Educause Security Discussion mailing list archives
Re: juniper srx 3400/3600 vs. cisco asa 5580
From: Mike Patterson <mpatters () IST UWATERLOO CA>
Date: Wed, 19 May 2010 12:11:47 -0400
On 2010/05/19 10:57 AM, Michael Renne wrote:
> I am looking for advice/likes and dislikes/comparisons/comments from anyone with experience with either or both of these firewall models in the areas of software/hardware support, ease of administration, code complexity, available feature sets, expandability, or anything else you feel is pertinent, like any differences you see between Juniper and Cisco regardless of the equipment. Thanks for the input.
I can't speak at all to the Cisco side, but we've got several SRX-class firewalls in production now, including a pair of clustered 3600s. We've had some odd problems with the 3600s; we're working with Juniper to resolve them. Overall, they're *tons* better than the Nokia Checkpoints they replaced. We have some SRX210 and 240s in production that have been totally problem-free, and a cluster of 650s with some outstanding annoying issues that we can live with for now - again, working with Juniper to resolve. Most of the issues we've had have been from our cluster configurations - none of our standalone boxes have had any trouble at all.

Like others have said, the web UI is nice for some things (I find visual comparison of rollback history is much nicer in the web UI), but it's dog slow even with 10.0R2. CLI's where it's at for real management, and that's one reason we selected Juniper.

One gotcha we ran into with our 3600s was they were preventing a lot of SQL-type traffic, despite policies specifically allowing it. We tracked it down to TCP sequence numbering; both our Oracle and MySQL instances were generating sequence numbers in ways that the Junipers apparently didn't like, and they would drop some of the traffic. Disabling sequence number checking helped. We didn't see this with our 650s, but those are mostly only doing NAT for our campus wireless network and we obviously don't want production hosts running SQL through that service. :-)

Overall our support from Juniper has been pretty good. We had one problem getting timely support when our 650 cluster was crashing, but that has been resolved. You may wish to find out which timezone your support team would be in relative to yours; this may affect timely access.

Hope this helps,

Mike Patterson
IT Security Group
University of Waterloo

-- 
The secret of getting things done is to act! - Dante Alighieri
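As an added illustration (not code from the thread, and not Junos code), here is a simplified Python model of the stateful TCP sequence-number check Mike describes: the firewall learns the initial sequence number from the handshake, and a later segment whose sequence number falls outside the expected receive window is dropped even though policy permits the flow; with the check turned off, the same segments pass. The hosts, ports, window size and sequence numbers are constructed, and only one direction of the session is tracked to keep the model short.

```python
WRAP = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(expected: int, window: int, seq: int, length: int) -> bool:
    """True if [seq, seq+length) overlaps the receive window [expected, expected+window).

    Distances are computed modulo 2**32 so wrap-around is handled correctly.
    """
    start_off = (seq - expected) % WRAP
    end_off = (seq + max(length, 1) - 1 - expected) % WRAP
    return start_off < window or end_off < window


class StatefulFirewall:
    """Toy stateful firewall: one tracked direction per session, optional seq check."""

    def __init__(self, sequence_check: bool = True):
        self.sequence_check = sequence_check
        self.sessions = {}  # (client, server) -> {"expected": next seq, "window": size}
        self.log = []

    def syn(self, client: str, server: str, isn: int, window: int) -> None:
        # Session is created on the handshake; the SYN consumes one sequence number.
        self.sessions[(client, server)] = {"expected": (isn + 1) % WRAP, "window": window}

    def segment(self, client: str, server: str, seq: int, length: int) -> bool:
        """Return True if the segment is forwarded, False if dropped."""
        s = self.sessions.get((client, server))
        if s is None:
            self.log.append(f"DROP no-session {client}->{server}")
            return False
        if self.sequence_check and not seq_in_window(s["expected"], s["window"], seq, length):
            self.log.append(f"DROP out-of-window {client}->{server} seq={seq} expected={s['expected']}")
            return False
        if seq == s["expected"]:
            s["expected"] = (seq + length) % WRAP  # in-order data advances the window
        self.log.append(f"PASS {client}->{server} seq={seq} len={length}")
        return True


def demo(sequence_check: bool):
    """Constructed scenario: two in-order segments, then two far outside the window."""
    fw = StatefulFirewall(sequence_check)
    fw.syn("app:40000", "db:3306", isn=1000, window=65535)
    results = [
        fw.segment("app:40000", "db:3306", seq=1001, length=100),             # in order
        fw.segment("app:40000", "db:3306", seq=1101, length=200),             # in order
        fw.segment("app:40000", "db:3306", seq=500_000_000, length=50),       # far ahead
        fw.segment("app:40000", "db:3306", seq=(1001 - 1_000_000) % WRAP, length=50),  # far behind
    ]
    return results, fw.log
```

On Junos the corresponding knob is `set security flow tcp-session no-sequence-check`; the check is what keeps blind injected or RST segments out of established sessions, so correcting the hosts' behaviour is preferable to disabling it fleet-wide.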