Differences between Juniper SRX and Palo Alto Networks firewalls

Once you are familiar with one firewall, sometimes it is difficult to be comfortable on another firewall. Here I will list 2 things that you do differently on these firewalls. At least these were the first things I noticed.


On an SRX firewall, if you ping a remote address, command will be accepted.

However if you run the same command on a Palo Alto firewall, you get an invalid syntax.

However this isn’t really the difference I would like to tell. The correct syntax on Palo Alto is like this

Although the outcome is the same, in Palo Alto firewall, you are running it by default on management instance i.e your default gateway that you set in your virtual router, doesn’t receive this traffic. This is important in troubleshooting. As you can see below, we have two different gateway for management network space and traffic network space. (I made these term up by the way:)

In order to change ping source from management interface to a traffic interface address you simply run the command in the following way;

This time you specifically tell the system that packets should leave the firewall via the traffic interface with the source address specified. SRX however doesn’t have this separation at least till the releases I have experienced i.e it follows the normal routing table.

2) Security Policy and Destination NAT Configuration

On SRX, if you are creating a DNAT and Security policy couple,

  • Security policy should have the internal destination IP address and translated port number (if port changes)
  • DNAT rule zone context has only from zone statement. There is no to-zone in the configuration

On Palo Alto, however

  • Security policy should have the external destination IP address instead of the internal one as opposed to SRX and pre-NAT port number in the policy
  • As for DNAT, if packet is coming from untrust and going to trust, you still write your NAT rule from untrust to untrust

I hope I haven’t made a mistake so far. I am hoping to write more later in topology examples.

Please drop your comment if you would like to share anything.

6 thoughts on “Differences between Juniper SRX and Palo Alto Networks firewalls

  1. rtoodtoo Post author

    I thought I had disabled sending notifications to subscribed users but I apparently I did a mistake:) You weren’t supposed to receive an update. Mike, I wish you will get one soon. GUI is really nice unfortunately there is no free education/lab version of Palo Alto Firewalls as far as I know.

    1. rtoodtoo Post author

      Thank you for the feedback Kerry. Much appreciated. I will probably write more about Palo Alto too.

    1. rtoodtoo Post author

      By using IDP, you can do this Metin but configuring IDP on SRX is really big challenge.


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.