Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 

New and Changed Features in Contrail Service Orchestration Release 3.3.0

This section describes the new features or enhancements to existing features in CSO Release 3.3.0.

Centralized Deployment

  • Support for multiple regions in a centralized deployment—From CSO Release 3.3.0 onward, you can configure a maximum of three regions for centralized deployments. The regions are used to group services for various business reasons such as location, proximity, service distribution, and load. During CSO installation, you can add the regions and deploy the infrastructure services on the regions. You can assign the regions while creating a point of presence (POP). If you do not select the regions, then the default region regional is selected.

Device Management

  • Support for Return Material Authorization (RMA) for a device—From CSO Release 3.3.0 onward, you can recall a defective device, and replace it with a new or restored device by using the RMA process. Configurations that are customized using configuration templates are automatically restored during this process.

    Note: In CSO Release 3.3.0, the RMA process is not completely automated. You must manually push licenses, application signatures, certificates, and policies to complete the RMA process.

    When the new or restored device is in the PROVISIONED state:

    • In SD-WAN deployments, you can proceed to configure the device by manually pushing application signatures, certificates, and policies.

    • In hybrid WAN deployments, service chains are restored automatically.


  • Device redundancy support—CSO Release 3.3.0 supports device redundancy for large enterprise SD-WAN on-premise spoke sites. You can configure an SD-WAN site with two CPE devices to act as primary and secondary devices and protect the site against device and link failures. If the primary device fails, the secondary device takes over the traffic processing.

    Note: You must use the same device model of the NFX Series or SRX Series device and the devices (primary and secondary) must have the same version of Junos OS installed.

  • Support for configuring the backup link during site addition—From CSO Release 3.3.0 onward, you can optionally specify a backup link when you add a site. When the primary links are down, the site can use the backup link to route traffic. When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, SLA data is not monitored for the backup link.

  • Support for LTE as a backup link on NFX250 devices—CSO Release 3.3.0 supports LTE as a backup link on NX250 devices. If an LTE access type is configured for a WAN link, then, by default, the WAN link is used only as a backup link. You can configure the LTE access type while creating an on-premise spoke site.

  • High availability for virtual route reflectors—CSO Release 3.3.0 supports high availability (HA) for virtual route reflectors (VRRs). In an SD-WAN solution, multiple VRRs can be installed on the regional servers. BGP sessions are established between hub-and-spoke devices and VRRs.

  • Support for traffic type profiles—CSO Release 3.3.0 introduces traffic type profiles that enable MSP administrators and tenant administrators to configure CoS parameters that meet specific business requirements. Traffic type profiles enable you to define a traffic type and to configure parameters such as priority, buffer and bandwidth allocations, probe parameters, and DiffServ code point (DSCP) values for the traffic type.

  • Support for cloud spoke sites on AWS VPC—From CSO Release 3.3.0 onward, a tenant administrator can create and configure a cloud spoke site for an SD-WAN endpoint in an Amazon Web Services (AWS) virtual private cloud (VPC). To create a cloud spoke site, log in to Customer Portal and select Sites > Site Management > Add > Cloud Spoke. You must select the vSRX_AWS_SDWAN_Endpoint_option_1 device template while creating a cloud spoke site.

  • Support for generating SD-WAN reports—From CSO Release 3.3.0 onward, you can generate SD-WAN reports to view the SLA performance of all sites in a tenant and specific sites in a tenant. Using SD-WAN report definitions, you can generate the following SD-WAN reports:

    • SD-WAN Tenant Performance Reports—Enable you to view the parameters that measure the SLA performance across all sites in a tenant.

    • SD-WAN Site Performance Reports—Enable you to view the parameters that measure the SLA performance of specific sites in a tenant. You can generate reports for up to five sites in a tenant.

  • Support for viewing application visibility filtered based on departments—From CSO Release 3.3.0 onward, you can filter and view the application visibility data for departments within a single tenant.

Security Management

  • Support for offline download of signature database—From CSO Release 3.3.0 onward, when there is no Internet connectivity, CSO provides the option to download the signature database either from a local webserver hosted on your PC, or from any webserver accessible through the intranet.

    Note: You must first download the signature database from the Juniper Networks-hosted webserver to your local webserver, before performing an offline download.

  • Support for user-based firewall policy intents—From CSO Release 3.3.0 onward, you can define user-based firewall policy intents, which enable you to permit, reject, or deny traffic based on users or user groups, on SRX Series devices and vSRX instances.

  • Support for Juniper Identity Management Service—CSO Release 3.3.0 supports the Juniper Identity Management Service (JIMS). JIMS collects user identity information from a configured Active Directory and makes it available to SRX Series devices or vSRX instances.

    You can download and install JIMS, configure the CSO client on JIMS to obtain user identity information from the configured Active Directory, and use CSO and JIMS to manage user-based firewall policy intents on SRX Series devices and vSRX instances.

Unified Portal

  • Support for single-sign on (SSO) initiated by an Identity Provider (IdP)—From CSO Release 3.3.0 onward, the Identity Provider (IdP) initiation method is supported to authenticate MSP and tenant users. In this method, users are authenticated by using the SSO Server and then the CSO application is launched.

  • Personalizing the unified Administration and Customer Portal—From CSO 3.3.0 onward, you can personalize the unified Administration and Customer Portal. You can personalize the login page, top-left logo, and reports, and apply a font style and color palette to the left navigation bar and menu. You can also create, edit, and delete a custom color palette. You can also upload custom font styles and preview the custom color palette settings before you apply the settings.


  • Health check for infrastructure components—From CSO Release 3.3.0 onward, you can run a script ( to perform a health check of all infrastructure components. This script detects whether any infrastructure component has failed and displays the health status of each infrastructure component.

  • Provisioning VMware ESXi VMs by using the provisioning tool—From CSO Release 3.3.0 onward, if you use VMware ESXi VMs, you can use the provisioning tool——to create and configure VMs for CSO.

  • Ability to push a license to devices—From CSO Release 3.3.0 onward, MSP administrators can apply licenses to devices from Administration portal. MSP administrators can select any of the uploaded licenses from the License Files page, click Push License, and select the devices to which they want to apply the license.

    If licenses are available for a tenant, the licenses are pushed to the device as part of the ZTP workflow.

Unsupported Features

The CSO Release 3.3.0 documentation describes some features that are present in the application but that have not yet been fully qualified by Juniper Networks. If you use any of these features before they have been fully qualified, it is your responsibility to ensure that the feature operates correctly in your targeted configuration.

The following features are present but unsupported in this release:

  • Support for Application Quality of Experience (AppQoE)—CSO Release 3.3.0 supports AppQoE (on SRX series devices and vSRX instances) to improve the user experience at the application level. AppQoE is enabled when the SD-WAN mode for the tenant is set to Real-time Optimized. In real-time-optimized mode, CSO monitors the end-to-end application traffic for class-of-service (CoS) and SLA compliance.

    Note: Because AppQoE is an unsupported feature, SD-WAN with full mesh topology for dynamic policies is also not supported.

  • Support for RMA on dual CPE SRX devices

Modified: 2018-07-29