NETSCREEN TECHNOLOGIES INC - 10-K Annual Report

Indicate by check mark whether the Registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes x No ¨

This annual report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements may be identified by the use of words such as “expect,” “anticipate,” “intend,” “believe,” “estimate,” “will,” “may,” “continue” and similar terms. These forward-looking statements include our expectations about revenue, cost of revenues and various operating expenses. Our actual results may differ significantly from those projected in the forward-looking statements as a result of many factors, such as risks and uncertainties regarding our anticipated costs, expenses, revenue channel and revenue mix. Factors that might cause or contribute to these differences include, but are not limited to, those discussed in the section “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and the section entitled “Factors That May Affect Our Business and Future Results of Operations and Financial Condition” and elsewhere in this report. You should also carefully review the risks described in other documents we file from time to time with the Securities and Exchange Commission, including the quarterly reports on Form 10-Q or current reports on Form 8-K that we will file in 2003. You are cautioned not to place undue reliance on the forward-looking statements, which speak only as of the date of this report. We undertake no obligation to update any forward-looking statements for any reason, except as required by law, even if new information becomes available or other events occur in the future.

Virtual private networks, called VPNs, allow access to an internal network through the Internet or other untrusted network to securely connect two or more locations as well as remote users. VPNs protect against malicious eavesdropping and/or data manipulation by encrypting data to provide confidentiality and authenticating data to provide data integrity. Firewalls help prevent unauthorized network access by establishing a perimeter defense between two networks, such as an enterprise’s network and the Internet. Firewalls enable users to establish security policies designed to permit only authorized traffic into and out of a connected network. Intrusion detection and prevention, called IDP, appliances detect network attacks using sophisticated detection methods and, once an attack is identified, can alert internal IT staff or drop the packets or connection associated with the attack.

Our firewall and VPN systems and appliances deliver integrated firewall, VPN and denial of service protection capabilities in a single device using our proprietary application specific integrated circuits, which we refer to as the GigaScreen and GigaScreen-II ASICs, and our proprietary security operating system and applications, which we refer to as ScreenOS. Our IDP appliances run a secure version of the Linux operating system and use proprietary software and multiple detection methods to identify network and application attacks and prevent them from reaching mission-critical resources. Our products are based on industry standard communication protocols so they can be integrated easily into networks and will interoperate with other security devices and software applications. Our security systems and appliances can be centrally managed with flexible management software. For our firewall and VPN systems and appliances, our NetScreen Global-PRO and Global-PRO Express enable secure, scalable monitoring of devices, network traffic and security events and policy administration. For our IDP appliances, our NetScreen-IDP Manager gives administrators control over which traffic the IDP appliance should examine and how it should respond when intrusions are detected.

Our end customers are a broad range of enterprises, large communication service providers, called carriers, and government entities. Our products are deployed in a wide range of networks from single user environments to large-scale, carrier class network deployments. Our family of products enables our end customers to cost-effectively address their network security needs across the network using firewall, VPN, denial of service protection and IDP solutions from a single vendor.

Our firewall and VPN systems and appliances deliver integrated firewall, VPN and denial of service protection capabilities in a single device. Each device is standards-based for easy integration into customer networks, interoperability with other IP security protocol, or IPSec, devices, and secure management and monitoring via a wide range of industry standard interfaces. Our IDP appliances incorporate multiple methods of detection, such as attack pattern matching, protocol anomaly detection and backdoor detection, in a single device. These detection methodologies monitor the data traffic and connection requests on a network, identify and stop attacks based on known patterns of attack, suspicious traffic or connection requests, and the likely means of attack. Using our products, enterprises, carriers and government entities can facilitate secure communication over the Internet, while accommodating sudden surges in network traffic and protecting against denial of service attacks as well as sophisticated intrusion attempts by hackers.

We provide two classes of firewall and VPN products: high performance chassis-based systems and fixed configuration appliances. Our firewall and VPN system products include the NetScreen-5400, NetScreen-5200, NetScreen-1000 and NetScreen-500. These products are high capacity, high availability, flexible configuration, network security platforms. These chassis-based systems allow users to deploy multiple configurations that best suit their network environment. Our firewall and VPN appliance products include the NetScreen-208, NetScreen-204, NetScreen-100, NetScreen-50, NetScreen-25, NetScreen-5XT and NetScreen-5XP. These appliances provide a fixed configuration solution that greatly simplifies customer installation and can be deployed to address specific network requirements. All of our firewall and VPN systems and appliances use our ScreenOS operating system and applications, enabling flexible security and network configurations to meet the needs of a wide variety of network environments.

We provide two IDP appliances: the NetScreen IDP-500 and NetScreen IDP-100. These products detect attacks and prevent intrusions to reduce or eliminate the impact of a broad range of sophisticated network attacks. These IDP appliances provide efficient attack detection, reducing the number of false alarms and missed attacks, and attack prevention, by dropping the packets or connection associated with the attack. These IDP appliances can be deployed as an enforcement point, or in-line, in the network to stop attacks that may have otherwise been missed by other security systems or otherwise have reached their intended network targets.

We also provide management software products that are deployed in connection with our network security solutions. Together with our firewall and VPN systems and appliances, NetScreen-Global PRO security management software permits our customers to enable VPN connections with the personal computers of remote users and to manage security policies and monitor network security from a single management application. NetScreen-IDP Manager provides centralized, rule-based management that simplifies how administrators and managers deploy, configure and respond to attacks using our IDP appliances.

Broad Security Solution. Our broad product line allows us to provide solutions that meet a range of enterprise, carrier and government entity requirements for firewall, VPN, denial of service protection and IDP capabilities. We believe our breadth of product offerings allows our customers to deploy broad security solutions to meet their connectivity, application and network requirements. Our breadth of product offerings allows us to address the needs of a wide range of customers and networks from single user environments to large-scale, carrier class network deployments. We believe we offer our customers the most comprehensive and effective network security solutions available.

Integrated, Cost-effective Network Security Solutions. Each of our firewall and VPN systems and appliances integrates firewall, VPN and denial of service protection capabilities into a single device. Each of our IDP appliances integrates multiple detection technologies and prevention capabilities into a single device. This integrated approach reduces the complexity and expense of purchasing and integrating separate single-function products from multiple vendors.

Industry Leading High Performance Security Systems. Our high performance firewall and VPN security systems can be deployed in mission-critical environments such as enterprise central sites, corporate extranets, major e-business Web sites and carrier network infrastructures and can be used to deliver managed security services. Using our high performance firewall and VPN systems, enterprises, carriers and government entities are able to deploy integrated VPN and firewall capabilities at up to 12 Gbps of throughput for firewall and 6 Gbps of throughput for VPN. Large numbers of VPN tunnels, sessions and policies can be added to the NetScreen-5400, NetScreen-5200, NetScreen-1000 and NetScreen-500, with minimal degradation in network performance.

High Performance. Our firewall and VPN systems and appliances are designed to maximize performance across the network. Each of our firewall and VPN systems and appliances uses either our GigaScreen or GigaScreen-II ASIC, which we believe are the fastest security ASICs in the industry and the first ASICs to combine both firewall and VPN capabilities.

Ease of Implementation and Manageability. Our firewall and VPN systems and appliances and IDP appliances are easily managed and require minimal configuration. As a result, they can be deployed quickly and cost-effectively in a network. In addition, the applications in ScreenOS and IDP OS implement industry standard protocols and management interfaces enabling interoperability with a broad range of third-party products.

	Throughput		IPSec Tunnels(1)	TCP Sessions(2)	List Price(3)
Product	Firewall	VPN	IPSec Tunnels(1)	TCP Sessions(2)	List Price(3)
Security Systems NetScreen-5400	12 Gbps	6 Gbps	25,000	1,000,000	$99,000–$310,000
NetScreen-5200	4 Gbps	2 Gbps	25,000	1,000,000	$69,000–$269,000
NetScreen-1000	2 Gbps	1 Gbps	25,000	500,000	$65,000–$245,700
NetScreen-500	700 Mbps	250 Mbps	10,000	250,000	$22,500–$84,600

Security Appliances NetScreen-208	550 Mbps	200 Mbps	1,000	128,000	$14,995–$20,800
NetScreen-204	400 Mbps	200 Mbps	1,000	128,000	$9,995–$14,300
NetScreen-100	200 Mbps	200 Mbps	1,000	128,000	$9,995–$14,300
NetScreen-50	170 Mbps	50 Mbps	100	8,000	$5,995–$7,795
NetScreen-25	100 Mbps	20 Mbps	25	4,000	$3,495–$4,500
NetScreen-5XT	70 Mbps	20 Mbps	10	2,000	$695–$1,500
NetScreen-5XP	10 Mbps	10 Mbps	10	2,000	$495–$1,300

Firewall and VPN Systems. The NetScreen-5400, NetScreen-5200, NetScreen-1000 and NetScreen-500 products are high performance security systems designed to provide integrated firewall, VPN and denial of service protection capabilities for enterprise environments and carrier network infrastructures. Each can be deployed in high bandwidth environments and can be used to deliver managed security services. Our firewall and VPN systems allow unique security policies to be enforced for multiple virtual local area networks, or VLANs, allowing a single system to secure multiple networks. Our security systems also allow for the creation of multiple Virtual Systems, each providing a unique security domain with its own virtual firewall and VPN and dedicated management interface. These features enable enterprises, carriers and government entities to use a single security system to secure multiple networks and enable carriers to deliver security services to multiple customers. For example, the NetScreen-5000 product family supports 4,000 VLANs and 500 Virtual Systems. The NetScreen-500 supports 100 VLANs and 25 Virtual Systems.

Firewall and VPN Appliances. The NetScreen-208, NetScreen-204, NetScreen-100, NetScreen-50, NetScreen-25, NetScreen-5XT and NetScreen-5XP security appliances are fixed configuration products of varying performance characteristics that offer integrated firewall, VPN and denial of service protection capabilities. Our security appliances are designed to maximize security and performance while using less physical space than competing products. Our security appliances can be deployed to provide small to medium-sized businesses and enterprise remote locations with secure Internet access and communication.

Our IDP appliances detect attacks and prevent intrusions using Multi-Method Detection, or MMD, which utilizes eight intrusion detection methods to increase the attack detection accuracy and provide the broadest attack detection coverage available. These attack detection mechanisms include protocol anomaly, backdoor, traffic anomaly, IP spoofing, Layer 2 and SYN-flood detection, a network honeypot and a technique called Stateful Signature Detection. Stateful Signature Detection uses signatures that look for attack pattern matches only in the relevant portions of the traffic where an intrusion can be perpetrated. Our IDP appliances provide fast and efficient traffic processing and alarm collection, presentation and forwarding. Once an attack is detected, our IDP appliances prevent the intrusion by dropping the packets or connection associated with the attack, reducing or eliminating the effects of the attack. Our IDP appliances can also alert the IT staff to respond to the attack. Our IDP appliances can be clustered to provide high availability and reduce risk associated with a single point of failure.

NetScreen-Global PRO. NetScreen-Global PRO is a centralized management application that enables enterprises, carriers and government entities to manage and control security for large-scale networks from a single location. NetScreen-Global PRO is designed to allow for multi-customer and role-based device configuration, policy management, real-time monitoring and historical reporting of network traffic and security logs for multiple firewall and VPN security systems and appliances. NetScreen-Global PRO manages all of our firewall and VPN systems and appliances and can be delivered as a pre-installed software application on a third party server to simplify deployment. NetScreen-Global PRO also enables centralized policy management for NetScreen-Remote VPN client software. The list price for NetScreen-Global PRO management software and the server is between $16,995 and $72,800 depending on the number of devices to be managed and customer location.

NetScreen-Global PRO Express. NetScreen-Global PRO Express is an entry-level version of our management software that enables configuration, policy management and real-time monitoring for up to 100 firewall and VPN security systems and appliances. NetScreen-Global PRO Express also enables centralized policy management for NetScreen-Remote VPN client software. NetScreen-Global PRO Express manages all of our firewall and VPN systems and appliances and is delivered as a pre-installed software application on a third- party server to simplify deployment. The list price for the NetScreen-Global PRO Express management software and the server is between $5,995 and $19,500 depending on the number of devices to be managed and customer location.

NetScreen-IDP Manager. NetScreen-IDP Manager provides centralized, policy-based management for all of our IDP appliances. Using the NetScreen-IDP Manager, customers can manage up to 100 IDP appliances from a single management console. Administrators create individual rules to establish a security policy. This gives administrators control over which traffic the IDP appliance should examine and how it should respond when attacks or intrusions are detected. NetScreen-IDP Manager capabilities include a policy editor, log viewer, integrated security incident management and reports to provide our customers useful tools to manage security by using our IDP application. Customers can manage up to 10 IDP appliances using NetScreen-IDP Manager at no cost. The list price for an upgrade to the NetScreen-IDP Manager management software and the server is between $8,495 and $22,795 depending on the number of devices to be managed and customer location.

NetScreen-Remote Client software. NetScreen-Remote is a line of two client software products that enable mobile or remote users with security capabilities. NetScreen-Remote VPN Client is used to establish VPN connections from personal computers. It is based on IPSec client software licensed from a third party. The list price for NetScreen-Remote VPN Client is up to $9.50 per license. NetScreen-Remote Security Client is used to establish VPN connections as well as integrated client-based firewall capabilities. It uses software licensed from a third party. The list price for NetScreen-Remote Security Client is up to $44.50 per license.

We provide a range of hardware and software support options for our firewall and VPN systems and appliances, IDP appliances and for our NetScreen-Global PRO, NetScreen-Global PRO Express and NetScreen-IDP Manager applications. These options include extended hardware maintenance, faster hardware replacement for defective units, software maintenance, as well as world-wide technical support with access 24 hours a day, seven days a week. These service offerings can be purchased as a bundle to provide complete service and support for the covered product or as separate support offerings. The software maintenance provides our end customers with updates and upgrades during the period of coverage purchased by the customer.

To facilitate the sale, customer installation and use of our security products, we provide our customers with fee-based, hands-on training classes, testing and certification, and professional services such as network design, product installation and configuration, and security assessments. These services can be sold by our resellers and can be delivered directly by our personnel or by authorized training and service partners.

We have established formal and informal commercial relationships with networking, security and application development companies to provide low cost, high performance network security solutions to our customers. We expect these alliances to verify and demonstrate the interoperability of our security products with other networking equipment and technologies. We also expect these alliances to help facilitate the introduction of new features and enhancements allowing our products to work with other security technologies such as anti-virus and authentication products and to facilitate our products compatibility with new technologies such as mobile data services, including GPRS.

Through our Global Security Alliance program, end customers can select scalable and comprehensive network security solutions to secure their networks. Solutions offered through this program combine the features of our systems and appliances, such as firewall, VPN, denial of service protection and intrusion detection and prevention, with the features of our alliance members’ products, that provide additional complementary technologies and services, to provide comprehensive end-to-end security for an end customer’s network infrastructure. The joint solutions are certified in an alliance integration lab and then made available to customers with integration documentation and other tools for successful implementation. Joint solutions currently include monitoring and reporting tools, content filtering, route optimization and application security.

Our Global Security Alliance currently includes the following members: Ericsson AB, Extreme Networks, Inc., Foundry Networks, Inc., Funk Software, Inc., Internet Security Systems, Inc., Juniper Networks, Inc., Micromuse, Inc., Network Security, Inc., netIQ Corporation, Radware Ltd., RouteScience Technologies, Inc., RSA Security Inc., SafeNet, Inc., SafeWeb, Inc., SilentRunner, Inc., Smartpipes, Inc., Solsoft, Inc., Stratum8 Networks, Inc., SurfControl, Inc., Sygate Technologies, Inc., TrendMicro, Inc., and Websense, Inc. Of the foregoing, Radware Ltd., RouteScience Technologies, Inc., SilentRunner, Inc., Stratum8 Networks, Inc. and SurfControl Inc. have certified solutions.

Domestically, we sell directly to major carriers and, through value-added resellers and a distributor, to end customers. Internationally, we sell primarily through distributors, who, in turn, sell to value-added resellers. Sales through distributors and value-added resellers represented approximately 86.9% of our total revenues in the year ended September 30, 2002.

Our products are sold to end customers, such as established companies and large carriers including traditional local and long distance telephone companies, Internet carriers, managed security service providers, Internet data center operators, metropolitan area network carriers and government entities. In 2002, 2001 and 2000, no customer accounted for more than 10% of our total revenues.

Each of our firewall and VPN security systems and appliances is built on a technology core that consists of our proprietary GigaScreen or GigaScreen-II ASICs, and our ScreenOS, which integrates a security operating system and other software applications. Our ASICs and ScreenOS have been designed specifically for the unique requirements of high performance security processing. The NetScreen-5000 series of systems uses GigaScreen-II ASICs and an innovative system architecture to deliver high performance security processing. We incorporate our Virtual Systems capability and high availability technology into the NetScreen-5400, NetScreen-5200, NetScreen-1000 and NetScreen-500. We incorporate our high availability technology into the NetScreen-208, NetScreen-204, NetScreen-100, the NetScreen-50 and the NetScreen-IDP appliances. The NetScreen-IDP 500 and NetScreen-IDP 100 appliances offer Multi-Method Detection, or MMD, which utilizes eight intrusion detection methods for efficient attack detection and intrusion protection, making it capable of dropping an attack to reduce or eliminate its impact on the network. We have also developed scalable, centralized management software to allow our end customers to manage large numbers of security devices.

The NetScreen-5000 series of systems use up to six GigaScreen-II ASICs and a distributed system architecture for high performance security processing. The GigaScreen-II ASIC contains multiple, small, yet powerful, processing engines, each responsible for a portion of data flow processing. Examples of these processing functions include packet parsing, classification, fragmentation, reassembly, encryption, decryption, network address translation and session lookup. The GigaScreen-II ASIC’s high performance packet input-output capability and controls are designed to integrate with modern hardware packet switching technology.

NetScreen’s other firewall and VPN products use our GigaScreen ASIC and innovative hardware designs to relieve the performance bottleneck that has been associated with both software-based security products running on general-purpose computers and first generation hardware-based security appliances. Our GigaScreen ASIC provides hardware-based acceleration for firewall and VPN functions, such as encryption, authentication, public key acceleration, security policy search engine and network address translation acceleration. Each GigaScreen ASIC performs data encryption using the data encryption standard, or DES, which is an industry standard encryption algorithm, at speeds of up to 1.2 Gbps, or up to 400 Mbps using 3DES encryption. Each GigaScreen ASIC also supports industry standard authentication algorithms, such as MD-5 and SHA-1. The NetScreen-1000, NetScreen-500, NetScreen-208, NetScreen-204 and NetScreen-100 are based on system-level designs that incorporate a GigaScreen ASIC connected to a reduced instruction set computing, or RISC, processor through a multi-bus architecture to accelerate processing-intensive security functions. This multi-bus architecture uses two independent buses to connect our GigaScreen ASIC and host processor to the packet memory. Our multi-bus architecture increases performance by reducing the bandwidth burden on the packet memory bus.

Our ScreenOS is a security operating system integrated with a suite of applications designed to offer high levels of security and performance that we have incorporated into all of our security systems and appliances. We have developed ScreenOS to deliver a complete suite of tightly integrated high performance network security functions including firewall, VPN, and denial of service protection. ScreenOS is designed to eliminate traditional performance bottlenecks and known security flaws. It cannot be easily analyzed for vulnerabilities by hackers since the source code is not generally publicly available. In addition to providing a secure operating system and key security applications, ScreenOS delivers a robust set of technologies based on industry standard protocols designed to allow our security systems and appliances to be integrated easily into our end customer’s existing networks.

To facilitate network integration, ScreenOS allows our security systems and appliances to be configured to work in one of three modes of operation, route mode, network address translation, or NAT, mode, and transparent mode. In route mode, the network is configured to have different IP networks on each interface of the security product, and our system or appliance enforces security policies as it routes traffic between different networks. In NAT mode, IP addresses on one interface can be translated into different IP addresses as the traffic traverses the device, allowing IP addresses to be hidden from outside view for increased security as well as allowing addresses to be conserved. NetScreen’s transparent mode enables the security device to be integrated easily into a network without any changes to IP addressing of the network. In transparent mode, the device will not be assigned an IP address, which makes it harder for a hacker to detect or attack the security system or appliance.

supports dynamic routing protocols including OSPF, BGP and RIPv2. ScreenOS supports and is compatible with authentication mechanisms including Radius servers, Secured token-based authentication and digital certificates and certificate authorities from VeriSign, Inc., Entrust, Inc., Baltimore Technologies plc, Microsoft Corporation, Netscape Communications Corp. and RSA Security Inc. ScreenOS supports industry standard management protocols including simple network management protocol, or SNMP, syslog, telnet and secure shell, or ssh, protocol, as well as proprietary management interfaces to our central management software and to NetIQ’s WebTrends monitoring application.

The NetScreen-5400, NetScreen-5200, NetScreen-1000, NetScreen-500, NetScreen-208, NetScreen-204, NetScreen-100 and NetScreen-50 incorporate our ScreenOS high availability capabilities, which are based on version 2 of the NetScreen Redundancy Protocol, or NSRPv2. NSRPv2 enables a redundant pair of our security systems to be integrated into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. These systems can simultaneously process network traffic, called an active-active configuration, and can synchronize system configurations, session states and IPSec tunnel states between the systems using redundant, high availability connections between the two systems. This system synchronization allows a redundant system to take over network traffic processing typically in less than one second after a system or network failure to ensure that network traffic can continue to be forwarded. The NetScreen-50 provides for synchronization of system configuration, session states and IPSec tunnel states between an active appliance and a standby appliance, called an active-passive configuration.

The NetScreen-5400, NetScreen-5200, NetScreen-1000 and NetScreen-500 also incorporate our patent pending ScreenOS Virtual Systems capability. Used in conjunction with multiple physical interfaces or industry standard VLAN technology, this architecture allows end customers to use a single system to create up to 500 virtual firewalls and VPN gateways, each able to protect a unique security domain. Each Virtual System can have its own address book, policies and management set based on the end customer’s requirements. As a result, our Virtual Systems capability allows enterprises and government entities to implement multiple departmental security systems on a single platform, and it enables Internet data center operators and carriers to deliver managed security services to numerous individual users easily and cost effectively.

The NetScreen-IDP 500 and NetScreen-IDP 100 appliances offer MMD which utilizes eight intrusion detection methods to increase the attack detection accuracy and provide the broadest attack detection coverage available. These intrusion detection mechanisms include protocol anomaly, backdoor, traffic anomaly, IP spoofing, Layer 2 and SYN-flood detection, a network honeypot and a technique called Stateful Signature Detection. Stateful Signature Detection uses signatures that look for attack pattern matches only in the relevant portions of the traffic where an intrusion can be perpetrated.

We have developed our NetScreen-Global PRO and NetScreen-IDP Manager applications and scalable central management software to enable secure, scalable monitoring of devices, network traffic and security events, and device configuration and policy administration. The NetScreen-Global PRO management software incorporates at three-tier system architecture for scalable network monitoring. Devices forward log information to a layer of data collector software that aggregates network traffic logs from hundreds of devices. The data collector software, in turn, forwards log information to a master controller that stores log information in a relational database and enables sophisticated network monitoring and reporting of security information, and interfaces into third-party management applications. Multiple customer administrators and multiple customer domains can be supported, enabling service providers to deliver managed security services to multiple customers.

We have assembled a team of engineers with experience in the fields of computing, network system design, Internet routing protocols, Internet security standards, embedded software and network management software. In addition to having the ability to build complex hardware and software systems, our engineering team has experience in developing and delivering large, highly integrated ASICs and scalable security software.

We believe that strong product development capabilities are essential to our strategy of enhancing our core technology, developing and incorporating additional functions, and maintaining the competitiveness of our product offerings. We are building on our proprietary GigaScreen and GigaScreen-II ASICs and continuing to develop next generation technology to support the anticipated growth in network bandwidth requirements. We continue to develop new releases of our ScreenOS, IDP OS and management software to improve functionality, performance, scalability and the user interface.

We outsource the manufacturing of our systems and appliances. We subcontract our manufacturing requirements to Flash Electronics, Inc. and Solectron Corporation. This subcontracting activity extends from prototypes to full production and includes material procurement, assembly, test, control and shipment to our customers. We design, specify and monitor all of the tests that are required to meet internal and external quality standards. Our subcontracting arrangements provide us with the ability to deliver products quickly to customers by using Flash Electronics’ and Solectron’s turnkey manufacturing and drop shipment capabilities. In addition, we can adjust manufacturing volumes rapidly to meet changes in demand. Neither the Flash Electronics agreement nor the Solectron agreement provides for a fixed term of service. In addition, our proprietary ASICs are fabricated by foundries operated by Toshiba America Electronic Components, Inc.

The market for network security products is highly competitive, and we expect competition to intensify in the future. Competitors may gain market share and introduce new competitive products for the same markets and customers currently served by our products. We currently compete principally on the basis of product security, performance, reliability, scalability, manageability and cost-effectiveness. We believe that we compete favorably on the basis of these factors.

Our success and ability to compete are substantially dependent upon our internally developed technology and know-how. We have seven patent applications pending in the United States relating to our technologies and the design of our products. We have elected to extend three of these patent applications to other countries. Our engineering teams have significant expertise in ASIC design. Our ScreenOS operating system and applications and our NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Global Manager and NetScreen-IDP Manager software were developed internally and are protected by United States and international copyright laws.

While we rely on patent, copyright, trade secret and trademark law to protect our technology, we also believe that factors such as the technological and creative skills of our personnel, new product developments, frequent product enhancements and reliable product maintenance are essential to establishing and maintaining our position. Other companies may develop technologies that are similar or superior to our technology.

As of September 30, 2002, we had 493 full-time employees, 149 of whom were engaged in research and development, 225 in sales and marketing, 35 in customer service and support and 84 in administration and operations. None of our employees is represented by a labor union. We have not experienced any work stoppages and we consider our relations with our employees to be good.

On September 18, 2002, we completed the acquisition of OneSecure, Inc, a provider of network intrusion detection and prevention solutions. We issued 3.2 million shares of our common stock for all the outstanding stock of OneSecure. We also assumed all of the outstanding stock options of OneSecure, which were converted into options to purchase approximately 349,000 shares of our common stock, and issued options to purchase 1.4 million shares of our common stock in connection with the transaction. Through the acquisition of OneSecure, Inc., we added IDP appliances to our broad family of integrated network security solutions.

We were incorporated in Delaware in October 1997. Our principal executive offices are located at 350 Oakmead Parkway, Sunnyvale, California 94085, and our telephone number at this location is (408) 730-6000. Our common stock is traded on the Nasdaq National Market under the ticker symbol NSCN. Our primary Web site address is www.netscreen.com. The information on our Web site is not incorporated by reference into this annual report.

We are currently occupying approximately 51,000 square feet of office space in Sunnyvale, California pursuant to a lease that will expire on February 14, 2003. Effective February 2003, we will occupy approximately 156,000 square feet of office space in Sunnyvale, California pursuant to a lease that will expire on May 13, 2008. We may lease an additional 22,000 square feet in this facility, exercisable at our option anytime through February 14, 2004. We believe that these facilities are adequate to meet our needs for the foreseeable future.

We are subject to legal proceedings, claims and litigation arising in the ordinary course of business. While the outcome of these matters is currently not determinable, we do not expect that the ultimate costs to resolve these matters will have a material adverse effect on our consolidated financial position, results of operations or cash flows.

Our common stock has traded on the Nasdaq National Market under the symbol “NSCN” since our initial public offering of stock on December 12, 2001. Prior to this time, there was no public market for our common stock. The following table presents the high and low sales price per share of our common stock for the period indicated, as reported on the Nasdaq National Market:

The selected consolidated financial data presented below should be read in conjunction with “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” our consolidated financial statements and the related notes appearing elsewhere in this report. The consolidated statement of operations data presented below for the years ended September 30, 2002, 2001 and 2000, and the consolidated balance sheet data as of September 30, 2002 and 2001, have been derived from our audited consolidated financial statements appearing elsewhere in this report. The consolidated statement of operations data for the year ended September 30, 1999 and for the period October 30, 1997 (inception) to September 30, 1998, and the consolidated balance sheet data as of September 30, 2000, 1999 and 1998 have been derived from audited consolidated financial statements not appearing in this report. The historical results are not necessarily indicative of the operating results to be expected in the future.

	Year Ended September 30,									October 30, 1997 (Inception) to September 30 1998
	2002		2001			2000		1999
	(in thousands, except per share amounts)
Consolidated Statement of Operations Data:
Revenues:
Product	$	113,943	$	71,197		$	23,438	$	5,669	$	648
Maintenance and service		24,539		14,366	&

Delaware		77-0469208
(State or Other Jurisdiction of Incorporation or Organization)		(I.R.S. Employer Identification No.)

350 Oakmead Parkway, Sunnyvale, California		94085
(Address of Principal Executive Offices)		(Zip Code)

PART I		Page

ITEM 1:	Business	4

ITEM 2:	Properties	13

ITEM 3:	Legal Proceedings	14

ITEM 4:	Submission of Matters to a Vote of Security Holders	14

PART II

ITEM 5:	Market for the Registrant’s Common Equity and Related Stockholder Matters	14

ITEM 6:	Selected Consolidated Financial Data	15

ITEM 7:	Management’s Discussion and Analysis of Financial Condition and Results of Operations	16

ITEM 7A:	Quantitative and Qualitative Disclosures About Market Risk	40

ITEM 8:	Financial Statements and Supplementary Data	40

ITEM 9:	Changes In and Disagreements with Accountants on Accounting and Financial Disclosure	41

PART III

ITEM 10:	Directors and Executive Officers of the Registrant	41

ITEM 11:	Executive Compensation	41

ITEM 12:	Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters	41

ITEM 13:	Certain Relationships and Related Transactions	41

ITEM 14:	Controls and Procedures	41

PART IV

ITEM 15:	Exhibits, Financial Statement Schedules, and Reports of Form 8-K	42
Signatures		46
Financial Statements		49
Schedule II—Valuation and Qualifying Accounts		78

	High		Low
Fiscal Year ended September 30, 2002
First Quarter (beginning December 12, 2001)	$	24.69	$	20.95
Second Quarter	$	27.95	$	12.90
Third Quarter	$	16.46	$	7.76
Fourth Quarter	$	14.00	$	8.29

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Table of Contents

Product	Throughput	TCP Sessions(1)	List Price(2)
NetScreen-IDP 500	500 Mbps	200,000	$34,995-$45,495
NetScreen-IDP 100	200 Mbps	50,000	$16,495-$21,450