[j-nsp] NSM API resources with SRX

Ben Dale bdale at comlinx.com.au
Mon Jan 23 15:25:22 EST 2012


So my thoughts on managing SRXs with Space:

- Using the base platform, configuration templates and general Junos configuration pushing, it seems to be reasonably stable, and once you wrap your head around the workflow for templating it is really quite straightforward (though documentation could be better).

There are a couple of niggling issues I've come across regarding configuration merges vs. overrides, but on the whole it seems a lot better suited to the Junos way of doing things than NSM is.  

There is also the unbeatable price of free as long as you maintain an active support contract on your devices.

- Security Design (SRX-specific security policy management application) has had a major overhaul in Space 11.4, but I think it still has a way to go yet.  

As it stands today, you can't import security policy from already deployed SRXs into Security Design, so for existing sites, this is a bit of a pain.

If you're greenfield with Space though, this might not be such a problem.

Configuration is quite basic, covering security policy, NAT and IDP only and I don't think support for LSYS has been included yet either, so keep that in mind.

Licensing for SD is device-count based, but Juniper give you access to a full-featured trial version so you can try-before-you-buy.

On 24/01/2012, at 4:49 AM, Misha Gzirishvili <misha.gzirishvili at gmail.com> wrote:

> Agree with Pavel about nsm,
> Have a question about SPACE, Is it better to manage SRXes with space? Have
> not tried space yet.
> On Jan 23, 2012 11:04 AM, "Pavel Lunin" <plunin at senetsy.ru> wrote:
> 
>> Only thing I can say is SRX managed with NSM (manually) is a total mess,
>> much like any other JUNOS device.
>> 
>> To be honest, I don't see much reason to automate SRX management via NSM
>> except some specific cases of existing NSM infrastructure already automated
>> for hundreds of ScreenOS/IDP and a couple of JUNOS devices needed to be
>> added. JUNOS has enough of well documented XML API to automate the process
>> without NSM. NSM can be set in parallel if needed.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 