Features Supported on Firefly Perimeter with VMware
Firefly Perimeter inherits many features from the SRX Series product line. However, because some SRX Series features are not directly applicable in a virtualized environment, they have been excluded from the Firefly Perimeter product line. Table 1 describes the available features on Firefly Perimeter as of Junos OS Release 12.1X47-D10. For feature roadmap details, contact your Juniper Networks representative.
Table 1: Features Supported on Firefly Perimeter
Feature | Support on Firefly Perimeter |
---|---|
Address Books and Address Sets | |
Address books | Yes |
Address sets | Yes |
Global address objects or sets | Yes |
Nested address groups | Yes |
Administrator Authentication | |
Local authentication | Yes |
RADIUS | Yes |
TACACS+ | Yes |
Alarms | |
Chassis alarms | Yes |
Interface alarms | Yes |
System alarms | Yes |
Application Layer Gateways | |
DNS ALG | Yes |
DNS doctoring support | Yes |
DNS, FTP, RTSP, and TFTP ALGs (Layer 2) with chassis clustering | Yes |
DSCP marking for SIP, H.323, MGCP, and SCCP ALGs | Yes |
FTP | Yes |
H.323 | Yes |
Avaya H.323 | No |
IKE | Yes |
MGCP | Yes |
PPTP | Yes |
RSH | Yes |
RTSP | Yes |
SCCP | Yes |
SIP | Yes |
SIP ALG–NEC | Yes |
SQL | Yes |
MS RPC | Yes |
SUN RPC | Yes |
TALK | Yes |
TFTP | Yes |
Attack Detection and Prevention | |
Bad IP option | Yes |
Block fragment traffic | Yes |
FIN flag without ACK flag set protection | Yes |
ICMP flood protection | Yes |
ICMP fragment protection | Yes |
IP address spoof | Yes |
IP address sweep | Yes |
IP record route option | Yes |
IP security option | Yes |
IP stream option | Yes |
IP strict source route option | Yes |
IP timestamp option | Yes |
Land attack protection | Yes |
Large size ICMP packet protection | Yes |
Loose source route option | Yes |
Ping of death attack protection | Yes |
Port scan | Yes |
Source IP-based session limit | Yes |
SYN-ACK-ACK proxy protection | Yes |
SYN and FIN flags set protection | Yes |
SYN flood protection | Yes |
SYN fragment protection | Yes |
TCP address sweep | Yes |
TCP packet without flag set protection | Yes |
Teardrop attack protection | Yes |
UDP address sweep | Yes |
UDP flood protection | Yes |
Unknown IP protocol protection | Yes |
Whitelist for SYN flood screens | Yes |
WinNuke attack protection | Yes |
Autoinstallation | |
Autoinstallation | Yes |
Class of Service | |
Classifiers | Yes |
Code-point aliases | Yes |
Egress interface shaping | Yes |
Forwarding classes | Yes |
High-priority queue on Services Processing Card | No |
Ingress interface policer | Yes |
Schedulers | Yes |
Simple filters | Yes |
Transmission queues | Yes |
Tunnels (Note: GRE and IP-IP tunnels only.) | Yes |
Virtual channels | Yes |
Diagnostics Tools | |
CLI terminal | Yes |
Flow monitoring cflowd version 5 and flow monitoring cflowd version 8 | Yes |
Flow monitoring cflowd version 9 | No |
Ping host | Yes |
Ping MPLS | Yes |
Traceroute | Yes |
Ping Ethernet (CFM) | No |
Traceroute Ethernet (CFM) | No |
DNS Proxy | |
DNS proxy cache | Yes |
DNS proxy with split DNS | Yes |
Dynamic DNS | No |
Dynamic Host Configuration Protocol | |
DHCPv6 client | No |
DHCPv4 client | Yes |
DHCPv6 relay agent | No |
DHCPv4 relay agent | Yes |
DHCPv6 server | Yes |
DHCPv4 server | Yes |
DHCP server address pools | Yes |
DHCP server static mapping | Yes |
Ethernet Link Aggregation | |
Routing mode | |
LACP in chassis cluster pair | No |
LACP in standalone device | No |
Layer 3 LAG on routed ports | No |
Static LAG in chassis cluster mode | No |
Static LAG in standalone mode | No |
Ethernet Link Fault Management | |
Interfaces supported | |
LACP in chassis cluster pair | No |
LACP in standalone mode | No |
Static LAG in chassis cluster mode | No |
Static LAG in standalone mode | No |
Physical interface (encapsulations) | |
ethernet-ccc | No |
extended-vlan-ccc | No |
ethernet-tcc | No |
extended-vlan-tcc | No |
Interface family: | |
inet | Yes |
mpls | Yes |
ccc | No |
tcc | No |
iso | Yes |
ethernet-switching | No |
inet6 | Yes |
Aggregated Ethernet interface | |
Static LAG | No |
LACP enabled LAG | No |
Interface family: | |
ethernet-switching | No |
inet | Yes |
inet6 | Yes |
iso | Yes |
mpls | Yes |
File Management | |
Clean up unnecessary files | Yes |
Delete backup software image | Yes |
Delete individual files | Yes |
Download system files | Yes |
Encrypt/decrypt configuration files | Yes |
Manage account files | Yes |
Rescue | Yes |
System zeroize | Yes |
Monitor start | Yes |
Archive files | Yes |
Calculate checksum | Yes |
Compare files | Yes |
Rename files | Yes |
Firewall Authentication | |
Firewall authentication on Layer 2 transparent authentication | Yes |
LDAP authentication server | Yes |
Local authentication server | Yes |
Pass-through authentication | Yes |
RADIUS authentication server | Yes |
SecurID authentication server | Yes |
Web authentication | Yes |
Flow-Based and Packet-Based Processing | |
Alarms and auditing | Yes |
End-to-end packet debugging | No |
Flow-based processing | Yes |
Network processor bundling | No |
Packet-based processing | Yes |
Selective stateless packet-based services | Yes |
Interfaces | |
Physical and Virtual Interface | |
Ethernet interface | Yes |
Gigabit Ethernet interface | Yes |
Services | |
Aggregated Ethernet interface | No |
GRE interface | Yes |
IEEE 802.1X dynamic VLAN assignment | No |
IEEE 802.1X MAC bypass | No |
IEEE 802.1X port-based authentication control with multisupplicant support | No |
Interleaving using MLFR | No |
Internally configured interface used by the system as a control path between the WXC Integrated Services Module and the Routing Engine (RE). | No |
Internally generated GRE interface (gr-0/0/0) | Yes |
Internally generated IP-over-IP interface (ip-0/0/0) | Yes |
Internally generated link services interface | Yes |
Internally generated Protocol Independent Multicast de-encapsulation interface | Yes |
Internally generated Protocol Independent Multicast encapsulation interface | Yes |
Link fragmentation and interleaving interface | Yes |
Link services interface | Yes |
Loopback interface | Yes |
Management interface | Yes |
PPP interface | No |
PPPoE-based radio-to-router protocol | No |
PPPoE interface | No |
Promiscuous mode on interfaces | Yes (Note: Promiscuous mode needs to be enabled on the hypervisor.) |
Secure tunnel interface | Yes |
IP Monitoring | |
IP monitoring with route failover (for standalone devices and redundant Ethernet interfaces) | Yes |
IP monitoring with interface failover (for standalone devices) | Yes |
Track IP enhancements (IP monitoring using RPM) | No |
IP Security | |
Acadia - Clientless VPN | No |
Alarms and auditing | Yes |
Antireplay (packet replay attack prevention) | Yes |
Authentication | Yes |
Authentication Header (AH) | Yes |
Autokey management | Yes |
Automated certificate enrollment using SCEP | Yes |
Automatic generation of self-signed certificates | Yes |
Bridge domain and transparent mode | Yes |
Certificate - Configure local certificate sent to peer | Yes |
Certificate - Configure requested CA of peer certificate | Yes |
Certificate - Encoding: PKCS7, X509, PEM, DER | Yes |
Certificate - RSA signature | Yes |
Class of service | Yes |
CRL update at user-specified interval | Yes |
Config Mode (draft-dukes-ike-mode-cfg-03) | Yes |
Dead peer detection (DPD) | Yes |
Diffie-Hellman (PFS) Group 1 | Yes |
Diffie-Hellman (PFS) Group 2 | Yes |
Diffie-Hellman (PFS) Group 5 | Yes |
Diffie-Hellman Group 1 | Yes |
Diffie-Hellman Group 2 | Yes |
Diffie-Hellman Group 5 | Yes |
Digital signature generation | Yes |
Dynamic IP address | Yes |
Dynamic IPsec VPNs | No |
Encapsulating Security Payload (ESP) protocol | Yes |
Encryption algorithms 3DES | Yes |
Encryption algorithms AES 128, 192, and 256 | Yes |
Encryption algorithms DES | Yes |
Encryption algorithms NULL (authentication only) | Yes |
Entrust, Microsoft, and Verisign certificate authorities (CAs) | Yes |
External Extended Authentication (Xauth) to a RADIUS server for remote access connections | Yes |
Group Encrypted Transport (GET VPN) | No |
Group VPN with dynamic policies | No |
Hard lifetime limit | Yes |
Hardware IPsec (bulk crypto) Cavium/RMI | No |
Hash algorithms MD5 | Yes |
Hash algorithms SHA-1 | Yes |
Hash algorithms SHA-2 (SHA-256) | Yes |
Hub & spoke VPN | Yes |
Idle timers for IKE | Yes |
Improvements in VPN debug capabilities | Yes |
Initial contact | Yes |
Invalid SPI response | Yes |
IKE Diffie-Hellman Group 14 support | Yes |
IKE Phase 1 | Yes |
IKE Phase 1 lifetime | Yes |
IKE Phase 2 | Yes |
IKE Phase 2 lifetime | Yes |
IKE and IPsec predefine proposal sets to work with dynamic VPN client | No |
IPsec tunnel termination in routing-instances | Yes (Note: Supported on virtual router only.) |
IKE support | Yes |
IKEv1 | Yes |
IKEv1 authentication, preshared key | Yes |
IKEv2 with NAT-T and dynamic endpoint VPN | Yes |
IKEv2 | Yes |
Local IP address management - VPN XAuth support | Yes |
Local IP address management support for DVPN | No |
Manual installation of DER-encoded and PEM-encoded CRLs | Yes |
Manual key management | Yes |
Manual proxy-ID (Phase 2 ID) configuration | Yes |
Multiple traffic selectors on a route-based VPN | Yes |
NHTB - Next Hop Tunnel Binding | Yes |
New IPsec Phase 2 authentication algorithm | Yes |
Online CRL retrieval through LDAP and HTTP | Yes |
Package dynamic VPN client | No |
Policy-based VPN | Yes |
Preshared key (PSK) | Yes |
Prioritization of IKE packet processing | Yes |
Reconnect to dead IKE peer | Yes |
Remote access | Yes |
Remote access user IKE peer | Yes |
Remote access user-group IKE peer - group IKE ID | Yes |
Route-based VPN | Yes |
SHA-2 IPsec support | Yes |
Soft lifetime | Yes |
Static IP address | Yes |
Suites: standard, compatible, basic, and custom-created | Yes |
Support for NHTB when the st0.x interface is bound to a routing instance | Yes |
Support for remote access peers with shared IKE identity + mandatory XAuth | Yes |
Support group IKE IDs for dynamic VPN configuration | No |
TOS/DSCP honoring/coloring (inner/outer) | Yes |
Tunnel mode with clear/copy/set Don't Fragment bit | Yes |
UAC Layer 3 enforcement | Yes |
Virtual router support for route-based VPNs | Yes |
VPN monitoring (proprietary) | Yes |
X.509 encoding for IKE | Yes |
XAuth (draft-beaulieu-ike-xauth-03) | Yes |
IPv6 Support | |
Flow-based forwarding and security features | |
Advanced flow | Yes |
DS-Lite concentrator (aka AFTR) | No |
DS-Lite initiator (aka B4) | No |
Firewall filters | Yes |
Forwarding option: flow mode | Yes |
Multicast flow | Yes |
Screens | Yes |
Security policy (firewall) | Yes |
Security policy (IDP) | Yes |
Security policy (user role firewall) | No |
Zones | Yes |
IPv6 ALG support for FTP: Routing, NAT, NAT-PT support | Yes |
IPv6 ALG support for ICMP: Routing, NAT, NAT-PT support | Yes |
IPv6 NAT: NAT-PT, NAT support | Yes |
IPv6 NAT64 | Yes |
IPv6-related protocols: BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng | Yes |
IPv6 ALG support for TFTP | Yes |
System services: DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet, traceroute | Yes |
Packet-based forwarding and security features | |
Class of service | Yes |
Firewall filters | Yes |
Forwarding option: packet mode | Yes |
IPv6 IP Security | |
4in4 and 6in6 policy-based site-to-site VPN, AutoKey IKEv1 | Yes |
4in4 and 6in6 policy-based site-to-site VPN, manual key | Yes |
4in4 and 6in6 route-based site-to-site VPN, AutoKey IKEv1 | Yes |
4in4 and 6in6 route-based site-to-site VPN, manual key | Yes |
Log File Formats | |
System (control plane) log file formats | |
Binary format (binary) | No |
Structured syslog (sd-syslog) | Yes |
Syslog (syslog) | Yes |
WebTrends Enhanced Log Format (WELF) | No |
Security (data plane) log file formats | |
Binary format (binary) | Yes |
Structured syslog (sd-syslog) | Yes |
Syslog (syslog) | Yes |
WebTrends enhanced log format (WELF) | Yes |
MPLS | |
CCC and TCC | No |
CLNS | Yes |
Interprovider and carrier-of-carriers VPNs | Yes |
Layer 2 VPNs for Ethernet connections | Yes (Note: Promiscuous mode must be enabled on the hypervisor.) |
Layer 3 MPLS VPNs | Yes |
LDP | Yes |
MPLS VPNs with VRF tables on provider edge routers | Yes |
Multicast VPNs | Yes |
OSPF and IS-IS traffic engineering extensions | Yes |
P2MP LSPs | Yes |
RSVP | Yes |
Secondary and standby LSPs | Yes |
Standards-based fast reroute | Yes |
Multicast | |
Filtering PIM register messages | Yes |
IGMP | Yes |
PIM RPF routing table | Yes |
Primary routing mode (dense mode for LAN and sparse mode for WAN) | Yes |
Protocol Independent Multicast Static RP | Yes |
Session Announcement Protocol (SAP) | Yes |
SDP | Yes |
Multicast VPN | |
Basic multicast features in C-instance | Yes |
Multicast VPN membership discovery with BGP | Yes |
P2MP LSP support | Yes |
P2MP OAM - P2MP LSP ping | Yes |
Reliable multicast VPN routing information exchange | Yes |
Network Address Translation | |
Destination IP address translation | Yes |
Disabling source NAT port randomization | Yes |
Interface source NAT pool port | Yes |
NAT address pool utilization threshold status | Yes |
NAT traversal (NAT-T) for site-to-site IPsec VPNs (IPv4) | Yes |
Persistent NAT | Yes |
Persistent NAT binding for wildcard ports | Yes |
Persistent NAT hairpinning | Yes |
Maximize persistent NAT bindings | No |
Pool translation | Yes |
Proxy ARP (IPv4) | Yes |
Proxy NDP (IPv6) | Yes |
Removing persistent NAT query bindings | Yes |
Rule-based NAT | Yes |
Rule translation | Yes |
Source address and group address translation for multicast flows | Yes |
Source IP address translation | Yes |
Static NAT | Yes |
Network Operations and Troubleshooting | |
Event policies | Yes |
Event scripts | Yes |
Operation scripts | Yes |
XSLT commit scripts | Yes |
Network Time Protocol | |
NTP support | Yes |
Packet Capture | |
Packet capture (Note: Packet capture, in this context, refers to standard interface packet capture. It is not part of the IDP. Packet capture is supported only on physical interfaces and tunnel interfaces; for example, gr, ip, st0. Packet capture is not supported on redundant Ethernet interfaces (reth).) | Yes |
Real-Time Performance Monitoring Probe | |
RPM probe | Yes |
One-way timestamps | Yes |
Routing | |
BGP | Yes |
BGP extensions for IPv6 | Yes |
BGP Flowspec | No |
Compressed Real-Time Transport Protocol (CRTP) | No |
ECMP flow-based forwarding | No |
Internet Group Management Protocol (IGMP) | Yes |
IPv4 options and broadcast Internet datagrams | Yes |
IPv6 routing, forwarding, global address configuration, and Internet Control Message Protocol (ICMP) | Yes |
IS-IS | Yes |
Multiple virtual routers | Yes |
Neighbor Discovery Protocol (NDP) and Secure NDP | Yes |
OSPF v2 | Yes |
OSPF v3 | Yes |
RIP next generation (RIPng) | Yes |
RIP v1, v2 | Yes |
Static routing | Yes |
Virtual Router Redundancy Protocol (VRRP) | Yes |
Secure Web Access | |
CAs | Yes |
HTTP | Yes |
HTTPS | Yes |
Security Policy Support | |
Address books/address sets | Yes |
Custom policy applications | Yes |
Global policy | Yes |
Policy application timeouts | Yes |
Policy applications and application sets | Yes |
Policy hit-count tracking | Yes |
Schedulers | Yes |
Security policies for self-traffic | Yes |
SSL proxy | No |
User role firewall | No |
Common predefined applications | Yes |
Shadow policy | Yes |
Security Zone | |
Functional zone | Yes |
Security zone | Yes |
Session Logging | |
Accelerating security and traffic logging | Yes |
Aggressive session aging | Yes |
Getting information about sessions | Yes |
Logging to a single server | Yes |
Session logging with NAT information | Yes |
SMTP | |
SMTP support | Yes |
SNMP | |
SNMP support | Yes |
Stateless Firewall Filters | |
Stateless firewall filters (ACLs) | Yes |
Stateless firewall filters (simple filter) | No |
System Log Files | |
Archiving system logs | Yes |
Configuring system log messages | Yes |
Disabling system logs | Yes |
Filtering system log messages | Yes |
Multiple system log servers (control-plane logs) | Yes |
Sending system log messages to a file | Yes |
Sending system log messages to a user terminal | Yes |
Viewing data plane logs | Yes |
Viewing system log messages | Yes |
Upgrading and Rebooting | |
Autorecovery | No |
Boot device configuration | No (N.A.) |
Boot device recovery | No (N.A.) |
Chassis components control | Yes |
Chassis restart | Yes |
Download manager | Yes |
Dual-root partitioning | No |
In-band cluster upgrade | No |
Low-impact cluster upgrades | No |
Software upgrades and downgrades | Yes |
User Interfaces | |
CLI | Yes |
J-Web user interface | Yes |
Junos XML protocol | Yes |
Network and Security Manager | No |
Junos Space Security Director | Yes |
SRC application | No |
Junos Space Virtual Director | Yes |
VPLS | |
Filtering and Policing (Packet-Based) | Yes |
Authentication with IC Series Devices | |
Captive Portal | Yes |
Junos OS Layer 3 enforcement in UAC deployments | Yes |
Junos OS Layer 2 enforcement in UAC deployments (Note: UAC-IDP and UAC-UTM are also not supported.) | No |
Chassis Cluster Support on VMware | |
Active-active | Yes |
Active-passive | Yes |
Multicast flow | Yes |
ALGs | Yes |
Chassis cluster formation | Yes |
Control plane failover | Yes |
Dampening time between back-to-back redundancy group failover | Yes |
Data plane failover | Yes |
Dual control links | No |
Dual fabric links | Yes |
In-band cluster upgrade | No |
Junos OS flow-based routing functionality | Yes |
Layer 2 Ethernet switching capacity | No |
Layer 2 LAG | No |
Layer 3 LAG | No |
LACP support for Layer 2 | No |
LACP support for Layer 3 | No |
Low-impact cluster upgrade (ISSU Light) | No |
Low latency firewall | No |
Multicast routing | Yes |
PPPoE over redundant Ethernet interface | No |
Redundant Ethernet interfaces | Yes |
Redundant Ethernet interface LAGs | No |
Redundant Ethernet or aggregate Ethernet interface monitoring | Yes |
Redundancy group 0 (backup for Routing Engine) | Yes |
Redundancy group 1 through 128 | Yes |
Stateful failover - IPsec VPN (policy based) | Yes |
Stateful failover - IPsec VPN (route based) | Yes |
Upstream device IP address monitoring | Yes |
Upstream device IP address monitoring on a backup interface | Yes |
Chassis Management Support | |
Chassis management | Yes |
Intrusion Detection and Prevention (IDP) | |
Access Control on IDP audit log | Yes |
IDP alarms and auditing | Yes |
IDP application identification | No |
IDP application DDoS rule base | No |
Differentiated Services code point (DSCP) marking | No |
IDP cryptographic key handling | No |
IDP and UAC coordinated threat | Yes |
IDP class-of-service action | Yes |
IDP in an active/active chassis cluster | Yes |
IDP operational mode - inline tap | No |
IDP logging | Yes |
IDP monitoring and debugging | Yes |
IDP policy | Yes |
IDP security packet capture | Yes |
IDP signature database | Yes |
IDP SSL inspection | No |
IPS rule base | Yes |
Jumbo frames | Yes |
Nested application identification | No |
Performance and capacity tuning for IDP | No |
SNMP MIB for IDP monitoring | Yes |
Transparent Mode | |
Application DDoS (AppDDoS) | No |
Application firewall (AppFW) | No |
Application QoS (AppQoS) | No |
Application tracking (AppTrack) | No |
Bridge domain and transparent mode | Yes |
Chassis clusters (active/backup and active/active) | Yes |
Class of service | Yes |
IPv6 flows | Yes |
User role firewall | No |
Unified Threat Management (UTM) | Yes |
Public Key Infrastructure (PKI) | |
Certificate chaining (8-deep) | Yes |
Unified Threat Management (UTM) | |
AS | Yes |
AV full | Yes |
AV Sophos | Yes |
Content Filtering (CF) | Yes |
Web Filtering (WF) | Yes |
EWF | Yes |
WELF | Yes |
Chassis cluster | Yes |
Transparent Mode | No |
Express Antivirus (Express AV) | No |
AppSecure | No |
IPsec | Yes |
Table 2 lists additional features that are not supported on Firefly Perimeter.
Table 2: Firefly Perimeter Feature Support Information
Feature | Firefly |
---|---|
Application identification (Junos OS) | No |
General Packet Radio Service | No |
Logical systems | No |
Power over Ethernet | No |
Public key infrastructure | Yes |
Remote device access | No |
BGP Route Reflector | No |
Services offloading | No |
USB modem | No |
Wireless local area network | No |
Group VPN | No |
Multicast for AutoVPN | No |
Dynamic VPN (DVPN) | No |
Hardware acceleration | No |
Virtio vNIC | No |
In-service software upgrade | No |
Network Management and Analysis | |
Suite B implementation for IPsec VPN | No |