Add Branch or Enterprise Hub Sites Without Provisioning a Service
Starting from CSO Release 6.0.0, you can use the Device Management option to add a branch or enterprise hub site without specifying a service.
After you add the site, the status of the site changes to MANAGED. The site can remain in this state for any duration. You can perform the following tasks when the device is in the MANAGED state:
- Apply stage-2 configuration or configuration templates
- Access the device console
- Reboot the device
- Install licenses and certificates on the device
- Install application signatures
You can deploy either a single or dual SRX CPE without adding a service. CSO Release 6.0.0 supports automatic cluster formation on SRX devices.
You cannot add a cloud spoke site with only device management capability. You must select a service for a cloud spoke site.
To configure SD-WAN or security features, you must assign a service to the device. You can edit the site to assign the services. After the service is assigned, the status of the device changes to PROVISIONED.
To add a site with only device management capability:
- Select Resources > Site Management.
The Site Management page appears.
- Click Add and select Branch Site (Manual) or Enterprise Hub.
The Add Branch Site or Add Enterprise Hub page appears.
- Complete the configuration settings according to the guidelines provided in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Click Next.
A summary page is displayed.
- Review the configuration and modify the settings, if needed, from the Summary tab.
- If you did not enter the serial number while creating the site, you must manually enter the serial number after adding the site, in order to activate
To manually activate the site:
- Click the Activate Site link that appears next to Site Status.
The Activate Site page appears.
- Enter the serial number of the device associated with the site.
- Click OK.
The Site Activation Progress page appears displaying the progress of steps executed for activating the CPE device.
- If you enabled the Zero Touch Provisioning field, CSO pushes the prescript and stage-1 configurations, and the site status changes to MANAGED in the Sites page.
If you disabled the Zero Touch Provisioning field for the device, you must copy the stage-1 configuration from CSO and commit it on the device.
- Click the Click to copy stage-1 config link next to the Prestage Device task in the Site Activation Progress page.
If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site, under the Site Status column.
You can also copy the configuration from the Devices page (Resources > Devices). Select the device and click Stage1 Config.
The Stage-1 Configuration page appears displaying the stage-1 configuration.
- Copy the stage-1 configuration.
- Log in to the device and enter Junos OS configuration mode.
- Paste the configuration that you copied and commit the
CSO applies the prescript and stage-1 configuration (includes the device configuration). The status of the site changes to MANAGED on the Sites page.
You can also add a site using the site templates. For more information, see Add Branch Sites by Using a Site Template.
Table 1: Fields on the Add Branch Site or Add Enterprise Hub Page (Only Device Management Capability)
Enter a unique name for the firewall site. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
Device Host Name
The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
Select a site group to assign the site.
Device Management is selected by default. You need not select the service.
Address and Contact Information
Enter the street address of the site.
Enter the name of the city where the site is located.
Select the state or province where the site is located.
Enter the postal code for the site.
Select the country where the site is located. Click the Validate button to verify the address that you specified.
Enter the name of the contact person for the site.
Enter the e-mail address of the contact person for the site.
Enter the phone number of the contact person for the site.
Domain Name Server (DNS)
Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.
Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net. The site must have DNS reachability to resolve the FQDN during site configuration.
Select the time zone for the site.
Note: Some fields in this section are displayed only if you enable the Device Redundancy option.
Disabled by default. Enable this option for dual CPEs.
The following prerequisites are necessary for enabling device redundancy:
Select the device series.
Based on the device series that you select, the supported device templates (containing information for configuring devices) are listed.
Select a device template for the selected device series.
Select the device model.
Enter the serial number of the device. Note that the serial numbers are case-sensitive.
If you do not enter the serial number, the branch site is created but not activated. See Step 6 to enter the serial number and activate the branch site later.
Node 0 Serial Number
For dual CPEs, enter the serial number of the primary CPE device. The serial number is case sensitive.
Node 1 Serial Number
For dual CPEs, enter the serial number of the secondary CPE device. The serial number is case sensitive.
Zero Touch Provisioning
Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.
To use ZTP, ensure the following:
If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the device is upgraded to the image that you select for the Boot Image.
If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged or preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.
If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:
Is Cluster Already Formed?
Select No if the cluster is not configured.
Enter the device Cluster ID. The value is ignored if the cluster is already formed on the device. The Cluster ID should be unique if more than one cluster is connected through the same Ethernet switch.
Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default.
If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.
Primary Activation Code
If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the primary CPE device.
Secondary Activation Code
If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the secondary CPE device.
Management Interface Family
Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.
When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports Phone-Home client.
The boot image is the device image that was previously uploaded to the image management system. The boot image is used to upgrade the device when CSO starts the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure. The boot image is populated based on the device template that you selected while creating a site.
By default, the Use Image on Device option is selected.
Select a device template, which contains information for configuring a device.
Note: This section is displayed only when Zero Touch Provisioning is disabled. If you are adding a chassis cluster, then you must provide the interface details for both the nodes.
Select the IP address type (IPv4 or IPv6).
This is a WAN interface that the device uses to connect to CSO.
Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.
DHCP is selected by default. If you want to provide a static IP address, select STATIC.
Management VLAN ID
Enter a VLAN ID for the WAN link.
Range: 0 through 4094
Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).
Configuration Templates (Optional)
Configuration Templates List
(Optional) Select one or more configuration templates from the list. This list is filtered based on the device that you select.
Configuration templates are stage-2 templates that are added by your OpCo administrators, SP administrators, or Tenant administrators.
To set the parameters for the selected configuration templates:
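The field rules in Table 1 can be checked before a site definition is entered in CSO. The following pre-flight check is an added example, not part of the CSO documentation or product; the dictionary keys, the `cloud_spoke` type value, and the sample values are hypothetical.

```python
import ipaddress
import re

# Table 1 name rule: alphanumeric characters and hyphen, at most 32 characters.
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
def is_ip(value, version=None):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return version is None or addr.version == version

def check_site(site):
    """Return (errors, notes) for one site dict; all keys are hypothetical."""
    errors, notes = [], []
    if not NAME_RE.fullmatch(site.get("site_name", "")):
        errors.append("site_name: alphanumerics and hyphen only, max 32 characters")
    if site.get("site_type") == "cloud_spoke" and not site.get("service"):
        errors.append("service: a cloud spoke site must have a service selected")
    dns = site.get("dns_servers", [])
    errors += [f"dns_servers: {d!r} is not an IPv4 address" for d in dns if not is_ip(d, 4)]
    # An NTP server given as an FQDN needs DNS reachability during site configuration.
    if any(not is_ip(n) for n in site.get("ntp_servers", [])) and not dns:
        notes.append("ntp_servers: FQDN used but no DNS server listed")
    vlan = site.get("management_vlan_id")
    if vlan is not None and not 0 <= vlan <= 4094:
        errors.append("management_vlan_id: range is 0 through 4094")
    dual = site.get("device_redundancy", False)
    serial_keys = ["node0_serial", "node1_serial"] if dual else ["serial"]
    if not all(site.get(k) for k in serial_keys):
        notes.append("serial number missing: site is created but not activated")
    if not site.get("auto_activate", True):
        prefixes = ["primary_", "secondary_"] if dual else [""]
        errors += [f"{p}activation_code: required when automatic activation is disabled"
                   for p in prefixes if not site.get(p + "activation_code")]
    if not site.get("ztp", True):
        notes.append("ZTP disabled: copy the stage-1 configuration and commit it on the device")
    return errors, notes

# Constructed sample: dual-CPE enterprise hub with manual activation and ZTP off.
SAMPLE = {
    "site_name": "hub-east-01", "site_type": "enterprise_hub",
    "dns_servers": ["192.0.2.53", "2001:db8::53"], "ntp_servers": ["ntp.example.net"],
    "management_vlan_id": 4095, "device_redundancy": True,
    "node0_serial": "CONSTRUCTED0001", "auto_activate": False,
    "primary_activation_code": "constructed-code", "ztp": False,
}

if __name__ == "__main__":
    print("\n".join(sum(check_site(SAMPLE), [])))
```

Errors are values that Table 1 rules out; notes are conditions the page describes as allowed but requiring a later manual step.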