topic Cisco ASA vs Juniper SRX in Network Security

Cisco ASA vs Juniper SRX

scottrad666 — Mon, 11 Mar 2019 21:30:45 GMT

Hi All

Not sure if this is the correct forum for this thread....

I am working for a consultancy firm and we are under increasing pressure from various customers to use Juniper SRX's in place of Cisco ASA equivalent due to cost. The ASA is a great product, and I enjoy working on them far more than the SRX, but it's over twice the cost once licensing is factored in than the SRX.

Just wondering how other members of the community are dealing with this situation, and if Cisco will compete head to head with Juniper on price and features. (or will I have to dust off the books and get the JNCIE cert, boooo!)

Regards

Andrew Radford

CCIE 16499

Cisco ASA vs Juniper SRX

James Gunnarson — Tue, 27 Sep 2011 20:32:41 GMT

Andrew,

That is a great question. I am now in a Cisco shop and came from a 3COM to Cisco to Juniper shop and now I am pushing Juniper. The main factor, features, managability, and cost. Quotes I have received for a comparable solution are $50K for Cisco and $7K for Juniper. However the Cisco solution is still not comparable as far as bandwidth/throughput/features are concerned. The technical comparable solution from Cisco would be well above $75K half of which is licensing. What you have to remember though is the SRX is a great device however it is not an all in one solution for most medium to large environments. I would recommend not implementing Antivirus/Web/SPAM filtering on a single SRX and utilize other solutions as they are resource/bandwidth intensive. Cisco does provide a great product but they are way over priced for old technology. I had a conversation with a Cisco Engineer a week ago about moving to Juniper. The first thing out of his mouth was you know you wont be able to do certain things if you move to Juniper. What he meant was you wont get the Cisco Propriatary features. What I didn't say was if I wanted to use the features I could only use them with other Cisco products. Same thing went when we were looking a a VOIP vendor for our Call Center. The told us up front if we wanted to use their VOIP software/systems we would have to run them on their Cisco Blades. Let me tell you that was a quick conversation. Your customers have seen the benefits and quite frankly are right. I could go on and on and a Cisco guy would come up with all kinds of excuses on why they are better. If you were going to lose a customer wouldn't you do what you could to keep them?

You will find that moving to Juniper is well worth the effort. Naturally the big name is not always the best and every vendor has their flaws.

Jim

Cisco ASA vs Juniper SRX

scottrad666 — Wed, 28 Sep 2011 12:59:15 GMT

Thanks Jim

Does seem Cisco is loosing ground to Juniper in the small to mid range arena. We are looking to now become a multi vendor Cisco & Juniper consultancy just to stay competitive.

Will have to dig out those Juniper books then 😞

Regards

Andrew

Cisco ASA vs Juniper SRX

James Gunnarson — Wed, 28 Sep 2011 13:06:47 GMT

Juniper has taken some of the small to mid range area and still has quite a bit of the large ISP/Teclom sector. Good choice on becoming a multi vendor company. It makes sense. No need to dig out the books. Juniper offers free certification training on their website. Below is a link. They have a IOS to JUNOS course that is really good. I think you will find that JUNOS is much easier to navigate once you get the syntax down. It really isn't much different, it just makes more sense.

http://www.juniper.net/us/en/training/fasttrack/

Jim

Cisco ASA vs Juniper SRX

scottrad666 — Wed, 28 Sep 2011 13:26:04 GMT

Cheers Jim, will tak a look for sure.

I have used the SRX a bit, its like anything I guess, fine if you know it. At least i will understand all the technologies, just the syntax changes.

I must be getting old as I find it hard to get excited about learning about another Vendor other than Cisco!

old habbits eh....

Regards

Andrew

Cisco ASA vs Juniper SRX

juan-ruiz — Mon, 24 Oct 2011 15:56:11 GMT

Hi Guys,

I think this thread is awesome and I work a lot with Juniper and Cisco and I need to add my comments on both.

1. Juniper offers many more configuration features that ASA does not. Not only can you firewall but you have full routing features and protocols so you can do a lot with that combined feature set that you can't with Cisco

2. In my experiences with Juniper SRX I have had more downtime with their product due to bugs than I have with Cisco ASA

3. Cisco ASA is fast quick and very stable to deploy while SRX requires a lot more configuration to accomplish the same as the ASA.

4. Juniper has full blow virtual routing capabilities that again are more of a routing function while the ASA can’t really perform the routing that the SRX can.

5. Jtac and Cisco tac: I have had to escalate my case in JTAC many times to the highest level engineer while in Cisco TAC I barely have to escalate as most issues get resolved on the spot when it gets to this level.

In a nutshell the uptime and reliability/Vendor support has been higher and better on the Cisco ASA than the SRX but the capabilities and flexibilities have been more available on the Juniper SRX from a routing / firewall perspective not including any UTM features or IPS.

These are my thoughts as I have to manage both technologies in many different environments as a consultant.

Cisco ASA vs Juniper SRX

Tadiran-Telecom TBSI Support — Thu, 08 Mar 2012 10:25:46 GMT

spot on.

Cisco ASA vs Juniper SRX

ScorpionSting — Sun, 29 Apr 2012 03:08:21 GMT

Very helpful forum thread!

Was just investigating whether to upgrade ASA5505 to 5510 or jump to Juniper SRX210 now that my ISP provides actual High Speed Bandwidth...

I saw the cost difference, but nice to hear from those who have worked extensively with both and provide nice non-bias opinions

Cisco ASA vs Juniper SRX

scottrad666 — Mon, 30 Apr 2012 15:02:10 GMT

Hi Ben

I have been working with the Juniper SRX series for some 7 months now and am now pretty confident on the CLI, so would like to think I am less biased than I was when I begun this discussion!

Must say I have warmed to the Juniper, and now recommend it to customers when price/performance is a sticking point.

I still find it quicker to configure the Cisco ASA and I find the Juniper GUI too clunky so I stick with the CLI (which I think is more logical than Cisco IOS)

Will be interesting to see what happens with the Cisco/Juniper race now Cisco have released the ASA-5500-X series firewalls that do appear to complete performance wise (but not price) with the Juniper equipment.

Personally I am going to sit on the fence and enjoy both vendors technologies.

Regards

Andrew Radford

CCIE 16499

Cisco ASA vs Juniper SRX

juan-ruiz — Mon, 30 Apr 2012 15:39:57 GMT

I think having a good working knowledge of both is a major asset to anyone in this field so if you have the chance dive in and enjoy it but if you are really looking for feature to provide to the business over self knowledge then I suggest it if you need some major robust routing capabilities like virtual routing tables or running BGP right at the internet edge then go Juniper, if it’s just basic firewalls and VPN stay with ASA and don’t rock the boat.

Other highlights to mention about the SRX and ASA:

1. SRX can keep local copies of the configuration on the hard disk up 49 rollbacks so if you keep good track of changes then you can roll back to a specific one without much work
2. Cisco ASA you need to restore from backup or keep the rollback as a manual process not part of the system feature set but using a good tool like kiwi cat Tools you can be fine.
3. Restricting local access to the firewall on SRX requires firewall filters and not so easy to configure at a glance unlike the netscreen with the manager IP configuration
4. Restricting local access to the firewall on ASA is a snap configured at the management protocol level
5. SRX has a nice system restore point feature that if all else fails you can restore to that point
6. ASA does not
7. SRX has a nice feature to allow a service to be restarted without having to restart the firewall for example a VPN issue
8. ASA does not a reboot is required
9. SRX runs two operating system free BSD and JUNOS
10. ASA does not to the best of my knowledge so it is easier from an OS to debug and troubleshoot and does not require special access to any other place but the ASA OS itself
11. SRX does a great job with all types of NATS
12. ASA on 8.3 and great has added many nice NAT feature
13. SRX is a zone based firewall which is a handy feature for a busy SRX with a lot of interfaces or sub interfaces
14. ASA does not support zones to the best of my knowledge
15. SRX Ip gateway monitor requires an external script to run
16. ASA has a nice IP gateway monitor built in (IP SLA)

There are a ton more features to compare but here are some.

I work with both and enjoy them a lot and surprisingly enough the JUNOS is very easy to use and fun once you get familiar with the basics of navigation from the different configuration stanzas. I would not replace the ASA unless I needed some major robust routing at the edge or I had a firewall deployment that required many zones to firewall.

Cisco ASA vs Juniper SRX

Marvin Rhoads — Mon, 30 Apr 2012 15:41:07 GMT

I too have used both ASA and SRX. I have found the ASA to be more stable code-wise. That is, you generally upgrade ASAs for new features - not to fix things that just plain don't work (bugs).

I'm not saying the ASA is bug-free but I have seen SRXs fail to do basic things (broken ALGs, memory leaks, and failover issues to name the ones that come to mind) and the JTAC confirmed a bug and had us upgrade - 2 to 3 times in some cases.

I echo the experience that when you do need help with an ASA the Cisco TAC is far superior - first level support can answer my question 9 times out of 10 (or more) and it's usually my poor understanding of a certain feature that's the issue. JTAC cases always seemed to end up needing escalation and then more often than not ended up with a need to upgrade the JunOS. This is mirrored in the larger community - there is 10 times the knowledge base and community for ASA vs. SRX.

The SRX is not an awful box - it can do the routing as noted and JunOS indeed has some nice benefits over the monolithic ASA software. They do cost less but to some extent you get what you pay for (and to some extent Cisco's price point is too high). If you could perhaps take half that cost savings and invest it in your staff getting their Juniper certification training, it might be worth your while. Alas corporate accounting seldom accounts for anything like that.

Hope this helps.

Cisco ASA vs Juniper SRX

johng231 — Mon, 09 Jul 2012 19:47:47 GMT

Hello

We are thinking of deploying a Datacenter firewall in our environment. We are primarily a Cisco shop with ASA 5500 series firewalls. We are demoing the Juniper SRX 3600 FW in a lab using it as an active/standby clustering model. The only feature I don't like is managing the security policies. They force you to use the address book to name all of your subnets or /32 hosts rather than specifying them on the policy as a number. I preferred to have this be an option.

The reason we are looking at Juniper SRX is purely for the routing and state full firewalling. The SRX gives you a separate routing engine and it has a lot more routing features. They have more 10GIG port interfaces than the ASA, which allows us to scale up into future environments.

Would anyone recommend using the SRX instead of the ASA as a DC FW in what I just described to be our scenario here? Or is there an ASA product that can match the routing capabilities along with state full firewalling along with plenty of 10GIG interfaces?

Cisco ASA vs Juniper SRX

juan-ruiz — Wed, 11 Jul 2012 14:49:43 GMT

I think the SRX are awesome and feature rich especially with routing and virtual router but know your stuff as you can burn a lot of hours with support. Have you considered a Cisco firewall service module for the 6500 and get full routing, security and the 10G you’re looking for?

Cisco ASA vs Juniper SRX

jesse.fields — Thu, 12 Jul 2012 22:10:10 GMT

Unless I am missing something, I don't think the FWSM is a good long-term investment based on this:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/eol_c51-699134.html

No VPN capabilities and routing is limited. They do provide basic firewall features very well in places where a large number of interfaces and/or contexts are needed.

I am looking to deploy the SRX3600 in a datacenter environment over the ASA-5585 series. The price, scale and flexibility is hard to pass up. I agree Cisco TAC is awesome in most cases, but awesome support on a device that doesn't meet my needs isn't really that awesome in this case.

Cisco ASA vs Juniper SRX

johng231 — Fri, 13 Jul 2012 18:33:15 GMT

We want to place the DC firewall at our core layer (Nexus 7K) to separate users/WAN traffic from servers. There is no FWSM yet for the Nexus that I'm aware of and if there was, I wouldn't use it. That's assuming all of your routing is happening at the core for each of your environments.

Also, the ASA can't perform BGP routing. We're debating running BGP vs OSPF in the core. Right now we're using EIGRP as our IGP. If we go Juniper SRX, it would be either BGP or OSPF. Can the ASA run full OSPF routing at your core layer? If so, is anyone using dynamic routing on the ASA? I never seen any marketing docs on Cisco that show ASA doing full OSPF routing with x number of supported routes.

Cisco ASA vs Juniper SRX

Ramraj Sivagnanam Sivajanam — Tue, 17 Jul 2012 19:36:04 GMT

Hi Bro

As you know, Cisco ASA can run OSPF, but the OSPF features are not as widespread, compared to those Cisco IOS equipment. For example, the Cisco ASA doesn’t support more than one OSPF routing process.

However, you must realize that Cisco ASA wasn’t built to do extensive routing, as its’ primary role. Cisco ASA was built to do far-reaching Firewalling, IPS and VPN (with the inclusion of the SSM modules). Even though the OSPF features are there in a Cisco ASA, but I’m sure Cisco will not position Cisco ASA as a total routing product, if you know what I mean 🙂

P/S: If you think this comment was helpful, please do rate it nicely 🙂

Cisco ASA vs Juniper SRX

walleed222 — Tue, 19 Nov 2013 09:08:59 GMT

I want to add to this nice discussion one advantage to ASA over SRX and one for SRX over ASA :

actually SRX GUI is very slow ,juniper has GUI problems before on SSG and look like it is same with SRX , ASA ASDM is very nice and stable and have nice logging and tracking options
ASA still not supporting IPsec VPN over virtual interfaces and GRE also , and those tow features are supported on SRX

So it depends on what your

slicerpro — Wed, 05 Aug 2015 21:16:14 GMT

So it depends on what your deployment is. If you are a large ISP/service provide, I have worked for many, I don't know of any that prefer an ASA over an SRX. When it comes to performance and throughput, there is just no debate to be had.

Now when It comes to buggy code, you run into issues only if you are always upgrading to the latest. Stay 2-3 versions behind and you won't have those.

If you are an SMB, then you have to strike a balance between price and some features and license bundles, some of which you might not need.

Also when It comes to Jtac/tac comparisons, working in isp/service provider environment, I have had to escalate for both in almost equal measure.

As engineer, we shouldn't recommend one over the just because we are more comfortable configuring it, the actual capabilities and value to the customer should matter.

I think so far no one has

Tagir Temirgaliyev — Sun, 08 Nov 2015 13:29:30 GMT

I think so far no one has made the real comparison measurement bandwidth of asa and srx and palo-alto too

Re: Cisco ASA vs Juniper SRX

tsubakaran — Wed, 11 Apr 2018 13:19:27 GMT

Most important point - SRX/JunOS, well structured cli language that is missing in the ASA cli.
commit confirm - great feature for the short time commitment feature that is not available in ASA firewalls.
show | compare - easy to understand, what you add/remove in the cli - not at all in the ASA, changes going to running config ASA.
ASA5506 - you can't setup and use few ports in a vlan to act like a switch , it is still available in SRX firewalls.
I love Cisco, .. but srx was very impressive when configuring.