Help Center User GuideGetting StartedFAQ
User Guide
Getting Started

Workflow for Onboarding a Device Using ZTP

Zero Touch Provisioning (ZTP) enables you to configure and provision devices automatically, minimizing the manual intervention required for adding devices to a network.


This topic provides a sequential list of tasks that you need to perform for successfully onboarding a device to the network using ZTP:

  1. From Customer Portal, add an on-premise site (SD-WAN deployment or a Hybrid WAN deployment) or a gateway site, and associate a device with the site . Choose the appropriate device template, WAN links, and so on.

    For more information, see Adding On-Premise Spoke Sites for SD-WAN Deployment and Adding Spoke Sites for Hybrid WAN Deployment.

    After you add a site, the site status is set to Created.

  2. Configure the site that you created in the previous step.

    After you configure the site:

    • CSO prepares the stage-1 configuration.

    • The status of the device changes to Detected, which indicates the device is ready for activation.

    For more information, see Configuring a Single Site.

  3. For CSO to establish a communication with the device, you must configure the Redirect Server or a phone-home client (PHC):
    • If you use the Juniper Networks Redirect Server, see Using the Redirect Server for Zero Touch Provisioning.

    • If you use a phone-home client:


      1. Contact your SP administrator or OpCo administrator for the phone-home server URL and the certificate.
      2. Log in to the CLI of the device and enter the configuration mode.
      3. Configure the phone-home server and commit.

      CSO will be able to establish a communication with the device.

    If you are using GUI installer with a custom-generated certificate to install CSO, the fully qualified domain name (FQDN) hostname for the central or regional microservice might be different.

  4. Activate the device:
    • To activate NFX250 and NFX150 Series, and SRX300, SRX320, SRX340, SRX345, SRX1500, and SRX550 High Memory (SRX550M) devices:


      1. Select Sites > Site Management.

        The Sites page appears.

      2. Hover over the device icon on the Site page. Proceed to c if you see the message Device Status: Expected, which indicates that the device is ready to be activated.

        If you see the message Device Status: Undefined, contact Juniper Networks for assistance. If the device icon is gray, the device is inactive.

      3. On the Device Status column, click Activate Device.

        The Activate Device page appears. The Activate Device page consists of Device Information and Device Activation pages.

      4. On Device Information page, specify the activation code.
      5. Click Next.

        On the Device Activation page, the device is activated through the following steps:

        • Detecting the device

        • Applying stage-1 configuration to the device

        • Bootstrap process of device

        • Activating the device

        After each step is successful a green check mark appears. If any of these steps fails, a red exclamation mark appears.

      6. Click OK.

      The device is activated.

    • To activate a vSRX or SRX4X00 Services Gateway devices:

      1. Select Sites > Site Management.

        The Sites page appears.

      2. Click the site that you want to activate.

        The Site-Name page appears.

      3. On the Devices tab, select the device that you want to activate and click Stage1 Config.

        A new page appears displaying the stage-1 configuration of the device.

      4. Click Copy to Clipboard to copy the stage-1 configuration of the device.

      5. Log in to the CLI of the device and enter the configuration mode.

      6. Paste the stage-1 configuration and commit.


    The Phone-Home client or the Redirect Server that you have configured authenticates the device and establishes a communication between the device and CSO.

    After the device activation is complete, CSO applies the stage-1 configuration. The status of the device is changed from Expected to Active, which indicates the device is authenticated but not yet operational.

  5. After authenticating the device, CSO automatically triggers a job to push the provisioning and stage-2 (optional) configurations.

    You can use the Activation Logs page (Resources > Tenant Devices > More > Activation Logs) to view bootstrap logs (stage-1 configuration and device activation) and ZTP logs (provisioning and stage-2 configurations), and their status.

    After the job is completed successfully:

    • The provisioning configuration and stage-2 configuration (optional) are applied.

    • The device state changes from Active to Provisioned, which indicates that the device is functional.

    Note To prevent ZTP from timing out on low-bandwidth connections such as satellite links, manually stage the image to a device before deploying the image. You can use the Stage button in the Images page of the Administration Portal to manually stage the image to a device. For more information about staging an image to a device, see Staging an Image.

The newly-added device is provisioned and is onboarded to the network. You can apply SD-WAN and security policies, if applicable.

Related Documentation

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      

Additional Comments

800 characters remaining

May we contact you if necessary?


Need product assistance? Contact Juniper Support