Use Case for Setting Up and Provisioning a Firewall Site and Adding a Switch Behind the Firewall


This topic provides a high-level overview and step-by-step instructions for setting up a standalone firewall site and configuring a switch behind the firewall.


This section provides an overview of how the various building blocks act together to provide a comprehensive solution for the use case.

Figure 1 shows the use case topology for setting up a standalone firewall site and configuring a switch behind the firewall.

Figure 1: Use case for Configuring a Switch behind a Firewall

The details about the various building blocks are listed below:

  • AWS—Contrail Service Orchestration (CSO) provides on-demand services in the Amazon Web Services (AWS) cloud that is hosted by Juniper Networks. Services range from Infrastructure as a Service (IaaS) and Software as a Service (SaaS), to Application and Database as a Service. AWS is a highly flexible, scalable, and reliable cloud platform. In AWS, you can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service.

    CSO uses the OAM hubs (cloud hubs) as SD-WAN hubs to set up tunnels and provision site-to-site or site-to-hub traffic. You can add an MX Series router, an SRX Series services gateway, or a vSRX instance as a provider hub (SD-WAN) device in a hub-and-spoke topology and full mesh topology.

  • Juniper Redirect Server—The redirect server plays an important role in the initial setup of on-premise devices. It is hosted by Juniper Networks. One of the key features of the CSO solution is the ability to “plug-and-play” new on-premise devices using ZTP. The on-premise devices (in this case, the firewall and the switch) must be able to establish communication with CSO. This is done using the Redirect Server or a phone-home client (PHC). If the Juniper Networks Redirect Tool is used, you must specify the following in the Redirect Tool GUI: the CSO activation server IP address (regional microservices virtual machine IP address for large deployments; central microservices virtual machine IP address for small and medium deployments), the activation server certificate, and the CPE serial numbers. For more information, see Using Redirect Tool for Zero touch Provisioning.

  • Next Generation Firewall—A security device that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. The next generation firewall device includes standard features of core security, including core firewall, IPsec VPN, NAT, CoS, and routing services, as well as advanced Layer 4 through 7 security services such as AppSecure features of AppID, AppFW, AppQoS, and AppTrack, IPS, UTM, and rich routing capabilities.

    You can add an SRX Series services gateway or an NFX Series device as a next generation firewall device.

  • Switching Device—The EX Series devices are added as Layer 2 switches to deliver switching services. Contrail Service Orchestration (CSO) supports provisioning, configuring, and monitoring switching devices either behind a Juniper CPE device, or as a stand-alone switch that is connected to a third-party device. For more information, see Adding and Provisioning Switches Overview.


To set up a standalone next generation firewall site, provision the firewall, and add a switch behind the firewall:

  1. Add a standalone next generation firewall site. See Adding a Standalone Firewall Site.
  2. Configure the firewall device. See Configuring the Firewall Device.
  3. Prepare the endpoints that you want to use in the firewall policy. See Selecting Firewall Source and Selecting Firewall Destination.
  4. Create firewall policies for the site. See Creating a Firewall Policy.
  5. Create firewall policy intents. See Creating Firewall Policy Intents.
  6. Deploy firewall policy intents. See Deploying Firewall Policy Intents.
  7. Deploy firewall policies to the site. See Deploying Firewall Policies.
  8. Add a switch behind the firewall. See Adding a Switch to an Existing Site.
  9. (Optional) Activate the switch. Execute this step only if you disabled the Auto-activate Switch button in step 8. See Manually Activating a Switch.
  10. Monitor the jobs. See About the Jobs Page.
  11. Monitor security alarms and events. See About the Generated Alerts Page, About the Alert Definitions Page, and About the Alarms Page.