Juniper NetScreen Series

The NetScreen Series is a line of purpose-built, high-performance security systems designed for large enterprise, carrier, and data center networks. Architected with both existing and future network design in mind, the NetScreen Series consists of two platforms: the 2-slot NetScreen-5200 and the 4-slot NetScreen-5400. Integrating firewall, VPN, traffic management functionality, Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection in a low profile modular chassis, the NetScreen Series delivers scalable performance for the most demanding network environments.

NetScreen-5200

NetScreen-5200 is a 2-slot chassis integrating firewall, VPN, traffic management functionality, Denial of Service, and Distributed Denial of Service protection, delivering up to 10 Gbps of firewall throughput.

Learn more

NetScreen-5400

NetScreen-5400 is a 4-slot chassis integrating firewall, VPN, traffic management functionality, Denial of Service and Distributed Denial of Service protection, delivering up to 30 Gbps of firewall throughput.

Learn more

Features & Benifits
Product Options
Comparisons
Data Sheets

The NetScreen Series Security Systems are purpose-built firewall/VPN security systems designed for large enterprise, carrier and data center networks.

The 2-slot NetScreen-5200 and the 4-slot NetScreen-5400 integrate firewall, VPN, DoS and DDoS protection, and traffic-management functionality in a low-profile modular chassis. Built around our third-generation security ASIC and distributed system architecture, these systems offer excellent scalability and flexibility, while providing a higher level security system through the NetScreen ScreenOS custom operating system.

The NetScreen Series Security Systems offer:

Feature	Benefit
Modular, chassis-based systems	Flexibility and scalability for large enterprises and carriers.
Comprehensive high-availability	Sub-second failover between interfaces or devices provide high availability.
Full mesh configurations	Redundant physical paths in the network provide maximum resiliency and uptime.
Virtual systems	Allows partitioning into multiple security domains, each with a unique set of administrators, policies, VPNs and address books.
Interface flexibility	Varying network-connectivity requirements and future growth requirements are accommodated with a flexible interface.
Virtual routers	Maps internal, private, or overlapped IP addresses to a new IP address, providing an alternate route to the final destination and concealing it from public view.
Customizable security zones	Increases interface density without additional hardware expenses, as well as lowering policy-creation costs, containing unauthorized users and attacks and simplifying management of firewall/VPNs.
Transparent mode	Firewall, VPN and DoS protections are offered with minimal change to the existing network.
Management	A graphical Web interface, CLI, or Juniper Networks Network and Security Manager provide management features. Policy-based management: provides centralized, end-to-end life-cycle management.

Option	Option Description	Applicable Products
Integrated IPS (Deep Inspection)	Prevents application level attacks from flooding the network using a combination of stateful signatures and protocol anomaly detection mechanisms. IPS is annually licensed.Option	NetScreen-5200 and NetScreen-5400
Web filtering (redirect)	Block access to malicious Web sites using a Web filtering redirect solution such as SurfControl or Websense technology.	NetScreen-5200 and NetScreen-5400
Virtual systems	Supports up to 500 virtual firewalls—each with a unique set of administrators, policies, VPNs, and address books.	NetScreen-5200 and NetScreen-5400

Model	NetScreen-5200	NetScreen-5400
Maximum Performance and Capacity1
ScreenOS® Software version tested	ScreenOS 6.2	ScreenOS 6.2
Firewall performance (large packets)2	10/8 Gbps	30/24 Gbps
Firewall performance (small packets)	4 Gbps	12 Gbps
Firewall Packets Per Second (64 byte)	6 M PPS	18 M PPS
AES256+SHA-1 VPN performance2	5/4 Gbps	15/12 Gbps
3DES+SHA-1 VPN performance2	5/4 Gbps	15/12 Gbps
Maximum concurrent sessions3	1,000,000(9, 10)	2,000,000(9, 10)
New sessions/second11	26,500/22,000	26,500/22,000
Maximum security policies	40000	40000
Maximum users supported	Unrestricted	Unrestricted
Network Connectivity
Fixed I/O	0	0
Interface expansion slots	2 (1 x Management, 1 x SPM)	4 (1 x Management, 3 x SPM)
AN interface options	8 mini-GBIC (SX, LX or TX), or 2 XFP 10GB (SR or LR)	8 mini-GBIC (SX, LX or TX), or 2 XFP 10GB (SR or LR)
Firewall
Network attack detection	Yes	Yes
Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection	Yes	Yes
TCP reassembly for fragmented packet protection	Yes	Yes
Brute force attack mitigation	Yes	Yes
SYN cookie protection	Yes	Yes
Zone-based IP spoofing	Yes	Yes
Malformed packet protection	Yes	Yes
Unified Threat Management / Content Security4
IPS (Deep Inspection firewall)	Yes	Yes
Protocol anomaly detection	Yes	Yes
Stateful protocol signatures	Yes	Yes
IPS/Deep Inspection attack pattern obfuscation	Yes	Yes
External URL filtering5	Yes	Yes
VoIP Security
H.323 ALG	Yes	Yes
SIP ALG	Yes	Yes
MGCP ALG	Yes	Yes
SCCP ALG	Yes	Yes
NAT for VoIP protocols	Yes	Yes
IPsec VPN
Concurrent VPN tunnels3	Up to 25,000	Up to 25,000
Tunnel interfaces3	Up to 8,191	Up to 8,191
DES (56-bit), 3DES (168-bit) and AES encryption	Yes	Yes
MD-5 and SHA-1 authentication	Yes	Yes
Manual key, IKE, PKI (X.509), IKEv2 with EAP	Yes	Yes
Perfect forward secrecy (DH Groups)	1,2,5	1,2,5
Prevent replay attack	Yes	Yes
Remote access VPN	Yes	Yes
L2TP within IPsec	Yes	Yes
IPsec NAT traversal	Yes	Yes
Redundant VPN gateways	Yes	Yes
User Authentication and Access Control
Built-in (internal) database - user limit3	Up to 50,000	Up to 50,000
Third-party user authentication	RADIUS, RSA SecurID, and LDAP	RADIUS, RSA SecurID, and LDAP
RADIUS Accounting	Yes – start/stop	Yes – start/stop
XAUTH VPN authentication	Yes	Yes
Web-based authentication	Yes	Yes
802.1X authentication	Yes	Yes
Unified access control enforcement point	Yes	Yes
PKI Support
PKI Certificate requests (PKCS 7 and PKCS 10)	Yes	Yes
Automated certificate enrollment (SCEP)	Yes	Yes
Online Certificate Status Protocol (OCSP)	Yes	Yes
Certificate Authorities supported	VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape) Baltimore, DoD PKI	VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape) Baltimore, DoD PKI
Self-signed certificates	Yes	Yes
Virtualization6
Maximum number of virtual systems	0 default, upgradeable to 500	0 default, upgradeable to 500
Maximum number of security zones	23 default, upgradeable to 1,023	23 default, upgradeable to 1,023
Maximum number of virtual routers	3 default, upgradeable to 503	3 default, upgradeable to 503
Maximum number of VLANs	4093	4093
Inter-VSYS Communication (shared-DMZ)	Yes	Yes
Routing
BGP instances	128	128
BGP peers	256	256
BGP routes	30000	30000
OSPF instances	Up to 8	Up to 8
SPF routes	30000	30000
RIP v1/v2 instances	Up to 512	Up to 512
RIP v2 routes	30000	30000
Dynamic routing	Yes	Yes
Static routes	30000	30000
Source-based routing	Yes	Yes
Policy-based routing	Yes	Yes
ECMP	Yes	Yes
Multicast	Yes	Yes
Reverse Path Forwarding (RPF)	Yes	Yes
IGMP (v1, v2)	Yes	Yes
IGMP Proxy	Yes	Yes
PIM SM	Yes	Yes
PIM SSM	Yes	Yes
Multicast inside IPsec tunnel	Yes	Yes
IPv6
Syn-Cookie and Syn-Proxy DoS Attack Detection	Yes	Yes
SIP, RTSP, Sun-RPC, and MS-RPC ALG’s	Yes	Yes
Dual stack IPv4/IPv6 firewall and VPN	Yes	Yes
IPv4 to/from IPv6 translations and encapsulations	Yes	Yes
Virtualization (VSYS, Security Zones, VR, VLAN)	Yes	Yes
RIPng	Yes	Yes
BGP version 4	Yes	Yes
DHCPv6 Relay	Yes	Yes
NSRP (active/passive, active/active)	Yes	Yes
Transparent mode for IPv6	Yes	Yes
Mode of Operation
Layer 2 (transparent) mode7	Yes	Yes
Layer 3 (route and/or NAT) mode	Yes	Yes
Address Translation
Network Address Translation (NAT)	Yes	Yes
Port Address Translation (PAT)	Yes	Yes
Policy-based NAT/PAT	Yes	Yes
Mapped IP (MIP)8	20000	20000
Virtual IP (VIP)	64	64
MIP/VIP grouping	Yes	Yes
IP Address Assignment
Static	Yes	Yes
DHCP, PPPoE client	No, No	No, No
Internal DHCP server	No	No
DHCP relay	Yes	Yes
Traffic Management Quality of Service (QoS)
Guaranteed bandwidth	No	No
Maximum bandwidth	Yes – per physical interface only	Yes – per physical interface only
Ingress traffic policing	No	No
Priority-bandwidth utilization	No	No
DiffServ marking	Yes – per policy	Yes – per policy
Jumbo frames	Yes	Yes
Link aggregation up to 4 ports	8G2 SPM only	8G2 SPM only
High Availability (HA)
Active/Active	Yes	Yes
Active/Passive	Yes	Yes
Redundant interfaces	8G2 SPM only	8G2 SPM only
Configuration synchronization	Yes	Yes
Session synchronization for firewall and VPN	Yes	Yes
Session failover for routing change	Yes	Yes
Device failure detection	Yes	Yes
Link failure detection	Yes	Yes
Authentication for new HA members	Yes	Yes
Encryption of HA traffic	Yes	Yes
LDAP and RADIUS server failover	Yes	Yes
System Management
WebUI (HTTP and HTTPS)	Yes	Yes
Command line interface (console)	Yes	Yes
Command line interface (telnet)	Yes	Yes
Command line interface (SSH)	Yes	Yes
Juniper Networks Network and Security Manager	Yes	Yes
All management via VPN tunnel on any interface	Yes	Yes
Rapid deployment	Yes	Yes
Administration
Local administrator database size	8 MB	8 MB
External administrator database support	RADIUS/LDAP/SecurID	RADIUS/LDAP/SecurID
Restricted administrative networks	6	6
Root admin, admin and read only user levels	Yes	Yes
Software upgrades	Yes	Yes
Configuration rollback	Yes	Yes
Logging/Monitoring
Syslog (multiple servers)	Yes	Yes
Email (two addresses)	Yes	Yes
NetIQ WebTrends	Yes	Yes
SNMP (v2)	Yes	Yes
SNMP full/custom MIB	Yes	Yes
Traceroute	Yes	Yes
VPN tunnel monitor	Yes	Yes
External Flash
Additional log storage	Supports 1 GB or 2 GB industrial-grade SanDisk	Supports 1 GB or 2 GB industrial-grade SanDisk
Event logs and alarms	Yes	Yes
System configuration script	Yes	Yes
ScreenOS Software	Yes	Yes
Dimensions and Power
Dimensions (W x H x D)	17.5 X 3.4 X 20 in (44.5 X 8.6 X 50.8 cm)	17.5 X 8.6 X 14 in (44.5 X 21.8 X 35.6 cm)
Weight	37 lb / 17 kg	45 lb / 20 kg
Rack mountable	Yes, 2U	Yes, 2U
Power supply (AC)	Yes, redundant, 100-240 VAC	Yes, redundant, 100-240 VAC
Power supply (DC)	Yes, redundant, -36 to -60 VDC	Yes, redundant, -36 to -60 VDC
Maximum thermal output	472 BTU/hour (W)	943 BTU/hour (W)
Certifications
Safety certifications	UL, CUL, CSA, CB, Austel, NEBS Level 3	UL, CUL, CSA, CB, Austel, NEBS Level 3
EMC certifications	FCC class A, CE class A, C-Tick, VCCI class A	FCC class A, CE class A, C-Tick, VCCI class A
NEBS	Yes	Yes
MTBF (Bellcore model)	7.9 years	7.0 years
Security Certifications
Common Criteria: EAL4 and EAL4+	Yes, MGT2 / 8G2 / 2XGE	Yes, MGT2 / 8G2 / 2XGE
FIPS 140-2: Level 2	Yes, MGT2 / 8G2 / 2XGE	Yes, MGT2 / 8G2 / 2XGE
ICSA Firewall and VPN	Yes	Yes
Operating Environment
Operating temperature	32° to 105° F (0° to 45° C)	32° to 105° F (0° to 45° C)
Non-operating temperature	- 4° to 158° F (-20° to 70° C)	- 4° to 158° F (-20° to 70° C)
Humidity	10% to 90% non-condensing	10% to 90% non-condensing

Performance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment. Please note the firewall/VPN performance data are identical for MGT2/SPM2 and MGT3/SPM3 configurations. For a complete list of supported ScreenOS versions for NetScreen Series Security Systems, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/).
Listed first, higher performance numbers are achieved with 2XGE, lower numbers with the 8G2 Secure Port Modules.
Shared among all virtual systems.
IPS/Deep Inspection is delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support.
Redirect Web filtering sends traffic to a secondary server and therefore entails purchasing a separate Web filtering license from either Websense or SurfControl.
Requires purchase of virtual system key. Every virtual system includes one virtual router and two security zones, usable in the virtual or root system.
NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are not available in layer 2 transparent mode.
Not available with virtual systems.
512K or 1 million sessions per SPM can be achieved (2 ASICs per SPM), depending on inter-ASIC or intra-ASIC traffic flow respectively. 1 million sessions max on NetScreen-5200 and 2 million sessions max on NetScreen-5400.
Two million sessions requires at least two Secure Port Modules (8G2 or 2XGE).
The first numbers are performance achieved with the new MGT3/8G2-G4 modules, and the second numbers represent the performance achieved with the MGT2/8G2 modules.

Juniper NetScreen Series

Data sheets

NetScreen Series Security Systems

Security Product Comparison Chart

Implementation Guides

Implementing Firewalls Inside the Core Data Center Network

Network Diagram

Enterprise Product Portfolio

Solutions Briefs

Unified Threat Management—All-in-One Security for Branch and Small to Medium Offices

Free Consultation

Unbeatable Prices

Professional Services

24x7 Tech Support