You can use Contrail Service Orchestration (CSO) to:
Add a firewall site for the next generation firewall device.
Configure a CPE device (SRX Series services gateway) as a next generation firewall device.
Add firewall policies for the standalone firewall site.
Deploy the firewall policies for the standalone firewall site.
The topology to add an on-premise spoke site with next generation firewall capabilities is shown in Figure 7.
Figure 7: On-premise spoke site with next generation firewall
The topology to add an on-premise spoke site with next generation firewall and LAN capabilities is shown in Figure 8.
Figure 8: On-premise spoke site with next generation firewall and LAN
The following workflow describes the steps that are required to set up a firewall site and provision the firewall device associated with the site.
To set up a next generation firewall site and provision the firewall device:
To add a site with next generation firewall and switch, see Add an On-Premise Spoke Site with Next Generation Firewall and LAN Capabilities.
Note: Before proceeding to the next step, ensure that the ZTP process is complete and the firewall device status is set to Provisioned.
© 2020 Juniper Networks, Inc. All rights reserved