Security
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
Off and Running with the New Firefly Suite
Feb 7, 2014

In mid-January, Juniper Networks announced the new Firefly suite—a set of security products for public or private cloud. It includes three big components:

 

  1. Firefly Perimeter. This is, in fact, a virtualized Juniper SRX device – a services gateway capable of advanced security as well as routing and many other Junos features;

  2. Junos Space Virtual Director. A Junos Space application for full lifecycle management of Firefly Perimeter virtual machines (VMs);

  3. Firefly Host. Formerly named vGW Virtual Gateway, this is a hypervisor-based firewall that protects traffic between VMs.

For me (and many other Juniper fans), virtualized SRX was a long-awaited product and so I got my hands on it as quickly as I could. The product is available as an OVA file that is easily imported into a VMware ESX server using “Deploy OVF template” functionality (JVA file for KVM is available as well). In fact, I am actually running my Fireflies on an ESXi server, which is also supported.

 

By default, Firefly Perimeter has 2GB memory and 2GB virtual hard disk. It also uses two CPU cores (one for control plane and the other for data plane). Firefly Perimeter does not need a license activation key, but in order to use it after a 60-day evaluation period, a license purchase is required.

 

After I deployed and launched my Firefly-1 VM (it took several minutes), I liked what I was seeing and so repeated the process to produce Firefly-2. Every VM initially has two interfaces (ge-0/0/0 and ge-0/0/1) and I added a couple more interfaces from the VMware vSphere interface (they became visible in CLI after reboot). I also VLAN-tagged one of the interfaces and used it to connect VMs to other (physical) devices. Other interfaces connected my Fireflies to each other. This allowed me to test several security features, such as security policy, NAT, IPsec VPN, etc. And guess what? I was even able to create a working “chassis cluster” from these two VMs! IDP and UTM are, however, not supported at this time.

 

Greatly impressed, I quickly moved from security to testing the routing features. Although it was not required, I changed the VMs to packet mode (“set security forwarding-options family mpls mode packet-based”) and configured some OSPF, BGP and MPLS. All worked fine. By the way, the Junos version initially installed on the VM is 12.1X46-D10.2—that is, the latest version available for SRX devices.

 

As a Junos instructor, I need permanent access to a small demo lab so that I can show (or recall for myself) some commands or features. For many years, I had a couple of J-series devices always turned on for that (don’t tell me about Olive as it is just illegal). I guess, in my case, I can just turn on Firefly Perimeter when needed! The product will also be beneficial for many other Junos people – for training and testing, not to mention its direct use as a cloud firewall.

 

And of course, we still have Junosphere for more complex topologies and tests. It also has a Firefly VM available for use.

 

Feb 12, 2014

Great post, PK!

Feb 13, 2014

Is clustering possible in Firefly SRX?

Last time I tried, the option for clustering was missing?


Great Post!

Feb 13, 2014
Distinguished Expert

Thanks Scott and Chris!

 

Chris, yes, clustering is supported, but only for the VMware version of Firefly Perimeter. See the release notes:

http://www.juniper.net/techpubs/en_US/firefly12.1x46-d10/information-products/topic-collections/fire...

Feb 17, 2014
Recognized Expert

Thanks Petr, you deserve kudos ;)

Sep 9, 2014
Faizankhurshid

Hi Folks

Would you please help me?

I need to connect two VMware SRX physically, for example VM1 ge-0/0/0 ---- VM2 ge-0/0/0

How to build our own topology?

Waiting for quick response

Sep 10, 2014
Distinguished Expert

Hi

 

Just put interfaces from both VMs to the same virtual network on your ESX/ESXi server (can be vlan-tagged or untagged). The machines will be able to communicate then. 

Sep 19, 2014
Deepika Dwaraknath

Hi,

 

I have installed Firefly Perimeter 12.1X47-D10.4 using KVM.

When I gave the "run show interfaces terse" command, interfaces are not displayed.

Then I configured the two interfaces using the commands below:

set interfaces ge-0/0/1 unit 0 family inet address 11.1.1.2/24

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24

Then I did commit check and commit.

Then again I gave "run show interfaces terse"; still the two interfaces (ge-0/0/0 and ge-0/0/1) are not shown.

Can you kindly help me?

Thanks,

Deepika

Sep 19, 2014
Distinguished Expert

Hi Deepika

 

I believe the problem is not in the Junos config, but somewhere on the KVM level.

Probably virtual networks are not correctly mapped to the physical ones.

I was testing Firefly with VMware only, so maybe someone else can give more details about KVM configuration.

 

- PK

Nov 13, 2014
Recognized Expert

Hi

Regarding features on current Firefly (junos-vsrx-12.1X46-D25.7-domestic) running on VMware Workstation and VMware Player

NONWORKING:

APP-* (APP-id, APP-FW...)

UTM

IDP

GroupVPN

WORKING:

HA-Cluster

 

regards

alexander

Nov 13, 2014
Distinguished Expert

Hi Alexander

 

There is already the next release

 

http://www.juniper.net/techpubs/en_US/firefly12.1x47/information-products/topic-collections/firefly-...

 

It has UTM and IDP support. No AppSecure or GroupVPN at this time.
