
Add a Standalone Next Generation Firewall Site

 

From CSO release 5.4.0 onward, adding an on-premises spoke site and activating it can optionally be separated, which gives more flexibility for on-site CPE installation.

In SD-WAN deployments with Next-Generation Firewall capability enabled in SRX templates, tenant administrators can add on-premises spoke sites without entering the serial number of the CPE device. Once the spoke site is added, you can use the Activate Site link displayed on the Site Management page to activate the spoke site at any later time by entering the serial number of the CPE.

You add the standalone firewall site from the Site Management page.

To add a standalone firewall site:

  1. Select Resources > Site Management.

    The Site Management page appears.

  2. Click Add and select Add On-Premise Spoke (Manual).

    The Add On-Premise Spoke Site for Tenant-Name page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 1.

    Note

    Fields marked with an asterisk (*) are mandatory.

  4. Click Next.

    A summary page is displayed.

  5. Review the configuration and modify the settings, if needed, from the Summary tab.
  6. If you did not enter the serial number while creating the next-generation firewall site, you must manually enter the serial number after adding the firewall site in order to activate the site.

    To manually activate the site:

    1. Click the Activate Site link that appears next to Site Status.

      The Activate Site page appears.

    2. Enter the serial number of the device associated with the site.
    3. Click OK.

    The Site Activation Progress page appears displaying the progress of steps executed for activating the CPE device. On successful activation of the site, the Site Status changes from Created to Provisioned.

    • If you have disabled the Zero Touch Provisioning (ZTP) field for the firewall device, you must manually configure the stage-1 configuration on the firewall device.

      To manually configure the stage-1 configuration:

      1. On the Site Activation: Site-Name page, after the Prestage Device step completes successfully, the click to copy stage-1 config link appears.
      2. Click the click to copy stage-1 config link.

        The Stage-1 Configuration page appears displaying the stage-1 configuration.

      3. Copy the stage-1 configuration and log in to the CLI of the firewall device.
      4. Enter the configuration mode, paste, and commit the configuration.

        After the stage-1 configuration is committed, the firewall device establishes the outbound SSH connection to connect with CSO. After the firewall device is detected, CSO executes the bootstrap and provisioning processes and completes provisioning the firewall device. The standalone firewall site status is set to Provisioned in the Sites page.

    • If you have enabled the Zero Touch Provisioning field, CSO pushes the stage-1 and stage-2 configuration and provisions the firewall device. The standalone firewall site status is set to Provisioned in the Sites page.

      Note

      The firewall device is activated automatically if you have already provided the activation code and device serial number while creating the firewall site.

Note

You can also add a standalone firewall site using the site templates. For more information, see Add On-Premise Spoke Sites by Using a Site Template.

Table 1: Fields on the Add On-Premise Spoke Site for Tenant-Name Page (Standalone Firewall)

Field

Description

General

Site Information

 

Site Name

Enter a unique name for the firewall site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

 

WAN Capabilities

Select Next Gen Firewall as the WAN capability, because you are adding a next-generation firewall site.

Address and Contact Information

 

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Click Next to continue.

Advanced Configuration

 

Name Server IP List

Enter one or more IPv4 addresses of DNS servers. To enter more than one DNS server address, type an address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net. The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone for the site.

WAN

Device Information

 

Serial Number

Enter the serial number of the firewall device. Note that the serial numbers are case-sensitive.

If you do not enter the serial number, the spoke site is created but not activated. See step 6 of the procedure above to enter the serial number and activate the spoke site later.

Auto Activate

Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default.

Activation Code

If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If ZTP is disabled, you must manually copy the stage-1 configuration to the firewall device by using the CLI.

Boot Image

When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports Phone-Home client.

The boot image is the device image that was previously uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure. The boot image is populated based on the device template that you have selected while creating a site.

By default, the Use Image on Device option is selected.

In-band Management Port

Select the port that you want to configure as the management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces.

Firewall Policies

Select the firewall policy that you want to deploy to the standalone firewall site. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page.

Default: Factory_Default_Fw_Policy

NAT Policies

Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page.

Default: Factory_Default_NAT_Policy

Import Configuration

Click the toggle button to automatically import firewall policies and NAT policies from a next generation firewall device to CSO. By default, this field is disabled.

Note: This field is available only when Zero Touch Provisioning is disabled.

Additional Configuration

Configuration Templates List

Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo administrators or SP administrators or Tenant administrators.

Note: You must set the parameters of the configuration templates that you have selected before you move to the LAN section.

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page has two tabs: Configure and Summary.

  2. In the Configure tab, fill in the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click OK.

    You have added and set the parameters for the configuration templates that are part of the site template that you are creating.

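As an added illustration (not part of the CSO documentation or product), the following Python pre-checks a site definition against the field rules in Table 1 and reports which activation path the procedure above would take. The dictionary keys, function names and sample site values are assumptions made for this example; CSO itself performs its own validation in the UI.

```python
import ipaddress
import re

# Rules taken from Table 1: site name is alphanumeric plus hyphen, max 32 chars;
# in-band management port is ge-0/0/0 .. ge-0/0/14. Key names are assumed.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")
MGMT_PORT_RE = re.compile(r"^ge-0/0/(\d|1[0-4])$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def is_ip_or_fqdn(value: str) -> bool:
    """NTP servers may be given as IP addresses or FQDNs."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(FQDN_RE.match(value))


def validate_site(site: dict) -> list:
    """Return a list of problems; an empty list means the form rules are satisfied."""
    errors = []
    if not SITE_NAME_RE.match(site.get("site_name", "")):
        errors.append("site_name: alphanumeric characters and hyphen only, 1-32 chars")
    if site.get("wan_capability") != "Next Gen Firewall":
        errors.append("wan_capability: must be 'Next Gen Firewall' for a standalone firewall")
    for addr in site.get("name_servers", []):
        try:
            ipaddress.IPv4Address(addr)  # Name Server IP List accepts IPv4 only
        except ValueError:
            errors.append(f"name_servers: {addr!r} is not an IPv4 address")
    for ntp in site.get("ntp_servers", []):
        if not is_ip_or_fqdn(ntp):
            errors.append(f"ntp_servers: {ntp!r} is neither an IP address nor an FQDN")
    if not MGMT_PORT_RE.match(site.get("mgmt_port", "")):
        errors.append("mgmt_port: must be one of ge-0/0/0 .. ge-0/0/14")
    ztp = site.get("ztp", True)  # Zero Touch Provisioning is enabled by default
    if ztp and site.get("import_configuration"):
        errors.append("import_configuration: only available when ZTP is disabled")
    if not ztp and site.get("boot_image"):
        errors.append("boot_image: only shown when ZTP is enabled")
    if not site.get("auto_activate", True) and not site.get("activation_code"):
        errors.append("activation_code: required when Auto Activate is disabled")
    return errors


def activation_path(site: dict) -> str:
    """Which branch of the procedure applies once the site is added."""
    if not site.get("serial_number"):
        return "manual-activate"  # status stays Created; use the Activate Site link later
    return "ztp" if site.get("ztp", True) else "stage-1-cli"
```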