Step 2: Up and Running
Now that you’ve successfully logged in to CSO, let’s use CSO’s intuitive GUI to do the initial configuration.
If you’re an OpCo Administrator, add one or more tenants and assign CSO licenses to the tenants. See Add Tenants (OpCo Administrator) and Assign the CSO License to the Tenant (OpCo Administrator).
If you’re a Tenant Administrator, deploy the SD-WAN or NGFW service. See Deploy the SD-WAN Service (Tenant Administrator) or Deploy the NGFW Service (Tenant Administrator).
When in doubt, hover over the ? (Help) icon displayed next to the page title or fields on the CSO GUI to learn more about a page or a field on the page.
Add Tenants (OpCo Administrator)
Here’s how to add a tenant:
- From the main menu, go to the Tenants page (Tenants > Tenants View) and click +.
The Add Tenant page opens.
- Configure the following settings. After you complete the configuration in each of the tabs, click Next.
General tab, Name: Enter a unique name for the tenant. You can use alphanumeric characters and underscore; the maximum length allowed is 32 characters.
General tab, First Name: Enter the first name of the tenant.
General tab, Last Name: Enter the last name of the tenant.
General tab, Username (E-mail): Enter the e-mail address, which will be used as the tenant's username.
General tab, Roles: Select one or more of the available roles to assign to the tenant.
Deployment Info tab, Services for Tenant: Based on your tenant’s requirements, select either or both of the following services for the tenant:
SD-WAN—To enable Tenant Administrators to deploy and manage sites that have up to four WAN links with intelligent, SLA-based traffic routing among the WAN links
Next Gen Firewall—To enable Tenant Administrators to deploy and manage NGFW sites
- Click Finish to add the tenant.
An Add Tenant job is created. When the job completes, the tenant is listed on the Tenants page.
Your tenant will receive an account activation e-mail.
Assign the CSO License to the Tenant (OpCo Administrator)
- From the main menu, go to the CSO Licenses page (Administration > Licenses > CSO Licenses) and click the Assign link corresponding to the license that you want to assign.
The Assign CSO License page opens.
- For the Tenants List field, click +.
A row is added in the grid.
- In the Tenant column, select the tenant to which you want to assign the license. In the Device Quantity column, enter the quantity that you want to assign to the tenant.
Note: The sum of the assigned quantities must be less than or equal to the total quantity.
Then, click the check mark (√) to save your changes.
- Click Assign.
A job is triggered to assign the licenses to the tenants. When the job completes, the CSO Licenses page displays the updated information in the Available and Assigned columns.
Deploy the SD-WAN Service (Tenant Administrator)
To deploy the SD-WAN service, you'll need to add an enterprise hub site or a provider hub site, and an on-premises spoke site. Before you begin:
Ensure that the Encapsulating Security Payload (ESP) protocol traffic is allowed on the network.
Ensure that Network Address Translation (NAT) and firewall ports are open on the network. Here are the ports that must be open for your CPE device:
Device Model | NAT/Firewall Ports | CPE WAN Link Ports
SRX4x00 | 50, 51, 53, 123, 443, 500 or 4500, 514 or 3514, 7804 | xe-0/0/0 through xe-0/0/3
SRX3xx, SRX550M, and vSRX | 50, 51, 53, 123, 443, 500 or 4500, 514 or 3514, 7804 | ge-0/0/0 through ge-0/0/3
NFX250 | 50, 51, 443, 500 or 4500, 514 or 3514, 2216, 7804 | ge-0/0/10, ge-0/0/11, xe-0/0/12, and xe-0/0/13
NFX150 | 50, 51, 443, 500 or 4500, 514 or 3514, 7804 | heth2 through heth5
Add an Enterprise Hub Site
If you intend to use an existing Juniper Networks provider hub site, adding an enterprise hub site is optional.
- From the main menu, go to the Site Management page (Resources > Site Management), click Add, and select Add Enterprise Hub.
The Add Enterprise Hub page opens.
- Configure the following settings. After you complete the configuration in each of the tabs, click Next.
General tab, Site Name: Give the enterprise hub site a unique name. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters. Example: E-hub1
General tab, Site Capabilities: Select SD-WAN.
WAN tab, Device Series: Select SRX.
WAN tab, Device Template: Select a device template for the SRX Series device. The SRX Series device template contains information for configuring the SRX Series device. For example, for an SRX4100 device, select SRX4x00 as SD-WAN CPE (or a modified version of that template) as the device template.
WAN tab, Use for Fullmesh: Click the toggle button to enable the WAN link to be part of a full-mesh topology.
You typically implement a full-mesh topology to connect remote offices within an organization. A full-mesh topology is not commonly used to connect separate organizations because it allows each site to communicate directly with other sites.
Note: A site can have all WAN links enabled for meshing. For link redundancy, you must enable at least two WAN links for meshing.
Configure the two additional fields that appear:
Mesh Overlay Link Type: Keep the default selection (GRE over IPsec) as the type of encapsulation to be used for the overlay tunnels in the full-mesh topology.
Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.
Mesh Tags: Select one or more mesh tags for the WAN link.
The tunnels between the enterprise hub site and the on-premises spoke site are added based on matching mesh tags. So, if you want meshing to take place between a WAN link on the enterprise hub and a WAN link on the on-premises spoke site, the mesh tags must be the same for both sites.
LAN tab, Add LAN Segment: Add the LAN segment by specifying the Name, Department, Gateway Address/Mask, and CPE Ports.
- Click Finish to add the site.
When the site is added, the Site Status on the Site Management page changes to Provisioned.
Add an SD-WAN On-Premises Spoke Site
You must either add an enterprise hub site before adding an on-premises spoke site or use the existing Juniper Networks provider hub site.
- From the main menu, go to the Site Management page (Resources > Site Management), click Add, and select Add On-Premises Spoke (Manual).
The Add On-Premises Spoke Site page opens.
- Configure the following settings. After you complete the configuration in each of the tabs, click Next.
General tab, Site Name: Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
WAN tab, Device Series: Select the device family that your CPE device belongs to—SRX, NFX150, or NFX250.
WAN tab, Device Template: Select a device template for the CPE device. For example, for an SRX300 device, select SRX as SD-WAN CPE (or a modified version of that template) as the device template.
WAN tab, Use for Fullmesh: Click the toggle button to enable the WAN link to be part of a full-mesh topology.
You typically implement a full-mesh topology to connect remote offices within an organization. A full-mesh topology is not commonly used to connect separate organizations because it allows each site to communicate directly with other sites.
Note: A site with a single-CPE device can have a maximum of three WAN links enabled for meshing. A site with dual-CPE devices can have a maximum of four WAN links enabled for meshing.
Configure the two additional fields that appear:
Mesh Overlay Link Type: Keep the default selection (GRE over IPsec) as the type of encapsulation to be used for the overlay tunnels in the full-mesh topology.
Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type.
Mesh Tags: Select a mesh tag for the WAN link.
Note: You can select only one mesh tag, so ensure that you select the correct mesh tag.
The tunnels between the enterprise hub and the on-premises spoke site or between two on-premises spoke sites are added based on matching mesh tags.
- Click Finish to add the site.
When the site is added, the Site Status on the Site Management page changes to Provisioned.
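The mesh-tag matching described for the enterprise hub and the on-premises spoke site, worked through in code. This is an added example, not CSO code or its data model: it assumes a site has at most four WAN links, that a hub link may carry several mesh tags while a spoke link carries exactly one, and that a tunnel is expected between two meshed links on different sites whenever they share a tag. The site and link names other than E-hub1 are constructed.

```python
"""Which full-mesh overlay tunnels a set of mesh tags produces, plus the
per-site meshing limits stated in the procedure (added example, assumptions
as described in the lead-in)."""
from dataclasses import dataclass, field
from itertools import combinations

MAX_WAN_LINKS = 4            # "sites that have up to four WAN links"


@dataclass
class WanLink:
    name: str                                  # hypothetical naming, e.g. "WAN_0"
    mesh_enabled: bool = False                 # the "Use for Fullmesh" toggle
    mesh_tags: frozenset = frozenset()         # mesh tags selected on the link
    overlay: str = "GRE over IPsec"            # default mesh overlay link type


@dataclass
class Site:
    name: str
    kind: str                                  # "hub" or "spoke"
    dual_cpe: bool = False
    links: list = field(default_factory=list)

    def meshed_links(self):
        return [link for link in self.links if link.mesh_enabled]


def validate_site(site):
    """Return the constraints from the procedure that this site violates."""
    problems = []
    if len(site.links) > MAX_WAN_LINKS:
        problems.append(f"{site.name}: more than {MAX_WAN_LINKS} WAN links")
    meshed = site.meshed_links()
    if site.kind == "spoke":
        # single-CPE spoke: at most three meshed links; dual-CPE: at most four
        limit = 4 if site.dual_cpe else 3
        if len(meshed) > limit:
            problems.append(f"{site.name}: {len(meshed)} meshed links, limit is {limit}")
        for link in meshed:
            if len(link.mesh_tags) != 1:
                problems.append(f"{site.name}/{link.name}: a spoke link takes exactly one mesh tag")
    else:
        for link in meshed:
            if not link.mesh_tags:
                problems.append(f"{site.name}/{link.name}: meshed link has no mesh tag")
        if len(meshed) == 1:
            # the hub note: redundancy needs at least two meshed links
            problems.append(f"{site.name}: only one meshed link, no link redundancy")
    return problems


def expected_tunnels(sites):
    """Set of (endpoint, endpoint) pairs whose links share at least one mesh tag."""
    tunnels = set()
    for a, b in combinations(sites, 2):
        for la in a.meshed_links():
            for lb in b.meshed_links():
                if la.mesh_tags & lb.mesh_tags:        # matching tag => tunnel
                    ends = sorted((f"{a.name}:{la.name}", f"{b.name}:{lb.name}"))
                    tunnels.add(tuple(ends))
    return tunnels


def build_example():
    """Constructed topology: one enterprise hub and two single-CPE spokes."""
    hub = Site("E-hub1", "hub", links=[
        WanLink("WAN_0", True, frozenset({"internet", "mpls"})),
        WanLink("WAN_1", True, frozenset({"internet"})),
    ])
    spoke_a = Site("Spoke-A", "spoke", links=[
        WanLink("WAN_0", True, frozenset({"internet"})),
        WanLink("WAN_1", True, frozenset({"mpls"})),
    ])
    spoke_b = Site("Spoke-B", "spoke", links=[
        WanLink("WAN_0", True, frozenset({"internet"})),
        WanLink("WAN_1", False),               # not meshed: no tunnels on it
    ])
    return [hub, spoke_a, spoke_b]


if __name__ == "__main__":
    sites = build_example()
    for s in sites:
        for p in validate_site(s):
            print("WARN", p)
    for t in sorted(expected_tunnels(sites)):
        print("tunnel", t[0], "<->", t[1])
```

Running the script lists six tunnels: the hub's mpls-tagged link reaches only Spoke-A's mpls link, Spoke-A and Spoke-B mesh with each other on their internet links only, and Spoke-B's unmeshed link gets nothing. Changing a spoke link's tag so that it no longer matches the hub silently removes the tunnel, which is why the procedure stresses picking the correct single tag.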
Upload and Push the Device License
- From the main menu, go to the Device License Files page (Administration > Licenses > Device Licenses) and click +.
The Add License page opens.
- Click Browse to select the license file, and click Open.
The License File field displays the license file that you selected.
Note: A license file can contain only one license key.
- Click OK.
CSO parses the license file and verifies whether the license file format is valid. If the format is valid, CSO uploads the license file and you’re redirected to the Device License Files page.
- Select the license that you added. Click Push License and select Push.
The Push License page appears.
- Select the device to which you want to push the license, and click OK.
CSO initiates a job to push the license to the device. When the job completes, the license is pushed to the device.
Install the Active Signature Database
The signature database contains intrusion detection and prevention (IDP) and intrusion prevention system (IPS) signature definitions of predefined attack objects and groups. CSO uses IDP and IPS signatures to detect known attack patterns and protocol anomalies within the network traffic. You'll need to install the active signature database on one or more of your network devices. Juniper Networks downloads this database to CSO.
Here’s how to install the active signature database:
- From the main menu, go to the Signature Database page (Administration > Signature Database) and click Install Signatures.
The Install Signatures page opens displaying the active signature database version and the devices on which you can install the active signature database.
- Select the check boxes corresponding to the devices on which you want to install the active signature database. You can also search for, filter, or sort the devices displayed in the table.
- For the Type field, select one of the following options:
Run now—To immediately trigger the installation of the active signature database on the devices that you selected
Schedule at a later time—To install the active signature database later and specify a date and the time at which you want to trigger the installation
- Click OK.
The active signature database is installed on your devices.
Add and Deploy a Firewall Policy
A firewall policy enforces rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. You can deploy a firewall policy to all sites or specific sites.
Here’s how to add and deploy a firewall policy:
- From the main menu, go to the Firewall Policy page (Configuration > Firewall > Firewall Policy), and click the firewall policy to which you want to add the firewall policy intent.
The Firewall-Policy-Name page opens.
- Click + to add a firewall policy intent.
The options to add a firewall policy intent appear inline on the Firewall-Policy-Name page.
- Complete the following configuration:
To select the source endpoints for which you want to apply the firewall policy intent, click the add icon (+) to select from the list of addresses, departments, sites, site groups, users, zones, or the Internet.
To select the destination endpoints for which you want to apply the firewall policy intent, click the add icon (+) to select from the list of addresses, applications, application groups, departments, services, sites, site groups, zones, or the Internet.
To choose whether you want to allow, deny, or reject traffic between the source and destination endpoints, click the add icon (+) and select one of the following: Allow, Deny, or Reject.
To add advanced security features, click the add icon (+) to select from advanced security features such as unified threat management (UTM) Profiles and IPS Profiles.
- Click Save to save the changes to the firewall policy intent.
- Select the firewall policy intent that you added, and click Deploy.
The Deploy page opens.
- Choose whether you want to deploy the firewall policy intent at the current time (Run Now) or schedule the deployment for later (Schedule at a Later Time).
To schedule the deployment for later, enter the date (in MM/DD/YYYY format) and the time (in HH:MM:SS 24-hour or AM/PM format) that you want to trigger the deployment. Be sure to specify the time in the local time zone where you access the CSO GUI.
- Click Deploy.
The firewall policy is deployed.
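The way a policy built from intents decides what happens to transit traffic, worked through in code. This is an added example, not CSO's implementation: it assumes an intent carries source endpoints, destination endpoints, one of the actions Allow, Deny or Reject and optional UTM/IPS profile names, that a flow's two sides are described by attributes (IP address, site, department, zone, whether it is the Internet), that intents are evaluated in order with the first full match deciding, and that unmatched traffic falls to an implicit Deny. The policy, profile names, addresses and site names other than E-hub1 are constructed.

```python
"""First-match evaluation of firewall policy intents over described flows
(added example; the model and sample data are assumptions, see lead-in)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Deny and Reject both block the traffic; Reject additionally notifies the sender.
ACTIONS = {"Allow", "Deny", "Reject"}


@dataclass(frozen=True)
class Endpoint:
    kind: str        # "address" (CIDR), "site", "department", "zone", "internet" or "any"
    value: str = ""


@dataclass(frozen=True)
class Intent:
    name: str
    sources: tuple
    destinations: tuple
    action: str
    profiles: tuple = ()   # advanced security features, e.g. ("UTM:web-filter", "IPS:default")

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"{self.name}: action must be one of {sorted(ACTIONS)}")
        if not self.sources or not self.destinations:
            raise ValueError(f"{self.name}: source and destination endpoints are required")


def endpoint_matches(ep, side):
    """side describes one end of a flow, e.g. {"ip": "10.1.2.3", "site": "Spoke-A", "zone": "trust"}."""
    if ep.kind == "any":
        return True
    if ep.kind == "internet":
        return bool(side.get("internet", False))
    if ep.kind == "address":
        ip = side.get("ip")
        return ip is not None and ip_address(ip) in ip_network(ep.value, strict=False)
    return side.get(ep.kind) == ep.value          # site, department, zone


def evaluate(policy, src, dst, default="Deny"):
    """Return (intent name, action, profiles) of the first intent matching both ends."""
    for intent in policy:
        if any(endpoint_matches(e, src) for e in intent.sources) and \
           any(endpoint_matches(e, dst) for e in intent.destinations):
            return intent.name, intent.action, intent.profiles
    return "implicit-default", default, ()


# Constructed policy: a block before the broad allow, so ordering matters.
POLICY = (
    Intent("guest-to-finance", (Endpoint("zone", "guest"),),
           (Endpoint("department", "Finance"),), "Deny"),
    Intent("lan-to-internet", (Endpoint("zone", "trust"),),
           (Endpoint("internet"),), "Allow", ("UTM:web-filter", "IPS:default")),
    Intent("branch-to-hq", (Endpoint("site", "Spoke-A"),),
           (Endpoint("address", "10.10.0.0/16"),), "Allow"),
)


def demo():
    """Evaluate a few constructed flows and return the decisions by name."""
    trust_host = {"ip": "192.168.1.20", "site": "Spoke-A", "zone": "trust"}
    guest_host = {"ip": "192.168.9.5", "site": "Spoke-A", "zone": "guest"}
    finance_srv = {"ip": "10.10.5.7", "site": "E-hub1", "zone": "trust", "department": "Finance"}
    internet = {"ip": "203.0.113.10", "internet": True}
    return {
        "trust->internet": evaluate(POLICY, trust_host, internet),
        "guest->finance": evaluate(POLICY, guest_host, finance_srv),
        "guest->internet": evaluate(POLICY, guest_host, internet),
        "trust->finance": evaluate(POLICY, trust_host, finance_srv),
    }


if __name__ == "__main__":
    for flow, (name, action, profiles) in demo().items():
        print(f"{flow:18} {action:6} by {name} {profiles}")
```

Note that the guest host reaching the Internet is denied only by the implicit default, because no intent names a guest zone source; if that traffic should be allowed, an explicit intent is needed, and it should sit after any deny intents it must not override.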
Deploy SD-WAN Policy Intents
SD-WAN policy intents optimize how the network uses WAN links and distributes traffic.
CSO provides predefined SD-WAN policy intents for tenants.
Here’s how to deploy an SD-WAN policy intent:
- From the main menu, go to the SD-WAN Policy page (Configuration > SD-WAN > SD-WAN Policy), select the SD-WAN policy intent that you wish to deploy, and click Deploy.
The Deploy page opens.
- Choose whether you want to deploy the SD-WAN policy intent at the current time (Run Now) or schedule the deployment for later (Schedule at a Later Time).
To schedule the deployment for later, enter the date (in MM/DD/YYYY format) and the time (in HH:MM:SS 24-hour or AM/PM format) that you want to trigger the deployment. Be sure to specify the time in the local time zone where you access the CSO GUI.
- Click OK.
The SD-WAN policy intent is deployed.
Deploy the NGFW Service (Tenant Administrator)
Before you add an NGFW site:
Ensure that the required ports are open on the network. Here are the ports that must be open for your NGFW device:
Device Model | NAT/Firewall Ports
SRX3xx, SRX550M, SRX1500, SRX4100, and SRX4200 | 443, 500 or 4500, 514 or 3514, 6514, 7804, 8060 (needed if using PKI authentication to validate CRL)
Note: When you configure the SRX Series device, ensure that you configure either the first port (ge-0/0/0) or the last port (ge-0/0/7 or ge-0/0/15 based on the model) for Internet connectivity.
Add an NGFW Site
- From the main menu, go to the Site Management page (Resources > Site Management), click Add, and select Add On-Premises Spoke (Manual).
The Add On-Premises Spoke Site page opens.
- Configure the following settings. After you complete the configuration in each of the tabs, click Next.
General tab, Site Name: Give the NGFW site a unique name. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters. Example: Ngfw-1
General tab, Site Capabilities: Select Next Gen Firewall.
WAN tab, Device Template: Select the device template for your SRX Series device. For example, select SRX_Standalone_Pre_Staged_ZTP (or a modified version of that template) as the device template.
WAN tab, In-band Management Port: Select the port that you want to configure as management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces.
WAN tab, Import Policy Configuration: Click the toggle button to automatically import firewall and NAT policies from the NGFW device to CSO after zero-touch provisioning (ZTP) is complete. By default, this option is disabled.
If you do not see this toggle button, you can select the firewall policy and NAT policy that you want to deploy from the Firewall Policies drop-down list and the NAT Policies drop-down list respectively. Select None if you want to deploy the policies after you add the site.
- Click OK to add the NGFW site.
When the site is added, the Site Status on the Site Management page changes to Provisioned.
Upload and Push the Device License
- From the main menu, go to the Device License Files page (Administration > Licenses > Device Licenses) and click +.
The Add License page opens.
- Click Browse to select the license file, and click Open.
The License File field displays the license file that you selected.
Note: A license file can contain only one license key.
- Click OK.
CSO parses the license file and verifies whether the license file format is valid. If the format is valid, CSO uploads the license file and the Device License Files page opens.
- Select the license that you added and click Push License > Push.
The Push License page appears.
- Select the device to which you want to push the license, and click OK.
CSO initiates a job to push the license to the device. When the job completes, the license is pushed to the device.
Install the Active Signature Database
The signature database contains intrusion detection and prevention (IDP) and intrusion prevention system (IPS) signature definitions of predefined attack objects and groups. CSO uses IDP and IPS signatures to detect known attack patterns and protocol anomalies within the network traffic. You'll need to install the active signature database on one or more of your network devices. Juniper Networks downloads this database to CSO.
See Install the Active Signature Database.
Add and Deploy a Firewall Policy
A firewall policy enforces rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. You can deploy a firewall policy to all sites or specific sites.