Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Administration Portal FAQ


This topic presents frequently asked questions and answers about Administration Portal.

What is the difference between hybrid WAN deployment and SD-WAN deployment?

In a hybrid-WAN environment, the CPE device provides connectivity between multiple sites of the same tenant. Each site can have up to two WAN links, of which one is an MPLS link while the other can be an Internet link. By default, the site traffic goes through the MPLS link. If the MPLS connection fails, the site traffic goes through an IPsec tunnel created over an Internet link. In an SD-WAN deployment, the CPE device provides software-defined WAN connectivity services for each site of the tenant. Each site can have up to four WAN links and supports both MPLS and internet links. A tenant can create intent-based policies to define SLA requirements for various applications; these policies help the tenant manage the use of WAN links by each application.

How do you configure an SD-WAN deployment?

The workflow to configure an SD-WAN deployment is as follows:

  1. Create a traffic type profile.
  2. Create an SLA profile and associate it with the traffic type profile.
  3. Create an SDWAN policy and associate it with SLA profile.
  4. Deploy the SD-WAN policy.

Are passwords that I configure for tenant users stored in the database?

If the authentication method for tenants is local, the passwords are stored in the local keystone database. If the authentication is done by using an SSO server, the passwords are not stored locally.

I forgot my password and I am unable to log in. What should I do?

You can reset your password from the login page. Access the login page and enter your username in the first field (Username). Click the Forgot Password? link and follow the instructions to reset your password.

What is the default password for Contrail Service Orchestration (CSO)?

There is no default password. When an account is created for you, you receive an account activation e-mail that contains a link to access the portal. You can access the portal by using the link and set a password of your choice. If you forget your password, you must reset the password by using the forgot password option.

How do I get started with configuring the Cloud CPE Solution?

See the Quick Start Guide for instructions to get started with CSO.

How do I know whether Administration Portal has created an object successfully?

When you finish creating an object, a message detailing the status of the object creation appears at the top of the page. The object then appears in the table on the page for that type of object.

How can I view information about or perform actions on a specific object, such as a tenant?

The Administration Portal menu bar is displayed on the left side of every page and has the following entries at the first level:

  • Dashboard

  • Monitor

  • Resources

  • Configuration

  • Tenants

  • Administration

Depending on the object, select the first-level menu item and, if applicable, select the second-level menu item to access the page for that object. For example, you can access tenants by selecting Tenants (first level), and access devices by selecting Resources and then Tenant Devices (second level). You can then select objects and perform various actions related to those objects.

In addition, on the Jobs page (Monitor > Jobs), you can view information about the different jobs that are triggered.

Can I create multiple objects simultaneously?

You can import a JSON file of data for multiple tenants, or multiple CPE devices. You can also create a single object by clicking the add (+) icon on the main page for that object.

Can I activate CPE devices from Administration Portal?

No. Only tenant administrators can activate devices.

Where can I add sites for a customer?

Only tenant administrators can add sites. In CSO Release 5.0.0 onward, sites are configured as part of the Add Site workflow and only tenant administrators have access to it.

Where can I upload licenses for CPE devices?

You can upload licenses from the Licenses page (Administration > Licenses).

From CSO Release 3.1R1 onward, you can also upload and install vSRX and SRX Series licenses for VNFs and CPE devices through the license tool, For more information, see Installing Licenses with the License Tool section in the Deployment Guide.

From CSO Release 3.3 R1 onward, you can push licenses to CPE devices from the Licenses page (Administration > Licenses).

When you deploy a network service on a site, what is the difference between the Save and Deploy buttons?

When you drag and drop a service on to an attachment point, you can specify configuration parameters for the services. After specifying the parameters, click Save to save the configuration without deploying it; you can then deploy the configuration later. Click Deploy to save and deploy the configuration.

What is a provider hub?

A provider hub, known as cloud hub in previous, on-premise releases of CSO, is the tenant's view of the shared hub, which references the services provider (MSP) device. In CSO Release 5.0.0, the provider hub device is owned and managed by Juniper Networks. Tenants can select an available provider hub device when they create provider hub sites.

How can I modify device templates?

You cannot modify device templates. However, you can clone device templates and create your own template from the Device Templates page (Resources > Device Templates) in Administration Portal.

What is the difference between stage-1 and stage-2 configuration?

The initial configuration that allows basic connectivity to a device, which is pushed to the device when it calls home, is called stage-1 configuration. The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.

Is it mandatory to specify an activation code in Administration Portal that customers must enter in Customer Portal when they activate their CPE devices?

No; specifying an activation code for CPE devices is optional. If you do not want to specify an activation code, on the Template Settings page (Resources > Device Template > Device-Template-Name > Edit Device Template > Template Settings), disable the ACTIVATION_CODE_ENABLED field and save the changes.

What is the expected switchover time for traffic that breaches the SLA in an SD-WAN implementation?

Average link metrics are analyzed every one minute, and if the traffic violates the SLA three times, the link is switched. With AppQoE (real-time optimized SD-WAN mode) enabled networks, the switchover time is much faster and the link is switched within few seconds.

What is a department?

A department is a grouping of LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department.

How do I log into Network Service Designer?

Using a Web browser, access the URL for the Network Services Designer. For example, if the IP address of the host on which the Network Service Designer resides is, then the URL would be

What are application traffic type profiles?

Traffic type profiles enable you to configure class-of-service parameters for various types of traffic based on your specific business requirements. Traffic type profiles enable you to assign priority and service level criteria for traffic types.

How do I monitor the progress of a device activation during stage-1 configuration?

You can view the bootstrap logs to monitor the progress of device activation during stage-1 configuration. From CSO Release 4.0.0 onward, the bootstrap (stage-1 configuration and device availability) logs are included in Zero Touch Provisioning (ZTP) job logs.

What is the significance of a loopback IP address of the CPE device in case of secure OAM connection?

The loopback IP address is always reachable over the IPsec tunnel and will not change. Even if the WAN interfaces are behind NAT and are assigned private IP addresses (using DHCP), it does not impact the OAM connectivity between the SD-WAN site and the Hub.

What are the prerequisites for a service provider (SP) administrator to view the OpCo or OpCo tenant in global or tenant switcher view?

By default, an SP administrator does not have access to OpCo. The OpCo administrator must explicitly add the SP administrator user name in the OpCo.

Can I configure APN setting while onboarding the CPE device?

No, you cannot configure the APN setting while onboarding the CPE device. After successful device activation, you can configure the APN setting through stage-2 configuration template.

How do I activate SRX4100 and SRX4200 CPE devices?

Since phone-home client (PHC) is not present on SRX4100 and SRX4200 CPE devices, you must manually activate the device by copying the stage-1 configuration from CSO and pasting it to the console of the SRX4100 and SRX4200 CPE device.

What topologies are supported in real-time optimized mode?

If you select the real time-optimized option, all sites in the tenant are connected in full-mesh or hub-and-spoke topology.