CSO Next-Generation Firewall Topology
Figure 1 shows the CSO standalone next-generation firewall (NGFW) topology. On the WAN side, the NGFW site, which is a standalone SRX Series or vSRX device, establishes the following connections:
Data connection for Internet traffic.
Management connection to CSO for establishing connectivity between CSO and the device, and for sending encrypted syslogs to CSO.
On the LAN side, which is not shown in the figure, the NGFW site can connect to LAN hosts. For NGFW sites, CSO allows you to provision greenfield devices or brownfield devices, with an option to import existing firewall and NAT policies into CSO for brownfield devices.