Adding and Provisioning a Next Generation Firewall Overview
You can use Contrail Service Orchestration (CSO) to:
- Add a firewall site for the next generation firewall device.
- Configure a CPE device (SRX Series services gateway) as a next generation firewall device.
- Add firewall policies for the standalone firewall site.
- Deploy the firewall policies for the standalone firewall site.
The topology to add an on-premise spoke site with next generation firewall capabilities is shown in Figure 1.
The topology to add an on-premise spoke site with next generation firewall and LAN capabilities is shown in Figure 2.
The following workflow describes the steps that are required to set up a firewall site and provision the firewall device associated with the site.
To set up a next generation firewall site and provision the firewall device:
- Add a standalone next generation firewall site. See Adding a Standalone Firewall Site.
  To add a site with a next generation firewall and a switch, see Adding an On-Premise Spoke Site with Next Generation Firewall and LAN Capabilities.
  Before proceeding to the next step, ensure that the ZTP process is complete and that the firewall device status is set to Provisioned.
- Configure the firewall device. See Configuring the Firewall Device.
- Add firewall policies for the site. See Adding a Firewall Policy.
- Add firewall policy intents for the firewall policies that you added. See Adding Firewall Policy Intents.
- Deploy firewall policies to the site. See Deploying Firewall Policies.