Customer Portal Getting Started

Customer Portal Capabilities

The Customer Portal helps you:

• Add, manage, and maintain individual tenant sites in the service provider cloud and on-premises.

• Monitor alerts, alarms, device events, security events, link-switch events, and more.

• Manage existing CPE devices and software images.

• Add, manage and maintain device policies and virtual network services.

• Add security and SD-WAN reports.

• Manage tenant-level and site-level users.

With these capabilities, you can add and manage all elements of CSO tenant sites and the devices dedicated to those sites. With RBAC control, sites and devices belonging to one tenant cannot be seen by other tenants or customers.

Administration in the Customer Portal

The following tasks describe administration-related functions that can be performed in the Customer Portal.

Manage Users

Procedure

1. Navigate to Administration > Users.

   The Add Tenant User page appears, as shown in Figure 1.

   Figure 1: Add Tenant User Page

   
2. Fill out the required information including whether the new user is an Operator or an Administrator.
3. Click OK when finished.

   If you leave the user status as Enabled, an e-mail is sent from CSO to the user informing them that their account was created and giving them a Set your password link that they can click to set their own password on CSO. If the user is not enabled, it is shown as disabled in the list of users. A tenant administrator can later enable the user, at which time the Set your password e-mail is sent.

Manage Roles

Procedure

1. Click Administration > Roles.

   The Roles page appears, as shown in Figure 2.

   Figure 2: Roles Page

   
2. Click the Add icon (+).

   The Add Role page appears, as shown in Figure 3.

   Figure 3: Add Role Page

   
3. Specify the details for the role.

   Pay particular attention to the Access Privileges. There are six sections of access privileges:

   • Monitor

   • Resources

   • Configuration

   • Sites

   • Reports

   • Administration

   All sections appear collapsed at first. You can expand the sections by clicking the > next to the desired section. This expands the capabilities within that section as shown in Figure 3. For more information regarding roles and their abilities, see Adding User-Defined Roles for Tenant Users.

4. Click OK.

   A status message appears about the new role.

Manage Audit Logs

Procedure

• Navigate to Administration > Audit Logs.

  The Audit Logs page appears.

• To see details of recorded logs, select the checkbox next to the desired log.
• From the More menu, select Details.

  Audit log details are displayed on the right part of the page.

• To export or purge a range of logs, click the appropriate button.

  The export or purge audit logs window appears.

Upload Device Licenses

Procedure

1. Click Administration > Licenses > Device Licences.

   The License Files page appears.

2. Click the Add icon (+).

   The Add License page appears, as shown in Figure 4.

   Figure 4: Add License Page

   
3. Click the Browse button and locate the license file.

   (Optional) Add a description for this particular license file.

4. Click OK.
5. The newly added license appears in the list of device licenses.

Push Device Licenses

Procedure

1. Click Administration > Licenses > Device Licences.

   The License Files page appears.

2. Click the checkbox next to the license file that you want to push to the device(s).
3. Click the Push License pull-down menu and select Push.

   The Push License window appears, as shown in Figure 5.

   Figure 5: Push License Window

   

   This window shows all devices on which the license is already deployed. If it is not installed on any devices, an X is shown in the installed column.

4. Select the checkboxes next to the device or devices to which you want to push the license.

   A job status notification appears. Another notification will alert you when the job is complete.

Manage the Signature Database

A tenant administrator or operator can view the currently installed version of the IPS signature database by navigating to Administration > Signature Database. On the Signature Database page, the active database version appears. It shows the publish date, detector versions and a count of how many devices have this version installed.

Procedure

1. Navigate to Administration > Signature Database.
2. Click the Install Signatures button.

   The Install Signatures window appears.

3. Select the device(s) on which you want to install the signatures by clicking the checkbox next to the device name(s).
4. (Optional) Change the Type from Run now to Schedule at a later time to have CSO install the signatures later.
5. Click OK.

   A notification appears letting you know that the job is either starting now or scheduled for later.

Manage Certificates

Tenant operators and administrators can view a list of available SSL certificates by navigating to Administration > Certificate Management > Certificates. On the Certificates page is a list of the imported certificates. A tenant administrator can also install the imported certificates on CPE devices, uninstall certificates from devices, and view the sites at which certificates are installed. All of these capabilities are available by selecting the appropriate option from the More pull-down menu.

SSL certificates are used for SSL forward proxy.

Identity Management

CSO provides the ability to integrate Active Directory user identification for user-based firewall policy intents on SRX devices. To do this, CSO integrates with Juniper Identity Management System (JIMS). JIMS can be downloaded from within CSO by navigating to Administration > Identity Management and clicking the Download JIMS button.

Once downloaded and installed on a Microsoft Windows server, you can complete the JIMS to CSO configuration and the SRX-to-JIMS configuration by clicking the Proceed with Configuration button.

These configurations allow JIMS to provide Active Directory user identity information to SRX Series devices and to work in combination with CSO to allow the use of that information to create the firewall policy intents.

For more information, see Configuring CSO and JIMS Connection.

Manage WiFi Settings

CSO provides integration with the Mist WiFi portal to allow administrators to manage Mist WiFi access points connected to EX Series switches at remote sites.

Procedure

1. Navigate to Administration > WiFi Settings.
2. On the WiFi Settings page, click the Enable button.

   The slider turns blue.

3. Fill in the appropriate Username and Password for your Mist account.
4. Click Save.

   Once completed, you can access the details about the access point by navigating to the Devices tab of the Resources > Site Management > Site Name page and click the access point name.

Manage Reports

CSO provides two pre-defined security report definitions and one pre-defined SD-WAN report definition that are available at the Reports > Report Definitions > Security and Reports > Report Definitions > SD-WAN pages respectively.

Tenant users in the Customer Portal can only view the details of the report definitions.

Tenant administrators can run the reports by clicking the Run Now button. From the More pull-down menu, tenant administrators can also preview report definitions, send the reports by e-mail to a list of recipients, and so on. From the Add pull-down menu, tenant administrators can also add the following types of custom reports:

• For Security Reports:

  • Log Report Definition

  • Bandwidth Report Definition

  • ANR Report Definition

• For SD-WAN Reports:

  • Tenant Performance

  • Site Performance

Multiple instances of each report type can be added. New and cloned reports can have different contents and different schedules.

At the Reports > Generated Reports > Security and Reports > Generated Reports > SD-WAN pages, both tenant operators and tenant administrators can view the reports that have been generated. Administrators can also delete generated reports.

Manage Resources

The following tasks describe the resource management functions that can be performed in the Customer Portal.

Add a Provider Hub

To allow for secure OAM communications between sites and CSO, each tenant must have at least one provider hub with OAM capabilities. Additional provider hubs can be added as needed; these additional hubs can be of type DATA_ONLY, OAM_ONLY, or OAM_AND_DATA. All of these shared hub devices are added to CSO by an administrator in the Administration Portal and assigned to a POP.

The procedure below describes adding a pre-provisioned provider hub site to your tenant.

Procedure

1. Select Resources > Site Management.
2. Click the Add pull-down menu and select Add Provider Hub.

   The Add Provider Hub for Site Name page appears, as shown in Figure 6.

   Figure 6: Add Provider Hub Page

   
3. Select a POP.

   Selecting a POP populates the Hub Device Name pull-down menu with the names of provider hub devices available in that POP.

4. Select a Provider Hub device.

   Note If no devices are shown on the pull-down menu, contact your Juniper account manager or your OpCo administrator.

5. Click OK when finished.

   An add job message appears followed by a success or failure message for the device add job.

Add an On-Premises Spoke Site (Manual)

This task describes how to add an on-premises site. You can add two types of on-premises sites—On-Premises Spoke and Enterprise Hub. An on-premises spoke site can be added manually or with the use of a template that was previously added from the Resources > Templates > Site Templates page. This task can only be performed by a tenant administrator.

Procedure

1. Click Resources > Site Management.

   The Sites page appears. Any sites that already exist are listed on this page.

2. Click Add > On-Premises Spoke (Manual).

   The Add On-Premises Spoke Site for Tenant-Name page appears.

3. Specify the configuration for the on-premises site until you reach the configuration summary.

   As shown in Figure 7, the summary page shows all of the configuration that was entered for the on-premises site.

   Figure 7: Add On-Premises Spoke Summary Page

   
4. Click OK.

   The status of the add operation is displayed.

Add an On-Premises Spoke Site using a Site Template

Procedure

1. Click Resources > Site Management.

   The Site page appears. Any sites that already exist are listed on this page.

2. Click on the Add pull-down menu and select On-Premises Spoke Site (Using Template).

   The Add On-Premises Spoke Site page appears with large icons depicting the available templates, as shown in Figure 8.

   Figure 8: Add On-Premises Spoke Site Page

   
3. Click the desired template icon or icons.
4. Click Continue.

   The page changes and requests Site Data.

   You can upload the site data from a JSON file or add the site data manually by filling in the fields that were left blank in the template.

5. Click the Add Manually radio button.

   The page changes to reveal site configuration information.

6. Complete the required fields (marked by *).
7. Click Save.

   Site add job notifications appear as the job is started and when completed (success or failure).

Add a Cloud Spoke Site

Procedure

1. Navigate to Resources > Site Management.

   The Sites page appears. Any sites that already exist are listed on this page.

2. From the Add pull-down menu, select Add Cloud Spoke.

   The Add On-Premises Spoke Site for Tenant-Name window appears.

3. Complete the configuration settings.

   Note Fields marked with an asterisk (*) are mandatory and include configuration information regarding the AWS VPC.

   For more information, see Adding Cloud Spoke Sites for SD-WAN Deployment and Provisioning a Cloud Spoke Site in AWS VPC.

4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
5. Click OK.

   The status of the add operation is displayed.

Add an Enterprise Hub

This task describes how to add an Enterprise Hub. This task can only be performed by a tenant administrator.

Procedure

1. Click Resources > Site Management.

   The Sites page appears. Any sites that already exist are listed on this page.

2. Click the Add pull-down menu and select Enterprise Hub.

   The Add Enterprise Hub for Tenant-Name page appears, as shown in Figure 9.

   Figure 9: Add Enterprise Hub Page

   
3. Complete the configuration settings.

   Note Fields marked with an asterisk (*) are mandatory.

4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
5. Click OK.

   You are returned to the Sites page and a message indicating that the site creation job was triggered is displayed. You can click the job ID link to view the progress of the job. After the job is completed successfully, a confirmation message is displayed and the site that you added is displayed on the Sites page.

Manage Devices

The Resources > Devices page shows a list of all spoke devices across all sites for your tenant. Tenant administrators and operators in CSO can see a list of all spoke devices. Tenant administrators can perform a number of operations on any one device by selecting the checkbox next to the device name and then selecting an operation from the More pull-down menu, as shown in Figure 10.

Figure 10: More Pull-down Menu on the Devices Page

If you click the device name link, you are taken to the OVERVIEW tab of the device details page for that particular device. On this page, you can see a lot of information about a device including:

• Recent Alarms

• Recent Alerts

• Resource Utilization

• Throughput

• and more

The information on these charts can be adjusted to display over specific time periods.

The device details page also includes a CONFIGURATION TEMPLATE page which shows the configuration options managed by CSO through a variety of pre-made, stage-2 device templates. A tenant administrator can make changes to the available templates and then deploy them to the device. The administrator can also view a deployment history for the device.

You can deploy configuration templates as part of site onboarding or within a site template. You can also rollback a configuration template (which removes any configuration pushed to the device by the template) or undo the association (which leaves the configuration on the device but removes the template).

Manage Device Images

CSO provides tenant operators and administrators the ability to view device software images on the Resources > Images page. Tenant administrators can stage and deploy device images to CPE and hub devices by clicking the appropriate button. Tenant administrators can also see image upgrade history by clicking the appropriate button.

Staging device images prior to deployment is recommended for sites with slow links.

Manage Site Groups

CSO allows tenant administrators to use the Site Groups page to view, create, and delete site groups for a tenant at Resources > Site Groups. Site groups enable you to group sites logically, thereby easing site management. You can use site groups to apply policies at the site group level.

Manage Mesh Tags

CSO uses mesh tags to allow direct site-to-site communication (without a hub) using dynamic VPNs in SD-WAN environments. For this to happen, each site must have a matching mesh tag assigned.

Only tenant administrators have access to the Resources > Mesh Tags page at Resources > Mesh Tags. CSO ships with the pre-defined mesh tags, MPLS and INTERNET. These tags can not be deleted or modified. Administrators can add new tags for use in their network by clicking the Add icon (+) and filling out the information in the window that pops up.

Manage Templates

CSO uses templates to allow for fast, repeatable site additions, to define device characteristics and capabilities, and to allow for expanded device configuration after a device is provisioned. CSO ships with a set of pre-defined device and configuration templates. These templates are available at Resources > Templates > Device Templates, and Resources > Templates > Configuration Templates, respectively.

Tenant operators can only view the available templates and their details, while tenant administrators can import new templates, clone existing templates, and edit cloned and unused templates. Templates that are already in use cannot be changed, but can be cloned.

Procedure

1. Click Resources > Templates > Site Templates.

   The Site Templates page appears.

2. Click the large Add New Template button.

   The Add Site Template for Tenant Name appears and starts the process at the General tab.

3. Fill out the information on the General part of the form, as shown in Figure 11.

   Figure 11: Add Site Template Page

   
4. Click Next.

   The page advances to WAN configuration form, as shown in Figure 12.

   Figure 12: WAN Configuration Form

   
5. Fill out the information on the WAN form.

   Required field names are marked with an asterisk (*). You must select at least one item from the Site Capabilities section.

6. Click Next.

   If your tenant has LAN services available, the page advances to the LAN configuration form, as shown in Figure 13. If not, the LAN configuration section is automatically bypassed and the page advances to the Summary form.

   Figure 13: LAN Configuration Form

   
7. (Optional) Fill out the LAN form.
8. Click Next.

   The page advances to Summary.

9. Review the summary page.
10. Click Save.

Deploy and Start Network Services

Procedure

1. Click Resources > Site Management.

   The Sites page appears.

2. Click the name of the site for which you want to deploy network services.

   Note The site must have an NFX Series device as a CPE so that network services can be deployed.

   The Site-Name page appears.

3. In the Services tab, click View Services.

   The Deploy Network Services pane appears on the right side of the page.

4. Select a service and an attachment point. Alternatively, drag and drop a service on to an attachment point.

   The Deploy Network Service: Site-Name page appears.

5. Specify the parameters for the service that you want to deploy.
6. Click Deploy to deploy the service.

   The status of the deploy operation is displayed.

7. Select the deployed service and click Start Service.

   The status of the service is displayed.

Manage Policy Configuration

The following tasks describe how to add, view, manage, and deploy policies. There are many types of policies and supporting shared objects. CSO keeps policy and profile management similar across the different policy types. Not all policies, profiles, or options are covered in the getting started panel.

Add and Deploy an Intent-based Firewall Policy

Intent-based firewall policies can control traffic in a number of ways:

• Between security zones such as trust and untrust

• Between departments such as marketing and accounting

• Between specific addresses or address groups

• Between sites or site groups belonging to the same tenant

• Combinations of the above options

• Additional options for the sources and destinations

Procedure

1. Prepare the endpoints that you want to use in the firewall policy:

   • Source endpoints can be IP addresses, IP address groups, sites, site groups, or departments.

   • Destination endpoints can be IP addresses, IP address groups, sites, site groups, departments, Layer 7 (L7) applications, or services.

2. Add one or more firewall intents (by using the available endpoints):

   Procedure

   1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

   2. Click the Add icon (+).
   3. Specify the parameters for the firewall intent.

      Best Practice In order for CSO to receive security monitoring data, we recommend that you enable Logging on all firewall policies.

   4. Click Save.

      The status of the save operation is displayed.

3. Deploy the firewall policy:

   Procedure

   1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

   2. Click the Deploy button to deploy the firewall policy.

      The Deploy page appears.

   3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
   4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

Create NAT Policy

Procedure

1. Click Configuration > NAT > NAT Policies.

   The NAT Policies page appears.

2. Click the Add icon (+).

   The Create NAT Policy page appears.

3. Give the policy a name.
4. In the Sites Applied On section, select the checkbox next to all sites on which you want to apply this policy.

   Note The Sites Applied On list only shows active sites for this tenant. You must activate at least one site in order to create a NAT policy.

5. Click the right arrow button (>) between the Available and Selected sites lists.

   Any site checked in the available list moves to the selected list.

6. Click OK.

   The new policy now shows in the list of policies.

Create and Deploy a NAT Policy Rule

Procedure

1. Prepare the endpoints that you want to use in the NAT policy:

   • Source endpoints can be IPv4 and IPv6 addresses, or port numbers.

   • Destination endpoints can be IPv4 and IPv6 addresses, or port numbers.

2. Create a NAT policy rule:

   Procedure

   1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears, displaying the existing NAT policies.

   2. Click the name of the NAT policy for which you want to create rules. Alternately, you can click on the number or the Add Rule link listed under Rules against a NAT policy.

      The Single NAT Policy page appears.

   3. Click Create and select either Source, Static, or Destination. The page displays fields for creating a NAT rule.
   4. Specify the parameters for NAT rules.
   5. Click OK

      The status of the create operation is displayed.

3. Create NAT pools:

   Procedure

   1. Select Configuration > NAT > Pools.

      The NAT Pools page appears.

   2. Click the Add icon (+).

      The Create NAT Pool page displays fields required for creating and configuring a NAT pool.

   3. Specify the parameters for NAT pools.
   4. Click OK.

      The status of the create operation is displayed.

4. Deploy the NAT policy:

   Procedure

   1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears.

   2. Click on the NAT policy that you want to deploy.

      The NAT Policy Rules page appears.

   3. Select one or more NAT policy rules, and click Deploy.

      Note Even though you select one or more NAT policy rules, when you click Deploy, all NAT policy rules that are associated with the NAT policy are deployed.

      The status of the deployment operation is displayed.

Add and Deploy an SD-WAN Policy

Procedure

1. Prepare the endpoints that you want to use in the SD-WAN policy:

   • Source endpoints can be sites, site groups, or departments.

   • Destination endpoints can be applications or application groups.

2. Add an SD–WAN policy intent and associate it with the SLA profile:

   Procedure

   1. Click Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

   2. Click the Add icon (+).
   3. Specify the parameters for the SD-WAN policy intent.
   4. Click Save.

      The status of the save operation is displayed.

3. Deploy the SD-WAN policy intent:

   Procedure

   1. Click Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

   2. Click the Deploy button to deploy the policy intent.

      The Deploy page appears.

   3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
   4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

Add a Breakout Profile

Procedure

1. Click Configuration > SD-WAN > Breakout Profiles.

   The Breakout Profiles page appears.

   Note You must have at least one Traffic Type Profile in the enabled state to complete the rest of this procedure. Traffic type profiles are managed by the SP administrator in the Administration Portal.

2. Click the Add icon (+).

   The Add Breakout Profile page appears.

3. Specify the parameters for the breakout profile.
4. (Optional) Set Advanced Configuration Parameters for Rate Limiting.
5. Click OK.

Manage Shared Objects

Many of the policies and profiles under the Configuration tab use shared objects. To manage shared objects, navigate to Configuration > Shared Objects. The available types of shared objects are: Addresses, Departments, Services, and Application Signatures. All of these object types can be used in the creation of firewall intents.

Monitor Activities and Status

CSO provides the ability to monitor the your sites, security events, link switch events, and more. The following list describes what can be seen using the CSO monitoring feature.

Procedure

• Navigate to the Monitor tab on the left-navigation panel.
• Select Overview to see a map of the your sites and their status.

  The map can be zoomed and filtered by site and/or alarm severity by selecting the appropriate checkbox from the Sites pull-down menu at the upper left corner of the map.

• Select Alerts & Alarms > Alerts to see alerts generated by CPE or hub devices.

  You can see the severity, time, tenant, site, and a description of the alerts, if any.

• Select Alerts & Alarms > Alert Definitions to see what alert definitions have been added. There are SD-WAN alerts and security alerts available.

  The OpCo or global administrator can create new alert definitions in the Administration Portal. Tenant operators and administrators can see the list and get details about each alert definition from the More menu.

• Select Alerts & Alarms > Alarms to see alarm notifications generated by CPE and hub devices.

  The graph at the top of the page shows a count of alarms over a specified time period. You can adjust the time range for the graph to filter the alarms and create additional filters by tenant, site, source, and severity.

• Select Link Switch Events to see a list of the times when failure to meet SLA parameters caused CSO to switch traffic to a different WAN link.

  The graph at the top can be filtered to show only events within a certain time period. The list shows the SLA violation time, link switch time, Site, reason for the switch, and so on.

• Select Traffic Logs to see a list of traffic logs from your various sites.
• Select Security Events > All Events to see a graph of events and a list of specific events. The graph can be filtered on time. The list shows all types of security events. You can filter the list to show only specific types of events by navigating to the specific security event type on the left-navigation panel. The available security event types are:

  • Firewall

  • Web Filtering

  • IPSec VPNs

  • Content Filtering

  • Antispam

  • Antivirus

  • IPS

  • Screen

  Each type of security event view can be further filtered and customized on the individual page.

• Select Application SLA Performance to view SLA performance of all sites in a single tenant that have met and all sites for that tenant that have not met the defined SLA values in the specified time range. You can customize your view and also the time range for which you want to view the SLA performance.
• Select Application Visibility to see a bubble graph of the types of traffic flowing through your sites. You can change the graph type and time span of the display as desired.
• Select User Visibility to view information about bandwidth consumption and number of sessions associated with various applications that are running on the devices.
• Select Threat Map (Live) to see a live threat map of incoming and outgoing threats between geographic regions. You can see the source and destination of threats along with the type of threat including IPS, Virus, Screen, and more.
• Select Jobs to see a list of all jobs performed by CSO and the outcome of those jobs.

  You can see a job history or see upcoming jobs that have been scheduled for a future time.
  Clicking on an individual Job Name shows the details about that job. Further details may be available by clicking additional links within the job details pop-up window.

Dashboard

CSO provides a dashboard, which is the default landing page upon successful login. The dashboard can display various graphical information about tenants and sites.

You can customize the dashboard by dragging widgets from the top carousel down to the main dashboard. Different users can have their own dashboards. A user can also have multiple dashboards defined.