
Juniper SRX vs Cisco ASA vs Fortigate

A comparative analysis by Kashif Nawaz, Network Consultant, RackHiring

Firewall high availability and clustering is one of the key features of next-generation firewalls (NGFWs). The RackHiring professional team technically compared market-leading firewall vendors in terms of cluster configuration, operations and security performance. The firewalls compared for this review were Juniper SRX (all series), Cisco ASA 5585 and Fortigate 1000D, deployed in a similar data center environment.

SRX vs ASA: An ASA cluster can have up to 8 members, while an SRX chassis cluster has exactly 2. The ASA cluster control link carries configuration sync and the session traffic exchanged among the session owner, session director and session forwarder roles. On the SRX the control link carries configuration sync, routing protocol updates and device management between the two Routing Engines. Both ASA and SRX (high-end platforms only) support multiple control links: the ASA bundles them with 802.3ad (and cluster members must be connected through a switch), whereas the SRX does it by having multiple Routing Engines, and the details differ between the SRX 3000 and SRX 5000 series.

An ASA cluster uses its data interfaces for transit traffic, where the SRX uses RETH (redundant Ethernet) interfaces. The ASA uses 802.3ad spanned EtherChannel cluster interfaces (comparable to Juniper's MC-LAG feature): in simple words, the 802.3ad member links from all cluster members land in a single port channel on the connected switch, so any member of the cluster can receive and forward traffic on the spanned interface. On the SRX a RETH actively receives and forwards traffic only on the node that is primary for its redundancy group; to use both cluster members you build an active/active design in which several RETHs (children of different redundancy groups) receive and forward traffic on both nodes. The SRX fabric (data) link is used for sharing session state rather than for transit traffic, which is what the ASA uses its data interfaces for; the one exception is an active/active design, where the fabric link also carries transit traffic for sessions that enter on one node and leave on the other. For management of the individual boxes and the cluster master, the ASA uses either a single interface on each box or an 802.3ad LAG that has to be dropped onto the connected switch, whereas the SRX provides an individual management interface (fxp0) on each cluster member.

Now, Cisco's published scaling expectation for ASA clustering is roughly 70% of the combined throughput and 60% of the combined concurrent-session capacity of all members, not a 70% or 60% increase per member; e.g. with a 4-member cluster in which each member supports 20 Gbps of throughput, the overall throughput will be about 56 Gbps (70% of the 80 Gbps aggregate of all cluster members), and the same formula applies to concurrent session handling (60% of the aggregate session capacity of all cluster members). I was unable to find any document in Juniper's technical publications that sheds light on the throughput and session-capacity gain when an SRX is in a cluster.

In ASA all three types of interface (data link, cluster control link and management link) are monitored for the cluster health check; if any of these interfaces on any cluster member is unplugged, disabled or otherwise goes down, clustering is disabled on that member and you need console access to re-enable clustering on that particular member. On the SRX, heartbeats are exchanged over both the control link and the data (fabric) link. For control-link recovery the SRX supports the control-link-recovery configuration command: if one cluster member loses its control link and is shown as lost/disabled, it automatically reboots and rejoins the cluster once the control link is restored, provided that command is configured at the chassis cluster hierarchy. For data-link (fab0 and fab1) resiliency, Juniper recommends that both cluster members have multiple member links in the fabric link in order to avoid loss of a cluster member.

The SRX also supports failover of data-plane (transit) interfaces by monitoring physical interfaces and RETHs (on the high-end platforms IP monitoring is supported as well); as highlighted earlier, the ASA supports cLACP spanned cluster interfaces (802.3ad), thanks to which all members of the cluster can actively send and receive traffic.
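The SRX-side mechanisms described above (per-node fxp0 management, heartbeats over control and fabric links, control-link-recovery, dual fabric member links, active/active RETHs under separate redundancy groups, and interface/IP monitoring) fit in one chassis-cluster configuration. The following is an added example written for this page, not configuration from the RackHiring document or from Juniper; it assumes a branch-series slot numbering in which node1 ports appear as ge-5/0/x, uses RFC 5737 documentation addresses, and treats the gateway 198.51.100.254 and the redundancy-group weights as illustrative choices. Lines beginning with # are annotations for the reader.

```junos
# Added example (not from the RackHiring document). Assumed: node1 ports are
# ge-5/0/x (branch-series numbering), documentation addresses, illustrative weights.

# Per-node settings: hostname and the out-of-band fxp0 management address,
# applied on each node through the built-in ${node} variable.
set groups node0 system host-name srx-node0
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set groups node1 system host-name srx-node1
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set apply-groups "${node}"

# Heartbeats run over both the control and fabric links; a node is declared
# lost after heartbeat-threshold consecutive misses (here 3 x 1000 ms).
set chassis cluster heartbeat-interval 1000
set chassis cluster heartbeat-threshold 3

# After a control-link failure the disabled node reboots and rejoins
# automatically once the link is restored, instead of waiting for manual action.
set chassis cluster control-link-recovery

# Two fabric member links per node so a single cable loss does not cost a member.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/3

# RG0 is the Routing Engine (control plane): node0 preferred (higher priority wins).
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100

# Active/active data plane: RG1 is primary on node0, RG2 on node1, so both
# members forward traffic. An RG fails over when its monitored physical ports
# lose enough weight to reach the failover threshold of 255.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/5 weight 255

# IP monitoring (on the platforms that support it): RG1 also fails over when
# the upstream gateway stops answering probes. One failed target of weight 100
# reaches the global threshold of 100, which subtracts global-weight 255 from RG1.
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 100
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
set chassis cluster redundancy-group 1 ip-monitoring retry-count 5
set chassis cluster redundancy-group 1 ip-monitoring family inet 198.51.100.254 weight 100
set chassis cluster redundancy-group 1 ip-monitoring family inet 198.51.100.254 interface reth0.0 secondary-ip-address 198.51.100.2

# reth0 (RG1) and reth1 (RG2) each have one child port on every node;
# only the node that is primary for the RG forwards on that reth.
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-5/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-5/0/5 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 203.0.113.1/24

set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
```

Because reth1 (trust) is primary on node1 and reth0 (untrust) on node0, a trust-to-untrust session enters on one node and leaves on the other, so its packets cross the fabric link; that is the case where fab0/fab1 carry transit traffic rather than only session state, and it is why the fabric links deserve the same dual-link treatment as the control link. After commit, `show chassis cluster status` and `show chassis cluster interfaces` show the per-RG primary node and the control/fabric link state, which is where a lost or disabled member first becomes visible.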

Conclusion: The cluster technology in both boxes has some advantages and disadvantages over the other. Like all other technology lovers I always love to explore new technologies, but my first preference is always SRX because it was my first love.

SRX vs Fortigate: (will be updated soon)

RACKHIRING MAIN OFFICE
44 - Granville Street, King Cross Road
London, WC1X 9QA
E: [email protected]
T: +44 844 855 4927

© 2015 RackHiring Networks, Inc. All Rights Reserved. 02/15 GA-DS-1547-01

RackHiring and its logo are trademarks of RackHiring Group, Inc., in the United Kingdom and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by RackHiring. RackHiring reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact the RackHiring Customer Services team ([email protected]) for information on feature and product availability. Export of technical data contained in this document may require an export license from the United Kingdom government.