Juniper firewalls - SSG or SRX

Ken Gilmour ken.gilmour at gmail.com
Tue Apr 20 15:15:26 UTC 2010


We are in the process of replacing some SSGs (and NSes) with SRXes. The
biggest issues so far that we've faced are:

1. Although the devices can be used at the core you can't enable
"multifunction" IDP (i.e. you can only enable the filters for HTTP or
Fileserver etc, not all at the same time or the device will crash).
2. The config restore is limited to a small file (I don't know what that is
yet). If you need to restore a big file from SCP or USB key it will fail,
you have to convert the file into commands (a bit like ScreenOS or IPTables)
and then paste them all into CLI which can get messy if you make a typo or
do them in the wrong order.
3. In shell mode the CPU shows pflow using up over 1000% CPU, apparently
this is just an aesthetics problem and it's not actually using up 1000% CPU
(the GUI also shows this but this is also an aesthetics problem).

The advantages are that the CLI has more middle ground between IOS and
ScreenOS, for example:

ScreenOS and JunOS:

set interfaces <name> <setting>

Cisco

interface <name>
<setting>

JunOS

edit interface <name>
set <setting>

The BGP configuration is much more complicated, and in my short experience
with JunOS, less feature rich than OpenBGPd from the OpenBSD crew (although
the syntax is very similar).

Regards,

Ken

On 19 April 2010 18:32, Jeffrey Negro <jnegro at billtrust.com> wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers? We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line. Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated. Thank you in advance.
>
> Jeffrey
>
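The conversion Ken describes under point 2 (turning a saved hierarchical config into flat "set" commands that can be pasted into the CLI in the right order) is what JunOS itself prints with "show configuration | display set"; the script below is an added example, not Ken's or Juniper's code, that does the same thing offline from a saved file. The sample config is constructed, and the function name and its one-statement-per-line assumption are mine.

```python
import re

# Constructed sample of the curly-brace form that 'show configuration' prints.
SAMPLE_CONFIG = """\
/* annotated by the operator */
system {
    host-name srx-edge;    # trailing comment
    services {
        ssh;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
}
"""

def junos_to_set(config_text):
    """Flatten a JunOS brace-style config into 'set' statements, in file
    order (parents before children, which is the order the CLI needs when
    the lines are pasted back). Assumes one statement or brace per line, as
    the device prints it, and no '#' or '{' inside quoted strings; raises
    ValueError on unbalanced braces so a truncated file is not half-applied.
    """
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)  # /* */ comments
    path, commands = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '#' comments
        if not line:
            continue
        if line.endswith("{"):               # enter a hierarchy level
            path.append(line[:-1].strip())
        elif line == "}":                    # leave the current level
            if not path:
                raise ValueError("unbalanced '}' in configuration")
            path.pop()
        elif line.endswith(";"):             # leaf statement -> one set line
            commands.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if path:
        raise ValueError("unclosed block(s): " + " / ".join(path))
    return commands

if __name__ == "__main__":
    print("\n".join(junos_to_set(SAMPLE_CONFIG)))
```

Because the output is produced in file order, pasting it top to bottom never references a container before it exists, which is the ordering problem the post mentions.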
