Some dark clouds seen at the Juniper SSG520 haven.
After weeks and months of operating SSG520s I discovered some issues, which in my opinion should be fixed by Juniper as soon as possible.
- Proxy DNS: As long as you need only forward resolution of DNS names to IPs, everything is fine with proxy DNS. But if your application requires a working reverse resolution (IP to DNS name), like SSH, then you will get into real trouble. Proxy DNS in ScreenOS 5.4 up to 6.1 does not support reverse lookups, and so your SSH based applications at your clients connecting through an SSG520 and using proxy DNS may get into trouble or run at slow performance. E.g. an SSH login may take 10-30 seconds until a timeout hits and the client detects that the reverse lookup is not working or no reverse lookup record is available. Definitely a point that Juniper should fix. It should not be that complicated to extend the current implementation so that the admin can maintain a list of subnets in the proxy DNS config and the assigned DNS servers for reverse lookups.
- Multiple crashes during IPS pattern updates: Initially we ran all SSG520s on ScreenOS 5.4r6; some weeks ago, during the deep inspection (IPS) pattern updates, all boxes crashed. Based on our JTAC case the response was: it might happen that a pattern update crashes the box. Recommendation: upgrade to ScreenOS 6.1r1 or 6.1r2. But the root cause was the pattern file itself. I would recommend that Juniper reviews their procedure to release pattern updates. They should test the pattern files before they release them.
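To confirm the proxy DNS reverse lookup symptom described above before blaming SSH itself, here is a small added probe (my own example, not code from the post or from Juniper) that hand-builds a PTR query, sends it to a resolver address you supply, and reports whether it was answered, returned NXDOMAIN, or simply timed out, together with the elapsed time. The resolver and client IP are placeholders for your own proxy DNS address and the address whose reverse record SSH would look up.

```python
import socket
import struct
import time

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name used by a PTR query for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (recursion desired) for the PTR record of ip."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = reverse_name(ip).split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 12, 1)  # QTYPE=PTR(12), QCLASS=IN(1)

def parse_response(data: bytes, txid: int) -> dict:
    """Return the RCODE and answer count from a DNS response header (rcode 3 = NXDOMAIN)."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "answers": an}

def probe_ptr(resolver: str, ip: str, timeout: float = 5.0) -> dict:
    """Send the PTR query to resolver:53 over UDP and time the outcome."""
    txid = 0x1234
    query = build_ptr_query(ip, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
        result = parse_response(data, txid)
        result["status"] = "answered" if result["answers"] else "no-ptr-record"
    except socket.timeout:
        # A timeout (rather than NXDOMAIN) is the signature of a resolver that never forwards PTR queries.
        result = {"status": "timeout", "answers": 0, "rcode": None}
    finally:
        sock.close()
    result["seconds"] = round(time.monotonic() - start, 3)
    return result

if __name__ == "__main__":
    import sys  # usage: python ptr_probe.py <proxy-dns-ip> <client-ip>  (placeholders)
    print(probe_ptr(sys.argv[1], sys.argv[2]))
```

A fast NXDOMAIN means reverse resolution works but the record is missing; a multi-second timeout matches the slow SSH logins described in the post.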
We will see what comes up during the next months.