
Administration Portal FAQ


This topic presents frequently asked questions and answers about Administration Portal.

What is the difference between hybrid WAN deployment and SD-WAN deployment?

In a hybrid WAN environment, the CPE device provides connectivity between multiple sites of the same tenant. Each site can have up to two WAN links, of which one is an MPLS link while the other can be an Internet link. By default, the site traffic goes through the MPLS link. If the MPLS connection fails, the site traffic goes through an IPsec tunnel created over an Internet link. In an SD-WAN deployment, the CPE device provides software-defined WAN connectivity services for each site of the tenant. Each site can have up to four WAN links and supports both MPLS and Internet links. A tenant can create intent-based policies to define SLA requirements for various applications; these policies help the tenant manage the use of WAN links by each application.

How do you configure an SD-WAN deployment?

The workflow to configure an SD-WAN deployment is as follows:

  1. Create a traffic type profile.
  2. Create an SLA profile and associate it with the traffic type profile.
  3. Create an SD-WAN policy and associate it with the SLA profile.
  4. Deploy the SD-WAN policy.

What is the difference between a centralized deployment and a distributed deployment in the Cloud CPE Solution?

In a centralized deployment, virtualized network functions (VNFs) reside in a cloud in a network point of presence (POP). In a distributed deployment, VNFs reside on a CPE device located at a customer’s site.

Can I configure a hybrid model that combines a centralized deployment and a distributed deployment?

You can use one Contrail Service Orchestration (CSO) installation to manage both a centralized deployment and a distributed deployment. You must configure the centralized deployment and the distributed deployment separately, although you can use the same tenants in both deployments. You must create separate POPs and network services for the centralized deployment and for the distributed deployment.

Does changing the password in Administration Portal change the passwords for other CSO GUIs?

Changing the password in Administration Portal changes the OpenStack Keystone password, and consequently changes the password for Network Service Designer.

Are passwords that I configure for tenant users stored in the database?

If the authentication method for tenants is local, the passwords are stored in the local Keystone database. If the authentication is done by using an SSO server, the passwords are not stored locally.

I forgot my password and I am unable to log in. What should I do?

You can reset your password from the login page. Access the login page and enter your username in the first field (Username). Click the Forgot Password? link and follow the instructions to reset your password.

What is the default password for Contrail Service Orchestration (CSO) Release 3.3?

The default password is encrypted and collected from the CSO installer.

How do I get started with configuring the Cloud CPE Solution?

You can view the Getting Started Guide by clicking the help icon (?) in the top right of an Administration Portal page. The guide explains how to configure a centralized deployment and how to configure a distributed deployment.

How do I know whether Administration Portal has created an object successfully?

When you finish creating an object, a message detailing the status of the object creation appears at the top of the page. The object then appears in the table on the page for that type of object.

How can I view information about or perform actions on a specific object, such as a specific POP or tenant?

The Administration Portal menu bar is displayed on the left side of every page and has the following entries at the first level:

  • Dashboard

  • Monitor

  • Resources

  • Configuration

  • Tenants

  • Administration

Depending on the object, select the first-level menu item and, if applicable, select the second-level menu item to access the page for that object. For example, you can access tenants by selecting Tenants (first level), and access POPs by selecting Resources and then POPs (second level). You can then select objects and perform various actions related to those objects.

In addition, on the Jobs page (Monitor > Jobs), you can view information about the different jobs that are triggered.

Why am I unable to view certain objects and actions that I was able to in previous releases?

In CSO Release 3.1, objects and actions that can be performed on those objects have been segregated based on whether they are applicable to all tenants (All Tenants scope) or are applicable to a single tenant (single tenant scope). The scope switcher, which is a dropdown list on the banner, lets you select the scope in which you want to work. An MSP Administrator user can see tenant-specific objects and perform the tasks that a Tenant Administrator user can by switching the scope to a single tenant.

Can I create multiple objects simultaneously?

You can import a JSON file of data for multiple POPs, multiple tenants, or multiple CPE devices. You can also create a single object by clicking the add (+) icon on the main page for that object.

Can I activate CPE devices from Administration Portal?

Yes, you can activate CPE devices from the Administration Portal. The activation process is the same for both NFX and SRX devices.

  • For SRX Services Gateways and vSRX on an x86 server, the end user at the tenant’s site configures and activates the device through its console and Customer Portal. You do not need to add any data through Administration Portal.

  • For NFX250 devices, you must configure data about NFX250 devices in Administration Portal. You must also send the activation code to the customer, who must provide this information when installing the NFX250. The central CSO server transmits this data to the regional server for the deployment. Actual activation of the device occurs when the person installing the NFX250 powers on the device, which then communicates with the Redirect Service. After authenticating the device, the Redirect Service sends details about the regional server to the NFX250 and the NFX250 obtains a boot image and configuration image from the regional server.

What type of sites can I configure for a customer?

You configure Cloud sites for a centralized deployment and On-Premise sites for a distributed deployment.

  • Three types of cloud sites can be added:

    • Cloud hub site

    • Regional service edge—You create a regional service edge site if one or more of the customer’s sites in a centralized deployment access the Internet through the VPN. You create this site when you have to assign common services, such as NAT or UTM, to multiple sites. The traffic from the customer site is serviced and forwarded to the common service and then to the Internet.

    • Local service edge—You create a local service edge site when the site is directly connected to the Internet or when you access the Internet through a corporate VPN.

  • Two types of on-premise sites can be added:

    • On-premise spoke

    • On-premise hub

Where can I configure sites for a customer?

To configure sites, you must switch the scope from the All Tenants scope to a single tenant, and then access the Sites page (Sites > Site Management).

Can I configure a dedicated OpenStack Keystone for CSO through Administration Portal?

By default, a centralized deployment uses the Contrail OpenStack Keystone to authenticate CSO operations and a distributed deployment uses a dedicated OpenStack Keystone on the central CSO server. You can also configure a dedicated OpenStack Keystone for a centralized deployment. To do so, you configure each VIM to include service profiles that specify settings to access the infrastructure components. You then associate the service profile and VIM with each tenant.

Where can I upload licenses for CPE devices?

From CSO Release 3.1R1 onward, you can upload licenses from the Licenses page (Administration > Licenses). In CSO Release 3.0 and earlier, the Licenses page was accessible by selecting Resources > Software Images > License. After uploading the license, you must install the license by using REST APIs.

From CSO Release 3.1R1 onward, you can also upload and install vSRX and SRX Series licenses for VNFs and CPE devices through the license tool. For more information, see the Installing Licenses with the License Tool section in the Deployment Guide.

From CSO Release 3.3 R1 onward, you can push licenses to CPE devices from the Licenses page (Administration > Licenses).

When you deploy a network service on a site, what is the difference between the Save and Deploy buttons?

When you drag and drop a service onto an attachment point, you can specify configuration parameters for the service. After specifying the parameters, click Save to save the configuration without deploying it; you can then deploy the configuration later. Click Deploy to save and deploy the configuration.

I am unable to see cloud or data center sites any more. Are they no longer supported?

From Contrail Service Orchestration Release 3.3 onward, cloud sites have been renamed as local service edge and regional service edge sites.

What is a cloud hub?

A cloud hub is the tenant's view of the shared hub, which references the managed services provider (MSP) device. This enables MSPs to restrict access to the device.

The MSP Administrator can provision and allocate resources for a specific tenant within a tenant-specific cloud hub. In addition, the MSP Administrator can view the resources allocated for the tenants within the tenant's cloud hub.

How can I modify device templates?

From Contrail Service Orchestration Release 3.0 onward, you can modify device templates on the Device Templates page (Resources > Device Templates) in Administration Portal. In releases before Release 3.0, you must use the REST API.

What is the difference between stage-1 and stage-2 configuration?

The initial configuration that allows basic connectivity to a device, which is pushed to the device when it calls home, is called stage-1 configuration. The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration. The templates for stage-2 configuration must be designed by the MSP Administrator user but the configuration can be pushed to the device by the Tenant Administrator user.

Is it mandatory to specify an activation code in Administration Portal that customers must enter in Customer Portal when they activate their CPE devices?

No; specifying an activation code for CPE devices is optional. If you do not want to specify an activation code, on the Template Settings page (Resources > Device Template > Device-Template-Name > Edit Device Template > Template Settings), disable the ACTIVATION_CODE_ENABLED field and save the changes.

What is the expected switchover time for traffic that breaches the SLA in an SD-WAN implementation?

Average link metrics are analyzed every minute, and if the traffic violates the SLA three times, the link is switched. In networks with AppQoE (real-time optimized SD-WAN mode) enabled, the switchover time is much faster and the link is switched within a few seconds.

What is a department?

A department is a grouping of LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department.

How do I log into Network Service Designer?

Using a Web browser, access the URL for the Network Services Designer. For example, if the IP address of the host on which the Network Service Designer resides is, then the URL would be

What are application traffic type profiles?

Traffic type profiles enable you to configure class-of-service parameters for various types of traffic based on your specific business requirements. Traffic type profiles enable you to assign priority and service level criteria for traffic types.

How do I monitor the progress of a device activation during stage-1 configuration?

You can view the bootstrap logs to monitor the progress of device activation during stage-1 configuration. From CSO Release 4.0.0 onward, the bootstrap (stage-1 configuration and device availability) logs are included in Zero Touch Provisioning (ZTP) job logs.

Can I assign a cloud hub to a tenant site in a full-mesh topology?

Yes, you can assign a cloud hub to a tenant site in a full-mesh topology, both for centralized Internet breakout and as a backup option for site-to-site communication in case the site-to-site overlay tunnel fails.

A cloud hub is mandatory in a full-mesh topology for use as an OAM hub.

What is the significance of the loopback IP address of the CPE device in a secure OAM connection?

The loopback IP address is always reachable over the IPsec tunnel and does not change. Even if the WAN interfaces are behind NAT and are assigned private IP addresses (using DHCP), this does not affect the OAM connectivity between the SD-WAN site and the hub.

What are the prerequisites for a service provider (SP) administrator to view the OpCo or OpCo tenant in global or tenant switcher view?

By default, an SP administrator does not have access to OpCo. The OpCo administrator must explicitly add the SP administrator user name in the OpCo.

Can I configure the APN setting while onboarding the CPE device?

No, you cannot configure the APN setting while onboarding the CPE device. After successful device activation, you can configure the APN setting through the stage-2 configuration template.

How do I activate SRX4100 and SRX4200 CPE devices?

Because the phone-home client (PHC) is not present on SRX4100 and SRX4200 CPE devices, you must manually activate the device by copying the stage-1 configuration from CSO and pasting it into the console of the SRX4100 or SRX4200 CPE device.

What topologies are supported in real-time optimized and bandwidth-optimized modes?

If you select the real-time optimized option, all sites in the tenant are connected in full-mesh or hub-and-spoke topology. If you select the bandwidth-optimized option, all sites in the tenant are connected only in hub-and-spoke topology.