Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Your First Hybrid WAN (Distributed) Deployment


Install Junos Software onto NFX from USB Port

This section details how to install Junos OS software version 15.1X53-D496.0 onto an NFX250 from a USB drive. Doing this sets the device to the factory default state. We also perform some confirmation steps and obtain the device’s serial number. This procedure is for an NFX250 device.

Before You Begin

In order for this procedure to succeed, you must have the following

  • Physical access to the USB port of the NFX device

  • A USB drive of at least 4GB containing the Junos OS Software image, 15.1X53-D496.0, inserted into the USB port of the NFX

  • Access to the console port of the NFX device (This can be physical access or access over a terminal server)

  • A DHCP server that is reachable from the ge-0/0/11 interface of the NFX250. This DHCP server must be able to provide IP address, name server, and default gateway to the NFX upon request.

The following procedures contain comments that are added to clarify the steps that are discussed.

  1. Ensure that the USB drive containing the Junos OS software image is inserted in the USB port of the NFX device.

    This allows you to boot the NFX from the USB drive.

  2. Access the NFX console either directly or using a terminal server.

    You do not need to login; just ensure that you are actively connected.

  3. Power off the NFX device.
  4. Power on the NFX device.
  5. Immediately return to the session that you have open to the console port of the nfx1 device.

    From the console of the nfx1 device, press the ESC key every second until the following message appears: Esc is pressed. Go to boot options.


    If you do not see this message in the console and the NFX appears to be booting normally, you need to wait for the boot to complete and then go back to step 1.

  6. A menu appears after a brief time. Use the down arrow key to select Boot Manager, then press Enter.
  7. When the Boot Manager menu appears, press Enter to boot from the USB00 drive.
  8. When the GNU GRUB menu appears, use the up or down arrow keys to select Install Juniper Linux with secure boot support and then press Enter.

At this point, the NFX will install the software contained on the USB drive. Installation takes some time. You can keep your console connection active to watch the installation process.

The NFX is made up of multiple components that load and boot in a specific order. See NFX 250 Overview for details. The PFE of the NFX may take a few minutes to complete the boot and allow the jsxe0 interface to obtain its address from DHCP.

You can login to the console of the NFX as root and confirm that the jsxe0 interface has received its address using the following procedure:

  1. Press Enter to refresh the login prompt
  2. At the jdm login prompt, type root and press Enter.Note

    There is no password assigned to the root user at this point. For the purposes of this deployment exercise, do not set a root password at this time.

  3. At the root@jdm:~# prompt, type cli and press Enter.
  4. Type show interfaces jsxe0 and press Enter.

The jsxe0 interface has a number of logical interfaces used internally by the NFX for different purposes. You are looking for the jsxe0.0 logical interface. Confirm that the DHCP server has provided an address in the proper range before continuing.

At this point, you can confirm that the DNS name server and default gateway are working by issuing the ping command to some host on the Internet.

The last part of this procedure is to login to the Junos Control Plane (jcp) in order to obtain the device serial number which will be used later in the SD-WAN deployment.

The device serial number is listed on the Chassis line of the output. In this example, it is partly obscured for security purposes. Make note of the serial number for later use.

Modify Device Templates

From this point on in this deployment example, we assume that your CSO software is installed at and that you know the login credentials for the cspadmin user of the Administration Portal.

In this section, we modify an existing device template so that it works for this example.

  1. Open your web browser and in the URL field, enter
  2. Enter the login credentials for the Administration Portal.

    By default, the username is cspadmin and the password is randomly generated during installation. If this is the first time logging into the Administration Portal, you must set a new password for the cspadmin user.

  3. Navigate to Resources > Device Templates
  4. Find the device template named NFX250 as Managed Internet CPE.
  5. Select the check-box next to the template and then select Template Settings from the Edit Device Template pull-down menu.

    A new window titled Template Settings appears

  6. In the Template Settings window, ensure that the following things are set:

      By requiring an activation code, a CPE device will not be allowed to communicate with CSO until the tenant has activated a site using the activation code. The value of the activation code will be set later in the process.


      Stage 2 configurations are configurations that can be added to a device after the initial, stage 1, provisioning of the device. This setting prevents the automatic deployment of a stage 2 configuration.


      This setting ensures that the jmgmt0 interface is not enabled on the NFX device. Since this is a managed Internet service and the NFX device will be sitting on the customer’s premise, this might be a useful setting to prevent unwanted login by the tenant.

    • WAN_0ge-0/0/11

    Do not change any other settings.

  7. Select Save when finished.

Create and Configure a New Tenant

In this section we use the Administrator Portal to add a tenant to CSO.

  1. Select Tenants from the left-nav panel
  2. Click the Add Tenant button

    If there are no tenants created yet, Add Tenant will be a button. If there are tenants, click the “+” to create a new tenant.

  3. In the Add Tenant window that appears:
    • Enter a name for your tenant such as Tenant1

    • Fill in the Admin User information

    • Select the check-boxes next to all three Roles in the Available section and click the arrow link to move them to the Selected section

    • Set the User Password to never expire

      If needed, you can configure password expiry rules here.

    • Click Next

    • In the Deployment Type window, select the check-box next to Hybrid WAN Sites

    • Click Next

      The window advances to the Tenant Properties section. For this example, browse the Tenant properties but do not make any changes

    • Click Next

      The window advances to the Summary section. Review the summary.

    • Click OK

      A pop-up message appears that tells you that the Add Tenant job was started. After some time, your new tenant appears in the list of tenants.

Create and Configure a Site for the Tenant

In this section, we move to the Customer Portal for the newly configured tenant in order to create a site.

This procedure begins in the Tenants window of the Administration Portal, at the list of tenants.

  1. Click on the name of the tenant that you just created

    This will take you to the Customer Portal for that tenant. The Dashboard is displayed

  2. Select Sites link from the left-nav bar
  3. In the Sites window that appears, click the Add Spoke Site - Hybrid

    A new window titled Add Site for <Tenant> appears.

  4. Fill out the information in the Site Information section.

    The only required information in this window is the site name. Enter a site name that makes sense, like: site1

    If you fill in the address information, CSO will use it to display the site on maps in some of the monitoring windows.

  5. Click Next

    This brings up the Connectivity Requirements section.

  6. Under Connection Plan, click the left (<) or right (>) arrow until you see the NFX250 as MAnaged Internet CPE box. Click on that box.

    This activates the Connectivity Requirements for the Selected Plan section.


    You cannot modify any settings for the WAN_0 interface because there are strict requirements for this device template that the WAN_0 must be an Internet-facing interface.

  7. Click Next when finished

    The window advances to the Summary

  8. Review the Summary section
  9. Click OK when you’re finished reviewing

    You will see pop-up messages appear for site-creation job start and site-creation job finished.

  10. Click the check-box next to the site you just created
  11. Click the Configure Site button

    This brings up a new window titled Configure Site <site-name>.

  12. In the Configuration Section, click the Advanced Config tab.

    On this tab, fill in the following information:

    • Name Server IP List: <Click the pull-down menu, if no results are found, enter the IP address of a DNS name server>.

      This is a required field.


      You must press enter when you have completed the IP address entry. If you don’t the entry will be lost.

    • Ntp server IP LIst: <This is an optional field. However, it is a good idea to enable NTP whenever possible. Enter the IP address of an NTP server.>

    • Select timezone: <This is an optional field. However, it is a good idea to set this to the appropriate time zone. Select the appropriate time zone for this site.>

  13. Click the Devices tab

    On this tab, fill in the following information:

    • Serial Number: <Enter the serial number of your NFX250 device>

      This is a required field.

    • Activation Code:

We create the spoke site first so that we can establish the departments (security zones) that will be used by the tenant. We cannot create a hub site until this is determined. If you attempt to create a hub site before creating a spoke site, CSO displays an error.

One of the steps in configuring the spoke site is to associate it with a hub. Therefore, we cannot configure the site until after the hub has been created.