You can add an on-premise spoke site with both firewall and LAN capabilities.
To add a site with both next generation firewall and LAN capabilities at the same time:
The Sites page appears.
The Add On-Premise Spoke Site for Tenant-Name page appears.
Note: Fields marked with an asterisk (*) are mandatory.
A summary page is displayed.
The site activation job is initiated and the Site Activation: Site-Name page appears displaying the progress of the steps executed for activating the firewall device and the switch (when LAN capability is selected). The firewall device is activated first and then the process to activate the switch is initiated.
To activate the switch, you must manually configure the stage-1 configuration on the switch.
The Stage-1 Configuration page appears displaying the stage-1 configuration.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO. CSO then executes the bootstrap and provisioning processes on the switch and completes provisioning the switch.
Note: You can also add a site with LAN and next generation firewall capabilities by using the site templates. For more information, see Adding On-Premise Spoke Sites by Using a Site Template.
Table 77: Fields on the Add On-Premise Spoke Site for Tenant-Name Page (Firewall and LAN)
Field | Description |
---|---|
General | |
Site Information | |
Site Name | Enter a unique name for the firewall site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Group | Select a site group to which you want to assign the site. |
Site Capabilities | |
WAN Capabilities | Select the WAN capabilities as Next Gen Firewall for the site. |
LAN Capabilities | Select the LAN capability as LAN for the site. |
Address and Contact Information | |
Street Address | Enter the street address of the site. |
City | Enter the name of the city where the site is located. |
State/Province | Select the state or province where the site is located. |
ZIP/Postal Code | Enter the postal code for the site. |
Country | Select the country where the site is located. You can click the Validate button to verify the address that you specified: |
Contact Name | Enter the name of the contact person for the site. |
E-mail Address | Enter the e-mail address of the contact person for the site. |
Phone | Enter the phone number of the contact person for the site. Click Next to continue. |
Advanced Configuration | |
Name Server IP List | Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses. |
NTP Server | Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net The site must have DNS reachability to resolve the FQDN during site configuration. |
Select Timezone | Select the time zone for the site. |
WAN | |
Device Information | |
Serial Number | Enter the serial number of the firewall device. Note that the serial numbers are case-sensitive. |
Auto Activate | Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default. |
Activation Code | If the Auto Activate feature is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site. |
Zero Touch Provisioning | Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default. If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image. If ZTP is disabled, you must manually copy the Stage-1 configuration onto the firewall device by using the CLI. |
Boot Image | When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports the Phone-Home client. The boot image is the device image that was previously uploaded to the image management system. The boot image is used to upgrade the device when CSO starts the ZTP process. If the boot image is not provided, the device skips the automatic upgrade procedure. The boot image list is populated based on the device template that you selected while creating the site. By default, the Use Image on Device option is selected. |
In-band Management Port | Select the port that you want to configure as management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces. This field is applicable only when a switch is behind a CPE (SD-WAN or a next generation firewall device). |
Firewall Policies | Select the firewall policy that you want to deploy to the standalone firewall site. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page. Default: Factory_Default_Fw_Policy |
NAT Policies | Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page. Default: Factory_Default_NAT_Policy |
LAN | |
Device Profile | |
Device Name | Enter a name for the switch. You can use alphanumeric characters and hyphen (-). The maximum length allowed is 15 characters. |
Device Type | Select the type of switch: EX2300, EX3400, or EX4300. |
Device Model | Select the device model for the switch that you specified in the Device Type field. The models vary in the number and type of ports the switch contains. For example, if you selected EX3400, select a model such as EX3400-24P, EX3400-48P, or EX3400-24T, among others. |
CPE Settings | |
Trunk Ports | Select at least two trunk ports on the CPE device to connect with the switch. The trunk ports are used for the following: |
Switch Management Subnet | Specify the subnet that the DHCP server can use to assign IP addresses. The DHCP server runs on the following ports: Example: 192.0.2.0/24 |
Switch Details | |
Serial Number | Specify the serial number of the switch. The serial number is a 12-digit number present on the rear panel of the switch. |
Auto Activate | Click the toggle button to enable or disable automatic activation of the switch. When you enable this field, zero-touch provisioning of the switch is automatically triggered when the device communicates with CSO. Note: You must physically connect the switch to the CPE device (firewall) and power it on for the switch to be automatically activated when you enable this option. |
Activation Code | When the Auto Activate field is disabled, enter the activation code to be used for manually activating the switch. For information, see Manually Activating a Switch. |
Zero Touch Provisioning | ZTP must be disabled for all EX Series switches for the CSO 5.0.0 release. The Stage-1 configuration must be copied and pasted onto the CLI of the switch during site activation. See Step-by-Step Procedure for details. |
LAN Segment | Displays the LAN segments configured on the switch. To add a LAN segment, click the + icon in the top right corner of the LAN table. The Add LAN Segment page appears. Specify values for the LAN segment based on the guidelines provided in Table 78. Fields marked * are mandatory. Note: The same LAN segment is created on the CPE device (firewall) if the switch is connected to a CPE device (firewall) that is managed by CSO. |
Table 78: Fields on the Add LAN Segment Page when Adding a Switch along with CPE
Field | Description |
---|---|
Add LAN Segment | |
Name | Enter a name for the LAN segment. The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters. |
VLAN ID | Enter the VLAN ID for the LAN segment. Range: 2 through 4093 |
Gateway Address/Mask | Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24. |
DHCP | For directly connected LAN segments, click the toggle button to enable DHCP. DHCP is disabled by default. Enable DHCP if you want to assign IP addresses by using a DHCP server. Disable DHCP if you want to assign a static IP address to the LAN segment. Note: If you enable DHCP, the DHCP-related fields appear and must be configured. |
[DHCP-Related Fields] | |
Address Range Low | Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment. |
Address Range High | Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to the LAN segment. |
Maximum Lease Time | Specify the maximum duration (in seconds) for which a client can request and hold a lease from the DHCP server. Range: 0 through 4,294,967,295. |
Name Server | Specify or select one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses. |
Switch Ports | Select ports on the switch to be part of the LAN segment. Select the ports from the Available column and click the right-arrow to move the ports to the Selected column. If you create a LAN segment on a switch when the switch is connected to the CPE device (firewall), CSO automatically assigns LAN ports on the CPE device (firewall) and creates the same LAN segment on the CPE device (firewall). |
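The field rules in Table 78 are easy to get wrong when LAN segments are prepared outside the UI (for example, in a bulk import). The following validator is an added example, not CSO's own code; it encodes the name, VLAN ID, gateway, lease-time and DHCP range constraints from the table. Two checks are assumptions that the table does not state explicitly: the DHCP range must lie inside the gateway's subnet, and it must not contain the gateway address itself.

```python
import ipaddress
import re

# Constraints from Table 78; this validator is a constructed example, not CSO code.
LAN_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,15}$")  # alphanumeric, '.', '-', no spaces
VLAN_MIN, VLAN_MAX = 2, 4093
LEASE_MAX = 4_294_967_295  # seconds


def validate_lan_segment(seg):
    """Return a list of validation errors for one LAN segment; empty means valid."""
    errors = []
    if not LAN_NAME_RE.match(seg.get("name", "")):
        errors.append("name: alphanumeric plus '.' and '-', 1-15 chars, no spaces")
    vlan = seg.get("vlan_id")
    if not isinstance(vlan, int) or not VLAN_MIN <= vlan <= VLAN_MAX:
        errors.append(f"vlan_id: must be {VLAN_MIN} through {VLAN_MAX}")
    try:  # gateway is given as address/mask, e.g. 192.0.2.8/24
        gw = ipaddress.IPv4Interface(seg.get("gateway", ""))
    except ValueError:
        errors.append("gateway: must be an IPv4 address with mask, e.g. 192.0.2.8/24")
        return errors  # the DHCP checks below need a valid gateway subnet
    if not seg.get("dhcp", False):
        return errors  # static addressing: no DHCP-related fields to check
    try:
        low = ipaddress.IPv4Address(seg.get("range_low", ""))
        high = ipaddress.IPv4Address(seg.get("range_high", ""))
    except ValueError:
        errors.append("range_low/range_high: must be IPv4 addresses")
        return errors
    if low not in gw.network or high not in gw.network:
        errors.append(f"dhcp range: must lie inside {gw.network}")  # assumed rule
    if low > high:
        errors.append("dhcp range: range_low must not exceed range_high")
    if low <= gw.ip <= high:  # assumed sanity rule: never lease the gateway's own address
        errors.append("dhcp range: must not include the gateway address")
    lease = seg.get("max_lease")
    if not isinstance(lease, int) or not 0 <= lease <= LEASE_MAX:
        errors.append(f"max_lease: must be 0 through {LEASE_MAX} seconds")
    return errors


# Constructed sample segment using RFC 5737 documentation addresses.
VALID_SEGMENT = {
    "name": "lan-seg.1", "vlan_id": 100, "gateway": "192.0.2.8/24", "dhcp": True,
    "range_low": "192.0.2.100", "range_high": "192.0.2.200", "max_lease": 86400,
}
```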