This article provides information about the minimum requirements for running NSRP on Juniper firewalls. 

 

• NSRP supports two modes - Active/Passive and Active/Active.

• The Active/Passive mode is the most commonly used HA mode, in which all the traffic is processed by the Active or Master firewall; whereas the Passive or Backup firewall is in the warm standby mode, ready to take over as the Active firewall, in case of failure on the original Active firewall.

• The Active/Active mode allows both of the firewalls to process traffic by providing a load-sharing HA scenario.

• For more information, refer to the NSRP Overview section in the following Concepts & Examples Guides - High Availability, Volume 11:

  • Concepts & Examples ScreenOS Reference Guide Volume 11: High Availability - Release 5.4.0, Rev. D

  • Concepts & Examples ScreenOS Reference Guide Volume 11: High Availability - Release 6.2.0, Rev. 03

  • Concepts & Examples ScreenOS Reference Guide High Availability  Release - 6.3.0, Rev. 02

 

Minimum requirements

  Software

Both firewalls must run the identical ScreenOS version. When running an engineering patch version of ScreenOS, both firewalls must run the identical patch version:

Platform	Active/Passive	Active/Active
ISG Series	5.0.0 or above	5.0.0 or above
NS5000 Series	5.0.0 or above	5.0.0 or above
SSG550M	5.1.0 or above	5.1.0 or above
SSG520M	5.1.0 or above	6.0.0 or above
SSG300 Series	5.4.0 or above	5.4.0 or above
SSG 140	5.4.0 or above	6.0.0 or above
SSG5 & SSG20	5.4.0 or above*	6.0.0 or above*

* extended license required

  License Keys

Both firewalls must have identical features and license keys that are enabled or installed.

  Hardware

Both firewalls must have identical hardware. The line modules must have the same number of ports. For information about certain exceptions, refer to KB13851 - What are the hardware requirements for NSRP cluster in ScreenOS?

  HA Port and Cable

Each firewall must have at least one port that is dedicated to the HA zone, which will carry the NSRP control traffic between the firewalls. The HA cable between the firewalls can be connected directly or via a layer 2 switch with both the ports in the same VLAN.

In Active/Active mode, if data-path forwarding is required, each firewall must have an additional port that is dedicated to the HA zone, which will carry the data traffic between the two firewalls.

 

​2020-08-28: Article reviewed for accuracy; no changes required; article valid and relevant
2017-12-07: Article reviewed for accuracy. Removed End of Life products from the table. Removed links for End of Life products. Article is correct and complete.