
NetScreen Technologies, Inc. NetScreen 5200 versus Nokia IP740 and Cisco Systems PIX 535: Competitive Evaluation of Multi-Gigabit Firewall/VPN Multifunction Devices

Sponsor: NetScreen Technologies, Inc. (Juniper)
NetScreen 5200 versus Nokia IP740 and Cisco PIX 535 Evaluation of Multi-Gig Firewall/VPN Devices

Abstract

Tolly Group Report #202121 (March 2002) benchmarks the NetScreen-5200 multi-gigabit firewall/VPN against Cisco PIX 535 and Nokia IP740, using zero-loss (<0.001% packet loss) Gigabit-Ethernet tests for firewall, IPSec VPN and latency.


Firewall throughput and scale

  • NetScreen-5200 sustains 4 Gbit/s bidirectional firewall throughput and 2 Gbit/s at 64-byte packets with 100 000 sessions, outperforming PIX 535 by 26× and IP740 by 17×.

  • At 500 000 sessions the platform remains wire-speed on most frame sizes and still forwards 1.4 Gbit/s (70% line rate) for 64-byte traffic; Cisco could not reach 500 000 sessions and Nokia’s ceiling was lower.


VPN performance

  • Across a single IPSec 3DES/SHA-1 tunnel, NetScreen-5200 delivers 700 Mbit/s at 64-byte packets (24× PIX 535) and scales to 1.93 Gbit/s (96.6% line rate) at 1 400-byte packets, while PIX 535 tops out at 110 Mbit/s.

  • Accounting for IPSec overhead, NetScreen still moves 56% of theoretical bandwidth with 64-byte packets versus PIX 535’s 2%.


Latency

  • Firewall latency is 6.5 µs for 64-byte frames (57% below PIX 535 and 65% below IP740) and remains lower across larger packets.

  • VPN latency is 20 µs at 64 bytes, 93% lower than PIX 535; the advantage persists up to 1 400-byte packets (66% lower).


Key takeaways


NetScreen-5200 combines multi-gigabit firewalling, high-speed IPSec, sub-10 µs firewall latency and carrier-class session scale while competitors lose throughput or fail to scale. These results position it as a robust choice for enterprises and service providers that need predictable, low-latency security services at gigabit rates without performance trade-offs.