CSO Next-Generation Firewall (NGFW) Deployment Workflow


The Contrail Service Orchestration (CSO) next-generation firewall (NGFW) deployment provides network security for remote sites by using SRX Series NGFW devices as the customer premises equipment (CPE) at the on-premises spoke site. In CSO, you can add two types of NGFW devices:

  • Greenfield—Greenfield devices are generally devices on which you’ve not deployed any configuration. When you add a greenfield NGFW site, CSO provisions the device by using Zero Touch Provisioning (ZTP). You can then configure and use the NGFW as needed.

  • Brownfield—Brownfield devices are generally devices that are already configured and operational. When you add a brownfield NGFW site, CSO does not provision the device by using ZTP. This allows you to import existing policies on the device into CSO and deploy the policies. You can then manage the NGFW by using CSO.

Note

Ensure that the pre-deployment tasks related to NGFW are carried out before you follow the procedure outlined in this topic. See Pre-Deployment Tasks for CSO SD-WAN and Next-Generation Firewall.

The following tasks must be performed in the tenant scope in Customer Portal:

  1. If you are a Tenant Administrator, log in to Customer Portal. If you are an SP Administrator (CSO on-premises) or OpCo Administrator (with appropriate permissions), switch scope to the tenant. See Switch Scope or Log in as Tenant Administrator.
  2. (Optional) Customize configuration templates. See Configuration Templates Workflow.
  3. (Optional) Customize device templates. See Device Templates Workflow.
  4. Depending on whether you’re using a greenfield or a brownfield device:
  5. Upload and install device licenses. See Add and Install (Push) Device Licenses.
  6. Install the signature database. See Install the Signature Database on Devices.
  7. (Greenfield only) Before you add firewall and NAT policies, you must add interfaces (physical and logical), routing instances, and zones for the device. You can do this on the Configuration tab of the Device-Name page (Resource > Devices > Device-Name). See Configuring the Firewall Device in the CSO Customer Portal User Guide (available on the CSO Documentation page).
  8. (Brownfield only) If you specified that policies should be imported during the activation process, you must deploy the imported policies in CSO:

    Note

    CSO imports the existing routing instances, interfaces, and zones on the brownfield device into CSO.

  9. (Brownfield only) If you did not import the policies as part of the site activation, you can import the policies manually and deploy the policies:
    1. To import firewall policies, go to the Firewall Policy page (Configuration > Firewall > Firewall Policy) and click Import. For more information, see Importing Firewall Policies in the CSO Customer Portal User Guide.

    2. To import NAT policies, go to the NAT Policy page (Configuration > NAT > NAT Policy) and click Import. For more information, see Importing NAT Policies in the CSO Customer Portal User Guide.

    3. Deploy the manually imported policies, as explained in step 8.

  10. (Optional) Configure unified threat management (UTM) on the next-generation firewall. See Configure Unified Threat Management (UTM) in CSO.
  11. (Optional) Configure SSL proxy on the next-generation firewall site. See Configure and Deploy SSL Proxy Policy in CSO.
  12. (Optional) Configure intrusion prevention system (IPS) on the next-generation firewall. See Configure Intrusion Prevention System (IPS) in CSO.
  13. Add a firewall policy and zone-based intents and deploy the firewall policy. See Add and Deploy Firewall Policies.

    Note

    You can also use the default firewall policy in CSO by either deploying the policy as-is or modifying the intents as required and deploying the policy.

    This step is optional for the brownfield device if you’ve already imported the firewall policies previously configured on the device.

  14. (Optional) Add a NAT policy and rules and deploy the NAT policy. See Add and Deploy NAT Policies.

    Note

    You can also use the default NAT policy in CSO by either deploying the policy as-is or modifying the rules as required and deploying the policy.

    This step is optional for the brownfield device if you’ve already imported the NAT policies previously configured on the device.

  15. Monitor the NGFW sites and devices. See Monitor Next-Generation Firewall Sites and Devices.