Cisco Support Community
Community Member

netscreen ssg versus asa

Hi, I would like to hear comments from everybody here as to what they feel about NetScreen SSG as compared to ASA. People blinded by Cisco may not post. This is for people who are open to comparing the technologies offered by both vendors in the firewall platforms.



Community Member

Re: netscreen ssg versus asa

I have used both, so will offer my comments.

I find the NetScreen CLI language (especially NAT configuration) to be more intuitive and simpler to use than the ASA CLI. The GUI is worlds better than the Cisco GUI, although the Cisco GUI is much better than it used to be.

Many of the SSG series accept plug-in cards (PIM and mini-PIM) for adding T1/E1, ADSL, ISDN, and serial WAN connectivity.

The Juniper JTAC is good, but not as good as the Cisco TAC. There are far more online resources and help forums available for the PIX/ASA than for the NetScreen SSG.


Re: netscreen ssg versus asa

I am a fan of Cisco PIX/ASA. However, in one of the GSM projects we used NetScreen because it used to support GTP while PIX 6.x did not and ASA was not on the market yet.

We faced several occasions when the NetScreen rebooted and flushed all the configuration. Out of six firewalls, they changed two in six months. Their CPU used to easily hit 70% even though we were just using firewall rules and VPNs.

As for the GUI, it is good; however, the ASA is pretty similar to it and has more troubleshooting capabilities.

Another issue that we faced is their interface negotiation problem with the Cisco switches, where setting them to 100 Full was not as good as setting them to Auto on both sides.


Community Member

Re: netscreen ssg versus asa

I manage several NetScreens that predominantly do VPN, and their logging is the pits; you can't troubleshoot very well based on the log files. I also think that the ASA is easier to set up for management, and the fact that the new ASDM for 7.0(2) actually allows you to filter the log entries for troubleshooting is WAY better. The routing and the VLAN configuration on the NetScreen are OK, but their interpretation of VLANs and routes is a little obscure. They have, however, been very stable. I also think that Cisco's QoS is better, and you can really be granular with it on the tunnels in pre-classifying traffic, and it appends the QoS markings to the IPsec headers.
