Juniper SRX vs. Palo Alto Networks Next-Generation Firewalls - PA Series

SRXs seem to be well suited at the enterprise level for plain routers, firewalls, and IDP/IDS. They work well on MPLS and Ethernet, including Internet. I have 3 SRXs also performing edge duty, with 2 in a high availability (HA) cluster. The Juniper line of SRXs provides a good range of scaling from small business to extremely large enterprise. Wire speed is a common comparison factor and Juniper shines in that area.

Incentivized

Anywhere where high performance and application-specific rules are necessary would be a great fit. Palo Alto NG firewalls are exceptionally well suited to doing application-based rules, rather than service-based rules, although they can still easily do those. The cost might make it less well-suited for smaller installations or where the more complicated setup procedures are too much for a user with limited proficiency to handle.

Incentivized

• Edge Device (Tunneling & Routing)
• Routing Instances
• Zone Based Firewall
• L3 Gateway/Vlan termination
• DHCP Server & DHCP Relay
• Good support community & Good available documentation
• Good support by the Vendor

Incentivized

• The PA handles VPN connectivity without missing a beat. We have multiple VPN tunnels in use for redundancy to cloud-based services.
• The PA has great functionality in supporting failover internet connections, again with the ability to have multiple paths out to our cloud-based services.
• The PA is updated on the regular with various security updates, we are not concerned with the firewall's ability to see what packets are really flowing across the network. Being able to see beyond just IP and port requests lets you know things are locked down better than traditional firewalls.
• It is a great overall kit, with URL filtering and other services that fill in the gaps between other solutions without breaking the bank.

Incentivized

• My only real criticism of the product is that it's hard to figure out how to upgrade the firmware from the CLI via TFTP via the docs, but it works great once you get it sorted.

Incentivized

• The interface is a little complicated at first. This is common for all firewall products I've used but Palo Alto could definitely update the UI.
• Firewall rule audits are cumbersome. I have been using third-party tools to assist with the management. It would be great if Palo Alto could build out this functionality within Panorama.
• Best-Practice Assessment (BPA) is not well advertised. These are very useful but require reaching out to your rep. Palo Alto should look at automating this and building it into QBR touchpoints with their customers.

Incentivized

The PA5220s have far exceeded what we have expected out of them. It was a bit of a learning curve coming from another vendor, but everything falls into place now with ease. The capabilities of the solution still surprise us, allowing us to remove other costly hardware and providing a single point of management needed

Incentivized

PA Series firewalls provides good value for the price spent on them. Specially the 3K and 5K series devices contains hardware which keeps the management access smooth even during the peak hours of data traffic. The next gen firewall filtering services does function well (except for some bugs).

Incentivized

This is the one area where I have a beef with Juniper. When I called into Cisco TAC, 90% of the time, the first person I spoke with was able to resolve my issue. With Juniper TAC, 90% of the time, the first person I speak with is not able to resolve my issue, seems to almost be reading from a script, and must escalate my ticket. All of which takes time.

Incentivized

We've run into a couple undocumented bugs, but that seems to happen with every brand and technology. Any time we've had to engage Palo Alto support they've always been professional, knowledgeable and prompt. In almost all cases we've been able to resolve our issues without having to escalate our tickets.

Incentivized

Juniper SRX stands tall compared to all these products for Large Service Provider Networks, where traffic volume is larger. Also, cost comparison with SRX's few other products can also be another contributing factor while selecting this. As well as Juniper Routers, Switches, and multiple products from the same vendor to maintain one single vendor environment. As well as Juniper Support is also really good.

We are using Cisco ASA before in our environment but when it comes to deep scanning & layer 7 security it doesn't have that capability. After using Palo Alto Networks Next-Generation Firewall we are using sandboxing & advance malware protection that provides high-level end-user security. Also after implementing it we can easily monitor user-level traffic.

Incentivized

• It is a workhorse for our field operations. It provides the last touch for an ISP to the customer. The customer has no view of the device, but with the repeatability of the device, they do not need to.
• The ability to roll out a dynamic routing protocol attached to a security zone allows elasticity to the environment that supports growth.
• VLAN support on the inside interfaces allow this to be the only device in some smaller deployments we install these in.

Incentivized

• We used to outsource our Firewall and it's management. Not only did we find their SLA's to be lacking, in general, but communication between us was horrible. Many times we could not understand them and that resulted in less than desirable rule creation or troubleshooting.
• Since we no longer have to pay a company for 24/7 management (and SLOW SLA's) we are saving a ton of money each year. Also our fellow employee's are much happier that things can be resolved in a timely manner.

Incentivized