New and Changed Features in Cloud CPE Solution Release 3.2
This section describes the new features or enhancements
to existing features in Cloud CPE Solution Release 3.2.
SD-WAN
- Support for Full Mesh Topology—Cloud
CPE Solution Release 3.2 supports the full mesh topology on tenants.
In full mesh topology, all sites in a tenant are connected to one
another through GRE and IPsec tunnels. The topology is selected when
the tenant is created and cannot be modified later. The following
two connection modes are supported in the full mesh topology type:
- Sparse mode—In sparse mode, an interface of a specific
type, MPLS or internet, is connected to only one other interface of
the same type in all other sites.
- Dense mode—In dense mode, an interface of a specific
type, MPLS or internet, is connected to all other interfaces of the
same type in all other sites.
- Support for Local Breakout on Sites—Cloud CPE Solution Release 3.2 supports local breakout directly
on the sites. Local breakout is the ability of the site to route Internet
traffic directly from the site. Local breakout is supported on sites
of both full mesh topology and hub and spoke topology tenants.
- Support for remote activation of SRX Series Services
Gateway—Cloud CPE Solution Release 3.2 supports
remote activation and reverse SSH on high-end SRX Series devices acting
as SD-WAN hub devices. The supported SRX Series devices are the SRX1500
device, the SRX5000 line of devices, and vSRX instances.
- Support for MX Series routers as SD-WAN Hub devices—Cloud CPE Solution Release 3.2 supports MX Series routers with MS-MIC support as SD-WAN
hub devices in a hub-and-spoke
topology. A new device template, MX_Advanced_SDWAN_HUB_option_1, has been added to support this feature.
- Support for Multihoming with SRX and MX Series routers—Cloud CPE Solution Release 3.2 supports the multihoming feature.
Multihoming is the ability of a spoke site to connect to two different
hub devices in a hub and spoke topology, thereby providing redundancy.
The hub devices function as the primary and the secondary hub devices,
respectively. The hub device must be an MX Series or an SRX Series
router. To enable multihoming for a site, you must select the hub
and spoke topology when you create the tenant. If you enable multihoming
for a site, you must specify a primary and a backup site when you configure
the site.
- Configuring a Spoke Site—When you configure
a hub site with WAN0 (Internet) and WAN1 (MPLS) links, the information about
a site should be displayed in the detailed view of the page before
you configure a spoke site.
Security Management
- Offline Support for Downloading Application Signatures—From Cloud CPE Solution Release 3.2 onward, you can download
a signature manager offline. You need to start a local web server
to host the signature package. You can use any of the following methods
to download application signatures:
- Support for UTM Profiles—From Cloud CPE Solution
Release 3.2 onward, you can view and manage unified threat management
(UTM) profiles, which can then be applied to a firewall policy intent.
UTM consolidates several security features to protect against
multiple threat types and streamlines the installation and management
of these multiple security capabilities. The following security features
are provided as part of the UTM solution:
- Antispam—Examines transmitted e-mail messages to
identify e-mail spam.
- Full file-based antivirus—Scans for viruses. A virus
is executable code that infects or attaches itself to other executable
code to reproduce itself.
- Express antivirus—Offers a less CPU-intensive alternative
to the full file-based antivirus feature.
- Content filtering—Blocks or permits certain types
of traffic based on the MIME type, file extension, protocol command,
and embedded object type.
- Web filtering—Lets you manage Internet usage by
preventing access to inappropriate Web content.
- Support for live threats map—From Cloud CPE Solution Release 3.2 onward, you can visualize
incoming and outgoing threats between geographic regions. You can
view blocked and allowed threat events based on feeds from IPS, antivirus,
and antispam engines, and unsuccessful login attempts and screen options. You
can also click a specific geographical location to view the event
count and the top five inbound and outbound IP addresses.
- Support for screen events—From Cloud
CPE Solution Release 3.2 onward, you can view and monitor screen events
on the Screen Events page. You can view information related to screen
events, including information about Internet Control Message Protocol
(ICMP) screening, IP screening, TCP screening, and UDP screening.
- Support for SSL certificate management—From Cloud CPE Solution Release 3.2 onward, you can view and
manage SSL certificates from the Certificates page. You can import
a certificate (directly from a file or by pasting the content), install
a certificate on one or more sites,
and uninstall a certificate from one or more sites.
- Support for intent-based SSL proxy policy—From Cloud CPE Solution Release 3.2 onward, you can create,
modify, and delete SSL forward proxy policy intents associated with
an SSL forward proxy policy. SSL Forward Proxy intents consist of
source and destination endpoints, and an SSL proxy profile; the endpoints
can be IP addresses, IP address groups, sites, site groups, and departments.
- Support for SSL forward proxy profiles—From Cloud CPE Solution Release 3.2 onward, you can create,
modify, clone, and delete SSL forward proxy profiles. When you create
an SSL forward proxy profile, you must specify the root certificate
to be used. SSL forward proxy profiles are applied through the intent-based
SSL proxy policy.
- Support for destination and persistent NAT policy
management—From Cloud CPE Solution Release 3.2
onward, destination-NAT and persistent-NAT management is supported,
in addition to the existing support for source-NAT and static-NAT
management.
- Support for NAT pools—From Cloud CPE Solution Release 3.2 onward, you can create,
modify, clone, and delete NAT pools. A NAT pool is a set of IP addresses
that you can define and use for translation.
Unified Portal
- Multitenant CPE Device Support—Cloud CPE Solution Release 3.2 enables a single NFX Series
device to be mapped to serve across multiple tenants (departments)
within a single tenant. Each tenant has its own Layer 3 VPN and all
Layer 3 VPNs at a tenant site are carried over using a shared overlay
to the hub and the traffic is segregated to each tenant. A single
overlay of IPsec or GRE tunnels must be used to carry all tenant traffic
from the site through MPLS-based traffic separation.
Miscellaneous
- Rebooting a Device—From Cloud
CPE 3.2 onward, you can reboot a device from Administration and Customer
portals.
To reboot a device, select Resources > Devices > More > Reboot
Device. A Device Reboot job link is created and the Status Message
column in the Devices page displays the reboot status of a device.
- Security enhancements related to login credentials—Starting with Cloud CPE 3.2, the Password and Confirm Password fields are removed from the Add Users page.
To enhance the security related to your login credentials, an
automatically generated password is sent to the e-mail address that
you have specified on the Add Users page. You are prompted to change
the password when you log in with the automatically generated password.
Unsupported Features
The Cloud CPE Solution Release 3.2 documentation describes some
features that are present in the application but that have not yet
been fully qualified by Juniper Networks. If you use any of these
features before they have been fully qualified, it is your responsibility
to ensure that the feature operates correctly in your targeted configuration.
The following features are present but unsupported in this release:
- Support for Defining Services by Uploading
Configuration in YANG file—Cloud CPE Solution
Release 3.2 enables you to create services by specifying custom parameters
in a YANG file and uploading it to add services to a service definition.
The user interface for creating services is generated depending on
the parameters specified in the YANG file.
- Support for Multi-vendor Device Discovery—Cloud CPE Solution Release 3.2 supports discovery of both
Juniper Networks and non-Juniper Networks devices. You can discover
devices in the network by specifying the IP address of the device
or an IP address range. You can discover devices from the Resources
> Devices > Discovered Devices page.