[j-nsp] SRX Reliability

Clay Haynes chaynes at centracomm.net
Wed Jun 12 16:35:08 EDT 2013


On 6/12/13 2:10 PM, "Paul Stewart" <paul at paulstewart.org> wrote:


>
>
>On 2013-06-12 1:18 PM, "Brent Jones" <brent at brentrjones.com> wrote:
>
>>On Wed, Jun 12, 2013 at 5:41 AM, Andrew Gabriel <mailandrewg at gmail.com> wrote:
>>
>>> On Wed, Jun 12, 2013 at 3:58 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>>
>>> > We recently evaluated an SRX 3600, and modulo some minor cosmetic bugs and
>>> > one major one (PSN-2012-10-754, fixed in later software) they seemed solid
>>> > to me. We tested IPv4 & IPv6 layer4 firewalling, AppFW, dynamic routing
>>> > with BGP and multicast. It all seemed to work ok, and we have gone ahead
>>> > and purchased.
>>> >
>>> > It might help if you could specify what sort of things you want to do on
>>> > them e.g. IPsec, IDP, inline AV/web filtering (which the 3000s can't do)
>>> > and so forth.
>>> >
>>>
>>> Hi Phil,
>>>
>>> Thanks, we are mainly looking at basic FW, VPN, and routing capability,
>>> which we need to be rock solid. We do not intend to use the IPS and UTM
>>> type features at the moment.
>>>
>>> Thanks,
>>> -Andrew.
>>>
>>>
>>>
>>>
>>We have several sets of SRX1400s in chassis cluster, plus dozens of SRXs
>>from SRX100s up to SRX240s throughout various offices.
>>We've had minor bugs here and there, but they get resolved through code or
>>workarounds, no more bugs than other vendors really.
>>Early on, yes, pre-10, tons of bugs, but 10.4 and greater are solid.
>>We do various NAT, FW, VPNs, routing instances, etc, no issues to report.
>
>I'd echo Brent's comments above - we have just over 120 SRXs in
>deployment currently and have very few issues.  Make sure you size them
>appropriately to the task if using UTM.  Yes, as mentioned, before 10.x
>there were a lot of issues but we mainly deploy now at 11.4 and they are
>solid.
>
>
>Paul



I echo the same sentiments as everyone else too. If there is a problem,
JTAC and ATAC are very good at narrowing down the issue and finding
workarounds. The CLI is absolutely top-notch compared to other vendors,
especially ScreenOS. If you are looking for a good WebUI, you may want to
look at Space instead of the actual WebUI on the SRX.

If you're coming from ScreenOS, there are some learning curves for VPN
tunnels, NAT policies (NAT is separate from the policy), and things such
as GRE Tunnel keepalives (look at RPM Monitors - they're awesome!).

Hit me up off list if you have any questions.



