
Adding a Site Template

You can add a site template for a branch site. A site template can be added with Security (also referred to as next-generation firewall or NGFW) or SD-WAN capabilities.

To add a site template:

  1. Select Resources > Templates > Site Templates.

    The Site Templates page appears.

  2. Click the + icon.

    The Add Site Template page appears.

  3. Complete the configuration according to the guidelines in Table 1.

    The last column of Table 1 indicates the capabilities for which a field is applicable.

    Note:

    Fields marked with * are mandatory.

  4. Click OK.

The site template is added and listed in the Site Templates page. You can use the site template to add multiple branch sites.

Table 1: Fields on the Add Site Template Page

Field

Description

Applicable To

General Tab

Template Name

Specify a unique name for the site template that can contain alphanumeric characters and hyphens (-); the maximum length is 32 characters.

 

Template Description

Enter a description for the site template; the maximum length is 512 characters.

 

Site Information

Site Group

Select a site group to which you want to assign the template. Example: sdwan-spoke

 

Site Capabilities

Site Capabilities

Select one of the following capabilities for the site template:

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Note:
  • The WAN capabilities that are displayed here are filtered based on the service types that are assigned to the tenant.

 

Configuration

Primary Enterprise Hub

Select the primary enterprise hub with which you want to connect the branch site. If you specify an enterprise hub, then the initial site-to-site traffic as well as the central breakout (backhaul) traffic (if applicable) is sent through the enterprise hub instead of the hub site.

SD-WAN

Secondary Enterprise Hub

Select the secondary enterprise hub for this branch site.

The branch site connects with secondary enterprise hub when the primary enterprise hub is down.

SD-WAN

Create Threshold

Enter the number of sessions closed between the connected sites within a duration of two minutes above which a full mesh is created between the two sites.

The default value is 5.

For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two branch sites in 2 minutes exceeds 5.

SD-WAN

Delete Threshold

Enter the number of sessions closed between the connected sites in a duration of 15 minutes below which full mesh is deleted between the two sites.

The default value is 2.

For example, if you specify the number of sessions closed as 2, dynamic mesh tunnels are deleted if the number of sessions closed is less than or equal to 2.

SD-WAN

Address and Contact Information

Street Address

Enter the street address of the site.

 

City

Enter the city where the site is located.

 

State/Province

Select the state or province where the site is located.

 

ZIP/Postal Code

Enter the postal code for the site.

 

Country

Select the country where the site is located. Click the Validate button to verify the address. The site address verification successful message is displayed if the address is correct. You can click the View location on a map link to see the address location.

If you enter the wrong address and click the Validate button to verify the address, the Site address could not be validated message is displayed.

 

Contact Name

Enter the name of the contact person at the site.

 

Email

Enter the e-mail address of the contact person at the site.

 

Phone

Enter the phone number for the site.

 

Advanced Configuration

Domain Name Server (DNS)

Specify one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on.

DNS servers are used to resolve hostnames into IP addresses.

 

NTP Server

Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.

Example: ntp.example.net

The site must have DNS reachability to resolve the FQDN during site configuration.

 

Select Timezone

Select the time zone in which the site is located from the drop-down list.

 

Device Tab

 

Device Redundancy

Enable this option only for dual CPEs.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Device Series

Select the device series to which the CPE belongs (SRX, NFX150, or NFX250) and select a device template for the selected device series.

The device template contains information for configuring a device.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Device Model

Select a device model from the list.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If ZTP is disabled, you must manually copy (by using the CLI) the Stage-1 configuration onto the device.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Is Cluster Already Formed?

Click the toggle button to confirm whether the cluster is formed.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Cluster ID

Enter the device Cluster ID. The value is ignored if the cluster is already formed on the device. Cluster ID must be unique if more than one cluster is connected through the same switch.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Auto Activate

Click the toggle button to enable or disable automatic activation of the CPE when the CPE is detected by CSO (the management status of the device is Device_Detected).

When you enable this field, zero-touch provisioning of the device is automatically triggered after the site with the CPE is added to CSO.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced


Boot Image

Select the boot image from the drop-down list if you want to upgrade the image for the CPE device.

The boot image is the latest build image uploaded to the image management system. The boot image is used to upgrade the device when CSO starts the ZTP process.

If the boot image is not provided, then the device skips the procedure to upgrade the device image. The boot image (NFX or SRX) is populated based on the device template that you have selected while adding a site. See Uploading a Device Image.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Management Connectivity

Note:

This section is displayed only when Zero Touch Provisioning is disabled. If you enabled device redundancy, enter the information for both the nodes.

Interface Name

Enter the management interface.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Address assignment

By default, DHCP is selected. If you want to enter a static IP address, select STATIC.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

DATA VLAN ID

Enter a VLAN ID for the WAN link.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Secure Log Source Interface

Select the port that you want to configure as the management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as in-band management interfaces.

Security Services

Firewall Policies

Select the firewall policy that you want to deploy. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page.

Security Services

NAT Policies

Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page.

Security Services (Next Gen Firewall)

Hub Configuration

Primary Provider Hub

Select a primary data hub for the SD-WAN site.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Secondary Provider Hub

Select a secondary data hub for the SD-WAN site.

  • Secure SD-WAN Advanced

Primary Enterprise Hub

Select a primary gateway hub for the SD-WAN site.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Secondary Enterprise Hub

Select a secondary gateway hub for the SD-WAN site.

  • Secure SD-WAN Advanced

WAN 0

Click the toggle button to enable or disable this WAN link. By default, the WAN_0 link is enabled.

When you enable a WAN link, fields related to the WAN link appear. Fields marked with an asterisk (*) must be configured.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Link Type

Select the underlay network type (MPLS or Internet) of the WAN link that is connected to the branch site.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Access Type

Select the access type for the underlay link.

  • If you selected Internet as the link type, you can select Ethernet (default), LTE, ADSL, or VDSL as the access type.

  • If you selected MPLS as the link type, you can select Ethernet (default) or LTE as the access type.

You can select the LTE, ADSL, or VDSL access type for only one WAN link.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

PPPoE/PPP

By default, this toggle button is disabled. Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet) or PPP (Point-to-Point Protocol).

PPPoE works with Ethernet, ADSL, and VDSL access types. PPP works with the LTE access type.

Note:

This toggle button is not available for Internet links with LTE as the access type.

If you enable this toggle button, you must specify the PPPoE or PPP parameters (username, password, and authentication protocol) for the PPPoE or PPP server, respectively. The PPPoE or PPP server assigns an IP address to the WAN link after successful authentication. For more information, see the PPPoE/PPP Settings section in this table.

If you have disabled this toggle button, select a method (DHCP or STATIC) to assign an IP address to the WAN link from the Address Assignment list.

  • Secure SD-WAN Advanced

Egress Bandwidth

Enter the maximum bandwidth (in megabits per second [Mbps]) to be allowed for the WAN link. Range: 1 through 10,000

Note:

This option is not available for Internet and MPLS links with LTE access type.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Underlay Address Families

Address Assignment

Select the method for IP address assignment. The options available are:

  • DHCP—Select DHCP to assign an IP address by using a DHCP server.

  • STATIC—Select STATIC to assign a static IP address.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Advanced Settings

Underlay Address Family

Provider

Enter the name of the service provider who is responsible for providing the WAN link.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Cost/Month

Enter the cost for using the WAN link per month and select the currency in which the cost is indicated from the adjacent drop-down list.

Range: 1 through 10,000.

In bandwidth-optimized SD-WAN, CSO uses this information to identify the least expensive link to route traffic when multiple WAN links meet SLA profile parameters.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Autocreate Source NAT Rule

Click the toggle button to enable or disable the automatic creation of source NAT rules. By default, this field is enabled when local breakout is enabled on the WAN link.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Translation

Select the type of NAT to use for the traffic on the WAN link:

  • Interface—Use interface-based NAT, which is the default option.

  • Pool—Use pool-based NAT. If you select this option, you must specify the IP addresses that can be used for the NAT pool.

    Note:

    No NAT is performed for tenant-owned public IP addresses.

  • Secure SD-WAN Advanced

Preferred Breakout Link

Click the toggle button to enable the WAN link as the most preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

BGP Underlay Options

Note:

This setting can be configured only if the address assignment is static and local breakout is enabled.

Click the toggle button to enable BGP underlay routing.

When you enable BGP underlay routing, route advertisements to the primary PE node and, if configured, the secondary PE node occur as follows:

  • CSO advertises the WAN interface subnet.

  • If you configured pool-based translation, CSO advertises the NAT address pool.

Note:

If underlay BGP is enabled for a WAN link, then the routes learnt from BGP are installed for local breakout; CSO does not generate the static default route.

  • Secure SD-WAN Advanced

Use For Fullmesh

Click the toggle button to specify that the WAN link is part of a fullmesh topology.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Mesh Overlay Link Type

When the Use for Fullmesh field is enabled, select the type of mesh overlay link (GRE or GRE_IPSEC).

If the link type is Internet, by default, the value for mesh overlay link type is GRE_IPSEC.

If the link type is MPLS, select one of the following options:

  • GRE-IPSEC

  • GRE

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Mesh Tag

When the Use for Fullmesh field is enabled, enter the tag to be associated with the WAN link for creating tunnels. You can assign only one tag to the link.

Matching mesh tags is one of the criteria used to form tunnels between sites that support meshing.

  • For a branch site, you can select one mesh tag.

  • For an enterprise hub, you can select one or more mesh tags.

For more information about mesh tags, see Mesh Tags Overview.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Connects To Hub

Click the toggle button to specify that the WAN link of the site connects to a hub.

Note:
  • For sites with a single CPE, you must enable at least one WAN link to connect to the hub so that OAM traffic can be transmitted.

  • For sites with a dual CPE, you must enable at least one WAN link per device to connect to the hub so that OAM traffic can be transmitted.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Backup Link

Select a backup link through which traffic can be routed when the primary (other) links are unavailable. You can select any link other than the default links or links that are configured exclusively for local breakout traffic.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Default Link

Select one or more links to be used for routing traffic in the absence of matching SD-WAN policies.

A site can have multiple default links to the hub site. If a site has more than one default link, equal-cost multipath (ECMP) is used to balance the traffic between the links.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

VLAN ID

Enter the VLAN ID that is associated with the data link. A data VLAN identifier is an integer.

Range: 0 through 65,535

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

WAN_1 (WAN-Interface-Name)

Click the toggle button to enable or disable this WAN link. By default, the WAN_1 link is disabled.

Refer to the fields described for WAN 0 for an explanation of the fields.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

WAN_2 (WAN-Interface-Name)

Click the toggle button to enable or disable this WAN link. By default, the WAN_2 link is disabled.

Refer to the fields described for WAN 0 for an explanation of the fields.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

WAN_3 (WAN-Interface-Name)

Click the toggle button to enable or disable this WAN link. By default, the WAN_3 link is disabled.

Refer to the fields described for WAN 0 for an explanation of the fields.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Advanced Configuration

OAM IP Prefix

Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network.

Note:

We recommend that you do not configure this setting (leave the IP Prefix field blank) because management connectivity is handled automatically by CSO.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

DVPN Threshold for Tunnel Creation

Specify the minimum number of sessions that should be closed in two minutes to automatically trigger a tunnel creation. When the number of sessions closed exceeds the specified threshold, a tunnel is created between the branch site and the destination site.

  • Secure SD-WAN Advanced

DVPN Threshold for Tunnel Deletion

Specify the maximum number of tunnels that should be closed in 15 minutes to trigger a tunnel deletion. When the number of sessions closed is lower than the specified threshold, the tunnel between the branch site and destination site is deleted.

  • Secure SD-WAN Advanced
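The Create/Delete Threshold fields (and the equivalent DVPN Threshold for Tunnel Creation/Deletion fields above) describe a hysteresis rule: a dynamic mesh tunnel is created when the number of sessions closed between two sites in a two-minute window exceeds the create threshold, and deleted when the number closed in a 15-minute window falls to or below the delete threshold. The Mesh Tag field adds a precondition: tunnels form only between links whose mesh tags match and that are marked Use For Fullmesh. The following is an added example, not CSO code or any published CSO algorithm, that models that decision logic with sliding windows over a constructed sequence of session-close timestamps; the class and function names, the window constants, and the site and tag names are assumptions made for illustration.

```python
"""Added example: dynamic-mesh create/delete decision with mesh-tag matching.
Not CSO code; constants and names are illustrative assumptions."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

CREATE_WINDOW_S = 120   # page: create threshold is evaluated over 2 minutes
DELETE_WINDOW_S = 900   # page: delete threshold is evaluated over 15 minutes


@dataclass(frozen=True)
class WanLink:
    site: str
    use_for_fullmesh: bool
    mesh_tags: frozenset  # branch: exactly one tag; enterprise hub: one or more


def can_mesh(a: WanLink, b: WanLink) -> bool:
    """Both links must be fullmesh-enabled and share at least one mesh tag."""
    return a.use_for_fullmesh and b.use_for_fullmesh and bool(a.mesh_tags & b.mesh_tags)


@dataclass
class DynamicMeshController:
    create_threshold: int = 5   # page default
    delete_threshold: int = 2   # page default
    closed: deque = field(default_factory=deque)  # session-close timestamps (seconds)
    tunnel_up: bool = False

    def record_close(self, ts: float) -> None:
        self.closed.append(ts)

    def _closes_in(self, now: float, window: float) -> int:
        return sum(1 for t in self.closed if now - window < t <= now)

    def evaluate(self, now: float, link_a: WanLink, link_b: WanLink) -> str:
        """Return 'create', 'delete', 'keep' or 'none' for this evaluation instant."""
        # Drop events that have aged out of the longest window.
        while self.closed and self.closed[0] <= now - DELETE_WINDOW_S:
            self.closed.popleft()
        if not self.tunnel_up:
            if can_mesh(link_a, link_b) and self._closes_in(now, CREATE_WINDOW_S) > self.create_threshold:
                self.tunnel_up = True
                return "create"
            return "none"
        if self._closes_in(now, DELETE_WINDOW_S) <= self.delete_threshold:
            self.tunnel_up = False
            return "delete"
        return "keep"


def simulate() -> list[str]:
    """Constructed scenario: a burst of closes, a quiet period, then a tag mismatch."""
    branch = WanLink("branch-a", True, frozenset({"tag-red"}))
    hub = WanLink("ent-hub-1", True, frozenset({"tag-red", "tag-blue"}))
    other = WanLink("branch-c", True, frozenset({"tag-blue"}))
    ctl = DynamicMeshController()
    actions = []
    for ts in (10, 20, 30, 40, 50):
        ctl.record_close(ts)
    actions.append(ctl.evaluate(55, branch, hub))    # 5 closes: not > 5, so no tunnel
    ctl.record_close(60)
    actions.append(ctl.evaluate(60, branch, hub))    # 6 closes in 2 min: create
    actions.append(ctl.evaluate(300, branch, hub))   # still 6 in the 15-min window: keep
    actions.append(ctl.evaluate(1000, branch, hub))  # window empty (0 <= 2): delete
    mismatch = DynamicMeshController()
    for ts in range(10, 80, 10):                     # 7 closes, well above threshold
        mismatch.record_close(ts)
    actions.append(mismatch.evaluate(80, branch, other))  # tags differ: never created
    return actions


if __name__ == "__main__":
    print(simulate())
```

The strict `>` on creation and `<=` on deletion follow the page's own examples ("exceeds 5" and "less than or equal to 2"); the two different window lengths are what keep a tunnel from flapping when traffic is bursty.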

LAN Segment Configuration

Displays the VLANs and their IDs that you configure on the device.

  • Optional: To add a VLAN, click the + icon on the top right corner of the LAN Segments table. The Create LAN Segment page appears. See Table 2 to complete the configuration.

  • To edit details of a VLAN, select the VLAN and click the Edit icon (pencil) on the top right corner of the LAN Segments table. The Edit LAN Segment page appears, displaying the same fields that are presented when you add a VLAN.

    Modify the parameters as needed and click OK. The changes that you made for the LAN segment are saved and the updated parameters appear on the LAN Segments table.

  • To delete one or more VLANs, select the VLANs and click the Delete icon on the top right corner of the LAN Segments table.

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Additional Configuration

Configuration Templates (Optional)

Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo, SP, or tenant administrators.

Note:

You must set the parameters of the configuration templates that you have selected before you move to the LAN section.

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs—Configure and Summary.

  2. In the Configure tab, enter values for the parameters in each configuration template.

    (Optional) View the CLI commands in the Summary tab.

  3. Click OK.

    You have added and set the parameters for the configuration templates that are part of the site template that you are creating.

  • Device Management

  • Security Services

  • Secure SD-WAN Essentials

  • Secure SD-WAN Advanced

Table 2: Fields on the Add LAN Segment Page

Field

Description

Add LAN Segment

Use for Overlay VPN

When this option is enabled, the LAN segment is associated with the selected department (VRF + ZONE) for overlay traffic to other sites.

When this option is disabled, the LAN segment is attached to the security zone for underlay breakout. Zone-based security policies must be defined by the user.

Name

Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.

CPE Port

Select the CPE device port.

VLAN ID

Enter the VLAN ID for the LAN segment.

You can use VLAN IDs in the following ranges to configure LAN segments:

  • SRX Series Firewalls (single and dual CPE) and vSRX Virtual Firewall: 1 through 4094 (in releases prior to CSO Release 6.2.0, the range is 1 through 4049)

  • NFX250 (single and dual CPE) and NFX150 devices: 1 through 4049

Use for Native VLAN

When this option is enabled, the VLAN ID is used for untagged traffic. The selected interface is configured with native-vlan-id equal to the number specified for the VLAN ID.

Department

Select a department to which the LAN segment is to be assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You group LAN segments as departments for ease of management and for applying policies at the department-level.

Gateway Address/Mask

Specify a unique and valid IPv4 address with subnet mask (for example, 10.0.2.1/24). This address is the default gateway for endpoints in this LAN segment. Configuration of LAN subnets in the range 100.112.0.0 - 100.127.255.255 is not supported.
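Several fields in Table 1 and Table 2 carry constraints that are easy to get wrong when templates are generated or scripted rather than typed into the page: the template name character set and length, the LAN segment name rules, the per-platform VLAN ID ranges, the /32 requirement on the OAM IP prefix, and the unsupported 100.112.0.0 through 100.127.255.255 LAN range. The following is an added example, not CSO code, of pre-flight checks that apply those documented constraints to template input before it is submitted; the function names, the dictionary layout of a LAN segment, and the sample segments are assumptions made for illustration, and the regexes are my reading of the wording on the page.

```python
"""Added example: pre-flight validation of site template fields against the
constraints documented in Table 1 and Table 2. Not CSO code."""
from __future__ import annotations

import ipaddress
import re

# Page: alphanumeric characters and hyphens, maximum length 32.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")
# Page: alphanumeric plus . and -, no spaces, maximum length 15.
LAN_SEGMENT_NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,15}$")
# Page: LAN subnets in 100.112.0.0 - 100.127.255.255 are not supported (= 100.112.0.0/12).
UNSUPPORTED_LAN_RANGE = ipaddress.ip_network("100.112.0.0/12")
# Page: VLAN ID upper bounds per platform; lower bound is 1 for all.
VLAN_MAX = {"SRX": 4094, "vSRX": 4094, "NFX150": 4049, "NFX250": 4049}
SRX_LEGACY_VLAN_MAX = 4049  # SRX/vSRX limit in releases prior to CSO 6.2.0


def check_template_name(name: str) -> list[str]:
    if TEMPLATE_NAME_RE.match(name):
        return []
    return [f"template name {name!r}: only alphanumerics and hyphens, 1-32 characters"]


def check_lan_segment_name(name: str) -> list[str]:
    if LAN_SEGMENT_NAME_RE.match(name):
        return []
    return [f"LAN segment name {name!r}: only alphanumerics, '.', '-', no spaces, max 15 characters"]


def check_vlan_id(device_series: str, vlan_id: int, before_cso_620: bool = False) -> list[str]:
    if device_series not in VLAN_MAX:
        return [f"unknown device series {device_series!r}"]
    upper = VLAN_MAX[device_series]
    if before_cso_620 and device_series in ("SRX", "vSRX"):
        upper = SRX_LEGACY_VLAN_MAX
    if not 1 <= vlan_id <= upper:
        return [f"VLAN ID {vlan_id} out of range 1-{upper} for {device_series}"]
    return []


def check_gateway(addr_mask: str) -> list[str]:
    """Gateway Address/Mask: IPv4 host address with mask, outside the unsupported range."""
    if "/" not in addr_mask:
        return [f"gateway {addr_mask!r}: subnet mask required (for example 10.0.2.1/24)"]
    try:
        iface = ipaddress.ip_interface(addr_mask)
    except ValueError:
        return [f"gateway {addr_mask!r}: not a valid address/mask"]
    if iface.version != 4:
        return [f"gateway {addr_mask!r}: must be IPv4"]
    problems = []
    net = iface.network
    # A default gateway must be a host inside the subnet, not the network/broadcast address.
    if iface.ip == net.network_address or (net.prefixlen < 31 and iface.ip == net.broadcast_address):
        problems.append(f"gateway {addr_mask!r}: must be a host address inside the subnet")
    if net.overlaps(UNSUPPORTED_LAN_RANGE):
        problems.append(f"gateway {addr_mask!r}: LAN subnets within {UNSUPPORTED_LAN_RANGE} are not supported")
    return problems


def check_oam_prefix(prefix: str) -> list[str]:
    """OAM IP Prefix: a /32 IPv4 prefix (the page recommends leaving it blank)."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return [f"OAM prefix {prefix!r}: not a valid IPv4 prefix"]
    if net.version != 4 or net.prefixlen != 32:
        return [f"OAM prefix {prefix!r}: must be a /32 IPv4 prefix"]
    return []


def validate_lan_segments(segments: list[dict], device_series: str) -> list[str]:
    """Check each segment (keys: name, vlan_id, gateway) plus uniqueness across segments."""
    problems: list[str] = []
    seen_names, seen_vlans, seen_gateways = set(), set(), set()
    for seg in segments:
        problems += check_lan_segment_name(seg["name"])
        problems += check_vlan_id(device_series, seg["vlan_id"])
        problems += check_gateway(seg["gateway"])
        for label, seen, value in (("name", seen_names, seg["name"]),
                                   ("VLAN ID", seen_vlans, seg["vlan_id"]),
                                   ("gateway", seen_gateways, seg["gateway"])):
            if value in seen:
                problems.append(f"duplicate LAN segment {label} {value!r}")
            seen.add(value)
    return problems


# Constructed sample input: one duplicate VLAN ID and one subnet in the unsupported range.
SAMPLE_SEGMENTS = [
    {"name": "users", "vlan_id": 10, "gateway": "10.0.10.1/24"},
    {"name": "voice", "vlan_id": 20, "gateway": "10.0.20.1/24"},
    {"name": "guest", "vlan_id": 20, "gateway": "100.120.0.1/24"},
]

if __name__ == "__main__":
    for problem in validate_lan_segments(SAMPLE_SEGMENTS, "SRX"):
        print(problem)
```

Running the block against the constructed sample reports exactly two problems: the repeated VLAN ID 20 and the guest gateway whose /24 lies inside 100.112.0.0/12. Catching these before submission matters because an overlapping or duplicate LAN definition is a routing and policy-scoping error, not just a form error.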

DHCP

For directly connected LAN segments, click the toggle button to enable DHCP. DHCP is disabled by default.

You enable DHCP if you want to assign IP addresses by using a DHCP server. You disable DHCP if you want to assign a static IP address to the LAN segment.

Note:

If you enable DHCP, the DHCP-related fields are displayed. You must configure these fields.