CSO Next-Generation Firewall (NGFW) Deployment Workflow
The Contrail Service Orchestration (CSO) next-generation firewall (NGFW) deployment provides network security at remote locations by using SRX Series NGFW devices as the customer premises equipment (CPE) at the on-premise spoke site. In CSO, you can add two types of NGFW devices:
Greenfield—Greenfield devices are generally devices on which you’ve not deployed any configuration. When you add a greenfield NGFW site, CSO provisions the device by using Zero Touch Provisioning (ZTP). You can then configure and use the NGFW as needed.
Brownfield—Brownfield devices are generally devices that are already configured and operational. When you add a brownfield NGFW site, CSO does not provision the device by using ZTP. This allows you to import existing policies on the device into CSO and deploy the policies. You can then manage the NGFW by using CSO.
Ensure that the pre-deployment tasks related to NGFW are carried out before you follow the procedure outlined in this topic. See Pre-Deployment Tasks for CSO SD-WAN and Next-Generation Firewall.
The following tasks must be performed in the tenant scope in Customer Portal:
- If you are a Tenant Administrator, log in to Customer Portal. If you are an SP Administrator (CSO on-premises) or OpCo Administrator (with appropriate permissions), switch scope to the tenant. See Switch Scope or Log in as Tenant Administrator.
- (Optional) Customize configuration templates. See Configuration Templates Workflow.
- (Optional) Customize device templates. See Device Templates Workflow.
- Depending on whether you’re using a greenfield or a brownfield device, select the device template:
To add a greenfield next-generation firewall site, select the SRX_Standalone_Pre_Staged_ZTP (or a modified version) as the device template. See Add Next-Generation Firewall (On-Premise Spoke) Sites.
To add a brownfield next-generation firewall site, select SRX_Standalone_Pre_Staged_NonZTP (or a modified version) as the device template. CSO generates a stage-1 configuration that you must commit on the device, so that CSO can take over the management of the device. See Add Next-Generation Firewall (On-Premise Spoke) Sites.
- Upload and install device licenses. See Add and Install (Push) Device Licenses.
- Install the signature database. See Install the Signature Database on Devices.
- (Greenfield only) Before you add firewall and NAT policies, you must add interfaces (physical and logical), routing instances, and zones for the device. You can do this on the Configuration tab of the Device-Name page (Resource > Devices > Device-Name). See Configuring the Firewall Device in the CSO Customer Portal User Guide (available on the CSO Documentation page).
- (Brownfield only) If you specified that policies should be imported during the activation process, you must deploy the imported policies in CSO:
If a firewall policy was imported, deploy the firewall policy. See Deploy a Firewall Policy.
If a NAT policy was imported, deploy the NAT policy. See Deploy a NAT Policy.
CSO imports the existing routing instances, interfaces, and zones on the brownfield device into CSO.
- (Brownfield only) If you did not import the policies as part of the site activation, you can import the policies manually and then deploy them:
To import firewall policies, go to the Firewall Policy page (Configuration > Firewall > Firewall Policy) and click Import. For more information, see Importing Firewall Policies in the CSO Customer Portal User Guide.
To import NAT policies, go to the NAT Policy page (Configuration > NAT > NAT Policy) and click Import. For more information, see Importing NAT Policies in the CSO Customer Portal User Guide.
Deploy the manually imported policies in the same way as policies imported during activation (see the preceding brownfield step: Deploy a Firewall Policy and Deploy a NAT Policy).
- (Optional) Configure unified threat management (UTM) on the next-generation firewall. See Configure Unified Threat Management (UTM) in CSO.
- (Optional) Configure SSL proxy on the next-generation firewall site. See Configure and Deploy SSL Proxy Policy in CSO.
- (Optional) Configure intrusion prevention system (IPS) on the next-generation firewall. See Configure Intrusion Prevention System (IPS) in CSO.
- Add a firewall policy and zone-based intents and deploy the firewall policy. See Add and Deploy Firewall Policies.
You can also use the default firewall policy in CSO by either deploying the policy as-is or modifying the intents as required and deploying the policy.
This step is optional for the brownfield device if you’ve already imported the firewall policies previously configured on the device.
- (Optional) Add a NAT policy and rules and deploy the NAT policy. See Add and Deploy NAT Policies.
You can also use the default NAT policy in CSO by either deploying the policy as-is or modifying the rules as required and deploying the policy.
This step is optional for the brownfield device if you’ve already imported the NAT policies previously configured on the device.
- Monitor the NGFW sites and devices. See Monitor Next-Generation Firewall Sites and Devices.
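The workflow above is driven entirely from Customer Portal, but two points deserve a check on the SRX itself: the brownfield step in which you commit the CSO-generated stage-1 configuration so that CSO can take over management, and the later steps in which licenses, the signature database, interfaces, zones and policies are pushed to the device. The following annotated Junos CLI session is an added example written for this page; it is not part of the CSO documentation or of any CSO-generated output. The stage-1 configuration is produced by CSO per site and is not reproduced here, and the CSO address 198.51.100.10 is a placeholder.

```junos
## Added example (not from the CSO documentation): operator-side checks on the
## SRX during the brownfield stage-1 hand-off and after CSO deploys policies.
## 198.51.100.10 stands in for the CSO address the stage-1 config points at.

## 1. Brownfield only: apply the CSO-generated stage-1 configuration.
##    Paste it in configuration mode. Use "load merge terminal" for brace-format
##    text or "load set terminal" for "set ..." statements; end the paste with Ctrl-D.
user@srx> configure
user@srx# load merge terminal
[Type ^D at a new line to end input]
... paste the stage-1 configuration generated by CSO here ...
^D
load complete

## Review exactly what is being added before committing: the stage-1 config
## should add CSO management reachability, not change existing security policy.
user@srx# show | compare
user@srx# commit check
user@srx# commit and-quit

## 2. Confirm the device has opened its management session towards CSO.
##    With outbound-ssh the SRX initiates the connection, so nothing inbound
##    needs to be permitted at the site edge.
user@srx> show configuration system services outbound-ssh
user@srx> show system connections | match 198.51.100.10

## 3. After the license and signature-database steps: verify on the device,
##    not only in the portal.
user@srx> show system license
user@srx> show security idp security-package-version

## 4. After CSO deploys interfaces, zones and policies (greenfield) or the
##    imported policies (brownfield): confirm that what CSO shows matches
##    what is actually committed on the SRX.
user@srx> show interfaces terse
user@srx> show route instance
user@srx> show security zones
user@srx> show security policies
user@srx> show security nat source rule all
user@srx> show security nat destination rule all

## Hit counts show which deployed rules are matching traffic; a newly deployed
## deny rule with a rising count is the first thing to check when a site
## reports broken connectivity after a policy deployment from CSO.
user@srx> show security policies hit-count
```

Running `show | compare` before `commit` is the important habit here: on a brownfield device the only changes in the stage-1 diff should relate to CSO management, and anything touching `security policies` or `security nat` at that stage is a reason to stop and investigate before handing the device over.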