Juniper SRX Series Firewall Reviews

During our last network refresh, we did a wholesale forklift upgrade from Cisco to an entire Juniper network infrastructure, including Juniper SRX router/firewall/IDP, EX Series switches, and QFX Series core switches. The entire process took over two years to complete, but once it was completed, we were extremely happy with the Juniper equipment in terms of costs, performance, maintenance, and the ability to function as we needed.

• Once our engineers got their heads wrapped around the nuances of Juniper's CLI (took them about six months) with training (mostly free) and were able to get settled into Junos OS, we never looked back.
• SRX firewalls/IDP functions require similar technical knowledge level as Cisco ASA and are function on par with them. I recommend investing in Juniper Space if you have a significant amount of Juniper equipment to manage. We have three of the larger SRX550s, with one cluster configuration, for edge security devices (firewall/IDPs). We are very happy with them. 
• Not specifically in SRX category, but the 40Gb/10Gb interfaces in the QFX gear are truly wired for speed on all available ports. The virtual EX switch chassis configuration, where up to 10 switching devices can be managed as a single network device, is a solid configuration for us. We use it in three locations and have zero issues with it.

• I am really hesitate to repeat the Juniper sales line of "One Juniper", simply because within different devices, there are differences in the CLI commands used. This has been due to functional and hardware differences. For the vast majority of the Juniper CLI commands, if you learn them for the SRX, they are the same for the EX and QFX series switches. There is little to no differences between the Junos OS versions
• The "candidate configuration" and rollback features are real life savers. They are different from what Cisco does. At a Cisco CLI, when you hit enter, the command is live. Using a Juniper CLI, you configure a "candidate configuration", then "commit" it to bring it live. If you do not like it or messed up something, you just "rollback" to the previous configuration. It can all be done in a matter of minutes. This is super handy once you get use to it.
• Juniper has the "recovery safety feature", so if you perform a "commit confirmed" and the new configuration disconnects you. then there is no "confirmed" command with X mins (default = 10 mins). It automatically reverts (recovers) to the previous configuration. This is handy for when you do not want to make that trip down range just to reboot a router.
  

Third-party support for Juniper is a lot less than Cisco. This is no surprise, but a definite consideration if you are expecting to use a lot of third party support. In my guesstimate, for every 100 Cisco shops, you will find one Juniper shop.

JTAC (Juniper Networks Technical Assistance Center) is just okay for technical assistance.  However, if you are used to Cisco TAC responsiveness, you will need to adjust your expectations with Juniper Networks TAC.

I could normally fix my issue with Cisco on the first or second call, speaking with the first Cisco TAC engineer (Tier 1) that I spoke with. Juniper Networks TAC is just as good, but in my experience, it takes about two to three times longer to get the same results. It is not unusual to require escalation before the issue is resolved. Juniper simply does not have the depth and number of Juniper experts as Cisco. 

We were able to lower our overall operating costs over a three year period by 25%, mostly recovered from maintenance/support costs.

I am a teacher and the solution is used as a router for my students' laboratory exercises. I have the firewall function switched off and the solution operates as a main router for our very limited traffic. 

The solution is stable, inexpensive, and works well for medium size companies.

The solution's configurations and syntax are specific and more complicated than other platforms. Compared to Cisco, the solution is not intuitive. 

I have been using the solution for two years. 

The solution is stable. 

The solution is scalable and I rate it a ten out of ten. 

I have not used support services because I rely on experienced colleagues for answers. 

The solution is quite simple to set up if you spend a few hours learning the syntax. Based on experience level, it can be implemented in a few hours. 

The pricing is very inexpensive which is the main reason I bought the solution. One device costs around 50 EUR through the University's vendor who is modernizing our network. 

I rate this solution a seven out of ten. 

The primary use case is a combination of a firewall, router, and VPN termination device.

It allows us to do remote configuration changes, and if there is a problem, not losing connectivity to the device.

I really like the Juniper operating system. It is more of a UNIX based system, more than Cisco, and I really like it. There is a lot of flexibility in how you can commit, check, and back out of a configuration.

In terms of improvement, it could use more on the security side. It's a good stable firewall, but it's nowhere near what it needs to be for a next-generation type firewall. 

They also need to improve their documentation. With Cisco, you can find lots of examples, but with Juniper, it is not always the case. One area that needs more focus is instruction on how to interoperate with other vendor's products. I would like to see documentation on running IPsec tables between Fortinet and Juniper or Cisco and Juniper because the information is not there.

Their technical support also needs improvement, as they are lagging behind Cisco.

This is a very, very stable solution. Again, their operating system is outstanding. Really, this is what differentiates it.

In terms of scalability, it clusters nicely so you can put it into a stacked mode. The size that it is meant to serve, it does very well. It is not meant as a large enterprise-type firewall. Rather, it is meant for a small to medium sized customer.

We currently have about seventy-five users, and we don't plan to increase that number at this time.

I would say that their technical support is ok, but it needs improvement. This is an area where they are not as good as Cisco.

We migrated to this solution from a Cisco ASA (Adaptive Security Appliance).

Transitioning from the Cisco ASA that we had running took about two hours of planning and another two hours of execution time.

In terms of the maintenance, myself and one other person take care of everything. We take on small contracts all over the place.

I handled the implementation for this solution myself.

The pricing is perhaps half to around forty percent of Cisco. 

Juniper is my favorite and I had used it so much that we did not evaluate any other products.

This solution is really nice to use. It's very similar in terms of capabilities to a Cisco, but it's just that the operating system is so much nicer to use.

I would say that you need some time to get comfortable with the operating system if you've never used it before, but don't let that scare you. Buy it and put it on your desk for a week, then play with it. If you've got a live environment or if you've got some type of simulation you can set it up in, it won't take long and you can feel comfortable using it.  

I would rate this product an eight and a half out of ten.

Our primary use case is security. The performance has been okay. It's a bit of a change from the Ciscos in terms of the configuration syntax, from the CLI perspective. We use it just as a firewall. We don't use it for routing functionality.

The Juniper was a later model, later technology than we had, more horsepower than we had before. The performance is better, but it could have been any firewall in its peer group. The improvement was because our old firewalls were, well, old. So the performance has been an improvement. And the IDS, perhaps, is a little better than what the older firewalls had.

I'm not sure what the most valuable features are. I'm not really that impressed with the technical support. I'm not really that impressed with the product, to be honest with you. Throughput seems to be okay.

The CLI is verbose. You have to say a lot to do a little. I don't like that part of it. Cisco's command syntax seems to be a good bit more concise. When you're trying to get something done, you don't want to have to type a bunch. I wish there was a quicker way to configure through the CLI. I know all the tricks of hitting spacebar etc. to finish the command, and the context tricks of going further in. But it just reminds me of an older operating system, like VAX/VMS. It's just very verbose.

Maybe this is where the Space Security Director product comes in, but we aren't quite using the Security Director in Space to its fullest yet.

It seems stable. We haven't had too many failures. We have had some but, by and large, it's been pretty stable. It's not taxed, the way we're using it.

The model we have is very scalable. It's a fairly large firewall.

I have spoken with technical support 30 or 50 times. On a scale of one to 10, I would evaluate Juniper technical support at five. It's never resolved in one call. It's always a couple of calls. We're not being passed from one department to another, it's just that they don't seem to be answering the question you give them. It's very frustrating.

I migrated it from an ASA to the Juniper. It was a fairly straightforward process. There are things that are required on the Juniper that weren't required on the Cisco, like the global address book. Things have to be on there before you can do a lot of net and the like.

You need to know what your company's strategic vision is, and then map the security part of that. I don't just mean cost-related, but the strategy for profit-related future ventures. You need to know why you want a particular firewall. Don't ignore the functions and future growth and products on the horizon from each of the vendors.

What you go with has to meet your current needs but, more importantly, is the company a going concern - meaning if they're going to get better - then how do they complement your particular industry's growth? Are they going to be there to make remote access and extranets and research easier to deliver? The product has to be configurable, with lots of options should you need to subscribe to those options.

The most important criterion, for me, when selecting a vendor is that they have to rank high in industry ratings. Juniper has just not been there. I haven't seen the 2018 reports, but year after year Juniper is not only the least visionary but one of the least in terms of performance. I also don't like the fact that they spun off their VPN to Pulse Secure. I know that's a subsidiary, but I don't necessarily want to have a separate appliance for a light-duty VPN.

I would rate Juniper at seven out of 10. It's a little harder to configure from a VPN perspective, VPN Tunnels. Their tech support is the big problem for me. I don't want to be bounced around. I don't want to get half an answer when I ask a whole question. I would take an inferior product with better tech support, without question. If I have a responsive engineering team that will fix problems when they come in, with firmware releases, etc., I'd clearly take an inferior product with that better support. It's all about function.

I probably wouldn't have chosen the Juniper in this environment. We just don't need yet another knowledge base to learn. And it doesn't fold into some of our Cisco services. For example, the assets control doesn't integrate well with the Radius servers. Something like that could be downloadable ACLs, for instance.

Valuable features for us include:

• Routing: When firewalls can also perform full routing functionality, it helps to save cost on dedicated routing hardware.
• High Availability (clustering): This is important to ensure service availability in the event of a node failure. These firewalls in HA mode consist of a primary and backup node, and provide redundancy such that if one of the nodes fails, the other node will take over.
• Deep packet inspection (DPI) capabilities: Juniper SRX firewalls inspect packets as they traverse the firewalls and it goes beyond the traditional five tuples (source IP, destination IP, protocol, source port, and destination port) packet inspection by using the App-ID engine to inspect the protocol to correctly identify applications. It further rate-limits traffic, using the AppQoS features, based on specific types of applications.
• IPSec VPN: This is crucial because it provides secure site to site connectivity between the DC and remote locations. Traffic traversing the secure link is protected from the prying eyes of unauthorized intruders or the man-in-the-middle.

These features are valuable because they allow smooth operation of the business from a technology standpoint. Again, this is relative.

There was a business need to provide service high availability and system redundancy in addition to routing and firewalling at the internet edge and the datacenter core.

Having this design has greatly simplified the network and improved operational efficiency of support staffs.

The GUI needs improving.

We have been using the solution for seven years, providing design, implementation, support, and optimization.

We had a stability issue. Just like any other vendor, there are code stability issues on some of the platforms. However, there is always a recommended code version for each platform.

We did not encounter issues with scalability, but this depends on the environment. The DC class firewalls can scale vertically or horizontally.

They provide an awesome technical support.

We used Cisco and CheckPoint. Routing functionality and advanced security services were limited.

The setup was straightforward and simple once you understand the building blocks of Junos and firewalls.

Pricing and licensing are very reasonable.

We evaluated Palo Alto and Fortinet.

This product will offer maximum performance and capacity.

It is extremely reliable depending on the business need. It supports full routing functionality and advanced security services like Application Security, Unified Threat Management (UTM), IPS, and threat intelligence.

Advanced security services require a license.

Our primary use case is for MPBN, where we provide a firewall for our mobile data customers. As an ISP, we protect the 2G, 3G, and 4G customers.

The most valuable feature is the virtualization because it can be used for customers who are using the mobile data network to request a private connection to a remote site.

There are also standard security features such as NTP groups and firewalling features and these are also good. 

The Juniper product has to improve in terms of innovation.

It only has standard reports, such as memory capacity and data traffic. By comparison, the Check Point solution comes with great reports. Check Point tracks the logs, then analyses the logs and can tell you when you are under attack. Then, you can prevent it. With Juniper today, what you have in terms of log analysis is not so good. I think that they have another solution for this, but it is not embedded, and you have to purchase it separately.

Since we have deployed, there have been maybe two or three minor issues. Our local support helped us to clear these.

I cannot really tell if it is scalable because we are managing twenty gigabytes of traffic on the node. They say that it can scale up to almost one terabyte, but we don't have the capacity so I can't really tell.

This solution is used for all of our mobile customers, which is approximately twelve million. All of our 4G customers use it. This includes standard users who want internet access on their phone, as well as those who want a VPN connected to a private server.

I would rate their support seven out of ten.

The technical support directly from Juniper is too expensive, so we receive support from our local reseller instead. This can take between one and three hours, which at times is not up to our company standards.

While the Juniper support staff is skilled, is it too expensive, which is why I rate it seven.

At one point we tried to move the mobile data firewall from our Juniper SRX56 to the Cisco ASA 5585. What we found out is that Cisco was not performing well at all. I was very disappointed by the Cisco solution. There were more issues for the same amount of traffic. With Juniper, you just have to upgrade to handle additional clients, but when we tried with Cisco, definitely the result was not good at all.

The initial setup was straightforward, especially compared to that of Cisco. It was very simple with the help of our local provider.

From the design phase up to the implementation stage took approximately one month per site. This included the time to validate the design documents and then validate and approve the changes. We needed to slot a window of time for the change, consider whether there is any impact on the customer, and then monitor what happens during the change. For both of our sites, it took approximately three months.

For the design and clarification, we had one person for four nodes. In terms of operations, we have two engineers.

Our local provider assisted us with the implementation of the final solution. In Cameroon, we had Erikson, and they knew what they had to do so it was really straightforward.

While the price of support is expensive, the price of the solution, itself, is not.

The problem came about when we tried switching to Cisco and discontinued our support. In order to subscribe again later, we had to pay a reinstatement fee. We found out that if you have not used the product for a certain period of time, you have to pay for this period before paying for a new year of support. Say, for example, that you don't pay for support for one year. That year must be paid for, first, before getting support. That is why I am saying that support is expensive, in my opinion.

We did not evaluate vendors other than Juniper and Cisco because in the enterprise we have a set of approved vendors for each sector and these are two only two in this group.

My advice is to make sure that you have local support because it is very important. Juniper does have some good options in terms of support.

This is not a perfect solution because I think that there is still room for improvement, but I think it is the best solution that I have tested for MBPN.

I would rate this solution an eight and a half out of ten. 

Theere has been no change to our organization. We replaced an older Cisco ASA. We intended to use some of the UTM features, but we have not yet. In some cases, it is worse. We can’t do remote access IPsec VPNs for users like we could with the Cisco ASA. Instead, we set up OpenVPN. As the Cisco ASA is the de facto standard, doing a site-to-site IPsec VPN to other companies takes more time (e.g., IKEv2 will not work connecting to Cisco gear because traffic selectors are not supported for IKEv2).

We mostly use the Layer 4 firewall functions: Access rules, NAT, and site-to-site IPsec VPN. We liked that it had additional features and was more modern than the Cisco ASA line.

It needs better interoperability with Cisco gear.

No stability issues.

No issue. We are only a 40 person company and only have 50Mbps of internet bandwidth.

Technical support is good, though we have not really used support much. Juniper has a decent knowledgebase.

Previously, we had a Cisco ASA 5510. It was old and needed to be replaced. We switched because the Cisco ASA is underpowered. If you try to do too many functions, like IDS/IPS, UTM, virus scanning, and Smart Net, support is expensive.

The initial setup is mostly straightforward. We are converting one of our site-to-site VPNs with another company where we have overlapping subnets. This took some doing because the Cisco ASA allowed us to do policy-based NAT and could NAT the same IP subnet two different ways depending on the destination address. We needed to exclude 10 IP addresses out of a 24 subnet from the static NAT rule which was needed to deal with the overlapping subnets and ended up having to do more than 240 individual 32 NAT rules on the Juniper SRX240H2.

Work with a consultant who has good JunOS knowledge if you have a complex setup (we host more than 20 servers for internet access used by over a 1000 users).

Pricing is good. Most of the costs are in the UTM (IDS/IPS, virus scanning, etc.) subscription. Palo Alto was nice, but much more expensive.

We looked at Juniper SRX vs FortiGate and Juniper SRX vs Palo Alto, as well as the newer Cisco ASAs.

Thanks to the well-structured and organized security policies, we decreased operations time to create/update/delete our security policies.

Security policies in combination with zones: It is very easy to organize the security polices in a logical structure.

CLI: Junos CLI is very easy to use, and it is also very easy to find back items in the configuration and to change them.

Commit: You can update the whole configuration without affecting the production. The new configuration will be loaded once the command "Commit" is submitted. You can also do a Commit confirmed to automatically roll back to the previous config after X minutes. 

The visibility/reporting could be better. To see something, you have to export the log to a syslog and then process with another product.

We have used it for years without any stability issues.

We haven't encountered scalability issues.

Technical support is pretty good. I would rate it eight out of 10.

I previously used a Netscreen ISG1000 firewall. I switched because the ISG was end-of-life and Netscreen was bought by Juniper.

Initial setup was complex because Junos is totally different than ScreenOS. But with some introductory courses and some googling it becomes much easier.

I’m just the tech, I didn’t take part in the price negotiation. I would say about $20,000 for a SRX650 with IDP licence.

No, we didn't evaluate other options. This was a natural way for us to migrate from ISG to SRX.

Be sure you know what you are looking for. The SRX650 is a perfect product for a small datacenter, not for a branch office where you need lots of visibility.

Implement your structure (zones) first, on paper, before starting to configure it.