
Adding and Provisioning a Next Generation Firewall Overview

 

Overview

You can use Contrail Service Orchestration (CSO) to:

  • Add a firewall site for the next generation firewall device.

  • Configure a CPE device (SRX Series services gateway) as a next generation firewall device.

  • Add firewall policies for the standalone firewall site.

  • Deploy the firewall policies for the standalone firewall site.

Topology

The topology to add an on-premise spoke site with next generation firewall capabilities is shown in Figure 1.

Figure 1: On-premise spoke site with next generation firewall

The topology to add an on-premise spoke site with next generation firewall and LAN capabilities is shown in Figure 2.

Figure 2: On-premise spoke site with next generation firewall and LAN

Workflow

The following workflow describes the steps that are required to set up a firewall site and provision the firewall device associated with the site.

To set up a next generation firewall site and provision the firewall device:

  1. Add a standalone next generation firewall site. See Adding a Standalone Firewall Site.

    To add a site with next generation firewall and switch, see Adding an On-Premise Spoke Site with Next Generation Firewall and LAN Capabilities.

    Note

    Before proceeding to the next step, ensure that the ZTP process is complete and that the firewall device status is set to Provisioned.

  2. Configure the firewall device. See Configuring the Firewall Device.
  3. Add firewall policies for the site. See Adding a Firewall Policy.
  4. Add firewall policy intents for the firewall policies that you added. See Adding Firewall Policy Intents.
  5. Deploy firewall policies to the site. See Deploying Firewall Policies.