Juniper SRX Series Firewall Reviews

During our last network refresh, we did a wholesale forklift upgrade from Cisco to an entire Juniper network infrastructure, including Juniper SRX router/firewall/IDP, EX Series switches, and QFX Series core switches. The entire process took over two years to complete, but once it was completed, we were extremely happy with the Juniper equipment in terms of costs, performance, maintenance, and the ability to function as we needed.

• Once our engineers got their heads wrapped around the nuances of Juniper's CLI (took them about six months) with training (mostly free) and were able to get settled into Junos OS, we never looked back.
• SRX firewalls/IDP functions require similar technical knowledge level as Cisco ASA and are function on par with them. I recommend investing in Juniper Space if you have a significant amount of Juniper equipment to manage. We have three of the larger SRX550s, with one cluster configuration, for edge security devices (firewall/IDPs). We are very happy with them. 
• Not specifically in SRX category, but the 40Gb/10Gb interfaces in the QFX gear are truly wired for speed on all available ports. The virtual EX switch chassis configuration, where up to 10 switching devices can be managed as a single network device, is a solid configuration for us. We use it in three locations and have zero issues with it.

• I am really hesitate to repeat the Juniper sales line of "One Juniper", simply because within different devices, there are differences in the CLI commands used. This has been due to functional and hardware differences. For the vast majority of the Juniper CLI commands, if you learn them for the SRX, they are the same for the EX and QFX series switches. There is little to no differences between the Junos OS versions
• The "candidate configuration" and rollback features are real life savers. They are different from what Cisco does. At a Cisco CLI, when you hit enter, the command is live. Using a Juniper CLI, you configure a "candidate configuration", then "commit" it to bring it live. If you do not like it or messed up something, you just "rollback" to the previous configuration. It can all be done in a matter of minutes. This is super handy once you get use to it.
• Juniper has the "recovery safety feature", so if you perform a "commit confirmed" and the new configuration disconnects you. then there is no "confirmed" command with X mins (default = 10 mins). It automatically reverts (recovers) to the previous configuration. This is handy for when you do not want to make that trip down range just to reboot a router.
  

Third-party support for Juniper is a lot less than Cisco. This is no surprise, but a definite consideration if you are expecting to use a lot of third party support. In my guesstimate, for every 100 Cisco shops, you will find one Juniper shop.

JTAC (Juniper Networks Technical Assistance Center) is just okay for technical assistance.  However, if you are used to Cisco TAC responsiveness, you will need to adjust your expectations with Juniper Networks TAC.

I could normally fix my issue with Cisco on the first or second call, speaking with the first Cisco TAC engineer (Tier 1) that I spoke with. Juniper Networks TAC is just as good, but in my experience, it takes about two to three times longer to get the same results. It is not unusual to require escalation before the issue is resolved. Juniper simply does not have the depth and number of Juniper experts as Cisco. 

We were able to lower our overall operating costs over a three year period by 25%, mostly recovered from maintenance/support costs.

Our primary use is having a virtual appliance vSRX PoC in telco. We tested integration to their Vim, function and performance.

vSRX's performance is best with less resources, such as CPU and memory. It is easy to scale up by attaching more CPU and memory.

vSRX is easy to deploy to any virtual infrastructure, such as OpenStack, VMware, and even Docker (cSRX). It has already been tested with virtual acceleration, such as DPDK, SR-IOV, and PCI-Passthrough.

It could improve areas which need high performance. 

Small enterprises or telco have variant licenses, and this licensing model should be improved.

Thanks to the well-structured and organized security policies, we decreased operations time to create/update/delete our security policies.

Security policies in combination with zones: It is very easy to organize the security polices in a logical structure.

CLI: Junos CLI is very easy to use, and it is also very easy to find back items in the configuration and to change them.

Commit: You can update the whole configuration without affecting the production. The new configuration will be loaded once the command "Commit" is submitted. You can also do a Commit confirmed to automatically roll back to the previous config after X minutes. 

The visibility/reporting could be better. To see something, you have to export the log to a syslog and then process with another product.

We have used it for years without any stability issues.

We haven't encountered scalability issues.

Technical support is pretty good. I would rate it eight out of 10.

I previously used a Netscreen ISG1000 firewall. I switched because the ISG was end-of-life and Netscreen was bought by Juniper.

Initial setup was complex because Junos is totally different than ScreenOS. But with some introductory courses and some googling it becomes much easier.

I’m just the tech, I didn’t take part in the price negotiation. I would say about $20,000 for a SRX650 with IDP licence.

No, we didn't evaluate other options. This was a natural way for us to migrate from ISG to SRX.

Be sure you know what you are looking for. The SRX650 is a perfect product for a small datacenter, not for a branch office where you need lots of visibility.

Implement your structure (zones) first, on paper, before starting to configure it.

The greatest improvement we have seen is in operational performance and operational stability. There are no outages.

• It's a reliable firewall and very stable, for both the hardware and applications it is stable. 
• It's very powerful. 
• It's also a very secure device, it has good attack prevention capabilities using UTM.
• It's user-friendly with a good UI.
• It has powerful CLI.

It's not 100%, it's not a perfect product, some points need to be adjusted, need to be enhanced.

There have been no issues with this product.

It's a very scalable product.

I think they have professional support. Support is really good, they are professional engineers.

Customer support is very good.

I used Cisco, and Palo Alto, and used McAfee. As a consultant, a systems integrator, if customers go to SRX it's because of its features and the stability of the product. It's the most stable product.

It was very straightforward, very clear.

Other than Palo Alto, StrongSoft is very stable. Cisco Firepower is very unstable.

I can say for, that for a datacenter, and for price, first I appreciate Palo Alto and then I appreciate Juniper, more than the others.

Support for Juniper is best, better than Palo Alto, but Palo Alto is more powerful. And there is a big difference in pricing.

• Manipulation of rules
• Flexibility in day-by-day use

Junos is the best OS for networks. It is very powerful and flexible.

The rollback option and Commit Confirmed are great features. They give us the security to change configurations without downtime.

It would be good if Junos had "unique commands" between all hierarchical levels, discarding the use of the "Run" command.

The robustness of Linux on top of Junos can be more effective after power down.

No stability issues.

No scalability issues.

High level of technical support.

We used Fortinet, and changed to Juniper to use Junos.

Easy.

Pricing is very good, not expensive.

We use the SRX1500 with Junos 15.1X49-D75.5. 

I rate the product 10 out of 10. It is very strong and Junos is very powerful. The total throughput is very large.

One solution is data center Firewall and also we use this solution for protection our service GI + Triple Play

It provides good routing and high performance of the data center. It solves protecting our datacenter, separate networks and protect data center with FW policies + DPI

The routing feature is most valuable, because SRX is the best enterprise router. SRX has complete MPLS service features with L3VPN, VPLS, EVPN. You can also combine Router and FW in one box, with selective packet filter to bypass flow engine and set traffic to packet mode.

Web management needs to improve. The web interface on Juniper SRX is just a short conversion from Junos OS CLI; this is not very suitable for users with little expertise.

But Juniper has complete MGMT for managing SRX devices and other Juniper devices. it' s called Junos Space with APP security director for security devices. It's good, but there is space for improvment.

There were some stability issues.

There are not many scalability issues experienced.

I would give the technical support an eight out of 10 rating.

Previously, we were using the old Juniper ScreenOS, we switched due to end-of-support. I have also expertise with Cisco ASA, Cisco Firepower, Checkpoint R80.10, Dell Sonicwall, Fortinet.

The setup was very complex, e.g., if you are beginner.

We implement is by our self with team in-house.

The prices are very good as compared to other vendors.

We looked at Cisco, FortiGate, Palo Alto

It is a very good router with firewall.

Valuable features for us include:

• Routing: When firewalls can also perform full routing functionality, it helps to save cost on dedicated routing hardware.
• High Availability (clustering): This is important to ensure service availability in the event of a node failure. These firewalls in HA mode consist of a primary and backup node, and provide redundancy such that if one of the nodes fails, the other node will take over.
• Deep packet inspection (DPI) capabilities: Juniper SRX firewalls inspect packets as they traverse the firewalls and it goes beyond the traditional five tuples (source IP, destination IP, protocol, source port, and destination port) packet inspection by using the App-ID engine to inspect the protocol to correctly identify applications. It further rate-limits traffic, using the AppQoS features, based on specific types of applications.
• IPSec VPN: This is crucial because it provides secure site to site connectivity between the DC and remote locations. Traffic traversing the secure link is protected from the prying eyes of unauthorized intruders or the man-in-the-middle.

These features are valuable because they allow smooth operation of the business from a technology standpoint. Again, this is relative.

There was a business need to provide service high availability and system redundancy in addition to routing and firewalling at the internet edge and the datacenter core.

Having this design has greatly simplified the network and improved operational efficiency of support staffs.

The GUI needs improving.

We have been using the solution for seven years, providing design, implementation, support, and optimization.

We had a stability issue. Just like any other vendor, there are code stability issues on some of the platforms. However, there is always a recommended code version for each platform.

We did not encounter issues with scalability, but this depends on the environment. The DC class firewalls can scale vertically or horizontally.

They provide an awesome technical support.

We used Cisco and CheckPoint. Routing functionality and advanced security services were limited.

The setup was straightforward and simple once you understand the building blocks of Junos and firewalls.

Pricing and licensing are very reasonable.

We evaluated Palo Alto and Fortinet.

This product will offer maximum performance and capacity.

It is extremely reliable depending on the business need. It supports full routing functionality and advanced security services like Application Security, Unified Threat Management (UTM), IPS, and threat intelligence.

Advanced security services require a license.

Stateful inspection , IPSEC and NAT as per our customers' design. The boxes are used as SecGW, Gi and SGi Firewall, those are the features usually needed in 3G/4G context.

It improved in term of security.

Clustering fab interface doesn't support bandwidth aggregation. This limitation caused a huge design change in our network.

I've used the solution for eight years.

Yes, some bugs in module restart and cluster failover, but without outage.

Yes, fab interface doesn't support bandwidth aggregation

9 out of 10.

No, we didn't.

Not complex.

We didn’t use any other solutions so I can’t compare this to others.

No.

We are satisfied with its stability , but we don’t advise others to implement a cluster design other than Active/Passive.