Juniper SRX vs. Palo Alto Networks Next-Generation Firewalls - PA Series

SRXs seem to be well suited at the enterprise level for plain routers, firewalls, and IDP/IDS. They work well on MPLS and Ethernet, including Internet. I have 3 SRXs also performing edge duty, with 2 in a high availability (HA) cluster. The Juniper line of SRXs provides a good range of scaling from small business to extremely large enterprise. Wire speed is a common comparison factor and Juniper shines in that area.

Incentivized

It is well-suited for a company needing strong edge security with ease of administration. It comes standard with many features such as VPN, Application ID and "Day-1 Config" that make the networks it protects secure from the very start. Palo is definitely a premium product and is much more expensive than other firewalls, but the value is realized immediately. The robust options for firewall rules/policies allow the administrator to apply security in new and creative ways to hit the sweet spot between security and usability.

Incentivized

• Edge Device (Tunneling & Routing)
• Routing Instances
• Zone Based Firewall
• L3 Gateway/Vlan termination
• DHCP Server & DHCP Relay
• Good support community & Good available documentation
• Good support by the Vendor

Incentivized

• The PA handles VPN connectivity without missing a beat. We have multiple VPN tunnels in use for redundancy to cloud-based services.
• The PA has great functionality in supporting failover internet connections, again with the ability to have multiple paths out to our cloud-based services.
• The PA is updated on the regular with various security updates, we are not concerned with the firewall's ability to see what packets are really flowing across the network. Being able to see beyond just IP and port requests lets you know things are locked down better than traditional firewalls.
• It is a great overall kit, with URL filtering and other services that fill in the gaps between other solutions without breaking the bank.

Incentivized

• My only real criticism of the product is that it's hard to figure out how to upgrade the firmware from the CLI via TFTP via the docs, but it works great once you get it sorted.

Incentivized

• Setting up certain things can be somewhat complicated due to the numerous options and abstractions involved.
• It would be nice to have somewhere to get simple canned reports easily.
• It would be nice to be able to remove options we never use from various setup dialogs.

Incentivized

The PA5220s have far exceeded what we have expected out of them. It was a bit of a learning curve coming from another vendor, but everything falls into place now with ease. The capabilities of the solution still surprise us, allowing us to remove other costly hardware and providing a single point of management needed

Incentivized

It can be a little tricky at first if you have never used the product or a firewall before. If you have experience with firewalls in general, it does not take long to learn the Palo Alto Networks Next-Generation Firewalls - PA Series interface. They offer great training resources and knowledge base articles to help get up to speed.

Incentivized

This is the one area where I have a beef with Juniper. When I called into Cisco TAC, 90% of the time, the first person I spoke with was able to resolve my issue. With Juniper TAC, 90% of the time, the first person I speak with is not able to resolve my issue, seems to almost be reading from a script, and must escalate my ticket. All of which takes time.

Incentivized

We've run into a couple undocumented bugs, but that seems to happen with every brand and technology. Any time we've had to engage Palo Alto support they've always been professional, knowledgeable and prompt. In almost all cases we've been able to resolve our issues without having to escalate our tickets.

Incentivized

Juniper SRX stands tall compared to all these products for Large Service Provider Networks, where traffic volume is larger. Also, cost comparison with SRX's few other products can also be another contributing factor while selecting this. As well as Juniper Routers, Switches, and multiple products from the same vendor to maintain one single vendor environment. As well as Juniper Support is also really good.

We are using Cisco ASA before in our environment but when it comes to deep scanning & layer 7 security it doesn't have that capability. After using Palo Alto Networks Next-Generation Firewall we are using sandboxing & advance malware protection that provides high-level end-user security. Also after implementing it we can easily monitor user-level traffic.

Incentivized

• It is a workhorse for our field operations. It provides the last touch for an ISP to the customer. The customer has no view of the device, but with the repeatability of the device, they do not need to.
• The ability to roll out a dynamic routing protocol attached to a security zone allows elasticity to the environment that supports growth.
• VLAN support on the inside interfaces allow this to be the only device in some smaller deployments we install these in.

Incentivized

• We used to outsource our Firewall and it's management. Not only did we find their SLA's to be lacking, in general, but communication between us was horrible. Many times we could not understand them and that resulted in less than desirable rule creation or troubleshooting.
• Since we no longer have to pay a company for 24/7 management (and SLOW SLA's) we are saving a ton of money each year. Also our fellow employee's are much happier that things can be resolved in a timely manner.

Incentivized