
Configure Enterprise Hub Site

 

Explanation of Procedure

The workflow for configuring the enterprise hub site is as follows:

  1. Add the enterprise hub site.
  2. After the enterprise hub site is provisioned successfully, perform the following post-provisioning tasks:
    1. Upload and install device licenses.
    2. Install the signature database.
    3. Add and deploy a firewall policy.
    4. Add an SD-WAN breakout profile.

      Note

      In general, adding breakout profiles is optional. If you choose not to break out traffic, you don’t need to add a breakout profile. In this use case, we add breakout profiles to show how you can configure local breakout.

    5. Add and deploy an SD-WAN policy intent.

Add Enterprise Hub Site

An enterprise hub is an SD-WAN site that is used to carry site-to-site traffic between branch sites and to break out backhaul (also called central breakout) traffic from branch sites. An enterprise hub typically has a data center department behind it; however, this is not enforced in CSO.

For more information, see the Enterprise Hubs Overview topic in the Customer Portal User Guide (available on the CSO Documentation page).

Note

Before you add the enterprise hub site, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the enterprise hub device as explained in Supported Devices, and Ports and Protocols to Open.

To add an enterprise hub site:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add, and select Enterprise Hub.

    The Add Enterprise Hub wizard appears, displaying the General settings to be configured.

  3. Configure the General settings as explained in Table 4, and click Next.

    You are taken to the WAN section of the workflow.

    Note

    Fields marked with an asterisk (*) are mandatory.

  4. Configure the WAN settings as explained in Table 5, and click Next.

    You are taken to the LAN section of the workflow.

  5. Add a LAN segment:
    1. Click the Add (+) icon.

      The Create LAN Segment page appears.

    2. Configure the LAN segment settings as explained in Table 6
    3. Click OK.

      You are returned to the LAN section of the workflow, and the LAN segment that you added is displayed.

  6. Click Next.

    You are taken to the Summary section of the workflow.

  7. Review the configuration in the Summary section and, if required, modify the settings.
  8. Click Finish.

    The Site Activation: Enterprise-Hub-Site-Name page appears, and the site activation process proceeds through the tasks explained in Table 7.

    Note

    The time taken for site activation varies depending on the device that CSO is activating.

  9. Click OK to close the Site Activation page.

    Note

    If you don’t want to wait for the site activation to finish, you can close the Site Activation page and monitor the status of the site activation from the Jobs page (Monitor > Jobs).

Table 4: General Information (Add Enterprise Hub)

Field

Guideline

Site Information

 

Site Name

Enter a unique name for the site. The name can contain alphanumeric characters and hyphens (-), and cannot exceed 10 characters.

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

Use the default setting (None), which indicates that you’re not using site groups.

Site Capabilities

Because we’re adding an enterprise hub site with only SD-WAN, select only SD-WAN as the site capability. For this deployment, choose Secure SD-WAN Advanced as the SD-WAN service type. The following SD-WAN service types are available:

  • Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials service level) Provides basic SD-WAN services. The SD-WAN Essentials service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool-based source NAT rules, IPv6, MAP-E, or underlay BGP.

  • Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides complete SD-WAN services. All sites of the tenant are connected in full mesh or hub-and-spoke topology. This service includes Secure SD-WAN Essentials service.

Configuration

 

Primary Provider Hub

If the OpCo Administrator has configured additional DATA-only provider hubs and you want to have a backup for the enterprise hub, you can select a DATA-only provider hub as the primary provider hub.

Secondary Provider Hub

Note: Not applicable to sites with SD-WAN Essentials service.

If you want provider hub redundancy and if the OpCo Administrator has configured additional DATA-only provider hubs, select another DATA-only provider hub as the secondary provider hub.

Advanced Configuration

Use the defaults for the on-demand VPN thresholds.

Note: Sites with Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Address and Contact Information

Enter the address and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on a geographical map on the Monitor Overview page.

Advanced Configuration

For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.

Domain Name Server

If needed, specify the IPv4 addresses of one or more DNS servers.

NTP Server

If needed, specify the IP addresses of one or more NTP servers.

Select Timezone

Select a time zone for the site.

Table 5: Device Settings (Add Enterprise Hub)

Field

Guideline

Device Information

 

Device Template

Ensure that you select the correct device template from the carousel; the template depends on the device that you are using as the enterprise hub.

For example, for an SRX4100 device, select SRX4x00 as SD-WAN CPE (or a modified version of that template) as the device template.

Serial Number

Enter the serial number of the device.

Zero Touch Provisioning

By default, Zero Touch Provisioning is enabled. If you want to disable ZTP, click the toggle button. To use ZTP, ensure the following:

  • The device must have connectivity to CSO and to the Juniper phone-home server (https://redirect.juniper.net). Use telnet from the device CLI to verify that TCP port 443 is reachable on both:

    telnet redirect.juniper.net 443

    telnet CSO-Hostname-or-IP 443

    If the connection is established (the output shows Connected to ...), the device has connectivity to the phone-home server and to CSO. If the connection times out or is refused, check the upstream firewall and NAT rules before enabling ZTP.

  • Required certificates for phone-home server and CSO must be present on the device.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task in the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

    If the device is not prestaged or preconfigured, then you must provide the IP address and interface details under the Management Connectivity section.

Auto Activate

This setting is enabled by default in device templates. Therefore, ensure that automatic activation is enabled.

Boot Image

If you want to upgrade the enterprise hub device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process.

If you don't specify a boot image, which is the default option (Use Image on Device) in the list, CSO skips the device upgrade step during ZTP and the device keeps its current Junos OS image.

WAN Links

You can configure a maximum of four WAN links. In this use case, we configure two WAN links: one Internet and one MPLS.

WAN_0 (WAN-Interface-Name)

The first WAN link is enabled by default.

Fields marked with an asterisk (*) must be configured to proceed.

Link Type

For the first WAN link, we use the default (Internet) for the underlay network type to ensure reachability to the redirect server.

Egress Bandwidth

Enter the maximum egress bandwidth (in megabits per second [Mbps]) that is allowed for the WAN link.

Underlay Address Families

IPv4

By default, IPv4 address assignment is enabled for the WAN link.

The WAN link requires an IPv4 address to connect to an IPv4 network.

Address Assignment Method

Displays the method of assigning an IP address to the WAN link (STATIC). You cannot modify this field.

You must provide an IP address prefix and the gateway address for the WAN link.

Static IP Prefix

Enter the IPv4 address prefix of the WAN link; for example, 192.0.2.8/24.

Gateway IP Address

Enter the IP address of the gateway of the WAN link’s service provider.

Public IP Address

Note: You should provide a public IP address only if the static IP prefix is a private IP address and 1:1 NAT is configured.

Enter the public IPv4 address for the link, if needed.

Advanced Settings

Only the settings that need to be configured for this WAN link are included here. Use the defaults for the other settings.

Address Family (Tunnel Creation)

Displays the underlay address family (IPv4) that is used to establish the overlay tunnel.

Provider

Enter the name of the WAN link’s service provider.

Cost/Month

Leave this as the default because this field is currently not used in CSO.

Enable Local Breakout

Click the toggle button to enable the WAN link to be used for local breakout. Local breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet.

Note: If you enable local breakout, this only means that the WAN link can be used for local breakout. To enable traffic to break out from the site, you must also configure a breakout profile, reference that profile in an SD-WAN policy intent, and deploy the SD-WAN policy.

If you enable local breakout, additional fields appear:

  • Breakout Options: Retain the default setting of using the WAN link for both breakout and WAN traffic.

  • Autocreate Source NAT Rule: When you enable local breakout on a link, this setting is enabled. Retain the default setting.

    Enabling this setting triggers automatic creation of source NAT rules for the site.

    Note: If NAT is not enforced by a separate device in your network (for example, an Internet gateway firewall), then we recommend that you enable this setting because it allows CSO to automatically create a NAT policy for the site.

  • Translation: Select the type of NAT to be used on the traffic on the WAN link. For this use case, retain the default setting (Interface).

  • Preferred Breakout Link: Retain the default setting (Disabled).

  • Retain the default settings for the rest of the local breakout parameters.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

Configure the two additional fields that appear:

  • Mesh Overlay Link Type: Retain the default selection (GRE over IPsec) as the type of encapsulation to be used for the overlay tunnels in the full mesh topology.

    Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.

  • Mesh Tags: Select one or more mesh tags for the WAN link.

Note: The tunnels between the enterprise hub site and the branch site are added based on matching mesh tags. So, if you want meshing to take place between a WAN link on the enterprise hub and a WAN link on the branch site, the mesh tags must be the same for both sites.

Even if you enable this option, sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Use for OAM traffic

Click the toggle button to enable the use of the WAN link for Operation, Administration, and Maintenance (OAM) traffic. The WAN link is then used to establish an OAM tunnel for communication between the enterprise hub site and CSO.

Note: To ensure redundancy, we recommend that you configure at least two WAN links that can be used for OAM traffic.

WAN_1 (WAN-Interface-Name)

Click the toggle button to configure a second WAN link. Fields related to the WAN link appear.

Note: Only the fields for which the settings are different from the first WAN link are listed here. For the rest of the fields, see the explanations for the first WAN link.

Link Type

For the second WAN link, select MPLS as the link type.

Configure the egress bandwidth, static IP prefix, gateway IP address, and (if applicable) public IP address. See the explanations for the first WAN link.

Advanced Settings

 

Enable Local Breakout

Because we’ve already enabled local breakout on the first WAN link, retain this as disabled, which means that the WAN link won’t be used for local breakout.

Use for Fullmesh

Click the toggle button to enable the WAN link to be part of a full mesh topology.

Configure the additional fields that appear, as explained for the first WAN link.

Use for OAM Traffic

To ensure redundancy for OAM tunnels, click the toggle button to enable the WAN link to be used for sending OAM traffic.

DVPN Threshold for Tunnel Creation

Use the defaults for the on-demand VPN thresholds.

Note: Sites with Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

DVPN Threshold for Tunnel Deletion

Use the defaults for the on-demand VPN thresholds.

Note: Sites with Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

OAM IP Prefix

We recommend that you don’t configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

Table 6: LAN Segment Settings (Enterprise Hub)

Field

Guideline

Name

Enter a unique name for the LAN segment, which can contain alphanumeric characters and underscores (_), and cannot exceed 15 characters.

CPE Port

Note: Applicable to SRX Series devices.

Select the CPE port to be added in the LAN segment.

Type

Because the enterprise hub is connected to a data center, select Dynamic Routed to indicate that the LAN segment is not directly connected to the hub device and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

Department

Click Create Department to add a new data center department.

On the Add Department page that appears, enter a name for the department (for example, DC-Dept), and click OK to add the department.

The department is added, and the department name is displayed in the Department field.

Protocol

Select the routing protocol (BGP or OSPF) to be used by the data center department to learn routes from the data center.

For this use case, we’ll select BGP and configure the parameters related to BGP.

Advertise LAN Prefix

Click the toggle button to advertise the LAN prefixes of the SD-WAN branch sites to the data center through the data center department that is associated with the enterprise hub.

By default, this field is disabled.

Note:

  • Route advertisements from the data center to SD-WAN branch sites take place irrespective of whether this field is enabled or disabled.

  • You must avoid overlapping IP addresses between the LAN network of the SD-WAN branch sites and the data center network.

Gateway Address/Mask

Enter a valid gateway IP address and subnet mask for the LAN segment. This address will be the default gateway for the endpoints in this LAN segment.

For example: 192.0.2.8/24.

CPE Ports

Note: Applicable to NFX150 and NFX250 devices.

Select the port (on the enterprise hub device) that peers with the data center gateway.

BGP Configuration

 

Authentication

Select the authentication method to be used for the BGP session with the data center router:

  • None—Indicates that no authentication should be used. This is the default setting.

  • Use MD5—Indicates that MD5 (the TCP MD5 signature option) is to be used to authenticate BGP packets from the peer. If you select this option, you must specify an authentication key. MD5 is the only authentication option offered here; it is weak by modern standards, but it still rejects unauthenticated peers and spoofed segments, so prefer it over None wherever the peering link is not fully under your control, and use a long, unique key that is also configured on the data center router.

Peer IP Address

Enter the IP address of the BGP neighbor.

Peer AS Number

Enter the autonomous system (AS) number of the BGP neighbor.

CSO uses the default AS number 64512. If the AS number of the data center’s router is different from CSO’s AS number, an external BGP (eBGP) peering session is established. If the AS number is the same, an internal BGP (iBGP) peering session is established.

Auth Key

If you specified that MD5 should be used for authentication, specify an MD5 authentication key (password), which is used to verify the authenticity of BGP packets.
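The following script is an added example (not CSO code) that checks the Table 6 LAN segment and BGP settings before you enter them in the GUI. It encodes the rules stated above: CSO's default AS is 64512, so a peer AS of 64512 yields iBGP and any other value eBGP; Use MD5 requires an authentication key; the branch LAN networks must not overlap the data center network. The Junos set commands it renders are an assumed equivalent of what CSO pushes to the hub, shown only to make the option mapping concrete; the segment name, addresses and AS numbers are constructed sample values.

```python
"""Pre-check for the Table 6 LAN segment and BGP settings (added example, not CSO code)."""
import ipaddress
import re

CSO_DEFAULT_AS = 64512  # stated on the page


class LanSegmentError(ValueError):
    """Raised when a LAN segment setting would be rejected or is unsafe."""


def validate_lan_segment(name, gateway_cidr, peer_ip, peer_as, auth="None",
                         auth_key=None, branch_lan_prefixes=(), dc_prefixes=()):
    """Validate a Dynamic Routed (BGP) LAN segment; return a summary dict."""
    # Name rule from Table 6: alphanumerics and underscores, max 15 characters.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,15}", name):
        raise LanSegmentError("name: alphanumerics and underscores only, max 15 characters")

    # Gateway Address/Mask, e.g. 192.0.2.8/24: must be a usable host address in the
    # segment (network and broadcast addresses are excluded for prefixes up to /30).
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        raise LanSegmentError("gateway must be a host address inside the LAN segment")

    peer = ipaddress.ip_address(peer_ip)
    peer_as = int(peer_as)
    if not 1 <= peer_as <= 4294967295:
        raise LanSegmentError("peer AS must be in 1..4294967295")

    if auth not in ("None", "Use MD5"):
        raise LanSegmentError("auth must be 'None' or 'Use MD5'")
    if auth == "Use MD5" and not auth_key:
        raise LanSegmentError("Use MD5 selected but no authentication key given")

    # Note under Advertise LAN Prefix: no overlap between branch LANs and the DC network.
    for branch in branch_lan_prefixes:
        for dc in dc_prefixes:
            if ipaddress.ip_network(branch).overlaps(ipaddress.ip_network(dc)):
                raise LanSegmentError(f"branch LAN {branch} overlaps data center prefix {dc}")

    # Same AS as CSO's default -> iBGP; anything else -> eBGP (rule from Peer AS Number).
    peer_type = "internal" if peer_as == CSO_DEFAULT_AS else "external"
    return {"name": name, "gateway": str(iface.ip), "network": str(net),
            "peer": str(peer), "peer_as": peer_as, "peer_type": peer_type, "auth": auth}


def render_junos_bgp(seg, auth_key=None, local_as=CSO_DEFAULT_AS):
    """Illustrative Junos set commands for the validated segment (ASSUMED mapping)."""
    group = seg["name"]
    lines = [
        f"set routing-options autonomous-system {local_as}",
        f"set protocols bgp group {group} type {seg['peer_type']}",
        f"set protocols bgp group {group} neighbor {seg['peer']}",
    ]
    if seg["peer_type"] == "external":
        lines.insert(2, f"set protocols bgp group {group} peer-as {seg['peer_as']}")
    if seg["auth"] == "Use MD5":
        # TCP MD5 signatures (RFC 2385) are weak by modern standards but are the only
        # option the page offers; they still reject unauthenticated peers and spoofed RSTs.
        lines.append(f"set protocols bgp group {group} neighbor {seg['peer']} "
                     f"authentication-key \"{auth_key}\"")
    return lines


if __name__ == "__main__":
    # Constructed sample matching the page's use case: DC router in AS 65001, MD5 on.
    seg = validate_lan_segment("DC_Dept_LAN", "192.0.2.8/24", "192.0.2.1", 65001,
                               auth="Use MD5", auth_key="example-key-change-me",
                               branch_lan_prefixes=["10.10.1.0/24", "10.10.2.0/24"],
                               dc_prefixes=["10.200.0.0/16"])
    print("\n".join(render_junos_bgp(seg, auth_key="example-key-change-me")))
```

Run it with the branch LAN and data center prefixes you plan to use; an overlap raises before you spend an activation cycle finding out that routes from the data center shadow a branch LAN.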

Table 7: Site Activation Tasks and Troubleshooting

Site Activation Tasks

Troubleshooting

Model Site: CSO first models the site to begin the activation process.

 

Prestage Device: Depending on the type of device used, you might need to copy the configuration that is generated by CSO and commit the configuration on the device. For such devices, CSO can move to the next step (detecting the device) only after the configuration is committed successfully on the device.

This step typically goes through without problems. However, if you encounter a problem, log in to the device (using a console or a management interface), access the CLI, and verify that the stage-1 configuration was committed on the device.

Detect Device: The device reaches out to CSO, and communication with CSO is established.

This task typically takes a few minutes. If the status shows as Pending after about 10 minutes, try the troubleshooting steps.

If the device is not detected:

  1. Check that the correct interfaces on the device are connected.

  2. Log in to the device, and access the CLI.

  3. Check the system time that is configured on the device by executing the show system uptime command, and ensure that the system time is accurate. A mismatch in time might mean that the device is unable to connect to the redirect server.

  4. Note: This step is applicable only for branch sites.

    Execute the show interfaces terse command.

    In the command output, verify whether the device received a DHCP IP address. If the device did not receive an IP address, try to reconnect.

  5. If the device has a valid IP address, then verify that the device can reach the Internet by using the ping command. For example, ping www.juniper.net.

    If the ping command executes successfully, this means that the device can reach the Internet, and DNS resolution is working.

  6. Verify whether the device has the permissions required for outgoing connections on port 443 by executing the telnet redirect.juniper.net 443 command.

    If the device has the required permissions, you should see an output similar to the following:

    Trying 192.0.2.155...
    Connected to telnet-host.example.com.
    Escape character is '^]'.
    

Bootstrap Device:

This task comprises the following sub-tasks:

  1. A secure OAM tunnel (using IPsec) from the device to the OAM hub is established.

  2. An outbound SSH connection from the device is established with CSO.

  3. An Internal BGP (iBGP) peering between the device and the virtual route reflector (VRR) is established.

  4. The device sends a Bootstrap Complete message to CSO, which CSO receives and marks the bootstrap as completed.

The device is now managed by CSO.

This task typically takes a few minutes to finish. If the status shows as Pending after about 10 minutes, try the troubleshooting steps.

If the bootstrap device task does not finish successfully:

  1. Verify whether the stage-1 configuration was deployed on the device by executing the show configuration | display set | match outbound-ssh | match 7804 command.

    If the resulting output is similar to the following sample output, it means that the stage-1 configuration was deployed successfully.

    set system services outbound-ssh client CSO-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 192.0.2.100 port 7804
  2. Check if the secure OAM tunnels are up by executing the following commands:

    • show security ike sa command. If the State field in the output doesn't display UP, the most common cause is that UDP port 500 (IKE) is blocked between the device and the OAM hub. Ensure that UDP port 500 is open, and retry the activation job (from the Jobs page).

    • show security ipsec sa command. If the output doesn't list an active tunnel (Total active tunnels: 0) even though the IKE SA is UP, the most common cause is that UDP port 4500 (IPsec NAT-T) is blocked. Open UDP port 4500, and retry the activation job (from the Jobs page).

  3. Verify whether the device has established BGP peering with the VRR by executing the show bgp summary command.

    If the State field in the output displays Establ, it means that BGP peering is established successfully.

  4. Verify whether the secure OAM session is established by executing the show security flow session destination-port 7804 command.

    If the resulting output is similar to the following output (a TCP session from the device to CSO with destination port 7804), it means that the secure OAM session was established successfully.

    Session ID: 430000098, Policy name: default-policy-00/2, Timeout: 1778, Valid
      In: 192.0.2.10/15190 --> 192.0.2.20/7804;tcp, If: ge-7/1/0.0, Pkts: 109, Bytes: 5874, CP Session ID: 430000093
      Out: 192.0.2.20/7804 --> 192.0.2.10/15190;tcp, If: ge-7/1/1.0, Pkts: 64, Bytes: 4015, CP Session ID: 430000093
    Total sessions: 1

Manage Device: After CSO applies the configuration on the device, the status of the device changes to Managed.

If the status is showing Pending after about 10 minutes, try the troubleshooting steps.

Go to the Jobs page (Monitor > Jobs), search for the ZTP job, and check the status.

Click the job-name link to view the tasks associated with the job and their status. You can drill down further by clicking the task-name link. If the status of the job or task is In Progress, wait until the job or task finishes. If the job failed, you can retry the job by selecting the job, and clicking the Retry Job button.
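The troubleshooting steps for the Bootstrap Device task in Table 7 are a fixed sequence of show commands and checks, which makes them easy to automate. The script below is an added example (not CSO code or a Juniper tool) that parses the output of those commands and returns findings in the same order as the table, naming the port to check for each. The SAMPLE_* strings are constructed after the Junos output format, not captured from a real device, and column layouts vary by Junos release, so check the parsers against your own output; in practice the text would be collected from the device over SSH, which this script does not do.

```python
"""Bootstrap health check for a CSO-managed enterprise hub (added example, not CSO code)."""
import re

OAM_PORT = 7804  # outbound-ssh port between the device and CSO (from the page)


def stage1_present(cfg_text):
    """True if the CSO outbound-ssh client line from the stage-1 config is present."""
    pat = re.compile(r"^set system services outbound-ssh client CSO-\S+ \S+ port %d\s*$"
                     % OAM_PORT, re.M)
    return pat.search(cfg_text) is not None


def ike_sa_up(ike_text):
    """True if at least one IKE SA row (index, state, ...) shows UP."""
    for line in ike_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0].isdigit() and cols[1] == "UP":
            return True
    return False


def ipsec_active_tunnels(ipsec_text):
    """Number of active IPsec tunnels reported in the summary line."""
    m = re.search(r"Total active tunnels:\s*(\d+)", ipsec_text)
    return int(m.group(1)) if m else 0


def bgp_established(bgp_text, peer):
    """True if the summary row for `peer` ends in Establ (or in route counts)."""
    for line in bgp_text.splitlines():
        cols = line.split()
        if cols and cols[0] == peer:
            last = cols[-1]
            return last == "Establ" or re.fullmatch(r"\d+/\d+/\d+/\d+", last) is not None
    return False


def oam_session_present(flow_text):
    """True if a flow session exists whose In direction targets TCP OAM_PORT."""
    pat = re.compile(r"In:\s*\S+\s*-->\s*\S+/%d;tcp" % OAM_PORT)
    return pat.search(flow_text) is not None


def diagnose(cfg, ike, ipsec, bgp, flow, vrr_peer):
    """Return the list of findings in Table 7 order; empty means the bootstrap looks healthy."""
    findings = []
    if not stage1_present(cfg):
        findings.append("stage-1 config missing: copy and commit it from CSO")
    if not ike_sa_up(ike):
        findings.append("IKE SA not UP: check UDP 500 toward the OAM hub")
    if ipsec_active_tunnels(ipsec) == 0:
        findings.append("no active IPsec tunnel: check UDP 4500 toward the OAM hub")
    if not bgp_established(bgp, vrr_peer):
        findings.append(f"BGP to VRR {vrr_peer} not Establ: check the OAM tunnel and VRR reachability")
    if not oam_session_present(flow):
        findings.append(f"no session to TCP {OAM_PORT}: outbound-ssh to CSO not established")
    return findings


# Constructed samples in the Junos output format (not real device output).
SAMPLE_CFG = ("set system services outbound-ssh client "
              "CSO-11111111-2222-3333-4444-555555555555 192.0.2.100 port 7804\n")
SAMPLE_IKE_UP = ("Index   State  Initiator cookie  Responder cookie  Mode   Remote Address\n"
                 "4563210 UP     0123456789abcdef  fedcba9876543210  IKEv2  192.0.2.100\n")
SAMPLE_IKE_DOWN = ("Index   State  Initiator cookie  Responder cookie  Mode   Remote Address\n"
                   "4563210 DOWN   0123456789abcdef  0000000000000000  IKEv2  192.0.2.100\n")
SAMPLE_IPSEC_UP = ("  Total active tunnels: 1\n"
                   "  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway\n"
                   "  <131073 ESP:aes-cbc-256/sha256 3f2a1b0c 2912/ unlim - root 4500 192.0.2.100\n"
                   "  >131073 ESP:aes-cbc-256/sha256 9c8d7e6f 2912/ unlim - root 4500 192.0.2.100\n")
SAMPLE_IPSEC_DOWN = "  Total active tunnels: 0\n"
SAMPLE_BGP = ("Peer          AS   InPkt  OutPkt  OutQ  Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...\n"
              "192.0.2.200   64512  120    118     0     0       1:02:03 Establ\n"
              "  inet.0: 12/12/12/0\n")
SAMPLE_FLOW = ("Session ID: 430000098, Policy name: default-policy-00/2, Timeout: 1778, Valid\n"
               "  In: 192.0.2.10/15190 --> 192.0.2.100/7804;tcp, If: ge-0/0/0.0, Pkts: 109, Bytes: 5874\n"
               "  Out: 192.0.2.100/7804 --> 192.0.2.10/15190;tcp, If: .local..0, Pkts: 64, Bytes: 4015\n"
               "Total sessions: 1\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_CFG, SAMPLE_IKE_UP, SAMPLE_IPSEC_UP, SAMPLE_BGP, SAMPLE_FLOW, "192.0.2.200"))
    print(diagnose(SAMPLE_CFG, SAMPLE_IKE_DOWN, SAMPLE_IPSEC_DOWN, SAMPLE_BGP, SAMPLE_FLOW, "192.0.2.200"))
```

The order of the checks matters: an IKE failure makes the IPsec, BGP and outbound-ssh checks fail as a consequence, so fix the first finding and re-run before acting on the later ones.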

WHAT'S NEXT

After the enterprise hub is successfully provisioned, you must carry out the post-provisioning tasks, the first of which is to upload and install device licenses.

Upload and Install Device Licenses

After a site is successfully provisioned, you must upload the required device licenses into CSO, and then install the licenses on the device (that is associated with the site).

To upload and install device licenses:

  1. Upload the device license file:

    Note

    Device license files can be uploaded by the managed services provider (OpCo) Administrator or by the tenant.

    1. Select Administration > Device Licenses.

      The Device License Files page appears.

    2. Click the Add (+) icon.

      The Add License page appears.

    3. Click Browse to select the license file, and click Open.

      The License File field displays the license file that you selected.

      Note

      A license file can contain only one license key.

    4. (Optional) Enter a description for the license file in the Description field.
    5. Click OK.

      CSO parses the license file, and verifies whether the license file format is valid. If the format is valid, CSO uploads the license file, and returns you to the Device License Files page.

    If needed, upload additional device license files.

  2. Install (push) the license to the device:
    1. Select the device license file that you want to push to the device.
    2. Click Push License, and select Push.

      The Push License page appears, displaying the sites and devices to which the license can be pushed.

    3. Select the device to which you want to push the license, and click OK.

      CSO initiates a job to push the license to the device and displays a confirmation message. After the job completes successfully, the license is pushed to the device. You can view the status of the job on the Jobs page (Monitor > Jobs).

WHAT'S NEXT

The next step after installing licenses is to install the signature database on the device.

Install the Signature Database

Because SD-WAN uses application identification, you must install the active signature database (downloaded by the Juniper team to CSO) on the device.

Tip

The signature database also contains intrusion detection and prevention (IDP) signatures, also referred to as intrusion prevention system (IPS) signatures, which are used by CSO’s IDP/IPS features. For more information, see the About the IPS Profiles Page in the Customer Portal User Guide (available at the CSO Documentation page).

To install the active signature database:

  1. Select Administration > Signature Database.

    The Signature Database page appears.

  2. Click Install Signatures.

    The Install Signatures page appears, displaying the signature database version and the devices on which you can install the signature database.

  3. Select the check boxes corresponding to the devices on which you want to install the signature database.

    You can also search for, filter, or sort the devices that are displayed.

  4. From the Type field:
    • Select Run now to trigger the installation of the signature database immediately.

    • Select Schedule at a later time to install the signature database later, and specify a date and time at which you want the installation to be triggered.

  5. Click OK.
    • If you specified that the database must be installed immediately, a job is triggered. In the Job Tasks page that appears, the tasks associated with the signature database installation are displayed. Click OK to exit and return to the Signature Database page.

    • If you specified that the database must be installed later, a job is triggered and you are returned to the Signature Database page. A confirmation message (with the job ID) is displayed at the top of the page.

WHAT'S NEXT

After the signature database is installed successfully, you must add a firewall policy to allow traffic.

Add and Deploy Firewall Policy

Because Juniper’s SD-WAN devices are tightly integrated with security features, you must configure a firewall policy to allow traffic that traverses zones. By default, traffic between one site and another site, and traffic from a site to the Internet, are not allowed and must be explicitly permitted by using a firewall policy. CSO supports intent-based policies, which makes it simple for you to configure firewall policies.

To add and then deploy a firewall policy:

  1. Add a firewall policy:
    1. Select Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

    2. Click the Add (+) icon.

      The Add Firewall Policy page appears.

    3. Complete the configuration according to the guidelines provided in Table 8.

      Note

      Fields marked with an asterisk (*) are mandatory.

    4. Click OK.

      The firewall policy is added and displayed in the grid.

  2. Add one or more firewall policy intents to the policy:
    1. Click the Firewall-Policy-Name link.

      The Firewall-Policy-Name page appears.

    2. Click the Add (+) icon.

      The fields for adding an intent are displayed inline.

    3. Complete the configuration according to the guidelines provided in Table 9.
    4. Click Save.

      The intent is saved, and a confirmation message is displayed.

  3. Deploy the firewall policy:
    1. Click the Deploy button.

      The Deploy page appears.

    2. From the Choose Deployment Time field:
      • Select Run now to trigger the deployment of the policy immediately.

      • Select Schedule at a later time to schedule the deployment for later.

        If you schedule the deployment for later, enter the date (in MM/DD/YYYY format) and time (in HH:MM:SS 24-hour or AM/PM format) at which you want the deployment to be triggered. You specify the time in the local time zone of the client from which you access the CSO GUI.

    You are returned to the Firewall Policy page, and a job to deploy the policy is triggered. You can check the status of the deployment on the Jobs page (Monitor > Jobs).

Table 8: Add Firewall Policy Settings

Field

Guideline

Name

Enter a unique name for the firewall policy.

Description

(Optional) Enter a description for the firewall policy.

All Sites

Select the Enable check box to apply the firewall policy to all sites.

Select Sites

To apply the firewall policy only to specific sites, select the sites from the Available column, and click the right arrow icon (>).

Table 9: Add Firewall Policy Intent Settings

Field

Guideline

Name

Enter a name for the policy intent or use the name generated by CSO.

Description

(Optional) Enter a description for the policy intent.

Source

From the Site category, select the name of the site as the source.

You can select one or more sites in the Source field.

Note: You can select other options for the source (for example, a department). For more information, see Adding Firewall Policy Intents in the Customer Portal User Guide (available at the CSO Documentation page).

Action

Select Permit as the action to allow traffic.

Destination

From the Address category (Addr), select Any to specify that traffic to any Internet address or to a data center department is allowed.

Note: Selecting Any does not mean that site-to-site traffic is allowed. To allow site-to-site traffic, you must explicitly add intents to allow such traffic. For example, if you want traffic from Site A to Site B to be allowed in both directions (from A to B and from B to A), you must add two intents: one allowing traffic from Site A to Site B and another allowing traffic from Site B to Site A.

WHAT'S NEXT

Because we enabled local breakout on the WAN links (Internet) of the enterprise hub and the SD-WAN branch sites, the next step is to add an SD-WAN breakout profile.

Add SD-WAN Breakout Profile

Note

You can use one breakout profile for the enterprise hub site and a different profile (or two different profiles) for the SD-WAN branch sites, or you can use one breakout profile for all three sites.

As explained previously, if you enable a site’s WAN link for local breakout, the WAN link can be used for local breakout. However, the decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent. So, for traffic to break out locally, you must:

  1. Add an SD-WAN breakout profile.

  2. Add an SD-WAN policy intent that references the breakout profile.

  3. Deploy the SD-WAN policy.

To learn about breakout and breakout profiles in CSO, see Breakout and Breakout Profiles Overview in the Customer Portal User Guide (available at the CSO Documentation page).

To add an SD-WAN breakout profile:

  1. Select Configuration > SD-WAN > Breakout Profiles.

    The Breakout Profiles page appears.

  2. On the Breakout Profiles tab, click the Add (+) icon.

    The Add Breakout Profile page appears.

  3. Complete the configuration according to the guidelines provided in Table 10.

    Note

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    You are returned to the Breakout Profiles page, and a message confirming that the breakout profile was added is displayed. The page refreshes to display the breakout profile that you added.

Table 10: Fields on the Add Breakout Profile Page

Field

Guideline

Type

Select Local Breakout (Underlay) because we want traffic to break out locally (on the underlay) from the site.

Name

Enter a unique name for the breakout profile. You can use alphanumeric characters and hyphens (-); the maximum length is 15 characters.

Description

Enter a description for the breakout profile.

Traffic Type Profile

Select a traffic type profile to apply class of service (CoS) parameters to the breakout traffic.

Preferred Path

Because we’ve enabled only Internet WAN links (on the previously configured sites) to be used for breakout traffic, select Internet as the preferred path to be used for breaking out the traffic.

Advanced Configuration

You can optionally configure parameters for rate limiting the breakout traffic for cacheable applications. By default, rate limiting is disabled.

Note

Sites with the Secure SD-WAN Essentials service do not support cloud breakout profiles.

WHAT'S NEXT

The next step is to add an SD-WAN policy intent that references the breakout profile.

Add and Deploy SD-WAN Policy Intent

After you add an SD-WAN breakout profile, you must add an SD-WAN policy intent, and then deploy the SD-WAN policy intent to ensure that traffic breaks out locally from the WAN link that you configured for local breakout.

To add and deploy an SD-WAN policy intent:

  1. Add the SD-WAN policy intent:
    1. Select Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

    2. Click the Add icon (+).

      The parameters for an SD-WAN policy intent appear inline on the SD-WAN Policy page.

    3. Enter the policy intent information according to the guidelines provided in Table 11.
    4. Click Save.

      The SD-WAN policy intent is added, and a confirmation message is displayed. The Undeployed field is incremented by one, indicating that the policy intent must be deployed.

  2. Deploy the SD-WAN policy intent:
    1. Click the Deploy button.

      The Deploy page appears.

    2. From the Choose Deployment Time field:
      • Select Run now to deploy the policy immediately.

      • Select Schedule at a later time to schedule the deployment for later.

        If you schedule the deployment for later, enter the date (in MM/DD/YYYY format) and time (in HH:MM:SS 24-hour or AM/PM format) at which you want the deployment to be triggered. You specify the time in the local time zone of the client from which you access the CSO GUI.

    You are returned to the SD-WAN Policy page, and a job to deploy the policy is triggered. You can check the status of the deployment on the Jobs page (Monitor > Jobs).

    After the SD-WAN policy is successfully deployed, traffic can break out directly from the site.

Table 11: SD-WAN Intent Policy Settings

Field

Guideline

Name

Enter a name for the policy intent, or use the name generated by CSO.

Description

(Optional) Enter a description for the policy intent.

Source

If the SD-WAN policy intent is:

  • For the enterprise hub, select the name of the enterprise hub site.

  • For the branch site, select the name of the branch site.

Note: You can select other options for the source (for example, a department). For more information, see Creating SD-WAN Policy Intents in the Customer Portal User Guide (available at the CSO Documentation page).

Application

Select the applications for which you want to break out traffic locally.

Note: You can also select Any, which means that this policy intent applies to all applications. However, you'd typically do this only when matching on a guest department (that is, the Source would be the guest department) where you want all guest traffic to break out to the Internet through the underlay.

Traffic Steering Profile

Click inside the text box, and select the local breakout profile that you added earlier.
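The rules this procedure states (the Table 9 note that Destination Any does not permit site-to-site traffic and that each direction needs its own intent, the Table 10 name constraints, and the requirement that local breakout only happens when a breakout-enabled WAN link is matched by a deployed SD-WAN intent referencing a local breakout profile) can be checked before you click through the GUI. The following is an added example that models those rules in plain Python; it is not CSO code or its API, and the site, profile and application names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed model of the rules this procedure states; not CSO code or its API.
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # Table 10: alphanumerics and hyphens, max 15

@dataclass
class FirewallIntent:
    sources: set      # site names selected in the Source field
    destination: str  # "Any" (Addr category) or an explicit site name
    action: str       # "Permit" or "Deny"

@dataclass
class SdwanIntent:
    source: str       # site name
    applications: set # application names, or {"Any"}
    profile_type: str # type of the referenced breakout profile, e.g. "Local Breakout (Underlay)"
    deployed: bool = False

def valid_profile_name(name: str) -> bool:
    return bool(NAME_RE.match(name))

def site_to_site_allowed(intents, src, dst) -> bool:
    # Destination Any covers Internet/data-center traffic only (Table 9 note):
    # a site-to-site flow needs a Permit intent that names the destination site.
    return any(i.action == "Permit" and src in i.sources and i.destination == dst
               for i in intents)

def bidirectional_allowed(intents, a, b) -> bool:
    # A->B and B->A each need their own intent.
    return site_to_site_allowed(intents, a, b) and site_to_site_allowed(intents, b, a)

def breaks_out_locally(intents, breakout_links, site, app) -> bool:
    # Local breakout needs a WAN link enabled for it on the site AND a deployed SD-WAN
    # intent matching the site/application that references a local breakout profile.
    if not breakout_links.get(site, False):
        return False
    return any(i.source == site and ("Any" in i.applications or app in i.applications)
               and i.deployed and i.profile_type == "Local Breakout (Underlay)"
               for i in intents)

def example():
    # Constructed sample data with hypothetical site and application names.
    fw = [FirewallIntent({"SiteA"}, "Any", "Permit"),
          FirewallIntent({"SiteA"}, "SiteB", "Permit")]  # A->B only, no B->A intent
    sd = [SdwanIntent("Hub", {"Office365"}, "Local Breakout (Underlay)", deployed=True)]
    links = {"Hub": True, "Branch1": False}  # sites with a breakout-enabled WAN link
    return {"a_to_b": site_to_site_allowed(fw, "SiteA", "SiteB"),
            "both_ways": bidirectional_allowed(fw, "SiteA", "SiteB"),
            "hub_breakout": breaks_out_locally(sd, links, "Hub", "Office365"),
            "branch_breakout": breaks_out_locally(sd, links, "Branch1", "Office365")}
```

Running example() shows the A-to-B intent alone does not give bidirectional reachability, and that a branch with no breakout-enabled WAN link never breaks out even when an intent exists.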

WHAT'S NEXT