Juniper SRX Series Firewall Reviews

Our primary use case is for MPBN, where we provide a firewall for our mobile data customers. As an ISP, we protect the 2G, 3G, and 4G customers.

The most valuable feature is the virtualization because it can be used for customers who are using the mobile data network to request a private connection to a remote site.

There are also standard security features such as NTP groups and firewalling features and these are also good. 

The Juniper product has to improve in terms of innovation.

It only has standard reports, such as memory capacity and data traffic. By comparison, the Check Point solution comes with great reports. Check Point tracks the logs, then analyses the logs and can tell you when you are under attack. Then, you can prevent it. With Juniper today, what you have in terms of log analysis is not so good. I think that they have another solution for this, but it is not embedded, and you have to purchase it separately.

Since we have deployed, there have been maybe two or three minor issues. Our local support helped us to clear these.

I cannot really tell if it is scalable because we are managing twenty gigabytes of traffic on the node. They say that it can scale up to almost one terabyte, but we don't have the capacity so I can't really tell.

This solution is used for all of our mobile customers, which is approximately twelve million. All of our 4G customers use it. This includes standard users who want internet access on their phone, as well as those who want a VPN connected to a private server.

I would rate their support seven out of ten.

The technical support directly from Juniper is too expensive, so we receive support from our local reseller instead. This can take between one and three hours, which at times is not up to our company standards.

While the Juniper support staff is skilled, is it too expensive, which is why I rate it seven.

At one point we tried to move the mobile data firewall from our Juniper SRX56 to the Cisco ASA 5585. What we found out is that Cisco was not performing well at all. I was very disappointed by the Cisco solution. There were more issues for the same amount of traffic. With Juniper, you just have to upgrade to handle additional clients, but when we tried with Cisco, definitely the result was not good at all.

The initial setup was straightforward, especially compared to that of Cisco. It was very simple with the help of our local provider.

From the design phase up to the implementation stage took approximately one month per site. This included the time to validate the design documents and then validate and approve the changes. We needed to slot a window of time for the change, consider whether there is any impact on the customer, and then monitor what happens during the change. For both of our sites, it took approximately three months.

For the design and clarification, we had one person for four nodes. In terms of operations, we have two engineers.

Our local provider assisted us with the implementation of the final solution. In Cameroon, we had Erikson, and they knew what they had to do so it was really straightforward.

While the price of support is expensive, the price of the solution, itself, is not.

The problem came about when we tried switching to Cisco and discontinued our support. In order to subscribe again later, we had to pay a reinstatement fee. We found out that if you have not used the product for a certain period of time, you have to pay for this period before paying for a new year of support. Say, for example, that you don't pay for support for one year. That year must be paid for, first, before getting support. That is why I am saying that support is expensive, in my opinion.

We did not evaluate vendors other than Juniper and Cisco because in the enterprise we have a set of approved vendors for each sector and these are two only two in this group.

My advice is to make sure that you have local support because it is very important. Juniper does have some good options in terms of support.

This is not a perfect solution because I think that there is still room for improvement, but I think it is the best solution that I have tested for MBPN.

I would rate this solution an eight and a half out of ten. 

The primary use case is a combination of a firewall, router, and VPN termination device.

It allows us to do remote configuration changes, and if there is a problem, not losing connectivity to the device.

I really like the Juniper operating system. It is more of a UNIX based system, more than Cisco, and I really like it. There is a lot of flexibility in how you can commit, check, and back out of a configuration.

In terms of improvement, it could use more on the security side. It's a good stable firewall, but it's nowhere near what it needs to be for a next-generation type firewall. 

They also need to improve their documentation. With Cisco, you can find lots of examples, but with Juniper, it is not always the case. One area that needs more focus is instruction on how to interoperate with other vendor's products. I would like to see documentation on running IPsec tables between Fortinet and Juniper or Cisco and Juniper because the information is not there.

Their technical support also needs improvement, as they are lagging behind Cisco.

This is a very, very stable solution. Again, their operating system is outstanding. Really, this is what differentiates it.

In terms of scalability, it clusters nicely so you can put it into a stacked mode. The size that it is meant to serve, it does very well. It is not meant as a large enterprise-type firewall. Rather, it is meant for a small to medium sized customer.

We currently have about seventy-five users, and we don't plan to increase that number at this time.

I would say that their technical support is ok, but it needs improvement. This is an area where they are not as good as Cisco.

We migrated to this solution from a Cisco ASA (Adaptive Security Appliance).

Transitioning from the Cisco ASA that we had running took about two hours of planning and another two hours of execution time.

In terms of the maintenance, myself and one other person take care of everything. We take on small contracts all over the place.

I handled the implementation for this solution myself.

The pricing is perhaps half to around forty percent of Cisco. 

Juniper is my favorite and I had used it so much that we did not evaluate any other products.

This solution is really nice to use. It's very similar in terms of capabilities to a Cisco, but it's just that the operating system is so much nicer to use.

I would say that you need some time to get comfortable with the operating system if you've never used it before, but don't let that scare you. Buy it and put it on your desk for a week, then play with it. If you've got a live environment or if you've got some type of simulation you can set it up in, it won't take long and you can feel comfortable using it.  

I would rate this product an eight and a half out of ten.

Our primary use case is consultation and deployment of the solution. We operate as a Juniper Elite Partner. Our customers, large enterprises, want to prevent network failure and downtime.

Improvements can be made to the GUI. The GUI can be improved by creating policies to handle IPS requirements. The configuration should be a one-step process. This would make it easier to complete the setup to register the time of operation.

Yes, it's very stable.

It's scalable. Juniper Select has a solution to boot in high availability technology. We use the Juniper Select from low-end and high-end. In my position as a Senior Network Security Engineer, I handle the high-end suite of Juniper Select 5K.

Currently, the solution is being used every day. We have plans to increase usage in the future.

Technical support is good. They seem to understand our customer's requirements. When they troubleshoot or support our customers, they seem to know what they are doing. They seem to be very helpful. But customers need support right away, and this has been an issue. It can take two to three days to get help some times just because of the volume of ticket request. 

Previously we used a CISCO ASA solution. But in the last three years, we switched to the Juniper solution because Juniper has a competitive price per feature.

The initial setup was complex. It took a group of five, engineers and architects, to get it up and running within 24-hours. And it takes a group of five, engineers and IT experts, to operate and maintain

Licensing which covers maintenance is on an annual basis. Our customers are on one-year contracts. There are additional cost above and beyond the standard licensing fees.

Before choosing Juniper, we evaluated a Fortinet solution because Fortinet has a competitive price. It's also effortless for our engineers to operate and maintain. They can understand and complete tasks quickly. 

Further advice regarding this solution is that anyone planning to implement this product should understand the Juniper suite. They should understand the firewall concept, Juniper configuration, and the command line. They need previous experience with Juniper products. 

On a scale from one to ten, one being the worst and ten being the best I'd give Juniper SRX an overall rating of eight because of its' competitive price. But it's a very complex product compared with other similar products.

We are using this solution mainly for the NPCs and the firewall of the mobile data customers. We are using it to protect the ISP of the mobile data customers: 2G, 3G, and 4G customers. 

In terms of features, we are using Source NAT. 

The virtualization feature: Sometimes customers are requesting a private connection using mobile data when they are connecting to remote sites. 

The Juniper SRX product needs to improve in terms of innovation. E.g., Checkpoint comes with a monitoring solution embedded in its product, as well as providing good reports. Checkpoint also does analysis by tracking the logs and letting you know when you are under attack. What Juniper has today in comparison is not so good.

Juniper only has limited reports, such as memory, capacity, data, and traffic.

Since we have deployed the product, we have had two or three minor issues.

We have something like 12 million customers (mobile data customers).

Sometimes, it is difficult to contact the Juniper support because we did not purchase the support package, as it was too expensive. We are using a local reseller instead. Sometimes, when we have had issues, it can take one to three hours for resolution, which is not good at all based on our company standard. However, once we have the right thing connected on the device, then it's very fast.

I would rate the technical support as a seven out of ten. The support is skilled, but the cost is expensive.

We previously used Cisco ASA. The results were not good.

The initial setup is straightforward. We had the help of the local provider. So, it was very straightforward. 

Even now, when I compare the initial setup to Cisco, the implementation of Juniper SRX is very simple.

To finish the implementation, we had the help of the local provider, Ericsson.

From the design phase up to the implementation phase, it took more than one month per site. The time to validate the design documents and change, then doing those changes, approve those changes and implementing them. Because we have two sites, it was somewhere around three months.

After the acquisition phase, we discussed the plan and the design document. We did the architecture and design document with the vendor. Before going into the implementation phase, we have to validate all our documents for the high-level and low-level designs. The operational teams are also validating these documents.

Once we have all those documents validated, we request the approval for change. We have a committee who analyzes the documentation. We analyze the work that we are planning to do and validate the changes for a specific time.

We need to look if there any impact on the customer side, do we need to present it to the customer before making the change, and what is the plan for monitoring after the change?

The direct support with Juniper is expensive. When you stop using the solution and miss one year of payments, if you want the support back on a specific node, they ask you to pay for the year that you haven't used the node.

We tried to move our mobile data firewall from Juniper SRX to Cisco ASA. What we found was that Cisco did not performing well at all. We were very disappointed by the Cisco solution. With the Cisco solution, we had more memory issues with the same amount of traffic. With Juniper SRX, it just needs an upgrade to carry the traffic.

We have approved vendors in every industry. We cannot deviate and chose any vendor that we want. We can only select vendors from our approved list. The two vendors on that list for this industry include Cisco and Juniper, though recently Huawei was added.

Make sure to have skilled local support.

We are planning to move to the bigger version of Juniper SRX later this year (SRX5800). We are also planning to move to IPv6.

Juniper SRX is solely used as a firewall gateway. We use it only for interfacing with the internet and for server farms, as a data center firewall gateway.

Most of our clients use it as a traditional firewall, blocking Layer 3 and Layer 4, blocking by transport.

We also use firewalls from FortiGate and Palo Alto and they're built with technology to make them next-generation firewalls. Juniper utilizes a router OS and includes enhancements to make it a firewall. But FortiGate and Palo Alto are full-on firewalls because they are built from scratch with features which are specific to firewalls. 

Juniper needs to enhance the solution so that it is more powerful. They need to update the administrative tools to create an easier admin experience. An average administrator would find it easier to configure if they could use https rather than the command line interface to do so.

In addition, it would be more powerful if Juniper brought out a security product other than firewalls, like anti-spam, endpoint protection, etc. Customers who want to deploy security solutions are not just thinking about firewalls. They're thinking about security across their environment. If Juniper could give me a security solution, beyond the firewall, that integrates with the firewall, that would be helpful. Other products have built a security fabric. So if a customer already uses one of their solutions, like a firewall, they will be thinking about integrating with that vendor's other products. If there is more than just a firewall solution, they will use that same vendor's products throughout the security environment. A security fabric is more powerful than just blocking via network parameters.

Juniper should have an end-to-end solution, from the endpoint to the network level. It would provide a more powerful security solution to the customer. Customers are looking for a holistic security solution.

For one to three years it's stable.

If users want to scale up the firewall, they basically want the cheapest firewall that gives them powerful features. Most users choose FortiGate rather than Juniper. Technically, Juniper's scalability is good. But when customers look at the overall price, FortiGate will come out cheaper than Palo Alto or Juniper.

The technical support is good. The engineers help support our customers day-to-day.

The setup depends on the deployment, on what we have to configure. But from one firewall to another firewall, it's about the same. They're not really complex. We have experience using the command line and the user interface. If you ask me which one is easier to configure, I will answer that configuring through the user interface is easier.

The amount of time the deployment takes depends on the complexity of the solution. If the firewall is used as an L3 firewall or L4 firewall, for blocking by IP address and, it's going to be faster to deploy than deploying the firewall using Unified Threat Management. In that case, we need to carefully tune the VPN configuration.

The time for one of our customers to achieve ROI depends on the scalability of the product. It also depends on the type of organization. If it's a hospitality or government organization, it will take them more time to achieve ROI than an internet service provider, where using this product is in line with their business objectives.

In terms of pricing, Juniper is in the middle. The most expensive firewall is Palo Alto. If a customer wants the cheapest price they should go for FortiGate. Juniper is in between these products.

From experience, we like to use firewalls from Palo Alto and FortiGate because the solution is easy to configure with a UI to execute the app. If we use Juniper firewalls, we don't really use the UI because it is not as easy as the command line interface for configuration.

The VPN is different between Juniper and Palo Alto. As far as I know, Juniper does packet inspection in their VPN. Functions like anti-spam and antivirus are running step-by-step. Once the anti-spam processing is done, it goes on to antivirus scanning. But with Palo Alto, the technology is different. It copies each packet to each function. For example, if we activate anti-spam, antivirus, and another check, Palo Alto makes three copies of each packet and inspects them in parallel. This makes the system faster, compared to Juniper. This is the biggest difference as far as I know.

Juniper is good at the routing protocol. If you want a solution to protect your environment from the internet, I would propose a firewall gateway solution but ultimately it depends on what the customer needs.

We are partnered with Juniper, so if customers ask for a firewall solution, the first solution that we pick is generally a Juniper firewall. If a customer wants a firewall other than Juniper, we offer it. Usually, we will do a firewall like FortiGate or Palo Alto, if the customer has enough money, as Palo Alto is very expensive.

The primary use case is for protecting enterprise systems.

It allows users connecting from homes, who urgently need to log into the networks through a secure tunnel without using internet IP gateway, access using a SSL.

• It is highly scalable, stable, and can be easily updated.
• It protects from distributed denial-of-service attacks, DDoS attacks, with Screen Options.
• When you design your networks, you can put SSL Inspection as a gateway to make the systems secured, like IT systems.

The GUI needs to be easier and more helpful for users who don't have security experience.

They need to add WAF management to the tool, as competitors already have it as part of their offerings. This feature is future of protecting enterprise solutions.

It is very stable, but it needs an engineer on the system while it is running to monitor for attacks and when attacks are in process.

It is easy to expand.

The technical support is good, but there is a time delay between the support and attacks.

The initial setup was straightforward, but has since become straightforward with experience.

For example, with MX (not SRX), it needs to be specific when you export or import the subnetting or addresses that you want to block or filter out of your networks. This is why it is a complex process the first time and becomes subsequently easier

You have to be aware of Linux commands, which will make you able to use this device, like exporting file, saving file, monitoring your logs, and making a new script.

Firewall for a lab environment.

Before, we were handling everything with a Vyatta server until our network became more complex.

Stability.

The device could be more user-friendly.

It is a basic firewall that we have been using for six years. It is a  good solution.

The most valuable feature is the brand itself. From a protection perspective, it provides a network perimeter security function for our company. 

We are finding that the UTM features which is required (like an antivirus or URL filtering) are not available.  We are now looking for the "Next Generation" of firewall protection. We need to be less vulnerable to attacks. 

In addition, we would really like to see an automated policy feature added.