[j-nsp] Using SRX's for BGP and Firewalling

Keegan Holley keegan.holley at sungard.com
Tue Nov 9 05:04:10 EST 2010

On Tue, Nov 9, 2010 at 4:01 AM, Maqbool Hashim <mhashim at ntsuk.co.uk> wrote:

> Hmmm, that’s interesting.  There were two reasons why I was considering the
> SRX's over the SSG's for this setup.
> 1) I had thought that the routing functionality in JunOS would be more
> mature than in the SSGs.

I think it depends on what mode you put the device in.  If you want stateful
firewall my guess would be that the SSG code is more stable.  If you put it
in packet mode you essentially have a glorified EX switch which can't really
be compared to the SSG in terms of maturity/stability.

> 2) Getting more experience with JUNOS and the SRX's as JUNOS might be the
> one platform for Juniper going forwards.

It depends on your needs. There definitely are some places I would use them
and places I wouldn't.

> I think we will still go for the SRX's in this case especially as they seem
> to offer better value for money in features and performance.

The performance is actually pretty good as well as the number of features it
can support.  It just depends on your design criteria.

-----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:
> juniper-nsp-bounces at puck.nether.net] On Behalf Of Michel de Nostredame
> Sent: 08 November 2010 22:30
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Using SRX's for BGP and Firewalling
> On Mon, Nov 8, 2010 at 10:54 AM, Keegan Holley <keegan.holley at sungard.com>
> wrote:
> > One of the things that turned us off to the SRX series was the fact
> > that code upgrades have to be done on both firewalls if you run them in
> HA mode.
> >  That's kind of a big deal if you want hitless upgrades or there are
> > issues with the upgrade itself.  BGP is one of the main reasons to use
> > a juniper fw over a cisco in some designs, but I find myself liking
> > the SSG/Netscreen code better for now, even though Juniper has stated
> > that they plan to move everything to JunOS.
> This is the reason we still stay in ScreenOS on all of our SSG and continue
> to buy SSG boxes. From our experience that ScreenOS on SSG is much stable
> and mature compares to JUNOS on SRX, if we don't take hardware performance
> into consideration.
> Don't know why Juniper is so keen on adapting everything to JUNOS. It only
> break stable things, from a small customer point of view.
> If the JUNOS CLI is that good and important (be honest, it is very good
> from our point of view) why not just add a shell in ScreenOS that accepts
> JUNOS CLI style statements?
> --
> Michel~
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> ----------------------------------------------------------------------
> This e-mail and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you are not an intended recipient, please delete this e-mail immediately
> and notify NTS(UK) Ltd on 0844 815 5925
> This e-mail does not necessarily reflect the Company's opinion and should
> not be interpreted as such.
> This message was scanned by Proofpoint Protection Server - please contact
> NTS for further information.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list