JUNIPER SRX VS.

PALO ALTO NETWORKS NEXT-GEN FIREWALL

Juniper Networks Juniper’s Strengths

Founded in 1996 as an ISP router manufacturer, Juniper entered the security market • Juniper has strong brand recognition among network teams.
in 2004 with the acquisition of NetScreen. Juniper’s SRX firewalls, available as
branch, enterprise, or service provider (SP) appliances, run on Junos OS, like the • SRX shares network features with MX Series routers. Both run on Junos.
company’s MX Series routers.
ABOUT

SPs remain Juniper’s primary focus, with most products built for large-scale de- • Junos is perceived as mature and stable. Data and control plane are separated.
ployments with little attention to enterprise requirements. Even though Juniper
• Existing customers like the powerful CLI and API functions.
continues to struggle in security, with revenue in this area declining year over year,
it remains a strong incumbent that can tug security into larger network deals, similar • Juniper offers great automation capabilities, but manual stitching is required.
to Cisco.
In 2015, Juniper sold its Pulse VPN technology to a private equity firm. It exists • SRX has very high L4 throughput without security features, including “Ex-
today as Pulse Secure, without any relationship to Juniper. pressPath” for accelerating established connections.

STRENGTHS AND WEAKNESSES

Juniper’s Weaknesses
• Security is not their game. There is no vision or thought leadership for
Questions to Ask public cloud/SaaS or endpoint security.
Director IT / Information • Juniper’s annual security revenues has been declining—from $670M in
CIO, CISO Security Security Managers 2012 to $330M in 2018—in a market with 8% CAGR. Are they serious
about security?
As your organization moves Do you spend a lot of your Are your security analysts
to the cloud, how will you time managing vendors and overwhelmed with the • The virtual vSRX firewall is only supported in AWS and Azure.
address security for SaaS stitching together security amount of security controls?
and other public cloud platforms? • Third parties (Avira, Forcepoint/Websense, Sophos) provide most security
applications? features, but none share findings with Juniper’s threat intelligence platform.

• Each security feature, including AppControl, requires a paid license and

­degrades performance. Unpredictable performance leads to security and/
or speed trade-offs.
Is the security different at Are your network and Does your security vendor
different locations inside endpoint security controls rely on other vendors to
• Central configuration is split between Junos Space and Security Director
and outside your organi- integrated? deliver core security fea-
(an app running on top of Space). There are still functional differences
zation? tures? How well are they
integrated? ­between local (J-Web) and central Space administration. Multiple UIs
­create administrative overhead and opportunities for misconfiguration.

• Juniper focuses on the SP market. Everything is built for SPs first and scaled
Are you confident that your Can you enable advanced Do you have to train your down for enterprises, which tends to make the products overly complicated.
security vendor provides security features without teams on multiple admin
the visibility into your secu- resizing your firewall infra- interfaces? • Juniper offers limited local log storage and reporting capabilities (no SLR/
rity posture that you need? structure? BPA) and no visibility into threat intelligence (i.e., no AutoFocus equivalent).

© 2019 Palo Alto Networks, Inc. | Juniper SRX vs. Palo Alto Networks Next-Gen Firewall | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1
JUNIPER SRX VS. PALO ALTO NETWORKS NEXT-GEN FIREWALL

Feature Comparison Matrix

Position Juniper SRX as a “Secure Router”
Juniper will try to avoid deep security discussions, instead Feature PAN-OS 9.0 Junos 19.2
highlighting the advanced network features of Junos (e.g.,
BGP, QoS). SEs will downplay the importance of App-ID and Single-Pass Architecture for Yes No (each feature degrades
steer the conversation toward Juniper’s higher L4 throughput, predictable performance performance)
connections per second (CPS), or max sessions.
Counter by emphasizing the importance of application-level Natively engineered next-gen Yes No (Router OS with bolt-on
visibility. Demonstrate actual security misses with an SLR. How firewall security capabilities; AppControl
many of the advanced network features and what CPS does an is third party)
enterprise customer really need?
Point out that security functions on SRX are managed by a Virtual next-gen firewall ESXi, NSX, Hyper-V, KVM, ACI, ESXi, NSX, KVM, AWS, Azure
different UI (Security Director on top of Junos Space). It is not ­deployment options GCP, AWS, Azure, AliCloud,
as simple as an MX router. Oracle, vCloud
Avoid a Proof of Concept
JUNIPER SALES PLAYS

Consistent management UI Yes (Panorama) No (Junos Space for network,

Juniper will try to avoid a PoC, but if forced into one, will likely
across firewall product line Security Director for security)
demonstrate Space/Security Director and tell a story about
automation using APIs and CLI.
Ask the customer if Juniper showed demos or a live deploy- Bare metal analysis of malware Yes No
ment. Push for an on-site PoC and demonstrate the consistency
and simplicity of PAN-OS and Panorama. Intrusion prevention system Yes, always on Yes, but “intelligence inspection”
(IPS) functionality will reduce IPS functionality
Juniper gives customers a lot of automation opportunities, but during stress
little guidance on implementation. Do a live demo of our auto-
mation capabilities. Don’t let Juniper cherry-pick network-cen-
tric use cases. Insist on enabling all security features. Natively integrated AV Yes No (third party)

Sell on Datasheet Numbers Natively integrated URL filtering Yes No (Forcepoint/Websense)

Juniper will try to sell customers on their IMIX L4 firewall
performance numbers. “Turn everything on” is a Juniper SE’s User identification AD, LDAP, XML API, syslog, Limited to LDAP/RADIUS/­
nightmare. port mapping, XFF headers, TACACS+
Point out the total lack of security features in this mode (“SRX client probing
delivers malware really fast”). Remind customers that Junipers
ExpressPath will route packets with no inspection after initial Local logging Yes Limited local storage and
session setup. reporting, recommend external
Steer the conversation toward an on-site PoC with real-world log collector
traffic mixes. Make sure Juniper enables “Enterprise Recom-
mended” IDP signatures and antivirus as both directly affect
Credential theft prevention Yes No
SRX performance.

© 2019 Palo Alto Networks, Inc. | Juniper SRX vs. Palo Alto Networks Next-Gen Firewall | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 2
JUNIPER SRX VS. PALO ALTO NETWORKS NEXT-GEN FIREWALL

Educate the Customer on the Importance of Security OBJECTION HANDLING

A router is not a security appliance. Repeat that over and over.
Stress the importance of advanced security features like App-ID, “You don’t need advanced security features. Why pay a premium?”
Threat Prevention, and WildFire. Get the customer to create an Juniper claims most of our customers do not use advanced security features, such as App-ID,
SLR and SaaS report. Juniper cannot match this level of visibility, Threat Prevention, and WildFire. In fact, App-ID is enabled by default and the attach rate of
and it will open your prospect’s eyes to see what is really happen- Threat Prevention is around 80%. Companies need a Zero Trust strategy to prevent successful
ing in their network. ­cyberattacks and cannot afford blind spots in their networks.

Demonstrate Our Natively Engineered Next-Generation Firewall

Point out that almost all of Juniper’s security technology comes “Don’t trust other security vendors to build great network stacks. We run the internet.”
from other vendors. How long does it take to get a URL recatego- Juniper wants to use its strong brand in routing/switching to sell security. In reality, it is more
rized when Juniper needs to contact Websense? What happens difficult to get security right than to get networking right. Networks rely on established standards
if Juniper switches vendors? Automation can’t turn unknown and protocols while cybersecurity requires a lot of R&D and specialized knowledge to successfully
malware into prevention with that many disjointed third parties. fight unknown threats.
HOW TO COMPETE

Show how WildFire is natively integrated into all our products and
how prevention is automated.
“Why learn a new OS when you already use Junos OS on your routers?”
Leverage Our Strong Cloud Focus
Juniper will say SRX offers the same experience as MX Series routers. Junos Space requires a
Juniper does not have an answer for the customer’s journey to the ­separate application, Security Director, to be able to manage SRX firewalls. SRX devices operating
cloud. vSRX is only supported on AWS and Azure. Juniper has no as routers are not manageable under Junos Space. Sky ATP (a cloud sandbox) and JATP (an on-­premises
CASB, CWPP, or CSPM offering. Position Prisma SaaS, Traps, and sandbox) have completely separate UIs.
Prisma Cloud to force Juniper to bring in partners.

Push for a Proof of Concept “Junos OS had an API before it had a CLI.”
Set the table for the PoC and put a focus on security features. All Juniper claims to offer the best automation capabilities, but it is all DIY and not ready for ­enterprise
features, including logging, need to be enabled. Show the feature use. There are no templates or documented best practices. We have automation either built-in
parity between PAN-OS, Panorama, and the command line. Make (e.g., WildFire) or in the form of APIs, DAG/EDLs, HTTP Log Forwarding, auto-tagging, or via
sure Juniper demonstrates the SRX GUI as well. ­libraries (pan-python, pandevice). Show a live demo of these components playing together,
especially in the cloud.
Show the Ease of Use of PAN-OS and Panorama
Space and the Security Director have a steep learning curve. Our
user experience is consistent across local and central management.
Show the ACC and reporting capabilities.
Additional Resources
More competitive intelligence (internal)
Long-term Juniper customers tend to use the CLI and API for
managing firewalls. Show that we have the same capabilities.
More competitive intelligence (partner)

© 2019 Palo Alto Networks, Inc. | Juniper SRX vs. Palo Alto Networks Next-Gen Firewall | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 3