What is the advantage of SRX over NetScreen?

  • Hi,
    How is the SRX product placed in the network infrastructure compared to NetScreen firewalls (NS or ISGs)?
    I am aware that SRX has higher throughput and runs Junos, but what are the real advantages?

  • I am very concerned about these SRX’s also….and damned if I don’t have 4 of them sitting here that need to be deployed ASAP…really liking ScreenOS right now…haha

    Oh well, I think I better learn it if I’m going to continue with Juniper devices.

    What I’ve found is that they require a lot of trial and error to get up and running, even simple things like connecting to and managing the device. Depending on the JUNOS release, the instructions from Juniper are far from accurate, i.e. no DHCP server, interfaces not assigned to trust or untrust as they should be.

  • We just recently got two SRX 650s as gateway routers and an SRX 210 for a remote office, and it looks like they already moved many of the ScreenOS features into Junos.

    Junos supports zoning and screening as prevention mechanisms. It would not surprise me to see them moving all the firewall functionality from the ISG/SSG line into the Junos code. NetScreen made really good firewalls; putting it into Juniper hardware with the same universal OS seems to be the next logical choice.

    I personally am a little leery, too, because the devices are sold as an “it’ll do whatever you want” type of appliance, and it remains yet to be seen how well they will function as routers/firewalls in higher throughput areas. However, this is Juniper and in my experience they have (for the most part) delivered on their promises.

  • The J-Series and SRX-210 should already have the ALGs supported in 9.5; support on the high end would be soon… Check for updates from your local Juniper sales.

  • Hi,
    Thanks for all your replies.
    I also found that the SRX will be replacing the SSG series, plus the SRX will be much cheaper compared to a similar-spec SSG. I am only worried about Junos. I already have configuration issues with the Junos enhanced services. I mean the learning curve to do stuff like PBR etc. It was easy in ScreenOS but I'm not sure about Junos ES.

  • Hi,

    Please note that besides all the good stuff coming with running JUNOS, there are also some downsides.

    First of all, the ALGs available in ScreenOS are not all available in JUNOS (yet).

    Another thing to notice is that in JUNOS the control plane is separated from the forwarding (traffic handling) plane. This is a good thing, but a consequence is that logging is done by the control plane. For routers this was never a problem apparently, but with lots of logging on firewall rules, you can run into the limitations which are set on the logging daemon. You can solve it partially, but you will need to sacrifice a dedicated interface for the logging.

    Although Juniper keeps stating it sees a future for ScreenOS, it might be a good moment to invest in some JUNOS knowledge 😉

  • Hi Haze,

    The NetScreen is using ScreenOS, whereas all other enterprise products like routers and switches are running Junos, whose CLI is very easy to use. SRX is a newer version of firewall running Junos code in it. It has major routing enhancements that NetScreen doesn’t have, including support for IS-IS, and MPLS in the road map for terminating MPLS Layer-3 VPNs in it.

    The NetScreen IPS functionality is not full-fledged IPS, whereas the SRX has complete IDP functionality in it, just like the Juniper IDP appliance, without requiring any hardware module for it. It comes inbuilt with it. One just needs a license for updated signatures in it.

    SRX has also crossed benchmarks of providing 160Gbps of firewall throughput, the fastest firewall today.

    Very soon Juniper will be encouraging customers to move to SRX, and for new buys of course they will be pushing SRX more than NetScreen.

    Almost most of the NetScreen models except the ISG series are end of sale. You can find more information about SRX on juniper.net