Thursday, December 18, 2014

Juniper SRX vs. Cisco ASA

I think I get asked which is the better firewall between these two vendors at least once a month now.

It's a hard question to answer, but I would like to point out some of the differences you should be aware of. This comparison list is not 100% complete; it is just a few of the highlights I've found or run across when designing and deploying security gateways for enterprise and service-provider networks.

First, I would like to say that neither vendor is a slam dunk in all categories, but many differences exist between these two platforms. Either platform could very well become a multi-box solution if you need advanced security services and want to take advantage of UTM features.


The SRX is used in every sector from SME to enterprise, but it is not as well received as the Cisco ASA and the former PIX. You will probably find more Cisco ASA products out on the streets, and that's because Cisco is better at peddling the ASA than Juniper is at selling the SRX. But keep in mind, more appliances (volume) doesn't always mean better. I'm sure there are more Hyundai/Kia cars on the streets of NYC than Mercedes-Benz, but that doesn't make the Kia a better car than the Mercedes.
 PRO Cisco ASA: more widely used than the SRX in the NA/EU markets, with more support and more security engineers aligned with Cisco

The J-Web GUI is integral; you do not need a separate package like the ASDM software for a Cisco ASA. J-Web runs okay, but it's not as speedy as the Cisco ASDM, and this is more evident on the smaller branch-series models (think a tortoise vs. a rabbit). I try to avoid J-Web at all costs; 78-92% of the time I'm in the CLI. This holds true on the Cisco ASA too, but I don't have any real complaints with ASDM except that it's awkward for me to use.
 PRO Cisco ASDM

Junos works, but some of the basic features sometimes just don't work, and when they don't work it's a very bad outcome. The ASA has been slightly better with its code and has been more stable within the codeset in my experience. JTAC will resolve the issues and identify the problems, but you could struggle to get the resolution.
 PRO Cisco ASA for stability in the OS releases

Routing features: the ASA is a few years behind the SRX, period. No need to go further in this area. Juniper has brought a lot of the routing features from the M series into the SRX. The Cisco folks are still playing catch-up.
 PRO Juniper SRX for routing and advanced L3 unicast/multicast support

Config archival and rollback: hands down, the SRX has better diff controls on configuration and restoral. I really wish Cisco would make improvements in this area. Change control, configuration commits and restores, and recovery are not very well planned in a Cisco.
 PRO Juniper SRX for configuration management and control points locally within the CLI

IPv6 support is more mature, better and much stronger in an SRX.
 PRO Juniper SRX IPv6

For WAN interface models or add-on WAN interfaces, hands down the SRX leads the pack. You're not going to get an E1/T1, ISDN, 3G cellular or ADSL interface in a Cisco ASA, but you can easily do this with a Cisco ISR and its security IOS codeset.

In fact, Cisco offloads these missing features to a Cisco router as a quick sell and pitch to the end user, but they forget to tell you that the router is not going to be as quick or have as high throughput as the firewall.
 PRO Juniper SRX WAN availability

For service restarts (daemons), the SRX is hands down better. In an ASA you have little to no means to restart a service for the most part. If it stops, you need to reboot the appliance to get it rolling again.
 PRO Juniper SRX for service management (start and kill)

HTTPS/SSH management access is much easier to deploy in a Cisco ASA. The SRX is complicated even for enabling simple services, from DHCP to IPv6 neighbor discovery, because of the various filters. When locally sourced features and functions don't work, 9 out of 10 times it's due to the service filter.
 PRO Cisco ASA for management access configuration

The SRX has higher port density than an ASA; in fact you get more ports and more 10GigE ports than on the top-end Cisco ASA. I believe the SRX was the first to offer 40GigE and 100GigE interfaces, IIRC. This is not even on the radar for the Cisco ASA; both 40GigE and 100GigE interfaces are foreign words for the Cisco ASA lineup ;)
 PRO Juniper SRX for higher throughput and faster interfaces

The SRX gives you access to a limited shell. Here you can do captures, execute scripts, and do the things you would do with a simple Unix sysadmin approach. For the Cisco ASA... this is not going to happen.
 PRO Juniper SRX for the shell access

Software code upgrades or downloads: the ASA is a breeze in this area. The Juniper requires more thought and preparation when doing system upgrades.
 PRO Cisco ASA for code deployment (simple, sweet, and to the point)

SRX source NAT is much easier to manipulate. Cisco requires a PhD to NAT just about anything outside of a one-to-many ;)
 PRO Juniper SRX NAT

Firewall HA clustering is very straightforward in the Cisco ASA, and you need a PhD to figure it out in an SRX ;). Doing an ISSU is simpler and less of an issue in a Cisco ASA. I always recommend opening a JTAC case and getting a second opinion on your maintenance operation plan for any upgrade when you have a clustered pair.
 PRO Cisco for failover creation and management

Integration into an L2/L3 switch: the Cisco ASA has a firewall blade. But be careful and review which features are NOT available on the blade.
 PRO Cisco for integration into an existing multi-slot chassis

The Cisco software virtual firewall has been out ahead of Juniper Firefly, but one key plus is that the Juniper version has support for KVM, whereas Cisco is all VMware. If you have access to Junos software you can still get a 60-day eval image for testing.
 PRO Juniper SRX Firefly

UTM features like anti-spam exist in an SRX but require a license and are not available across all models. I believe the Cisco ASA NGFW still doesn't have an on-appliance AS/AV UTM feature. Most UTM features in a Cisco ASA 5558-X will be external or a cloud-based solution, at some extra license cost.

Application visibility is a big weak spot in the Cisco ASA, whereas Juniper AppSecure is available but not as refined as, let's say, Palo Alto's or Fortinet's; it works, but can be buggy in earlier Junos releases. Also, Juniper AppSecure is for the higher-end SRX models and is not available across all platforms. Cisco has recently bought and now includes FirePOWER, but little information can be found about its accuracy in application visibility.
 PRO Juniper SRX for application awareness, but it is still not a single-box solution, and neither is the Cisco ASA

Layer 3 and 4 attack mitigation is slightly better with Juniper "Screens" in the SRX; at least the concept and controls are better. The Cisco ASA will probably need a few ACLs and service policies or other methods, whereas everything in an SRX is a single-line "security screen" configuration item.
 PRO Juniper SRX for simple L3/4 flooding and L3/4-based attacks

GRE tunneling support is available in an SRX and is not even an option in an ASA.
 PRO Juniper SRX for ad-hoc GRE tunnels or other tunneling support

Multiple virtual router instances are probably better designed in the SRX than the ASA's multi-context. You don't need to reboot the firewall when deploying VR instances, as you do when converting from single context to multi-context or back in an ASA.
 PRO Juniper for multiple-instance support, design and exchange of information between instances

Cisco TAC and Juniper JTAC have both declined in the past 5 years or so. Cisco still has a better RMA process for replacement and delivery. Juniper has gotten better with KB knowledge. It's still hit and miss depending on each person's feedback and experience working with these two outfits, but Cisco has a slight edge.
 PRO Cisco for support

For SSL VPN, we have the availability in the Cisco ASA of IPv4/v6 SSL VPNs, but the SRX still has no means for SSL-based VPNs. For Juniper you will need a Secure Access appliance or a MAG, which is yet another box.
 PRO Cisco ASA for WebVPN availability integral to the appliance

Speaking of SSL VPN, the Juniper SA/MAG is a cheaper solution for SSL VPN users. The average cost of, for example, an SA2500 vs. the basic 100-user Cisco ASA WebVPN license will make the Juniper SA/MAG appliance cheaper per SSL VPN user.
 PRO Juniper for per-SSL-VPN-seat cost


Okay, that's a wrap on my SRX vs. ASA comparison. Keep in mind, they both offer great firewalls in the security realm and the sectors they serve. To be fair, don't try to think of "which one is better"; look at what your needs are and then decide after doing a one-to-one comparison and cost analysis.

With these appliances, you have to understand that the Juniper SRX is a zone-based firewall, whereas the Cisco ASA is an ACL-based filtering firewall. They do the same thing, but the concepts are very different. There are pros and cons to these two strategies, but that's another thread, and it only becomes a factor when you have dozens or more interfaces.
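To make the zone-based vs. ACL-based difference concrete, here is an added example (not from the original post) that expresses the same intent, "inside users may browse out, the box answers SSH/HTTPS only on the inside, and floods from the outside are rate-limited", first as SRX zone configuration and then as ASA interface/ACL configuration. Interface names, zone names, the management subnet and the thresholds are assumptions chosen for illustration.

```text
## Junos SRX (zone-based): traffic is classified by the zones of its ingress and
## egress interfaces, and the zone also decides which locally terminated services
## the SRX itself will answer (the "service filter" that bites so often).
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
## Without these host-inbound-traffic lines, SSH/HTTPS management, DHCP and OSPF
## hellos aimed at the SRX are dropped on that zone with no policy log to show it.
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic protocols ospf
## A Screen profile is a single object attached to the zone where attacks arrive.
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen ip spoofing
set security zones security-zone untrust screen untrust-screen
## The policy is written per zone pair, not per interface; add interfaces to a
## zone later and they inherit it. Anything not matched is denied by default.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

! Cisco ASA (ACL-based): an access-list is bound to one interface and direction,
! and management access is a separate per-interface command, not a zone attribute.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/0
 nameif outside
 security-level 0
access-list INSIDE_IN extended permit tcp any any eq 80
access-list INSIDE_IN extended permit tcp any any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
! Management plane: allowed sources are listed per interface (assumed subnet).
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
```

On the SRX, a new interface added to the trust zone is covered by the existing policy, host-inbound-traffic list and screen at once; on the ASA each new interface needs its own access-group binding and its own ssh/http lines, which is why the author says the difference only starts to matter at dozens of interfaces.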

Lastly, I hate the Cisco/Juniper shops that only expect one vendor to be present for switching, routing, firewall and other services. Some of the best networks that I ever worked on and consulted for were a mix of everything from A to Z.

Ken Felix
Freelance Network/Security Engineer Mail Security Specialist
kfelix  -----a----t---- socpuppets ---dot---com

     ^    ^
=(  % $  )=
      /   \


  1. Actually I was looking for a good comparison between the Juniper SRX and Cisco's new ASA, as Cisco claims that it does application filtering. Thanks for sharing this nice post.

  2. NP

    There are good things to be found in both platforms. The Cisco approach to application filtering and awareness "is not a leading feature imho".

    Stay tuned for more.

  3. Which of the different models of Cisco ASA would you recommend buying? I was reading some reviews in but am still not sure.

  4. Lizz,

    It depends on your business needs and requirements. Review the Cisco datasheets and contract with a consultant or reseller. Your question is too broad to give a reasonable reply.

  5. What would you recommend for route-based IPsec tunnels with full UTM features enabled for 500 internal users: a Cisco 5516-X with FirePOWER services, an SRX300 series, or something else?

  6. Okay, where to start;

    How many users is good, but what throughput are you expecting from the bandwidth?

    With regards to users, are you expecting SSL or IPsec connectivity? The former will rule out the SRX300, and with the Cisco ASA that could be a license issue if you need SSL VPN, aka WebVPN, access.

    Next, the two models are great (I have an SRX300 btw), so do you need only copper interfaces? The SRX will support SFP interfaces if so desired.

    And lastly, are you looking for HA? Both should be fine in that area.

    Finally, route-based is a "must", or at least preferred, for VPNs on an SRX platform. I would not do a policy-based VPN by any means. Route-based with a "routed tunnel interface" is so much better from a diagnostic and collection standpoint.

    I hope that helps.