Juniper SRX Review
We use the Layer 4 firewall functions: Access rules, NAT, and site-to-site IPsec VPN


Improvements to My Organization

There has been no change to our organization. We replaced an older Cisco ASA. We intended to use some of the UTM features, but we have not yet. In some cases, it is worse. We can’t do remote access IPsec VPNs for users like we could with the Cisco ASA. Instead, we set up OpenVPN. As the Cisco ASA is the de facto standard, doing a site-to-site IPsec VPN to other companies takes more time (e.g., IKEv2 will not work connecting to Cisco gear because traffic selectors are not supported for IKEv2).

Valuable Features

We mostly use the Layer 4 firewall functions: Access rules, NAT, and site-to-site IPsec VPN. We liked that it had additional features and was more modern than the Cisco ASA line.

Room for Improvement

It needs better interoperability with Cisco gear.

Use of Solution

One to three years.

Stability Issues

No stability issues.

Scalability Issues

No issue. We are only a 40-person company and only have 50 Mbps of internet bandwidth.

Customer Service and Technical Support

Technical support is good, though we have not really used support much. Juniper has a decent knowledgebase.

Previous Solutions

Previously, we had a Cisco ASA 5510. It was old and needed to be replaced. We switched because the Cisco ASA is underpowered. If you try to do too many functions, like IDS/IPS, UTM, virus scanning, and Smart Net, support is expensive.

Initial Setup

The initial setup is mostly straightforward. We are converting one of our site-to-site VPNs with another company where we have overlapping subnets. This took some doing because the Cisco ASA allowed us to do policy-based NAT and could NAT the same IP subnet two different ways depending on the destination address. We needed to exclude 10 IP addresses out of a /24 subnet from the static NAT rule which was needed to deal with the overlapping subnets and ended up having to do more than 240 individual /32 NAT rules on the Juniper SRX240H2.

Implementation Team

Work with a consultant who has good JunOS knowledge if you have a complex setup (we host more than 20 servers for internet access used by over 1,000 users).

Pricing, License Cost and Setup

Pricing is good. Most of the costs are in the UTM (IDS/IPS, virus scanning, etc.) subscription. Palo Alto was nice, but much more expensive.

Other Solutions Considered

We looked at FortiGate and Palo Alto, as well as the newer Cisco ASAs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
