Juniper SRX Series Firewall Reviews

We use Juniper SRX to do LAN routing. FortiGate uses it for public SMS, and we're using Juniper for internal LAN segmentation. We're routing between different international sites in Morocco, France, and Tunisia.

We're primarily using Juniper's EPA feature, but not the other things. We use it to manage different points of firewalling of routing.

Junos Space should be improved to be on par with FortiGate's solution for managing firewalls and routing. 

We've been using Juniper SRX for 10 years. 

Juniper SRX is stable. 

Juniper SRX lacks scalability. Juniper uses a switch car with different switches. We have some difficulties managing this kind of equipment and implementing some features, like Mac lock and Mac limiting solutions. It's difficult to get good support about this from Juniper. We have about 10,000 users across all routers and switches. I can say the same for FortiGate. We're currently using it extensively for all traffic, and we plan to expand usage.  

Juniper support is okay, but maybe they could improve their support for the gates or when the gates are returned. It takes a lot of time to get a return about the subgate.

It's easier to deploy FortiGate, so maybe we will replace some of our Juniper firewalls with FortiGate in the future. We would still use Juniper for routers and switches but use FortiGate for firewalls. 

It's easier to manage EDA TPS on FortiGate, so maybe we will replace Juniper if they can't provide us with a good solution for this in the future. Maybe in a few months, we will replace some Juniper appliances with FortiGate in some projects.

Setting up Juniper SRX is a little difficult. 

Juniper is annually licensed. There are some additional costs for APS. 

I rate Juniper SRX seven out of 10. 

We use the solution for protection and security. We primarily use the solution for an internal firewall.

If you require any particular rule that needs to be modified, any particular rule that needs to be fine-tuned, the solution will give you all the details regarding how to fine-tune the policy, including the destination, IP, et cetera. You can easily fine-tune whatever you need to in Juniper. It's easy to implement and meets our patience threshold. 

The dashboard is very helpful. It's extremely useful in terms of putting the necessary policies in place.

I handle the operation part. I'm just putting policies, et cetera, on Juniper. For tasks such as those, it is very easy and it is a comfortable, straightforward process.

The solution has proven to be quite stable.

Technical support has been quite helpful.

I've noticed that the management interface could use some updates and upgrades.

The dashboard can be updated. 

The reporting could be more robust and in-depth.

I've looked into the Check Point firewall a bit and I've found that its anti-spoofing is a good feature. Juniper should consider adding that as a feature.

I've only just begun to really use the product. I only have one year of experience so far. It's still new to me. Therefore, it's hard to make any notes on any features or improvements, as I'm still familiarizing myself with everything. I need time to compare it to other firewalls, and I have not gone through the process of doing that just yet. I need more time.

I've been dealing with the solution for about one year. It hasn't been that long. 

It is really stable. I've seen Juniper work well in my other companies as well. It is very good, in terms of stability. There are no bugs or glitches. It doesn't crash or freeze. The performance is reliable.

Overall, the scalability is very good. A company should have no trouble with scaling if it would like to do so.

We have about 2,000 users currently. They cover various roles in our organization. It's not just used by a specific team.

The technical support on offer is very good. Whenever I would have some issues, they have responded on time and they have really good knowledge of the product. We've been quite satisfied overall.

We use a variety of solutions, including Cisco and Check Point.

I did not handle the initial implementation. That was handled by someone else. Therefore, I can't really share any insights on the process. I do not know if it was easy or difficult, or how long it really took to deploy.

I do not handle the licensing arrangements. That's handled by management. Therefore, I can't speak to how much it costs the organization or how often we pay a licensing fee.

We're just a customer and an end-user.

In general, on a scale from one to ten, I'd rate this product at a nine. We've been quite satisfied with its capabilities so far. 

I'd recommend the solution, however, it really depends on what an organization needs. There are various factors, like pricing, for example, that should be taken into account when looking at solutions.

Our primary use case is for MPBN, where we provide a firewall for our mobile data customers. As an ISP, we protect the 2G, 3G, and 4G customers.

The most valuable feature is the virtualization because it can be used for customers who are using the mobile data network to request a private connection to a remote site.

There are also standard security features such as NTP groups and firewalling features and these are also good. 

The Juniper product has to improve in terms of innovation.

It only has standard reports, such as memory capacity and data traffic. By comparison, the Check Point solution comes with great reports. Check Point tracks the logs, then analyses the logs and can tell you when you are under attack. Then, you can prevent it. With Juniper today, what you have in terms of log analysis is not so good. I think that they have another solution for this, but it is not embedded, and you have to purchase it separately.

Since we have deployed, there have been maybe two or three minor issues. Our local support helped us to clear these.

I cannot really tell if it is scalable because we are managing twenty gigabytes of traffic on the node. They say that it can scale up to almost one terabyte, but we don't have the capacity so I can't really tell.

This solution is used for all of our mobile customers, which is approximately twelve million. All of our 4G customers use it. This includes standard users who want internet access on their phone, as well as those who want a VPN connected to a private server.

I would rate their support seven out of ten.

The technical support directly from Juniper is too expensive, so we receive support from our local reseller instead. This can take between one and three hours, which at times is not up to our company standards.

While the Juniper support staff is skilled, is it too expensive, which is why I rate it seven.

At one point we tried to move the mobile data firewall from our Juniper SRX56 to the Cisco ASA 5585. What we found out is that Cisco was not performing well at all. I was very disappointed by the Cisco solution. There were more issues for the same amount of traffic. With Juniper, you just have to upgrade to handle additional clients, but when we tried with Cisco, definitely the result was not good at all.

The initial setup was straightforward, especially compared to that of Cisco. It was very simple with the help of our local provider.

From the design phase up to the implementation stage took approximately one month per site. This included the time to validate the design documents and then validate and approve the changes. We needed to slot a window of time for the change, consider whether there is any impact on the customer, and then monitor what happens during the change. For both of our sites, it took approximately three months.

For the design and clarification, we had one person for four nodes. In terms of operations, we have two engineers.

Our local provider assisted us with the implementation of the final solution. In Cameroon, we had Erikson, and they knew what they had to do so it was really straightforward.

While the price of support is expensive, the price of the solution, itself, is not.

The problem came about when we tried switching to Cisco and discontinued our support. In order to subscribe again later, we had to pay a reinstatement fee. We found out that if you have not used the product for a certain period of time, you have to pay for this period before paying for a new year of support. Say, for example, that you don't pay for support for one year. That year must be paid for, first, before getting support. That is why I am saying that support is expensive, in my opinion.

We did not evaluate vendors other than Juniper and Cisco because in the enterprise we have a set of approved vendors for each sector and these are two only two in this group.

My advice is to make sure that you have local support because it is very important. Juniper does have some good options in terms of support.

This is not a perfect solution because I think that there is still room for improvement, but I think it is the best solution that I have tested for MBPN.

I would rate this solution an eight and a half out of ten. 

We use Juniper SRX for branch offices or for small office use.

The GUI is simple to use.

I have been using Juniper SRX for approximately 20 years.

Juniper SRX is stable, but it could improve. FortiGate has better stability than Juniper SRX.

Juniper SRX could improve the scalability to compete better with other solutions, such as 
FortiGate.

We have less than 10% of our customers using Juniper SRX.

We use FortiGate solutions and we have been deploying them more than Juniper SRX because of the benefits.

The installation is straightforward.

The time of the deployment depends on the complexity of the environment. If the customer requires HA deployment and the configuration could take longer time. On average, for a small-scale branch office, it can be completed within one day, which includes testing. If the customer does not have any special preference on the policy and they do not have any IP tunnels then it could be completed within half a day.

We have an in-house team of 10 engineers that do the implementation and maintenance of the solutions we provide.

I rate Juniper SRX a seven out of ten.

We are using this product as our Firewall.

The configuration is difficult and it should be easier.

I have been using Juniper SRX for three years.

Juniper is stable and I haven't had any problems.

The hardware is scalable and we have about 500 users.

Juniper supports their products very well.

I have experience with Fortinet and Sophos and I found that the installation and configuration were easier with these solutions.

This product is easy to install but difficult to configure. It takes perhaps three hours to deploy.

I completed the deployment myself. There are three people who work on it, including two administrators and the head of Network Infrastructure.

We plan on buying an SRX370 within the next year.

I would rate this solution a five out of ten.

We leverage this as a firewall and for IT tech services. It's more of a firewall used in a router sorting device. I see major benefits from leveraging it like this.

This is a product on the customer side, not in our services. What I have identified so far is that, considering the complex deployment that the customer wanted to make, the scalability with the feature support that they already have, and its functionality provided, Juniper SRX was one of the better products available. It helped us to scale well with that product customer requirement because they wanted the IT side on a virtual router, with a firewall so it was integrated to work. Such a complex setup cannot be easily accomplished by just using a firewall. SRX actually helps us scale and integrate the product according to customer requirements. It also helped us with its routing capabilities which eased the cost, because otherwise I would have had to take a router and firewall, and then integrate it. With this, however, it was an integration of firewall and routing services all together in a single product. That was one thing that I loved about it.

IPS is something that I do not find valuable, but the other features are awesome. Firewall IP second router is good, but IPS needs to be worked upon.

IPS, or IDS services, need improvement. Their major problem is that you have to integrate it with MSN or web building services, you need to buy support for that and services but you cannot. The best thing that I see was a filtering service with custom categories that I can create. If I buy a license, I can integrate it with a different product, but their own web building services is poor. So they can improve web building services, as well as look for application awareness, and maybe, with IPS, they can have their own built-in services rather than integration with MSN for using IPS. There are three things that can be improved.

IPS is one that I would definitely want to be improved. I would also like SSL VPN to be integrated. Other than that, I guess it's doing a firewall, so I would say it's cool. Next in features, I would want that to be included, along with SSL VPN, if possible. Other than that for the product, I don't think there's a need for doing anything with this.

More than 7 or 8 years

It's cool. I would say it's one of the most stable services. Providing for redundancy is a bit challenging, but it actually is something that can be worked upon because they have a different concept of highway building, as opposed to general people doing stuff. I would say it is a good, stable product, except for the problematic part of it. If people are not aware of how to deal with it, it can be very cumbersome.

You can scale it well, but when you scale you need to take a product out to another one. On a scale level, it's a very good scalable product. It's a good firewall so if you pump it in high traffic, it will be able to adapt to it, unless and until you outgrow its throughput. Then you would either have to get a new model or maybe if you have to avert your firewall, you might have to upgrade it to a new version. So far it's a good product.

This was for a 1,000 user base.

You don't need extra staff to maintain the solution. Unless and until you have a problem of lags or circuit issues, I don't think you need extra staff. One SE should be fine with this product.

I think there will be future plans to increase usage and get more devices. We are also trying to leverage this into a cloud platform, so there would be some more usage.

The technical support or tech team is good. So far, when I worked with them, they have been able to resolve issues firmly. If they cannot do it, they connect you with someone you can work with, so they can just connect to the engineering team. Their data services is something which is really good.

However, their documentation is a bit more challenging. They have unsourced to work, like knowledge base articles and stuff, but they would need to work a bit more on the documentation to compare with Cisco documentation. That's something that they can improve on. They have good documentation. The documentations are clear, but there is not sufficient content available.

The initial setup was very simple. I would say it was the simplest one to date.

Deployment time depends on the solution. This was a very complex one, so it took us four weeks to get the most complexity out of it. I think taking a single deployment, it would not be more than a couple of hours. If you are already working with Juniper products, it would be a couple of hours. If you're not working with Juniper products, maybe a week, not more than a week.

I did the implementation myself, I don't normally take help but in scenarios where documentation is not available, I do go ahead and refer it out but this was simple. I don't think I needed the technical support staff, but I have worked with Juniper tech for certain scenarios in integrating this. It was tax-supported, non-profit services.

There was no additional licensing cost because there were no IPS services. It was just a firewall IP circuit router so they have the default licensing. We just need to renew the support yearly.

Our customer evaluated Palo Alto also. They liked it, and even integrated it, but the scalability requirements they had were an issue. They loved Palo Alto for the security services, but their requirement was routing and security in a single device. That's the reason they were not able to go with the Palo Alto services, but they chose Juniper.

If you're looking for a product that can give you routing as well as security services, and you're not looking for too much taxing on the security part, I guess this is a good product. If, however, you're looking for security services on a greater edge, maybe something like next-gen firewall features, referencing services, or IPS to a greater level, I would recommend going with other security products. If you want integration of both, you can use this, and maybe if you evaluate, or move forward with better services over a period of time and better models of that, maybe this is something that you can always look for both, routing as well as security services.

SRX is a security product that's not that good on security, but it's good at routing, so they actually balance out. I would rate them around six of ten. 

Cisco does one thing right. Cisco has AnyConnect so they can fully integrate SSL routing services. Previously Juniper used to have Pulse Secure and MAG devices. They sold it off to Pulse Secure, but maybe they could try to integrate SSL VPN with their products. Maybe that would help them increase market share.

The greatest improvement we have seen is in operational performance and operational stability. There are no outages.

• It's a reliable firewall and very stable, for both the hardware and applications it is stable. 
• It's very powerful. 
• It's also a very secure device, it has good attack prevention capabilities using UTM.
• It's user-friendly with a good UI.
• It has powerful CLI.

It's not 100%, it's not a perfect product, some points need to be adjusted, need to be enhanced.

There have been no issues with this product.

It's a very scalable product.

I think they have professional support. Support is really good, they are professional engineers.

Customer support is very good.

I used Cisco, and Palo Alto, and used McAfee. As a consultant, a systems integrator, if customers go to SRX it's because of its features and the stability of the product. It's the most stable product.

It was very straightforward, very clear.

Other than Palo Alto, StrongSoft is very stable. Cisco Firepower is very unstable.

I can say for, that for a datacenter, and for price, first I appreciate Palo Alto and then I appreciate Juniper, more than the others.

Support for Juniper is best, better than Palo Alto, but Palo Alto is more powerful. And there is a big difference in pricing.

Valuable features for us include:

• Routing: When firewalls can also perform full routing functionality, it helps to save cost on dedicated routing hardware.
• High Availability (clustering): This is important to ensure service availability in the event of a node failure. These firewalls in HA mode consist of a primary and backup node, and provide redundancy such that if one of the nodes fails, the other node will take over.
• Deep packet inspection (DPI) capabilities: Juniper SRX firewalls inspect packets as they traverse the firewalls and it goes beyond the traditional five tuples (source IP, destination IP, protocol, source port, and destination port) packet inspection by using the App-ID engine to inspect the protocol to correctly identify applications. It further rate-limits traffic, using the AppQoS features, based on specific types of applications.
• IPSec VPN: This is crucial because it provides secure site to site connectivity between the DC and remote locations. Traffic traversing the secure link is protected from the prying eyes of unauthorized intruders or the man-in-the-middle.

These features are valuable because they allow smooth operation of the business from a technology standpoint. Again, this is relative.

There was a business need to provide service high availability and system redundancy in addition to routing and firewalling at the internet edge and the datacenter core.

Having this design has greatly simplified the network and improved operational efficiency of support staffs.

The GUI needs improving.

We have been using the solution for seven years, providing design, implementation, support, and optimization.

We had a stability issue. Just like any other vendor, there are code stability issues on some of the platforms. However, there is always a recommended code version for each platform.

We did not encounter issues with scalability, but this depends on the environment. The DC class firewalls can scale vertically or horizontally.

They provide an awesome technical support.

We used Cisco and CheckPoint. Routing functionality and advanced security services were limited.

The setup was straightforward and simple once you understand the building blocks of Junos and firewalls.

Pricing and licensing are very reasonable.

We evaluated Palo Alto and Fortinet.

This product will offer maximum performance and capacity.

It is extremely reliable depending on the business need. It supports full routing functionality and advanced security services like Application Security, Unified Threat Management (UTM), IPS, and threat intelligence.

Advanced security services require a license.