Installing Juniper Firefly Perimeter (vSRX) in VirtualBox and GNS3

Note: I have a follow-up post about doing the same thing, but using Vagrant to create the initial VM instead of doing vmdk conversions, for those having issues converting the vmdk.

=============================

The following instructions are how I was able to install a Juniper Firefly Perimeter (vSRX) into VirtualBox and then into GNS3 to test it.  There are many articles out there with similar instructions, and the one at Radovan Brezula’s blog was the most helpful, but these are the steps I took, and I am recording them here for safekeeping.  The Firefly Perimeter, also called vSRX, is a virtual firewall in Juniper’s SRX product line of security and firewall devices.  My basic test is to set up a simple network where a PC on the inside (trusted zone) can ping out, but a PC on the outside (untrusted zone) can’t ping in.

Note: These instructions are run on my Windows 7 Desktop.  If you are running any other OS, the instructions should be similar except for the path to the binaries.

1. Get OVA file from http://www.juniper.net/support/downloads/?p=firefly#sw

2. Extract contents of OVA file using 7-zip or other extracting tool. You should see something like the following.

certchain.pem
junos-vsrx-12.1X46-D25.7-domestic.cert
junos-vsrx-12.1X46-D25.7-domestic.mf
junos-vsrx-12.1X46-D25.7-domestic.ovf
junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk

3. Convert the vmdk virtual drive to vdi so it can be used by VirtualBox.

"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi

4. Create a new VM in VirtualBox.  These are the settings I used, and they work for me.

  • General:
    • Name: base-vSRX
    • Type: Linux
    • Version: Other Linux (32bit)
  • System:
    • Memory: 1024MB
    • CPU: 2  (very important it is not 1 CPU)
    • Enable PAE/NX
    • Enable I/O APIC
  • Hard Drive: IDE Primary master
    • Use an existing virtual hard Drive file (Choose the junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi you converted)
  • Network: (You can choose if you want each interface to be NAT, BIND, LocalHost, etc.)
    • Enable all 4 adapters and set the ‘Adapter Type’ to ‘Paravirtualized Network (virt-io net)’
    • I’m going to set Adapter 1 to Host Only to test connectivity
  • Audio:
    • Off
  • Serial Ports:
    • Enable Serial Port 1
    • Port Number: COM1
    • Port Mode: Disconnected

5. Boot up the VM.

6. The default login is ‘root’ with no password.

7. Test connectivity

 Amnesiac (ttyd0)

login: root

--- JUNOS 12.1X46-D25.7 built 2014-09-06 01:40:34 UTC
 root@% ping -c 2 192.168.56.1
 PING 192.168.56.1 (192.168.56.1): 56 data bytes
 64 bytes from 192.168.56.1: icmp_seq=0 ttl=128 time=6.971 ms
 64 bytes from 192.168.56.1: icmp_seq=1 ttl=128 time=0.875 ms

--- 192.168.56.1 ping statistics ---
 2 packets transmitted, 2 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.875/3.923/6.971/3.048 ms

This shows that I can ping from the vSRX to the VirtualBox host-only device on the outside.
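
Before the conversion in step 3, the files extracted in step 2 can be checked against the digests in the .mf manifest. The script below is an added example, not part of the original post; it assumes the standard OVF manifest line format 'SHA1(<file>)= <hex digest>', and demo() uses constructed files rather than the real Juniper image.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MF_LINE = re.compile(r"^(?P<algo>SHA1|SHA256)\((?P<name>.+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)$")

def parse_manifest(text):
    """Parse 'SHA1(<name>)= <hex>' lines into {name: (algo, digest)}."""
    entries = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = MF_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        entries[m["name"]] = (m["algo"].lower(), m["digest"].lower())
    return entries

def file_digest(path, algo, chunk=1 << 20):  # chunked: the vmdk is large
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_manifest(mf_path):
    """Check each listed file next to the manifest; return {name: status}."""
    mf_path, results = Path(mf_path), {}
    for name, (algo, expected) in parse_manifest(mf_path.read_text()).items():
        target = mf_path.parent / Path(name).name  # never leave the extract dir
        if not target.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if file_digest(target, algo) == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample files; the disk is altered after the manifest is written."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "demo.ovf").write_bytes(b"<Envelope/>")
        (d / "demo-disk1.vmdk").write_bytes(b"constructed disk bytes")
        lines = [f"SHA1({p.name})= {hashlib.sha1(p.read_bytes()).hexdigest()}"
                 for p in sorted(d.iterdir())]
        (d / "demo.mf").write_text("\n".join(lines) + "\nSHA1(absent.bin)= 00\n")
        (d / "demo-disk1.vmdk").write_bytes(b"truncated")  # simulate a bad copy
        return verify_manifest(d / "demo.mf")

if __name__ == "__main__":
    print(demo())
```

A match only shows that the files agree with the manifest, i.e. the download is complete and uncorrupted; authenticity rests on the signature in the .cert file, which this script does not check.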

Now to do some more testing, I am going to use GNS3 and add the vSRX in.

1. Create a clone of the base-vSRX.  I want to keep a clean base for cloning.

  • Name: vSRX-1
  • Check the ‘Reinitialize the MAC address of all network cards’.
  • Linked Clone

2. Start GNS3

3. Add the vSRX-1 VM to the VirtualBox VM list in preferences.
Edit->Preferences->VirtualBox->VirtualBox VMs->New

4. Select the vSRX-1 VM from the list and click finish.

5. Choose the vSRX-1 in the VM list in the preferences and click on the Edit button

  • General settings:
    • Start VM in headless mode
  • Network:
    • Adapters: 4
    • Start at: 0
    • Type: ‘Paravirtualized Network (virt-io net)’

6. Add the vSRX-1 and four VPCS to the canvas.
vSRX e0 (ge-0/0/0.0) -> PC2 e0
vSRX e1 (ge-0/0/1.0) -> PC1 e0
vSRX e2 (ge-0/0/2.0) -> PC4 e0
vSRX e3 (ge-0/0/3.0) -> PC3 e0


7. Start the vSRX and connect to console.

8. Log in and configure the interfaces. For this test, I am configuring ge-0/0/0 as the outside untrust interface (which is the config default), and the other three interfaces will be added to the trust zone.

 root@%
 root@% cli
 root> edit
 Entering configuration mode

[edit]
 root# set system host-name vSRX-1
 root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
 root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
 root# set interfaces ge-0/0/2 unit 0
 root# set interfaces ge-0/0/3 unit 0
 root# set system services web-management http interface ge-0/0/1.0
 root# set security zones security-zone trust host-inbound-traffic system-services http
 root# set security zones security-zone trust host-inbound-traffic system-services https
 root# set security zones security-zone trust host-inbound-traffic system-services ping
 root# set security zones security-zone trust host-inbound-traffic system-services ssh
 root# set security zones security-zone trust interfaces ge-0/0/1.0
 root# set security zones security-zone trust interfaces ge-0/0/2.0
 root# set security zones security-zone trust interfaces ge-0/0/3.0

9. Add a new local user and set root password

 root# set system login user admin class super-user
 root# set system login user admin authentication plain-text-password
 root# set system root-authentication plain-text-password

10. Commit config

 root# commit

11. Configure two VPCS using their consoles

 PC1> ip 192.168.2.2 192.168.2.1 24
 PC2> ip 192.168.1.2 192.168.1.1 24

12. Test that PC1 can get out but PC2 can’t get in.

#PC1 on trust zone pinging out to PC2
PC1> ping 192.168.1.2
192.168.1.2 icmp_seq=1 ttl=63 time=0.500 ms
192.168.1.2 icmp_seq=2 ttl=63 time=0.500 ms

#PC2 on untrust zone pinging in to PC1
PC2> ping 192.168.2.2
192.168.2.2 icmp_seq=1 timeout
192.168.2.2 icmp_seq=2 timeout

So my basic network works for this basic test.  When you use the vSRX in your testing, remember that this is not just a plain router; it is a security firewall.  If you are just hooking it up as a router and can’t figure out why nothing works, remember that there are trust and untrust zones, and check which zone your interface is in.
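
One way to do that zone check offline, as an added example that is not part of the original post: the script parses 'set'-format configuration (as printed by 'show configuration | display set') and reports which zone each logical interface is in and which units are in no zone at all. The untrust line in the sample is constructed to stand in for the factory default the post mentions; the other lines are the interface and zone commands from step 8.

```python
import re
from collections import defaultdict

# Interface and zone commands from step 8, plus one constructed line (the last)
# for the default untrust binding, which the post mentions but does not show.
CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/2 unit 0
set interfaces ge-0/0/3 unit 0
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone untrust interfaces ge-0/0/0.0
"""

UNIT = re.compile(r"^set interfaces (\S+) unit (\d+)\b")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) "
                      r"host-inbound-traffic system-services (\S+)$")

def audit(config_text):
    """Map logical interfaces to zones and list units bound to no zone."""
    units, zone_of, services = set(), {}, defaultdict(set)
    for line in map(str.strip, config_text.splitlines()):
        if m := UNIT.match(line):
            units.add(f"{m[1]}.{m[2]}")          # ge-0/0/1 unit 0 -> ge-0/0/1.0
        elif m := ZONE_IF.match(line):
            if m[2] in zone_of and zone_of[m[2]] != m[1]:
                raise ValueError(f"{m[2]} bound to two zones")
            zone_of[m[2]] = m[1]
        elif m := ZONE_SVC.match(line):
            services[m[1]].add(m[2])             # zone-wide host-inbound services
    return {
        "zone_of": zone_of,
        "unzoned": sorted(units - set(zone_of)),  # configured but in no zone
        "host_inbound": {z: sorted(s) for z, s in services.items()},
    }

if __name__ == "__main__":
    print(audit(CONFIG))
```

An interface unit that shows up under "unzoned" is the usual reason a vSRX wired up "as a router" passes no traffic.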

One note.  I tried to configure the other two ports for switching and create an SVI using the following configuration.
vSRX-1:

 set vlans vlan-trust vlan-id 3
 set vlans vlan-trust l3-interface vlan.0
 set interfaces vlan unit 0 family inet address 192.168.3.1/24
 set interfaces interface-range interfaces-trust member ge-0/0/2
 set interfaces interface-range interfaces-trust member ge-0/0/3
 set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
 set security zones security-zone trust interfaces vlan.0

VPCS:

PC4> ip 192.168.3.2 192.168.3.1 24
PC3> ip 192.168.3.3 192.168.3.1 24

But I found out afterwards that the vSRX (Firefly Perimeter) platform does not yet support Ethernet switching.

Anyway, I had fun trying this out and will keep playing with it.  Enjoy.

This post ‘Installing Juniper Firefly (vSRX) in VirtualBox’ first appeared on https://techandtrains.com/.


38 Responses to Installing Juniper Firefly Perimeter (vSRX) in VirtualBox and GNS3

  1. jhone says:

    Hello. I have the same problem when installing Firefly on VirtualBox. I can’t convert vmdk to vdi. Can you give me Firefly in a vdi file? Thanks.

  2. nanto says:

    Hi, I tried this on VirtualBox on Mac but got unlucky; during the boot up it went to db> instead of root%. Any idea?

    thanks

  3. usman Ahmed says:

    I am facing an issue with the interfaces. When I type the command show interfaces terse, it does not show me ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0 & ge-0/0/3.0. Any idea?

    • gregorygee says:

      What is the Adapter Type set to in VirtualBox? Are they all set to ‘Paravirtualized Network (virt-io net)’ ? There may be driver issues getting the interfaces to show up if not set properly. I just started another vSRX with three adapters set to Paravirtualized Network (virt-io net) and they all show up in the ‘interfaces terse’.

      • Thank you for the great article.
        But I am also facing the same issue.
        Don’t know how to troubleshoot.
        No interfaces are shown in get int terse.

      • gregorygee says:

        I’ll need more information to help troubleshoot. At what stage are you trying this? Is this while you are running standalone in VirtualBox or when it is run via GNS3? What was the adapter type that you chose? Please see the post on the type of adapter you need.

      • Aman says:

        The issue was coming in both Virtualbox & GNS3.
        I was using virt-io type network card.
        The issue was resolved when using Qemu.
        I think there may be a bug in Virtualbox with this card type.

      • gregorygee says:

        Glad you got it working. I checked and I have all the interfaces using VB. I’m using 4.3.20 of VirtualBox.

      • Aman says:

        Thank you for such a nice article..

    • blank says:

      I got a weird issue. When I create a clone of vSRX-base and run it in GNS3 (2 instances of vSRX), on the first run all is working well (ge interfaces are visible in ifconfig and in show int te), but after I reboot my interfaces disappear. If I remove the vSRX base and linked clone and re-add them, once again on the first run all is working well, and after reboot BAM, interfaces are missing.

      • Gregory Gee says:

        Can’t say I’ve seen this issue before. Is it just the clone that has this problem? Make a snapshot of your base and see if the base has the same issue. When you cloned, did you make sure the MAC addresses were reinitialized?

  4. usman Ahmed says:

    jhone, run your cmd as administrator, enter the directory where you saved the vmdk file and type the command below. I have converted the file easily without any issue.

    "c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X47-D15.4-domestic-disk1.vmdk junos-vsrx-12.1X47-D15.4-domestic-disk1.vdi

    • tsu says:

      Tried converting into vdi format but got the error below. I have my vmdk file in “E:\Server 2008 MCITP\vsrx”

      E:\Server 2008 MCITP\vsrx>”C:\Program Files\Oracle\VirtualBox\VBoxManage.exe” cl
      onehd -format VDI junos-vsrx-12.1I20130322_2104_slt-builder-domestic-disk1.vmdk
      junos-vsrx-12.1I20130322_2104_slt-builder-domestic-disk1.vdi
      The filename, directory name, or volume label syntax is incorrect.

  5. Xavier says:

    Thanks for the article. It helps me a lot with my configuration.
    I’ve got everything working from your example.

    Now I am trying to connect 2 x vSRX together (just ping), but they’re not talking to each other. Wireshark shows srx1 sending the ARP packet, but srx2 is not responding (vsrx2 shows the incoming packet from the interface). I wonder if you’ve been able to get them to talk.

    • Xavier says:

      Oh… never mind. When I cloned my 2nd SRX, I forgot to re-generate the new MAC address. Now I can get the SRXs talking. Thanks for the article.

  6. Nikhil says:

    Hi All,

    I followed the documents and converted the vmdk to vdi.
    I tried creating a VM in Oracle VirtualBox Manager using the VDI, and when I try to start it,
    a window appears and it stays on the screen without any further action.

    Loading /boor/loader
    /boor/loader tried
    will boot from alternate path
    loading /cf/boot/loader

    BTX Loader 1.00 BTX version 1.02

    Can someone help with this? I have been trying to set this up for more than a day now. :(

    Please help

    • Gregory Gee says:

      Did you enable a Serial Port for that VM? What you are seeing usually happens when there is no serial port enabled, which means the router has no serial console to output to.

      Also note, I’m using 4.3.20 of VirtualBox.

  7. Pali says:

    Thanks for such a nice article, it really helped me to set up the SRX firewall on VirtualBox.
    The only issue I am facing is that interfaces are not showing. I configured the adapter to ‘Paravirtualized Network (virt-io net)’ as suggested.

    Any clues to solve this.

    Thanks in advance.

    • Gregory Gee says:

      I’ve heard a few others mention the same thing in various formats. When you first created the VM, did all the interfaces show up then and now they are gone? Also, which version of VirtualBox are you using? This sometimes makes a difference. Does it do this when you run with VB standalone or within GNS3 as well? I am currently running VB 4.3.20 and not having any issues of interfaces not appearing.

      • Pali says:

        Yeah, I installed version 4.3.20 also and tried the latest VB, but still no luck.
        In the very first phase the interfaces are not showing in the list, and not even after integrating with GNS.

        here the output
        https://www.sendspace.com/file/0nhbxv

        Thanks

      • Gregory Gee says:

        One thing to watch out for with GNS3 is that it will change your VM settings in VB and disable network adapters. Make sure the adapters are enabled and the ‘cable connected’ is checked. Also, what version of vsrx are you using? Maybe my copy is different and something changed recently.

      • Pali says:

        Hi

        I am using the version below:
        junos-vsrx-12.1X46-D30.2-domestic

        I will be very thankful if you will share the information below from your setup:
        1. Version of vSRX
        2. No. of CPUs in VB settings

        I read an article saying that increasing the number of CPUs can solve the interface disappearing issue, but my issue is that I am not even able to increase the number of CPUs.

      • Gregory Gee says:

        1. My VM currently is using junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi.
        2. I have 2 CPU. I don’t believe it will work with 1 CPU as my post mentioned.

        If I get a chance soon, I could try the D30.2 version that you mentioned.

  8. Hi,

    My VMs are running perfectly now.

    However I am not able to onboard the VM that is running in Qemu in Juniper NSM.

    On Analyzing, I found the issue as shown in the below links:

    The VM running in Qemu does not have a serial number.
    Any idea what can be the issue & how to resolve it?

  9. Pingback: Installing Juniper Firefly Perimeter (vSRX) in VirtualBox and GNS3 using Vagrant | Tech and Trains

  10. Pingback: Juniper IJOS JRE JSEC Class

  11. VB says:

    I am not able to create a VM with 2 CPUs in VirtualBox. When I try to create a VM, it by default gives me a 32-bit VM, with no 64-bit option available.

    • Gregory Gee says:

      I’m not sure why you can’t have 2 CPU unless your PC host you are running on doesn’t have 2. As for the 32bit, my instructions say to create a 32bit VM. How old is the PC you are trying to run this on?

  12. Marx says:

    I have a problem using Virtualbox5 and GNS3 1.3.9.
    The above instructions work, but I need a workaround to establish IP connectivity between SRX and VPC.

    I noticed that the Giga interfaces have a MAC address of 0:
    “Current address: 00:00:00:00:00:00”

    You can change it using the command in junos…..but it is still annoying.

  13. nda says:

    Thanks, bro.
    I have been searching for two days for how to properly configure VirtualBox for the SRX firewall.
