
Customer Portal Getting Started

Congratulations on choosing CSO for Contrail SD-WAN, SD-LAN, Next Generation Firewall, and NFV lifecycle management. This guide is designed to help you quickly learn the basics of the Contrail Service Orchestration Customer Portal.

Customer Portal Capabilities

The Customer Portal helps you:

With these capabilities, you can add and manage all elements of CSO tenant sites and the devices dedicated to those sites. With role-based access control (RBAC), sites and devices belonging to one tenant cannot be seen by other tenants or customers.

Administration in the Customer Portal

The following tasks describe administration-related functions that can be performed in the Customer Portal.

Manage Users

Procedure

You can assign the following user types:

  • Tenant Operator—Able to view the list of users and certain details about them.

  • Tenant Administrator—Can add new tenant users as either an Operator or Administrator, and reset the password for existing users.

To add users:

  1. Navigate to Administration > Users.

    The Add Tenant User page appears, as shown in Figure 1.

    Figure 1: Add Tenant User Page

  2. Fill out the required information including whether the new user is an Operator or an Administrator.
  3. Click OK when finished.

    If you leave the user status as Enabled, an e-mail is sent from CSO to the user informing them that their account was created and giving them a Set your password link that they can click to set their own password on CSO. If the user is not enabled, it is shown as disabled in the list of users. A tenant administrator can later enable the user, at which time the Set your password e-mail is sent.

Manage Roles

Procedure

CSO uses Role-Based Access Control (RBAC) to isolate control of certain features to specific roles (groups of users). The following task describes how to add a custom role to your tenant.

  1. Click Administration > Roles.

    The Roles page appears, as shown in Figure 2.

    Figure 2: Roles Page

  2. Click the Add icon (+).

    The Add Role page appears, as shown in Figure 3.

    Figure 3: Add Role Page

  3. Specify the details for the role.

    Pay particular attention to the Access Privileges. There are six sections of access privileges:

    • Monitor

    • Resources

    • Configuration

    • Sites

    • Reports

    • Administration

    All sections appear collapsed at first. You can expand the sections by clicking the > next to the desired section. This expands the capabilities within that section as shown in Figure 3. For more information regarding roles and their abilities, see Adding User-Defined Roles for Tenant Users.

  4. Click OK.

    A status message appears about the new role.

Manage Audit Logs

Procedure

CSO automatically logs changes to an audit log. Tenant administrators can view, export, and purge audit logs based on date range.

To view or manage audit logs:

Upload Device Licenses

Procedure

To upload a license:

  1. Click Administration > Licenses > Device Licenses.

    The License Files page appears.

  2. Click the Add icon (+).

    The Add License page appears, as shown in Figure 4.

    Figure 4: Add License Page

  3. Click the Browse button and locate the license file.

    (Optional) Add a description for this particular license file.

  4. Click OK.
  5. The newly added license appears in the list of device licenses.

Push Device Licenses

Procedure

To push a license to a device:

  1. Click Administration > Licenses > Device Licenses.

    The License Files page appears.

  2. Click the checkbox next to the license file that you want to push to the device(s).
  3. Click the Push License pull-down menu and select Push.

    The Push License window appears, as shown in Figure 5.

    Figure 5: Push License Window


    This window shows all devices on which the license is already deployed. If it is not installed on any devices, an X is shown in the installed column.

  4. Select the checkboxes next to the device or devices to which you want to push the license.

    A job status notification appears. Another notification will alert you when the job is complete.

Manage the Signature Database

A tenant administrator or operator can view the currently installed version of the IPS signature database by navigating to Administration > Signature Database. On the Signature Database page, the active database version appears. It shows the publish date, detector versions and a count of how many devices have this version installed.

Procedure

A tenant administrator can install the Active Database onto devices:

  1. Navigate to Administration > Signature Database.
  2. Click the Install Signatures button.

    The Install Signatures window appears.

  3. Select the device(s) on which you want to install the signatures by clicking the checkbox next to the device name(s).
  4. (Optional) Change the Type from Run now to Schedule at a later time to have CSO install the signatures later.
  5. Click OK.

    A notification appears letting you know that the job is either starting now or scheduled for later.

Manage Certificates

Tenant operators and administrators can view a list of available SSL certificates by navigating to Administration > Certificate Management > Certificates. On the Certificates page is a list of the imported certificates. A tenant administrator can also install the imported certificates on CPE devices, uninstall certificates from devices, and view the sites at which certificates are installed. All of these capabilities are available by selecting the appropriate option from the More pull-down menu.

SSL certificates are used for SSL forward proxy.

Identity Management

CSO provides the ability to integrate Active Directory user identification for user-based firewall policy intents on SRX devices. To do this, CSO integrates with Juniper Identity Management System (JIMS). JIMS can be downloaded from within CSO by navigating to Administration > Identity Management and clicking the Download JIMS button.

Once downloaded and installed on a Microsoft Windows server, you can complete the JIMS to CSO configuration and the SRX-to-JIMS configuration by clicking the Proceed with Configuration button.

These configurations allow JIMS to provide Active Directory user identity information to SRX Series devices and to work in combination with CSO to allow the use of that information to create the firewall policy intents.

For more information, see Configuring CSO and JIMS Connection.

Manage WiFi Settings

CSO provides integration with the Mist WiFi portal to allow administrators to manage Mist WiFi access points connected to EX Series switches at remote sites.

Procedure

Tenant users in the Customer Portal can only view this setting while tenant administrators in the Customer Portal can change this setting.

To change the setting:

  1. Navigate to Administration > WiFi Settings.
  2. On the WiFi Settings page, click the Enable button.

    The slider turns blue.

  3. Fill in the appropriate Username and Password for your Mist account.
  4. Click Save.

    Once completed, you can access the details about the access point by navigating to the Devices tab of the Resources > Site Management > Site Name page and clicking the access point name.

Manage Reports

CSO provides two pre-defined security report definitions and one pre-defined SD-WAN report definition that are available at the Reports > Report Definitions > Security and Reports > Report Definitions > SD-WAN pages respectively.

Tenant users in the Customer Portal can only view the details of the report definitions.

Tenant administrators can run the reports by clicking the Run Now button. From the More pull-down menu, tenant administrators can also preview report definitions, send the reports by e-mail to a list of recipients, and so on. From the Add pull-down menu, tenant administrators can also add the following types of custom reports:

Multiple instances of each report type can be added. New and cloned reports can have different contents and different schedules.

At the Reports > Generated Reports > Security and Reports > Generated Reports > SD-WAN pages, both tenant operators and tenant administrators can view the reports that have been generated. Administrators can also delete generated reports.

Manage Resources

The following tasks describe the resource management functions that can be performed in the Customer Portal.

Note: After adding a site, you can change the following settings:

  • Address and contact information

  • NTP server

  • Site information

  • Site capabilities

  • Provider Hub and Enterprise Hub configuration

  • On-Demand VPN threshold

  • Device templates

  • Device information

  • WAN links (such as IP addresses)

  • Advanced WAN settings (such as Internet breakout and backup)

  • Mesh tags

  • OAM overlays

  • LAN segments

  • Trunk ports

Add a Provider Hub

To allow for secure OAM communications between sites and CSO, each tenant must have at least one provider hub with OAM capabilities. Additional provider hubs can be added as needed; these additional hubs can be of type DATA_ONLY, OAM_ONLY, or OAM_AND_DATA. All of these shared hub devices are added to CSO by an administrator in the Administration Portal and assigned to a POP.

The procedure below describes adding a pre-provisioned provider hub site to your tenant.

Procedure

To add a provider hub site:

  1. Select Resources > Site Management.
  2. Click the Add pull-down menu and select Add Provider Hub.

    The Add Provider Hub for Site Name page appears, as shown in Figure 6.

    Figure 6: Add Provider Hub Page

  3. Select a POP.

    Selecting a POP populates the Hub Device Name pull-down menu with the names of provider hub devices available in that POP.

  4. Select a Provider Hub device.

    Note: If no devices are shown on the pull-down menu, contact your Juniper account manager or your OpCo administrator.

  5. Click OK when finished.

    An add job message appears followed by a success or failure message for the device add job.

Add an On-Premises Spoke Site (Manual)

This task describes how to add an on-premises site. You can add two types of on-premises sites—On-Premises Spoke and Enterprise Hub. An on-premises spoke site can be added manually or with the use of a template that was previously added from the Resources > Templates > Site Templates page. This task can only be performed by a tenant administrator.

Procedure

To add an on-premises spoke site:

  1. Click Resources > Site Management.

    The Sites page appears. Any sites that already exist are listed on this page.

  2. Click Add > On-Premises Spoke (Manual).

    The Add On-Premises Spoke Site for Tenant-Name page appears.

  3. Specify the configuration for the on-premises site until you reach the configuration summary.

    As shown in Figure 7, the summary page shows all of the configuration that was entered for the on-premises site.

    Figure 7: Add On-Premises Spoke Summary Page

  4. Click OK.

    The status of the add operation is displayed.

Add an On-Premises Spoke Site using a Site Template

Procedure

The following task describes how to add an on-premises spoke site by using a previously-defined site template. This task can only be performed by a tenant administrator. If no templates are defined, CSO takes you to the Resources > Templates > Site Templates page to add a template before proceeding.

  1. Click Resources > Site Management.

    The Site page appears. Any sites that already exist are listed on this page.

  2. Click on the Add pull-down menu and select On-Premises Spoke Site (Using Template).

    The Add On-Premises Spoke Site page appears with large icons depicting the available templates, as shown in Figure 8.

    Figure 8: Add On-Premises Spoke Site Page

  3. Click the desired template icon or icons.
  4. Click Continue.

    The page changes and requests Site Data.

    You can upload the site data from a JSON file or add the site data manually by filling in the fields that were left blank in the template.

  5. Click the Add Manually radio button.

    The page changes to reveal site configuration information.

  6. Complete the required fields (marked by *).
  7. Click Save.

    Site add job notifications appear as the job is started and when completed (success or failure).

Add a Cloud Spoke Site

Procedure

The following task describes how to add a cloud spoke site. This task can only be performed by a tenant administrator.

Note: Adding a cloud spoke site requires that you have an Amazon Web Services (AWS) virtual private cloud (VPC) in place with the following elements:

  • 2 available elastic IP addresses in the AWS VPC.

  • 4 available subnets in the AWS VPC.

  1. Navigate to Resources > Site Management.

    The Sites page appears. Any sites that already exist are listed on this page.

  2. From the Add pull-down menu, select Add Cloud Spoke.

    The Add On-Premises Spoke Site for Tenant-Name window appears.

  3. Complete the configuration settings.

    Note: Fields marked with an asterisk (*) are mandatory and include configuration information regarding the AWS VPC.

    For more information, see Adding Cloud Spoke Sites for SD-WAN Deployment and Provisioning a Cloud Spoke Site in AWS VPC.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.

    The status of the add operation is displayed.

Add an Enterprise Hub

This task describes how to add an Enterprise Hub. This task can only be performed by a tenant administrator.

Procedure

To add an Enterprise Hub:

Note: You can add Enterprise Hub sites only for tenants with real-time optimized SD-WAN mode.

  1. Click Resources > Site Management.

    The Sites page appears. Any sites that already exist are listed on this page.

  2. Click the Add pull-down menu and select Enterprise Hub.

    The Add Enterprise Hub for Tenant-Name page appears, as shown in Figure 9.

    Figure 9: Add Enterprise Hub Page

  3. Complete the configuration settings.

    Note: Fields marked with an asterisk (*) are mandatory.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.

    You are returned to the Sites page and a message indicating that the site creation job was triggered is displayed. You can click the job ID link to view the progress of the job. After the job is completed successfully, a confirmation message is displayed and the site that you added is displayed on the Sites page.

Manage Devices

The Resources > Devices page shows a list of all spoke devices across all sites for your tenant. Tenant administrators and operators in CSO can see a list of all spoke devices. Tenant administrators can perform a number of operations on any one device by selecting the checkbox next to the device name and then selecting an operation from the More pull-down menu, as shown in Figure 10.

Figure 10: More Pull-down Menu on the Devices Page


If you click the device name link, you are taken to the OVERVIEW tab of the device details page for that particular device. On this page, you can see a lot of information about a device including:

The information on these charts can be adjusted to display over specific time periods.

The device details page also includes a CONFIGURATION TEMPLATE page which shows the configuration options managed by CSO through a variety of pre-made, stage-2 device templates. A tenant administrator can make changes to the available templates and then deploy them to the device. The administrator can also view a deployment history for the device.

You can deploy configuration templates as part of site onboarding or within a site template. You can also roll back a configuration template (which removes any configuration pushed to the device by the template) or undo the association (which leaves the configuration on the device but removes the template).

Manage Device Images

CSO provides tenant operators and administrators the ability to view device software images on the Resources > Images page. Tenant administrators can stage and deploy device images to CPE and hub devices by clicking the appropriate button. Tenant administrators can also see image upgrade history by clicking the appropriate button.

Staging device images prior to deployment is recommended for sites with slow links.

Manage Site Groups

CSO allows tenant administrators to use the Site Groups page to view, create, and delete site groups for a tenant at Resources > Site Groups. Site groups enable you to group sites logically, thereby easing site management. You can use site groups to apply policies at the site group level.

Manage Mesh Tags

CSO uses mesh tags to allow direct site-to-site communication (without a hub) using dynamic VPNs in SD-WAN environments. For this to happen, each site must have a matching mesh tag assigned.

Only tenant administrators have access to the Mesh Tags page at Resources > Mesh Tags. CSO ships with the pre-defined mesh tags MPLS and INTERNET. These tags cannot be deleted or modified. Administrators can add new tags for use in their network by clicking the Add icon (+) and filling out the information in the window that pops up.
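
The matching rule described above can be checked against a planned tag assignment before sites are onboarded. The following Python sketch is an added example, not CSO code or a CSO API. The site names, the BRANCH-MESH and Internet tags, and the assumption that tags match by exact string comparison are all hypothetical.

```python
from itertools import combinations

# Constructed inventory: site name -> mesh tags planned for that site.
# MPLS and INTERNET are the pre-defined tags named in this guide;
# BRANCH-MESH and "Internet" are hypothetical custom tags.
SITES = {
    "spoke-nyc": {"INTERNET", "MPLS"},
    "spoke-bos": {"INTERNET"},
    "spoke-sfo": {"MPLS", "BRANCH-MESH"},
    "spoke-aus": {"Internet"},  # differs from INTERNET only by case
}


def direct_pairs(sites):
    """Map each site pair that shares a mesh tag to the tags they share.

    Assumption: tags match by exact string comparison.
    """
    pairs = {}
    for a, b in combinations(sorted(sites), 2):
        shared = sites[a] & sites[b]
        if shared:
            pairs[(a, b)] = shared
    return pairs


def sites_without_match(sites):
    """Sites that share no tag with any other site (no direct tunnel possible)."""
    matched = {site for pair in direct_pairs(sites) for site in pair}
    return sorted(set(sites) - matched)


def singleton_tags(sites):
    """Tags assigned to exactly one site; such a tag can never match."""
    owners = {}
    for site, tags in sites.items():
        for tag in tags:
            owners.setdefault(tag, []).append(site)
    return {tag: s[0] for tag, s in owners.items() if len(s) == 1}


def case_variants(sites):
    """Groups of tags that differ only by letter case (likely typos)."""
    groups = {}
    for tags in sites.values():
        for tag in tags:
            groups.setdefault(tag.casefold(), set()).add(tag)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for (a, b), shared in direct_pairs(SITES).items():
        print(f"{a} <-> {b}: {', '.join(sorted(shared))}")
    print("no matching tag:", sites_without_match(SITES))
    print("tags on a single site:", singleton_tags(SITES))
    print("case-only variants:", case_variants(SITES))
```
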

Manage Templates

CSO uses templates to allow for fast, repeatable site additions, to define device characteristics and capabilities, and to allow for expanded device configuration after a device is provisioned. CSO ships with a set of pre-defined device and configuration templates. These templates are available at Resources > Templates > Device Templates, and Resources > Templates > Configuration Templates, respectively.

Tenant operators can only view the available templates and their details, while tenant administrators can import new templates, clone existing templates, and edit cloned and unused templates. Templates that are already in use cannot be changed, but can be cloned.

Procedure

The following procedure describes how to add a site template. Only tenant administrators can add site templates. Tenant operators can only view existing templates.

  1. Click Resources > Templates > Site Templates.

    The Site Templates page appears.

  2. Click the large Add New Template button.

    The Add Site Template for Tenant Name page appears and starts the process at the General tab.

  3. Fill out the information on the General part of the form, as shown in Figure 11.

    Figure 11: Add Site Template Page

  4. Click Next.

    The page advances to the WAN configuration form, as shown in Figure 12.

    Figure 12: WAN Configuration Form

  5. Fill out the information on the WAN form.

    Required field names are marked with an asterisk (*). You must select at least one item from the Site Capabilities section.

  6. Click Next.

    If your tenant has LAN services available, the page advances to the LAN configuration form, as shown in Figure 13. If not, the LAN configuration section is automatically bypassed and the page advances to the Summary form.

    Figure 13: LAN Configuration Form

  7. (Optional) Fill out the LAN form.
  8. Click Next.

    The page advances to Summary.

  9. Review the summary page.
  10. Click Save.

Deploy and Start Network Services

Procedure

Network Service deployment can only be performed by tenant administrators.

To deploy network services:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click the name of the site for which you want to deploy network services.

    Note: The site must have an NFX Series device as a CPE so that network services can be deployed.

    The Site-Name page appears.

  3. In the Services tab, click View Services.

    The Deploy Network Services pane appears on the right side of the page.

  4. Select a service and an attachment point. Alternatively, drag and drop a service on to an attachment point.

    The Deploy Network Service: Site-Name page appears.

  5. Specify the parameters for the service that you want to deploy.
  6. Click Deploy to deploy the service.

    The status of the deploy operation is displayed.

  7. Select the deployed service and click Start Service.

    The status of the service is displayed.

Manage Policy Configuration

The following tasks describe how to add, view, manage, and deploy policies. There are many types of policies and supporting shared objects. CSO keeps policy and profile management similar across the different policy types. Not all policies, profiles, or options are covered in the getting started panel.

Note: You must be logged in as a tenant administrator to do anything other than view the various policies, profiles, and shared objects available on the configuration tab.

Add and Deploy an Intent-based Firewall Policy

Intent-based firewall policies can control traffic in a number of ways:

Procedure

To add an intent-based firewall policy:

  1. Prepare the endpoints that you want to use in the firewall policy:
    • Source endpoints can be IP addresses, IP address groups, sites, site groups, or departments.

    • Destination endpoints can be IP addresses, IP address groups, sites, site groups, departments, Layer 7 (L7) applications, or services.

  2. Add one or more firewall intents (by using the available endpoints):

    Procedure

    1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

    2. Click the Add icon (+).
    3. Specify the parameters for the firewall intent.

      Best Practice: In order for CSO to receive security monitoring data, we recommend that you enable Logging on all firewall policies.

    4. Click Save.

      The status of the save operation is displayed.

  3. Deploy the firewall policy:

    Procedure

    1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

    2. Click the Deploy button to deploy the firewall policy.

      The Deploy page appears.

    3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
    4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

Create NAT Policy

Procedure

To create a NAT policy:

  1. Click Configuration > NAT > NAT Policies.

    The NAT Policies page appears.

  2. Click the Add icon (+).

    The Create NAT Policy page appears.

  3. Give the policy a name.
  4. In the Sites Applied On section, select the checkbox next to all sites on which you want to apply this policy.

    Note: The Sites Applied On list only shows active sites for this tenant. You must activate at least one site in order to create a NAT policy.

  5. Click the right arrow button (>) between the Available and Selected sites lists.

    Any site checked in the available list moves to the selected list.

  6. Click OK.

    The new policy now shows in the list of policies.

Create and Deploy a NAT Policy Rule

Procedure

To view and manage a NAT policy:

  1. Prepare the endpoints that you want to use in the NAT policy:
    • Source endpoints can be IPv4 and IPv6 addresses, or port numbers.

    • Destination endpoints can be IPv4 and IPv6 addresses, or port numbers.

  2. Create a NAT policy rule:

    Procedure

    1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears, displaying the existing NAT policies.

    2. Click the name of the NAT policy for which you want to create rules. Alternatively, you can click the number or the Add Rule link listed under Rules against a NAT policy.

      The Single NAT Policy page appears.

    3. Click Create and select either Source, Static, or Destination. The page displays fields for creating a NAT rule.
    4. Specify the parameters for NAT rules.
    5. Click OK.

      The status of the create operation is displayed.

  3. Create NAT pools:

    Procedure

    1. Select Configuration > NAT > Pools.

      The NAT Pools page appears.

    2. Click the Add icon (+).

      The Create NAT Pool page displays fields required for creating and configuring a NAT pool.

    3. Specify the parameters for NAT pools.
    4. Click OK.

      The status of the create operation is displayed.

  4. Deploy the NAT policy:

    Procedure

    1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears.

    2. Click on the NAT policy that you want to deploy.

      The NAT Policy Rules page appears.

    3. Select one or more NAT policy rules, and click Deploy.

      Note: Even though you select one or more NAT policy rules, when you click Deploy, all NAT policy rules that are associated with the NAT policy are deployed.

      The status of the deployment operation is displayed.

Add and Deploy an SD-WAN Policy

Procedure

To add and deploy an SD-WAN policy intent:

  1. Prepare the endpoints that you want to use in the SD-WAN policy:
    • Source endpoints can be sites, site groups, or departments.

    • Destination endpoints can be applications or application groups.

  2. Add an SD-WAN policy intent and associate it with the SLA profile:

    Procedure

    1. Click Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

    2. Click the Add icon (+).
    3. Specify the parameters for the SD-WAN policy intent.
    4. Click Save.

      The status of the save operation is displayed.

  3. Deploy the SD-WAN policy intent:

    Procedure

    1. Click Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

    2. Click the Deploy button to deploy the policy intent.

      The Deploy page appears.

    3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
    4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

Add a Breakout Profile

Procedure

To add a breakout profile:

  1. Click Configuration > SD-WAN > Breakout Profiles.

    The Breakout Profiles page appears.

    Note: You must have at least one Traffic Type Profile in the enabled state to complete the rest of this procedure. Traffic type profiles are managed by the SP administrator in the Administration Portal.

  2. Click the Add icon (+).

    The Add Breakout Profile page appears.

  3. Specify the parameters for the breakout profile.
  4. (Optional) Set Advanced Configuration Parameters for Rate Limiting.
  5. Click OK.

Manage Shared Objects

Many of the policies and profiles under the Configuration tab use shared objects. To manage shared objects, navigate to Configuration > Shared Objects. The available types of shared objects are: Addresses, Departments, Services, and Application Signatures. All of these object types can be used in the creation of firewall intents.

Monitor Activities and Status

CSO provides the ability to monitor your sites, security events, link switch events, and more. The following list describes what can be seen using the CSO monitoring feature.

Procedure

Dashboard

CSO provides a dashboard, which is the default landing page upon successful login. The dashboard can display various graphical information about tenants and sites.

You can customize the dashboard by dragging widgets from the top carousel down to the main dashboard. Different users can have their own dashboards. A user can also have multiple dashboards defined.
