Juniper SRX Series Firewall Reviews

Our primary use case is security. The performance has been okay. It's a bit of a change from the Ciscos in terms of the configuration syntax, from the CLI perspective. We use it just as a firewall. We don't use it for routing functionality.

The Juniper was a later model, later technology than we had, more horsepower than we had before. The performance is better, but it could have been any firewall in its peer group. The improvement was because our old firewalls were, well, old. So the performance has been an improvement. And the IDS, perhaps, is a little better than what the older firewalls had.

I'm not sure what the most valuable features are. I'm not really that impressed with the technical support. I'm not really that impressed with the product, to be honest with you. Throughput seems to be okay.

The CLI is verbose. You have to say a lot to do a little. I don't like that part of it. Cisco's command syntax seems to be a good bit more concise. When you're trying to get something done, you don't want to have to type a bunch. I wish there was a quicker way to configure through the CLI. I know all the tricks of hitting spacebar etc. to finish the command, and the context tricks of going further in. But it just reminds me of an older operating system, like VAX/VMS. It's just very verbose.

Maybe this is where the Space Security Director product comes in, but we aren't quite using the Security Director in Space to its fullest yet.

It seems stable. We haven't had too many failures. We have had some but, by and large, it's been pretty stable. It's not taxed, the way we're using it.

The model we have is very scalable. It's a fairly large firewall.

I have spoken with technical support 30 or 50 times. On a scale of one to 10, I would evaluate Juniper technical support at five. It's never resolved in one call. It's always a couple of calls. We're not being passed from one department to another, it's just that they don't seem to be answering the question you give them. It's very frustrating.

I migrated it from an ASA to the Juniper. It was a fairly straightforward process. There are things that are required on the Juniper that weren't required on the Cisco, like the global address book. Things have to be on there before you can do a lot of net and the like.

You need to know what your company's strategic vision is, and then map the security part of that. I don't just mean cost-related, but the strategy for profit-related future ventures. You need to know why you want a particular firewall. Don't ignore the functions and future growth and products on the horizon from each of the vendors.

What you go with has to meet your current needs but, more importantly, is the company a going concern - meaning if they're going to get better - then how do they complement your particular industry's growth? Are they going to be there to make remote access and extranets and research easier to deliver? The product has to be configurable, with lots of options should you need to subscribe to those options.

The most important criterion, for me, when selecting a vendor is that they have to rank high in industry ratings. Juniper has just not been there. I haven't seen the 2018 reports, but year after year Juniper is not only the least visionary but one of the least in terms of performance. I also don't like the fact that they spun off their VPN to Pulse Secure. I know that's a subsidiary, but I don't necessarily want to have a separate appliance for a light-duty VPN.

I would rate Juniper at seven out of 10. It's a little harder to configure from a VPN perspective, VPN Tunnels. Their tech support is the big problem for me. I don't want to be bounced around. I don't want to get half an answer when I ask a whole question. I would take an inferior product with better tech support, without question. If I have a responsive engineering team that will fix problems when they come in, with firmware releases, etc., I'd clearly take an inferior product with that better support. It's all about function.

I probably wouldn't have chosen the Juniper in this environment. We just don't need yet another knowledge base to learn. And it doesn't fold into some of our Cisco services. For example, the assets control doesn't integrate well with the Radius servers. Something like that could be downloadable ACLs, for instance.

Valuable features for us include:

• Routing: When firewalls can also perform full routing functionality, it helps to save cost on dedicated routing hardware.
• High Availability (clustering): This is important to ensure service availability in the event of a node failure. These firewalls in HA mode consist of a primary and backup node, and provide redundancy such that if one of the nodes fails, the other node will take over.
• Deep packet inspection (DPI) capabilities: Juniper SRX firewalls inspect packets as they traverse the firewalls and it goes beyond the traditional five tuples (source IP, destination IP, protocol, source port, and destination port) packet inspection by using the App-ID engine to inspect the protocol to correctly identify applications. It further rate-limits traffic, using the AppQoS features, based on specific types of applications.
• IPSec VPN: This is crucial because it provides secure site to site connectivity between the DC and remote locations. Traffic traversing the secure link is protected from the prying eyes of unauthorized intruders or the man-in-the-middle.

These features are valuable because they allow smooth operation of the business from a technology standpoint. Again, this is relative.

There was a business need to provide service high availability and system redundancy in addition to routing and firewalling at the internet edge and the datacenter core.

Having this design has greatly simplified the network and improved operational efficiency of support staffs.

The GUI needs improving.

We have been using the solution for seven years, providing design, implementation, support, and optimization.

We had a stability issue. Just like any other vendor, there are code stability issues on some of the platforms. However, there is always a recommended code version for each platform.

We did not encounter issues with scalability, but this depends on the environment. The DC class firewalls can scale vertically or horizontally.

They provide an awesome technical support.

We used Cisco and CheckPoint. Routing functionality and advanced security services were limited.

The setup was straightforward and simple once you understand the building blocks of Junos and firewalls.

Pricing and licensing are very reasonable.

We evaluated Palo Alto and Fortinet.

This product will offer maximum performance and capacity.

It is extremely reliable depending on the business need. It supports full routing functionality and advanced security services like Application Security, Unified Threat Management (UTM), IPS, and threat intelligence.

Advanced security services require a license.

We use the solution for our transport domain's server. We handle booking and billing using the solution.

I got to learn CLI after purchasing the solution. It counts as a benefit for me.

The solution's valuable features are excellent customer service and stability.

They should work on the pricing. I am using VPN and need to pay for its warranty and license separately. It needs to be addressed.

We have been using the solution for three years now.

It is a stable solution. We never faced any issues there.

If you have experience using the solution, it is scalable. 

The solution's initial setup process was lengthy as I was new to Juniper. I had to explore and learn the steps to implement the solution. Even after that, there was no guarantee that it would work fine. So that wasn't very easy.

I suggest adding more articles or blogs regarding the deployment and configuration part.

We had an engineer to help us deploy it, and the process lasted nearly six months.

I rate the solution's pricing as a four.

The solution is relatively easy and inexpensive to maintain. Also, I advise others to add chargeable features in the initial setup. If it increases the price of the device, that's fine.

I rate the solution as a seven.

We use the virtual on-premises in our data centers.

The reason that we picked Juniper SRX is for the scalability, the fit for purpose, the tools that are available, the ongoing support, and the ability to monitor, but particularly for the virtual routers in our data centers so that we can quickly upscale them when needed, when we need more throughput.

In the last year, we've started to roll out Juniper SRX for new sites. It has only been a couple, but we'll have about 10 to 15 sites within the next month in the new framework, and we'll also be putting a virtual SRX router at our gateway in our data centers as well.

We are using the latest version. It's not finalized to install yet. I expect it to be finalized next week in our city and Melbourne data centers.

So far they've been good in terms of stability.

The scalability has been very good so far.

We've got 420 staff using it, plus two of my internal team and two of my MSPs, four people,  working on the network stuff.

We have been in touch with support and they've been good. During the configuration stages, we had a couple of tickets and they were responsive to it.

The first configuration with my network experts took a little bit of time to work through the differences between their knowledge of the Huawei networking and the Juniper set-up and the change from all the Huawei to the Juniper and Sophos access points. The first install took a couple of weeks to configure the actual hardware, and then on site, what we expected to take half a day in the first instance probably took a week, but once we did one, we've been ok rolling out the next ones after that.

In terms of the initial setup being straightforward, that depends on your knowledge of the product. Juniper has been fairly responsive when my team has asked them questions. So it has taken us longer to install than I would've hoped, but that's one of those things when you change your products.

There is a component of monthly and yearly costs depending on the product.

Ongoing costs are something that we need to manage and make sure that we're getting value on. But with feeding the data back in and the capability, we're hoping that it will pay for itself in the monitoring tools and the ability to go past just the different baselines of stability and scalability to actually make sure that we're proactive in keeping our networks alive.

On a scale of one to ten, I would give Juniper SRX an eight.

The main thing is cost. Having said that, it's not ridiculous, but you're always looking for the best value, and them bringing out the virtual cores has been really good. The cost is more expensive, but you're getting a bang for your buck. They are very good value for money in their product.

The overall, ongoing costs of licensing has added to my budget, but until I get long-term experience and make sure that it's running as expected, I can't say it's everything that I expected.

Our primary use case is for MPBN, where we provide a firewall for our mobile data customers. As an ISP, we protect the 2G, 3G, and 4G customers.

The most valuable feature is the virtualization because it can be used for customers who are using the mobile data network to request a private connection to a remote site.

There are also standard security features such as NTP groups and firewalling features and these are also good. 

The Juniper product has to improve in terms of innovation.

It only has standard reports, such as memory capacity and data traffic. By comparison, the Check Point solution comes with great reports. Check Point tracks the logs, then analyses the logs and can tell you when you are under attack. Then, you can prevent it. With Juniper today, what you have in terms of log analysis is not so good. I think that they have another solution for this, but it is not embedded, and you have to purchase it separately.

Since we have deployed, there have been maybe two or three minor issues. Our local support helped us to clear these.

I cannot really tell if it is scalable because we are managing twenty gigabytes of traffic on the node. They say that it can scale up to almost one terabyte, but we don't have the capacity so I can't really tell.

This solution is used for all of our mobile customers, which is approximately twelve million. All of our 4G customers use it. This includes standard users who want internet access on their phone, as well as those who want a VPN connected to a private server.

I would rate their support seven out of ten.

The technical support directly from Juniper is too expensive, so we receive support from our local reseller instead. This can take between one and three hours, which at times is not up to our company standards.

While the Juniper support staff is skilled, is it too expensive, which is why I rate it seven.

At one point we tried to move the mobile data firewall from our Juniper SRX56 to the Cisco ASA 5585. What we found out is that Cisco was not performing well at all. I was very disappointed by the Cisco solution. There were more issues for the same amount of traffic. With Juniper, you just have to upgrade to handle additional clients, but when we tried with Cisco, definitely the result was not good at all.

The initial setup was straightforward, especially compared to that of Cisco. It was very simple with the help of our local provider.

From the design phase up to the implementation stage took approximately one month per site. This included the time to validate the design documents and then validate and approve the changes. We needed to slot a window of time for the change, consider whether there is any impact on the customer, and then monitor what happens during the change. For both of our sites, it took approximately three months.

For the design and clarification, we had one person for four nodes. In terms of operations, we have two engineers.

Our local provider assisted us with the implementation of the final solution. In Cameroon, we had Erikson, and they knew what they had to do so it was really straightforward.

While the price of support is expensive, the price of the solution, itself, is not.

The problem came about when we tried switching to Cisco and discontinued our support. In order to subscribe again later, we had to pay a reinstatement fee. We found out that if you have not used the product for a certain period of time, you have to pay for this period before paying for a new year of support. Say, for example, that you don't pay for support for one year. That year must be paid for, first, before getting support. That is why I am saying that support is expensive, in my opinion.

We did not evaluate vendors other than Juniper and Cisco because in the enterprise we have a set of approved vendors for each sector and these are two only two in this group.

My advice is to make sure that you have local support because it is very important. Juniper does have some good options in terms of support.

This is not a perfect solution because I think that there is still room for improvement, but I think it is the best solution that I have tested for MBPN.

I would rate this solution an eight and a half out of ten. 

Theere has been no change to our organization. We replaced an older Cisco ASA. We intended to use some of the UTM features, but we have not yet. In some cases, it is worse. We can’t do remote access IPsec VPNs for users like we could with the Cisco ASA. Instead, we set up OpenVPN. As the Cisco ASA is the de facto standard, doing a site-to-site IPsec VPN to other companies takes more time (e.g., IKEv2 will not work connecting to Cisco gear because traffic selectors are not supported for IKEv2).

We mostly use the Layer 4 firewall functions: Access rules, NAT, and site-to-site IPsec VPN. We liked that it had additional features and was more modern than the Cisco ASA line.

It needs better interoperability with Cisco gear.

No stability issues.

No issue. We are only a 40 person company and only have 50Mbps of internet bandwidth.

Technical support is good, though we have not really used support much. Juniper has a decent knowledgebase.

Previously, we had a Cisco ASA 5510. It was old and needed to be replaced. We switched because the Cisco ASA is underpowered. If you try to do too many functions, like IDS/IPS, UTM, virus scanning, and Smart Net, support is expensive.

The initial setup is mostly straightforward. We are converting one of our site-to-site VPNs with another company where we have overlapping subnets. This took some doing because the Cisco ASA allowed us to do policy-based NAT and could NAT the same IP subnet two different ways depending on the destination address. We needed to exclude 10 IP addresses out of a 24 subnet from the static NAT rule which was needed to deal with the overlapping subnets and ended up having to do more than 240 individual 32 NAT rules on the Juniper SRX240H2.

Work with a consultant who has good JunOS knowledge if you have a complex setup (we host more than 20 servers for internet access used by over a 1000 users).

Pricing is good. Most of the costs are in the UTM (IDS/IPS, virus scanning, etc.) subscription. Palo Alto was nice, but much more expensive.

We looked at Juniper SRX vs FortiGate and Juniper SRX vs Palo Alto, as well as the newer Cisco ASAs.

Thanks to the well-structured and organized security policies, we decreased operations time to create/update/delete our security policies.

Security policies in combination with zones: It is very easy to organize the security polices in a logical structure.

CLI: Junos CLI is very easy to use, and it is also very easy to find back items in the configuration and to change them.

Commit: You can update the whole configuration without affecting the production. The new configuration will be loaded once the command "Commit" is submitted. You can also do a Commit confirmed to automatically roll back to the previous config after X minutes. 

The visibility/reporting could be better. To see something, you have to export the log to a syslog and then process with another product.

We have used it for years without any stability issues.

We haven't encountered scalability issues.

Technical support is pretty good. I would rate it eight out of 10.

I previously used a Netscreen ISG1000 firewall. I switched because the ISG was end-of-life and Netscreen was bought by Juniper.

Initial setup was complex because Junos is totally different than ScreenOS. But with some introductory courses and some googling it becomes much easier.

I’m just the tech, I didn’t take part in the price negotiation. I would say about $20,000 for a SRX650 with IDP licence.

No, we didn't evaluate other options. This was a natural way for us to migrate from ISG to SRX.

Be sure you know what you are looking for. The SRX650 is a perfect product for a small datacenter, not for a branch office where you need lots of visibility.

Implement your structure (zones) first, on paper, before starting to configure it.

We use Juniper SRX as a firewall mainly, for security and securing the network.

Juniper SRX is a very powerful firewall and sometimes can be used as a router.

I think Juniper SRX should have a GUI. Some of the competitors are already implementing GUI for the firewall.

I have been working with Juniper SRX for sixteen years.

Juniper SRX is a stable solution.

The scalability of Juniper SRX is acceptable.

Technical support initially is not that fast, if the case requires escalation, the other levels of support are fast.

The setup is a straightforward configuration, but the security customization may take time.

I would rate Juniper SRX a nine out of ten.