Next-Generation Firewall (NGFW) Deployment
NGFW Deployment Overview
The NGFW deployment focuses on providing remote network security through the use of SRX Series NGFW devices as CPE at the spoke site, unlike the SD-WAN deployment, which focuses on secure site-to-site connectivity and remote VNF deployment. A high-level view of the spoke site with NGFW is shown in Figure 1.
An NGFW deployment is carried out in the Customer Portal of CSO as a site deployment. The tenant under which the site is deployed must have the NGFW service available. This service is included in the tenant configuration by the tenant administrator during tenant onboarding. The remainder of this document provides a brief discussion of the architecture and the steps that you need to perform in order to complete an NGFW deployment in CSO.
NGFW Deployment Architecture
The architecture used in this example is described below.
The architecture for a cloud-hosted, CSO-managed NGFW deployment is very similar to any standalone firewall deployment as shown in Figure 1. There is only one WAN port needed for communication with CSO. This port must get its IP address and gateway information from an available DHCP server. The gateway must provide a path to the Internet so that the NGFW can communicate with Juniper’s redirect server.
CSO provisions the device and adds logging functionality. Optionally, default FW and NAT policies can be added during the initial provisioning process. After provisioning, the site administrator can push additional GE, NAT, UTM, or IPS policies to the device.
Device monitoring is supported via the CSO GUI where you can view application and security logging data.
The remaining ports on the NGFW can be used for LAN communication at the site. Additionally, an EX Series access switch can be added after the NGFW deployment. This addition allows for further LAN management within the site, including the ability to add CSO-managed Mist WiFi access points to the site.
Table 1 shows the security devices supported in an NGFW deployment.
Table 1: Hardware and Software Matrix for Devices in an NGFW Deployment
Junos OS Software Release Versions
SRX Series Security Gateways
For the most up-to-date information on hardware and software support for CSO, see the Contrail Service Orchestration Release Notes.
The procedure you follow to complete this task varies slightly depending on whether you are in the role of a CSO tenant administrator or OpCo administrator. A note is used where needed to account for these variances.
This procedure makes the following assumptions:
- You have already established your login credentials for CSO.
- The tenant for which you are creating the NGFW site is called Example_Company, and has already been created.
- The Example_Company tenant was added with NGFW WAN services capabilities.
- There is a working DHCP server available from which the WAN port of the NGFW device will obtain:
  - An IP address for the WAN port
  - Address of a gateway router that can route traffic to the Internet
The steps to deploy an NGFW site are as follows:
- Log in to CSO using your login credentials.
If you are an OpCo administrator, navigate to Tenants in the left-navigation panel and select Example_Company from the list of tenants on the tenants page. If you are the tenant administrator, you will be placed in the Customer Portal for Example_Company.
- In the Customer Portal for Example_Company, navigate to Resources > Site Management.
The Sites page appears.
- Click the Add button and select Add On-Premise Spoke (Manual) from the list of options.
The Add On-Premise Spoke Site for Example_Company page appears.
- In the Site Information section, give the site a name such as NGFW-Site1.
- In the Site Capabilities section, click the Next Gen Firewall icon.
Depending on the configuration of the Example_Company tenant, there may be other icons available. Only select Next Gen Firewall for this example.
- Click the right arrow icon > next to Address and Contact Information to expand this section.
None of the fields are required, but adding address information for the site allows CSO to place an icon in the correct location for the site on maps on the monitoring page and show how it is linked to CSO. Without an address, CSO will place an icon at a default site.
- Click the right arrow icon > next to Advanced
The two required fields, Name Server IP List and NTP Server are both pre-populated for you. Make changes as needed for your network to any of the fields.
- Click Next.
The wizard advances to the WAN page.
- In the Device Information section, fill in the serial number of the SRX device you are onboarding.
- The Auto Activate button is turned on by default.
Turn it off if you want to disable auto-activation and use an activation
Auto-activation, if left on, begins immediately after this add spoke site procedure is completed.
- The Zero Touch Provisioning (ZTP) button is turned on by default. Turn it off if you want to pre-stage the device.
ZTP, if left on, begins immediately after the activation procedure, if enabled.
- Select the appropriate In-Band Management port from the pull-down list.
In-Band Management refers to management traffic that uses a connection that also carries non-management traffic. In this case, the in-band management port is the WAN port over which the device communicates with both CSO and the Internet.
- Select a firewall policy from the pull-down list.
CSO has a built-in firewall policy called Default_Fw_Policy that is provided for you. This policy is a zone-based policy intent that allows all traffic from any address in the trust zone to reach any address in the untrust zone.
- Select a NAT policy from the pull-down list.
CSO has a built-in NAT policy called Default_NAT_Policy that is provided for you. This policy is a Source-NAT policy that translates the source IP address of any traffic originating in the trust zone to the IP address of the trust-zone interface.
- Click Next.
The wizard advances to the Summary page.
- Review the configuration on the Summary page as shown in Figure 2.
The summary lists, in text form, everything that could be set in the wizard's GUI.
At the bottom of the summary page a Save JSON link is shown that allows you to download a JSON file of this site configuration. This JSON configuration can be modified for other sites so that they can be quickly imported without using the wizard workflow.
- Click OK when satisfied, or click Back as needed to make any changes.
If you need to edit anything, you can click the Edit links within the summary to go directly to that page of the wizard.
The Site Activation wizard appears when you click OK.
- If you left auto-activate turned on, the activation procedure begins at this point with the Site Activation page appearing.
If you turned off ZTP, you must copy the set commands from the Pre-Stage Device section of the Site Activation wizard. If you left ZTP on, it will begin as part of the site activation wizard.
- The Site Activation window proceeds through Prestage Device to Detect Device to Bootstrap Device and, finally to Provision Device.
Each stage will report success as it completes its operation. The window can be closed at any point. While the activation process is running, the Site Status column in the site list reports Activating and provides a link to View the activation wizard’s progress. The Site Status changes to Provisioned once all the steps are successfully completed.
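The following Junos set commands are an added example, not configuration generated by CSO or copied from the Pre-Stage Device section; they express in Junos terms the behaviour this page attributes to Default_Fw_Policy and Default_NAT_Policy, so you can recognise and verify what the pushed policies do on the SRX. The interface names (ge-0/0/0 as the DHCP-addressed WAN port, ge-0/0/1 as a LAN port), the LAN address, and the rule names are assumptions; comment lines are for the reader.

```junos
# WAN port obtains its address and gateway from the site DHCP server (page assumption)
set interfaces ge-0/0/0 unit 0 family inet dhcp
# Constructed LAN address, for illustration only
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
# The zone hosting the WAN port must accept DHCP replies for the client to get a lease
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0
# Zone-based intent: any address in trust may reach any address in untrust
set security policies from-zone trust to-zone untrust policy Default_Fw_Policy match source-address any
set security policies from-zone trust to-zone untrust policy Default_Fw_Policy match destination-address any
set security policies from-zone trust to-zone untrust policy Default_Fw_Policy match application any
set security policies from-zone trust to-zone untrust policy Default_Fw_Policy then permit
# Session logging feeds the application and security logs viewed in the CSO GUI
set security policies from-zone trust to-zone untrust policy Default_Fw_Policy then log session-close
# Source NAT: traffic originating in trust is rewritten to an interface address on egress
set security nat source rule-set Default_NAT_Policy from zone trust
set security nat source rule-set Default_NAT_Policy to zone untrust
set security nat source rule-set Default_NAT_Policy rule trust-to-untrust match source-address 0.0.0.0/0
set security nat source rule-set Default_NAT_Policy rule trust-to-untrust then source-nat interface
```

After provisioning, `show security policies` and `show security nat source rule all` on the SRX show the policies CSO actually pushed; compare them against this intent to confirm nothing broader than trust-to-untrust was permitted.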