
Customer Portal Getting Started

 

This guide is designed to help you quickly learn the basics of the Contrail Service Orchestration (CSO) Customer Portal, including SD-WAN and next-generation firewall services.

Customer Portal Capabilities

The Customer Portal helps you:

  • Add, manage, and maintain individual tenant sites in the service provider cloud and on-premises.

  • Monitor alerts, alarms, device events, security events, link-switch events, and more.

  • Manage existing CPE devices and software images.

  • Add, manage and maintain device policies and virtual network services.

  • Add security and SD-WAN reports.

  • Manage tenant-level and site-level users, settings, and configurations.

With these capabilities, you can add and manage all elements of CSO tenant sites and the devices dedicated to those sites. With Role-Based Access Control (RBAC), sites and devices belonging to one tenant cannot be seen by other tenants.

Note

All tasks mentioned in the Customer Portal Getting Started guide can be done by Tenant Administrators only. A Tenant Operator cannot perform any of these tasks. For example, adding a site of any type must be performed by a tenant administrator.

About the Customer Portal Dashboard

CSO provides a dashboard, which is the default landing page upon successful login. The dashboard can display various graphical information about sites, devices, policies, and so on.

You can customize the dashboard by dragging widgets from the top carousel down to the main dashboard. Different users can have their own dashboards. A user can also have multiple dashboards defined.

Add Tenant Users

You can add and assign the following tenant user types:

  • Tenant operator—Able to view all objects (devices, sites, policies, templates, and so on) in CSO.

  • Tenant administrator—Can add new tenant users as either an operator or administrator, and reset the password for existing users.

    Note

    Functions in the Customer Portal which can alter the settings and resources available always require tenant administrator user status.

To add tenant users:

  1. Navigate to Administration > Users.

    The Add Tenant User page appears.

  2. Fill out the required information including whether the new user is a tenant operator or a tenant administrator.
  3. Click OK when finished.

    A message confirms the status of the newly added tenant user.

Add Roles

CSO uses Role-Based Access Control (RBAC) to isolate control of certain features to specific roles (groups of users). The following task describes how to add a custom role:

  1. Click Administration > Roles.

    The Roles page appears.

  2. Click the Add icon (+).

    The Add Role page appears.

  3. Specify the details for the role.

    Pay particular attention to the Access Privileges. There are six sections of access privileges:

    • Monitor

    • Resources

    • Configuration

    • Sites

    • Reports

    • Administration

    All sections appear collapsed at first. You can expand the sections by clicking the > next to the desired section. This expands the capabilities within that section.

  4. Click OK.

    A message confirms the status of the newly added role.

Add Sites

Following are the different types of sites you can add.

Add an Enterprise Hub Site

An enterprise hub site is an SD-WAN site that is used to carry site-to-site traffic between on-premises spoke sites and to break out backhaul (central breakout) traffic from on-premises spoke sites.

To add an enterprise hub site:

  1. Select Resources > Site Management.

    The Site Management page appears.

  2. Click Add and select Enterprise Hub.

    The Add enterprise hub for Tenant-Name page appears.

  3. Complete the configuration settings according to the guidelines provided in the following table:

    Table 1: Enterprise Hub Site Settings

    Field

    Description

    General

    Site Name

    Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

    Site Capabilities

    SD-WAN capability is selected by default. You cannot clear the selection.

    WAN

    Device Series

    Select the device series to which the CPE device belongs—SRX, NFX150, or NFX250.

    Device Template

    Select a device template for the selected device series.

    The device template contains information for configuring a device.

    Serial Number

    Enter the serial number of the CPE device.

    You can also add the enterprise hub site but activate the site later. If you do not enter the serial number of the CPE device when creating the enterprise hub site, you must enter it while activating the site, using the Activate Site link.

    Auto Activate

    If the selected device template supports auto activation, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added.

    The Activation Code field appears if the selected device template does not support auto activation or if you disable the Auto Activate option.

    In such cases, specify the activation code of the device to manually activate a device.

    IP Prefix

    Enter the IPv4 prefix to be used for the management network. This IP address must be unique across the entire management network.

    • For NFX150 and NFX250 devices, if the USE_SINGLE_SSH_TO_NFX parameter is disabled in the device template, then enter the IP address prefix as /29 or lower based on the number of VNFs.

    • For all other devices, enter the IP address prefix as /32.

    WAN Links

    WAN_0

    This field is enabled by default.

    You can configure up to 4 WAN links as required.

    Link Type

    Select whether the link would be an MPLS link or Internet link.

    Note: If the enterprise hub and the SD-WAN branch site are not in the same network, that is if these devices are not directly reachable, select one link as Internet and assign a public IP to the Internet-type link.

    Egress Bandwidth

    Enter the maximum bandwidth, in Mbps, allowed on the WAN link.

    Range: 1 through 10,000.

    Address Assignment

    Select the method of assigning an IP address to the WAN link—DHCP or STATIC.

    If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

    Static IP Prefix

    If you configured the address assignment method as STATIC, enter the IP address prefix of the WAN link.

    Note: If the enterprise hub and the SD-WAN branch site are not in the same network, assign a public IP to the Internet-type link.

    Gateway IP Address

    If you configured the address assignment method as STATIC, enter the IP address of the gateway of the WAN service provider.

    Advanced Settings

    Use For Fullmesh

    Click the toggle button to specify whether the WAN link can be a part of a full mesh topology.

    A site can have a maximum of three links enabled for meshing.

    Add LAN Segment

    Name

    Enter a name for the LAN segment.

    The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.

    Type

    Select the type of LAN segment:

    • Directly Connected—Indicates that the LAN segment is directly connected to the site. This is the default.

    • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

    Department

    Select a department to which the LAN segment is to be assigned.

    Alternatively, click the Create Department link to create a new department and assign the LAN segment to it.

    You group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

    Gateway Address/Mask

    Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.

    CPE Ports

    Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

  4. Click OK.

    After the site is successfully added to CSO, the Site Status on the Sites page changes to Provisioned.

WHAT'S NEXT

If you did not enter the serial number while creating the enterprise hub site, you must enter it manually through Resources > Site Management in order to activate the site.
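The limits in Table 1 (site name characters and length, /32 management prefix except for NFX devices with USE_SINGLE_SSH_TO_NFX disabled, up to 4 WAN links with egress bandwidth 1 through 10,000 Mbps, at most three full-mesh links, LAN segment name and gateway/mask, at least one CPE port) are worth checking before a record is submitted, especially when sites are prepared in bulk. The following validator is an added example and is not Juniper's code; the dictionary layout it reads is an assumption for the example, not the portal's JSON schema, and the sample records are constructed.

```python
"""Validate an SD-WAN site record against the limits the guide documents in
Table 1 before submitting it (for example, in a bulk-import JSON file).
Added example, not Juniper's code; the dictionary layout below is assumed and
is not the portal's own JSON schema."""
import ipaddress
import re

SITE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")  # alphanumeric and hyphen, max 32 chars
LAN_NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,15}$")  # alphanumeric, '.' and '-', no spaces, max 15
MAX_WAN_LINKS = 4             # up to 4 WAN links on a hub site
MAX_MESH_LINKS = 3            # at most three links enabled for meshing
BANDWIDTH_MBPS = (1, 10_000)  # egress bandwidth range
NFX_SERIES = {"NFX150", "NFX250"}


def validate_site(site: dict) -> list[str]:
    """Return human-readable problems; an empty list means every constraint
    checked here is satisfied."""
    errors = []

    name = site.get("site_name", "")
    if not SITE_NAME_RE.match(name):
        errors.append(f"site_name: {name!r} must be 1-32 alphanumeric or hyphen characters")

    # Management prefix: /32, except NFX devices whose template has
    # USE_SINGLE_SSH_TO_NFX disabled, which need /29 or shorter.
    nfx_multi_ssh = (site.get("device_series") in NFX_SERIES
                     and not site.get("use_single_ssh_to_nfx", True))
    try:
        mgmt = ipaddress.ip_network(site.get("ip_prefix", ""), strict=False)
        if nfx_multi_ssh and mgmt.prefixlen > 29:
            errors.append(f"ip_prefix: NFX with USE_SINGLE_SSH_TO_NFX disabled needs /29 or shorter, got /{mgmt.prefixlen}")
        elif not nfx_multi_ssh and mgmt.prefixlen != 32:
            errors.append(f"ip_prefix: expected a /32 management prefix, got /{mgmt.prefixlen}")
    except ValueError:
        errors.append("ip_prefix: not a valid IPv4 prefix")

    links = site.get("wan_links", [])
    if not 1 <= len(links) <= MAX_WAN_LINKS:
        errors.append(f"wan_links: expected 1-{MAX_WAN_LINKS} links, got {len(links)}")
    mesh_links = 0
    for i, link in enumerate(links):
        if link.get("link_type") not in ("MPLS", "Internet"):
            errors.append(f"wan_links[{i}].link_type: must be MPLS or Internet")
        bw = link.get("egress_bandwidth")
        if not isinstance(bw, int) or not BANDWIDTH_MBPS[0] <= bw <= BANDWIDTH_MBPS[1]:
            errors.append(f"wan_links[{i}].egress_bandwidth: must be an integer from 1 through 10000 Mbps")
        if link.get("address_assignment") == "STATIC":
            for key in ("static_ip_prefix", "gateway_ip"):
                if not link.get(key):
                    errors.append(f"wan_links[{i}].{key}: required when address assignment is STATIC")
        if link.get("use_for_fullmesh"):
            mesh_links += 1
    if mesh_links > MAX_MESH_LINKS:
        errors.append(f"fullmesh: {mesh_links} links enabled for meshing, maximum is {MAX_MESH_LINKS}")

    for i, seg in enumerate(site.get("lan_segments", [])):
        seg_name = seg.get("name", "")
        if not LAN_NAME_RE.match(seg_name):
            errors.append(f"lan_segments[{i}].name: {seg_name!r} must be 1-15 characters from [A-Za-z0-9.-]")
        try:
            ipaddress.ip_interface(seg.get("gateway", ""))  # e.g. 192.0.2.8/24
        except ValueError:
            errors.append(f"lan_segments[{i}].gateway: must be address/mask such as 192.0.2.8/24")
        if not seg.get("cpe_ports"):
            errors.append(f"lan_segments[{i}].cpe_ports: select at least one CPE port")
    return errors


# Constructed sample records; names, addresses and ports are illustrative only.
GOOD_SITE = {
    "site_name": "hub-east-1",
    "device_series": "SRX",
    "ip_prefix": "192.0.2.10/32",
    "wan_links": [
        {"link_type": "Internet", "egress_bandwidth": 500, "address_assignment": "STATIC",
         "static_ip_prefix": "198.51.100.10/24", "gateway_ip": "198.51.100.1", "use_for_fullmesh": True},
        {"link_type": "MPLS", "egress_bandwidth": 200, "address_assignment": "DHCP", "use_for_fullmesh": True},
    ],
    "lan_segments": [{"name": "lan-1", "gateway": "192.0.2.8/24", "cpe_ports": ["ge-0/0/2"]}],
}
BAD_SITE = {
    "site_name": "hub east 1!",          # spaces and punctuation
    "device_series": "NFX250",
    "use_single_ssh_to_nfx": False,
    "ip_prefix": "192.0.2.10/32",        # this NFX needs /29 or shorter
    "wan_links": [{"link_type": "MPLS", "egress_bandwidth": 100, "address_assignment": "DHCP",
                   "use_for_fullmesh": True} for _ in range(4)]
                + [{"link_type": "Internet", "egress_bandwidth": 20_000,  # fifth link, bandwidth out of range,
                    "address_assignment": "STATIC"}],                   # STATIC without prefix and gateway
    "lan_segments": [{"name": "a very long lan name", "gateway": "not-an-address", "cpe_ports": []}],
}

if __name__ == "__main__":
    for label, record in (("good", GOOD_SITE), ("bad", BAD_SITE)):
        print(label, validate_site(record) or "OK")
```

Run it on a record before importing, and extend the checks with whatever your own device templates require; the portal performs its own validation as well, so this only catches the documented limits early.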

Add an On-Premises Spoke Site

You can add an on-premises spoke site either manually or with the use of a template that was previously added from the Resources > Templates > Site Templates page.

Before you add an on-premises spoke site:

  • Connect cables to the device according to your network design and power on the device.

    Note

    This task assumes that the device will get a DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.

  • Ensure that ESP protocol traffic is allowed on the network.

  • Ensure that the ports listed in the following table are open on the network.

    Note

    Also ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that release.

    Table 2: CPE Devices, Port Information, and Documentation Links

    | Device Model | NAT/Firewall Ports | CPE WAN Link Ports |
    |---|---|---|
    | SRX4x000 devices | 50, 51, 53, 123, 443, 500, 4500 | xe-0/0/0, xe-0/0/1, xe-0/0/2, xe-0/0/3 |
    | SRX3xx devices, SRX550M, and vSRX devices | 50, 51, 53, 123, 443, 500, 4500 | ge-0/0/0, ge-0/0/1, ge-0/0/2, ge-0/0/3 |
    | NFX250 | 50, 51, 443, 500, 514, 2216, 3514, 4500, 7804 | ge-0/0/10, ge-0/0/11, xe-0/0/12, xe-0/0/13 |
    | NFX150 | 50, 51, 443, 500, 4500 | heth4, heth5, heth2, heth3 |

  • If you are using a GRE-only overlay between an SRX CPE and a hub device, ensure that GRE Traffic is enabled between CPE and the hub device.
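A quick way to confirm that the path between the CPE and CSO is open as Table 2 requires is to compare a firewall allow-list against the table. The following script is an added example, not Juniper's code. It carries 50 and 51 as IP protocol numbers (ESP and AH, which is what those values are, and why the ESP prerequisite above is listed separately) rather than as ports; the guide does not say whether the remaining entries are TCP or UDP, so the allow-list is keyed by port number only, which is an assumption of this example. The rule syntax it parses and the sample policy are constructed for the example and are not any vendor's policy language.

```python
"""Check a firewall allow-list between the CPE and CSO against the NAT/firewall
entries in Table 2.  Added example, not Juniper's code.  50 and 51 are tracked
as IP protocol numbers (ESP, AH); the other entries are destination ports, and
since the guide does not state TCP vs UDP the allow-list is keyed by port number
only (assumption).  The rule format parsed here is constructed for the example."""

ESP, AH = 50, 51   # IP protocol numbers, not TCP/UDP ports

# (IP protocols, destination ports) per device model, from Table 2.
REQUIRED = {
    "SRX4x000 devices": ({ESP, AH}, {53, 123, 443, 500, 4500}),
    "SRX3xx devices, SRX550M, and vSRX devices": ({ESP, AH}, {53, 123, 443, 500, 4500}),
    "NFX250": ({ESP, AH}, {443, 500, 514, 2216, 3514, 4500, 7804}),
    "NFX150": ({ESP, AH}, {443, 500, 4500}),
}


def parse_allow_list(text):
    """Parse the constructed format:
         protocol <n>          IP protocol <n> permitted
         port <n> | <a>-<b>    destination port or inclusive range permitted
       '#' starts a comment.  Anything else raises ValueError so a malformed
       policy is reported instead of being read as more permissive than it is."""
    protocols, ports = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, value = line.partition(" ")
        if kind == "protocol":
            protocols.add(int(value))
        elif kind == "port":
            low, _, high = value.partition("-")
            ports.update(range(int(low), int(high or low) + 1))
        else:
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
    return protocols, ports


def missing_rules(model, allowed):
    """What Table 2 requires for `model` that `allowed` does not permit."""
    need_protocols, need_ports = REQUIRED[model]
    have_protocols, have_ports = allowed
    return {"protocols": sorted(need_protocols - have_protocols),
            "ports": sorted(need_ports - have_ports)}


# Constructed policy: permits ESP and ports 443, 500 and 4500, but has no AH
# rule and nothing for 53 or 123.
SAMPLE_POLICY = """\
# constructed example policy
protocol 50      # ESP
port 443
port 500
port 4500
"""

if __name__ == "__main__":
    allowed = parse_allow_list(SAMPLE_POLICY)
    for model in REQUIRED:
        print(model, missing_rules(model, allowed))
```

Against the sample policy the NFX150 row only lacks AH, while the SRX rows additionally lack 53 and 123 and the NFX250 row lacks its four extra ports. An empty result for a model means the allow-list covers the table, not that the path is actually reachable; an end-to-end connectivity test is still needed.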

To add an on-premises spoke site:

  1. From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.

    The Add On-Premise Spoke Site page appears.

  2. Complete the settings as explained in the following table:

    Table 3: SD-WAN On-Premises Spoke Site Settings

    Field

    Description

    General

    Site Name

    Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

    Site Capabilities

    Select SD-WAN.

    Primary Hub

    Select an enterprise hub site as the primary hub from the list of available hub sites. If there is only one hub site available, that one is selected by default.

    WAN

    Device Series

    Select the CPE device.

    Device Template

    Select a device template for the CPE device.

    Serial Number

    Enter the serial number of the CPE device.

    You can also add the on-premises spoke site but activate the site later. If you do not enter the serial number of the CPE device when creating the on-premises spoke site, you must enter it while activating the site, using the Activate Site link.

    Auto Activate

    If the selected device template supports ZTP, Auto Activate is enabled. When Auto Activate is enabled, zero-touch provisioning of the device is automatically triggered when the site is added.

    The Activation Code field appears if the selected device template does not support ZTP or if you disable the Auto Activate option.

    In such cases, specify the activation code of the device to manually activate a device.

    Link Type

    Select whether the link is an MPLS link or Internet link.

    Access Type

    Select the access type for the underlay link:

    • If you’ve selected Internet as the link type, you can select Ethernet (default), LTE, ADSL, or VDSL as the access type.

    • If you’ve selected MPLS as the link type, you can select Ethernet (default) or LTE as the access type.

    You can select the LTE, ADSL, or VDSL access type only for one WAN link.

    Note:

    • You cannot configure LTE, ADSL, or VDSL as the access type if you are using the Dual SRX and Dual NFX device templates; Ethernet is configured as the access type for the underlay link.

    • SRX300 does not support LTE and ADSL access types.

    • On SRX300 line of Services Gateways (except SRX300 devices) and NFX150 devices, the LTE WAN link is supported through a SIM card that is inserted in the SIM slot of the Mini-Physical Interface Module (Mini-PIM). On NFX250 devices, the LTE WAN link is supported through a USB dongle (Vodafone K5160 dongle) that is plugged into the USB port of the CPE device.

    PPPoE/PPP

    Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet) or PPP (Point-to-Point Protocol). By default, this toggle button is disabled.

    PPPoE works with Ethernet, ADSL, and VDSL access types while PPP works with the LTE access type.

    Note: This toggle button is not available for Internet links with LTE as the access type.

    If you’ve enabled this toggle button, you must specify the PPPoE or PPP parameters (username, password, and authentication protocol) for the PPPoE or PPP server, respectively. The PPPoE or PPP server assigns an IP address to the WAN link after successful authentication.

    If you’ve disabled this toggle button, select a method (DHCP or STATIC) to assign an IP address to the WAN link from the Address Assignment list.

    Access Point Name (APN)

    If you choose to use a private APN with the current LTE service provider or to use a different LTE service provider, enter the APN for the CPE device (as specified by the service provider).

    This field is displayed only if you have enabled PPPoE/PPP for MPLS links with LTE as the access type. If you have disabled PPPoE/PPP for these links, CSO uses the default APN settings.

    Egress Bandwidth

    Specify the maximum bandwidth allocated for the WAN link.

    Note: This option is not available for Internet and MPLS links with LTE access type.

    Address Assignment

    Specify whether to use DHCP or Static addresses.

    If you select Static, specify a Static IP Prefix and Gateway IP Prefix.

    This field is displayed only if you have disabled the PPPoE/PPP toggle button.

    Service Provider

    Enter the name of the service provider.

    Cost per month

    Enter the per month cost of the link. This information is used to identify the least expensive link when link switch occurs.

    LAN Segment

    Add LAN Segment

    Click to add a LAN segment.

    Name

    Enter a unique name for the LAN segment.

    Gateway Address/Mask

    Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.

    Department

    Select a department from the list; if no department is available, click Create Department and add one.

    A department is a grouping of LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department.

    CPE Port

    Select at least one CPE port.

  3. Click OK to add the site.

    When the site is successfully created, the Site Status in the Sites page changes to Provisioned.

WHAT'S NEXT

If you did not enter the serial number while creating the on-premises spoke site, you must manually enter the serial number in the configuration after adding the spoke site, in order to activate the site.

Add a Next-Generation Firewall Site

You can add a next-generation firewall site to manage a standalone SRX device that is configured as a firewall device. You can also create a next-generation firewall site for branch networks to manage an SRX firewall device.

This task assumes that the device will get a DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.

Note

When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15 based on the SRX model) for Internet connectivity.

For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device.

Note

Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that Release.

Table 4: Next-Generation Firewall Devices, Port Information, and Documentation Links

| Device Model | NAT/Firewall Ports |
|---|---|
| SRX3xx devices, SRX550M, SRX1500, SRX4100, and SRX4200 | 443; 444 (not needed for CSO SaaS instances); 514; 6514; 7804; 8060 (needed if using PKI authentication to validate CRL) |

To add a next-generation firewall site:

  1. From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.

    The Add Site wizard appears.

  2. Complete the configuration as explained in the following table:

    Table 5: Next-Generation Firewall Site Settings

    Field

    Description

    General

    Site Name

    Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

    Site Capabilities

    Select Next Gen Firewall.

    WAN

    Serial Number

    Enter the serial number of the device.

    You can also add the next-generation firewall site but activate the site later. If you choose to not enter the serial number of the CPE device when creating the next-generation firewall site, you must enter it while activating the site, using the Activate Site link.

    Auto Activate

    Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device.

    Zero Touch Provisioning (ZTP)

    Zero Touch Provisioning is enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. Note that the SRX device must support phone home client for ZTP to work. If the device does not support phone home client, disable Zero Touch Provisioning and manually copy-paste the stage-1 configuration from the device CLI.

  3. Click Next to review the settings and then, click OK to add the site.

    When the site is successfully created, the Site Status in the Sites page changes to Provisioned.

WHAT'S NEXT

If you did not enter the serial number while creating the next-generation firewall site, you must manually enter the serial number after adding the firewall site, in order to activate the site.

Add a Spoke Site by Using a Site Template

To use a previously-defined site template to add an on-premises spoke site, follow this procedure. If no site templates are defined, CSO takes you to the Resources > Templates > Site Templates page to add a site template before proceeding.

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Add On-Premise Spoke Site (Using Site Template).

    The Add Spoke Site page appears listing the existing site templates.

  3. Select the site template and click Continue.

    The Add Spoke Site page appears.

  4. The Site Template field displays the name of the site template that you have selected. If you want to change the site template, click the Change link and select another site template of your preference from the Add Spoke Site page.
  5. Do one of the following to add on-premise spoke sites:
    • To add on-premise spoke sites in bulk by importing the JSON file:

      1. Select Import from file in the Site Data field.

      2. (Optional) Click Download sample JSON file to download a sample JSON template and use it to specify site data that you can later import.

      3. Click Browse to upload the JSON file.

      4. Navigate to the folder and select the JSON file.

      5. Click Open.

    • To manually add on-premise spoke sites in bulk, select Add Manually in the Site Data field.

    The Site 0 tab appears listing the fields based on the capabilities that were selected for the site template.

  6. Complete the configuration for Site0.
  7. Click the Add icon (+) to add more sites and complete the configuration for each site.
  8. Review the sites.

    If there are validation errors, an error icon appears in the left pane (next to the site name). You must ensure that all errors are resolved before proceeding.

  9. (Optional) You can remove a site by clicking the X icon when you hover over the site name in the left pane.
  10. Click Add.

    A confirmation message is displayed indicating that the job is created for adding sites in bulk.

Add a Cloud Spoke Site

To add a cloud spoke site.

Note

Adding a cloud spoke site requires that you have an Amazon Web Services (AWS) virtual private cloud (VPC) in place with the following elements:

  • Two available elastic IP addresses in the AWS VPC.

  • Four available subnets in the AWS VPC.

  1. Select Resources > Site Management.

    The Site Management page appears. Any sites that already exist are listed on this page.

  2. Click Add and select Add Cloud Spoke.

    The Add On-Premises Spoke Site for Tenant-Name window appears.

  3. Complete the configuration settings, as defined in the following table.

    Note

    Fields marked with an asterisk (*) are mandatory and include configuration information regarding the AWS VPC.

    Table 6: Fields on the Add Cloud Spoke Site Page

    Field

    Description

    General

    Site Information

    Site Name

    Enter a unique name for the site. Enter a unique string of alphanumeric characters and special character (-). The maximum length is 32 characters.

    Site Group

    (Optional) Select a site group to which you want to assign the site.

    Site Capabilities

    WAN Capabilities

    Select SD-WAN to include SD-WAN capabilities in the cloud spoke site

    Configuration

    Primary Provider Hub

    Select the hub site to which the spoke site must connect.

    Advanced Configuration

    Name Server IP List

    Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

    NTP Server

    Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. The site must have DNS reachability to resolve the FQDN during site configuration.

    Select Timezone

    Select the time zone for the site.

    WAN 

    Device Template

    Click a device template to select the plan for WAN connectivity.

    A device template contains information such as device family, a list of SD-WAN features supported, and the number of links supported.

    Note: vSRX as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC.

    Cloud Information

    Region

    Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.

    VPC ID

    Enter the VPC ID from the AWS account.

    Ensure that the VPC is connected to an Internet gateway.

    Management Subnet

    Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX is used to push the initial stage-1 configuration.

    IP Prefix

    Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP address prefix other than the reserved IP address prefix.

    Device Information

    Activation Code

    Enter the activation code of the primary device that your service provider supplied for the device. If you do not want to specify an activation code, on the Template Settings page, disable the ACTIVATION_CODE_ENABLED field and save the changes.

    WAN Links

    WAN_0 (ge-0/0/0)

    WAN_1 (ge-0/0/1)

    Select the check boxes to configure the WAN links. You can configure up to two WAN links per site that support SD-WAN.

    Link Type

    Displays the connection type for WAN underlays. Only Internet link is supported.

    Egress Bandwidth

    Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.

    Address Assignment

    Select the method of assigning an IP address to the WAN link—DHCP or STATIC.

    • If you select DHCP, the IP address is provided by using the DHCP server of the service provider of the WAN link.

    • If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

    Static IP Prefix

    If you configure the address assignment method as STATIC, enter the private IPv4 address of the WAN link from the subnet. For example, if the IPv4 CIDR address is 105.0.2.0/24 for a WAN interface in the AWS account, then enter any IP address within the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.

    Gateway IP

    If you configured the address assignment method as STATIC, enter the IPv4 address for the gateway of the WAN service provider. Typically, the first IP address in the subnet is selected for gateway IP address.

    Elastic IP

    An Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP address using one-to-one NAT. You must allocate the IP addresses based on the number of WAN links that are enabled. For example, if two WAN links are enabled, you must allocate two elastic IP addresses.

    Advanced Settings

    Based on the connectivity requirement, the following fields are populated:

    Provider

    Enter the name of the service provider (SP).

    Cost/Month

    Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

    Enable Local Breakout

    Click the toggle button to enable or disable (default) local breakout on the WAN link.

    • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

    • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

    Breakout Options

    Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

    Autocreate Source NAT Rule

    If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically-created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page.

    By default, this field is disabled.

    Preferred Breakout Link

    Click the toggle button to enable the WAN link as the preferred breakout link.

    If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

    Use for OAM Traffic

    If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

    This WAN link is then used to establish the OAM tunnel.

    Overlay Tunnel Type

    Select the mesh overlay tunnel type—GRE and GRE_IPSEC.

    MPLS links can have both GRE and GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

    Overlay Peer Device

    Displays the peer hub device to which the site is connected.

    Overlay Peer Interface

    Select the interface name of the hub device to which the WAN link of the site is connected.

    Backup Link

    Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.

    When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.

    Default Links

    Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.

    Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP).

    Management Connectivity

    IP Prefix

    Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool 100.124.0.0/14.

    LAN

    Add at least one LAN segment.

    LAN Segment

    Displays the LAN segment that you configure on the switch.

    To add a LAN segment, click the Add (+) icon on the top, right corner of the LAN table. The Add LAN Segment page appears.

    Table 7: Fields on the Add LAN Segment Page

    Field

    Description

    Add LAN Segment

    Name

    Enter a name for the LAN segment.

    The name for a LAN segment should be a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.

    Department

    Select a department to which the LAN segment is to be assigned.

    Alternatively, click the Create Department link to create a new department and assign the LAN segment to it.

    You group LAN segments as departments for ease of management and for applying policies at the department-level.

    Gateway Address/Mask

    Enter a valid gateway IP address and mask for the LAN segment.

    CPE Ports

    Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment, the CPE ports that you can include in the LAN segment are listed.

    Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

    Note: You can select only one port if the CPE is an SRX Series device.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.

    The status of the add operation is displayed.
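Several of the Table 6 rules for a cloud spoke are easy to get wrong by hand: the first four addresses of each AWS subnet are reserved, a STATIC WAN address and its gateway must sit inside the link's subnet, only Internet links are supported (at most two), one elastic IP is needed per enabled WAN link, a supplied loopback prefix must be a /32, and a link reserved for breakout-only traffic cannot be the backup link. The following pre-flight check is an added example and is not Juniper's code; the record layout, the per-link subnet_cidr field and the placeholder elastic IP identifiers are assumptions made for the example, and the sample records are constructed.

```python
"""Pre-flight checks for a cloud spoke site against the AWS rules in Table 6.
Added example, not Juniper's code; the record layout, the per-link
'subnet_cidr' field and the placeholder elastic IP identifiers are assumptions."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 4   # x.x.x.0 through x.x.x.3 are reserved by AWS, per Table 6
MAX_CLOUD_WAN_LINKS = 2
MGMT_POOL = ipaddress.ip_network("100.124.0.0/14")  # pool CSO assigns from when no loopback prefix is given


def aws_reserved(subnet_cidr):
    """The addresses at the start of a subnet that AWS keeps for itself."""
    net = ipaddress.ip_network(subnet_cidr)
    return {net[i] for i in range(AWS_RESERVED_PER_SUBNET)}


def check_static_link(link, label, errors, warnings):
    """Static WAN address and gateway must be inside the subnet and not reserved."""
    net = ipaddress.ip_network(link["subnet_cidr"])
    addr = ipaddress.ip_interface(link["static_ip_prefix"]).ip
    if addr not in net:
        errors.append(f"{label}: {addr} is outside subnet {net}")
    elif addr in aws_reserved(link["subnet_cidr"]):
        errors.append(f"{label}: {addr} is one of the AWS-reserved addresses in {net}")
    gateway = ipaddress.ip_address(link["gateway_ip"])
    if gateway not in net:
        errors.append(f"{label}: gateway {gateway} is outside subnet {net}")
    elif gateway != net[1]:
        # Table 6: typically the first address after the network address is the gateway.
        warnings.append(f"{label}: gateway {gateway} is not the usual first address {net[1]}")


def preflight(site):
    """Return (errors, warnings) for a cloud spoke record."""
    errors, warnings = [], []
    links = [l for l in site.get("wan_links", []) if l.get("enabled")]
    if not 1 <= len(links) <= MAX_CLOUD_WAN_LINKS:
        errors.append(f"wan_links: {len(links)} enabled, expected 1-{MAX_CLOUD_WAN_LINKS}")
    for link in links:
        label = link.get("name", "WAN")
        if link.get("link_type") != "Internet":
            errors.append(f"{label}: only Internet links are supported on a cloud spoke")
        if link.get("address_assignment") == "STATIC":
            check_static_link(link, label, errors, warnings)
    eips = site.get("elastic_ips", [])
    if len(eips) != len(links):
        errors.append(f"elastic_ips: {len(eips)} allocated for {len(links)} enabled WAN links (one per link)")
    loopback = site.get("loopback_prefix")
    if loopback:
        if ipaddress.ip_network(loopback, strict=False).prefixlen != 32:
            errors.append(f"loopback_prefix: must be a /32, got {loopback}")
    else:
        warnings.append(f"loopback_prefix: not given, CSO will assign one from {MGMT_POOL}")
    backup = site.get("backup_link")  # index into the enabled links
    if backup is not None and 0 <= backup < len(links) and links[backup].get("breakout_only"):
        errors.append(f"{links[backup].get('name', 'WAN')}: a breakout-only link cannot be the backup link")
    if not any(l.get("local_breakout") for l in links):
        warnings.append("local breakout is not enabled on any WAN link, so it is disabled for the site")
    return errors, warnings


# Constructed sample records; subnets, addresses and identifiers are illustrative only.
GOOD_SPOKE = {
    "wan_links": [
        {"name": "WAN_0", "enabled": True, "link_type": "Internet", "address_assignment": "STATIC",
         "subnet_cidr": "10.0.1.0/24", "static_ip_prefix": "10.0.1.10/24", "gateway_ip": "10.0.1.1",
         "local_breakout": True},
        {"name": "WAN_1", "enabled": True, "link_type": "Internet", "address_assignment": "DHCP"},
    ],
    "elastic_ips": ["eipalloc-PLACEHOLDER-1", "eipalloc-PLACEHOLDER-2"],
    "loopback_prefix": "100.124.1.5/32",
    "backup_link": 1,
}
BAD_SPOKE = {
    "wan_links": [
        {"name": "WAN_0", "enabled": True, "link_type": "MPLS", "address_assignment": "STATIC",
         "subnet_cidr": "10.0.1.0/24", "static_ip_prefix": "10.0.1.2/24",  # reserved by AWS
         "gateway_ip": "10.0.2.1", "breakout_only": True},                 # gateway in another subnet
    ],
    "elastic_ips": [],                 # none allocated for one enabled link
    "loopback_prefix": "100.124.1.0/30",  # not a /32
    "backup_link": 0,                  # points at a breakout-only link
}

if __name__ == "__main__":
    for label, record in (("good", GOOD_SPOKE), ("bad", BAD_SPOKE)):
        print(label, preflight(record))
```

Warnings cover choices the guide describes as defaults or typical values rather than errors, such as letting CSO pick the loopback prefix or leaving local breakout off; errors are conditions the guide states the site cannot be added with.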

Manage Device Licenses

To use devices in CSO, they must be licensed and activated. This process requires:

  • Uploading a license file to CSO

  • Installing (pushing) the license to the device

  • Activating the device

Upload a Device License

To upload a license:

  1. Navigate to Administration > Licenses > Device Licences.

    The License Files page appears.

  2. Click the Add icon (+).

    The Add License page appears.

  3. Click the Browse button and locate the license file.

    (Optional) Add a description for this particular license file.

  4. Click OK to upload the license file.

    The newly added license appears in the list of device licenses.

Push a Device License

To install a license, you need to push the license to the device:

  1. Navigate to Administration > Licenses > Device Licences.

    The License Files page appears.

  2. Click the check box next to the license file that you want to push to one or more devices.
  3. Click the Push License pull-down menu and select Push.

    The Push License window appears, showing all devices on which the license is already deployed. If it is not installed on any devices, an X is shown in the installed column.

  4. Select the check boxes next to the device or devices to which you want to push the license.

    The push license job status notification appears. Another notification will alert you when the job is complete.

Activate a Device

To manually activate a device, follow these steps:

  1. From the Customer Portal, click Sites.

    The Sites page appears.

  2. Click the site with which the device that you want to activate is associated.

    The Site page for the selected site appears.

  3. Go to the Devices tab of the Site page.
  4. Select the device that you want to activate and click Activate Device.

    The Activate Device page appears.

  5. On the Activate Device page, enter the activation code for the device. The activation code must match the activation code that was provided during the site addition workflow.
  6. Click Next.

    The progress of the device activation task is displayed.

  7. Click OK when the device activation is complete.

    The Sites page appears. The status of the device is set to PROVISIONED if the device is successfully activated. Once the device is provisioned, you can use the device to route traffic.

Install a Signature Database

On the Signature Database page, the active database version appears. It shows the publish date, detector versions and a count of how many devices have this version installed.

To install the Active Database onto devices:

  1. Navigate to Administration > Signature Database.
  2. Click the Install Signatures button.

    The Install Signatures window appears.

  3. Select one or more devices on which you want to install the signatures by clicking the check box next to the device name(s).
  4. (Optional) Change the Type from Run now to Schedule at a later time to have CSO install the signatures later.
  5. Click OK.

    A notification appears letting you know that the job is either starting now or scheduled for later.

Add and Deploy a Firewall Policy

A firewall policy enforces rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall.

To add a firewall policy and deploy it to one or more sites:

  1. Navigate to Configuration > Firewall > Firewall Policy.

    The Firewall Policy page appears.

  2. Click the Add icon (+).

    The Add Firewall Policy page appears.

  3. Specify the parameters for the firewall policy. Fields marked with an asterisk (*) are mandatory.
  4. Click OK. The new firewall policy is created and a confirmation message is displayed.

To deploy a firewall policy:

  1. Select Configuration > Firewall > Firewall Policy.

    The Firewall Policy page appears, displaying the intents associated with the policy.

  2. Click Deploy.

    The Deploy page appears.

  3. In Choose Deployment Time options, you can select Run Now to deploy the policy immediately, or select Schedule at a later time to deploy the policy at a later date and time.

Add a Breakout Profile

To add a breakout profile:

  1. Click Configuration > SD-WAN > Breakout Profiles.

    The Breakout Profiles page appears.

    Note

    You must have at least one Traffic Type Profile in the enabled state to complete the rest of this procedure. Traffic type profiles are managed by the SP administrator in the Administration Portal.

  2. Click the Add icon (+).

    The Add Breakout Profile page appears.

  3. Specify the parameters for the breakout profile.
  4. (Optional) Set Advanced Configuration Parameters for Rate Limiting.
  5. Click OK.

Add Policy Intents

Add a Firewall Policy Intent

Intent-based firewall policies can control traffic in a number of ways:

  • Between security zones such as trust and untrust

  • Between departments such as marketing and accounting

  • Between specific addresses or address groups

  • Between sites or site groups belonging to the same tenant

  • Combinations of the above options

  • Additional options for the sources and destinations

To add and deploy an intent-based firewall policy:

  1. Prepare the endpoints that you want to use in the firewall policy:
    • Source endpoints can be IP addresses, IP address groups, sites, site groups, or departments.

    • Destination endpoints can be IP addresses, IP address groups, sites, site groups, departments, Layer 7 (L7) applications, or services.

  2. Add one or more firewall intents (by using the available endpoints):
    1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

    2. Click the Add icon (+).
    3. Specify the parameters for the firewall intent.

      Best Practice

      In order for CSO to receive security monitoring data, we recommend that you enable the Logging toggle button on all firewall policies.

    4. Click Save.

      The status of the save operation is displayed.

  3. Deploy the firewall policy:
    1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

    2. Click the Deploy button to deploy the firewall policy.

      The Deploy page appears.

    3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
    4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

Add an SD-WAN Policy Intent

You can create policy intents for SD-WAN policies from the SD-WAN Policy page. To add an intent-based SD-WAN policy:

  1. Navigate to Configuration > SD-WAN > SD-WAN Policy. The SD-WAN Policy page appears.
  2. Click the Add icon (+). The options to create policy intents appear in-line on the SD-WAN Policy page.
  3. Specify the parameters for the SD-WAN policy intent.
  4. Click Save to create the policy intent. The SD-WAN policy intent is saved and a confirmation message is displayed.

Note

After the policy intent is created, you must deploy the policy to ensure that the changes take effect on the applicable sites, departments, or applications. When an SD-WAN policy intent is created, the Undeployed field is incremented by one, indicating that intents are pending deployment.

Monitor Activities and Status

CSO provides you the ability to monitor the CSO system and its tenant networks.

To view highlights of the CSO monitoring feature:

  • Navigate to the Monitor tab on the left-navigation panel.
  • Select Overview to see a map of the CSO POPs and their status.

    The map can be zoomed and filtered by alarm severity by selecting the appropriate check box from the POPs pull-down menu at the upper left corner of the map.

  • Select Alerts & Alarms > Alerts to see alerts generated by CPE or hub devices.

    You can see the severity, time, tenant, site, and a description of the alerts, if any.

  • Select Alerts & Alarms > Alert Definitions to see what alert definitions have been added. There are SD-WAN alerts and security alerts available.

    The cspadmin user (or equivalent) can create new alert definitions by clicking the Add icon (+) and filling out the fields in the Create Alert Definition window.

  • Select Alerts & Alarms > Alarms to see alarm notifications generated by CPE and hub devices.

    The graph at the top of the page shows a count of alarms over a specified time period. You can adjust the time range for the graph to filter the alarms and create additional filters by tenant, site, source, and severity.

  • Select Tenants SLA Performance to see performance metrics filtered by tenant.

    You can choose between card display and grid display and filter the metrics by time.

  • Select Jobs to see a list of all jobs performed by CSO and the outcome of those jobs.

    You can see a job history or see upcoming jobs that have been scheduled for a future time.

    Clicking on an individual Job Name shows the details about that job. Further details may be available by clicking additional links within the job details pop-up window.