• Status: Solved

Juniper Firewalls - Dying or getting Bricked?

Anyone experience issues with Juniper Firewalls being particularly sensitive hardware to power variations?  (brownouts, blackouts, spikes)  Presumably we have lost a couple of Juniper firewalls due to power surges, EVEN THOUGH the devices are on enterprise grade UPS. When power resumed, our firewalls did not, everything else was just peachy.

We've had several power outages and have lost multiple Juniper Firewalls even though they were on high-grade UPS backup battery and high-end power backup generation equipment. No other hardware, out of thousands of PCs, 60+ switches, wifi access points or other hardware, was affected by the power outages\surges.

I'm interested in hearing your experiences with Juniper hardware and its sensitivity to power variations. Thanks
0
JohnArmstrong
Asked:
1 Solution
 
John Hurst, Business Consultant (Owner), Commented:
I have Juniper Netscreen firewalls at clients and I have only had one failure. It was on a UPS. It was also five or six years old. I have had the others in place from 3 to 10 years and generally I find them to be reliable devices.

Separately, I have had other brands of routers fail as a result of power outages or variations.

... Thinkpads_User
0
 
giltjr Commented:
It would be nice to have a little clarification.

You state that you have "high-grade UPS backup battery and high-end power backup generation equipment"

Yet you also stated:

"When power resumed, our firewalls did not, everything else was just peachy."

That implies that they lost power when you lost building power and so they went down and when building power was restored they would not power up.

So, did they lose power and go down when you lost building power?  If so, why?  If they did not, then what do you mean by that statement?
0
 
btan, Exec Consultant, Commented:
Actually it can be due to many factors; I doubt it is specifically on the FW itself since it is supposed to be EMC Emissions, EMC Immunity, ETSI tested and certified. They also have a fuse as per the normal standard.  In almost every guide, they all recommend using a surge protector for the power connection. Not specific to Juniper only.

Indeed, for running a datacenter, you cannot rely on the device's native protection but also need to ensure the correct DC or AC loading and that all sockets are grounded and have surge protector switches... I do see the other external factors being the culprit and even FW is of such military robust grade but more of standard security certified and safety certified as in all security appliances... they have a fuse
0
 
JohnArmstrong (Author) Commented:
giltjr, thanks for your post. Yeah, I misspoke; when the power outage occurs, the UPS is there to cover the hardware during the couple of seconds before the generator kicks in and fires up. The hardware was dead when the power outage occurred, so I don't know if it was due to a spike at the time of the outage (which the grounded outlet and UPS should have trapped anyway) or the switchover to battery or the switchover to generator or the switchover back to the grid when power was restored to the buildings.  I know that as a rule of thumb, generators can create spikes, which is why you want your hardware on a UPS because they provide additional power filtering in addition to keeping the hardware alive until the diesel generator kicks in.
0
 
John Hurst, Business Consultant (Owner), Commented:
Power spikes can kill router equipment. I have had that happen, albeit not with Juniper. Perhaps get a small true UPS supply for your network gear so there is no outage at all during a switchover.

... Thinkpads_User
0
 
giltjr Commented:
How old is the UPS?  How often do you think you get power spikes?

What type of PDU's do you have?

Devices that are designed to absorb power spikes can actually "wear" out and allow spikes through.
0
 
JohnArmstrong (Author) Commented:
The UPS is new, 3 months?  In all environments where I've encountered this the UPS have been newer than 12 months.  I wonder if it's occurring when the device is trying to boot up and there's another blip in the power during the boot-up cycle. Maybe Juniper doesn't like having its boot cycle interrupted?
0
 
John Hurst, Business Consultant (Owner), Commented:
If your UPS was protecting the gear, then it may just be a failure of the device. That happens.

I assume when you say UPS, you mean Uninterruptible Power Supply (you said enterprise grade UPS). These are devices that feed the gear from filtered battery supply and use AC to charge the batteries. Such devices are immune to ordinary power surges and blips.

So given the above, it does not appear to be a power issue and probably just failures of the gear. As I noted above, I had one such failure; otherwise Juniper gear is very robust.
0
 
btan, Exec Consultant, Commented:
It is pretty tough to say it is a UPS issue, as it is supposed to be robust and pass each defensive maintenance check, at least bi-annually or ad hoc. Typically, if the building has had a surge before, never assume the UPS or equipment is OK but have it verified again - trust but verify.

Also, power info of the FW can be gotten from SNMP for monitoring, e.g. to monitor the description and status of the power supply, the following OIDs can be used:

.1.3.6.1.4.1.3224.21.1.1.1 (.*) - A 32-bit integer that uniquely identifies the power supply ID.
.1.3.6.1.4.1.3224.21.1.1.2 (.*) - A 32-bit integer that uniquely identifies the power supply module's status: 0 - Fail, 1 - Good
.1.3.6.1.4.1.3224.21.1.1.3 (.*) - A description for the power supply module.

There should be dual supply possible, but overall we need to consider the BTU as well, as if the air con goes down the overall DC heats up pretty fast and devices will fail even faster, even if we have a UPS...

How can I tell what the BTU's are for Juniper firewall devices?
First confirm if the BTU is posted in the Firewall/IPSec VPN Specifications and Datasheets.  If it is not posted, a conversion of Watts to BTU is done as follows:
Kilowatt/hour (1000 watts) = 3,413 BTU/hour
Watts/hour = 3.413 BTU/hour
Watts x 3.413 = BTU
The datasheets publish the watt specifications, so the BTU can be calculated using the above formula.

For example:
The NetScreen-204 and NetScreen-208 normal working status or average power consumption is roughly 30 Watts. The AC power supply output capacity is 45 Watts. Peak consumption and current on boot up is 20 A Max at 120 VAC, and 40 A Max at 240 VAC.

45 watts = 154 BTU         (45 watts x 3.413 = 154 BTU)
30 watts = 102 BTU         (30 watts x 3.413 = 102 BTU)
20 watts =  68  BTU         (20 watts x 3.413 = 68 BTU)

normal = 102.39 BTU, max = 153.585 BTU, using 30 Watts and 45 Watts respectively.
This is based on published watt specifications from the Juniper datasheet for the device.
0
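The power-supply status OIDs listed in the post above can be checked by parsing saved walk output and joining the ID, status and description columns by row index. This is an added example, not code from the thread or from Juniper; the sample lines are constructed, the function names are hypothetical, and the walk is assumed to have been collected in numeric form (for instance over SNMPv3 from a management host).

```python
import re

# Column OIDs as quoted in the post: .1 = ID, .2 = status, .3 = description.
BASE = ".1.3.6.1.4.1.3224.21.1.1"
STATUS_TEXT = {0: "Fail", 1: "Good"}  # status values as given in the post

# Constructed sample of numeric (`snmpwalk -On`) output, not from a real device.
SAMPLE_WALK = """\
.1.3.6.1.4.1.3224.21.1.1.1.0 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.1 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.3.0 = STRING: "Power Supply 1"
.1.3.6.1.4.1.3224.21.1.1.3.1 = STRING: "Power Supply 2"
.1.3.6.1.2.1.1.3.0 = Timeticks: (8640000) 1 day, 0:00:00.00
"""

LINE_RE = re.compile(r"^" + re.escape(BASE) + r"\.([123])\.(\d+) = \w+: (.*)$")
FIELDS = {"1": "id", "2": "status", "3": "desc"}

def _as_int(value):
    """Pull the first integer out of a value such as '1' or 'good(1)'."""
    m = re.search(r"\d+", value)
    return int(m.group()) if m else None

def parse_power_table(walk_text):
    """Group walk lines into {row_index: {'id', 'status', 'desc'}}."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other subtrees, error text, wrapped lines
        col, idx, value = m.groups()
        field = FIELDS[col]
        rows.setdefault(int(idx), {})[field] = (
            value.strip('"') if field == "desc" else _as_int(value)
        )
    return rows

def power_alerts(rows):
    """Return (index, description, state) for every module not reporting Good."""
    alerts = []
    for idx in sorted(rows):
        status = rows[idx].get("status")
        if status != 1:  # failed, or status row missing from the walk
            state = STATUS_TEXT.get(status, "Unknown")
            alerts.append((idx, rows[idx].get("desc", "?"), state))
    return alerts
```

A module whose status row is absent from the walk is reported as "Unknown" rather than silently treated as healthy.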
 
JohnArmstrong (Author) Commented:
Breadtran, a wealth of info, thank you.  I like the idea of monitoring the firewall's power supply with SNMP, but we get dinged for SNMP when we have it running because there are many potential vulnerabilities and now there are amplification attacks that can be utilized with SNMP.  John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips. OMG! I can tell you have how many UPS I have seen misbehave and\or die from ordinary brown outs, surges or spikes.  This is simply not the case and anyone that's had a few years exposure to working with UPS will tell you so, they do not behave predictably under any circumstances.
0
 
btan, Exec Consultant, Commented:
thanks for sharing
0
 
John Hurst, Business Consultant (Owner), Commented:
John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips.

I am pleased your problem is solved. However I have never in my life seen a commercial UPS pass spikes through the isolated battery supply that powers gear. So that is why I answered the way I did.
0
