New and Changed Features
This section describes the new features or enhancements
to existing features in Cloud CPE Solution Release 3.1.
SD-WAN
- Support for managing and deploying SD-WAN
policies—From Cloud CPE Solution Release 3.1 onward,
you can define and deploy SD-WAN policies for applications or application
groups based on service-level agreement (SLA) requirements. SD-WAN
policies help in optimum utilization of the WAN links and efficient
distribution of traffic. Policies are applied at site, site group,
or department level. You can also schedule your policy deployment
for a later date and time.
- Support for creating SLA profiles for applications
and application groups—From Cloud CPE Solution
Release 3.1 onward, you can create tenant-level SLA profiles and associate
the SLA profiles with applications or application groups. (In this
context, the term applications refers to applications
that do not need a Secure Sockets Layer (SSL) inspection.) An SLA
profile consists of defined target metrics, which include the following:
- Throughput, latency, packet loss, jitter, and delay
- An assured class of service
- Upstream and downstream rates for its applications
- Support for creating hub sites—Cloud CPE Solution Release 3.1 supports the creation of hub
sites for tenants. You create a hub site by selecting the site type
as an on-premise hub or during the creation of the site.
- Support for four SD-WAN-enabled links per
site—Starting with Cloud CPE Solution Release
3.1, you can configure up to four WAN links per site that support
SD-WAN. You can configure these links as MPLS or broadband links.
In releases before Cloud CPE Solution Release 3.1, you can configure
only two WAN links.
- Support for monitoring SLA performance—Cloud CPE Solution Release 3.1 supports the SLA-performance
monitoring of tenants, sites, and applications that have met and those
that have not met their defined SLA values in a specified period.
- Support for monitoring SD-WAN events—Cloud CPE Solution Release 3.1 supports the monitoring of
SD-WAN events. SD-WAN events are triggered when the SLA requirements
for a site are not met on its designated WAN link and the site switches
WAN links to meet its SLA requirements.
- Support for SD-WAN alert definitions—From Cloud CPE Solution Release 3.1 onward, you can create,
edit, and delete SD-WAN alert definitions. An alert definition consists
of data criteria for triggering alerts that warn you about issues
in your SD-WAN environment. Alert definitions also define the necessary
action required to resolve issues based on the severity of the alert.
- Support for creating site groups—Cloud CPE Solution Release 3.1 enables you to create site
groups, which are a collection of one or more sites, for policy management.
A site group enables you to apply a policy to all the sites in a group
simultaneously. You create site groups from the Create Site Group
page (Site > Site Groups > Create Site
Group).
- Viewing the bandwidth capacity of a WAN link—From Cloud CPE Solution Release 3.1 onward, you can view the
maximum bandwidth capacity of a WAN link. To view bandwidth capacity
of a WAN link, hover over the WAN link connected to a site on the WAN tab of the Site-Name page (Sites
> Site Management > Site-Name > WAN).
- Support for grouping LAN segments into departments—From Cloud CPE Solution Release 3.1 onward, you can group
LAN segments within a site into departments. You use departments to
apply specific policies to LAN segments that are members of a department.
You can create, view, edit, or delete departments from the Departments
page (Configuration > Shared Objects > Departments).
Security Management
- Support for NAT policy management—Cloud CPE Solution Release 3.1 enables you to create, modify,
and delete Network Address Translation (NAT) policies and rules. In
Cloud CPE Solution Release 3.1, only source-NAT and static-NAT management
are supported.
- Support for intent-based firewall policy—Cloud CPE Solution Release 3.1 enables you to create, modify,
and delete firewall intents associated with a firewall policy. Firewall
policies are intent-based, which means that they can incorporate both
Transport Layer (Layer 4) and Application Layer (Layer 7) application
firewall constructs in a single intent. In addition, policies are
automatically assigned to devices based on the endpoints chosen in
the definition of the intent, and do not need to be assigned to specific
devices manually. Firewall intents consist of source and destination
endpoints; the endpoints can be applications (L7), sites, IP addresses,
IP address groups, site groups, departments, and services. (In this
context, the term applications refers to applications
that do not need an SSL inspection.)
- Support for schedules in firewall policy—From Cloud CPE Solution Release 3.1 onward, you can create,
modify, clone, and delete firewall policy schedules. A schedule enables
you to run an intent for a specified period either on a one-time or
on a recurring basis based on how the schedule is created.
- Support for services in firewall and NAT
policies—From Cloud CPE Solution Release 3.1 onward,
you can create, modify, clone, and delete services or service groups.
A service refers to an application on a device, such as Domain
Name System (DNS). Services are based on protocols and ports used
by an application, and when added to a policy, a configured service
can be applied across all devices. The protocols available to create
a service include TCP, UDP, SUN-RPC, MS-RPC, ICMP, ICMPv6, and so
on.
You can combine services to form a service group. Service
groups are useful when you want to apply the same policy to multiple
services, because you then create and work with fewer
policies.
- Support for security dashboards—From Cloud CPE Solution Release 3.1 onward, a security dashboard
page displays information such as top events, top denials, top applications,
top source and destination IP addresses, top traffic, and top infected
hosts.
- Support for application visibility—From Cloud CPE Solution Release 3.1, you can view information
on bandwidth consumption, session establishment, and the risks associated
with your network applications. Analyzing your network applications
provides useful security management information, such as applications
that can lead to data loss, bandwidth overconsumption, time-consuming
applications, and personal applications that can elevate business
risks.
- Support for security alerts—From Cloud CPE Solution Release 3.1, you can create, edit,
and delete security alert definitions. Alerts notify administrators
about significant events within the system and warn them about problems
in the monitored environment.
An alert definition consists of data criteria for triggering
an alert. An alert is triggered when the event threshold exceeds the
defined data criteria.
- Support for security events and system log
messages—From Cloud CPE Solution Release 3.1 onward,
you can view security events associated with firewall, Web filtering,
IPsec VPN, content filtering, antispam, antivirus, and IPS events.
Security events include the system log messages of the device
and critical information such as the number of events, virus instances
found, interfaces that are down, attacks, CPU spikes, reboots, and
sessions.
- Ability to collect and view device events—From Cloud CPE Solution Release 3.1 onward, you can troubleshoot
a device by using device events. Device events include the following:
- Routine operations—for example, a user logging in to
the configuration database
- Failure and error conditions—for example, failure
to access a configuration file
- Emergency or critical conditions—for example, device
power failure due to excessive temperature
- Support for generating reports—From Cloud CPE Solution Release 3.1 onward, you can generate
reports to view the summary of network activity and overall network
status of CPE devices. Using reports, you can:
- Create, edit, delete, and clone reports, preview reports
in PDF, and send reports by e-mail
- Schedule reports based on the defined filters
- Schedule reports based on the available default reports
- Generate reports with multiple sections, where each section
has its own criteria
- Support for application signature management—Cloud CPE Solution Release 3.1 enables you to create, modify,
clone, delete, and view custom application signature groups, and view
predefined application signatures.
- Support for active database—From Cloud CPE Solution Release 3.1, you can download and
install the application firewall signature database on CPE devices.
This database includes signature definitions of attacks and applications
that can be used to identify applications for tracking firewall policies
and quality of service prioritization.
- Support for address management—Cloud CPE Solution Release 3.1 enables you to create, edit,
and delete addresses and address groups. Addresses and address groups
are used in firewall and NAT services.
Unified Portal
- Support for a unified Administration and
Customer Portal—Cloud CPE Solution Release 3.1
now supports a unified portal for both service provider users and
tenant users and for the services managed and consumed by the administrators
and tenants.
The unified portal contains the features of vCPE, uCPE, and
SD-WAN for both the Administration and Customer Portals; enforces
RBAC, which prevents tenants from accessing administrator data; and
supports different backend authentication methods for service provider
users and tenant users.
- Support for SSO authentication—Cloud CPE Solution Release 3.1 supports single sign-on (SSO)
authentication for the unified portal. You can authenticate and authorize
users by using one of the following authentication methods:
- Local—User accounts are maintained locally in Contrail
Service Orchestration (CSO), and users are authenticated and authorized
by CSO.
- Authentication by using an SSO server—User accounts
are maintained in the service provider’s SSO server, but authorization
information is stored in CSO. Users are authenticated by using the
SSO server.
- Authentication and authorization by using an SSO server—User
accounts and user roles are maintained in the service provider’s
SSO server. Users are authenticated by using the SSO server and authorized
by CSO by using Security Assertion Markup Language (SAML) attributes.
You can configure one SSO server for a service provider and
another for all its tenants. The following SSO servers are supported:
- Support for role-based access control (RBAC)—Cloud CPE Solution Release 3.1 enables you to add, view, edit,
and delete tenant and service provider users. The following roles
are available:
- MSP Administrator—Users with the MSP
Administrator role have full access to the Administration Portal UI
or API capabilities. They can use the UI or APIs to add one or more
users with MSP Administrator or MSP Operator roles, onboard tenants,
and add the first tenant administrator during the onboarding process.
They can also add tenant administrators or operators by switching
the scope to a specific tenant.
- MSP Operator—Users with the MSP Operator
role have read-only access to the Administration Portal and APIs.
- Tenant Administrator—Users with the Tenant
Administrator role have full access to the Customer Portal and APIs.
They can add one or more users with Tenant Administrator or Tenant
Operator roles.
- Tenant Operator—Users with the Tenant
Operator role have read-only access to the Customer Portal and APIs.
You can assign MSP roles to service provider users and Tenant
roles to tenant users.
- Security enhancements related to login credentials—Cloud CPE Solution Release 3.1 includes the following security-related
enhancements:
- Support for switching the tenant scope—From Cloud CPE Solution Release 3.1 onward, Administration
Portal users can change the tenant scope from all tenants to a specific
tenant by using the tenant switcher displayed on the banner. When
you switch scope from all tenants to a specific tenant, the menu and
pages displayed are almost the same as those displayed for Customer
Portal users, with some additional actions visible to the Administration
Portal users. When you switch back to the All Tenants scope,
the menu and pages for the Administration Portal are displayed.
Miscellaneous
- Full-service chaining support on the NFX
Series CPE device—From Cloud CPE Solution Release
3.1 onward, Network Service Controller (NSC) offers a European Telecommunications
Standards Institute (ETSI) NFV-compliant virtualized infrastructure
manager (VIM) to instantiate VNFs on NFX Series CPE devices.
This instantiation method provides optimal activation of third-party
VNFs and full-service chaining on NFX Series CPE devices. Consequently,
all traffic from a LAN connected to an NFX Series CPE device first
traverses the VNF on the device, and then passes through the vSRX
gateway device, and finally exits through the WAN link.
- Activation process for CPE devices—From Cloud CPE Solution Release 3.1 onward, you can activate
SRX300 Services Gateway and NFX250 Network Services Platform devices
in the following ways:
- By connecting a computer to the LAN port of the device
and entering the activation code through your browser
- By specifying the activation code in Customer Portal
- Support for upgrading and deploying an image—From Cloud CPE Solution Release 3.1 onward, you can upgrade
and deploy an image on a single device or multiple devices on a per-site
basis or across all sites of a tenant. A device can be a physical
network function (PNF) or a virtual network function (VNF).
You can also schedule the deployment of images.
- Support for configuration deployment—From Cloud CPE Solution Release 3.1 onward, you can deploy
SD-WAN and security policies immediately or schedule the deployment
for a later date and time.
- Support for viewing policies at the device
level and site level—From Cloud CPE Solution Release
3.1 onward, you can view the policies assigned to a CPE device (Resources > Devices > Device-Name > Policies) and the policies assigned to a tenant
site (Sites > Site Management > Site-Name > Policies). You can view the
following information about policies:
- List of all policies applicable to a tenant or site
- Details about the tenant user who last updated the policy
- Time when the policy was last updated
- Deployment status of the policy
- Number of intents applicable to the site compared to the
total number of intents applicable to the tenant
- Support for job management—From
Cloud CPE Solution Release 3.1 onward, you can view the list of jobs
that are currently running and the jobs that are scheduled to run
later. You can also specify whether you want to run a job immediately
or schedule it for a later date and time.
- Customer Portal Dashboard—From
Cloud CPE Solution Release 3.1 onward, you can see a customized view
of network services by using the widgets on the user-configurable
Dashboard page.
You can drag the widgets from the carousel at the top of your
dashboard to your workspace, where you can add, remove, and rearrange
them. The dashboard automatically adjusts the placement of the widgets
to dynamically fit on your browser window without changing their order.
You can manually reorder the widgets by using the drag and drop option.
In addition, you can press and hold the top portion of the widget
to move it to a new location.