I've been a Cisco guy for as long as i've been interested in networking. Heavy kool-aid drinker back then...
Recently I started using a SRX device from Juniper and i'm liking
it... It can do things ASA can't touch in so far as a firewall
appliance goes. the things i've most enjoyed thus far is its ability
to do policy routing based on most anything up to layer 4, including
QOS/DSCP tags. BGP/OSPF on the same device is also nice, clustering
too, most without additional licenses. The config at first was messy
looking (XML), now it looks logical and seems a better way to organize
sections than what PIX/FWSM/ASA use(d). The ability of the devices to
push packets threw it seems a lot better than Cisco from a dollar to PPM
perspective, both when loaded with features and ACLs in use, and raw
unhindered forwarding throughput. The only thing negative i can say
so far is the web gui sucks, its so slow. but real men don't use GUIs
anyway, right? sigh --- i did use it to set up the vpn stuff,
seemed like the path of least resistance as i am a juniper n00b.
policy routing is awesome. I want to make up a t-shirt with something to that effect. 8) I set up an acl on the squid server that tags any out bound traffic which contains "youtube" (and others of course) in the url string with a DSCP tag, the firewall is looking for these and when it sees one, it off loads that traffic onto our 'backup/backdoor' 5megabit DSL connection, leaving the high price commercial ISP to be more exclusive to 'real' business related traffic. doing other things with DSCP too, but i'm sure you all have heard the neat things you can do by classifying your traffic... suffice to say, my workstation will have as much as it wants whenever it wants!! muhhahahaha...
ok back to work. just wanted to share. I don't work for Juniper nor have the offered me a job or compensation. 8)
anyway if you will be purchasing a commercial firewall anytime in the future, put them on the list of vendors to consider. yes, we all know your linux/bsd firewall is awesome.
-g