Re: Juniper firewalls - SSG or SRX
On Apr 19, 2010, at 7:32 PM, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. My general take: Hardware == Well built and designed, very robust. The only thing 2 things I'd like to see are: 1) a field-replaceable CF card like the J- series (bonus points if there's a backup like the J's as well!) and 2) a 2-port T1 mPIM card. Software == Not horrible but far from great. We have issues with: Ethernet switching not functioning correctly, IPv6 not wanting to work on Enet switched VLANs, IP-IP tunnels acting very weird, gmd crashing when trying to commit randomly, and lack of pretty much all IPv6 security features. I'd like to see Juniper really focus on getting the branch SRX software up-to-snuff especially in regards to IPv6 security features. I think they're working pretty hard on it but I haven't seen the fruits of their labor yet!
Re: Juniper firewalls - SSG or SRX
I prefer Junos as screenOS except for one thing : HA is a hell to configure with Junos whereas it's really easy to do it with screenOS, at least last time I tried a couple of months ago. Anyway, ScreenOS cli really sucks compared to JunOS cli. Pierre-Yves 2010/4/20 seph s...@directionless.org I'm with Owen. I have nothing good to say about ScreenOS. In contrast JunOS has been great. seph Owen DeLong o...@delong.com writes: Much.. Go SRX over SSG every time. For anything that doesn't have an SRX analog, consider the J-series. SRX/J-Series == JunOS == Good. SSG Series == ScreenOS == @)#$*#@)$(*!)(@$...@$ Just my $0.02 having dealt extensively with both environments over the years. Owen On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
Re: Juniper firewalls - SSG or SRX
Count me in as well. I ditched my personal Netscreens and replaced with SRXs and we have done so as well at my day job. Other than a few quirky things, they are very nice. V6 support is still somewhat limited though, but I am using an SRX210H with ADSL2 PIM as my main router at home and it has been absolutely solid. Using it for both V4 (flow) and V6 (packet) routing, as well as doing a bunch of other things. It replaced my older NS5GT and SSG5. Configuration is so much easier now too. I almost forgot the pain of screenos. Ok, maybe not... -Jeff On Apr 19, 2010, at 9:39 PM, seph wrote: I'm with Owen. I have nothing good to say about ScreenOS. In contrast JunOS has been great. seph Owen DeLong o...@delong.com writes: Much.. Go SRX over SSG every time. For anything that doesn't have an SRX analog, consider the J-series. SRX/J-Series == JunOS == Good. SSG Series == ScreenOS == @)#$*#@)$(*!)(@$...@$ Just my $0.02 having dealt extensively with both environments over the years. Owen On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
Re: Juniper firewalls - SSG or SRX
On Mon, Apr 19, 2010 at 08:32:47PM -0400, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Depends. SRXes are (in my experience) still quite a bit away from stable. We've had far more crashes than I'd like with them, without doing anything particularly strange. SSGs on the other hand are a horrible pain to admin, but (again, ime) seem stable as a rock. I assume SRXes will get betters given time, so the question is can you afford the instability for the moment? Jeffrey -- --
Re: Juniper firewalls - SSG or SRX
On Apr 20, 2010, at 1:11 AM, Cian Brennan wrote: On Mon, Apr 19, 2010 at 08:32:47PM -0400, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Depends. SRXes are (in my experience) still quite a bit away from stable. We've had far more crashes than I'd like with them, without doing anything particularly strange. SSGs on the other hand are a horrible pain to admin, but (again, ime) seem stable as a rock. I assume SRXes will get betters given time, so the question is can you afford the instability for the moment? Interesting. My SRXes have been rock solid since upgrading to 10.0R1.8. Owen
Re: Juniper firewalls - SSG or SRX
On Tue, Apr 20, 2010 at 04:18:11AM -0700, Owen DeLong wrote: Interesting. My SRXes have been rock solid since upgrading to 10.0R1.8. Not so much here. My basement SRX210 starts dropping bgp sessions over an IPSEC tunnel every 30 secs or so after around 1-1.5 days of uptime, and won't stop until you restart rpd (which buys you another day or so of functioning bgp). And about 1 out of every 4 times you do restart rpd, dhcpd will spin at 100% cpu until you restart that too. Even 10.1S1.3 doesn't help these issues. It's a nice box in theory, and it has lots of potential, but lots and lots of unresolved bugs too. I knew things were off to a bad start when I tried to downgrade from the 10.0R1 that shipped with the box to 9.6 after my first round of issues, and it crashed in the middle of the installer, wiping the config in the process and requiring a tftp boot of new code to recover. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Juniper firewalls - SSG or SRX
I will admit I have the same issue with a both my BGP sessions over GRE as well, which is really annoying, but I only use this for remote hopping over to my other lab, not for anything I would ever do in production so I haven't bothered opening a case on it yet. Glad to know I am not the only one though. However, that said, everything else I am doing has been rock solid, so no complaints there. -Jeff On Apr 20, 2010, at 5:01 AM, Richard A Steenbergen wrote: On Tue, Apr 20, 2010 at 04:18:11AM -0700, Owen DeLong wrote: Interesting. My SRXes have been rock solid since upgrading to 10.0R1.8. Not so much here. My basement SRX210 starts dropping bgp sessions over an IPSEC tunnel every 30 secs or so after around 1-1.5 days of uptime, and won't stop until you restart rpd (which buys you another day or so of functioning bgp). And about 1 out of every 4 times you do restart rpd, dhcpd will spin at 100% cpu until you restart that too. Even 10.1S1.3 doesn't help these issues. It's a nice box in theory, and it has lots of potential, but lots and lots of unresolved bugs too. I knew things were off to a bad start when I tried to downgrade from the 10.0R1 that shipped with the box to 9.6 after my first round of issues, and it crashed in the middle of the installer, wiping the config in the process and requiring a tftp boot of new code to recover. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Juniper firewalls - SSG or SRX
We are in the process of replacing some SSGs (and NSes) with SRXes. The biggest issues so far that we've faced are: 1. Although the devices can be used at the core you can't enable multifunction IDP (i.e. you can only enable the filters for HTTP or Fileserver etc, not all at the same time or the device will crash). 2. The config restore is limited to a small file (i don't know what that is yet). If you need to restore a big file from SCP or USB key it will fail, you have to convert the file into commands (a bit like ScreenOS or IPTables) and then paste them all into CLI which can get messy if you make a typo or do them in the wrong order. 3. In shell mode the CPU shows pflow using up over 1000% CPU, apparently this is just an aesthetics problem and it's not actually using up 1000% CPU (the GUI also shows this but this is also an aesthetics problem). The advantages are that the CLI has more middle ground between IOS and ScreenOS, for example: ScreenOS and JunOS: set interfaces name setting Cisco interface name setting JunOS edit interface name set setting The BGP configuration is much more complicated, and in my short experience with JunOS, less feature rich than OpenBGPd from the OpenBSD crew (although the syntax is very similar). Regards, Ken On 19 April 2010 18:32, Jeffrey Negro jne...@billtrust.com wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
Juniper firewalls - SSG or SRX
Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
Re: Juniper firewalls - SSG or SRX
SRX seems very new and many comment it as unstable, this includes some of Juniper engineers I know in person. SSG though is phasing out. 8months ago while I was looking for these solutions more closely, I had decided to stay with SSG, which was good for next 3-4 years. However I believe probabyl SRX is more reliable now, and moving from ScreenOS to Junos definitely is a learning curve but something that worth in long term. Mehmet On 4/19/10 5:32 PM, Jeffrey Negro jne...@billtrust.com wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
RE: Juniper firewalls - SSG or SRX
We've had GREAT success with SRX210, SRX240 and SRX650 boxes in the past 3-4 months. There has been some issues I'll admit but they were all fixed either in service releases or actual JunOS upgrades. I believe that most of the issues you hear about were in the 9.x JunOS releases or at least that was my experience... Paul -Original Message- From: Mehmet Akcin [mailto:meh...@icann.org] Sent: April-19-10 9:48 PM To: Jeffrey Negro; nanog@nanog.org Subject: Re: Juniper firewalls - SSG or SRX SRX seems very new and many comment it as unstable, this includes some of Juniper engineers I know in person. SSG though is phasing out. 8months ago while I was looking for these solutions more closely, I had decided to stay with SSG, which was good for next 3-4 years. However I believe probabyl SRX is more reliable now, and moving from ScreenOS to Junos definitely is a learning curve but something that worth in long term. Mehmet On 4/19/10 5:32 PM, Jeffrey Negro jne...@billtrust.com wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
Re: Juniper firewalls - SSG or SRX
Much.. Go SRX over SSG every time. For anything that doesn't have an SRX analog, consider the J-series. SRX/J-Series == JunOS == Good. SSG Series == ScreenOS == @)#$*#@)$(*!)(@$...@$ Just my $0.02 having dealt extensively with both environments over the years. Owen On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
Re: Juniper firewalls - SSG or SRX
I'm with Owen. I have nothing good to say about ScreenOS. In contrast JunOS has been great. seph Owen DeLong o...@delong.com writes: Much.. Go SRX over SSG every time. For anything that doesn't have an SRX analog, consider the J-series. SRX/J-Series == JunOS == Good. SSG Series == ScreenOS == @)#$*#@)$(*!)(@$...@$ Just my $0.02 having dealt extensively with both environments over the years. Owen On Apr 19, 2010, at 5:32 PM, Jeffrey Negro wrote: Has anyone on Nanog had any hands on experience with the lower end of the new SRX series Junipers? We're looking to purchase two new firewalls, and I'm debating going with SSG series or to make the jump to the SRX line. Any input, especially about the learning curve jumping from ScreenOS to JunOS would be greatly appreciated. Thank you in advance. Jeffrey
