Michael Dale

Juniper SRX210 Review

Michael Dale — Fri, 29 Jan 2010 18:18:50 +1000

Well I've finally had some time to finish off my review of the SRX210! It's only taken like 4 months. There is still some things missing from this review that I will post about at some stage.

The Juniper SRX 210 is a new firewall/router released earlier in 2009. It is the second smallest device in the SRX range (the SRX 100 being the smallest).

The SRX range runs on JunOS with some new security features added that can be found in Juniper's previous firewall rage the SSG (and before that the netscreen) and in JunOS-ES.

It is my understanding that the SRX series will slowly replace the SSG range.

I recently purchased an SRX210 so that I could learn JunOS. I am coming from a Juniper SSG/Netscreen background, having looked after many Netscreen 5GTs, 25s and 50s along with the newer range the SSG 5/20/520 etc range.

I have primarily used the SSGs for linking sites together with VPNs, providing VPN access to clients/employees, general firewalling/routing and some high availability. More recently I have been doing IPv6 over some of them.

Since the SRX is based on JunOS it has all the underlying routing features found in Junipers other product ranges (such as the J series) plus the security features recently added, while the SSG is primarily a firewall device (although it has some pretty cool routing features in it too). You can read my review of the SSG 5 here.

So lets first look at the smaller SSG and SRX line up.

The SRX100 is basically the SSG5 equivalent, while the SRX210 better matches up to the SSG20.

In the SSG range the SSG5 and SSG20 were exactly the same except for the following differences:

SSG20 has two mini-pim slots (for ADSL modules etc)
SSG20 loses two of the ethernet ports the SSG5 has
SSG20 is physically larger

Other than that both have the same performance, memory options, wireless options etc.

With the new SRX range the SRX210 is actually faster than the SRX100 and includes some nice extra features such as:

SRX210 has 100mbit more routing throughput (750mbit)
2 gigabit ethernet ports
Express card slot for 3G modems
1 mini-pim slot
plus some other software things (increased session limit, max policies etc)

Juniper have a nice product chart here:

http://www.juniper.net/us/en/local/pdf/datasheets/1000265-en.pdf

One interesting difference between the two is the memory configuration options.

The SRX100 models all have 1GB of ram installed, yet the base version has a software licensing limitation of 512mb.
You cannot upgrade a base SRX210 to 1GB as the base version only has 512mb of fixed memory.

At this stage there is no built in wireless options for the SRX range. Juniper have released an external wireless access point that you can configure from the SRX, but I'm not going to talk about that in this review.

So the SRX210 is actually quite a bit more useful than SRX100 depending on what you want to do, although both devices should be more than powerful enough for most routing requirements (750mbit on the SRX210!), although If you want to take full BGP tables you will need to be using at least an SRX650. I think this is a bit of a shame seeing as we're no longer limited by the operating system routing capabilities.

One thing that I think is a bit odd is that the SRX can only do 3G via the Express Card slot (so SRX210 only); they don't support using usb modems (both SRX100 and SRX210 have USB ports). This feature could come in a software update, but I don't know if it will. At least it is an improvement over the SSG range that couldn't do it at all.

So for the Netscreen/SSG users what does the SRX range offer:

3G WWLAN (SRX210 only)
Significant routing performance increase
JunOS
Gigabit ethernet on smaller devices (from SRX210 upwards)
PoE options (SRX210)
Jflow/Netflow support

So sounds great but unfortunately the SRX range is actually missing some features from the SSGs:

Usable web interface (more on this later)
Integrated ADSL and wireless options
Auto Connect VPN (probably will be fixed in a software update)
Other minor feature differences

So lets now look at the software in a bit more depth.

ScreenOS vs JunOS.

One of the reason's I liked the SSG range was the web interface. You can do just about anything from the web interface, it is really easy to see what policies are setup and you can easily disable and rearrange them.

ScreenOS can have some interesting WebUI bugs but if you're running a fairly recent version and using Firefox or IE it works pretty well. It can be a bit slow to load over a WAN link, but once it has finished loading the excessive amount of javascript it is pretty quick.

The SRX version of JunOS (tested with 9.6R2.11) has a web interface that is completely different to ScreenOS. It is broken down into two main sections configure and monitor. Unlike ScreenOS you need to switch between these two sections to either configure a setting or see what is actually going on. It might actually be a useful feature if is wasn't for the fact that the web interface is bad, really bad.

My biggest issues include:

It's slow, much much slower to load that ScreenOS
It seems to expire my session and log me out while in the process of doing stuff
It doesn't feel like it was designed for people to actually use. It is basically a graphical representation of the configuration file. I've noticed that I expect different things from a web interface verses a command line interface.

Because of these reasons I don't even bother using the web interface, which really feels like I'm going backwards compared to the SSG. Don't get me wrong the command line in JunOS is great, more complex than ScreenOS but in the long term you will appreciate the power of it.

For the larger range of SRX devices this probably doesn't matter as much because the people configuring them should really know how to use the command line; but I believe a good web interface is really important for the smaller devices especially if Juniper want this device to be popular in not just the enterprise market.

UPDATE:

Juniper have since released JunOS 10.0R2.10 which seems to have improved the speed of the web interface. They have also started working on fixing up many of the configuration pages. From what I have heard Juniper plan to keep improving it over the next few versions. I might do an updated post once the WebUI has been improved further.

During the writing of this review Juniper have released at least three software updates and at least for me each upgrade as been an improvement. Before JunOS 10.0R2.10 the SRX210 was really too buggy for production use, I had lots of issues with keeping a stable PPPoE link up. Luckily this seems to have finally been fixed in the latest OS. This was one of the main reasons for the delay in this review. I really wanted to get the problem fixed first.

Also during the review, one of the companies I work for purchased two SRX240s, this has allowed me to really get used to the operating system as I've had to setup Clustering/NAT/DHCP/VLANs/SNMP/VPNs and some firewall rules. I ended up configuring everything via the command line and I'm glad I did because the command line in JunOS is really much better than ScreenOS.

The configuration in JunOS is converted to XML when loading, so the configuration process has a much more structured feel to it. Everything is nicely broken down into different sections such as: system, interfaces, security, vlans etc. I've found this makes it easier to find what you're looking when changing things.

Upgrading the operating system is also easy as you can simply point JunOS to an HTTP url and not need to setup a TFTP server.

I still prefer the ScreenOS WebUI for configuring firewall policies though, the whole process just seems quicker and better thought out.

For laptop style VPNs Juniper have moved away from Netscreen Remote the 3rd party IPsec VPN software and replaced it with basically nothing. They now have something call dynamic VPN, which I haven't used yet. This type of VPN setup has a new VPN client but it also requires extra licenses to be purchased (at great expense I'm sure), so I probably won't use it. Luckily JunOS still supports IPsec VPNs so you should simply be able to use one of the better free VPN clients (Netscreen Remote really sucked anyway so no big loss). I haven't tested this yet, although if it does work correctly that is great because the SRX actually supports 128 IPsec tunnels on the SRX100 and double that on the 210! Heaps more than the old SSGs.

One last thing I will mention in the software section, JunOS doesn't seem to support IPv6 in flow-based mode which is a shame. Hopefully this will come soon.

Hardware

The base Juniper SRX210 is about the same size as the SSG20; it includes 8 ethernet ports and a single mini-pim slot (the SSG20 had two, which was useful if say you wanted to have two adsl connections).

The main difference between the two is the different integrated options.

The SSG20 allowed for wireless, where as the SRX210 gives you PoE and VoIP options.

Final Thoughts

The SRX210 is a promising device that has been plagued by some early software bugs (most of which have been fixed). It doesn't include all the features from the old SSG range (yet) and it does feel a bit more enterprise than the SSG. I think the smaller SSG range was great for small businesses, where as the smaller SRX range can get quite expensive with some of the optional extras.

I will miss the integrated wireless options from the SSGs (the SRX external wireless is very expensive) and for the time being some of the stability.

Saying all this JunOS is the future for Juniper and I believe the SRX range will keep getting better (and quickly JunOS 10.1 is due out soon).

Juniper have also produced some nice help documents recently for users of ScreenOS, they also have many examples of say VPNs between an SSG and SRX which makes the upgrade process easier.

Further Reading

Getting Started Examples: http://kb.juniper.net/index?page=content&id=KB15694

Mapping of common troubleshooting commands from ScreenOS to JUNOS http://kb.juniper.net/index?page=content&id=KB14000

JunOS nat for screenos users http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf

Native IPv6 over PPPoE with Internode and a Juniper SSG5

Michael Dale — Sun, 17 Jan 2010 11:10:17 +1000

Internode released a trial of native IPv6 over ADSL a few months back, so anyone with an ADSL account with them can try it.

So one of my clients has an SSG5 and an internode connection so I thought I'd set it up.

So the setup:

ADSL modem in bridge mode
SSG5 running ScreenOS 6.3.0r2 (I had some issues with 6.2, so it is best to use the latest OS)

The very first step is to enable IPv6 on the SSG5, this requires you to run the following command and then restart/reboot the device:

set envar ipv6=yes

Once done you should now have access to all the IPv6 functions in the WebUI.

The next step is to modify your PPPoE connection settings.

set pppoe name "Internode" username "username@ipv6.internode.on.net" password "encryptedpassword"

set pppoe name "Internode" ppp ipv6cp ipcp

Now you need to enable IPv6 on the interface that the PPPoE connection is setup on.

set interface "ethernet0/0" ipv6 mode "host"

set interface "ethernet0/0" ipv6 enable

set interface ethernet0/0 ipv6 ra accept

unset interface ethernet0/0 ipv6 nd nud

So the above should be enough for you to get the /64 on the PPPoE interface.

Internode is currently handing out a /60 for use in your network (via DHCPv6), so lets now set that up.

set interface ethernet0/0 dhcp6 client

set interface ethernet0/0 dhcp6 client options rapid-commit

set interface ethernet0/0 dhcp6 client options request pd

set interface ethernet0/0 dhcp6 client pd ra-interface bgroup0

set interface ethernet0/0 dhcp6 client enable

In the above "bgroup0" is my LAN interface.

Now let's get IPv6 running on "bgroup0"

set interface "bgroup0" ipv6 mode "router"

set interface "bgroup0" ipv6 ip 2001:44b8:7763:baa0::1/64

set interface "bgroup0" ipv6 enable

set interface bgroup0 ipv6 ra link-address

set interface bgroup0 ipv6 ra transmit

unset interface bgroup0 ipv6 nd nud

In the above the IPv6 address there is my first /64 out of the /60, I've manually set it to a :1 address but you can use whatever it's default auto assigned address is.

Now you might want to hand out internodes IPv6 DNS server addresses to your LAN

set interface bgroup0 dhcp6 server

set interface bgroup0 dhcp6 server options dns dns1 2001:44b8:1::6

set interface bgroup0 dhcp6 server options dns dns2 2001:44b8:2::6

set interface bgroup0 dhcp6 server enable

Now we need to setup the default IPv6 route, as the one that is added by default is incorrect.

set route ::/0 interface ethernet0/0 gateway ::

And finally the IPv6 policy to allow traffic out (yay no NAT).

set policy id 12 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log

That should be all you need to do to get IPv6 working on your network.

There is more information over at the internode site if needed.

And here is a traceroute from a computer on the LAN

C:\Users\Administrator>tracert -6 ipv6.google.com

Tracing route to ipv6.l.google.com [2001:4860:c004::68]

over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 2001:44b8:7763:baa0::1

2 37 ms 37 ms 37 ms loop0.lns6.syd7.internode.on.net [2001:44b8:b070::4]

3 37 ms 37 ms 37 ms gi1-1.cor2.syd7.internode.on.net [2001:44b8:b070:5::1]

4 37 ms * 37 ms gi6-0-0-146.bdr1.syd6.internode.on.net [2001:44b8:b060:146::1]

5 37 ms 37 ms 37 ms 2001:4860:1:1:0:1283:0:2

6 38 ms 38 ms 39 ms 2001:4860::1:0:9f8

7 184 ms 295 ms 174 ms 2001:4860::1:0:165

8 175 ms 175 ms 175 ms 2001:4860::1:0:890

9 181 ms 176 ms 182 ms 2001:4860::29

10 185 ms 176 ms 244 ms tx-in-x68.1e100.net [2001:4860:c004::68]

Trace complete.

Intel Matrix Raid is Bad

Michael Dale — Sun, 03 Jan 2010 09:43:31 +1000

So we've got two computers in the house using Intel Matrix raid.

First our server is using it for our Raid 1 boot drive, and my old desktop (just upgraded to an i7 iMac) was using it for its Raid 5 boot drive.

From what I've found, if WIndows crashes or isn't shutdown correctly the Raid will require rebuilding, both these systems do it. While it is rebuilding the performance is awful. It also takes up to 24hrs on our server to rebuild the array.

The other thing I have found is that the write performance on the Raid 5 drives is really really slow. My desktop was running it, bad idea I should have just stuck to a single drive, there was no real reason for using Raid.

Both systems aren't bad/slow (Q6600s with 8 and 4gb ram). We've also got a Raid 5 in the server running off a RaidCore PCI-X card and it is great. Never needs to rebuild and it is quick.

So yeah not surprising that the RaidCore actually works well but I didn't think Intel Matrix raid would be so bad...

New Domain

Michael Dale — Tue, 20 Oct 2009 12:27:01 +1000

It's time for a different domain for my personal blog. I'm trying to seperate my work, personal and project sites.

So once finished it should look like:

bluetrait.com/org for Bluetrait projects
dalegroup.net/net.au for my business website
michaeldale.com.au for my personal blog

It might take some time for me to actually split bluetrait.com out and I'll need to make sure all the links keep working etc but it will happen.

On another note I've been meaning to release a newer version of Bluetrait Money for download but I keep adding things to it :)

Jflow on SRX210

Michael Dale — Thu, 13 Aug 2009 18:52:50 +1000

We'll I've got my Juniper SRX210 up and running and it supports some stuff the old SSG didn't (it is also missing a few features too).

One of the new features is the support for JFlow (which is the Juniper version of Cisco's NetFlow).

Basically it means that the firewall can log traffic to a server in a format that allows for graphs such as this:

Pretty cool. Anyway the documentation for the SRX isn't that great, so here is my configuration for this (running SRX JunOS 9.6):

fe-0/0/7 {

unit 0 {

family inet {

filter {

input cflow;

output all;

}

address 203.206.210.249/29;

}

firewall {

filter all {

term all {

then {

sample;

accept;

}

filter cflow {

term 1 {

then {

sample;

accept;

}

forwarding-options {

sampling {

input {

rate 1;

run-length 0;

max-packets-per-second 50000;

}

family inet {

output {

flow-server 203.206.210.250 {

port 2055;

version 5;

}

WordPress 2.0

Michael Dale — Fri, 31 Jul 2009 23:18:46 +1000

Well it looks like WordPress 2.0 is no longer going to be supported, so it is probably about time to rewrite some of my plugins to use some of the new WordPress developer features such as better database security.

I wonder when they're going to drop php 4...

Bluetrait Connector now out

Michael Dale — Fri, 24 Jul 2009 20:26:39 +1000

Well I've now released all three programs for download. More info here.

Bluetrait Connector for WordPress

Michael Dale — Fri, 24 Jul 2009 00:03:31 +1000

I've been hard at work on Bluetrait 2.1 and have now successfully got events to sync up to a master Bluetrait install.

So I've decided that the Bluetrait Event Viewer needed some love and have been working on a new WordPress plugin called Bluetrait Connector.

This plugin will allow a WordPress install to connect via SOAP to a Bluetrait server.

Basically using Bluetrait 2.1 + Bluetrait Event Viewer 1.9 and Bluetrait Connector you will be able to sync events from a WordPress install to Bluetrait.

I plan to have a beta release of these three programs this weekend :)

New Router/Firewall Time! Juniper SRX 210

Michael Dale — Wed, 22 Jul 2009 21:40:01 +1000

We'll I've had my SSG 5 for about 2.5 years now and it has worked great, and will probably keep working for many years to come. But Juniper have released a new/replacement model (kind of, they're still selling the SSGs) that runs JunOS.

So I thought it was about time to learn the operating system as ScreenOS (OS on the SSG) will eventually be discontinued.

The SRX 210 is really more of a replacement to the SSG 20, but it looks there isn't a SSG 5 replacement (yet at least, I did see some mentions of an SRX 100).

Anyway hopefully I should get it next week and then I'll do a review of it.

New Job

Michael Dale — Fri, 17 Jul 2009 23:49:00 +1000

I have a new job at Digital Pacific (a sydney based web hosting company) as their Network Engineer.

I have only been there two days and my desk is already filled with networking gear :)