Adding and Provisioning a Next Generation Firewall Overview
You can use Contrail Service Orchestration (CSO) to:
- Add a firewall site for the next generation firewall device.
- Configure a CPE device (SRX Series services gateway) as a next generation firewall device.
- Add firewall policies for the standalone firewall site.
- Deploy the firewall policies for the standalone firewall site.
The topology to add an on-premise spoke site with next generation firewall capabilities is shown in Figure 1.
The following workflow describes the steps that are required to set up a firewall site and provision the firewall device associated with the site.
To set up a next generation firewall site and provision the firewall device:
- Add a standalone next generation firewall site. See Add a Standalone Next Generation Firewall Site.
  Before proceeding to the next step, ensure that the zero touch provisioning (ZTP) process is complete and that the firewall device status is Provisioned.
- Configure the firewall device. See Configuring the Firewall Device.
- Add firewall policies for the site. See Adding a Firewall Policy.
- Add firewall policy intents for the firewall policies that you added. See Adding Firewall Policy Intents.
- Deploy firewall policies to the site. See Deploying Firewall Policies.