This article provides information about the minimum requirements for running NSRP on Juniper firewalls.
Minimum requirements
Software
Both firewalls must run the identical ScreenOS version. When running an engineering patch version of ScreenOS, both firewalls must run the identical patch version:
Platform |
Active/Passive |
Active/Active |
ISG Series |
5.0.0 or above |
5.0.0 or above |
NS5000 Series |
5.0.0 or above |
5.0.0 or above |
SSG550M |
5.1.0 or above |
5.1.0 or above |
SSG520M |
5.1.0 or above |
6.0.0 or above |
SSG300 Series |
5.4.0 or above |
5.4.0 or above |
SSG 140 |
5.4.0 or above |
6.0.0 or above |
SSG5 & SSG20 |
5.4.0 or above* |
6.0.0 or above* |
* extended license required
License Keys
Both firewalls must have identical features and license keys that are enabled or installed.
Hardware
Both firewalls must have identical hardware. The line modules must have the same number of ports. For information about certain exceptions, refer to KB13851 - What are the hardware requirements for NSRP cluster in ScreenOS?
HA Port and Cable
Each firewall must have at least one port that is dedicated to the HA zone, which will carry the NSRP control traffic between the firewalls. The HA cable between the firewalls can be connected directly or via a layer 2 switch with both the ports in the same VLAN.
In Active/Active mode, if data-path forwarding is required, each firewall must have an additional port that is dedicated to the HA zone, which will carry the data traffic between the two firewalls.
2020-08-28: Article reviewed for accuracy; no changes required; article valid and relevant
2017-12-07: Article reviewed for accuracy. Removed End of Life products from the table. Removed links for End of Life products. Article is correct and complete.