
Adding and Provisioning a Next Generation Firewall Overview

Overview

You can use Contrail Service Orchestration (CSO) to:

  • Add a firewall site for the next generation firewall device.

  • Configure a CPE device (SRX Series services gateway) as a next generation firewall device.

  • Add firewall policies for the standalone firewall site.

  • Deploy the firewall policies for the standalone firewall site.

Topology

The topology for adding a branch site with next generation firewall capabilities is shown in Figure 1.

Figure 1: Branch site with next generation firewall

Workflow

The following workflow describes the steps that are required to set up a firewall site and provision the firewall device associated with the site.

To set up a next generation firewall site and provision the firewall device:

  1. Add a standalone next generation firewall site. See Add a Standalone Next-Generation Firewall Site.

    Note:

    Before proceeding to the next step, ensure that the ZTP process is complete and that the firewall device status is set to the Provisioned state.

  2. Configure the firewall device. See Configuring the Firewall Device.

  3. Add firewall policies for the site. See Adding a Firewall Policy.

  4. Add firewall policy intents for the firewall policies that you added. See Adding Firewall Policy Intents.

  5. Deploy firewall policies to the site. See Deploying Firewall Policies.