update the whole configuration without affecting the production. The new configuration will be loaded once the command "Commit" is submitted. You can also do a Commit confirmed to automatically roll back to the previous config after X minutes. 

The visibility/reporting could be better. To see something, you have to export the log to a syslog and then process with another product.

We have used it for years without any stability issues.

We haven't encountered scalability issues.

Technical support is pretty good. I would rate it eight out of 10.

I previously used a Netscreen ISG1000 firewall. I switched because the ISG was end-of-life and Netscreen was bought by Juniper.

Initial setup was complex because Junos is totally different than ScreenOS. But with some introductory courses and some googling it becomes much easier.

I’m just the tech, I didn’t take part in the price negotiation. I would say about $20,000 for a SRX650 with IDP licence.

No, we didn't evaluate other options. This was a natural way for us to migrate from ISG to SRX.

Be sure you know what you are looking for. The SRX650 is a perfect product for a small datacenter, not for a branch office where you need lots of visibility.

Implement your structure (zones) first, on paper, before starting to configure it.

The greatest improvement we have seen is in operational performance and operational stability. There are no outages.

• It's a reliable firewall and very stable, for both the hardware and applications it is stable. 
• It's very powerful. 
• It's also a very secure device, it has good attack prevention capabilities using UTM.
• It's user-friendly with a good UI.
• It has powerful CLI.

It's not 100%, it's not a perfect product, some points need to be adjusted, need to be enhanced.

There have been no issues with this product.

It's a very scalable product.

I think they have professional support. Support is really good, they are professional engineers.

Customer support is very good.

I used Cisco, and Palo Alto, and used McAfee. As a consultant, a systems integrator, if customers go to SRX it's because of its features and the stability of the product. It's the most stable product.

It was very straightforward, very clear.

Other than Palo Alto, StrongSoft is very stable. Cisco Firepower is very unstable.

I can say for, that for a datacenter, and for price, first I appreciate Palo Alto and then I appreciate Juniper, more than the others.

Support for Juniper is best, better than Palo Alto, but Palo Alto is more powerful. And there is a big difference in pricing.

• Manipulation of rules
• Flexibility in day-by-day use

Junos is the best OS for networks. It is very powerful and flexible.

The rollback option and Commit Confirmed are great features. They give us the security to change configurations without downtime.

It would be good if Junos had "unique commands" between all hierarchical levels, discarding the use of the "Run" command.

The robustness of Linux on top of Junos can be more effective after power down.

No stability issues.

No scalability issues.

High level of technical support.

We used Fortinet, and changed to Juniper to use Junos.

Easy.

Pricing is very good, not expensive.

We use the SRX1500 with Junos 15.1X49-D75.5. 

I rate the product 10 out of 10. It is very strong and Junos is very powerful. The total throughput is very large.