Installing Juniper Firefly Perimeter (vSRX) in VirtualBox and GNS3
November 11, 2014
Note: I have a followup post about doing the same thing but using Vagrant to create the initial VM instead of doing vmdk conversions for those having issues converting the vmdk.
=============================
The following instructions are how I was able to install a Juniper Firefly Perimeter (vSRX) into VirtualBox and then into GNS3 to test it. There are many articles out there with similar instructions, and this one at Radovan Brezula’s blog was the most helpful, but these are the steps I took and I am recording them here for safekeeping. The Firefly Perimeter, also called vSRX, is a virtual firewall from Juniper’s SRX product line of security and firewall devices. My basic test is to set up a simple network where a PC on the inside (trusted zone) can ping out, but a PC on the outside (untrusted zone) can’t ping in.
Note: These instructions are run on my Windows 7 Desktop. If you are running any other OS, the instructions should be similar except for the path to the binaries.
1. Get OVA file from http://www.juniper.net/support/downloads/?p=firefly#sw
2. Extract contents of OVA file using 7-zip or other extracting tool. You should see something like the following.
certchain.pem
junos-vsrx-12.1X46-D25.7-domestic.cert
junos-vsrx-12.1X46-D25.7-domestic.mf
junos-vsrx-12.1X46-D25.7-domestic.ovf
junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk
3. Convert the vmdk virtual drive to vdi so it can be used by Virtual Box.
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi
4. Create new VM in VirtualBox. These are the settings I used, and they work for me.
- General:
  - Name: base-vSRX
  - Type: Linux
  - Version: Other Linux (32bit)
- System:
  - Memory: 1024MB
  - CPU: 2 (very important it is not 1 CPU)
  - Enable PAE/NX
  - Enable I/O APIC
- Hard Drive: IDE Primary master
  - Use an existing virtual hard Drive file (Choose the junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi you converted)
- Network: (You can choose if you want each interface to be NAT, BIND, LocalHost, etc.)
  - Enable all 4 adapters and set the ‘Adapter Type’ to ‘Paravirtualized Network (virt-io net)’
  - I’m going to set Adapter 1 to Host Only to test connectivity
- Audio:
  - Off
- Serial Ports:
  - Enable Serial Port 1
  - Port Number: COM1
  - Port Mode: Disconnected
5. Boot up the VM.
6. The default login is ‘root’ with no password.
7. Test connectivity
Amnesiac (ttyd0)

login: root

--- JUNOS 12.1X46-D25.7 built 2014-09-06 01:40:34 UTC
root@% ping -c 2 192.168.56.1
PING 192.168.56.1 (192.168.56.1): 56 data bytes
64 bytes from 192.168.56.1: icmp_seq=0 ttl=128 time=6.971 ms
64 bytes from 192.168.56.1: icmp_seq=1 ttl=128 time=0.875 ms

--- 192.168.56.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.875/3.923/6.971/3.048 ms
This shows that I can ping from the vSRX to the Virtual Box host only device on the outside.
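Going back to steps 2 and 3: before converting the vmdk, the extracted files can be checked against the digests in the .mf manifest. The following Python script is an added example, not part of the original post; it assumes the standard OVF manifest line format `SHA1(name)= digest`, and its demo() runs on constructed stand-in files.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# OVF manifest entries look like: SHA1(file-name)= hex-digest
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")

def file_digest(path, algo, chunk=1 << 20):
    """Hash in chunks so a large vmdk is never read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_manifest(mf_path):
    """Return {file name: 'ok' | 'MISMATCH' | 'MISSING' | 'REJECTED'}."""
    mf_path = Path(mf_path)
    results = {}
    for line in mf_path.read_text().splitlines():
        m = MF_LINE.match(line.strip())
        if not m:
            continue                      # blank or unrecognised line
        algo, name, expected = m[1].lower(), m[2], m[3].lower()
        target = mf_path.parent / name
        if Path(name).name != name:       # refuse names that leave the folder
            results[name] = "REJECTED"
        elif not target.is_file():
            results[name] = "MISSING"
        elif file_digest(target, algo) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed stand-in files, not the real Juniper image."""
    d = Path(tempfile.mkdtemp())
    (d / "demo.ovf").write_bytes(b"<Envelope/>")
    (d / "demo-disk1.vmdk").write_bytes(b"constructed disk bytes")
    good = hashlib.sha1(b"<Envelope/>").hexdigest()
    stale = hashlib.sha1(b"some other disk").hexdigest()
    (d / "demo.mf").write_text(
        f"SHA1(demo.ovf)= {good}\nSHA1(demo-disk1.vmdk)= {stale}\n")
    return verify_manifest(d / "demo.mf")

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

To check the real download, call verify_manifest() on the extracted junos-vsrx-12.1X46-D25.7-domestic.mf. A match shows the files are the ones the manifest lists; it does not by itself authenticate the manifest.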
Now to do some more testing, I am going to use GNS3 and add the vSRX in.
1. Create a clone of the base-vSRX. I want to keep a clean base for cloning.
- Name: vSRX-1
- Check the ‘Reinitialize the MAC address of all network cards’.
- Linked Clone
2. Start GNS3
3. Add the vSRX-1 VM to the VirtualBox VM list in preferences.
Edit->Preferences->VirtualBox->VirtualBox VMs->New
4. Select the vSRX-1 VM from the list and click finish.
5. Choose the vSRX-1 in the VM list in the preferences and click on the Edit button
- General settings:
  - Start VM in headless mode
- Network:
  - Adapters: 4
  - Start at: 0
  - Type: ‘Paravirtualized Network (virt-io net)’
6. Add the vSRX-1 and four VPCS to the canvas and connect them as follows.
vSRX e0(ge-0/0/0.0) -> PC2 e0
vSRX e1(ge-0/0/1.0) -> PC1 e0
vSRX e2(ge-0/0/2.0) -> PC4 e0
vSRX e3(ge-0/0/3.0) -> PC3 e0
7. Start the vSRX and connect to console.
8. Login and configure the interfaces. For this test, I am configuring ge-0/0/0 as the outside untrust interface (which is the config default) and the other three interfaces will be added to the trust zone.
root@%
root@% cli
root> edit
Entering configuration mode

[edit]
root# set system host-name vSRX-1
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
root# set interfaces ge-0/0/2 unit 0
root# set interfaces ge-0/0/3 unit 0
root# set system services web-management http interface ge-0/0/1.0
root# set security zones security-zone trust host-inbound-traffic system-services http
root# set security zones security-zone trust host-inbound-traffic system-services https
root# set security zones security-zone trust host-inbound-traffic system-services ping
root# set security zones security-zone trust host-inbound-traffic system-services ssh
root# set security zones security-zone trust interfaces ge-0/0/1.0
root# set security zones security-zone trust interfaces ge-0/0/2.0
root# set security zones security-zone trust interfaces ge-0/0/3.0
9. Add a new local user and set root password
root# set system login user admin class super-user
root# set system login user admin authentication plain-text-password
root# set system root-authentication plain-text-password
10. Commit config
root# commit
11. Configure two VPCS using their consoles
PC1> ip 192.168.2.2 192.168.2.1 24
PC2> ip 192.168.1.2 192.168.1.1 24
12. Test that PC1 can get out but PC2 can’t get in.
#PC1 on trust zone pinging out to PC2
PC1> ping 192.168.1.2
192.168.1.2 icmp_seq=1 ttl=63 time=0.500 ms
192.168.1.2 icmp_seq=2 ttl=63 time=0.500 ms

#PC2 on untrust zone pinging in to PC1
PC2> ping 192.168.2.2
192.168.2.2 icmp_seq=1 timeout
192.168.2.2 icmp_seq=2 timeout
So my basic network works for this basic test. When you use the vSRX in your testing, remember that this is not just a plain router; it is a security firewall. If you are just hooking it up as a router and can’t figure out why nothing works, remember that there are trust and untrust zones, and check which zone your interface is in.
One note. I tried to configure the other two ports for switching and create an SVI using the following configuration.
vSRX-1:
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 192.168.3.1/24
set interfaces interface-range interfaces-trust member ge-0/0/2
set interfaces interface-range interfaces-trust member ge-0/0/3
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set security zones security-zone trust interfaces vlan.0
VPCS:
PC4> ip 192.168.3.2 192.168.3.1 24
PC3> ip 192.168.3.3 192.168.3.1 24
But I found out afterwards that the vSRX (Firefly Perimeter) platform does not yet support Ethernet switching.
Anyway, I had fun trying this out and will keep playing with it. Enjoy.
This post ‘Installing Juniper Firefly (vSRX) in VirtualBox’ first appeared on https://techandtrains.com/.
Hello. I have the same problem when installing Firefly on VirtualBox. I can't convert the vmdk to vdi. Can you give me Firefly as a vdi file? Thanks
What problem are you having converting the vmdk file to vdi? Also, I am not willing to share product downloads. You must obtain the OVA yourself.
Yes, I can't convert the vmdk file to vdi using the command prompt. Any idea how to convert the vmdk to a vdi file?
Hi, I tried this on VirtualBox on a Mac but got unlucky; during boot-up it went to db> instead of root%. Any idea?
Thanks
Sorry, can’t say that it looks familiar to me. Are you getting this prompt as soon as it boots up or after you login as root? Hope to hear back how things went.
Having the same problem, as soon as it boots up.
I am facing an issue with the interfaces. When I type the command show interfaces terse, it does not show me ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0 and ge-0/0/3.0. Any idea?
What is the Adapter Type set to in VirtualBox? Are they all set to ‘Paravirtualized Network (virt-io net)’ ? There may be driver issues getting the interfaces to show up if not set properly. I just started another vSRX with three adapters set to Paravirtualized Network (virt-io net) and they all show up in the ‘interfaces terse’.
Thank you for the great article.
But I am also facing the same issue.
Don’t know how to troubleshoot.
No interfaces are shown in get int terse.
I’ll need more information to help troubleshoot. At what stage are you trying this? Is this while you are running standalone in VirtualBox or when it is run via GNS3? What was the adapter type that you chose? Please see the post on the type of adapter you need.
The issue was coming in both Virtualbox & GNS3.
I was using virt-io type network card.
The issue was resolved when using Qemu.
I think there may be a bug in Virtualbox with this card type.
Glad you got it working. I checked and I have all the interfaces using VB. I’m using 4.3.20 of VirtualBox.
Thank you for such a nice article..
I got a weird issue. When I create a clone of vSRX-base and run this in GNS3 (2 instances of vsrx) and run it for the first time, all is working well (ge interfaces are visible in ifconfig and in show int te), but after I reboot my interfaces disappear. If I remove the vsrx base and linked clone and re-add them once again, for the first run all is working well, and after reboot BAM, interfaces are missing.
Can’t say I’ve seen this issue before. Is it just the clone that has this problem? Make a snapshot of your base and see if the base has the same issue. When you cloned, did you make sure the MAC addresses were reinitialized?
jhone, run your cmd as administrator, go to the directory where you saved the vmdk file and type the command below. I converted the file easily without any issue.
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X47-D15.4-domestic-disk1.vmdk junos-vsrx-12.1X47-D15.4-domestic-disk1.vdi
Tried converting into vdi format but got the error below. I have my vmdk file in “E:\Server 2008 MCITP\vsrx”
E:\Server 2008 MCITP\vsrx>”C:\Program Files\Oracle\VirtualBox\VBoxManage.exe” cl
onehd -format VDI junos-vsrx-12.1I20130322_2104_slt-builder-domestic-disk1.vmdk
junos-vsrx-12.1I20130322_2104_slt-builder-domestic-disk1.vdi
The filename, directory name, or volume label syntax is incorrect.
Are those file names correct? Are you in the directory that the VMDK file exists?
Thanks for the article. It helps me a lot with my configuration.
I’ve got everything working from your example.
Now I am trying to connect 2 x vSRX together (just ping), but they’re not talking to each other. Wireshark shows srx1 sending the ARP packet, but srx2 is not responding (vsrx2 shows the incoming packet from the interface). I wonder if you’ve been able to get them to talk.
Oh… nevermind. When I clone my 2nd SRX, I forget to re-generate the new mac address. Now I can get the srx talking. Thanks for the article.
Hi All,
I followed the documents and converted the vmdk to vdi
I tried creating a VM in Oracle Virtual Box manager using the VDI and when i try to start
a window appears and it stays on the screen without any further action
Loading /boor/loader
/boor/loader tried
will boot from alternate path
loading /cf/boot/loader
BTX Loader 1.00 BTX version 1.02
Can someone help with this? I have been trying to set this up for more than a day now. :(
Please help
Did you enable a Serial Port for that VM? What you are seeing usually happens when there is no serial port enabled, which means the router has no serial console to output to.
Also note, I’m using 4.3.20 of VirtualBox.
Thanks a lot for this answer. I’ve been struggling with this for so long now.
Thanks for such a nice article, it really helped me to setup SRX firewall on Virtual Box.
The only issue I am facing is that the interfaces are not showing. I configured the adapter to ‘Paravirtualized Network (virt-io net)’ as suggested.
Any clues to solve this.
Thanks in advance.
I’ve heard a few others mention the same thing in various formats. When you first created the VM, did all the interfaces show up then and now they are gone? Also, which version of VirtualBox are you using? This sometimes makes a difference. Does it do this when you run with VB standalone or within GNS3 as well? I am currently running VB 4.3.20 and not having any issues of interfaces not appearing.
Yeah, I installed version 4.3.20 also and tried the latest VB, but still no luck.
In the very first phase the interfaces are not showing in the list, and not even after integrating with GNS.
here the output
https://www.sendspace.com/file/0nhbxv
Thanks
One thing to watch out for with GNS3 is that it will change your VM settings in VB and disable network adapters. Make sure the adapters are enabled and the ‘cable connected’ is checked. Also, what version of vsrx are you using? Maybe my copy is different and something changed recently.
Hi
i am using below version
junos-vsrx-12.1X46-D30.2-domestic
Will be very thankful if you will share below information from your setup
1. Version of Vsrx
2. No. of CPU in VB settings
I read an article saying that increasing the number of CPUs can solve the interface disappearing issue, but my problem is that I am not even able to increase the number of CPUs.
1. My VM currently is using junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi.
2. I have 2 CPU. I don’t believe it will work with 1 CPU as my post mentioned.
If I get a chance soon, I could try the D30.2 version that you mentioned.
Hi,
My VMs are running perfectly now.
However I am not able to onboard the VM that is running in Qemu in Juniper NSM.
On Analyzing, I found the issue as shown in the below links:


The VM running in Qemu does not have a serial number.
Any idea what can be the issue & how to resolve it?
Unfortunately I don’t know. I have only used the vSRX in VirtualBox, so I can’t provide any tips. You could try asking at http://brezular.com/2014/07/22/how-to-run-juniper-firefly-perimeter-vsrx-on-gns3/ which used qemu with vSRX.
Thanks for the update..
I will do the same..
I am not able to create a VM with 2 CPUs in VirtualBox. When I try to create a VM, it gives me a 32-bit VM by default; no 64-bit option is available.
I’m not sure why you can’t have 2 CPU unless your PC host you are running on doesn’t have 2. As for the 32bit, my instructions say to create a 32bit VM. How old is the PC you are trying to run this on?
I have a problem using Virtualbox5 and GNS3 1.3.9.
The above instructions work, but I need a workaround to establish IP connectivity between SRX and VPC.
I noticed that the Giga interfaces have a MAC address of 0:
“Current address: 00:00:00:00:00:00”
You can change it using the command in junos…..but it is still annoying.
Thanks bro
I have been searching for two days for VirtualBox for the SRX firewall
and how to configure it properly.
Two Firefly SRX do not ping each other, any clue?