
Importing Policies Overview

CSO supports importing policy configurations from next-generation firewall devices. You can discover the existing policy configuration while onboarding a next-generation firewall device (without enabling ZTP), or import policy configurations from the Firewall and NAT policy pages (after ZTP). For an overview of ZTP on SRX Series devices and how to configure it, see Zero Touch Provisioning on SRX Series Devices.

CSO uses the object name as the unique identifier for an object (such as addresses, services, schedulers, SSL profiles, unified threat management (UTM), and Layer 7 applications). During policy import, all objects that CSO supports are imported, and all object names are compared between CSO and the next-generation firewall device. A conflict occurs when the name of the object to be imported matches an existing object, but the value of the object does not match. The object conflict resolution (OCR) operation is triggered to resolve the object name conflicts.

The following section provides an example of importing policies. It uses Address as the object type and shows how to resolve the object name conflicts.

The existing objects in CSO are listed in Table 186.

Table 186: Existing address in CSO

| Object Name | Existing Value |
|---|---|
| Address1 | 198.51.100.10 |
| Address2 | 198.51.100.20 |
| Address3 | 198.51.100.30 |

The existing objects in the next-generation firewall device are listed in Table 187.

Table 187: Existing address in next-generation firewall device

| Object Name | Existing Value |
|---|---|
| Address1 | 203.0.113.10/32 |
| Address2 | 203.0.113.20/32 |
| Address3 | 203.0.113.30/32 |

During policy import, OCR is triggered to resolve the object conflicts between the next-generation firewall device and CSO. The resolution that we have chosen for each conflict is listed in Table 188.

Table 188: OCR while importing policies to CSO

| Object Name in CSO | Object Type in CSO | Existing Value in CSO | Imported Value to CSO | Conflict Resolution | New Object Name in CSO |
|---|---|---|---|---|---|
| Address1 | Address | 198.51.100.10 | 203.0.113.10 | Keep Existing Object | Address1_1 |
| Address2 | Address | 198.51.100.20 | 203.0.113.20 | Overwrite with Imported value | Address2_1 |
| Address3 | Address | 198.51.100.30 | 203.0.113.30 | Rename Object | Address3_1 |

The object values and the result after resolving conflicts are listed in Table 189.

Table 189: After importing policies to CSO

| Discovered Object Name in CSO | Discovered Value in CSO | Result |
|---|---|---|
| Address1 | 198.51.100.10 | No change |
| Address2 | 203.0.113.20 | Content changed |
| Address3 | 198.51.100.30 | No change |
| Address3_1 | 203.0.113.30 | Address3_1 created |
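The following added example (not CSO code) models the three resolutions from Table 188 and reproduces the outcome in Table 189, so the effect of an import can be reviewed before objects referenced by existing policies change. The function names `canon`, `find_conflicts` and `resolve` are hypothetical; treating `203.0.113.10` and `203.0.113.10/32` as the same value and incrementing the rename suffix when a name is already taken are assumptions.

```python
import ipaddress

# Constructed sample data mirroring Tables 186-188 (not read from CSO or a device).
CSO = {"Address1": "198.51.100.10", "Address2": "198.51.100.20", "Address3": "198.51.100.30"}
DEVICE = {"Address1": "203.0.113.10/32", "Address2": "203.0.113.20/32", "Address3": "203.0.113.30/32"}
CHOICES = {"Address1": "keep", "Address2": "overwrite", "Address3": "rename"}


def canon(value):
    """Normalize an address so 203.0.113.10 and 203.0.113.10/32 compare equal (assumption)."""
    net = ipaddress.ip_network(value, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def find_conflicts(existing, imported):
    """Names present on both sides whose values differ: the cases that trigger OCR."""
    return sorted(n for n in imported
                  if n in existing and canon(existing[n]) != canon(imported[n]))


def resolve(existing, imported, choices):
    """Return (objects after import, per-object result) for the chosen resolutions."""
    objects, results = dict(existing), {}
    conflicts = set(find_conflicts(existing, imported))
    for name, value in imported.items():
        value = canon(value)
        if name not in existing:
            objects[name] = value
            results[name] = f"{name} created"
        elif name not in conflicts or choices.get(name) == "keep":
            results[name] = "No change"          # existing value stays in place
        elif choices.get(name) == "overwrite":
            objects[name] = value                # same name now resolves to the imported value
            results[name] = "Content changed"
        elif choices.get(name) == "rename":
            new_name, i = f"{name}_1", 1
            while new_name in objects:           # assumption: bump suffix if the name is taken
                i += 1
                new_name = f"{name}_{i}"
            objects[new_name] = value
            results[name] = "No change"
            results[new_name] = f"{new_name} created"
        else:
            raise ValueError(f"no valid resolution chosen for {name}")
    return objects, results


if __name__ == "__main__":
    print(resolve(CSO, DEVICE, CHOICES))
```

Running `find_conflicts` alone before an import lists the names whose value would change under Overwrite with Imported value.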

Related Documentation

  • Contrail Service Orchestration (CSO) Deployment Guide
