SD-WAN and NGFW Workflows for a Tenant Administrator
This topic provides information on SD-WAN and Next-Generation Firewall (NGFW) workflows that a Tenant Administrator can perform in the Customer Portal.
Before you begin, ensure that your account is activated.
If you’re a Tenant Administrator, you can deploy the SD-WAN or NGFW service.
SD-WAN Deployment Workflow
If you deploy the SD-WAN service, CSO intelligently routes traffic through the optimal path based on the criteria you specify in CSO. For example, you can ensure that mission-critical application data is sent over the MPLS link (reliable and secure path) and the non-mission-critical application data is sent over the Internet link (best-effort, non-secure path). CSO also performs load balancing automatically and manages network congestion to route traffic efficiently.
To deploy SD-WAN:
- Log in to the Customer Portal.
- For SD-WAN, you can add one or more provider hub sites, one or more enterprise hub sites, or a combination of provider hub sites and enterprise hub sites. For the SD-WAN Essentials service, you can add only one provider hub site, one enterprise hub site, or a combination of one provider hub site and one enterprise hub site:
  - Add one or more provider hub sites. See Add Provider Hub Sites in SD-WAN Deployments.
  - Add one or more enterprise hub sites. See Add Enterprise Hubs with SD-WAN Capability.
  Starting in CSO Release 6.0.0, the ZTP process is simplified to separate the device and service provisioning processes for faster deployment. You can add a site without applying a service and then edit the site to add the SD-WAN service later. See Add Branch or Enterprise Hub Sites Without Provisioning a Service.
  Note: Starting in CSO Release 6.0.0, adding a hub site is optional for an SD-WAN deployment scenario.
- If you added enterprise hub sites, perform post-processing tasks for the enterprise hub sites. See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.
- Add one or more SD-WAN branch sites. See Add SD-WAN Branch Sites. To add a site without applying an SD-WAN service, see Add Branch or Enterprise Hub Sites Without Provisioning a Service.
- Perform post-processing tasks for the SD-WAN branch sites. See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.
- (Optional) Configure a cloud spoke site. See Adding Cloud Spoke Sites for SD-WAN Deployment.
- Monitor SD-WAN sites and devices.
| If you want to view | Then visit |
| --- | --- |
| General information about the site, WAN overlay and underlay links, policies, and devices | Resources > Site Management > Site-Name. For more information, see Manage a Site. |
| General information about the device, and recent alerts and alarms | Resources > Devices > Device-Name. For more information, see Manage a Single CPE Device. |
| Alerts generated by the SD-WAN CPE or enterprise hub devices | Monitor > Alerts. For more information, see About the Generated Alerts Page. |
| Alarms raised by the SD-WAN CPE or enterprise hub devices | Monitor > Alarms. For more information, see About the Alarms Page. |
| SLA performance of the tenant’s sites that have met and not met the defined SLA values | Monitor > Application SLA Performance. For more information, see About the SLA Performance of a Single Tenant Page and Viewing the SLA Performance of a Site. |
| Application information such as sessions, bandwidth consumed, and risk levels | Monitor > Application Visibility. For more information, see About the Application Visibility Page. |
| Devices (such as top 50 devices accessing high bandwidth-consuming applications and establishing higher number of sessions) on your network | Monitor > User Visibility. For more information, see About the User Visibility Page. |
| Traffic logs from different sites | Monitor > Traffic Logs. For more information, see About the Traffic Logs Page. |
| Predefined report definitions, or create custom report definitions to generate SD-WAN performance, tenant performance, and site performance reports | Reports > Report Definitions. For more information, see About the SD-WAN Report Definitions Page. |
NGFW Deployment Workflow
If you deploy the NGFW service at a branch site, you can implement network security at this site using an SRX Series NGFW device as the CPE. You don't need to modify your existing network infrastructure to use the NGFW service. You only need to connect the SRX Series NGFW device to an OAM hub for monitoring and management.
To deploy the NGFW service:
- (Optional) Customize configuration templates. See About the Configuration Templates Page.
- (Optional) Customize device templates. See About the Device Template Page.
- Add a next-generation firewall site. See Add a Standalone Next-Generation Firewall Site.
Starting in CSO Release 6.0.0, the ZTP process is simplified to separate the device and service provisioning processes for faster deployment. You can add a site without applying a service and then edit the site to add the NGFW service later. See Add Branch or Enterprise Hub Sites Without Provisioning a Service.
- Upload and install (push) device licenses. See Add a Device License File and Push a Device License File.
- Install the signature database. See Manually Installing Signatures.
- If you specified that policies should be imported during the activation process, you must deploy the imported policies in CSO:
  - If a firewall policy was imported, deploy the firewall policy.
  - If a NAT policy was imported, deploy the NAT policy.
- If you did not import the policies as part of the site activation, you can import the policies manually and deploy the policies:
  - To import firewall policies, go to the Firewall Policy page (Configuration > Firewall > Firewall Policy) and click Import.
  - To import NAT policies, go to the NAT Policy page (Configuration > NAT > NAT Policy) and click Import.
  - Deploy the firewall policy and NAT policy.
- (Optional) Configure Content Security on the next-generation firewall. See Creating Content Security Profiles.
- (Optional) Configure SSL proxy on the next-generation firewall site. See Creating SSL Proxy Policy Intents.
- (Optional) Configure intrusion prevention system (IPS) on the next-generation firewall. See Create IPS Profiles.
- Add a firewall policy and zone-based intents and deploy the firewall policy. See Adding a Firewall Policy.
- (Optional) Add a NAT policy and rules and deploy the NAT policy. See Creating NAT Policies and Deploying NAT Policies.
- Monitor the NGFW sites and devices.
| If you want to view | Then visit |
| --- | --- |
| General information about the site, WAN overlay and underlay links, policies, and devices | Resources > Site Management > Site-Name. For more information, see Manage a Site. |
| General information about the device, and recent alerts and alarms | Resources > Devices > Device-Name. For more information, see Manage a Single CPE Device. |
| Alerts generated by the SD-WAN CPE or enterprise hub devices | Monitor > Alerts. For more information, see About the Generated Alerts Page. |
| Alarms raised by the SD-WAN CPE or enterprise hub devices | Monitor > Alarms. For more information, see About the Alarms Page. |
| SLA performance of the tenant’s sites that have met and not met the defined SLA values | Monitor > Application SLA Performance. For more information, see About the SLA Performance of a Single Tenant Page and Viewing the SLA Performance of a Site. |
| Application information such as sessions, bandwidth consumed, and risk levels | Monitor > Application Visibility. For more information, see About the Application Visibility Page. |
| Devices (such as top 50 devices accessing high bandwidth-consuming applications and establishing higher number of sessions) on your network | Monitor > User Visibility. For more information, see About the User Visibility Page. |
| Traffic logs from different sites | Monitor > Traffic Logs. For more information, see About the Traffic Logs Page. |
| Predefined report definitions, or create custom report definitions to generate SD-WAN performance, tenant performance, and site performance reports | Reports > Report Definitions. For more information, see About the SD-WAN Report Definitions Page. |
| Traffic logs generated by next-generation firewall devices | Monitoring > Security Events > Traffic Logs. For more information, see About the Traffic Logs Page. |
| Summary and detailed view of the security events in your network | Monitor > Security Events > All Events. For more information, see About the All Security Events Page. |
| Summary and detailed view of the firewall-related security events | Monitor > Security Events > Firewall. For more information, see About the Firewall Events Page. |
| Summary and detailed view of the security events related to Web filtering | Monitor > Security Events > Web Filtering. For more information, see About the Web Filtering Events Page. |
| Summary and detailed view of the security events related to IPsec VPNs | Monitor > Security Events > IPsec VPNs. For more information, see About the IPsec VPNs Events Page. |
| Summary and detailed view of the security events related to content filtering | Monitor > Security Events > Content Filtering. For more information, see About the Content Filtering Events Page. |
| Summary and detailed view of the security events related to spam | Monitor > Security Events > Antispam. For more information, see About the Antispam Events Page. |
| Summary and detailed view of the security events related to viruses | Monitor > Security Events > Antivirus. For more information, see About the Antivirus Events Page. |
| Summary and detailed view of the security events related to IPS | Monitor > Security Events > IPS. For more information, see About the IPS Events Page. |
| Summary and detailed view of the screen events that occur as a result of the screen options configured on next-generation firewall devices | Monitor > Security Events > Screen. For more information, see About the Screen Events Page. |
| Incoming and outgoing threats between geographic regions, blocked and allowed threat events, and so on | Monitor > Threat Map (Live). For more information, see About the Threats Map (Live) Page. |