Juniper firewalls - SSG or SRX

Ken Gilmour ken.gilmour at
Tue Apr 20 10:15:26 CDT 2010

We are in the process of replacing some SSGs (and NSes) with SRXes. The
biggest issues so far that we've faced are:

1. Although the devices can be used at the core you can't enable
"multifunction" IDP (i.e. you can only enable the filters for HTTP or
Fileserver etc, not all at the same time or the device will crash).
2. The config restore is limited to a small file (i don't know what that is
yet). If you need to restore a big file from SCP or USB key it will fail,
you have to convert the file into commands (a bit like ScreenOS or IPTables)
and then paste them all into CLI which can get messy if you make a typo or
do them in the wrong order.
3. In shell mode the CPU shows pflow using up over 1000% CPU, apparently
this is just an aesthetics problem and it's not actually using up 1000% CPU
(the GUI also shows this but this is also an aesthetics problem).

The advantages are that the CLI has more middle ground between IOS and
ScreenOS, for example:

ScreenOS and JunOS:

set interfaces <name> <setting>


interface <name>


edit interface <name>
set <setting>

The BGP configuration is much more complicated, and in my short experience
with JunOS, less feature rich than OpenBGPd from the OpenBSD crew (although
the syntax is very similar).



On 19 April 2010 18:32, Jeffrey Negro <jnegro at> wrote:

> Has anyone on Nanog had any hands on experience with the lower end of the
> new SRX series Junipers?  We're looking to purchase two new firewalls, and
> I'm debating going with SSG series or to make the jump to the SRX line.
>  Any
> input, especially about the learning curve jumping from ScreenOS to JunOS
> would be greatly appreciated.  Thank you in advance.
> Jeffrey

More information about the NANOG mailing list