Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Workflow for Onboarding a Device Using ZTP

This topic provides the steps that you need to perform for successfully onboarding a device to the network by using ZTP:

Prerequisites:

The following prerequisites are necessary for ZTP:

  • The device must have connectivity to CSO and the phone-home server (https://redirect.juniper.net). Use telnet to verify connectivity:

    • For phone-home server: telnet redirect.juniper.net:443

    • For CSO: telnet CSO Hostname/IP:443

    If the connection is established, the device has connectivity to the phone-home server and CSO.

  • The required certificates for phone-home server and CSO are present on the device.

  1. From Customer Portal, add a branch site or an enterprise site, and associate a device.

    You can choose one of the following options:

    • Add the site without specifying any services

    • Add the site with services

    • Add the site and specify the services later

    Note:

    You cannot add a cloud spoke site without specifying a service.

    For information about adding a branch site, see:

    For information about adding an enterprise hub, see Add Enterprise Hubs with SD-WAN Capability .

  2. Activate the device:

    • If you have enabled the Auto Activate field while adding a branch site or an enterprise hub, ZTP of the device is automatically triggered after the site is added to CSO.

    • If you have disabled the Auto Activate field while adding a branch site or an enterprise hub, you must manually activate the device.

      To manually activate the device:

      1. Select Resources > Site Management.

        The Site Management page appears.

      2. On the Site Management page, click the site that you want to activate.

        The detailed view of the site appears.

        Note:

        You can activate a site that is in the CONFIGURED state.

      3. Click the Devices tab.

      4. Select the device that you added to the site and click Activate Device to activate the device.

        The Activate Device page appears.

      5. On the Activate Device page, enter the activation code for the device. The activation code must match the activation code that you provided during the site addition workflow.

      6. Click Next.

        The progress of device activation is displayed.

      7. After the device is activated, click OK.

        The Sites page appears.

    • If you have to activate vSRX Virtual Firewall or SRX4X00 Services Gateway devices:

      1. Select Resources > Site Management.

        The Sites page appears.

      2. Click on the site that you want to activate.

        The Site-Name page appears.

      3. On the Devices tab, select the device that you want to activate and click Stage1 Config.

        A new page appears that displays the stage-1 configuration of the device.

      4. Click Copy to Clipboard to copy the stage-1 configuration of the device.

      5. Log in to the CLI of the device and enter the configuration mode.

      6. Paste the stage-1 configuration and commit.

      The activation process includes the following tasks:

      • CSO first models the site and generates the stage-1 configuration.

      • The device connects to CSO through the phone-home client (PHC) to the Redirect Server, which authenticates the device.

      • Based on the device serial number, the Redirect Server provides the CSO certificate and CSO host name to the device.

      • The device establishes an outbound SSH connection with CSO.

      • CSO applies the pre-scripts and stage-1 configuration (includes the device configuration).

      • The status of the device changes to MANAGED.

      • If you selected a service (security services or SD-WAN) while adding the device, then CSO generates the service provisioning configuration and applies it on the device to make it functional and ready for the intended functionality. The device is provisioned only after the service is applied.

        If you did not select a service while adding the device, then the device remains in the MANAGED state until you apply the service. You can edit the site and add the service. After you add the service, CSO applies the service provisioning configuration and the device is provisioned.

      For additional functionality, you can create a stage-2 template and apply the template on the device. For example, the stage-2 template can include LAN configuration, firewall policies, and so on.

      Use the Jobs page (Resources > Monitor >Jobs) to view the bootstrap logs, ZTP logs, and service provisioning logs. If any of the tasks (ZTP, bootstrap, or service provisioning) fail, you need not delete the site. You can go to the Jobs page (Monitor > Jobs), select the job, and click the Retry Job button. If the service provisioning fails, then the site remains in the Provision-Failed state. You can review the configuration to correct any settings by editing the site.

Related Documentation