Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Administration Portal FAQ


This topic presents frequently asked questions and answers about Administration Portal.

What is the difference between hybrid WAN deployment and SD-WAN deployment?

Table 1: Differences in Hybrid WAN and SD-WAN deployment

Hybrid WAN deployment

SD-WAN deployment

The CPE device provides connectivity between multiple sites of the same tenant.

The CPE device provides software-defined WAN connectivity services for each site of the tenant.

Each site can have up to two WAN links, of which one is an MPLS link while the other can be an Internet link. By default, the site traffic goes through the MPLS link. If the MPLS connection fails, the site traffic goes through an IPsec tunnel created over an Internet link.

Each site can have up to four WAN links and supports both MPLS and internet links. A tenant can create intent-based policies to define SLA requirements for various applications; these policies help the tenant manage the use of WAN links by each application.

Are passwords that I configure for tenant users stored in the database?

If the authentication method for tenants is local, the passwords are stored in the local keystone database. If the authentication is done by using an SSO server, the passwords are not stored locally.

I forgot my password and I am unable to log in. What should I do?

You can reset your password from the login page. Access the login page and enter your username in the first field (Username). Click the Forgot Password? link and follow the instructions to reset your password.

What is the default password for Contrail Service Orchestration (CSO)?

There is no default password. When an account is created for you, you receive an account activation e-mail that contains a link to access the portal. You can access the portal by using the link and set a password of your choice. If you forget your password, you must reset the password by using the forgot password option.

How do I get started with configuring the Cloud CPE Solution?

See the Quick Start Guide for instructions to get started with CSO.

Is there a recommended browser for accessing CSO GUIs?

We recommend that you use Google Chrome Version 60 or later to access CSO GUIs.

What is the character limit for a tenant name?

The tenant name can contain alphanumeric characters and hyphens (-) and must not exceed 15 characters.

How do I know whether Administration Portal has created an object successfully?

When you finish creating an object, a message detailing the status of the object creation appears at the top of the page. The object then appears in the table on the page for that type of object.

How can I view information about or perform actions on a specific object, such as a tenant?

The Administration Portal menu bar is displayed on the left side of every page and has the following entries at the first level:

  • Dashboard

  • Monitor

  • Resources

  • Configuration

  • Tenants

  • Administration

Depending on the object, select the first-level menu item and, if applicable, select the second-level menu item to access the page for that object. For example, you can access tenants by selecting Tenants (first level), and access devices by selecting Resources and then Tenant Devices (second level). You can then select objects and perform various actions related to those objects.

In addition, on the Jobs page (Monitor > Jobs), you can view information about the different jobs that are triggered.

Can I create multiple objects simultaneously?

You can import a JSON file of data for multiple tenants, or multiple CPE devices. You can also create a single object by clicking the add (+) icon on the main page for that object.

Can I activate CPE devices from Administration Portal?

No. Only tenant administrators can activate devices.

Where can I add sites for a customer?

Only tenant administrators can add sites. In CSO Release 5.0.0 onward, sites are configured as part of the Add Site workflow and only tenant administrators have access to it.

Where can I upload licenses for CPE devices?

You can upload licenses from the Licenses page (Administration > Licenses). For more information, see Uploading a Device License File.

When you deploy a network service on a site, what is the difference between the Save and Deploy buttons?

When you drag and drop a service on to an attachment point, you can specify configuration parameters for the services. After specifying the parameters, click Save to save the configuration without deploying it; you can then deploy the configuration later. Click Deploy to save and deploy the configuration.

What is a provider hub?

A provider hub is a multi-tenant device that can be shared between multiple tenants of an SP Administrator or an OpCo Administrator. In releases earlier than CSO 5.0.0, provider hubs was called cloud hub.

How can I modify device templates?

You cannot modify device templates. However, you can clone device templates and create your own template from the Device Templates page (Resources > Device Templates) in Administration Portal.

What is the difference between stage-1 and stage-2 configuration?

The initial configuration that allows basic connectivity to a device, which is pushed to the device when it calls home, is called stage-1 configuration. The configuration that is pushed to the device after it has connected to CSO is called stage-2 configuration.

Is it mandatory to specify an activation code in Administration Portal that customers must enter in Customer Portal when they activate their CPE devices?

No; specifying an activation code for CPE devices is optional. If you do not want to specify an activation code, on the Template Settings page (Resources > Device Template > Device-Template-Name > Edit Device Template > Template Settings), disable the ACTIVATION_CODE_ENABLED field and save the changes.

What is the expected switchover time for traffic that breaches the SLA in an SD-WAN implementation?

Average link metrics are analyzed every one minute, and if the traffic violates the SLA three times, the link is switched. With AppQoE (real-time optimized SD-WAN mode) enabled networks, the switchover time is much faster and the link is switched within few seconds.

What is a department?

A department is a grouping of LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department.

How do I log into Network Service Designer?

Using a Web browser, access the URL for the Network Services Designer. For example, if the IP address of the host on which the Network Service Designer resides is, then the URL would be

What are application traffic type profiles?

Traffic type profiles enable you to configure class-of-service parameters for various types of traffic based on your specific business requirements. Traffic type profiles enable you to assign priority and service level criteria for traffic types.

How do I monitor the progress of a device activation during stage-1 configuration?

You can view the bootstrap logs to monitor the progress of device activation during stage-1 configuration. From CSO Release 4.0.0 onward, the bootstrap (stage-1 configuration and device availability) logs are included in Zero Touch Provisioning (ZTP) job logs.

What is the significance of a loopback IP address of the CPE device in case of secure OAM connection?

For secure OAM communication, the loopback IP address of the CPE device is fixed and unique across the entire deployment, and is always reachable (from CSO) over the IPsec tunnel. Even if the WAN interfaces are behind NAT and are assigned private IP addresses (using DHCP), the OAM connectivity between the SD-WAN on-premise spoke site and the cloud hub is not impacted. The IPsec tunnel can still be established over the Internet WAN link including the LTE access type.

What are the prerequisites for a service provider (SP) administrator to view the OpCo or OpCo tenant in global or tenant switcher view?

By default, an SP administrator does not have access to OpCo. The OpCo administrator must explicitly add the SP administrator user name in the OpCo.

Can I configure APN setting while onboarding the CPE device?

No, you cannot configure the APN setting while onboarding the CPE device. After successful device activation, you can configure the APN setting through stage-2 configuration template.

How do I activate SRX4100 and SRX4200 CPE devices?

Since phone-home client (PHC) is not present on SRX4100 and SRX4200 CPE devices, you must manually activate the device by copying the stage-1 configuration from CSO and pasting it to the console of the SRX4100 and SRX4200 CPE device.

What topologies are supported in real-time optimized mode?

If you select the real time-optimized option, all sites in the tenant are connected in full-mesh or hub-and-spoke topology.

What are audit logs? For how long are audit logs saved?

An audit log is a record of a sequence of activities that have affected a specific operation or procedure. Audit logs are useful for tracing events and for maintaining historical data. Audit logs are retained indefinitely until an administrator purges the logs.