Educause Security Discussion mailing list archives

Re: juniper srx 3400/3600 vs. cisco asa 5580


From: Mike Patterson <mpatters () IST UWATERLOO CA>
Date: Wed, 19 May 2010 12:11:47 -0400

On 2010/05/19 10:57 AM, Michael Renne wrote:
> I am looking for advice/likes and dislikes/comparisons/comments from
> anyone with experience with either or both of these firewall models in the
> areas of software/hardware support, ease of administration, code
> complexity, available feature sets, expandability, or anything else you
> feel is pertinent, like any differences you see between Juniper and Cisco
> regardless of the equipment. Thanks for the input.

I can't speak at all to the Cisco side, but we've got several SRX-class
firewalls in production now, including a pair of clustered 3600s.  We've
had some odd problems with the 3600s, we're working with Juniper to
resolve them.  Overall, they're *tons* better than the Nokia Checkpoints
they replaced.  We have some SRX210 and 240s in production that have
been totally problem-free, and a cluster of 650s with some outstanding
annoying issues that we can live with for now - again, working with
Juniper to resolve.  Most of the issues we've had have been from our
cluster configurations - none of our standalone boxes have had any
trouble at all.

Like others have said, the web UI is nice for some things (I find visual
comparison of rollback history is much nicer in the web UI) but it's dog
slow even with 10.0R2.  CLI's where it's at for real management, and
that's one reason we selected Juniper.

One gotcha we ran into with our 3600s was they were preventing a lot of
SQL type traffic, despite policies specifically allowing it.  We tracked
it down to TCP sequence numbering; both our Oracle and MySQL instances
were generating sequence numbers in ways that the Junipers apparently
didn't like, and they would drop some of the traffic.  Disabling
sequence number checking helped.  We didn't see this with our 650s, but
those are mostly only doing NAT for our campus wireless network and we
obviously don't want production hosts running SQL through that service.  :-)

Overall our support from Juniper has been pretty good.  We had one
problem getting timely support when our 650 cluster was crashing, but
that has been resolved.  You may wish to find out which timezone your
support team would be in relative to yours; this may affect timely access.

Hope this helps,

Mike Patterson
IT Security Group
University of Waterloo

--
The secret of getting things done is to act!  - Dante Alighieri
