Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Next-Generation Firewall Sites


You can add a next-generation firewall site to manage a standalone SRX device that is configured as a firewall device. You can also create a next-generation firewall site for branch networks to manage an SRX firewall device. This topic explains how you can, Add an On-Premises Spoke Site for Next Generation Firewall .

Add an On-Premises Spoke Site for Next Generation Firewall

The following image shows a simple network topology for a standalone next-generation firewall site.

Complete the connections as shown in the topology diagram and power up the device.

This task assumes that the device will get DHCP IP address and will have Internet connectivity along with DNS resolution when connected according to the network design.


When you configure the SRX device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15 based on the SRX model) for Internet connectivity.

For more information about connecting the cables and connecting a console to the device, see the documentation for the firewall device. Links to the hardware documentation for the supported models are provided in Table 1.


Ensure that the devices are running the recommended version of Junos OS. For information about the supported Junos OS versions, see the Release Notes for that Release.

Device Model


Hardware Documentation

SRX3xx devices, SRX550M, SRX1500, SRX4100, and SRX4200


444 (not needed for CSO SaaS instances)




8060 (needed if using PKI authentication to validate CRL)







To add a next-generation firewall site:

  1. From the Sites page (Resources > Site Management) of the CSO portal, click Add and select On-Premise Spoke Site.

    The Add Site wizard appears.

  2. Complete the configuration as explained in Table 2.
  3. Click Next to review the settings and then, click OK to add the site.

    When the site is successfully created, the Site Status in the Sites page changes to Provisioned.

    If you did not enter serial number while creating the next-generation firewall site, you must manually enter the serial number after adding the firewall site, in order to activate the site. See Add a Standalone Next Generation Firewall Site for more information.

    Table 2: SD-WAN On-Premises Spoke Site Settings




    Site Name

    Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

    Site Capabilities

    Select Next Gen Firewall.


    Serial Number

    Enter the serial number of the device.

    You can also add the Next-Generation Firewall site but activate the site later. If you choose to not enter the serial number of the CPE device when creating the Next-Generation Firewall site, you must enter it while activating the site, using the Activate Site link.

    See Add a Standalone Next Generation Firewall Site for more information.

    Auto Activate

    Auto Activate is enabled by default. When Auto Activate is enabled, the device activation is automatically triggered when the site is added. The Activation Code field appears if you disable the Auto Activate option. In such cases, specify the activation code of the device to manually activate a device. For information about manually activating a device, see Activate a Device.

    Zero Touch Provisioning

    Zero Touch Provisioning is enabled by default. When Zero Touch Provisioning is enabled, zero-touch provisioning of the device is automatically triggered when the site is added. Note that the SRX device must support phone home client for ZTP to work. If the device does not support phone home client, disable Zero Touch Provisioning and manually copy-paste the stage-1 configuration from the device CLI.

After you add the site, you can complete the following tasks as required:


The device must be activated before you install licenses or signatures, or deploy policies.

  • Upload and install licenses. For example, Administration > Licenses.

  • Install signatures. For example, Administration > Signature Database.

  • Add, modify, and deploy firewall policies. For example, Configuration > Firewall Policy .

  • Monitor alerts, alarms, and jobs. For example, Monitor > Jobs.

For more information about these tasks, see the Contrail Service Orchestration documentation at documentation/product/en_US/contrail-service-orchestration.