Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

SD-WAN and NGFW Workflows for a Tenant Administrator

This topic provides information on SD-WAN and Next-Generation Firewall (NGFW) workflows that a Tenant Administrator can perform in the Customer Portal.

Note:

Before you begin, ensure that your account is activated.

If you’re a Tenant Administrator, you can deploy the SD-WAN or NGFW service.

SD-WAN Deployment Workflow

If you deploy the SD-WAN service, CSO intelligently routes traffic through the optimal path based on the criteria you specify in CSO. For example, you can ensure that mission-critical application data is sent over the MPLS link (reliable and secure path) and the non-mission-critical application data is sent over the Internet link (best-effort, non-secure path). CSO also performs load balancing automatically and manages network congestion to route traffic efficiently.

To deploy SD-WAN:

  1. Login to the Customer Portal.
  2. For SD-WAN, you can add one or more provider hub sites, one or more enterprise hub sites, or a combination of provider hub sites and enterprise hub sites. For SD-WAN Essentials service, you can add only one provider hub site, one enterprise hub site, or a combination of one provider hub site and one enterprise hub site:
  3. If you added enterprise hub sites, perform post-processing tasks for the enterprise hub sites. See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.
  4. Add one or more SD-WAN branch sites. See Add SD-WAN Branch Sites. To add a site without applying a SD-WAN service, see Add Branch or Enterprise Hub Sites Without Provisioning a Service.
  5. Perform post-processing tasks for the SD-WAN branch sites. See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.
  6. (Optional) Configure a cloud spoke site. Adding Cloud Spoke Sites for SD-WAN Deployment
  7. Monitor SD-WAN sites and devices.

    If you want to view

    Then visit

    General information about the site, WAN overlay and underlay links, policies, and devices

    Resources > Site Management > Site-Name

    For more information, see Manage a Site

    General information about the device, and view recent alerts and alarms

    Resources > Devices > Device-Name.

    For more information, see Manage a Single CPE Device.

    Alerts generated by the SD-WAN CPE or enterprise hub devices

    Monitor > Alerts

    For more information, see About the Generated Alerts Page

    Alarms raised by the SD-WAN CPE or enterprise hub devices

    Monitor > Alarms

    For more information, see About the Alarms Page.

    SLA performance of the tenant’s sites that have met and not met the defined SLA values

    Monitor > Application SLA Performance

    For more information, see About the SLA Performance of a Single Tenant Page and Viewing the SLA Performance of a Site.

    Applications such as sessions, bandwidth consumed, and risk levels

    Monitor > Application Visibility

    For more information, see About the Application Visibility Page.

    Devices (such as top 50 devices accessing high bandwidth-consuming applications and establishing higher number of sessions) on your network

    Monitor > User Visibility

    For more information, see About the User Visibility Page

    View the traffic logs from different sites

    Monitor > Traffic Logs

    For more information, see About the Traffic Logs Page

    Predefined report definitions or create custom report definitions to generate SD-WAN performance, tenant performance, and site performance reports

    Reports > Report Definitions

    For more information, see About the SD-WAN Report Definitions Page.

NGFW Deployment Workflow

If you deploy the NGFW service at a branch site, you can implement network security at this site using an SRX Series NGFW device as the CPE. You don't need to modify your existing network infrastructure to use the NGFW service. You only need to connect the SRX Series NGFW device to an OAM hub for monitoring and management.

To deploy NGFW service:

  1. (Optional) Customize configuration templates. See About the Configuration Templates Page.
  2. (Optional) Customize device templates. See About the Device Template Page.
  3. Add next-generation firewall site. Add a Standalone Next-Generation Firewall Site.

    Starting in CSO Release 6.0.0, the ZTP process is simplified to separate the device and service provisioning processes for faster deployment. You can add a site without applying a service and then edit the site to add the NGFW service later. See Add Branch or Enterprise Hub Sites Without Provisioning a Service.

  4. Upload and install (push) device licenses. See Add a Device License File and Push a Device License File.
  5. Install the signature database. See Manually Installing Signatures.
  6. If you specified that policies should be imported during the activation process, you must deploy the imported policies in CSO:
    • If a firewall policy was imported, deploy the firewall policy.

    • If a NAT policy was imported, deploy the NAT policy.

  7. If you did not import the policies as part of the site activation, you can import the policies manually and deploy the policies:
    1. To import firewall policies, go to the Firewall Policy page (Configuration > Firewall > Firewall Policy) and click Import.

    2. To import NAT policies, go to the NAT Policy page (Configuration > NAT> NAT Policy) and click Import.

    3. Deploy the firewall policy and NAT policy.

  8. (Optional) Configure Content Security on the next-generation firewall. SeeCreating Content Security Profiles.
  9. (Optional) Configure SSL proxy on the next-generation firewall site. See Creating SSL Proxy Policy Intents.
  10. (Optional) Configure intrusion prevention system (IPS) on the next-generation firewall. See Create IPS Profiles.
  11. Add a firewall policy and zone-based intents and deploy the firewall policy. See Adding a Firewall Policy
  12. (Optional) Add a NAT policy and rules and deploy the NAT policy. See Creating NAT Policies and Deploying NAT Policies.
  13. Monitor the NGFW sites and devices.

    If you want to view

    Then visit

    General information about the site, WAN overlay and underlay links, policies, and devices

    Resources > Site Management > Site-Name

    For more information, see Manage a Site

    General information about the device, and view recent alerts and alarms

    Resources > Devices > Device-Name.

    For more information, see Manage a Single CPE Device.

    Alerts generated by the SD-WAN CPE or enterprise hub devices

    Monitor > Alerts

    For more information, see About the Generated Alerts Page

    Alarms raised by the SD-WAN CPE or enterprise hub devices

    Monitor > Alarms

    For more information, see About the Alarms Page.

    SLA performance of the tenant’s sites that have met and not met the defined SLA values

    Monitor > Application SLA Performance

    For more information, see About the SLA Performance of a Single Tenant Page and Viewing the SLA Performance of a Site.

    Applications such as sessions, bandwidth consumed, and risk levels

    Monitor > Application Visibility

    For more information, see About the Application Visibility Page.

    Devices (such as top 50 devices accessing high bandwidth-consuming applications and establishing higher number of sessions) on your network

    Monitor > User Visibility

    For more information, see About the User Visibility Page.

    View the traffic logs from different sites

    Monitor > Traffic Logs

    For more information, see About the Traffic Logs Page.

    Predefined report definitions or create custom report definitions to generate SD-WAN performance, tenant performance, and site performance reports

    Reports > Report Definitions

    For more information, see About the SD-WAN Report Definitions Page.

    Traffic logs generated by next-generation firewall devices

    Monitoring > Security Events > Traffic Logs.

    For more information, see About the Traffic Logs Page.

    Summary and detailed view of the security events in your network

    Monitor > Security Events > All Events

    For more information, see About the All Security Events Page.

    Summary and detailed view of the firewall-related security events

    Monitor > Security Events > Firewall.

    For more information, see About the Firewall Events Page.

    Summary and detailed view of the security events related to Web filtering

    Monitor > Security Events > Web Filtering

    For more information, see About the Web Filtering Events Page.

    Summary and detailed view of the security events related to IPsec VPNs

    Monitor > Security Events > IPsec VPNs

    For more information, see About the IPsec VPNs Events Page.

    Summary and detailed view of the security events related to content filtering

    Monitor > Security Events > Content Filtering

    For more information, see About the Content Filtering Events Page.

    Summary and detailed view of the security events related to spam

    Monitor > Security Events > Antispam

    For more information, see About the Antispam Events Page.

    Summary and detailed view of the security events related to viruses

    Monitor > Security Events > Antivirus

    For more information, see About the Antivirus Events Page.

    Summary and detailed view of the security events related to IPS

    Monitor > Security Events > IPS

    For more information, see About the IPS Events Page.

    Summary and detailed view screen events that occur as a result of the screen options configured on next-generation firewall devices

    Monitor > Security Events > Screen

    For more information, see About the Screen Events Page.

    Incoming and outgoing threats between geographic regions, view blocked and allowed threat events and so on

    Monitor > Threat Map (Live

    For more information, see About the Threats Map (Live) Page.