Juniper SRX Series Firewall Reviews

We are using this solution mainly for the NPCs and the firewall of the mobile data customers. We are using it to protect the ISP of the mobile data customers: 2G, 3G, and 4G customers. 

In terms of features, we are using Source NAT. 

The virtualization feature: Sometimes customers are requesting a private connection using mobile data when they are connecting to remote sites. 

The Juniper SRX product needs to improve in terms of innovation. E.g., Checkpoint comes with a monitoring solution embedded in its product, as well as providing good reports. Checkpoint also does analysis by tracking the logs and letting you know when you are under attack. What Juniper has today in comparison is not so good.

Juniper only has limited reports, such as memory, capacity, data, and traffic.

Since we have deployed the product, we have had two or three minor issues.

We have something like 12 million customers (mobile data customers).

Sometimes, it is difficult to contact the Juniper support because we did not purchase the support package, as it was too expensive. We are using a local reseller instead. Sometimes, when we have had issues, it can take one to three hours for resolution, which is not good at all based on our company standard. However, once we have the right thing connected on the device, then it's very fast.

I would rate the technical support as a seven out of ten. The support is skilled, but the cost is expensive.

We previously used Cisco ASA. The results were not good.

The initial setup is straightforward. We had the help of the local provider. So, it was very straightforward. 

Even now, when I compare the initial setup to Cisco, the implementation of Juniper SRX is very simple.

To finish the implementation, we had the help of the local provider, Ericsson.

From the design phase up to the implementation phase, it took more than one month per site. The time to validate the design documents and change, then doing those changes, approve those changes and implementing them. Because we have two sites, it was somewhere around three months.

After the acquisition phase, we discussed the plan and the design document. We did the architecture and design document with the vendor. Before going into the implementation phase, we have to validate all our documents for the high-level and low-level designs. The operational teams are also validating these documents.

Once we have all those documents validated, we request the approval for change. We have a committee who analyzes the documentation. We analyze the work that we are planning to do and validate the changes for a specific time.

We need to look if there any impact on the customer side, do we need to present it to the customer before making the change, and what is the plan for monitoring after the change?

The direct support with Juniper is expensive. When you stop using the solution and miss one year of payments, if you want the support back on a specific node, they ask you to pay for the year that you haven't used the node.

We tried to move our mobile data firewall from Juniper SRX to Cisco ASA. What we found was that Cisco did not performing well at all. We were very disappointed by the Cisco solution. With the Cisco solution, we had more memory issues with the same amount of traffic. With Juniper SRX, it just needs an upgrade to carry the traffic.

We have approved vendors in every industry. We cannot deviate and chose any vendor that we want. We can only select vendors from our approved list. The two vendors on that list for this industry include Cisco and Juniper, though recently Huawei was added.

Make sure to have skilled local support.

We are planning to move to the bigger version of Juniper SRX later this year (SRX5800). We are also planning to move to IPv6.

Juniper SRX is solely used as a firewall gateway. We use it only for interfacing with the internet and for server farms, as a data center firewall gateway.

Most of our clients use it as a traditional firewall, blocking Layer 3 and Layer 4, blocking by transport.

We also use firewalls from FortiGate and Palo Alto and they're built with technology to make them next-generation firewalls. Juniper utilizes a router OS and includes enhancements to make it a firewall. But FortiGate and Palo Alto are full-on firewalls because they are built from scratch with features which are specific to firewalls. 

Juniper needs to enhance the solution so that it is more powerful. They need to update the administrative tools to create an easier admin experience. An average administrator would find it easier to configure if they could use https rather than the command line interface to do so.

In addition, it would be more powerful if Juniper brought out a security product other than firewalls, like anti-spam, endpoint protection, etc. Customers who want to deploy security solutions are not just thinking about firewalls. They're thinking about security across their environment. If Juniper could give me a security solution, beyond the firewall, that integrates with the firewall, that would be helpful. Other products have built a security fabric. So if a customer already uses one of their solutions, like a firewall, they will be thinking about integrating with that vendor's other products. If there is more than just a firewall solution, they will use that same vendor's products throughout the security environment. A security fabric is more powerful than just blocking via network parameters.

Juniper should have an end-to-end solution, from the endpoint to the network level. It would provide a more powerful security solution to the customer. Customers are looking for a holistic security solution.

For one to three years it's stable.

If users want to scale up the firewall, they basically want the cheapest firewall that gives them powerful features. Most users choose FortiGate rather than Juniper. Technically, Juniper's scalability is good. But when customers look at the overall price, FortiGate will come out cheaper than Palo Alto or Juniper.

The technical support is good. The engineers help support our customers day-to-day.

The setup depends on the deployment, on what we have to configure. But from one firewall to another firewall, it's about the same. They're not really complex. We have experience using the command line and the user interface. If you ask me which one is easier to configure, I will answer that configuring through the user interface is easier.

The amount of time the deployment takes depends on the complexity of the solution. If the firewall is used as an L3 firewall or L4 firewall, for blocking by IP address and, it's going to be faster to deploy than deploying the firewall using Unified Threat Management. In that case, we need to carefully tune the VPN configuration.

The time for one of our customers to achieve ROI depends on the scalability of the product. It also depends on the type of organization. If it's a hospitality or government organization, it will take them more time to achieve ROI than an internet service provider, where using this product is in line with their business objectives.

In terms of pricing, Juniper is in the middle. The most expensive firewall is Palo Alto. If a customer wants the cheapest price they should go for FortiGate. Juniper is in between these products.

From experience, we like to use firewalls from Palo Alto and FortiGate because the solution is easy to configure with a UI to execute the app. If we use Juniper firewalls, we don't really use the UI because it is not as easy as the command line interface for configuration.

The VPN is different between Juniper and Palo Alto. As far as I know, Juniper does packet inspection in their VPN. Functions like anti-spam and antivirus are running step-by-step. Once the anti-spam processing is done, it goes on to antivirus scanning. But with Palo Alto, the technology is different. It copies each packet to each function. For example, if we activate anti-spam, antivirus, and another check, Palo Alto makes three copies of each packet and inspects them in parallel. This makes the system faster, compared to Juniper. This is the biggest difference as far as I know.

Juniper is good at the routing protocol. If you want a solution to protect your environment from the internet, I would propose a firewall gateway solution but ultimately it depends on what the customer needs.

We are partnered with Juniper, so if customers ask for a firewall solution, the first solution that we pick is generally a Juniper firewall. If a customer wants a firewall other than Juniper, we offer it. Usually, we will do a firewall like FortiGate or Palo Alto, if the customer has enough money, as Palo Alto is very expensive.

The primary use case is for protecting enterprise systems.

It allows users connecting from homes, who urgently need to log into the networks through a secure tunnel without using internet IP gateway, access using a SSL.

• It is highly scalable, stable, and can be easily updated.
• It protects from distributed denial-of-service attacks, DDoS attacks, with Screen Options.
• When you design your networks, you can put SSL Inspection as a gateway to make the systems secured, like IT systems.

The GUI needs to be easier and more helpful for users who don't have security experience.

They need to add WAF management to the tool, as competitors already have it as part of their offerings. This feature is future of protecting enterprise solutions.

It is very stable, but it needs an engineer on the system while it is running to monitor for attacks and when attacks are in process.

It is easy to expand.

The technical support is good, but there is a time delay between the support and attacks.

The initial setup was straightforward, but has since become straightforward with experience.

For example, with MX (not SRX), it needs to be specific when you export or import the subnetting or addresses that you want to block or filter out of your networks. This is why it is a complex process the first time and becomes subsequently easier

You have to be aware of Linux commands, which will make you able to use this device, like exporting file, saving file, monitoring your logs, and making a new script.

Firewall for a lab environment.

Before, we were handling everything with a Vyatta server until our network became more complex.

Stability.

The device could be more user-friendly.

It is a basic firewall that we have been using for six years. It is a  good solution.

The most valuable feature is the brand itself. From a protection perspective, it provides a network perimeter security function for our company. 

We are finding that the UTM features which is required (like an antivirus or URL filtering) are not available.  We are now looking for the "Next Generation" of firewall protection. We need to be less vulnerable to attacks. 

In addition, we would really like to see an automated policy feature added. 

We use it as a firewall at our head office and branches. We use its IDS solution at the head office too.

It did not improve our safety because the IDS does not detect some attacks, but our anti-virus software did.

• Correct the bugs in the current version. 
• Help customers more with its configuration so they can feel safer.

We tried configuring the IDS for more than four months, but it did not work properly.

Our primary use case is security. The performance has been okay. It's a bit of a change from the Ciscos in terms of the configuration syntax, from the CLI perspective. We use it just as a firewall. We don't use it for routing functionality.

The Juniper was a later model, later technology than we had, more horsepower than we had before. The performance is better, but it could have been any firewall in its peer group. The improvement was because our old firewalls were, well, old. So the performance has been an improvement. And the IDS, perhaps, is a little better than what the older firewalls had.

I'm not sure what the most valuable features are. I'm not really that impressed with the technical support. I'm not really that impressed with the product, to be honest with you. Throughput seems to be okay.

The CLI is verbose. You have to say a lot to do a little. I don't like that part of it. Cisco's command syntax seems to be a good bit more concise. When you're trying to get something done, you don't want to have to type a bunch. I wish there was a quicker way to configure through the CLI. I know all the tricks of hitting spacebar etc. to finish the command, and the context tricks of going further in. But it just reminds me of an older operating system, like VAX/VMS. It's just very verbose.

Maybe this is where the Space Security Director product comes in, but we aren't quite using the Security Director in Space to its fullest yet.

It seems stable. We haven't had too many failures. We have had some but, by and large, it's been pretty stable. It's not taxed, the way we're using it.

The model we have is very scalable. It's a fairly large firewall.

I have spoken with technical support 30 or 50 times. On a scale of one to 10, I would evaluate Juniper technical support at five. It's never resolved in one call. It's always a couple of calls. We're not being passed from one department to another, it's just that they don't seem to be answering the question you give them. It's very frustrating.

I migrated it from an ASA to the Juniper. It was a fairly straightforward process. There are things that are required on the Juniper that weren't required on the Cisco, like the global address book. Things have to be on there before you can do a lot of net and the like.

You need to know what your company's strategic vision is, and then map the security part of that. I don't just mean cost-related, but the strategy for profit-related future ventures. You need to know why you want a particular firewall. Don't ignore the functions and future growth and products on the horizon from each of the vendors.

What you go with has to meet your current needs but, more importantly, is the company a going concern - meaning if they're going to get better - then how do they complement your particular industry's growth? Are they going to be there to make remote access and extranets and research easier to deliver? The product has to be configurable, with lots of options should you need to subscribe to those options.

The most important criterion, for me, when selecting a vendor is that they have to rank high in industry ratings. Juniper has just not been there. I haven't seen the 2018 reports, but year after year Juniper is not only the least visionary but one of the least in terms of performance. I also don't like the fact that they spun off their VPN to Pulse Secure. I know that's a subsidiary, but I don't necessarily want to have a separate appliance for a light-duty VPN.

I would rate Juniper at seven out of 10. It's a little harder to configure from a VPN perspective, VPN Tunnels. Their tech support is the big problem for me. I don't want to be bounced around. I don't want to get half an answer when I ask a whole question. I would take an inferior product with better tech support, without question. If I have a responsive engineering team that will fix problems when they come in, with firmware releases, etc., I'd clearly take an inferior product with that better support. It's all about function.

I probably wouldn't have chosen the Juniper in this environment. We just don't need yet another knowledge base to learn. And it doesn't fold into some of our Cisco services. For example, the assets control doesn't integrate well with the Radius servers. Something like that could be downloadable ACLs, for instance.

We use it as a perimeter firewall, data center firewall, and as VPN concentrators for some companies. It protects the data behind our switches. Our company provides the switches, like the EX-Series. 

We are an elite partners for Juniper. We use the firewall for data protection.

It has a high security implementation.

It integrates well with Fortinet and Palo Alto.

It uses many applications, like antivirus blocking and web filtering. Also, defining routing on it is very easy along with netting. The high availability of the application is good. We use the IDS and IPsec VPN features.

I would like to see endpoint control and endpoint testing security.

The GUI needs to be easier to handle.

The stability is good.

The scalability is good.

When we face problems, it is a firmware or software update. We call Juniper for support and they have a very good team for technical support. They help us a lot, then we will find the solution in the upgraded version of software of unit. 

I think there was a problem before I came to the company with Cisco and their firewall, so they decided to switch to Juniper.

It is more complex than other vendors, but we have gotten used to it. So, we find it easy to implement and deploy.

It has a low price.

We are also using Fortinet and have a partnership with Palo Alto. In addition, we are looking into a partnership with Citrix.

Cisco and FortiGate were on original shortlist.

They can use the Juniper SRX as a data center firewall. Juniper needs to focus more on their perimeter firewalls.

Our most important criteria is to look for 24-hour support, prices, partnerships, and what they offer to partners. Also, we want to know if the product can function with Juniper.