In mid-January, Juniper Networks announced the new Firefly suite—a set of security products for public or private cloud. It includes three big components:
- Firefly Perimeter. This is, in fact, a virtualized Juniper SRX device – a services gateway capable of advanced security as well as routing and many other Junos features;
- Junos Space Virtual Director. A Junos Space application for full lifecycle management of Firefly Perimeter virtual machines (VMs);
- Firefly Host. Formerly named vGW Virtual Gateway, this is a hypervisor-based firewall that protects traffic between VMs.
For me (and many other Juniper fans), virtualized SRX was a long-awaited product and so I got my hands on it as quickly as I could. The product is available as an OVA file that is easily imported into a VMware ESX server using the “Deploy OVF template” functionality (a JVA file for KVM is available as well). In fact, I am actually running my Fireflies on an ESXi server, which is also supported.
By default, Firefly Perimeter has 2 GB of memory and a 2 GB virtual hard disk. It also uses two CPU cores (one for the control plane and the other for the data plane). Firefly Perimeter does not need a license activation key, but in order to use it after a 60-day evaluation period, a license purchase is required.
After I deployed and launched my Firefly-1 VM (it took several minutes), I liked what I was seeing and so repeated the process to produce Firefly-2. Every VM initially has two interfaces (ge-0/0/0 and ge-0/0/1) and I added a couple more interfaces from the VMware vSphere interface (they became visible in the CLI after a reboot). I also VLAN-tagged one of the interfaces and used it to connect the VMs to other (physical) devices. The other interfaces connected my Fireflies to each other. This allowed me to test several security features, such as security policy, NAT, IPsec VPN, etc. And guess what? I was even able to create a working “chassis cluster” from these two VMs! IDP and UTM are, however, not supported at this time.
Greatly impressed, I quickly moved on from security to testing the routing features. Although it was not required, I changed the VMs to packet mode (“set security forwarding-options family mpls mode packet-based”) and configured some OSPF, BGP and MPLS. All worked fine. By the way, the Junos version initially installed on the VM is 12.1X46-D10.2, that is, the latest version available for SRX devices.
As a Junos instructor, I need permanent access to a small demo lab so that I can show (or recall for myself) some commands or features. For many years, I had a couple of J-series devices always turned on for that (don’t tell me about Olive as it is just illegal). I guess, in my case, I can just turn on Firefly Perimeter when needed! The product will also be beneficial for many other Junos people – for training and testing, not to mention its direct use as a cloud firewall.
And of course, we still have Junosphere for more complex topologies and tests. It also has Firefly VM available for use.