
Add Next-Generation Firewall (On-Premise Spoke) Sites

 Note

Before you add the next-generation firewall (NGFW) spoke site, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the NGFW device. For details, see Supported Devices for NGFW, and Ports and Protocols to Open.

To add an NGFW on-premise spoke site:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add, and select Add On-Premise Spoke (Manual).

    The Add On-Premise Spoke Site wizard appears, displaying the General settings to be configured.

    Note

    Fields marked with an asterisk (*) are mandatory.

  3. Configure the General settings as explained in Table 2, and click Next.

    You are taken to the WAN section of the workflow.

  4. Configure the WAN settings as explained in Table 3, and click Next.

    You are taken to the Summary section of the workflow.

  5. Review the configuration in the Summary section and, if required, modify the settings.
  6. Click Finish.

    CSO triggers the activation of the site. See Table 1 for how the site activation proceeds for greenfield and brownfield sites.

    Table 1: Site Activation Process for Greenfield and Brownfield NGFW Sites

    | Type of NGFW | Serial Number | Auto-Activate | Site Activation Process |
    |---|---|---|---|
    | Greenfield or Brownfield | Not specified | Disabled | You are returned to the Sites page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job. After the job is finished, CSO displays a confirmation message, the status of the site changes to CREATED, and an Activate Site link is displayed. You must manually activate the site to finish the activation process. For more information, see Manually Activate a Site. |
    | Greenfield or Brownfield | Not specified | Enabled | Same as the first row. |
    | Greenfield or Brownfield | Specified | Disabled | Same as the first row. |
    | Brownfield | Specified | Enabled | CSO triggers the site activation and the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Site Activation Tasks and Troubleshooting. Note: Because you are adding a brownfield NGFW site, you must copy the stage-1 configuration that CSO generates, paste it, and commit it on the NGFW device for the activation to proceed. |
    | Greenfield | Specified | Enabled | CSO triggers the site activation and the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Site Activation Tasks and Troubleshooting. If you do not want to wait for the site activation to finish, you can close the Site Activation Progress page and monitor the status of the site activation from the Jobs page (Monitor > Jobs). The time taken for site activation varies depending on the device that CSO is activating. |
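    For the brownfield case in Table 1 (serial number specified, Auto-Activate enabled), the stage-1 configuration that CSO generates has to be pasted and committed on the SRX device itself. The CLI session below is an added illustration of that step; it is not part of the original page and is not a CSO-generated artifact. It assumes the stage-1 configuration is in hierarchical (curly-brace) Junos format and that the device prompt is `user@srx`; the configuration content is a placeholder because this page does not reproduce it.

```junos
user@srx> configure
Entering configuration mode

[edit]
user@srx# load merge terminal
[Type ^D at a new line to end input]
<paste the stage-1 configuration copied from CSO here (placeholder)>
^D
load complete

[edit]
user@srx# show | compare
<review the candidate diff before committing: only the changes needed for
 CSO connectivity and management should appear>

[edit]
user@srx# commit check
configuration check succeeds

[edit]
user@srx# commit
commit complete

[edit]
user@srx# exit
```

    If CSO provides the stage-1 configuration as `set` commands rather than in hierarchical format, use `load set terminal` in place of `load merge terminal`. Reviewing `show | compare` before committing confirms that the pasted configuration touches nothing beyond what the activation needs; when the change affects the interface you are connected through, `commit confirmed` (which rolls back automatically unless confirmed within the timeout) is the safer variant.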

Table 2: General Settings (Add On-Premise Spoke Site Page)

| Field | Guideline |
|---|---|
| Site Information | |
| Site Name | Enter a unique name for the site. The name can contain alphanumeric characters and hyphens (-), and cannot exceed 32 characters. |
| Site Group | If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site does not belong to any site group. |
| Site Capabilities | |
| WAN Capabilities | Because you are configuring a next-generation firewall site, click the Next-Gen Firewall card. |
| Address and Contact Information | Enter the address of the on-premise spoke site and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on the geographical map on the Monitor Overview page. |
| Advanced Configuration | For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers. |
| Domain Name Server (DNS) | Specify the IPv4 addresses of one or more DNS servers. |
| NTP Server | If needed, specify the IP addresses of one or more NTP servers. |
| Select Timezone | Select a time zone for the site. |

Table 3: WAN Settings (Add On-Premise Spoke Site Page)

Field

Guideline

Device Series

Because only SRX Series devices can be configured as NGFW sites, this field displays SRX.

You must choose the device template that you want to use for the site from the carousel. For NGFW, the following predefined templates are available.

  • SRX_Standalone_Pre_Staged_NonZTP—Select this template if you want to use a brownfield device, which is a device that already has existing firewall and NAT configurations that you want to import into CSO. If you select this template, CSO does not perform ZTP for the site.

  • SRX_Standalone_Pre_Staged_ZTP—Select this template if you’re using a greenfield device, which means that CSO will provision the device.

Note: If modified versions of these templates are available, you can choose a different template.

Device Information


Serial Number

If you want CSO to proceed with the site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark.

If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later.

Auto Activate

Click the toggle button to specify whether the site activation requires an activation code or not:

  • Enabled—The site is activated automatically without an activation code. This is the default setting.

  • Disabled—The site activation proceeds only after you enter an activation code. If you choose this setting, enter the activation code (in the Activation Code field) that must be entered to activate the device.

Boot Image

This field is displayed only if you selected SRX_Standalone_Pre_Staged_ZTP (or a modified version of that template) as the device template.

If you want to upgrade the next-generation firewall device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process.

If you don't specify a boot image, which is the default option (Use Image on Device) in the list, then CSO skips the procedure to upgrade the device during ZTP.

In-band Management Port

This field displays the default interface to be used for in-band management of the device. If you want to use a different interface, remove the default and select a different interface from the list.

Firewall Policies

This field is displayed only if you selected SRX_Standalone_Pre_Staged_ZTP (or a modified version of that template) as the device template.

By default, CSO applies a default firewall policy to the next-generation firewall device. If you don’t want to apply the default policy, select None.

NAT Policies

This field is displayed only if you selected SRX_Standalone_Pre_Staged_ZTP (or a modified version of that template) as the device template.

By default, CSO applies a default NAT policy to the next-generation firewall device. If you don’t want to apply the default policy, select None.

Import Policy Configuration

This field is displayed only if you selected SRX_Standalone_Pre_Staged_NonZTP (or a modified version of that template) as the device template.

Click the toggle button to enable the automatic import of previously configured NAT and firewall policies from the device to CSO, after the site is provisioned. By default, the automatic import of policies is disabled. However, you can import firewall and NAT policies manually using the Import workflow.

For more information, see Importing Policies Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Additional Configuration

If you want to deploy additional configuration during the ZTP process, you can select one or more configuration templates and set the parameters for each template.

Configuration Templates List

For each configuration template that you select:

  1. Select one or more configuration templates from the list that you want to deploy on the device during ZTP.
  2. Click Set Parameters.

    The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configure tab.

  3. For each configuration template, enter values for the parameters.
  4. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates.
  5. Click Save.

    You are returned to the WAN tab. The Junos OS configuration commands will be deployed on the device during the ZTP process.