Unified Threat Management (UTM) on Junos is BAD

25 03 2010

I probably shouldn’t say this, but UTM on Junos with their new SRX devices.. (ahem).. is not very good… Juniper support is excellent, and the base features of the device are good, but there are a few caveats:

1. Don’t do too much logging
2. Especially, don’t log too much to the device’s filesystem
3. Don’t implement large whitelists/blacklists (particularly with wildcard filtering on URLs)

Juniper’s support on this product is (as usual) excellent, and far surpasses any other manufacturer’s level of help. However, there are some bits of code in this box that haven’t undergone the level of testing you might expect.
Junos 10.0R3 is therefore what we should all be waiting for – available in April. It includes almost 300 fixes (just fixes – no new features), and they have re-worked how the do Q&A on the entire product line.

If you’re struggling with an SRX right now, I’d be really interested to hear from you. In the meantime, let’s hope that release R3 is going to alleviate some of our pain..




11 responses

22 04 2010

I too am having ridiculous amounts of problems with the UTM features on the SRX box. In particular the anti-spam engine. In 10.0r2.1 I could not get any traffic to pass through what-so-ever with the utm applied to my testing policy. JTAC support recommended going to 10.0r3.1, in which I did. Everything seemed peachy as it was now allowing traffic and blocking SPAM as it should. Little did I know that I was receiving random cpu threshold exceeded error messages (thanks syslog logging, or lack thereof as far as configuration) and the device did a core dump after having the utm policy applied. I have had to turn this back off, again, and reopen my case with Juniper. At this point, I am having a hard time in coping with the difficulties I have had with this device (buggy OS versions), its limitations on things that are supported by devices that could easily be considered the lesser, and its overall feeling of beta stages.

25 04 2010

Interesting! Thanks for your reply… Are you using any other UTM features (other than the anti-spam)? What’s the process that is crashing? (I think it is named in the core file if you do a ‘show system core’).

You’re right – it does feel a bit buggy, and I’m disappointed. 10.0R3.10 seems better, but we had another crash the other day that we are getting checked out.

28 04 2010

On both occasions the PFE Manager went out to lunch and stopped responding. At that point, hosts of other services become……unavailable at best.

At this point, I still have an open JTAC ticket…….

29 04 2010

Interesting… Sounds a bit like one of our first major incidents, which was a memory leak in the anti-virus scanning. It would use up buffer space until eventually forwarding (or utmd) stopped. We’d have to do a ‘restart utm’ or ‘restart forwarding’ to get it going again.

They gave us a secret Junos command to check buffer utilisation – don’t know if you’ve seen this?

user@host> request pfe execute target fwdd command "show mbuf host"
SENT: Ukern command: show mbuf host
GOT: pool-size free-count Usage curr-allocable
GOT: --------- ---------- ----- --------------
GOT: zero payload: 339 339 0 98
GOT: 128 payload: 0 0 0 0
GOT: 512 payload: 0 0 0 0
GOT: normal payload: 40340 40335 0 40094
GOT: large payload: 49 39 20 7

What we were looking for was the Usage column and the Normal Payload row intersection. This is a percentage value, not an absolute figure. When the box is busy doing some UTM stuff, the figure will rise from 0%, but should drop back again. What we saw was that it rose about 1% every 10 minutes and never fell back. When it got to about 80% it was inoperative.

There was another site that had the same code and a very similar config, but didn’t have the issue as much. In the end it turned out to be traffic dependent. The affected site had more MIME traffic than the other.

Obviously you’re not doing the AV scanning, so it’s not directly relevant to your issue, but if this figure is creeping up, it could indicate a leak in the anti-spam part of UTM.

30 04 2010

This is excellent information. I have received nothing like this from JTAC as of this point. I will re-enable the policy and check this during a maintenance period. Thanks! I will let you know what happens.

23 05 2011

Good day Steve,

I am currently working on an SRX100 firewall , and I want it to block all sites on the Internet except the following sites in a whitelist

I have tried to use the value http://*.*.* in the blacklist but to no avail.
Also, I am not so sure of whether to have both blacklists and whitelists in my configuration. I have them both, but the websites that are not in the blacklists and whitelists are not being logged at all.

Can you please suggest how i can go about this?

Kind regards,

3 08 2011
Rex Henderson

So did the April release resolve any of the issues that you mention herein?

2 03 2012

From my understanding http://*.*.* isnt a valid string, I assume your trying to block everything except the whiltelist with the above?
Only the * before the first “.” will be valid, e.g.
*.juniper.net is valid
www.*.net isnt valid
In the web-filtering stanza under your profile you need to use a default deny.

7 04 2012
Huw bamford

I am new to juniper I have recently replaced my isa server with juniper srx220h with utm. So far happy with the new firewall I am unsure on how to manage the anitapam from Web browser or is this not possible.

Any help woul be great.

13 12 2015

Hi everyone,
i’am at the point to use SRX240 with UTM did they correct all the problem you got and i’am regarding to implement untangle in case of , any suggest ?

Thnx for your feedback

15 12 2015

Hi Dario –
To give Juniper credit, they worked very hard to fix a lot of the problems we had. At the end of the project everything was working very well – we just went through several release of code before we got to stability.

I’ve not used UTM in a couple of years though, so I imagine it is even better – especially with the new hardware Juniper have just released.

I think you still need to be careful about scaling when implementing anti-virus – it takes a lot of horsepower to do the AV function, so your throughput drops quite a bit. See Juniper datasheets for guidance.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: