ScreenOS Firewalls (NOT SRX)
Visitor
flyfishin4trour
Posts: 5
Registered: ‎12-18-2011
0

Max Users on Netscreen-5gt

Just wondering what you guys think the max number of users you could put behind one of these? Normal workflow. Teachers and students. Just normal web surfing and email. It's licensed unlimited of course. Thanks

Contributor
Morphic
Posts: 26
Registered: ‎03-17-2011
0

Re: Max Users on Netscreen-5gt

The classic answer is it depends... what are they doing, streaming video, voice, peer to peer, etc. 

 

Limits are the actual bandwidth throughput and the number of sessions on the device. 

 

Having said all that, I wouldn't want to put more than 20-30 normal users behind one personally. But if they're very light users (i.e. you restrict them down to what they can do!) you might get away with more. 

Visitor
flyfishin4trour
Posts: 5
Registered: ‎12-18-2011
0

Re: Max Users on Netscreen-5gt

Wow! I would have guessed at least 75. They are definitely very light users. No streaming, voice, p2p. Just surfing and email. What does it mean when they say 2000 concurrent sessions? I've looked and looked and can't find a definitive answer to that. Thanks

Super Contributor
mwdmeyer
Posts: 200
Registered: ‎03-11-2008
0

Re: Max Users on Netscreen-5gt

The NetScreen 5GT is an old device, I wouldn't use it for more than about 25 users. In fact I wouldn't really use it at all as they no longer get the latest ScreenOS version. Sessions is the number of open connections. Most users would normally use around 8-15 sessions per device.
Visitor
flyfishin4trour
Posts: 5
Registered: ‎12-18-2011
0

Re: Max Users on Netscreen-5gt

The update that I just did was from Oct 18, 2011 so it's not that old. But I get what you're saying. 50 users would be pushing it for sure. Thanks

Contributor
Morphic
Posts: 26
Registered: ‎03-17-2011
0

Re: Max Users on Netscreen-5gt

A session is any conversation happening between the zones on the firewall. 

 

So, if you go to a dos prompt now and type

 

netstat -an |find /i "established"

 

You can see how many TCP sessions you currently have established - look for any that have a public source or destination and you will see how many would traverse the firewall. Bear in mind opening a webpage these days will generate lots of sessions, as images/adverts etc are all loaded separately.

 

So opening a graphic heavy page could generate 10 sessions (briefly). But the devices are well and truly end of lifed - see below

 

PSN Issue : This document announces the End of Life (EOL) for the NetScreen-5GT (NS-5GT) products. The EOL announcement for these products is effective 30-June-2008 with a last order date of 31-December-2008. Effective 1-January-2009, the above products will be removed from the price list and will no longer be orderable.

 

The new range of replacement firewalls, the SRX's, are several orders of magnitude more powerful...

 

Hope that helps!
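
The netstat check described in the post above, as an added example that is not part of the original thread: it counts the ESTABLISHED TCP sessions whose peer is outside the LAN and relates the per-host count to the 2000-session figure quoted earlier. The sample output is constructed, and the list of internal ranges and all function names are assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output; the "public" peers use
# documentation address ranges, not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49710     192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:49755     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49756     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49760     198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.20:49761     198.51.100.7:80        TIME_WAIT
  TCP    127.0.0.1:5354         127.0.0.1:49700        ESTABLISHED
  TCP    [fe80::1%12]:49770     [fe80::2%12]:445       ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# Assumption: peers in these ranges stay on the LAN side and never cross the firewall.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def peer_address(endpoint):
    """Parse 'ip:port' or '[ipv6%zone]:port' into an ip_address object."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    return ipaddress.ip_address(host)

def firewall_sessions(netstat_text):
    """Return (local, remote) pairs for ESTABLISHED TCP sessions to non-internal peers."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            remote = peer_address(fields[2])
        except ValueError:
            continue  # unparseable address: skip rather than miscount
        if not any(remote in net for net in INTERNAL_NETS):
            found.append((fields[1], fields[2]))
    return found

def hosts_within_limit(sessions_per_host, session_limit=2000):
    """Hosts that fit under the session limit (2000 is the figure quoted in the thread)."""
    if sessions_per_host <= 0:
        raise ValueError("sessions_per_host must be positive")
    return session_limit // sessions_per_host

if __name__ == "__main__":
    print(len(firewall_sessions(SAMPLE_NETSTAT)), "sessions would traverse the firewall")
    for per_host in (8, 15):  # per-device range quoted in the thread
        print(per_host, "sessions/host ->", hosts_within_limit(per_host), "hosts")
```

A netstat snapshot covers only TCP on one host at one instant; the firewall's session table also holds UDP flows such as DNS lookups and keeps entries until they time out, so treat the count as a lower bound.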

Visitor
flyfishin4trour
Posts: 5
Registered: ‎12-18-2011
0

Re: Max Users on Netscreen-5gt

Thanks for all the input. If I was going to look at the SRX series, what would be the best version for 100 users? Could I get away with the SRX100? The client is a school and very short on funds so I am trying to do this as cheaply as possible. Thanks

Visitor
flyfishin4trour
Posts: 5
Registered: ‎12-18-2011
0

Re: Max Users on Netscreen-5gt

I also forgot to mention that there will be no users using vpn on this router. That would bring down the cpu a bunch. Any ideas on a safe number of users after that?

Contributor
Morphic
Posts: 26
Registered: ‎03-17-2011
0

Re: Max Users on Netscreen-5gt

Hi there,

 

Again, it depends how much "stuff" they are doing, but this might help

 

http://www.juniper.net/us/en/local/pdf/datasheets/1000265-en.pdf

 

I expect the SRX100B would suffice if they are minimal users, like you suggest, and you're not doing much else. You can always upgrade to the H version with a licence if you find you start running into session limits (just keep an eye on your logs, or set up alerts). If you want to use all the UTM features (web filtering, anti-spam, anti-virus etc) you need the high memory version.

 

The SRX100B is actually the same physical hardware as the SRX100H, but you need to use a licence to activate the additional memory.

 

I hope that helps, and let me know if you have any problems with the deployment or would like to know anything about the other features.

 

Cheers,

Harry

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.