Differences between Juniper SRX and Palo Alto Networks firewalls
Once you are familiar with one firewall, it can take a while to feel comfortable on another one. Here I will list two things that you do differently on these two firewalls; at least these were the first things I noticed.
1) PING
On an SRX firewall, if you ping a remote address, the command is accepted as it is:

root@J200> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=12.637 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=7.674 ms
However, if you run the same command on a Palo Alto firewall, you get an invalid syntax error:

admin@PA10> ping 8.8.8.8
Invalid syntax.

This isn't really the difference I want to point out, though. The correct syntax on Palo Alto is:

admin@PA10> ping host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=10.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=9.69 ms
Although the outcome is the same, on a Palo Alto firewall this ping runs by default from the management plane: it leaves through the management interface and uses the management interface's default gateway, so the default gateway you set in your virtual router never sees this traffic. This matters when troubleshooting, because a successful ping from the CLI does not prove that the data plane can reach the destination. As you can see below, there are two different gateways, one for the management network space and one for the traffic network space (I made these terms up, by the way:).
admin@PA10> show interface management
-------------------------------------------------------------------------------
Name: Management Interface
Link status:
  Runtime link speed/duplex/state: unknown/unknown/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 00:50:56:b8:4f:c2
Ip address: 10.100.100.150
Netmask: 255.255.255.0
Default gateway: 10.100.100.1        <--- Management gateway
admin@PA10> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp

VIRTUAL ROUTER: default (id 1)
==========
destination     nexthop         metric  flags  age  interface    next-AS
0.0.0.0/0       192.168.6.1     10      A S         ethernet1/1           <--- Traffic gateway (virtual router)
10.2.2.0/24     10.2.2.1        0       A C         ethernet1/2
To source the ping from a traffic interface address instead of the management interface, run the command in the following way:

admin@PA10> ping source 192.168.6.3 host 8.8.8.8

This time you explicitly tell the system that the packets should leave the firewall via the traffic interface that owns the specified source address (ethernet1/1 here), and they follow the virtual router's routing table, so a reply actually proves data-plane reachability. SRX, at least in the releases I have worked with, doesn't have this separation: ping simply follows the normal routing table.
2) Security Policy and Destination NAT Configuration
On SRX, when you create a DNAT rule and security policy pair:
- The security policy should match the internal (post-NAT) destination IP address and the translated port number (if the port changes), because destination NAT is applied before the policy lookup.
- The DNAT rule-set zone context has only a from-zone statement; there is no to-zone in the configuration.
On Palo Alto, however:
- The security policy should match the external (pre-NAT) destination IP address and the pre-NAT port number, the opposite of SRX, while its destination zone is the post-NAT zone (trust in this example).
- As for the DNAT rule, if the packet is coming from untrust and going to trust, you still write your NAT rule from untrust to untrust, because the NAT rule's destination zone is the zone the original (pre-NAT) destination address routes to.
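To make the two conventions concrete, here is an added example (my own, not code from the original post or from either vendor) that renders the same DNAT intent, external 203.0.113.10:80 translated to internal 10.2.2.20:8080 from zone untrust to zone trust, as Junos set commands and as PAN-OS configure-mode set commands. The rule names, zone names and addresses are made up, and the exact PAN-OS set syntax is written from memory, so check the generated lines against your own release before committing them. The point it shows is which address and port each platform's security policy has to match.

```python
"""Render a destination-NAT rule plus its matching security policy for
Juniper SRX (Junos) and Palo Alto Networks (PAN-OS), highlighting which
address and port the security policy must match on each platform.

Added example, not code from the original post. Rule names, zone names,
addresses (RFC 5737 / RFC 1918 ranges) and the exact PAN-OS set syntax are
assumptions; verify the output against your own release before committing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnatRule:
    name: str
    from_zone: str       # zone the packet arrives in (pre-NAT zone)
    to_zone: str         # zone of the translated (internal) address
    external_ip: str     # destination address as seen on the wire
    external_port: int   # destination port as seen on the wire
    internal_ip: str     # translated address
    internal_port: int   # translated port


def policy_match(rule: DnatRule, platform: str) -> tuple[str, int]:
    """Return the (destination address, port) the security policy must match.

    SRX applies DNAT before the policy lookup, so the policy sees the
    translated address and port. PAN-OS evaluates security policy on the
    original (pre-NAT) address and port, but with the post-NAT zone.
    """
    if platform == "srx":
        return rule.internal_ip, rule.internal_port
    if platform == "panos":
        return rule.external_ip, rule.external_port
    raise ValueError(f"unknown platform: {platform}")


def render_srx(rule: DnatRule) -> list[str]:
    """Junos 'set' commands: DNAT rule-set (from-zone only) plus security policy."""
    rs = f"security nat destination rule-set from-{rule.from_zone}"
    pol = f"security policies from-zone {rule.from_zone} to-zone {rule.to_zone} policy {rule.name}"
    dst_ip, dst_port = policy_match(rule, "srx")
    return [
        f"set security nat destination pool {rule.name}-pool address {rule.internal_ip}/32 port {rule.internal_port}",
        f"set {rs} from zone {rule.from_zone}",   # a Junos DNAT rule-set has no 'to zone'
        f"set {rs} rule {rule.name} match destination-address {rule.external_ip}/32",
        f"set {rs} rule {rule.name} match destination-port {rule.external_port}",
        f"set {rs} rule {rule.name} then destination-nat pool {rule.name}-pool",
        # policy objects carry the POST-NAT address and port
        f"set security zones security-zone {rule.to_zone} address-book address {rule.name}-internal {dst_ip}/32",
        f"set applications application {rule.name}-app protocol tcp destination-port {dst_port}",
        f"set {pol} match source-address any",
        f"set {pol} match destination-address {rule.name}-internal",
        f"set {pol} match application {rule.name}-app",
        f"set {pol} then permit",
    ]


def render_panos(rule: DnatRule) -> list[str]:
    """PAN-OS configure-mode 'set' commands (syntax assumed, see module docstring).

    The NAT rule goes from the ingress zone to the zone the ORIGINAL destination
    routes to (untrust -> untrust here); the security policy uses the post-NAT
    destination zone but the PRE-NAT address and port.
    """
    dst_ip, dst_port = policy_match(rule, "panos")
    svc = f"{rule.name}-svc"
    return [
        f"set service {svc} protocol tcp port {dst_port}",
        f"set rulebase nat rules {rule.name}-dnat from {rule.from_zone} to {rule.from_zone} "
        f"source any destination {rule.external_ip} service {svc} "
        f"destination-translation translated-address {rule.internal_ip} translated-port {rule.internal_port}",
        f"set rulebase security rules {rule.name} from {rule.from_zone} to {rule.to_zone} "
        f"source any destination {dst_ip} application any service {svc} action allow",
    ]


# Constructed sample rule: publish an internal web server on a public address.
WEB = DnatRule("web", "untrust", "trust", "203.0.113.10", 80, "10.2.2.20", 8080)

if __name__ == "__main__":
    for platform, render in (("srx", render_srx), ("panos", render_panos)):
        print(f"# {platform}: security policy matches {policy_match(WEB, platform)}")
        print("\n".join(render(WEB)))
        print()
```

Run it and compare the two policy lines: the SRX policy points at the address-book entry for 10.2.2.20 and an application on port 8080, while the PAN-OS policy points at 203.0.113.10 and a service on port 80, and only the PAN-OS NAT rule is written untrust to untrust.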
I hope I haven't made a mistake so far. I am hoping to write more later with topology examples.
Please drop a comment if you would like to share anything.
Great! Hope to have the chance to get a Palo Alto in my hands to play.
I thought I had disabled sending notifications to subscribed users, but apparently I made a mistake:) You weren't supposed to receive an update. Mike, I hope you will get one soon. The GUI is really nice; unfortunately there is no free education/lab version of Palo Alto Firewalls as far as I know.
It’s good to see you blogging again Genco. Your SRX posts have been very useful, I’m sure your Palo Alto posts will also be just as good.
Thank you for the feedback Kerry. Much appreciated. I will probably write more about Palo Alto too.
Hi Genco,
I would like to drop TCP or UDP packets which include specific ASCII text by using a Juniper SRX. Is it possible?
Metin.
By using IDP you can do this, Metin, but configuring IDP on SRX is a really big challenge.