Next-Generation Firewall Sites
You can add a next-generation firewall site to manage a standalone SRX device that is configured as a firewall device. You can also create a next-generation firewall site with LAN for branch networks to manage an SRX firewall device and an EX Series switch.
This topic explains how to add an on-premise spoke site for a next-generation firewall, and how to add an on-premise spoke site with next-generation firewall and LAN capabilities.
Add an On-Premise Spoke Site for Next Generation Firewall
The following image shows a simple network topology for a standalone next-generation firewall site.

Complete the connections as shown in the topology diagram and power up the device.
This task assumes that the device obtains its IP address through DHCP and has Internet connectivity and DNS resolution when it is connected according to the network design.
When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15, depending on the SRX model) for Internet connectivity.
For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device. Links to the hardware documentation for the supported models are provided in Table 1.
Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for the CSO release that you are using.
Table 1: Next Generation Firewall Devices, Port Information, and Documentation Links
Device Model | Hardware Documentation |
---|---|
SRX3xx device | SRX340 SRX345 SRX3400 SRX3600 |
To add a next-generation firewall site:
- From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.
The Add Site wizard appears.
- Complete the configuration as explained in Table 2.
- Click Next to review the settings, and then click OK to add the site.
When the site is successfully created, the Site Status in the Sites page changes to Provisioned.
Table 2: SD-WAN On-Premise Spoke Site Settings
Field | Description |
---|---|
General | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Capabilities | Select Next Gen Firewall. |
WAN | |
Serial Number | Enter the serial number of the device. |
Auto Activate | Auto Activate is enabled by default. When Auto Activate is enabled, device activation is triggered automatically when the site is added. The Activation Code field appears if you disable Auto Activate. In that case, specify the activation code of the device to activate it manually. For information about manually activating a device, see Activate a Device. |
Zero Touch Provisioning | Zero Touch Provisioning is enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is triggered automatically when the site is added. Note that the SRX device must support the phone-home client for ZTP to work. If the device does not support the phone-home client, disable Zero Touch Provisioning and manually copy the stage-1 configuration provided by CSO and paste it into the device CLI. |
After you add the site, you can complete the following tasks as required. The device must be activated before you install licenses or signatures, or deploy policies.
- Upload and install licenses (Administration > Licenses).
- Install signatures (Administration > Signature Database).
- Add, modify, and deploy firewall policies (Configuration > Firewall Policy).
- Monitor alerts, alarms, and jobs (Monitor > Jobs).
For more information about these tasks, see the Contrail Service Orchestration documentation at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.
Add an On-Premise Spoke Site with Next-Generation Firewall and LAN Capabilities
You can add a next-generation firewall site with LAN capabilities to manage an SRX device that is configured as a firewall device along with an EX series switch that is configured for the LAN network.
The following image shows a simple network topology for an on-premise spoke site with next-generation firewall and LAN capabilities.

Complete the connections as shown in the topology diagram and power up the devices.
This task assumes that the firewall device obtains its IP address through DHCP and has Internet connectivity and DNS resolution when it is connected according to the network design.
When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15, depending on the SRX model) for Internet connectivity.
For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device. Links to the hardware documentation for the supported models are provided in Table 3.
Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for the CSO release that you are using.
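Both procedures on this page assume that the SRX device already has a DHCP lease, a default route, and working DNS on its Internet-facing port before the site is added; if any of these is missing, activation and ZTP cannot reach CSO. The following operational-mode session is an added example for checking those assumptions from the SRX CLI, not part of the original page or of CSO. The prompt, the use of ge-0/0/0 as the Internet port (on some models it is the last port, ge-0/0/7 or ge-0/0/15) and the host name www.juniper.net used as a resolution target are assumptions.

```junos
user@srx> show interfaces terse ge-0/0/0
## Assumed Internet-facing port; it must be up and must carry an inet address.
## On models where the last port is used, check ge-0/0/7 or ge-0/0/15 instead.

user@srx> show dhcp client binding
## The Internet-facing port must show a lease in the BOUND state.

user@srx> show route 0.0.0.0/0
## A default route (normally learned from the DHCP server) must be present.

user@srx> show host www.juniper.net
## Assumed target host. A resolved address proves DNS resolution works.

user@srx> ping www.juniper.net count 3
## Replies prove outbound Internet reachability through the chosen port.
```

Run these checks on the console before clicking Add in the CSO portal; a site that is added while any of them fails stays in a non-provisioned state until the device can reach CSO.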
Table 3: Documentation Links for the Supported Hardware Devices
Device Model | Hardware Documentation |
---|---|
SRX3xx devices | SRX340 SRX345 |
LAN Switches | |
EX2300 | |
EX3400 | |
EX4300 | |
- From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.
The Add Site wizard appears.
- Complete the configuration as explained in Table 4.
- Click OK to add the site.
If the Zero Touch Provisioning (ZTP) toggle button is enabled (default), CSO pushes the stage-1 and stage-2 configurations and provisions the switch.
This process occurs immediately after the activation process, for which you entered the activation code or selected auto-activation.
Note: The stage-1 configuration is the initial configuration that gives a device basic connectivity; it is pushed to the device first. The configuration that is pushed to the device after it has connected to CSO is called the stage-2 configuration.
If you disabled the Zero Touch Provisioning (ZTP) toggle button, you must manually configure the stage-1 configuration (as provided by CSO) on the switch.
To manually configure the stage-1 configuration:
- On the Site Activation: Site-Name page, the Click to copy stage-1 configuration link appears after the Prestage Device step completes successfully.
- Click the Click to copy stage-1 configuration link.
The stage-1 configuration page appears displaying the stage-1 configuration to be copied to the EX Series device.
- Copy the stage-1 configuration and log in to the console of the EX Series switch.
- Enter the configuration mode, paste, and commit the configuration.
After the stage-1 configuration is committed, the switch has the outbound SSH configuration to connect with CSO.
CSO then provisions the switch.
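The stage-1 configuration that CSO generates is device-specific and must be pasted exactly as provided. The following session is an added example of what the paste-and-commit step looks like on the EX Series console, not part of the original page and not CSO's actual generated configuration. The client name cso, the device ID, the secret, the CSO address 192.0.2.10, the port 7804 and the assumption that the configuration is delivered as set commands are all placeholders for illustration; the verification commands at the end are standard Junos operational commands.

```junos
user@ex> configure
Entering configuration mode
[edit]
## Paste the copied stage-1 configuration here. The lines below are
## placeholders that show the shape of an outbound-ssh client stanza;
## use the text that CSO provides, not these values.
user@ex# set system services outbound-ssh client cso device-id EXAMPLE-DEVICE-ID
user@ex# set system services outbound-ssh client cso secret EXAMPLE-SECRET
user@ex# set system services outbound-ssh client cso services netconf
user@ex# set system services outbound-ssh client cso 192.0.2.10 port 7804

## Review what was pasted before committing; a typo here means the switch
## never calls home and CSO cannot provision it.
user@ex# show system services outbound-ssh

user@ex# commit and-quit
commit complete
Exiting configuration mode

## Confirm the committed stanza and that the switch has opened the
## outbound session toward CSO (an ESTABLISHED TCP connection to the
## assumed CSO address and port).
user@ex> show configuration system services outbound-ssh
user@ex> show system connections | match 192.0.2.10
```

In this example the stanza carries the device ID and secret the switch uses to authenticate to CSO (an assumption about the stage-1 content), so treat the copied stage-1 text as a credential: paste it over the console, do not leave it in chat or ticket systems, and discard the copy once the switch shows an established connection and CSO reports the site as Provisioned.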
When the site is successfully created, the Site Status in the Sites page changes to Provisioned.
Table 4: SD-WAN On-Premise Spoke Site Settings
Field | Description |
---|---|
General | |
Site Name | Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 10 characters. |
Site Capabilities | Select Next Gen Firewall. |
WAN | |
Serial Number | Enter the serial number of the device. |
Auto Activate | Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. |
Zero Touch Provisioning | Zero Touch Provisioning is enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is triggered automatically when the site is added. Note that the SRX device must support the phone-home client for ZTP to work. If the device does not support the phone-home client, disable Zero Touch Provisioning and manually copy the stage-1 configuration provided by CSO and paste it into the device CLI. |
In Band Management | Use the same port that you have configured for Internet connectivity for in-band management. Depending on the SRX device, the port can be the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15). |
LAN | |
Device Name | Enter a unique name for the device. |
Device Type | Select the type of the device. |
Trunk Ports | Select at least two trunk ports on the CPE device to connect with the switch. |
Switch Management Subnet | Specify the subnet from which the DHCP server assigns IP addresses to the switch. |
Serial Number | Enter the serial number of the device. |
Auto Activate | If the selected device supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. The Activation Code field appears if the selected device template does not support ZTP or if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device. |
After you add the site, you can complete the following tasks as required. The device must be activated before you install licenses or signatures, or deploy policies.
- If the EX Series switch has Mist access points associated with it, you can integrate the Mist access points with CSO. For more information, see Enabling Integration with Mist Access Points.
- Upload and install licenses (Administration > Licenses).
- Install signatures (Administration > Signature Database).
- Add, modify, and deploy firewall policies (Configuration > Firewall Policy).
- Create and generate reports (Reports > Report Definitions).
For more information about these tasks, see the Contrail Service Orchestration documentation at https://www.juniper.net/documentation/product/en_US/contrail-service-orchestration.