Release 12.1X47-D20
6 March 2015
Revision 1
The Firefly Suite is designed to address the need for compelling and robust security for
diverse virtualized environments by bringing together three products: Firefly Perimeter,
Firefly Host, and Junos Space Virtual Director. These release notes accompany Release
12.1X47-D20 for Firefly Perimeter. They describe supported features and known issues
with Firefly Perimeter.
For the latest, most complete information about outstanding and resolved issues with
Firefly Perimeter, see the Juniper Networks online software defect search application at
http://www.juniper.net/prsearch.
You can also find these release notes on the Firefly Perimeter Documentation webpage,
which is located at https://www.juniper.net/techpubs/firefly-perimeter.
Firefly Perimeter is a virtual security appliance that provides security and networking
services at the perimeter in virtualized private or public cloud environments. It runs as a
virtual machine (VM) on a standard x86 server and enables advanced security and routing
at the network edge in a multitenant virtualized environment.
Firefly Perimeter is built on Junos OS and delivers similar security and networking features
available on branch SRX Series devices.
Starting with Firefly Perimeter 12.1X47-D20, the Firefly Perimeter Open Virtualization
Format Archive (OVA) image is digitally signed. You can validate the OVA image before
you deploy it. Installation or upgrade does not require the validation, but it is the check
that confirms the image was published by Juniper Networks and was not altered afterwards.
Before you validate the OVA image, ensure that the Linux/UNIX PC on which you are
performing the validation has the following utilities available: tar, openssl, and ovftool.
You can download the VMware Open Virtualization Format (OVF) tool from the following
location: https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=OVFTOOL351
1. Download the Firefly Perimeter OVA image and the Juniper Networks Root certificate
file (JuniperRootRSACA.pem) from the Firefly Perimeter downloads page at
https://www.juniper.net/support/downloads/?p=firefly#sw
NOTE: You only need to download the Juniper Networks Root certificate
file once; you can use the same file to validate OVA images for future
releases of Firefly Perimeter.
2. (Optional) If you downloaded the OVA image and the certificate file to a PC running
Windows, copy the two files to a temporary directory on a PC running Linux or UNIX.
You can also copy the OVA image and the certificate file to a temporary directory
(/var/tmp or /tmp) on a Firefly Perimeter node.
Ensure that the OVA image file and the Juniper Networks Root certificate file are not
modified during the validation procedure. You can do this by giving write access to
these files only to the user performing the validation. This is especially important if
you use a shared temporary directory, such as /tmp or /var/tmp, because such directories
can be written by several users. Take precautions to ensure that the files are not modified
by other users during the validation procedure.
4. Unpack the OVA image by running the following command:
tar xf ova-filename
5. Verify that the unpacked OVA image contains a certificate chain file (certchain.pem)
and a signature file (extension .cert; in the sample session that follows it is named after
the image).
6. Validate the signature in the unpacked OVF file (extension .ovf) by running the following
command:
ovftool ovf-filename
where ovf-filename is the filename of the unpacked OVF file contained within the
previously downloaded OVA image.
7. After the unpacked OVF file is validated, validate the signing certificate against the
Juniper Networks Root CA file by running the following command:
openssl verify -CAfile JuniperRootRSACA.pem -untrusted certchain.pem signature-filename
where signature-filename is the .cert file unpacked from the OVA image. A successful
validation prints signature-filename: OK.
A sample of the OVA validation procedure using Linux commands is as follows:
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D20.4-domestic.ova
-bash-4.1$ mkdir tmp
-bash-4.1$ cd tmp
-bash-4.1$ tar xf ../junos-vsrx-12.1X47-D20.4-domestic.ova
-bash-4.1$ ls
certchain.pem junos-vsrx-12.1X47-D20.4-domestic.cert
junos-vsrx-12.1X47-D20.4-domestic-disk1.vmdk junos-vsrx-12.1X47-D20.4-domestic.mf
junos-vsrx-12.1X47-D20.4-domestic.ovf
-bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-12.1X47-D20.4-domestic.ovf
OVF version: 1.0
VirtualApp: false
Name: Firefly Perimeter
Version: JUNOS 12.1
Vendor: Juniper Networks Inc.
Product URL:
http://www.juniper.net/us/en/products-services/software/security/vsrxseries/
Vendor URL: http://www.juniper.net/
Download Size: 227.29 MB
Deployment Sizes:
Flat disks: 2.00 GB
Sparse disks: 265.25 MB
Networks:
Name: VM Network
Description: The VM Network network
Virtual Machines:
Name: Juniper Virtual SRX
Operating System: freebsdguest
Virtual Hardware:
Families: vmx-07
Number of CPUs: 2
Cores per socket: 1
Memory: 2.00 GB
Disks:
Index: 0
Instance ID: 5
Capacity: 2.00 GB
Disk Types: IDE
NICs:
Adapter Type: E1000
Connection: VM Network
Deployment Options:
Id: 2GvRAM
Label: 2G vRAM
Description:
2G Memory
If either validation fails, do the following:
a. Determine whether the contents of the OVA image have been modified. If they have,
download the OVA image again from the Firefly Perimeter downloads page.
b. Determine whether the Juniper Networks Root certificate file has been modified. If it
has, download the certificate file again from the Firefly Perimeter downloads page.
c. Retry the preceding validation steps using one or both new files.
The Firefly Perimeter .jva format includes an embedded digital signature that can be
validated to ensure the authenticity of the content. To do so, along with the .jva file,
you need a copy of Juniper's root certificate. Once you have downloaded both, you
run a set of commands to extract the contents of the .jva file, authenticate the embedded
signature with the signing certificate, and authenticate the signing certificate with
Juniper's root certificate.
Once you have the .jva file and the Juniper root certificate file in the same directory, use
the following commands:
1. bash jva-filename -x (this extracts the contents of the .jva file into a new directory
named after the image; answer y at the Accept? prompt)
2. ls (to show the newly created directory containing the .jva contents)
3. cd directory-name (to enter the newly created directory containing the .jva contents)
4. openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem vsrx.cert (this
validates the signing certificate against Juniper's root certificate, using the intermediate
certificates in certchain.pem. A successful validation prints vsrx.cert: OK.)
5. openssl x509 -pubkey -noout -in vsrx.cert > public.pem (this extracts the public key
from the signing certificate)
6. head -1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary (this converts the
hex-encoded signature on the first line of vsrx.cert to binary format)
7. openssl dgst -sha1 -verify public.pem -signature signature.binary vsrx.sig (this
validates the signature with the signing certificate's public key. A successful validation
prints the message 'Verified OK'.)
Steps 5 to 7 only show that vsrx.sig was signed with the key in vsrx.cert; step 4 is what
ties that key to Juniper's root certificate, so do not skip it. Because step 1 executes the
.jva file with bash before anything has been verified, run the procedure only on a file
obtained from the Firefly Perimeter downloads page.
A sample of the JVA signature validation procedure using Linux commands is as follows:
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D20.4-domestic.jva
-bash-4.1$ bash junos-vsrx-12.1X47-D20.4-domestic.jva -x
Accept?[y/n]y
Extracting ...
Image dumped:
junos-vsrx-12.1X47-D20.4-domestic/junos-vsrx-12.1X47-D20.4-domestic.img
-rw-r--r-- 1 dkan nscn 278659072 Aug 15 10:05
junos-vsrx-12.1X47-D20.4-domestic/junos-vsrx-12.1X47-D20.4-domestic.img
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-12.1X47-D20.4-domestic
junos-vsrx-12.1X47-D20.4-domestic.jva
-bash-4.1$ cd junos-vsrx-12.1X47-D20.4-domestic
-bash-4.1$ ls
certchain.pem junos-vsrx-12.1X47-D20.4-domestic.img vsrx.cert vsrx.sig vsrx.xml
-bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem vsrx.cert
vsrx.cert: OK
-bash-4.1$ openssl x509 -pubkey -noout -in vsrx.cert > public.pem
-bash-4.1$ head -1 vsrx.cert | awk '{print $2}' | xxd -p -r > signature.binary
-bash-4.1$ openssl dgst -sha1 -verify public.pem -signature signature.binary vsrx.sig
Verified OK
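The following script is an added example, not Juniper's code and not part of the original release notes. It packages the JVA steps above (and the openssl verify step that OVA step 7 shares) into a function, and because a real Juniper bundle cannot be included here it first builds a constructed stand-in: a throwaway root, intermediate and signing certificate, a constructed vsrx.sig manifest, and a vsrx.cert laid out the way the head -1 | awk pipeline on this page expects (one header line holding the hex signature, followed by the signer's PEM certificate). The file contents, the names such as "Test Root CA", and the JuniperRootCA.pem stand-in are all assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not Juniper's code: reproduce the .jva/.cert layout the release-notes
# commands assume, then verify it with the same openssl steps. All names, the
# three-level test chain and the manifest content are constructed for this demo.
set -eu

# Hex text on stdin -> raw bytes on stdout. Same job as the page's `xxd -p -r`,
# with a python3 fallback for hosts that do not ship xxd.
hexdecode() {
  if command -v xxd >/dev/null 2>&1; then
    xxd -r -p
  else
    python3 -c 'import sys,binascii;sys.stdout.buffer.write(binascii.unhexlify(sys.stdin.read().strip()))'
  fi
}

# Build a throwaway root -> intermediate -> signing-certificate chain in "$1" and sign a
# constructed manifest, producing the file names the release notes list:
# JuniperRootCA.pem (stand-in for the downloaded root), certchain.pem, vsrx.cert, vsrx.sig.
make_test_bundle() {
  d=$1
  cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
  # Self-signed root (plays the role of the Juniper root certificate).
  openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj '/CN=Test Root CA' -keyout "$d/root.key" -out "$d/JuniperRootCA.pem" 2>/dev/null
  # Intermediate CA; this is what certchain.pem carries in a real bundle.
  openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Test Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/JuniperRootCA.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/certchain.pem" 2>/dev/null
  # Signing (leaf) certificate issued by the intermediate.
  openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Test Image Signer' -keyout "$d/sign.key" -out "$d/sign.csr" 2>/dev/null
  openssl x509 -req -in "$d/sign.csr" -CA "$d/certchain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/signer.pem" 2>/dev/null
  # Constructed manifest: the signed payload (a real vsrx.sig lists image digests).
  printf 'SHA256(junos-vsrx-test.img)= %s\n' \
    "$(printf 'constructed image bytes' | openssl dgst -sha256 | awk '{print $NF}')" > "$d/vsrx.sig"
  # vsrx.cert: one header line "SHA1(vsrx.sig)= <hex RSA signature>", then the signer's PEM.
  openssl dgst -sha1 -sign "$d/sign.key" -out "$d/sig.bin" "$d/vsrx.sig"
  { printf 'SHA1(vsrx.sig)= %s\n' "$(od -An -tx1 -v "$d/sig.bin" | tr -d ' \n')"
    cat "$d/signer.pem"; } > "$d/vsrx.cert"
}

# The release-notes procedure as one function. $1 = extracted .jva directory, $2 = root
# certificate file. Prints "Verified OK" and returns 0, or names the failing step and returns 1.
verify_jva_dir() {
  d=$1; ca=$2
  # Step 4 on the page: the signing certificate must chain, via certchain.pem, to the root.
  # openssl's PEM reader skips the non-PEM signature line at the top of vsrx.cert.
  if ! openssl verify -CAfile "$ca" -untrusted "$d/certchain.pem" "$d/vsrx.cert" >/dev/null 2>&1; then
    echo "FAIL: signing certificate does not chain to the root certificate"; return 1
  fi
  # Step 5: public key out of the signing certificate.
  openssl x509 -pubkey -noout -in "$d/vsrx.cert" > "$d/public.pem"
  # Step 6: hex signature on the first line of vsrx.cert -> binary.
  head -n 1 "$d/vsrx.cert" | awk '{print $2}' | hexdecode > "$d/signature.binary"
  # Step 7: the signature must match vsrx.sig under the signer's key.
  if ! openssl dgst -sha1 -verify "$d/public.pem" -signature "$d/signature.binary" "$d/vsrx.sig" >/dev/null 2>&1; then
    echo "FAIL: signature does not match vsrx.sig"; return 1
  fi
  echo "Verified OK"
}

# Stand-alone run: a clean bundle verifies, a bundle with an altered manifest does not.
# mktemp -d creates a mode-0700 directory, which addresses the release notes' caveat about
# other users modifying the files in a shared /tmp during validation.
demo() {
  work=$(mktemp -d)
  make_test_bundle "$work"
  verify_jva_dir "$work" "$work/JuniperRootCA.pem"
  printf '\n' >> "$work/vsrx.sig"          # one extra byte in the signed payload
  verify_jva_dir "$work" "$work/JuniperRootCA.pem" || true
  rm -rf "$work"
}
demo
```

Run as-is, it prints Verified OK for the clean bundle and the failing step once the manifest has been altered. To check a real download, call verify_jva_dir with the directory that bash jva-filename -x created and the path to the downloaded Juniper root certificate; a bundle whose chain does not end at that root fails at the openssl verify step even if the signature itself is internally consistent.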
Feature             Description                                                        Supported platforms
Transparent mode    Filters packets that traverse the device without modifying any     VMware and KVM
                    of the source or destination information in the IP packet
                    headers. For more information, refer to
                    http://www.junos.com/techpubs/en_US/junos12.1x45/topics/concept/security-layer2-bridging-transparent-mode-overview.html
Deterministic NAT   Identifies attackers and deals with abuse without NAT              VMware and KVM
                    translation logging for each connection or port block. For
                    more information, refer to
                    http://www.juniper.net/techpubs/en_US/junos12.1x47/information-products/pathway-pages/security/security-nat.html#overview
Licensing
Starting with Junos OS Release 12.1X47-D20 for Firefly Perimeter, licenses are required
for advanced security features such as UTM, IPS, and AppSecure.
Licenses are usually ordered when the software application is purchased, and this
information is bound to a customer ID. If you did not order the licenses when you purchased
your software application, contact your account team or Juniper Networks Customer
Care for assistance. Licenses can be procured from the Juniper Networks License
Management System (LMS). To continue using Firefly Perimeter features after an optional
30-day evaluation period (see Firefly Perimeter Evaluation License Installation Process
on page 12), you must purchase and install the license on the device. Otherwise, the
features are disabled.
License Key            A license authorization code is issued with purchase; the license key is
                       obtained with the authorization code.
License Key Validity   A license key is valid for multiple instances and contains a customer ID.
Juniper Networks provides a 30-day evaluation license for Firefly Perimeter advanced
security features. You can download the evaluation license from the Evaluation Download
link. Installation of the evaluation license is similar to the regular license installation using
the CLI. See Firefly Perimeter License Installation Process.
NOTE: The 30-day evaluation license period begins from the day you enable
the enhanced security features after installing the evaluation licenses.
You can install Firefly Perimeter licenses using the following options:
J-Web interface
Junos OS CLI
2. Click Add. The Add License window is displayed as shown in Figure 2 on page 13.
3. Enter the full URL of the file containing the license key in the License File URL box,
or paste the license key text, in plain-text format, in the License Key Text box.
4. Click OK to add the license key. The License Details window is displayed as shown in
Figure 3 on page 13.
1. View the details of the license by entering the show system license command.
2. Install the license by entering the request system license add terminal command.
3. Enter the license key and press CTRL+D to end your input.
root@host> show system license
Licenses installed:
License identifier: E413012057
License version: 4
Software Serial Number: FFPVSRXESXCN
Customer ID: TEST-USER-SYSTEM
Features:
wf_key websense_ewf - Web Filtering EWF
date-based, 2014-11-01 08:00:00 CST - 2015-12-31 08:00:00 CST
NOTE: You can save the license key to a file and upload this file to the
Firefly Perimeter file system through File Transfer Protocol (FTP) or Secure
Copy (SCP). Install the license, and then use the show system license
command to view the updated license information.
You can update the Firefly Perimeter licenses using the following two methods: automatically,
by configuring a license server URL, or manually, with a CLI update request.
3. Contact your account team or Juniper Networks Customer Care for assistance.
system {
license {
autoupdate {
url https://url.of.license.server;
}
renew before-expiration 30 interval 6;
}
}
This configuration allows Firefly Perimeter to contact the license server starting 30 days
before the current license expires and to send an automatic update request every 6 hours.
To update the license manually:
1. Update the license by entering the request system license update url
https://url.of.license.server command. This command sends a license update request to
the license server immediately.
2. Check the status of the license by entering the show system license command.
For information about how to purchase a software license, contact your Juniper Networks
sales representative at http://www.juniper.net/in/en/contact-us/.
The same license key can be installed on multiple devices as long as it is not installed
on more devices than the license was purchased for. Table 3 on page 15 describes the
Firefly Perimeter features that require licenses.
Juniper-Sophos Antivirus
Juniper-Sophos Antispam
Each license allows you to run the specified advanced software features on Firefly
Perimeter.
Administrator Authentication:
Local authentication Yes
RADIUS Yes
TACACS+ Yes
Alarms:
Chassis alarms Yes
DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering Yes
DSCP marking for SIP, H.323, MGCP, and SCCP ALGs Yes
FTP Yes
H.323 Yes
Avaya H.323 No
IKE Yes
MGCP Yes
PPTP Yes
RSH Yes
RTSP Yes
SCCP Yes
SIP Yes
SQL Yes
MS RPC Yes
TALK Yes
TFTP Yes
Autoinstallation:
Autoinstallation Yes
Class of Service:
Classifiers Yes
Schedulers Yes
Tunnels Yes
Diagnostics Tools:
CLI terminal Yes
Traceroute Yes
DNS Proxy:
DNS proxy cache Yes
Dynamic DNS No
ethernet-ccc No
extended-vlan-ccc No
ethernet-tcc No
extended-vlan-tcc No
Interface family:
inet Yes
mpls Yes
ccc No
tcc No
iso Yes
ethernet-switching No
inet6 Yes
Static LAG No
Interface family:
ethernet-switching No
inet Yes
inet6 Yes
iso Yes
mpls Yes
File Management:
Clean up unnecessary files Yes
Rescue Yes
Firewall Authentication:
Firewall authentication on Layer 2 transparent authentication Yes
Interfaces:
Physical and Virtual Interface:
Services:
PPP interface No
PPPoE interface No
IP Monitoring:
IP monitoring with route failover (for standalone devices and redundant Ethernet interfaces) Yes
IP Security:
Acadia - Clientless VPN No
Authentication Yes
IKEv1 Yes
IKEv2 Yes
Support for NHTB when the st0.x interface is bound to a routing instance Yes
Support for remote access peers with shared IKE identity + mandatory XAuth Yes
IPv6 Support:
Flow-based forwarding and security features:
Screens Yes
Zones Yes
Chassis Cluster
Chassis Cluster Support on VMware:
Active-active Yes
Active-passive Yes
ALGs Yes
Layer 2 LAG No
Layer 3 LAG No
Chassis Management
Chassis management (support on VMware) Yes
IPv6 IP Security:
4in4 and 6in6 policy-based site-to-site VPN, AutoKey IKEv1 Yes
MPLS:
CCC and TCC No
CLNS Yes
LDP Yes
RSVP Yes
Multicast:
Filtering PIM register messages Yes
IGMP Yes
Primary routing mode (dense mode for LAN and sparse mode for WAN) Yes
SDP Yes
Multicast VPN:
Basic multicast features in C-instance Yes
Packet Capture:
Packet capture Yes
Routing:
BGP Yes
BGP Flowspec No
IS-IS Yes
OSPF v2 Yes
OSPF v3 Yes
HTTP Yes
HTTPS Yes
Schedulers Yes
SSL proxy No
Security Zone:
Functional zone Yes
Session Logging:
SMTP:
SMTP support Yes
SNMP:
SNMP support Yes
IDP/IPS
For SRX Series IDP/IPS configuration details, see:
https://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/pathway-pages/security/security-idp-index.html
Transparent Mode:
For information on configuring transparent mode on Firefly Perimeter, see
http://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.pdf
UTM Yes
UTM
For SRX Series UTM configuration details, see:
https://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/pathway-pages/security/security-utm-index.html
https://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/pathway-pages/security/security-utm-antispam.html
AV Full No
AV Sophos Yes
EWF Yes
Transparent mode No
AppSecure Yes
Ipsec Yes
Dual-root partitioning No
User Interfaces:
CLI Yes
SRC application No
VPLS:
Filtering and policing (Packet-Based) Yes
Table 5 on page 40 lists additional features that are not supported on Firefly Perimeter.
Group VPN No
Hardware Acceleration No
Logical Systems No
Services Offloading No
USB Modem No
Known Behavior
The known behaviors of Firefly Perimeter are as follows:
On Firefly Perimeter, maximum performance can be achieved using two vNICs. If you
add more vNICs you can expect a decrease in the total performance due to the interface
driver overhead. The performance behavior is applicable to both VMware and KVM
environments.
On Firefly Perimeter with a KVM chassis cluster, the secondary node crashes into
database (db) mode after starting up and synchronizing with the primary node.
On Firefly Perimeter, the system halts after the login prompt on the virsh console or
the VNC console, and it is not possible to ping, SSH, or Telnet to an interface or a
service. Ideally, the system should start without halting.
Firefly Perimeter requires a configuration with 2 vCPUs, up to 10 vNICs, 2GB RAM, and
2 GB disk space. When using IPS or UTM, the required memory size is 3 GB RAM.
Firefly Perimeter supports VMware ESXi 5.0, 5.1, and 5.5. For KVM, Firefly Perimeter
supports CentOS 6.3, Ubuntu 14.04, and Contrail 1.0.
On Firefly Perimeter, configuring XAuth with AutoVPN secure tunnel (st0) interfaces
in point-to-multipoint mode and dynamic IKE gateways is not supported.
On Firefly Perimeter, the generic routing encapsulation (GRE) interface is down when
ge-0/0/0 is set in the routing instance. [PR 1035957]
On Firefly Perimeter, there is a problem while handling large labels if the remote provider
edge (PE) router disables the vrf-label-label command. [PR 974942]
For a Firefly Perimeter running on Ubuntu 14.04, the commit operation time is slow.
[PR 1060459]
Chassis Cluster
On Firefly Perimeter with a chassis cluster, proxy-ndp on a reth interface fails if the
IPv6 multicast is set to 33:33:0:0:0:0. [PR 993888]
On Firefly Perimeter, cluster connection is unstable over a control or fabric link. [PR
1066969]
On Firefly Perimeter with KVM VirtIO Interface, packet distribution is not evenly
processed for all queues. [PR 925300]
On Firefly Perimeter, the UDP throughput for 2 vNICs on 16 vSRX instances is higher than
for more than 2 vNICs on a single vSRX device. [PR 930500]
Chassis Cluster
In a Firefly Perimeter Layer 2 chassis cluster, when the ping command is used to retrieve
self-traffic details, a 100% packet loss is displayed. [PR 964069]
On Firefly Perimeter, RT_IDS logging fails. The issue is related to an IPv6 extension
header introduced in Junos OS Release 12.1X46. [PR 959922]
IPS
On Firefly Perimeter, the permitted range of values to be entered in the CLI command
set security idp sensor-configuration detector protocol-name TELNET tunable-name
sc_telnet_failed_logins tunable-value incorrectly ranges from 33554432 to 1677721600.
The appropriate range is 2 to 100. This results in commit check error out of range when
a value in the appropriate range has been configured. This issue is fixed. [PR 954372]
On Firefly Perimeter, TCP packet re-ordering causes traffic issues when sub-interfaces
on reth are used. This issue is fixed. [PR 1026130]
On Firefly Perimeter, after sending telnet traffic, some incorrect source ports and
destination ports are populating in the log messages. This issue is fixed. [PR 1058838]
Chassis Cluster
On Firefly Perimeter with VMware, there is an issue with the chassis cluster set up in
the VMware 5.5 environment. This issue is fixed. [PR 936992]
On Firefly Perimeter, source MAC learning might fail in Layer 2 mode if a redundancy
group failover occurs immediately after an RG0 failover. Waiting 3 to 5 minutes between
the failovers resolves this issue. [PR 962905]
On Firefly Perimeter, transferring UDP traffic from the same source and destination
results in a loop for further forwarding sessions. This issue is fixed. [PR 981170]
On Firefly Perimeter, source MAC learning might fail when there is a failover in node
RG0. This issue is fixed. [PR 972358]
On Firefly Perimeter, proxy-ndp is inactive on the reth interface. This issue is fixed.[PR
985093]
Chassis Cluster
On Firefly Perimeter with a KVM chassis cluster, one of the interface cards shows
offline. The issue occurs because of a control link failure. This issue is fixed. [PR 966469]
On Firefly Perimeter with a KVM chassis cluster, when the secondary node is rebooted
after a manual failure, the flowd fabric monitor or interface displays a link status as
Down. This issue is fixed. [PR 973945]
On Firefly Perimeter, with a VMware ESXi chassis cluster, a core file is generated during
a failover. This issue is fixed. [PR 976757]
On Firefly Perimeter, the system is unable to capture the attack packets. This issue is
fixed. [PR 980858]
On Firefly Perimeter, the secondary node might print SIGTERM or exit information in
the console and crash into db mode. This issue is fixed. [PR 971280]
On Firefly Perimeter, the reth port loses its aggregate physical interface. In this case,
no traffic is able to transit the physical interface. This issue is fixed. [PR 978546]
If the information in the latest release notes differs from the information in the
documentation, follow the Junos OS Release Notes.
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper Networks
engineers and subject matter experts with book publishers around the world. These
books go beyond the technical documentation to explore the nuances of network
architecture, deployment, and administration using the Junos operating system (Junos
OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using Junos OS configuration techniques. All the books are for
sale at technical bookstores and book outlets around the world. The current list can be
viewed at http://www.juniper.net/books.
Documentation Feedback
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Revision History
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.