Firefly Perimeter is a virtual security appliance that provides security and networking services at the perimeter in virtualized private or public cloud environments. It runs as a virtual machine (VM) on a standard x86 server and delivers similar security and networking features available on branch SRX Series devices.
However not all the features that are supported by SRX hardware devices are supported. Here is the list of features supported by current firefly 12.1x46-d10 release.
Firefly Perimeter Hardware Specifications
Thanks to Juniper’s software evaluation program we can download the Firefly Perimeter security solution for free and test it out for 60 days. In this tutorial we are going to connect Firefly Perimeter to GNS3 and create a simple lab to test connectivity between two vSRX instances. Even GNS3 has built-in support for VirtualBox, only Qemu / KVM will be used as hypervisor as I wasn't successful with running Firefly vSRX virtual on VirtualBox.
Firefly Perimeter virtual machines can be download here. You have to use your Juniper account to proceed the download but a valid service contract is not required to to download Firefly Perimeter virtual machine.
Picture 1 - Juniper Login Window
Notice that they are both JVA and OVA files available for download. We will download the OVA file archive that contains vmdk vSRX image and other files required for running vSRX on VMware appliance.
Picture 2 - Firefly Perimeter Download Page
This part discuss how to convert Firefly Perimeter installed on VMware image to qcow2 disk format that is recognized by Qemu and explains GNS3 Qemu settings configuration. As the current GNS3 1.0 beta2 does not have Qemu support included yet we will use the most latest GNS3 0.8.7 version with Qemu support.
1.1. Extract vmdk Virtual Disk from OVA File
$ tar xvf junos-vsrx-12.1X46-D10.2-domestic.ova
Picture 3 - Extracting OVA File
Starting at version 0.12, Qemu-kvm has native support for VMware virtual machines disks. When we have a closer look at the virtual disk we will find that the disk type is streamOptimized read only disk.
Picture 4 - StreamOptimized Virtual Machine Disk
As you can see, Qemu refuses to open streamOptimized virtual disks complaining that VMDK version 3 must be read only.
Picture 5 - Qemu fails to open StreamOptimized Virtual Machine Disk
A workaround consists of the conversion from streamOptimized vmdk disk to the copy and writeqcow2 virtual machine disk type tha is recognized by Qemu.
$ qemu-img convert -O qcow2 junos-vsrx-12.1X46-D10.2-domestic-disk1.vmdk junos-vsrx-12.1X46-D10.2-domestic.img
Picture 6 - Converting from VMDK to QCOW2 Virtual Machine Disk
Part 1.2 GNS3 Qemu General and Guest Settings Configuration for Firefly Permiter
Start GNS3 0.8.7 and create a new project. Navigate to Edit -> Preferences -> Qemu -> Qemu General Settings. Configure Qemu general parameters and click test button.
Picture 7 - GNS3 General Qemu Settings
Go ahead and configure GNS3 Guest settings. Navigate to Edit -> Preferences -> Qemu -> Qemu Guest. Configure vSRX parameters according to the picture below.
Picture 8 - Qemu Guest Settings
Note Do not omit Qemu option -smp 2. According to my test, it is required to configuretwo CPUs for VM otherwise all Gigabit Ethernet interfaces are not recognized.
In this part we are going to convert Firefly Perimeter installed on VMware virtual machine disk (VMDK) to the native Virtualbox disk format - Virtual Disk Image (VDI). Then we will create a VirtualBox Firefly Perimeter VM and attach a virtual disk with installed Firefly Perimeter to this machine. At the end, we will configure GNS3 VirtualBox General Settings and VirtualBox VMs Settings to support our newly created Firefly Perimeter Vm.
Note As the new GNS3 1.0 version supports VirtualBox we will use it.
2.1. Extract Vmdk Virtual Disk from OVA File
$ tar xvf junos-vsrx-12.1X46-D10.2-domestic.ova
Convert VMware VMDK disk to VirtualBox disk VDI.
$ vboxmanage clonehd -format VDI junos-vsrx-12.1X46-D10.2-domestic-disk1.vmdk junos-vsrx-12.1X46-D10.2-domestic.vdi
Start VirtualBox Manager with the command below.
$ sudo virtualbox
Navigate to Machine-> New and select Type and Version as it is shown on the picture below.
Picture 9 - Creating New VirtualBox VM
Assign at least 1024 MB RAM to our VM. Continue to the Hard Drive window and select path to VDI disk.
Picture 10 - Selecting Hard Drive for VM
Left click on Firefly Perimeter VM and press Ctrl-S to open VM settings window. Navigate to System-> Processor and increase number of CPU to 2. This is need otherwise Junos fails to recognize Gigabit Ethernet interfaces.
Picture 11 - Increasing Number of CPU to 2
Note For each Firefly Perimeter network device inside GNS3 project, VirtualBox VM must be created first. For this reason we consider the Firefly Perimeter VM we have just created as the base image and we will used for cloning any other Firefly Perimeter VMs. Left click on Firefly Perimeter VM and press Ctrl-O.
Picture 12 - Cloning Firefly Perimeter Base VM
Select the Full Clone option a continue with pressing Clone button.
2.2 GNS3 VirtualBox General and Guest Settings Configuration for Firefly Permiter
Start GNS3 1.x and create a new project. If you run GNS3 on Linux, navigate to Edit -> Preferences -> VirtualBox -> General Settings. Configure path to VirtualBox wrapper.
Picture 13 - VirtualBox General Settings
Switch to VirtualBox VMs menu. Click on Refresh VM List button an select our virtual machine from the list. Change the default NIC type from Automatic to Paravirtualized (virtio-net) type otherwise connection will not be working.
Picture 14 - VirtualBox VMs Preferences
We are going to connect two instances of Firefly Perimeter vSRX routers via Gigabit Ethernet interfaces em0. The interface em0 represents an interface GigabiEthernet 0/0/0 in vSRX cli. We will assign IP address to the interfaces and issue the ping command on the vSRX-I router pinging the IP address 192.168.1.2 of the second router.
Picture 15 - Testing Topology
Start the routers and login as root without the blank password. Type the command cli to enter vSRX CLI. Check the available GigabitEthernet interfaces with the command:
root> show interfaces ge-0/0/* terse
Picture 16 - Firefly Perimeter Gigabit Ethernet Interfaces
They are seven GigabitEthernet interfaces presented in CLI output. Now assign particular IP address to the interface ge-0/0/0 on both routers.
vSRX-I Configuration
root@%
root@% cli
root> configure
[edit]
root# set system host-name vSRX-I
root# set system root-authentication plain-text-password
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
root# set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ping
root# commit
root@vSRX-I> exit
vSRX-II Configuration
root@%
root@% cli
root> configure
[edit]
root# set system host-name vSRX-II
root# set system root-authentication plain-text-password
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
root# set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ping
root# commit
root@vSRX-II> exit
To test connectivity between router, ping IP address 192.168.1.2 from the router vSRX-I.
Picture 17 - Successful Ping Between Routers
End.