Add a Standalone Next-Generation Firewall Site
From CSO release 5.4.0 onward, the on-premises spoke (branch) site addition and site activation can be optionally separated, giving more flexibility to on-site installation of a CPE.
In SD-WAN deployments with next generation firewall (NGFW) capability comprising single or dual customer premises equipment (CPE), tenant administrators have an option to enter the serial number of the CPE device after adding the branch sites. The branch site can be added by a tenant administrator and activated manually by another authorized user. The authorized user must enter either the serial number and the activation code, or only the serial number when manually activating the CPE device later. The option to add branch sites without serial number of a CPE device is applicable to both SRX and NFX (NFX150 and NFX250) device templates.
You add the standalone NGFW site from the Site Management page.
To add a standalone NGFW site:
- Select Resources > Site Management.
The Site Management page appears.
- Click Add and select Add Branch Site (Manual).
The Add Branch Site page appears.
- Complete the configuration settings according to the guidelines
provided in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Click Next.
A summary page is displayed.
- Review the configuration and modify the settings, if needed,
from the Summary tab. Click OK.
If you entered a serial number during activation and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Troubleshooting Site Activation Issues.
Click OK to close the Site Activation Progress page.
If you did not enter a serial number and the automatic activation is disabled, you are returned to the Site Management page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job. After the job is finished, CSO displays a confirmation message with a job link. The status of the site changes to CREATED.
You must manually activate the device to finish the activation process.
The following procedure is applicable if zero touch provisioning (ZTP) is set true in the device template. If ZTP is disabled in the device template, you must copy the stage-1 configuration and commit it on the device for CSO to proceed with the activation.
To manually activate the CPE (branch site) device:
- Select the branch site CPE that has to be activated.
- Click Activate Site link in the Site Management
The Activate Site page appears.
- Enter the serial number(s) of the device and the activation
code. Click OK.
The Site Activation Progress page appears displaying the progress of steps executed for activating the CPE device. On successful activation of the device, the Site Status changes from Created to Provisioned.
- If you have
enabled the Zero Touch Provisioning field, CSO applies the stage-1
The device is activated automatically, if you have already provided the activation code and device serial number while creating the firewall site.
If you have disabled the Zero Touch Provisioning field for the device, you must manually configure the stage-1 configuration on the device.
- Click the Click to copy stage-1 config link
next to the Prestage Device task on the Site Activation Progress page.
If you close the Site Activation Progress page inadvertently, you
can access the page from the Site Management page. Click the View link next to the status of the site, under the Site Status
You can also copy the configuration from the Devices page (Resources > Devices). Select the device and click Stage1 Config.
The Stage-1 Configuration page appears displaying the stage-1 configuration.
- Copy the stage-1 configuration.
- Log in to the device and enter Junos OS configuration mode.
- Paste the configuration that you copied and commit the
CSO applies the pre-script and stage-1 configuration (includes the device configuration). The status of the site changes to MANAGED on the Sites page.
If you selected Security Services while adding the device, then CSO generates the service provisioning configuration and applies it on the device. The firewall site status changes to PROVISIONED in the Site Management page.
If you did not select Security Services while adding the device, then the device remains in the MANAGED state until you apply the service. You can edit the site and add the service. After you add the service, CSO applies the service provisioning configuration and the device is provisioned.
- Click the Click to copy stage-1 config link next to the Prestage Device task on the Site Activation Progress page. If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site, under the Site Status column.
You can also add a standalone firewall site using the site templates. For more information, see Add Branch Sites by Using a Site Template.
Table 1: Fields on the Add Branch Site Page (Standalone Firewall)
Enter a unique name for the firewall site. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
Device Host Name
The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
Select a site group to which you want to assign the site.
Select Security Services as you are adding a NGFW site. Note that Device Management is selected by default.
Address and Contact Information
Enter the street address of the site.
Enter the name of the city where the site is located.
Select the state or province where the site is located.
Enter the postal code for the site.
Select the country where the site is located.
You can click the Validate button to verify the address that you specified:
Enter the name of the contact person for the site.
Enter the e-mail address of the contact person for the site.
Enter the phone number of the contact person for the site.
Domain Name Server (DNS)
Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.
Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net The site must have DNS reachability to resolve the FQDN during site configuration.
Select the time zone for the site.
Disabled by default. Enable this option only for dual CPEs.
SRX is displayed by default.
Select the device model.
Enter the serial number of the firewall device. Note that the serial numbers are case-sensitive.
If you do not enter the serial number, the branch site is created but the CPE device is not activated. See Step-by-Step Procedure for more information.
Zero Touch Provisioning
Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.
To use ZTP, ensure the following:
If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.
If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged/preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.
If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:
Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default.
If you disable automatic activation, refer Activate a Device topic to manually activate the CPE.
If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.
Management Interface Family
Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.
When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports the phone-home client.
The boot image is the device image that was previously uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure. The boot image is populated based on the device template that you have selected while creating a site.
By default, the Use Image on Device option is selected.
Secure Log Source Interface
Select the port that you want to configure as management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces.
This field is displayed only if you enable Zero Touch Provisioning. Select the firewall policy that you want to deploy to the standalone firewall site. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page.
This field is displayed only if you enable Zero Touch Provisioning. Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page.
Import Policy Configuration
This field is displayed only if you disable Zero Touch Provisioning.
By default, this field is disabled. Click the toggle button to automatically import firewall policies and NAT policies from a NGFW device to CSO.
The following are the firewall and NAT configurations that are imported for this site:
Firewall rules (zone rules):
NAT rules (Source/Destination/Static):
Note: This section is displayed only if you disable Zero Touch Provisioning.
Select the IP address type (IPv4 or IPv6).
Enter the management interface.
Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.
By default, DHCP is selected. If you want to provide a static IP address, select STATIC.
Management VLAN ID
Enter a VLAN ID for the WAN link.
Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).
Configuration Templates (Optional)
Configuration Templates List
(Optional) Select one or more configuration templates from the list. This list is filtered based on the device that you select.
Configuration templates are stage-2 templates that are added by your OpCo administrators or SP administrators or Tenant administrators.
To set the parameters for the selected configuration templates: