Page  Datasheet

Juniper Networks NetScreen-5GT Series

The Juniper Networks NetScreen-5GT Series is a family of three feature-rich, enterprise-class network
security solutions. They are ideally suited for securing remote offices, retail outlets and broadband
telecommuter environments, where IT staff support is minimal and ease of configuration and
management is crucial.
The NetScreen-5GT Series integrates Unified Threat Management (UTM) security applications, routing
protocols and resiliency features to provide IT managers a cost effective appliance that is easy to deploy
and manage. All NetScreen-5GT Series offerings described below come standard with the following
features:
• Security: Proven Stateful firewall and IPSec VPN combined with a complete set of best-in-class UTM
security features including IPS, Antivirus (includes Anti-Spyware, Anti-Adware, Anti-Phishing), Anti-
Spam, and Web Filtering allow the NetScreen-5GT to defend the network against worms, Spyware,
Trojans, malware and other emerging attacks.
• Network integration: Support for key routing protocols, such as BGP, OSPF, RIPv1/2 and ECMP along
with NAT, Route and Transparent Layer 2 operation helps facilitate network integration.
• Resiliency: Dial-backup or dual Ethernet ports, along with route-based VPNs provide redundancy when
network connectivity is business critical. Dual WAN ports can also be used to share traffic load.
• Port Flexibility: Almost every network deployment scenario can be accommodated without a
hardware upgrade through five configurable Ethernet interfaces. Administrators can enable
switching, dual WAN ports, a dedicated DMZ or any combination thereof through a set of six
predefined interface layouts called Port Modes.

5GT 10 user 5GT ADSL 5GT Wireless

Juniper Networks NetScreen-5GT Ethernet or plus 10 user or plus 10 user or plus
Juniper Networks NetScreen-5GT Ethernet solution is ideal for ScreenOS version support ScreenOS 5.4
environments that need hardwired connectivity backed by Firewall performance(1) 75 Mbps
robust network, application and payload level security. The 3DES+SHA-1 VPN performance 20 Mbps
NetScreen-5GT Ethernet is available with five Ethernet inter- Concurrent sessions 2000
faces that can be deployed in a wide variety of configurations.
New sessions/second 2000
Policies 100
Juniper Networks NetScreen-5GT ADSL
Interfaces 5 10/100 Base-T, 5 10/100 Base-T + 5 10/100 ports, 1
The Juniper Networks NetScreen-5GT ADSL adds ADSL con- 1 Modem, and 1 ADSL, 1 Modem, Wireless port with
nectivity to existing Ethernet connectivity, eliminating the Console and 1 Console up to 4 SSIDs, 1
need for an external ADSL modem. It provides a cost effec- Modem, and 1
Console, 1 ADSL
tive security and ADSL routing platform, with the same key port (optional),
security applications, routing protocols and resiliency features
5GT 10 user 5GT ADSL 10 5GT Wireless
found in the Ethernet-based platforms, to help ensure network Mode of Operation
or plus user or plus 10 user or plus
resources are not compromised. Layer 2 mode (transparent mode)(2) Yes Yes Yes (except with
ADSL)
Juniper Networks NetScreen-5GT Wireless Layer 3 mode (route and/or NAT mode) Yes Yes Yes
The Juniper Networks NetScreen-5GT with Wireless brings NAT (Network Address Translation) Yes Yes Yes
enterprise-level security applications, routing protocols and PAT (Port Address Translation) Yes Yes Yes
resiliency features to help organizations deploy 802.11b/g
Configurable port modes Yes Yes Yes
networks in a secure manner. The NetScreen-5GT Wireless
Dual Untrust Yes Yes Yes
offers administrators up to four configurable Wireless Security
Zones (patent-pending), each with a unique SSID that can be Dial back up Yes Yes Yes

used to provision appropriate levels of security for different Policy-based NAT Yes Yes Yes

types of users. To help ensure wireless security, privacy and Mapped IP 300 300 300
interoperability, the NetScreen-5GT Wireless supports a broad Virtual IP 1 1 1
set of wireless authentication and privacy mechanisms. The MIP/VIP Grouping Yes Yes Yes
NetScreen-5GT Wireless includes standard Ethernet connectiv- Users supported 10 or Unrestricted
ity with ADSL as a hardware option.
IPSec passthru in NAT mode Yes Yes Yes
 5GT Series
Page 

5GT ADSL 5GT Wireless 5GT ADSL 5GT Wireless

5GT 10 user 5GT 10 user
Firewall 10 user 10 user Logging/Monitoring 10 user 10 user
or plus or plus
or plus or plus or plus or plus
Number of network attacks detected 31 31 31 Syslog (multiple servers) External, up to 4 servers
Network attack detection Yes Yes Yes
E-mail (2 addresses) Yes Yes Yes
DoS and DDoS protections Yes Yes Yes
NetIQ WebTrends External External External
TCP reassembly for fragmented
Yes Yes Yes SNMP (v1, v2) Yes Yes Yes
packet protection
Standard and custom MIB Yes Yes Yes
Malformed packet protections Yes Yes Yes
Traceroute Yes Yes Yes
Malicious Web filtering Up to 48 URLs
At session start and end Yes Yes Yes
Brute force attack mitigation Yes Yes Yes
Virtualization
Syn cookie protection Yes Yes Yes
Virtual routers (VRs) 3 3 3
Zone-based IP spoofing Yes Yes Yes 802.1Q VLan Tagging Yes Yes Yes
VPN Routing
OSPF/BGP/RIPv1/v2 dynamic routing 3 instances each
Concurrent VPN tunnels Up to 10
Static routes 1024 1024 1024
Tunnel interfaces Up to 10 Source Based Routing, Source
Yes Yes Yes
DES (56 bit), 3DES (168-bit) and AES Interface Based Routing
Yes Yes Yes
encryption Equal cost multi-path routing Yes Yes Yes
MD-5 and SHA-1 authentication Yes Yes Yes IGMP groups 2400 2400 2400
Manual Key, IKE, PKI (X.509) Yes Yes Yes
High Availability (HA)
Perfect forward secrecy (DH Groups) 1, 2, 5 1, 2, 5 1, 2, 5
HA Lite Yes - with Extended License Key
Prevent replay attack Yes Yes Yes
Remote access VPN Yes Yes Yes Dial Backup(6) Yes Yes Yes
L2TP within IPSec Yes Yes Yes Dual Untrust Yes Yes Yes
Dead Peer Detection Yes Yes Yes VoIP
IPSec NAT traversal Yes Yes Yes
H.323 ALG Yes Yes Yes
Redundant VPN gateways Yes Yes Yes
SIP ALG Yes Yes Yes
VPN tunnel monitor Yes Yes Yes
Unified Threat Management / Content Security SCCP ALG Yes Yes Yes

IPS (Deep Inspection FW) Yes Yes Yes MGCP ALG Yes Yes Yes
Protocol anomaly detection Yes Yes Yes NAT for H.323/SIP Yes/Yes Yes/Yes Yes/Yes
Stateful protocol signatures Yes Yes Yes IP Address Assignment
Antivirus(3) Yes Yes Yes
Static Yes Yes Yes
Signature database 100,000+
Yes/Yes/Yes
Maximum AV Users(4) POP3, SMTP, HTTP, IMAP, FTP DHCP/PPPoE/PPPOA client Yes/Yes/No Yes/Yes/Yes
(w/ADSL)
Anti-Phishing Yes Yes Yes Internal DHCP server Yes Yes Yes
Anti-Spyware Yes Yes Yes DHCP relay Yes Yes Yes
Anti-Adware Yes Yes Yes PKI Support
Anti-Keylogger Yes Yes Yes PKI certificate requests (PKCS 7 and
Yes Yes Yes
PKCS 10)
Anti-Spam(4) Yes Yes Yes
Automated certificate enrollment
Yes Yes Yes
Integrated URL filtering(5) Yes Yes Yes (SCEP)
External URL filtering (6) Yes Yes Yes Online Certificate Status Protocol
Yes Yes Yes
(OCSP)
Firewall and VPN User Authentication
Self Signed Certificates Yes Yes Yes
Built-in (internal) database - user limit up to 100 up to 100 up to 100 Verisign, Entrust, Microsoft, RSA Keon, iPlanet
Certificate Authorities Supported
3rd Party user authentication RADIUS, RSA, SecurID, 802.1x and LDAP (Netscape), DOD PKI, Baltimore

XAUTH VPN authentication Yes Yes Yes RADIUS Accounting

Web-based authentication Yes Yes Yes RADIUS Start/Stop Yes Yes Yes

IPS System Management

Deep Inspection (DI) firewall (2)

Yes Yes Yes WebUI (HTTP and HTTPS) Yes Yes Yes

Protocol anomaly detection Yes Yes Yes Command Line Interface (console) Yes Yes Yes

Stateful protocol signatures Yes Yes Yes Command Line Interface (telnet) Yes Yes Yes
Command Line Interface (SSH) Yes, v1.5 and v2.0 compatible
NetScreen-Security Manager Yes Yes Yes
All management via VPN tunnel on
Yes Yes Yes
any interface
Rapid deployment Yes Yes Yes
 Page  Datasheet

5GT ADSL 5GT Wireless 5GT ADSL 5GT Wireless

5GT 10 user 5GT 10 user
Administration 10 user 10 user Dimensions and Power 10 user 10 user
or plus or plus
or plus or plus or plus or plus
8-1/4”x7- 8-1/4”x7-
Local administrators database size 20 20 20 Dimensions (W/L/H) 8-1/4”x5”x1”
1/4”x1” 1/4”x1”
External administrator database RADIUS/LDAP/SecurID Power Supply (DC) No No No
Weight 1.5 lbs 2 lbs. 2.5 lbs.
Root Admin, Admin, and Read Only Yes Yes Yes
use Rack mountable Yes, w/separate kit

Software upgrades TFTP/WebUI/SCP/NSM Power Supply (AC) 9-12VDC 12W 12VDC 18W
Configuration Roll-back Yes Yes Yes Environment
Traffic Management Operational temperature 32° to 1004° F, -0° to 40° C
Guaranteed bandwidth Yes Yes Yes
Non-operational temperature: -4° to 158° F, -20° to 70° C
Maximum bandwidth Yes Yes Yes
Humidity 10 to 90% non-condensing
Ingress Traffic Policing Yes Yes Yes
MTBF (Telecordia standard) 32.2 Years 26.7 Years 23.9 Years
Priority-bandwidth utilization Yes Yes Yes
Certifications
DiffServ stamp Yes Yes Yes
Safety Certifications UL, CUL, CB, TUV
ADSL Support
EMC Certifications FCC class B, CE class B, C-Tick, VCCI class B
ADSL over POTS N/A Yes Yes (optional)
Common Criteria EAL4 Certification Yes No No
ADSL over ISDN N/A Yes Yes (optional)
FIPS 140-2, Level 2 Certification Yes No No
ADSL DMT issue 2 N/A Yes Yes (optional)
ICSA Firewall and VPN Yes Yes Yes
ADSL G lite Yes No N/A Yes Yes (optional)
WI-Fi Alliance 802.11 Certification No No Yes
Dying Gasp Support N/A Yes Yes (optional)
WI-Fi Alliance Enterprise Certification No No Yes
Deutsche Telecom Support N/A Yes Yes (optional)
ADSL Layer 2 and encapsulations (1) Performance, capacity and features listed are based upon (3) Supported via Kaspersky Lab Antivirus engine
systems running ScreenOS 5.4 and are the measured (4) Supported via Symantec Brightmail
maximums under ideal testing conditions unless otherwise (5) Supported via SurfControl
PPPoE/PPPoA N/A Yes Yes (optional)
noted. Actual results may vary based on ScreenOS release (6) Supported via SurfControl and Websense
and by deployment.
2684/1483 (Bridge and Routed Mode) N/A Yes Yes (optional)
(2) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual
ATM AAL5/ATM PVCs N/A Yes/10 Yes/10 (optional) systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/
Active HA, and IP address assignment are not available in
Wireless Radio layer 2 transparent mode.

Transmit Power N/A N/A Up to 200 mW

Wireless Standards supported N/A N/A 802.11b/g
Access Point Survey N/A N/A Yes License Options
The NetScreen-5GT Series is available in licensing options to support different numbers
Maximum Configured SSIDs N/A N/A 8
of users.
Maximum Active SSIDs N/A N/A 4 Licensing Options Description
Wireless Security 10 user Product license Limits capacity to 10 concurrent users
Wireless Privacy N/A N/A WPA (AES or Plus Product license Increases capacity to an unlimited number of
TKIP), IPSec users
VPN, WEP
Extended Product license Increases sessions and VPN tunnel capacities to
Wireless Authentication N/A N/A PSK, EAP- 4000 and 25 respectively. Adds a DMZ zone and
PEAP, EAP- HA lite (no session synchronization)
TLS, EAP-TTLS
Port Modes
over 802.1x
Port Modes provide configuration flexibility to the interface options on each of the NetScreen-
Additional Dial-up VPN Tunnels N/A N/A 20 for 10-user 5GT Series platforms. The tables below depict the different Port Mode and Tunnel zone op-
and Plus, 40 tions. A tunnel zone is an extra zone for terminating tunnel interfaces.
for Extended NetScreen-5GT Ethernet Port Mode Options
MAC Access Controls N/A N/A Permit or Deny Interfaces 5 10/100 ports, 1 Modem and 1 Console, Current ScreenOS version 5.1

Client Isolation N/A N/A Yes Trusted Wired Secu-

Port Mode Availability Tunnel Zones
rity Zones
Antennae options
Trust-Untrust All Licenses 1 1
Diversity Antenna N/A N/A Included
Dual-Untrust All Licenses 1 1
Directional Antenna N/A N/A Optional
Home-Work All Licenses 2* 1
Omni-directional Antenna N/A N/A Optional
Trust\Untrust\DMZ Extended Only 2 1
DMZ\Dual Untrust Extended Only 2 1
Combined All Licenses 2* 1
Dual-Untrust-DMZ Extended Only 2 1
Dual-DMZ Extended Only 2 1
* Home Zone Cannot Access Work Zone in Home-Work and Combined Port Modes.
 Page 

NetScreen-5GT ADSL and NetScreen-5GT WIreless/ADSL Port Mode Options

Interfaces 5 10/100 ports, 1 ADSL port 1 Modem and 1 Console, Current ScreenOS version 5.3
Product Part Number
NetScreen-5GT Wireless
Availability Trusted Wired Tunnel Zones Additional
and Wireless** Wireless Juniper Networks NetScreen-5GT Wireless 10 User
Zones Security Zones** NetScreen-5GT Wireless US Only - US power supply NS-5GT-021
Trust-Untrust All Licenses 1 1 1 NetScreen-5GT Wireless World* - UK power supply NS-5GT-023
Home-Work All Licenses 2* 1 1 NetScreen-5GT Wireless World*- Europe power supply NS-5GT-025
Extended Extended Only 2 1 2 NetScreen-5GT Wireless Japan Only* - Japan power supply NS-5GT-027-nn
*Home Zone Cannot Access Work Zone in Home-Work and Combined Port Modes. NetScreen-5GT Wireless World* - US power supply NS-5GT-028
** Wireless security product only

NetScreen-5GT Wireless Port Mode Options NetScreen-5GT Wireless ADSL

5 10/100 ports, 1 Wireless radio, 1 Modem, and 1 Console, 1 ADSL port (optional), Current Juniper Networks NetScreen-5GT Wireless ADSL 10 User
ScreenOS version 5.3 NetScreen-5GT Wireless ADSL US Only - US power supply NS-5GT-031-x
Availability Trusted Wired Tunnel Zones Additional NetScreen-5GT Wireless ADSL World* - UK power supply NS-5GT-033-x
and Wireless** Wireless
NetScreen-5GT Wireless ADSL World* - Europe power supply NS-5GT-035-x
Zones Security Zones**
NetScreen-5GT Wireless ADSL World* - US power supply NS-5GT-038-x
Trust-Untrust All Licenses 1 1 1
NetScreen-5GT Upgrades
Dual-Untrust** All Licenses 1 1 1
Anti-Virus, Deep Inspection, Web Filtering, and Anti-Spam can be
Home-Work All Licenses 2* 1 1 purchased via subscription licenses.
Combined** All Licenses 2* 1 1 NetScreen-5GT Upgrade from 10-User to NetScreen-5GT Plus NS-5GT-PLU
Extended Extended Only 2 1 2 (Unrestricted user)
*Home Zone Cannot Access Work Zone in Home-Work and Combined Port Modes. NetScreen-5GT Upgrade from 10-User to NetScreen-5GT Extended NS-5GT-ETU
** These Port modes are not available in the ADSL version of the NetScreen-5GT ADSL
NetScreen-5GT Upgrade from Plus to Extended NS-5GT-EPU
Product Part Number Accessories
Juniper Networks-5GT Ethernet Rack mount kit for 2 NetScreen-5GTs NS-5GT-RMK
Juniper Networks NetScreen-5GT 10 User
* World units may not be purchased in Japan or the US due to regulatory restrictions.
NetScreen-5GT US power supply NS-5GT-001 To order ADSL Annex A or Annex B units, replace the –x at the end of the sku with an A or B.
Please check ISP and DSLAM compatibility for the ADSL connections at www.juniper.net/products/integrated/5GT-ADSL/
NetScreen-5GT UK power supply NS-5GT-003
NetScreen-5GT Europe power supply NS-5GT-005 Deep Inspection (DI) Signature Packs
This feature enhancement allows ScreenOS to support targeted DI signature pack
NetScreen-5GT Japan power supply NS-5GT-007-nn
optimized for your specific network deployment. You can now select the DI signature pack
NetScreen-5GT ADSL that improves threat prevention for your network environment to ensure detection accuracy
Juniper Networks NetScreen-5GT ADSL 10 User* and coverage.
NetScreen-5GT ADSL US power supply NS-5GT-011-x Protection Type* Deployment Type Defense type Attack Type
NetScreen-5GT ADSL UK power supply NS-5GT-013-x Base Branch Offices Client/Server and Selected set of critical
NetScreen-5GT ADSL Europe power supply NS-5GT-015-A Small/Medium worm protection signatures
Businesses
Client Remote/Branch Perimeter defense, Attacks in the server-
Offices compliance for to-client direction
hosts (desktops, etc)
Server Small/Medium Perimeter defense, Attacks in the client-to-
Businesses compliance for server direction
server infrastructure
Worm Mitigation Remote/Branch Most comprehen- Worms, Trojans, back-
Offices of Large sive defense against door attacks
Enterprises worm attacks

CORPORATE HEADQUARTERS
AND SALES HEADQUARTERS
FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737)
or 408-745-2000
Fax: 408-745-2100
www.juniper.net
EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978-589-5800
Fax: 978-589-0800
ASIA PACIFIC REGIONAL EUROPE, MIDDLE EAST, AFRICA Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of
SALES HEADQUARTERS REGIONAL SALES HEADQUARTERS Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered
service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change
Juniper Networks (Hong Kong) Ltd. Juniper Networks (UK) Limited without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information
Suite 2507-11, Asia Pacific Finance Tower Juniper House in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Citibank Plaza, 3 Garden Road Guildford Road
Central, Hong Kong Leatherhead
Phone: 852-2332-3636 Surrey, KT22 9JH, U. K.
Fax: 852-2574-7803 Phone: 44(0)-1372-385500
Fax: 44(0)-1372-385501

110034-006 July 2006