Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Add an On-Premise Spoke Site for Next Generation Firewall


The following image shows a simple network topology for a standalone next-generation firewall site.

Complete the connections as shown in the topology diagram and power up the device.

This task assumes that the device will get DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.


When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15 based on the SRX model) for Internet connectivity.

For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device. Links to the hardware documentation for the supported models are provided in Table 1.


Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that Release.

Device Model

Hardware Documentation

SRX3xx device and SRX550M






To add a next-generation firewall site:

  1. From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.

    The Add Site wizard appears.

  2. Complete the configuration as explained in Table 2.
  3. Click Next to review the settings and then, click OK to add the site.

    When the site is successfully created, the Site Status in the Sites page changes to Provisioned.

    Table 2: SD-WAN On-Premise Spoke Site Settings




    Site Name

    Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters.

    Site Capabilities

    Select Next Gen Firewall.


    Serial Number

    Enter the serial number of the device.

    Auto Activate

    Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.

    Zero Touch Provisioning

    Zero Touch Provisioning is enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. Note that the SRX device must support phone home client for ZTP to work. If the device does not support phone home client, disable Zero Touch Provisioning and manually copy-paste the stage-1 configuration from the device CLI.

After you add the site, you can complete the following tasks as required:


The device must be activated before you install licenses or signatures, or deploy policies.

  • Upload and install licenses. For example, Administration > Licenses.

  • Install signatures. For example, Administration > Signature Database.

  • Add, modify, and deploy firewall policies. For example, Configuration > Firewall Policy .

  • Monitor alerts, alarms, and jobs. For example, Monitor > Jobs.

For more information about these tasks, see the Contrail Service Orchestration documentation at documentation/product/en_US/contrail-service-orchestration.