Security

Off and Running with the New Firefly Suite

By p.k posted 02-07-2014 10:41

  

In mid-January, Juniper Networks announced the new Firefly suite—a set of security products for public or private cloud. It includes three big components:

 

  1. Firefly Perimeter. This is, in fact, a virtualized Juniper SRX device – a services gateway capable of advanced security as well as routing and many other Junos features;

  2. Junos Space Virtual Director. A Junos Space application for full lifecycle management of Firefly Perimeter virtual machines (VMs);

  3. Firefly Host. Formerly named vGW Virtual Gateway, this is a hypervisor-based firewall that protects traffic between VMs.

For me (and many other Juniper fans), a virtualized SRX was a long-awaited product, so I got my hands on it as quickly as I could. The product is available as an OVA file that is easily imported into a VMware ESX server using the “Deploy OVF template” functionality (a JVA file for KVM is available as well). In fact, I am actually running my Fireflies on an ESXi server, which is also supported.

 

By default, Firefly Perimeter has 2 GB of memory and a 2 GB virtual hard disk. It also uses two CPU cores (one for the control plane and the other for the data plane). Firefly Perimeter does not need a license activation key, but a license purchase is required to use it after the 60-day evaluation period.

 

After I deployed and launched my Firefly-1 VM (it took several minutes), I liked what I was seeing and so repeated the process to produce Firefly-2. Every VM initially has two interfaces (ge-0/0/0 and ge-0/0/1), and I added a couple more interfaces from the VMware vSphere interface (they became visible in the CLI after a reboot). I also VLAN-tagged one of the interfaces and used it to connect the VMs to other (physical) devices. The other interfaces connected my Fireflies to each other. This allowed me to test several security features, such as security policy, NAT and IPsec VPN. And guess what? I was even able to create a working “chassis cluster” from these two VMs! IDP and UTM are, however, not supported at this time.

 

Greatly impressed, I quickly moved from security to testing the routing features. Although it was not required, I changed the VMs to packet mode (“set security forwarding-options family mpls mode packet-based”) and configured some OSPF, BGP and MPLS. All worked fine. By the way, the Junos version initially installed on the VMs is 12.1X46-D10.2—that is, the latest version available for SRX devices.
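The packet-mode command quoted above changes how the VM treats traffic: in packet-based mode Junos forwards each packet on its own instead of tracking sessions, so any stateful services configured under `security` deserve a second look. The following added example (not from the original post or from Juniper) audits a set-style configuration for that combination; the sample configuration and the list of flow-dependent stanzas are assumptions of the example.

```python
import re

# Constructed sample (not from the original post): set-style config of a lab VM.
SAMPLE_CONFIG = """\
set system host-name Firefly-1
set security forwarding-options family mpls mode packet-based
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security nat source rule-set out from zone trust
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
"""

MODE_RE = re.compile(r"^set security forwarding-options family (\S+) mode (\S+)$")
STANZA_RE = re.compile(r"^set security (\S+)")
# Stanzas assumed here to rely on flow (session) processing; not an exhaustive list.
FLOW_STANZAS = {"policies", "nat", "ike", "ipsec", "screen"}

def audit(config_text):
    """Return families forwarded packet-based and flow-dependent stanzas present."""
    packet_based, stanzas = [], {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())              # normalise whitespace
        if not line or line.startswith("#"):
            continue
        mode = MODE_RE.match(line)
        if mode:
            family, setting = mode.groups()
            if setting == "packet-based" and family not in packet_based:
                packet_based.append(family)
            continue
        stanza = STANZA_RE.match(line)
        if stanza and stanza.group(1) in FLOW_STANZAS:
            stanzas[stanza.group(1)] = stanzas.get(stanza.group(1), 0) + 1
    return {"packet_based": packet_based, "flow_stanzas": stanzas}

def findings(config_text):
    """Human-readable findings; empty when no family is packet-based."""
    result = audit(config_text)
    if not result["packet_based"]:
        return []
    out = [f"forwarding is packet-based for family {f}" for f in result["packet_based"]]
    out += [f"{n} 'security {s}' line(s) depend on flow processing; verify they still apply"
            for s, n in sorted(result["flow_stanzas"].items())]
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_CONFIG):
        print(finding)
```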

 

As a Junos instructor, I need permanent access to a small demo lab so that I can show (or recall for myself) some commands or features. For many years, I had a couple of J-series devices always turned on for that (don’t tell me about Olive as it is just illegal). I guess, in my case, I can just turn on Firefly Perimeter when needed! The product will also be beneficial for many other Junos people – for training and testing, not to mention its direct use as a cloud firewall.

 

And of course, we still have Junosphere for more complex topologies and tests. It also has a Firefly VM available for use.

 


Comments

11-13-2014 02:32

Hi Alexander

 

There is already the next release

 

http://www.juniper.net/techpubs/en_US/firefly12.1x47/information-products/topic-collections/firefly-perimeter/firefly-perimeter-release-notes.pdf

 

It has UTM and IDP support. No AppSecure or GroupVPN at this time.

11-13-2014 02:16

Hi

 

Regarding Features on current Firefly (junos-vsrx-12.1X46-D25.7-domestic)

running on VMware Workstation and VMware Player

 

NONWORKING:

 

APP-* ( APP-id, APP-FW...)

UTM

IDP

GroupVPN

 

WORKING:

 HA-Cluster

 

regards

alexander

09-19-2014 09:35

Hi Deepika

 

I believe the problem is not in the Junos config, but somewhere on the KVM level.

Probably virtual networks are not correctly mapped to the physical ones.

I was testing Firefly with VMware only, so maybe someone else can give more

details about KVM configuration.

 

- PK

09-19-2014 01:07

Hi,

 

I have installed Firefly perimeter -12.1X47-D10.4 using KVM.

 

When I gave the "run show interfaces terse" command, interfaces are not displayed.

 

Then I configured the two interfaces using the below command:

 

set interfaces ge-0/0/1 unit 0 family inet address 11.1.1.2/24

 

 

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24

 

Then did commit check and commit

 

Then again I gave "run show interfaces terse", still the two interfaces (ge-0/0/0 and ge-0/0/1) are not shown.

 

Can you kindly help me?

 

Thanks,

Deepika

09-10-2014 00:17

Hi

 

Just put interfaces from both VMs to the same virtual network on your ESX/ESXi server (can be vlan-tagged or untagged). The machines will be able to communicate then. 

09-09-2014 11:46

Hi Folks

 

Would you please help me?

 

I need to connect two VMware SRX physically, for example VM1 ge-0/0/0 ---- VM2 ge-0/0/0

 

 

How to build our own topology

 

 

Waiting for quick response

02-17-2014 16:29

Thanks Petr, you deserve kudos

02-13-2014 02:10

Thanks Scott and Chris!

 

Chris, yes, clustering is supported, but only for the VMware version of Firefly Perimeter. See the release notes

http://www.juniper.net/techpubs/en_US/firefly12.1x46-d10/information-products/topic-collections/firefly-perimeter/release-notes/firefly-perimeter-release-notes.pdf

02-13-2014 02:00

Is clustering possible in Firefly SRX?

Last time I tried, the option for clustering was missing?


Great Post!

02-12-2014 10:54

Great post, PK!