
Sat, 13 Jan 2007 9:58 PM

Juniper SSG 5

Michael Dale

Well, I finally got my new Juniper SSG 5 firewall (the replacement model for my old Netscreen 5gt).

I ordered it back in November. Originally I was going to get the wireless version, but they were still out of stock early this year, so I ended up getting the base model (with 256MB of RAM).

The main reason for the upgrade was that we'd run out of VPN tunnels (the 5gt did 10). The new version supports 25, and it is upgradeable to 40.

The SSG 5 also has the following advantages over the 5gt (I'm comparing the base model 5gt and the base model SSG 5):

  • 4000 sessions, up from 2000
  • 25 VPN tunnels, up from 10
  • Unlimited users, up from 20 (my 5gt has an upgrade to support 20 users)
  • 7 Ethernet interfaces, up from 5 (and they aren't limited in terms of zones like the 5gt's are)
  • DMZ support (we've just got a subnet, so this should be useful)
  • Support for ScreenOS 6, which should be out this year
  • Faster: 160 Mbps firewall throughput (from 75 Mbps), 40 Mbps VPN throughput (from 20 Mbps)
  • 256MB RAM, up from 128MB
  • 64MB flash, up from 32MB

So the device is pretty much double everything that the 5gt is.

It also cost me double. I got the 5gt off eBay for $320, whereas the SSG 5 cost me $640 new. I got a really good price on it as Bryn was able to sign up as a Juniper reseller; the SSG 5 is about $1200 retail.

The main limitation of the old Netscreen 5gt was the port modes.

The port mode defines which zone (untrust, trust, dmz, etc.) each Ethernet interface belongs to. Any time you needed to change this you were required to reset the device and its config (see below).

(Image: Netscreen 5gt port modes)

(Image: Netscreen 5gt interface list)

The SSG 5, on the other hand, has something called bridge groups, which let you easily change which zone each interface is in without resetting the device and/or config.

Much more useful if you're playing around with different network topologies (see below).

(Image: Juniper SSG 5 bridge groups)

I've updated some of the IPsec benchmarks to include both the SSG 5 and an old Netscreen 100 I picked up.


On Wed, 07 Feb 2007 at 12:06 PM, Mark Kamichoff wrote:

Bridge groups are great, and very long overdue. The SSG 5s seem to be capable of full-blown NSRP, too, which blows HA Lite out of the water. I think you have to manually set the interface, though (i.e., set nsrp int e0/4), instead of moving an interface into the HA zone. Bets on when Juniper is going to EoL the 5GT/5GT-Wireless models?

On Thu, 02 Aug 2007 at 9:07 PM, eDub wrote:

I don't think the 5GT will EOL soon. As with the NS-204/208 and on down, Juniper stopped developing code for them beyond 5.4. I'm running 6.02 on my wireless SSG-5 and it is definitely a visual improvement and appears to be quite stable. I was a SunRocket customer and recently ran to Packet8. It took me a bit of fiddling to get the SSG-5 to play nice with traffic destined for the Packet8 VOIP ATA, which I've set up in my DMZ using a VIP. If anyone is interested, I can post what I did.

On Thu, 02 Aug 2007 at 9:33 PM, Michael Dale (of wrote:

Did you notice that ScreenOS 6.0.0r2 increases the session limit on the SSG-5 to 8000 sessions (basic model)?

On Wed, 10 Oct 2007 at 1:39 AM, Kunal wrote:

I have got one of these and find 4 bgroups restrictive. I am trying to achieve 6 separate networks (trust) and 1 WAN (untrust).

On Wed, 10 Oct 2007 at 7:42 PM, Michael Dale (of wrote:

You don't need to use bgroups. Just create your own zones and assign each interface to that zone.
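A worked ScreenOS configuration for the layout Kunal describes (six separate trust-side networks plus one WAN link across the SSG 5's seven Ethernet interfaces), added here as an illustration rather than a config from the post or its comments. The interface names follow the SSG 5 layout; the zone names, addresses and upstream gateway are constructed, and the comment lines are explanations rather than ScreenOS syntax.

```text
# Constructed example: ethernet0/0 is the WAN (untrust) uplink; ethernet0/1
# to ethernet0/6 each get their own Layer 3 zone instead of sharing bgroup0.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/30
set interface ethernet0/0 route
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# Pull the ports out of the default bridge group so each can be assigned on
# its own (ethernet0/2 to 0/6 ship as members of bgroup0 in the trust zone).
unset interface bgroup0 port ethernet0/2
unset interface bgroup0 port ethernet0/3
unset interface bgroup0 port ethernet0/4
unset interface bgroup0 port ethernet0/5
unset interface bgroup0 port ethernet0/6

# One custom zone per network. An interface must have no IP configured
# before it can be moved into a different zone, so assign zone, then address.
set zone name "lan1"
set interface ethernet0/1 zone lan1
set interface ethernet0/1 ip 192.168.1.1/24
set zone name "lan2"
set interface ethernet0/2 zone lan2
set interface ethernet0/2 ip 192.168.2.1/24
set zone name "lan3"
set interface ethernet0/3 zone lan3
set interface ethernet0/3 ip 192.168.3.1/24
set zone name "lan4"
set interface ethernet0/4 zone lan4
set interface ethernet0/4 ip 192.168.4.1/24
set zone name "lan5"
set interface ethernet0/5 zone lan5
set interface ethernet0/5 ip 192.168.5.1/24
set zone name "lan6"
set interface ethernet0/6 zone lan6
set interface ethernet0/6 ip 192.168.6.1/24

# Outbound policy per zone, source-NATed to the untrust interface address.
# ScreenOS denies inter-zone traffic that no policy permits, so with no
# lanN-to-lanM policies written the six networks stay isolated from each other.
set policy from "lan1" to "untrust" "Any" "Any" "ANY" nat src permit
set policy from "lan2" to "untrust" "Any" "Any" "ANY" nat src permit
set policy from "lan3" to "untrust" "Any" "Any" "ANY" nat src permit
set policy from "lan4" to "untrust" "Any" "Any" "ANY" nat src permit
set policy from "lan5" to "untrust" "Any" "Any" "ANY" nat src permit
set policy from "lan6" to "untrust" "Any" "Any" "ANY" nat src permit
```

Where two of the networks do need to talk, add an explicit policy between just those two zones rather than putting their interfaces back into a shared bgroup, so the segmentation remains visible in the policy table.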

On Thu, 22 Nov 2007 at 1:42 PM, sourav wrote:

How to configure VPN in Juniper SSG 5 firewall?

On Thu, 22 Nov 2007 at 4:56 PM, Michael Dale (of wrote:

Look here.

On Sun, 02 Dec 2007 at 3:24 AM, Russ wrote:

I just got an SSG5 w/wifi. It is way over my head. I am using it for a small network. We have a Comcast cable modem. Is there a simple way to set this up and get it working without utilizing all the features? I will need to have one PC and one printer attached via the Ethernet cable and 3 PCs via the wifi. Any help will be greatly appreciated. Sounds like this should be a simple application, but I'm not having any success. Thanks! Russ

On Wed, 13 Aug 2008 at 4:06 AM, ziz wrote:

@eDub: would you post your config for allowing the SSG to play nice with Packet8?
