The Netscreen Manager – You could use some work…

Posted in Miscellaneous on February 17th, 2009

This little post is more of a continuation from a previous post. It is important to note that while this post dwells mostly on the negative, I am actually a large fan of Juniper Netscreen Firewalls. There are just various elements of the firewall that bother me.

All the problems I have with the firewall actually revolve around the Netscreen Manager. I'm not against Graphical User Interfaces. I believe it makes reviewing easier when I can actually see the rules rather than the commands. Unfortunately, the user interface that Juniper has come up with has many major faults:

  • The interface is built on Java. Java isn't a bad language, but it does tend to be memory/CPU intensive. Most days, within 20 minutes of opening the application, NSM is using roughly 500MB - 800MB of memory. There have also been countless memory leaks in the application. It's important to note that Juniper is working on the issues and has patched a memory leak issue we were having at the ol' job.
  • The more users working in the NSM server, the slower NSM appears to be. Where I work, we only tend to have up to 5 users in NSM at any point but NSM still slows to a crawl. It doesn't help that NSM is not optimized to use multiple core processors. This is a pretty major issue in the world of multi-core servers.
  • When a Netscreen contains IDP and firewall blades, there is a nifty little checkbox that, when checked, is supposed to push ONLY IDP policies. This seems like an awesome option when you have multiple policies and you just want to push the IDP policy to the firewalls. Unfortunately, this checkbox does not work as desired. If you happen to be pushing to a bunch of firewalls, you'd better be sure they all have IDP. Logic would dictate that if the box is checked and a device has no IDP, NSM shouldn't push anything to it. Unfortunately, when NSM sees no IDP policy and the checkbox is checked, NSM pushes the firewall policy instead.
  • The audit logs are next to useless, in my opinion. It's hard to find anything you're really looking for. I would much prefer if Juniper took a page from Checkpoint in the way audit logs were handled.

A few run-on sentences never hurt anybody. ;-) There are a few minor annoyances, but those were just a few of the large problems I have with NSM. It's important to note that Netscreens are still excellent firewalls, and I'm sure Juniper is working on the issues I've described. It's also important to note that my company uses Netscreens a great deal, and it's possible that Juniper never expected such a large number of policies to be used on the same NSM server. It's quite possible that users/companies with a smaller list of firewall policies in use would not see the issues I've noticed.

Keep a lookout for my post on some of my favorite features of Netscreens that make it such an awesome firewall (NSM included).