Juniper Networks NetScreen-5000


Datasheet

Juniper Networks
NetScreen-5000 Series

Product Description
The NetScreen-5000 series firewall/VPN is ideally suited for large enterprise network
backbones, including:
• Departmental or campus segmentation
• Enterprise data centers for securing high-density server environments
• Carrier-based managed services or core infrastructure
The Juniper Networks NetScreen-5000 series is a line of purpose-built, high-performance security systems designed for large enterprise, carrier, and data center networks. Architected with both existing and future network design in mind, the NetScreen-5000 series consists of two platforms: the 2-slot NetScreen-5200 and the 4-slot NetScreen-5400. Integrating firewall, VPN, traffic management functionality, Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection in a low profile modular chassis, the NetScreen-5000 series delivers scalable performance for the most demanding network environments.

Offering excellent scalability and flexibility while providing high levels of security, the NetScreen-5000 series is differentiated by its chassis configuration for fans, power supplies, and number of slots for modules. Both the NetScreen-5200 and NetScreen-5400 support secure port modules that offer different throughput and interface options for deployment flexibility. All chassis are designed with hot-swappable, redundant fans and power supplies. This enables businesses to maximize device uptime and meet stringent government and industry certifications, such as the rigorous Network Equipment Building System criteria, the requirement for equipment used in the central office in the North American Public Switched Network.

Employing a switch fabric for data exchange and a separate multi-bus channel for control information, the NetScreen-5000 series can scale up to 30 Gbps firewall and 15 Gbps 3DES/AES VPN. It provides low-latency performance for all packet sizes and is ideal for multimedia, voice over IP (VoIP), and other streaming media applications.

Juniper Networks delivers all the components necessary to build and secure a highly available infrastructure. Redundant links for full-mesh topologies, sub-second stateful fail-over, path monitoring, and a secured control protocol all join to provide complete resilience for the security layer. The NetScreen-5000 series also supports Juniper Networks virtual systems capability, with capacity up to 500 virtual systems. Virtual systems allow a single security device to be partitioned logically into multiple security domains, each with a unique virtual router, policy set, address book, and administrative login. Virtual systems can be used with physical interfaces, as well as VLAN tagged interfaces bound to any interface, with multiple security zones supported within each virtual system.
Whether the requirement is high-capacity session/tunnel aggregation, high-performance
small-packet throughput, a high degree of system virtualization or a high degree of
physical segmentation, the NetScreen-5000 is the ideal platform for large enterprise
and carrier grade networks. The additional benefits associated with lower total cost of
ownership and the ability to meet future service or application requirements make the
NetScreen-5000 series firewall/VPN the clear choice for network security operations.
Juniper Networks further expands overall system functionality and performance by
introducing a new management module and three new Secure Port Modules (SPMs)
for the NetScreen-5000. The new management module takes advantage of faster
CPU speeds and larger CPU cache to enhance performance while the new SPMs take
advantage of Juniper’s fourth generation security ASIC to deliver advanced functionality
at multi-gigabit rates. These new management and SPM modules deliver the Juniper
heritage of high-performance security while expanding capabilities and capacities for
NetScreen-5000 customers.

Features and Benefits


Feature: Purpose-built platform
Description: Modular, chassis-based security systems.
Benefit: Delivers the high performance and configuration flexibility required to protect large enterprise and carrier environments.

Feature: High performance
Description: ASIC based architecture employs a switch fabric for data exchange and a separate multi-bus channel for control information.
Benefit: Ensures scalable performance and low latency in sensitive applications such as VoIP and streaming media.

Feature: Advanced network segmentation
Description: Security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, regional servers, or databases.
Benefit: Prevents unauthorized access, contains any attacks that may occur, and facilitates regulatory compliance.

Feature: System and network resiliency
Description: Hardware component redundancy and full mesh configurations enable redundant physical paths in the network.
Benefit: Provides the reliability required for high-speed network deployments.

Feature: High availability (HA)
Description: Active/passive, Active/active and Active/active full mesh HA configurations using dedicated high availability interfaces.
Benefit: Achieve maximum availability and ensure synchronization for sub-second failover between interfaces or devices.

Feature: Interface flexibility
Description: Modular architecture enables deployment with a wide variety of interface options, including SFP (SX, LX, TX) and XFP 10 gigabit (SR or LR).
Benefit: Simplifies network integration and helps reduce the cost of future network upgrades.

Feature: Robust routing engine
Description: The NetScreen-5000 series routing engine supports OSPF, BGP, RIP v1/2, transparent Layer 2 operation, NAT and Route mode.
Benefit: Facilitates the deployment of the NetScreen-5000 series as a combined security and LAN routing device, lowering operational and capital expenditures.

Feature: Virtual system support
Description: Supports up to 500 virtual firewalls, each with a unique set of administrators, policies, VPNs, and address books.
Benefit: Reduces the number of physical units and allows the partitioning of the network into separate administrative domains.

Feature: World-class professional services
Description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable, and reliable.

Product Options
Option: Integrated IPS (Deep Inspection)
Description: Prevents application level attacks from flooding the network using a combination of stateful signatures and protocol anomaly detection mechanisms. IPS is annually licensed.
Applicable Products: NetScreen-5200 and NetScreen-5400

Option: Web filtering (redirect)
Description: Block access to malicious Web sites using a Web filtering redirect solution such as SurfControl or Websense technology.
Applicable Products: NetScreen-5200 and NetScreen-5400

Option: Virtual systems
Description: Supports up to 500 virtual firewalls, each with a unique set of administrators, policies, VPNs, and address books.
Applicable Products: NetScreen-5200 and NetScreen-5400

Specifications
(Each row lists the value for the Juniper Networks NetScreen-5200 first, then the value for the Juniper Networks NetScreen-5400.)
Maximum Performance and Capacity(1)
ScreenOS version tested ScreenOS 6.1 ScreenOS 6.1
Firewall performance (Large packets)(2) 10/8 Gbps 30/24 Gbps
Firewall performance (Small packets) 4 Gbps 12 Gbps
Firewall Packets Per Second (64 byte) 6 M PPS 18 M PPS
AES256+SHA-1 VPN performance(2) 5/4 Gbps 15/12 Gbps
3DES+SHA-1 VPN performance(2) 5/4 Gbps 15/12 Gbps
Maximum concurrent sessions(3) 1,000,000 2,000,000(9)
New sessions/second(10) 26,500/22,000 26,500/22,000
Maximum security policies 40,000 40,000
Maximum users supported Unrestricted Unrestricted
Network Connectivity
Fixed I/O 0 0
Interface expansion slots 2 (1 x Management, 1 x SPM) 4 (1 x Management, 3 x SPM)
LAN interface options 8 mini-GBIC (SX, LX or TX), or 2 XFP 10Gig (SR or LR) 8 mini-GBIC (SX, LX or TX), or 2 XFP 10Gig (SR or LR)
Firewall
Network attack detection Yes Yes
Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection Yes Yes
TCP reassembly for fragmented packet protection Yes Yes
Brute force attack mitigation Yes Yes
SYN cookie protection Yes Yes
Zone-based IP spoofing Yes Yes
Malformed packet protection Yes Yes

Unified Threat Management / Content Security(4)


IPS (Deep Inspection firewall) Yes Yes
Protocol anomaly detection Yes Yes
Stateful protocol signatures Yes Yes
IPS/Deep Inspection attack pattern obfuscation Yes Yes
External URL filtering(5) Yes Yes

Voice over IP (VoIP) Security


H.323 ALG Yes Yes
SIP ALG Yes Yes
MGCP ALG Yes Yes
SCCP ALG Yes Yes
NAT for VoIP protocols Yes Yes

IPSec VPN
Concurrent VPN tunnels(3) Up to 25,000 Up to 25,000
Tunnel interfaces(3) Up to 4,095 Up to 4,095
DES (56-bit), 3DES (168-bit) and AES encryption Yes Yes
MD-5 and SHA-1 authentication Yes Yes
Manual key, IKE, PKI (X.509), IKEv2 with EAP Yes Yes
Perfect forward secrecy (DH Groups) 1,2,5 1,2,5
Prevent replay attack Yes Yes
Remote access VPN Yes Yes
L2TP within IPSec Yes Yes
IPSec NAT traversal Yes Yes
Redundant VPN gateways Yes Yes

User Authentication and Access Control


Built-in (internal) database - user limit(3) Up to 50,000 Up to 50,000
Third-party user authentication RADIUS, RSA SecurID, and LDAP RADIUS, RSA SecurID, and LDAP
RADIUS Accounting Yes – start/stop Yes – start/stop
XAUTH VPN authentication Yes Yes
Web-based authentication Yes Yes
802.1X authentication Yes Yes
Unified access control enforcement point Yes Yes

PKI Support
PKI Certificate requests (PKCS 7 and PKCS 10) Yes Yes
Automated certificate enrollment (SCEP) Yes Yes
Online Certificate Status Protocol (OCSP) Yes Yes
Certificate Authorities supported VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI (same list for NetScreen-5200 and NetScreen-5400)
Self-signed certificates Yes Yes

Virtualization(6)
Maximum number of virtual systems 0 default, upgradeable to 500 0 default, upgradeable to 500
Maximum number of security zones 16 default, upgradeable to 1,016 16 default, upgradeable to 1,016
Maximum number of virtual routers 3 default, upgradeable to 503 3 default, upgradeable to 503
Maximum number of VLANs 4,094 4,094

Routing
BGP instances 128 128
BGP peers 256 256
BGP routes 30,000 30,000
OSPF instances Up to 8 Up to 8
OSPF routes 30,000 30,000
RIP v1/v2 instances Up to 512 Up to 512
RIP v2 routes 30,000 30,000
Dynamic routing Yes Yes
Static routes 30,000 30,000
Source-based routing Yes Yes
Policy-based routing Yes Yes
ECMP Yes Yes
Multicast Yes Yes
Reverse Path Forwarding (RPF) Yes Yes
IGMP (v1, v2) Yes Yes
IGMP Proxy Yes Yes
PIM SM Yes Yes
PIM SSM Yes Yes
Multicast inside IPSec tunnel Yes Yes

IPv6
Syn-Cookie and Syn-Proxy DoS Attack Detection Yes Yes
SIP, RTSP, Sun-RPC, and MS-RPC ALG’s Yes Yes
Dual stack IPv4/IPv6 firewall and VPN Yes Yes
IPv4 to/from IPv6 translations and encapsulations Yes Yes
Virtualization (VSYS, Security Zones, VR, VLAN) Yes Yes
RIPng Yes Yes

Mode of Operation
Layer 2 (transparent) mode(7) Yes Yes
Layer 3 (route and/or NAT) mode Yes Yes

Address Translation
Network Address Translation (NAT) Yes Yes
Port Address Translation (PAT) Yes Yes
Policy-based NAT/PAT Yes Yes
Mapped IP (MIP)(8) 10,000 10,000
Virtual IP (VIP) 64 per VSYS 64 per VSYS
MIP/VIP Grouping Yes Yes

IP Address Assignment
Static Yes Yes
DHCP, PPPoE client No, No No, No
Internal DHCP server No No
DHCP relay Yes Yes

Traffic Management Quality of Service (QoS)


Guaranteed bandwidth No No
Maximum bandwidth Yes – per physical interface only Yes – per physical interface only
Ingress traffic policing No No
Priority-bandwidth utilization No No
DiffServ marking Yes – per policy Yes – per policy
Jumbo Frames Yes Yes
Link aggregation up to 4 ports 8G2 SPM only 8G2 SPM only

High Availability (HA)


Active/Active Yes Yes
Active/Passive Yes Yes
Redundant interfaces 8G2 SPM only 8G2 SPM only
Configuration synchronization Yes Yes
Session synchronization for firewall and VPN Yes Yes
Session failover for routing change Yes Yes
Device failure detection Yes Yes
Link failure detection Yes Yes
Authentication for new HA members Yes Yes
Encryption of HA traffic Yes Yes
LDAP and RADIUS server failover Yes Yes

System Management
WebUI (HTTP and HTTPS) Yes Yes
Command line interface (console) Yes Yes
Command line interface (telnet) Yes Yes
Command line interface (SSH) Yes Yes
NetScreen-Security Manager Yes Yes
All management via VPN tunnel on any interface Yes Yes
Rapid deployment Yes Yes

Administration
Local administrator database size 8 MB 8 MB
External administrator database support RADIUS/LDAP/SecurID RADIUS/LDAP/SecurID
Restricted administrative networks 6 6
Root Admin, Admin and Read Only user levels Yes Yes
Software upgrades Yes Yes
Configuration rollback Yes Yes

Logging/Monitoring
Syslog (multiple servers) Yes Yes
Email (two addresses) Yes Yes
NetIQ WebTrends Yes Yes
SNMP (v2) Yes Yes
SNMP full/custom MIB Yes Yes
Traceroute Yes Yes
VPN tunnel monitor Yes Yes

External Flash
Additional log storage Supports 128 or 512 MB Industrial-Grade SanDisk Supports 128 or 512 MB Industrial-Grade SanDisk
Event logs and alarms Yes Yes
System configuration script Yes Yes
ScreenOS Software Yes Yes

Dimensions and Power


Dimensions (W x H x D) 17.5 x 3.4 x 20 in (44.5 x 8.6 x 50.8 cm) 17.5 x 8.6 x 14 in (44.5 x 21.8 x 35.6 cm)
Weight 37 lb / 17 kg 45 lb / 20 kg
Rack mountable Yes, 2 U’s Yes, 5 U’s
Power supply (AC) Yes, redundant, 100-240 VAC Yes, redundant, 100-240 VAC
Power supply (DC) Yes, redundant, -36 to -60 VDC Yes, redundant, -36 to -60 VDC
Maximum thermal output 472 BTU/Hour (W) 943 BTU/Hour (W)

Certifications
Safety certifications UL, CUL, CSA, CB, Austel, NEBS Level 3 UL, CUL, CSA, CB, Austel, NEBS Level 3
EMC certifications FCC class A, CE class A, C-Tick, VCCI class A FCC class A, CE class A, C-Tick, VCCI class A
NEBS Yes Yes
MTBF (Bellcore model) 7.9 years 7.0 years

Security Certifications
Common Criteria: EAL4 and EAL4+ Yes, MGT2 / 8G2 / 2XGE Yes, MGT2 / 8G2 / 2XGE
FIPS 140-2: Level 2 Yes, MGT2 / 8G2 / 2XGE Yes, MGT2 / 8G2 / 2XGE
ICSA Firewall and VPN Yes Yes

Operating Environment
Operating temperature 32° to 105° F (0° to 45° C) 32° to 105° F (0° to 45° C)
Non-operating temperature - 4° to 158° F (-20° to 70° C) - 4° to 158° F (-20° to 70° C)
Humidity 10 to 90% noncondensing 10 to 90% noncondensing
(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.1 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment. For a complete list of supported ScreenOS versions for NetScreen-5000 platforms, please visit the Juniper Customer Support Center (http://www.juniper.net/customers/support/).
(2) Listed first, higher performance numbers are achieved with 2XGE, lower numbers with the 8G2 Secure Port Modules.
(3) Shared among all virtual systems.
(4) IPS/Deep Inspection is delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support.
(5) Redirect Web filtering sends traffic to a secondary server and therefore entails purchasing a separate Web filtering license from either Websense or SurfControl.
(6) Requires purchase of virtual system key. Every virtual system includes one virtual router and two security zones, usable in the virtual or root system.
(7) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are not available in layer 2 transparent mode.
(8) Not available with virtual systems.
(9) 2 million sessions requires at least 2 Secure Port Modules (8G2 or 2XGE).
(10) The first numbers are performance achieved with the new MGT3/8G2-G4 modules, and the second numbers represent the performance achieved with the MGT2/8G2 modules.

Ordering Information
Model Number / Description

Juniper Networks NetScreen-5200 System
NS-5200 NS-5200 System, No SPM or MGT modules, includes Fan Tray, Dual AC power supply, 19” Rack Mount, 0 VSYS
NS-5200-DC NS-5200 System, No SPM or MGT modules, includes Fan Tray, Dual DC power supply, 19” Rack Mount, 0 VSYS
Note: Add MGT2 and SPM Modules to build complete systems

Juniper Networks NetScreen-5400 System
NS-5400 NS-5400 System, No SPM or MGT modules, includes Fan Tray, 3 x AC power supply, 19” Rack Mount, 0 VSYS
NS-5400-DC NS-5400 System, No SPM or MGT modules, includes Fan Tray, 3 x DC power supply, 19” Rack Mount, 0 VSYS
Note: Add MGT2 and SPM Modules to build complete systems

Juniper Networks NetScreen-5000 Series - Components needed to build complete systems
NS-5000-MGT2 Management Module 2
NS-5000-2XGE 2 x 10GigE Secure Port Module (SPM) – Does NOT include transceivers
NS-5000-8G2 8 x GigE Secure Port Module 2 (SPM) – Includes 8 x transceivers (SX)
NS-5000-8G2-TX 8 x GigE Secure Port Module 2 TX (SPM) – Includes 8 x Gig copper transceivers
NS-5000-MGT3* Management Module 3
NS-5000-2XGE-G4* 2 x 10GigE Secure Port Module (SPM) – Does NOT include transceivers
NS-5000-8G2-G4* 8 x GigE Secure Port Module (SPM) – Includes 8 x transceivers (SX)
NS-5000-8G2-G4-TX* 8 x GigE Secure Port Module (SPM) – Includes 8 x Gig copper transceivers

Juniper Networks NetScreen-5000 Series - Virtual System Upgrades
NS-5000-VSYS-5 VSYS upgrade 0 to 5
NS-5000-VSYS-25 VSYS upgrade 5 to 25
NS-5000-VSYS-50 VSYS upgrade 25 to 50
NS-5000-VSYS-100 VSYS upgrade 50 to 100
NS-5000-VSYS-250 VSYS upgrade 100 to 250
NS-5000-VSYS-500 VSYS upgrade 250 to 500
NS-5000-VSYS VSYS upgrade 0 to 500

Juniper Networks NetScreen-5000 Series – Accessories
NS-SYS-GBIC-MSX SX transceiver (mini-GBIC)
NS-SYS-GBIC-MLX LX transceiver (mini-GBIC)
NS-SYS-GBIC-MXSR XFP 10GigE transceiver Short Range (SR) (300m)
NS-SYS-GBIC-MXLR XFP 10GigE transceiver Long Range (LR) (10km)

Juniper Networks NetScreen-5200 Series – Components
NS-5200-CHA NetScreen-5200 Chassis
NS-5200-PWR-AC NetScreen-5200 AC Power Supply
NS-5200-PWR-DC NetScreen-5200 DC Power Supply
NS-5200-FAN NetScreen-5200 Fan Assembly

Juniper Networks NetScreen-5400 Series – Components
NS-5400-CHA NetScreen-5400 Chassis
NS-5400-PWR-AC NetScreen-5400 AC Power Supply
NS-5400-PWR-DC NetScreen-5400 DC Power Supply
NS-5400-FAN NetScreen-5400 Fan Assembly

*The NS-5000-MGT3, NS-5000-2XGE-G4, NS-5000-8G2-G4, and NS-5000-8G2-G4-TX modules require ScreenOS version 6.1 or higher and CANNOT be intermixed with prior generation management or SPM modules. Customers who wish to deploy NS-5000 series appliances with the latest Management Module 3 must also deploy the latest G4 SPM modules.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited, Building 1, Aviator Park, Station Road, Addlestone, Surrey, KT15 2PG, U.K.
Phone: 44.(0).1372.385500
Fax: 44.(0).1372.385501

EAST COAST OFFICE
Juniper Networks, Inc., 10 Technology Park Drive, Westford, MA 01886-3146 USA
Phone: 978.589.5800
Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd., 26/F, Cityplaza One, 1111 King’s Road, Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at 1-866-298-6428 or authorized reseller.

110007-011 Mar 2008
