
JUNIPER SRX VS. PALO ALTO NETWORKS NEXT-GEN FIREWALL

ABOUT

Juniper Networks

Founded in 1996 as an ISP router manufacturer, Juniper entered the security market in 2004 with the acquisition of NetScreen. Juniper’s SRX firewalls, available as branch, enterprise, or service provider (SP) appliances, run on Junos OS, like the company’s MX Series routers.

SPs remain Juniper’s primary focus, with most products built for large-scale deployments with little attention to enterprise requirements. Even though Juniper continues to struggle in security, with revenue in this area declining year over year, it remains a strong incumbent that can tug security into larger network deals, similar to Cisco.

In 2015, Juniper sold its Pulse VPN technology to a private equity firm. It exists today as Pulse Secure, without any relationship to Juniper.

STRENGTHS AND WEAKNESSES

Juniper’s Strengths

• Juniper has strong brand recognition among network teams.
• SRX shares network features with MX Series routers. Both run on Junos.
• Junos is perceived as mature and stable. Data and control plane are separated.
• Existing customers like the powerful CLI and API functions.
• Juniper offers great automation capabilities, but manual stitching is required.
• SRX has very high L4 throughput without security features, including “ExpressPath” for accelerating established connections.

Juniper’s Weaknesses

• Security is not their game. There is no vision or thought leadership for public cloud/SaaS or endpoint security.
• Juniper’s annual security revenue has been declining—from $670M in 2012 to $330M in 2018—in a market with 8% CAGR. Are they serious about security?
• The virtual vSRX firewall is only supported in AWS and Azure.
• Third parties (Avira, Forcepoint/Websense, Sophos) provide most security features, but none share findings with Juniper’s threat intelligence platform.
• Each security feature, including AppControl, requires a paid license and degrades performance. Unpredictable performance leads to security and/or speed trade-offs.
• Central configuration is split between Junos Space and Security Director (an app running on top of Space). There are still functional differences between local (J-Web) and central Space administration. Multiple UIs create administrative overhead and opportunities for misconfiguration.
• Juniper focuses on the SP market. Everything is built for SPs first and scaled down for enterprises, which tends to make the products overly complicated.
• Juniper offers limited local log storage and reporting capabilities (no SLR/BPA) and no visibility into threat intelligence (i.e., no AutoFocus equivalent).

Questions to Ask

| CIO, CISO | Director IT / Information Security | Security Managers |
|---|---|---|
| As your organization moves to the cloud, how will you address security for SaaS and other public cloud applications? | Do you spend a lot of your time managing vendors and stitching together security platforms? | Are your security analysts overwhelmed with the amount of security controls? |
| Is the security different at different locations inside and outside your organization? | Are your network and endpoint security controls integrated? | Does your security vendor rely on other vendors to deliver core security features? How well are they integrated? |
| Are you confident that your security vendor provides the visibility into your security posture that you need? | Can you enable advanced security features without resizing your firewall infrastructure? | Do you have to train your teams on multiple admin interfaces? |

© 2019 Palo Alto Networks, Inc. | Juniper SRX vs. Palo Alto Networks Next-Gen Firewall | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1
JUNIPER SALES PLAYS

Position Juniper SRX as a “Secure Router”

Juniper will try to avoid deep security discussions, instead highlighting the advanced network features of Junos (e.g., BGP, QoS). SEs will downplay the importance of App-ID and steer the conversation toward Juniper’s higher L4 throughput, connections per second (CPS), or max sessions.

Counter by emphasizing the importance of application-level visibility. Demonstrate actual security misses with an SLR. How many of the advanced network features and what CPS does an enterprise customer really need?

Point out that security functions on SRX are managed by a different UI (Security Director on top of Junos Space). It is not as simple as an MX router.

Avoid a Proof of Concept

Juniper will try to avoid a PoC, but if forced into one, will likely demonstrate Space/Security Director and tell a story about automation using APIs and CLI.

Ask the customer if Juniper showed demos or a live deployment. Push for an on-site PoC and demonstrate the consistency and simplicity of PAN-OS and Panorama.

Juniper gives customers a lot of automation opportunities, but little guidance on implementation. Do a live demo of our automation capabilities. Don’t let Juniper cherry-pick network-centric use cases. Insist on enabling all security features.

Sell on Datasheet Numbers

Juniper will try to sell customers on their IMIX L4 firewall performance numbers. “Turn everything on” is a Juniper SE’s nightmare.

Point out the total lack of security features in this mode (“SRX delivers malware really fast”). Remind customers that Juniper’s ExpressPath will route packets with no inspection after initial session setup.

Steer the conversation toward an on-site PoC with real-world traffic mixes. Make sure Juniper enables “Enterprise Recommended” IDP signatures and antivirus as both directly affect SRX performance.

Feature Comparison Matrix

| Feature | PAN-OS 9.0 | Junos 19.2 |
|---|---|---|
| Single-Pass Architecture for predictable performance | Yes | No (each feature degrades performance) |
| Natively engineered next-gen firewall | Yes | No (Router OS with bolt-on security capabilities; AppControl is third party) |
| Virtual next-gen firewall deployment options | ESXi, NSX, Hyper-V, KVM, ACI, GCP, AWS, Azure, AliCloud, Oracle, vCloud | ESXi, NSX, KVM, AWS, Azure |
| Consistent management UI across firewall product line | Yes (Panorama) | No (Junos Space for network, Security Director for security) |
| Bare metal analysis of malware | Yes | No |
| Intrusion prevention system (IPS) functionality | Yes, always on | Yes, but “intelligence inspection” will reduce IPS functionality during stress |
| Natively integrated AV | Yes | No (third party) |
| Natively integrated URL filtering | Yes | No (Forcepoint/Websense) |
| User identification | AD, LDAP, XML API, syslog, port mapping, XFF headers, client probing | Limited to LDAP/RADIUS/TACACS+ |
| Local logging | Yes | Limited local storage and reporting, recommend external log collector |
| Credential theft prevention | Yes | No |

HOW TO COMPETE

Educate the Customer on the Importance of Security

A router is not a security appliance. Repeat that over and over. Stress the importance of advanced security features like App-ID, Threat Prevention, and WildFire. Get the customer to create an SLR and SaaS report. Juniper cannot match this level of visibility, and it will open your prospect’s eyes to see what is really happening in their network.

Demonstrate Our Natively Engineered Next-Generation Firewall

Point out that almost all of Juniper’s security technology comes from other vendors. How long does it take to get a URL recategorized when Juniper needs to contact Websense? What happens if Juniper switches vendors? Automation can’t turn unknown malware into prevention with that many disjointed third parties. Show how WildFire is natively integrated into all our products and how prevention is automated.

Leverage Our Strong Cloud Focus

Juniper does not have an answer for the customer’s journey to the cloud. vSRX is only supported on AWS and Azure. Juniper has no CASB, CWPP, or CSPM offering. Position Prisma SaaS, Traps, and Prisma Cloud to force Juniper to bring in partners.

Push for a Proof of Concept

Set the table for the PoC and put a focus on security features. All features, including logging, need to be enabled. Show the feature parity between PAN-OS, Panorama, and the command line. Make sure Juniper demonstrates the SRX GUI as well.

Show the Ease of Use of PAN-OS and Panorama

Space and the Security Director have a steep learning curve. Our user experience is consistent across local and central management. Show the ACC and reporting capabilities.

Long-term Juniper customers tend to use the CLI and API for managing firewalls. Show that we have the same capabilities.

OBJECTION HANDLING

“You don’t need advanced security features. Why pay a premium?”

Juniper claims most of our customers do not use advanced security features, such as App-ID, Threat Prevention, and WildFire. In fact, App-ID is enabled by default and the attach rate of Threat Prevention is around 80%. Companies need a Zero Trust strategy to prevent successful cyberattacks and cannot afford blind spots in their networks.

“Don’t trust other security vendors to build great network stacks. We run the internet.”

Juniper wants to use its strong brand in routing/switching to sell security. In reality, it is more difficult to get security right than to get networking right. Networks rely on established standards and protocols while cybersecurity requires a lot of R&D and specialized knowledge to successfully fight unknown threats.

“Why learn a new OS when you already use Junos OS on your routers?”

Juniper will say SRX offers the same experience as MX Series routers. Junos Space requires a separate application, Security Director, to be able to manage SRX firewalls. SRX devices operating as routers are not manageable under Junos Space. Sky ATP (a cloud sandbox) and JATP (an on-premises sandbox) have completely separate UIs.

“Junos OS had an API before it had a CLI.”

Juniper claims to offer the best automation capabilities, but it is all DIY and not ready for enterprise use. There are no templates or documented best practices. We have automation either built-in (e.g., WildFire) or in the form of APIs, DAG/EDLs, HTTP Log Forwarding, auto-tagging, or via libraries (pan-python, pandevice). Show a live demo of these components playing together, especially in the cloud.

Additional Resources

More competitive intelligence (internal)
More competitive intelligence (partner)
