Step 2: Up and Running

Here’s how to add a tenant:

Deploy the SD-WAN Service (Tenant Administrator)

• Add an Enterprise Hub Site

• Add an SD-WAN Branch Site

• Upload and Push the Device License

• Install the Signature Database

• Add and Deploy a Firewall Policy

• Deploy SD-WAN Policy Intents

Add an Enterprise Hub Site

1. From the main menu, go to the Site Management page (Resources > Site Management), click Add, and select Enterprise Hub.

   The Add Enterprise Hub page opens.

2. Complete the configuration settings according to the following guidelines:

   Tab	Field	Action
   General	Site Name	Give the enterprise hub site a unique name. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters. Example: E-hub1
   General	Device Host Name	The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen(-); the maximum length allowed is 32 characters.
   General	Site Capabilities	Note: Device Management, enabled by default, allows you to create a site with only device management capability (without any services) and add services later. To add an SD-WAN capability for this site, choose one of the following SD-WAN service types: Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials service level) Provides basic SD-WAN services. You can upgrade an SD-WAN Essentials site to an SD-WAN Advanced site by editing the site information. Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides the complete SD-WAN services. You cannot downgrade an SD-WAN Advanced site to an SD-WAN Essentials site.
   Device	Device Series	Select SRX.
   Device	Device Template	Select a device template for the SRX Series device. The SRX Series device template contains information for configuring the SRX Series device. For example, for an SRX4100 device, select SRX4x00 as SD-WAN CPE (or a modified version of that template) as the device template.
   Device	Use for Fullmesh	Click the toggle button to enable the WAN link to be part of a full-mesh topology. You typically implement a full-mesh topology to connect remote offices within an organization. A full-mesh topology is not commonly used to connect separate organizations because it allows each site to communicate directly with other sites. Configure the two additional fields that appear: Mesh Overlay Link Type: Keep the default selection (GRE over IPsec) as the type of encapsulation to be used for the overlay tunnels in the full-mesh topology. Mesh Tags: Select one or more mesh tags for the WAN link. The tunnels between the enterprise hub site and the branch site are added based on matching mesh tags. So, if you want meshing to take place between a WAN link on the enterprise hub and a WAN link on the branch site, the mesh tags must be the same for both sites.
   Device	Enable Local Breakout	Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled. Note: If you enable this option, the WAN link can be used for local breakout. You must enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan. Otherwise, the local breakout is disabled for the site.
   Device	Preferred Breakout Link	Click the toggle button to enable the WAN link as the most preferred breakout link. If you disable this option, the breakout link is chosen using ECMP from the available breakout links.
   Device	Connects to Provider Hubs	Note: The Connects to Provider Hubs field is available only if you have selected a provider hub. Click the toggle button to specify that the WAN link of the site connects to a provider hub. Note: For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted. For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.
   Device	Use for OAM Traffic	If you’ve specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link. Enable this field on at least two WAN links for redundancy. This WAN link is then used to establish the OAM tunnel.
   Device	Overlay Tunnel Type	This field is displayed when the Connects to Provider Hubs field is enabled. Select the mesh overlay tunnel type (GRE and GRE_IPSEC) of the tunnel to the hub. MPLS links can have both GRE and GRE_IPSEC as the overlay link type. However, Internet links can have only GRE_IPSEC as the overlay link type.
   Device	Overlay Peer Interface	This field is displayed when the Connects to Provider Hubs field is enabled. Select the interface name of the hub device to which the WAN link of the site is connected.
   Device	Link Priority	Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.
   Device	Add LAN Segment	Add the LAN segment by specifying the Name, Department, Gateway Address/Mask, and CPE Ports.

3. Click Finish to add the site.

   If you selected a service while adding the device, the Site Status on the Site Management page changes to Provisioned. If you did not select a service, then the Site Status remains in the Managed state until you apply the service. You can edit the site and add the service. After you add the service, the Site Status changes to Provisioned.

   Note

   In Release 6.1.0, CSO moves a site to the PROVISIONED state when at least one of the WAN links obtains the IP address and is activated. You can activate the remaining DHCP WAN links later.

   Some of the other site states are as follows:

   • Created—Indicates that the site was added but not configured.

   • Configured—Indicates that the site was configured but not activated.

   • Maintenance—Indicates that the site upgrade is in progress; any deployments that might occur because of other jobs are skipped when the site status is under Maintenance.

Add an SD-WAN Branch Site

1. From the main menu, go to the Site Management page (Resources > Site Management), click Add, and select Branch Site (Manual).

   The Add Branch Site page opens.

2. Complete the configuration settings according to the following guidelines: .

   Tab	Field	Action
   General	Site Name	Enter a unique name for the site. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
   General	Device Host Name	The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen(-); the maximum length allowed is 32 characters.
   General	Site Capabilities	Note: Device Management, enabled by default, allows you to create a site with only device management capability (without any services) and add services later. To add an SD-WAN capability for this site, choose one of the following SD-WAN service types: Secure SD-WAN Essentials—(Available for tenants with SD-WAN Essentials service level) Provides basic SD-WAN services. You can upgrade an SD-WAN Essentials site to an SD-WAN Advanced site by editing the site information. The SD-WAN Essentials service provides a subset of the Secure SD-WAN Advanced services. It does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool based source NAT rules, IPv6, MAP-E, or underlay BGP. Secure SD-WAN Advanced—(Available for tenants with SD-WAN Advanced service level) Provides complete SD-WAN services. You cannot downgrade an SD-WAN Advanced site to an SD-WAN Essentials site.
   Device	Device Series	Select the device family that your CPE device belongs to—SRX, NFX150, or NFX250.
   Device	Device Template	Select a device template for the CPE device. For example, for an SRX300 device, select SRX as SD-WAN CPE (or a modified version of that template) as the device template.
   Device	Use for Fullmesh	Click the toggle button to enable the WAN link to be part of a full-mesh topology. You typically implement a full-mesh topology to connect remote offices within an organization. A full-mesh topology is not commonly used to connect separate organizations because it allows each site to communicate directly with other sites. Note: A site with a single-CPE device can have a maximum of three WAN links enabled for meshing. A site with dual-CPE devices can have a maximum of four WAN links enabled for meshing. Configure the two additional fields that appear: Mesh Overlay Link Type: Keep the default selection (GRE over IPsec) as the type of encapsulation to be used for the overlay tunnels in the full-mesh topology. Note: For links with public IP addresses, we recommend that you use GRE over IPsec as the mesh overlay link type. Mesh Tags: Select a mesh tag for the WAN link. Note: You can select only one mesh tag, so ensure that you select the correct one. The tunnels between the enterprise hub and the branch site or between two branch sites are added based on matching mesh tags.
   Device	Enable Local Breakout	Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled. Note: If you enable this option, the WAN link can be used for local breakout. You must enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan. Otherwise, the local breakout is disabled for the site.
   Device	Preferred Breakout Link	Click the toggle button to enable the WAN link as the most preferred breakout link. If you disable this option, the breakout link is chosen using ECMP from the available breakout links.
   Device	Connects to Provider Hubs	Note: The Connects to Provider Hubs field is available only if you have selected a provider hub. Click the toggle button to specify that the WAN link of the site connects to a provider hub. Note: For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted. For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.
   Device	Use for OAM Traffic	If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link. Enable this field on at least two WAN links for redundancy. This WAN link is then used to establish the OAM tunnel.
   Device	Overlay Tunnel Type	This field is displayed when the Connects to Provider Hubs field is enabled. Select the mesh overlay tunnel type (GRE and GRE_IPSEC) of the tunnel to the hub. MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type.
   Device	Overlay Peer Interface	This field is displayed when the Connects to Provider Hubs field is enabled. Select the interface name of the hub device to which the WAN link of the site is connected.
   Device	Link Priority	Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.

3. Click Finish to add the site.

   If you selected a service while adding the device, the Site Status on the Site Management page changes to Provisioned. If you did not select a service, then the Site Status remains in the Managed state until you apply the service. You can edit the site and add the service. After you add the service, the Site Status changes to Provisioned. To know about some of the other site states, see Step 3 in the Add an Enterprise Hub Site section.

   Note

   In Release 6.1.0, CSO moves a site to the PROVISIONED state when at least one of the WAN links obtains the IP address and is activated. You can activate the remaining DHCP WAN links later.

Upload and Push the Device License

1. From the main menu, go to the Device License Files page (Administration > Licenses > Device Licenses) and click +.

   The Add License page opens.

2. Click Browse to select the license file, and click Open.

   The License File field displays the license file that you selected.

   Note

   A license file can contain only one license key.

3. Click OK.

   CSO parses the license file and verifies whether the license file format is valid. If the format is valid, CSO uploads the license file and you’re redirected to the Device License Files page.

4. Select the license that you added. Click Push License and select Push.

   The Push License page opens.

5. Select the device to which you want to push the license, and click OK.

   CSO initiates a job to push the license to the device. When the job completes, the license is pushed to the device.

Install the Signature Database

The signature database contains intrusion detection prevention (IDP) and intrusion prevention system (IPS) signature definitions of predefined attack objects and groups. CSO uses IDP and IPS signatures to detect known attack patterns and protocol anomalies within the network traffic. You'll need to install the signature database on one or more of your network devices. Juniper Networks downloads this database to CSO.

1. From the main menu, go to the Signature Database page (Administration > Signature Database) and click Install Signatures.

   The Install Signatures page opens displaying the signature database version and the devices on which you can install the signature database.

2. Select the check boxes corresponding to the devices on which you want to install the signature database. You can also search for, filter, or sort the devices displayed in the table.
3. For the Type field, select one of the following options:

   • Run now—To immediately trigger the installation of the signature database on the devices that you selected.

   • Schedule at a later time—To install the signature database later and specify a date and the time at which you want to trigger the installation.

4. Click OK.

   The signature database is installed on your devices.

Add and Deploy a Firewall Policy

A firewall policy enforces rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. You can deploy a firewall policy to all sites or specific sites.

1. From the main menu, go to the Firewall Policy page (Configuration > Firewall > Firewall Policy), and click the firewall policy to which you want to add the firewall policy intent.

   The Firewall-Policy-Name page opens.

2. Click + to add a firewall policy intent.

   The options to add a firewall policy intent appear inline on the Firewall-Policy-Name page.

3. Complete the following configuration:

   To	Do this
   Select the source endpoints for which you want to apply the firewall policy intent	Click the add icon (+) to select from the list of addresses, departments, sites, site groups, users, zones, or the Internet
   Select the destination endpoints for which you want to apply the firewall policy intent	Click the add icon (+) to select from the list of addresses, applications, application groups, departments, services, sites, site groups, zones, or the Internet
   Choose whether you want to allow, deny, or reject traffic between the source and destination endpoints	Click the add icon (+) and select one of the following: Allow, Deny, or Reject
   Add advanced security features	Click the add icon (+) to select from advanced security features such as unified threat management (UTM) Profiles and IPS Profiles

4. Click Save to save the changes to the firewall policy intent. 
5. Select the firewall policy intent that you added, and click Deploy.

   The Deploy page opens.

6. Choose whether you want to deploy the firewall policy intent at the current time (Run Now) or schedule the deployment for later (Schedule at a Later Time).

   To schedule the deployment for later, enter the date (in MM/DD/YYYY format) and the time (in HH:MM:SS 24-hour or AM/PM format) that you want to trigger the deployment. Be sure to specify the time in the local time zone where you access the CSO GUI.

7. Click Deploy.

   The firewall policy is deployed.

Deploy SD-WAN Policy Intents

SD-WAN policy intents optimize how the network uses WAN links and distributes traffic. CSO provides predefined SD-WAN policy intents for tenants.

1. From the main menu, go to the SD-WAN Policy page (Configuration > SD-WAN > SD-WAN Policy), select the SD-WAN policy intent that you wish to deploy, and click Deploy.

   The Deploy page opens.

2. Choose whether you want to deploy the SD-WAN policy intent at the current time (Run Now) or schedule the deployment for later (Schedule at a Later Time).

   To schedule the deployment for later, enter the date (in MM/DD/YYYY format) and the time (in HH:MM:SS 24-hour or AM/PM format) that you want to trigger the deployment. Be sure to specify the time in the local time zone where you access the CSO GUI.

3. Click OK.

   The SD-WAN policy intent is deployed.

Deploy the NGFW or Security Services (Tenant Administrator)

• Add an NGFW (Security Services) Site

• Upload and Push the Device License

• Install the Signature Database

• Add and Deploy a Firewall Policy

Add an NGFW (Security Services) Site

1. From the main menu, go to the Site Management page (Resources > Site Management), click Add, and select Branch Site (Manual).

   The Add Branch Site page opens.

2. Configure the settings. The following table lists the mandatory fields. You’ll find more details here.

   After you complete the configuration in each of the tabs, click Next.

   Tab	Field	Action
   General	Site Name	Give the NGFW site a unique name. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters. Example: Ngfw-1
   General	Device Host Name	The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen(-); the maximum length allowed is 32 characters.
   General	Site Capabilities	Select Security Services. Note: You can choose to either onboard a device with security services (NGFW) configured on it or configure the service later.
   Device	Device Template	Select the device template for your SRX Series device. For example, select SRX_Standalone_Pre_Staged_ZTP (or a modified version of that template) as the device template.
   Device	In-band Management Port	Select the port that you want to configure as management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces.
   Device	Import Policy Configuration	Click the toggle button to automatically import firewall and NAT policies from the NGFW device to CSO. For this zero-touch provisioning (ZTP) has to be disabled because CSO does not provision brownfield NGFW devices (devices which are already configured and operational) by using ZTP. By default, the Import Policy Configuration option is disabled. If you do not see this toggle button, you can select the firewall policy and NAT policy that you want to deploy from the Firewall Policies drop-down list and the NAT Policies drop-down list respectively. Select None if you want to deploy the policies after you add the site.

3. Click OK to add the NGFW site.

   If you selected a service while adding the device, the Site Status on the Site Management page changes to Provisioned. If you did not select a service, then the Site Status remains in the Managed state until you apply the service. You can edit the site and add the service. After you add the service, the Site Status changes to Provisioned.

Upload and Push the Device License

1. From the main menu, go to the Device License Files page (Administration > Licenses > Device Licenses) and click +.

   The Add License page opens.

2. Click Browse to select the license file, and click Open.

   The License File field displays the license file that you selected.

   Note

   A license file can contain only one license key.

3. Click OK.

   CSO parses the license file and verifies whether the license file format is valid. If the format is valid, CSO uploads the license file and the Device License Files page opens.

4. Select the license that you added and click Push License > Push.

   The Push License page opens.

5. Select the device to which you want to push the license, and click OK.

   CSO initiates a job to push the license to the device. When the job completes, the license is pushed to the device.

Install the Signature Database

The signature database contains intrusion detection prevention (IDP) and intrusion prevention system (IPS) signature definitions of predefined attack objects and groups. CSO uses IDP and IPS signatures to detect known attack patterns and protocol anomalies within the network traffic. You'll need to install the signature database on one or more of your network devices. Juniper Networks downloads this database to CSO.

See Install the Signature Database.

Add and Deploy a Firewall Policy

A firewall policy enforces rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. You can deploy a firewall policy to all sites or specific sites.

See Add and Deploy a Firewall Policy.