Page 1 Datasheet

Juniper Networks NetScreen-204/208

The Juniper Networks NetScreen-200 Series is one of the most versatile pair of security appliances available
today. They easily integrate and secure many different network environments, including medium and large
enterprise offices, e-business sites, data centers, and carrier infrastructure. Complete with either four or eight
auto-sensing 10/100 Base-T Ethernet ports, the NetScreen-200 Series performs firewall functions at wire
speed (400 Mbps on the NetScreen-204 and 550 Mbps on the NetScreen-208). Even the most computationally
intense applications, such as 3DES and AES encryption, are performed at speeds greater than 200 Mbps.

Juniper Networks Juniper Networks Juniper Networks

NetScreen-204(1) NetScreen-208(1) NetScreen-200 Series(1)
Maximum Performance and Capacity(2) Firewall and VPN User Authentication
ScreenOS version support ScreenOS 5.2 ScreenOS 5.2 Built-in (internal) database - user limit up to 1,500
Firewall performance 400 Mbps 550 Mbps 3rd Party user authentication RADIUS, RSA SecurID, and LDAP
3DES performance 200 Mbps 200 Mbps XAUTH VPN authentication Yes
Deep Inspection performance 180 Mbps 180 Mbps Web-based authentication Yes
Concurrent sessions 128,000(4) 128,000(4) Logging/Monitoring
New sessions/second 11,500 11,500 Syslog (multiple servers) External, up to 4 servers
Policies 4,000 4,000 E-mail (2 addresses) Yes
Interfaces 4 10/100 Base-T 8 10/100 Base-T NetIQ WebTrends External
SNMP (v1, v2) Yes
Juniper Networks Standard and custom MIB Yes
NetScreen-200 Series(1) Traceroute Yes
Mode of Operation At session start and end Yes
Layer 2 mode (transparent mode)(3) Yes Virtualization
Layer 3 mode (route and/or NAT mode) Yes Custom security zones 8, 4 on NetScreen-204
NAT (Network Address Translation) Yes Virtual routers (VRs) 3
PAT (Port Address Translation) Yes VLANs supported 32
Policy-based NAT Yes Virtualization key Optional upgrade: adds 10 security
Virtual IP 4 zones, 5 VRs, and 96 VLANs
Mapped IP 4,000 Routing
Users supported Unrestricted OSPF/BGP Dynamic routing 3 instances each
Firewall RIPv1/v2 Dynamic routing Up to 8 instances
Number of network attacks detected 31 Static routes 4096
Network attack detection Yes Source-based routing Yes
DoS and DDoS protections Yes Equal cost multi-path routing Yes
TCP reassembly for fragmented packet protection Yes High Availability (HA)
Malformed packet protections Yes Active/Active Yes
Deep Inspection firewall Yes Active/Passive Yes
Protocol anomaly Yes Redundant Interfaces Yes
Stateful protocol signatures Yes Configuration synchronization Yes
DI Protocols supported HTTP, FTP, SMTP, POP, IMAP, DNS Session synchronization for firewall and VPN Yes
NetBIOS/SMB, MS-RPC, P2P, IM Session failover for routing change Yes
Number of application attacks detected w/DI over 650 Device failure detection Yes
Content Inspection Yes Link failure detection Yes
Embedded antivirus No Authentication for new HA members Yes
Malicious Web filtering up to 48 URLs Encryption of HA traffic Yes
External Web filtering (Websense or SurfControl) Yes LDAP and RADIUS server failover Yes
Integrated Web filtering No VoIP
Brute force attack mitigation Yes H.323 ALG Yes
DI attack pattern obfuscation Yes SIP ALG Yes
SYN cookie Yes NAT for H.323/SIP Yes
Zone-based IP spoofing Yes
IP Address Assignment
VPN Static Yes
Concurrent VPN tunnels up to 1,000 DHCP, PPPoE client Yes
Tunnel interfaces up to 256 Internal DHCP server Yes
DES (56-bit), 3DES (168-bit) and AES encryption Yes DHCP Relay Yes
MD-5 and SHA-1 authentication Yes
PKI Support
Manual Key, IKE, PKI (X.509) Yes
PKI Certificate requests (PKCS 7 and PKCS 10) Yes
Perfect forward secrecy (DH Groups) 1,2,5
Automated certificate enrollment (SCEP) Yes
Prevent replay attack Yes
Online Certificate Status Protocol (OCSP) Yes
Remote access VPN Yes
Self Signed Certificates Yes
L2TP within IPSec Yes Certificate Authorities Supported
IPSec NAT Traversal Yes Verisign Yes
Redundant VPN gateways Yes Entrust Yes
VPN tunnel monitor Yes Microsoft Yes
RSA Keon Yes
iPlanet (Netscape) Yes
Baltimore Yes
DOD PKI Yes
 Page 2

Juniper Networks Certifications

NetScreen-200 Series(1) Safety Certifications
UL, CUL, CSA, CB, NEBS Level 3 (NetScreen-208 with DC power supply)
RADIUS Accounting
RADIUS Start/Stop Yes EMC Certifications
FCC class A, BSMI, CE class A, C-Tick, VCCI class A
System Management
WebUI (HTTP and HTTPS) Yes Environment
Command Line Interface (console) Yes Operational temperature: 23 to 122° F, -5 to 50° C
Command Line Interface (telnet) Yes Non-operational temperature: -4 to 158° F, -20 to 70° C
Command Line Interface (SSH) Yes, v1.5 and v2.0 compatible Humidity: 10 to 90% non-condensing
NetScreen-Security Manager Yes
MTBF (Bellcore model)
All management via VPN tunnel on any interface Yes
NetScreen-204: 6.8 years, NetScreen-208: 6.5 years
SNMP Full Custom MIB Yes
Rapid deployment Yes Security Certifications (Advanced models only)
Common Criteria: EAL4 and EAL4+
Administration
FIPS 140-2: Level 2
Local administrators database 20
ICSA Firewall and VPN
External administrator database RADIUS/LDAP/SecurID
Restricted administrative networks 6
Root Admin, Admin, and Read Only user levels Yes Ordering Information
Software upgrades TFTP/WebUI/SCP/NSM Product Part Number
Configuration Roll-back Yes
Juniper Networks NetScreen-208 w/ AC power supply
Traffic Management NetScreen-208 US power cord NS-208-001
Guaranteed bandwidth Yes NetScreen-208 UK power cord NS-208-003
Maximum bandwidth Yes NetScreen-208 European power cord NS-208-005
Priority-bandwidth utilization Yes NetScreen-208 Japanese power cord NS-208-007
DiffServ stamp Yes
Juniper Networks NetScreen-208 w/ DC power supply
External Flash NetScreen-208 DC power NS-208-001-DC
CompactFlash™ Supports 96, 128 or 512 MB
Juniper Networks NetScreen-204 w/ AC power supply
Industrial Grade SanDisk
NetScreen-204 US power cord NS-204-001
Event logs and alarms Yes
NetScreen-204 UK power cord NS-204-003
System config script Yes
NetScreen-204 European power cord NS-204-005
ScreenOS software Yes
NetScreen-204 Japanese power cord NS-204-007
Dimensions and Power
Juniper Networks NetScreen-204 w/ DC power supply
Dimensions (H/W/L) 1.73/17.5/10.8 inches
NetScreen-204 DC power NS-204-001-DC
Weight 8 lbs.
Rack mountable 19” standard, 23” optional Juniper Networks NetScreen-200 Series Virtualization
Power Supply (AC) 90 to 264 VAC, 45 watts NetScreen-200 Virtualization Key NS-200-VIRT
Power Supply (DC) -36 to -72 VDC, 50 watts Virtualization Key adds 32 VLANs, 5 additional virtual routers, and 10 additional security
zones. Only available with NetScreen ScreenOS 4.0.2 and later.
Licensing Options: The NetScreen-204 and NetScreen-208 are both available with two
Baseline Products
licensing options to provide two different levels of functionality and capacity.
NetScreen-208 Baseline US power cord NS-208B-001
Advanced Models: The Advanced software license provides all of the features and
NetScreen-208 Baseline UK power cord NS-208B-003
capacities listed within this specsheet.
NetScreen-208 Baseline European power cord NS-208B-005
Baseline Models: The Baseline software license provides an entry-level solution for
NetScreen-208 Baseline Japanese power cord NS-208B-007
customer environments where features such as Deep Inspection™, OSPF and BGP
dynamic routing, advanced High Availabilty, and full capacity are not critical
NetScreen-204 Baseline US power cord NS-204B-001
requirements. The following table shows the features and capacities that are different
NetScreen-204 Baseline UK power cord NS-204B-003
than the Advanced models:
NetScreen-204 Baseline European power cord NS-204B-005
NetScreen-204 Baseline NetScreen-208 Baseline NetScreen-204 Baseline Japanese power cord NS-204B-007

Sessions 64,000 64,000

Concurrent VPN tunnels 500 500 (1) Performance, capacity and features listed are based upon the Advanced feature set running ScreenOS 5.2 and may vary
Deep Inspection Firewall N/A N/A with other ScreenOS releases. The Baseline model licensing option provides a subset of features as described in the table
below. Actual throughput for Advanced and Baseline products may vary based upon packet size and enabled features.
VLANs 0* 0*
(2 Performance and capacity provided are the measured maximums under ideal testing conditions and may vary by
OSPF/BGP N/A N/A deployment.
High Availability (HA) Active/Passive Active/Passive (3) The following features are not supported in Layer 2 (transparent mode): NAT, PAT, policy based NAT, virtual IP, mapped IP,
NetScreen Security Manager Supported Supported VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment.
(4) The maximum number of concurrent sessions with deep inspection enabled is 64,000.

*NetScreen-204/208 Baseline can be upgraded to include 96 VLANs, 5 additional virtual

routers, and 10 additional security zones with purchase of an additional Virtualization Key.

CORPORATE HEADQUARTERS
AND SALES HEADQUARTERS
FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737)
or 408-745-2000
Fax: 408-745-2100
www.juniper.net
EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978-589-5800
Fax: 978-589-0800
ASIA PACIFIC REGIONAL EUROPE, MIDDLE EAST, AFRICA
SALES HEADQUARTERS REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd. Juniper Networks (UK) Limited
Suite 2507-11, Asia Pacific Finance Tower Juniper House
Citibank Plaza, 3 Garden Road Guildford Road
Central, Hong Kong Leatherhead
Phone: 852-2332-3636 Surrey, KT22 9JH, U. K.
Fax: 852-2574-7803 Phone: 44(0)-1372-385500
Fax: 44(0)-1372-385501
Copyright 2004, Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the
NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The following are trademarks of Juniper Networks, Inc.: ERX, ESP, E-series, Instant Virtual Extranet, Internet Processor, J2300,
J4300, J6300, J-Protect, J-series, J-Web, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320,
M-series, MMD, NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208, NetScreen-
500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-Remote Security Client,
NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central
Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, NMC-RX, SDX, Stateful Signature, T320, T640, and
T-series. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective
owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this
document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

110004-005 June 2005