71759 Views, 73 Helpful, 19 Replies

Cisco ASA vs Juniper SRX

scottrad666 (Level 1)

Hi All

Not sure if this is the correct forum for this thread....

I am working for a consultancy firm and we are under increasing pressure from various customers to use Juniper SRXs in place of the Cisco ASA equivalent due to cost. The ASA is a great product, and I enjoy working on them far more than the SRX, but it costs over twice as much as the SRX once licensing is factored in.

Just wondering how other members of the community are dealing with this situation, and if Cisco will compete head to head with Juniper on price and features. (or will I have to dust off the books and get the JNCIE cert, boooo!)

Regards

Andrew Radford

CCIE 16499

19 Replies

James Gunnarson (Level 1)

Andrew,

That is a great question. I am now in a Cisco shop and came from a 3COM to Cisco to Juniper shop, and now I am pushing Juniper. The main factors: features, manageability, and cost. Quotes I have received for a comparable solution are $50K for Cisco and $7K for Juniper. However, the Cisco solution is still not comparable as far as bandwidth/throughput/features are concerned. The technically comparable solution from Cisco would be well above $75K, half of which is licensing. What you have to remember though is the SRX is a great device; however, it is not an all-in-one solution for most medium to large environments. I would recommend not implementing Antivirus/Web/SPAM filtering on a single SRX and utilizing other solutions, as they are resource/bandwidth intensive. Cisco does provide a great product but they are way overpriced for old technology. I had a conversation with a Cisco engineer a week ago about moving to Juniper. The first thing out of his mouth was, "You know you won't be able to do certain things if you move to Juniper." What he meant was you won't get the Cisco proprietary features. What I didn't say was, if I wanted to use the features, I could only use them with other Cisco products. Same thing went when we were looking at a VoIP vendor for our call center. They told us up front that if we wanted to use their VoIP software/systems we would have to run them on their Cisco blades. Let me tell you, that was a quick conversation. Your customers have seen the benefits and quite frankly are right. I could go on and on, and a Cisco guy would come up with all kinds of excuses on why they are better. If you were going to lose a customer, wouldn't you do what you could to keep them?

You will find that moving to Juniper is well worth the effort.  Naturally the big name is not always the best and every vendor has their flaws.

Jim

Thanks Jim

Does seem Cisco is losing ground to Juniper in the small to mid range arena. We are looking to now become a multi-vendor Cisco & Juniper consultancy just to stay competitive.

Will have to dig out those Juniper books then :-(

Regards

Andrew

Juniper has taken some of the small to mid range area and still has quite a bit of the large ISP/Telecom sector. Good choice on becoming a multi-vendor company. It makes sense. No need to dig out the books. Juniper offers free certification training on their website. Below is a link. They have an IOS to JUNOS course that is really good. I think you will find that JUNOS is much easier to navigate once you get the syntax down. It really isn't much different, it just makes more sense.

http://www.juniper.net/us/en/training/fasttrack/

Jim

Cheers Jim, will take a look for sure.

I have used the SRX a bit; it's like anything I guess, fine if you know it. At least I will understand all the technologies, just the syntax changes.

I must be getting old as I find it hard to get excited about learning about another Vendor other than Cisco!

Old habits, eh...

Regards

Andrew

So it depends on what your deployment is. If you are a large ISP/service provider (I have worked for many), I don't know of any that prefer an ASA over an SRX. When it comes to performance and throughput, there is just no debate to be had.

Now when it comes to buggy code, you run into issues only if you are always upgrading to the latest. Stay 2-3 versions behind and you won't have those.

If you are an SMB, then you have to strike a balance between price and some features and license bundles, some of which you might not need.

Also when it comes to JTAC/TAC comparisons, working in an ISP/service provider environment, I have had to escalate for both in almost equal measure.

As engineers, we shouldn't recommend one over the other just because we are more comfortable configuring it; the actual capabilities and value to the customer should matter.

I think so far no one has made a real comparison measuring bandwidth of ASA and SRX, and Palo Alto too.

juan-ruiz (Level 1)

Hi Guys,

I think this thread is awesome and I work a lot with Juniper and Cisco and I need to add my comments on both.

1. Juniper offers many more configuration features that ASA does not. Not only can you firewall, but you have full routing features and protocols, so you can do a lot with that combined feature set that you can't with Cisco.

2. In my experiences with Juniper SRX I have had more downtime with their product due to bugs than I have with Cisco ASA

3. Cisco ASA is fast, quick and very stable to deploy, while SRX requires a lot more configuration to accomplish the same as the ASA.

4. Juniper has full-blown virtual routing capabilities that again are more of a routing function, while the ASA can't really perform the routing that the SRX can.

5. Jtac and Cisco tac: I have had to escalate my case in JTAC many times to the highest level engineer while in Cisco TAC I barely have to escalate as most issues get resolved on the spot when it gets to this level.

In a nutshell the uptime and reliability/Vendor support has been higher and better on the Cisco ASA than the SRX but the capabilities and flexibilities have been more available on the Juniper SRX from a routing / firewall perspective not including any UTM features or IPS.

These are my thoughts as I have to manage both technologies in many different environments as a consultant.

I too have used both ASA and SRX. I have found the ASA to be more stable code-wise. That is, you generally upgrade ASAs for new features - not to fix things that just plain don't work (bugs).

I'm not saying the ASA is bug-free but I have seen SRXs fail to do basic things (broken ALGs, memory leaks, and failover issues to name the ones that come to mind) and the JTAC confirmed a bug and had us upgrade - 2 to 3 times in some cases.

I echo the experience that when you do need help with an ASA the Cisco TAC is far superior - first level support can answer my question 9 times out of 10 (or more) and it's usually my poor understanding of a certain feature that's the issue. JTAC cases always seemed to end up needing escalation and then more often than not ended up with a need to upgrade the JunOS. This is mirrored in the larger community - there is 10 times the knowledge base and community for ASA vs. SRX.

The SRX is not an awful box - it can do the routing as noted and JunOS indeed has some nice benefits over the monolithic ASA software. They do cost less but to some extent you get what you pay for (and to some extent Cisco's price point is too high). If you could perhaps take half that cost savings and invest it in your staff getting their Juniper certification training, it might be worth your while. Alas corporate accounting seldom accounts for anything like that.

Hope this helps.

ScorpionSting (Level 1)

Very helpful forum thread!

Was just investigating whether to upgrade ASA5505 to 5510 or jump to Juniper SRX210 now that my ISP provides actual High Speed Bandwidth...

I saw the cost difference, but it is nice to hear from those who have worked extensively with both and provide nice non-biased opinions.

Hi Ben

I have been working with the Juniper SRX series for some 7 months now and am now pretty confident on the CLI, so I would like to think I am less biased than I was when I began this discussion!

Must say I have warmed to the Juniper, and now recommend it to customers when price/performance is a sticking point.

I still find it quicker to configure the Cisco ASA, and I find the Juniper GUI too clunky, so I stick with the CLI (which I think is more logical than Cisco IOS).

Will be interesting to see what happens with the Cisco/Juniper race now that Cisco have released the ASA-5500-X series firewalls, which do appear to compete performance-wise (but not price-wise) with the Juniper equipment.

Personally I am going to sit on the fence and enjoy both vendors technologies.

Regards

Andrew Radford

CCIE 16499

I think having a good working knowledge of both is a major asset to anyone in this field, so if you have the chance, dive in and enjoy it. But if you are really looking at features to provide to the business over self-knowledge, then I suggest this: if you need some major robust routing capabilities like virtual routing tables or running BGP right at the internet edge, then go Juniper; if it's just basic firewalls and VPN, stay with ASA and don't rock the boat.

Other highlights to mention about the SRX and ASA:

1. SRX can keep local copies of the configuration on the hard disk, up to 49 rollbacks, so if you keep good track of changes you can roll back to a specific one without much work.
2. Cisco ASA: you need to restore from backup or keep the rollback as a manual process, not part of the system feature set, but using a good tool like Kiwi CatTools you can be fine.
3. Restricting local access to the firewall on SRX requires firewall filters and is not so easy to configure at a glance, unlike the NetScreen with the manager IP configuration.
4. Restricting local access to the firewall on ASA is a snap, configured at the management protocol level.
5. SRX has a nice system restore point feature so that if all else fails you can restore to that point.
6. ASA does not.
7. SRX has a nice feature to allow a service to be restarted without having to restart the firewall, for example for a VPN issue.
8. ASA does not; a reboot is required.
9. SRX runs two operating systems, FreeBSD and JUNOS.
10. ASA does not, to the best of my knowledge, so it is easier from an OS perspective to debug and troubleshoot, and does not require special access to any other place but the ASA OS itself.
11. SRX does a great job with all types of NATs.
12. ASA on 8.3 and greater has added many nice NAT features.
13. SRX is a zone-based firewall, which is a handy feature for a busy SRX with a lot of interfaces or sub-interfaces.
14. ASA does not support zones, to the best of my knowledge.
15. SRX IP gateway monitor requires an external script to run.
16. ASA has a nice IP gateway monitor built in (IP SLA).

There are a ton more features to compare but here are some.

I work with both and enjoy them a lot and surprisingly enough the JUNOS is very easy to use and fun once you get familiar with the basics of navigation from the different configuration stanzas. I would not replace the ASA unless I needed some major robust routing at the edge or I had a firewall deployment that required many zones to firewall.
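Points 1, 3, 4, 7 and 16 of the comparison above are concrete enough to show side by side. The following configuration fragment is an added example and is not from any post in this thread: it locks management access to one subnet on each platform (a firewall filter on lo0 for the SRX, per-protocol `ssh`/`http` statements on the ASA), walks through the SRX commit rollback and service restart, and sets up the ASA's built-in IP SLA gateway tracking. The filter name MGMT-ACCESS and the addresses 192.0.2.0/24, 203.0.113.1 and 198.51.100.1 are placeholders, not values from the thread.

```text
## ---- Junos (SRX): restrict management access with a firewall filter on lo0 ----
## (added example; MGMT-ACCESS and 192.0.2.0/24 are placeholders)
set firewall family inet filter MGMT-ACCESS term allow-mgmt from source-address 192.0.2.0/24
set firewall family inet filter MGMT-ACCESS term allow-mgmt from protocol tcp
set firewall family inet filter MGMT-ACCESS term allow-mgmt from destination-port [ ssh https ]
set firewall family inet filter MGMT-ACCESS term allow-mgmt then accept
## any other source hitting the management ports is logged and dropped
set firewall family inet filter MGMT-ACCESS term block-mgmt from protocol tcp
set firewall family inet filter MGMT-ACCESS term block-mgmt from destination-port [ ssh https ]
set firewall family inet filter MGMT-ACCESS term block-mgmt then log
set firewall family inet filter MGMT-ACCESS term block-mgmt then discard
## everything else destined to the control plane (routing protocols, ICMP, ...) still passes
set firewall family inet filter MGMT-ACCESS term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input MGMT-ACCESS
## the management protocols themselves must also be enabled on the zone the admins arrive from
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https

## commit with a safety net: the change is undone automatically after 5 minutes
## unless a second "commit" confirms it, which protects against locking yourself out
commit confirmed 5
commit

## ---- Junos (SRX): rollback history (point 1) and service restart (point 7) ----
run show system commit        ## lists the stored commits; "rollback N" picks one (0..49)
rollback 1                    ## load the previous configuration into the candidate
commit                        ## activate it
## operational mode: restart just the IKE/IPsec key-management daemon instead of the box
restart ipsec-key-management

! ---- Cisco ASA: management access restricted per protocol (point 4) ----
! (added example; 192.0.2.0/24 is a placeholder)
ssh 192.0.2.0 255.255.255.0 inside
http server enable
http 192.0.2.0 255.255.255.0 inside

! ---- Cisco ASA: built-in gateway monitor with IP SLA (point 16) ----
! probe the primary gateway every 10 seconds and tie the default route to its reachability
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! floating backup default route takes over when the tracked route is withdrawn
route outside 0.0.0.0 0.0.0.0 198.51.100.1 254
```

On the SRX, the lo0 input filter is what point 3 refers to: it applies to traffic addressed to the box itself on any interface, so the `allow-rest` term matters, since a filter with no final accept would also discard routing-protocol and monitoring traffic to the control plane. The ASA side has no equivalent catch-all to worry about because `ssh` and `http` statements only scope their own protocol.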

Hello

We are thinking of deploying a Datacenter firewall in our environment. We are primarily a Cisco shop with ASA 5500 series firewalls. We are demoing the Juniper SRX 3600 FW in a lab using it as an active/standby clustering model. The only feature I don't like is managing the security policies. They force you to use the address book to name all of your subnets or /32 hosts rather than specifying them on the policy as a number. I preferred to have this be an option.

The reason we are looking at the Juniper SRX is purely for the routing and stateful firewalling. The SRX gives you a separate routing engine and it has a lot more routing features. They have more 10GIG port interfaces than the ASA, which allows us to scale up into future environments.

Would anyone recommend using the SRX instead of the ASA as a DC FW in what I just described to be our scenario here? Or is there an ASA product that can match the routing capabilities along with stateful firewalling and plenty of 10GIG interfaces?

I think the SRX are awesome and feature rich, especially with routing and virtual routers, but know your stuff, as you can burn a lot of hours with support. Have you considered a Cisco firewall service module for the 6500 to get full routing, security and the 10G you're looking for?
