I can’t really say a firewall improves anything other than security, but we have been able to solve a lot of extranet connectivity issues with these firewalls that the bigger name devices didn’t handle so well.
It is bomb-proof, as seen by the fact that they are still in production use today. A simple, human-friendly command structure makes CLI edits and debug sessions easy and quick, and they just don’t fail.
The SRX is a different device. It is much more sensitive to unexpected power loss so we had to RMA several after unexpected site power outages. The command structure is also different so that I always need my cheat sheet when debugging on them.
The NSM is its own beast. It’s a 10 when it’s running properly and gives you all the info you need easily to make and document edits and monitor the status of devices, but keeping it running well is almost a job in itself. It doesn’t manage its own database very well and it gets slow and unresponsive, often requiring user intervention on the server backend.
Currently we use Juniper products, SSG and SRX firewalls in about a 50/50 mix both standalone and in HA clusters. We also use their NSM for device management and logging.
The SSG models are mostly EOL and are being replaced with new “Next Gen” firewalls. The SRX models will likely continue to be used internally as support will remain available for some time.
We only use the firewall and virtual router options and they do what we need:
- The firewall is easy to configure and testing shows we are blocking the threats.
- The virtual routers make this solution a one box answer for our needs and simplify our internal networking. As they are built into the devices, they allow you to move and separate traffic in a number of ways on one set of hardware.
They constitute a solid working solution that has been able to cope with any of the unique challenges that have come up.
While the OS supports a pretty full UTM option, we found in testing that the hardware was not powerful enough to run with all the bells and whistles turned on for the amount of traffic we process. So we use other hardware for those services, meaning it’s not a deal-breaker for us.
We have had no issues at all with the SSG models and the SRX model only had problems with sudden power loss occasionally.
The only issue was that the Network Security Manager (which is EOL) was sold as supporting over 125 devices. That may be true if you are just managing the configurations but once you add in monitoring and logging it’s really only happy with fewer than 40 devices, as the database grows too big to deal with and needs constant maintenance.
I would rate the technical support as average, as the calls were responded to quickly, but as usual it depends on who you happen to get on the phone that day. Some were very good; other times I had to ask for a different engineer to join the call.
This solution was in place when I started so I cannot answer this question.
The setup was straightforward and to get into a cluster consists of about ten commands. The hardest part is deciding on active/active or active/passive for your solution.
I’m not involved in the financial side of the purchase. Our buyers handle that. Support and licensing come in the usual tiers: SLA for repairs and/or options turned on in the device.
I know they left Check Point and looked at Cisco products before choosing Juniper, but that decision pre-dates my involvement.
I would say get an SSG, but they are EOL, so for the SRX make sure you have the recovery boot system configured and a way to remote console the device.
I know this sounds like a major problem but it’s not been that big an issue. We run HA and have same day replacement on them so if we lose one it’s not a major outage, just more work to do.