Off and Running with the New Firefly Suite
Feb 7, 2014

In mid-January, Juniper Networks announced the new Firefly suite—a set of security products for public or private cloud. It includes three big components:


  1. Firefly Perimeter. This is, in fact, a virtualized Juniper SRX device – a services gateway capable of advanced security as well as routing and many other Junos features;

  2. Junos Space Virtual Director. A Junos Space application for full lifecycle management of Firefly Perimeter virtual machines (VMs);

  3. Firefly Host. Formerly named vGW Virtual Gateway, this is a hypervisor-based firewall that protects traffic between VMs.

For me (and many other Juniper fans), virtualized SRX was a long-awaited product and so I got my hands on it as quickly as I could. The product is available as an OVA file that is easily imported into a VMware ESX server using “Deploy OVF template” functionality (JVA file for KVM is available as well). In fact, I am actually running my Fireflies on an ESXi server, which is also supported.


By default, Firefly Perimeter has 2GB memory and 2GB virtual hard disk. It also uses two CPU cores (one for control plane and the other for data plane). Firefly Perimeter does not need a license activation key, but in order to use it after a 60-day evaluation period, a license purchase is required.


After I deployed and launched my Firefly-1 VM (it took several minutes), I liked what I was seeing and so repeated the process to produce Firefly-2. Every VM initially has two interfaces (ge-0/0/0 and ge-0/0/1) and I added a couple more interfaces from the VMware vSphere interface (they became visible in CLI after reboot). I also VLAN-tagged one of the interfaces and used it to connect VMs to other (physical) devices. Other interfaces connected my Fireflies to each other. This allowed me to test several security features, such as: security policy, NAT, IPSec VPN, etc. And guess what? Even I was able to create a working “chassis cluster” from these two VMs! IDP and UTM are, however, not supported at this time.


Greatly impressed, I quickly moved on from security to testing the routing features. Although it was not required, I changed the VMs to packet mode (“set security forwarding-options family mpls mode packet-based”) and configured some OSPF, BGP and MPLS. All worked fine. By the way, the Junos version initially installed on the VM is 12.1X46-D10.2—that is, the latest version available for SRX devices.


As a Junos instructor, I need permanent access to a small demo lab so that I can show (or recall for myself) some commands or features. For many years, I had a couple of J-series devices always turned on for that (don’t tell me about Olive as it is just illegal). I guess, in my case, I can just turn on Firefly Perimeter when needed! The product will also be beneficial for many other Junos people – for training and testing, not to mention its direct use as a cloud firewall.


And of course, we still have Junosphere for more complex topologies and tests. It also has Firefly VM available for use.


Feb 12, 2014

Great post, PK!

Feb 13, 2014

Is clustering possible in Firefly SRX?

Last time I tried, the option for clustering was missing?

Great Post!

Feb 13, 2014
Distinguished Expert

Thanks Scott and Chris!


Chris, yes, clustering is supported, but only for the VMware version of Firefly Perimeter. See the release notes.

Feb 17, 2014
Recognized Expert

Thanks Petr, you deserve kudos

Sep 9, 2014

Hi Folks


Would you please help me 


I need to connect two VMware SRX physically, for example VM1 ge-0/0/0 ---- VM2 ge-0/0/0



How to build our own topology



Waiting for quick response

Sep 10, 2014
Distinguished Expert



Just put interfaces from both VMs to the same virtual network on your ESX/ESXi server (can be vlan-tagged or untagged). The machines will be able to communicate then. 

Sep 19, 2014
Deepika Dwaraknath



I have installed Firefly Perimeter 12.1X47-D10.4 using KVM.


When I gave the "run show interfaces terse" command, interfaces are not displayed.


Then I configured the two interfaces using the below command:


set interfaces ge-0/0/1 unit 0 family inet address



set interfaces ge-0/0/0 unit 0 family inet address


Then did commit check and commit


Then again I gave "run show interfaces terse"; still the two interfaces (ge-0/0/0 and ge-0/0/1) are not shown.


Can you kindly help me ?


Thanks ,









Sep 19, 2014
Distinguished Expert

Hi Deepika


I believe the problem is not in the Junos config, but somewhere on the KVM level.

Probably virtual networks are not correctly mapped to the physical ones.

I was testing Firefly with VMware only, so maybe someone else can give more details about KVM configuration.


- PK

Nov 13, 2014
Recognized Expert



Regarding Features on current Firefly (junos-vsrx-12.1X46-D25.7-domestic)

running on VMware Workstation and VMware Player




APP-* ( APP-id, APP-FW...)










Nov 13, 2014
Distinguished Expert

Hi Alexander


There is already the next release


It has UTM and IDP support. No AppSecure or GroupVPN at this time.
