Add Branch or Enterprise Hub Sites Without Provisioning a Service

Starting from CSO Release 6.0.0, you can use the Device Management option to add a branch or enterprise hub site without specifying a service.

After you add the site, the status of the site changes to MANAGED. The site can remain in this state for any duration. You can perform the following tasks when the device is in the MANAGED state:

  • Apply stage-2 configuration or configuration templates

  • Access the device console

  • Reboot the device

  • Install licenses and certificates on the device

  • Install application signatures

  • Initiate RMA

You can deploy either a single or dual SRX CPE without adding a service. CSO Release 6.0.0 supports automatic cluster formation on SRX devices.

Note:

You cannot add a cloud spoke site with only device management capability. You must select a service for a cloud spoke site.

To configure SD-WAN or security features, you must assign a service to the device. You can edit the site to assign the services. After the service is assigned, the status of the device changes to PROVISIONED.

To add a site with only device management capability:

  1. Select Resources > Site Management.

    The Site Management page appears.

  2. Click Add and select Branch Site (Manual) or Enterprise Hub.

    The Add Branch Site or Add Enterprise Hub page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click Next.

    A summary page is displayed.

  5. Review the configuration and modify the settings, if needed, from the Summary tab.
  6. If you did not enter the serial number while creating the site, you must manually enter the serial number after adding the site to activate the site.

    To manually activate the site:

    1. Click the Activate Site link that appears next to Site Status.

      The Activate Site page appears.

    2. Enter the serial number of the device associated with the site.
    3. Click OK.

    The Site Activation Progress page appears, displaying the progress of the steps executed for activating the CPE device.

  7. If you enabled the Zero Touch Provisioning field, CSO pushes the prescript and stage-1 configurations, and the site status changes to MANAGED in the Sites page.

    If you disabled the Zero Touch Provisioning field for the device, you must copy the stage-1 configuration from CSO and commit it on the device.

    1. Click the Click to copy stage-1 config link next to the Prestage Device task in the Site Activation Progress page. If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site, under the Site Status column.
      Note:

      You can also copy the configuration from the Devices page (Resources > Devices). Select the device and click Stage1 Config.

      The Stage-1 Configuration page appears displaying the stage-1 configuration.

    2. Copy the stage-1 configuration.
    3. Log in to the device and enter Junos OS configuration mode.
    4. Paste the configuration that you copied and commit the configuration.

      CSO applies the prescript and stage-1 configuration (includes the device configuration). The status of the site changes to MANAGED on the Sites page.

Note:

You can also add a site using the site templates. For more information, see Add Branch Sites by Using a Site Template.

Table 1: Fields on the Add Branch Site or Add Enterprise Hub Page (Only Device Management Capability)

Field

Description

General

Site Information

 

Site Name

Enter a unique name for the firewall site. You can use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

Select a site group to assign the site.

Site Capabilities

Device Management is selected by default. You need not select the service.

Address and Contact Information

 

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located. Click the Validate button to verify the address that you specified.

  • The Address verification successful message is displayed if the address is valid. You can click the View location on the map link to see the address location.

  • If the address is invalid, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Advanced Configuration

 

Domain Name Server (DNS)

Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type the address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net. The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone for the site.

Device
Note:

Some fields in this section are displayed only if you enable the Device Redundancy option.

Device Redundancy

Disabled by default. Enable this option for dual CPEs.

The following prerequisites are necessary for enabling device redundancy:

  • Ensure that the control and fabric ports between both the nodes are connected.

  • Ensure that the device is preconfigured for management connectivity (factory-default or prestaged). Do not configure the control, fabric, and data (reth) ports as these ports will be reconfigured.

    To identify the control, fabric, management, and data ports for each SRX model, refer to the SRX High Availability Configurator tool.

    Note:

    Do not generate the configuration in the tool as CSO generates and applies the cluster configuration automatically.

  • If you are using ZTP on SRX300 and SRX320 devices, use ge-0/0/7 as the predefined DHCP port instead of ge-0/0/0.

  • Provide the fabric and data (reth) port information in the device template. The control and fxp0 ports are predefined. To change the control port, change it in the platform device template. To change the data (reth) port, change it in the SDWAN device template.

Device Series

Select the device series.

Based on the device series that you select, the supported device templates (containing information for configuring devices) are listed.

Select a device template for the selected device series.

Device Model

Select the device model.

Device Root Password

The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device.

Serial Number

Enter the serial number of the device. Note that the serial numbers are case-sensitive.

If you do not enter the serial number, the branch site is created but not activated. See Step 6 to enter the serial number and activate the branch site later.

Node 0 Serial Number

For dual CPEs, enter the serial number of the primary CPE device. The serial number is case sensitive.

Node 1 Serial Number

For dual CPEs, enter the serial number of the secondary CPE device. The serial number is case sensitive.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

Note:

By default, this button is disabled for vSRX. You can enable this button if the Junos OS version running on vSRX supports the phone-home client.

To use ZTP, ensure the following:

  • The device must have connectivity to CSO and the Juniper phone-home server (https://redirect.juniper.net).

    Use telnet to verify connectivity:

    telnet redirect.juniper.net port 443

    telnet <CSO hostname or IP address> port 443

    If the connection is established, the device has connectivity to the phone-home server and CSO.

  • The required certificates for the phone-home server and CSO are present on the device.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged or preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to the Prestage Device task on the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Is Cluster Already Formed?

Select No if the cluster is not configured.

Cluster ID

Enter the device cluster ID. The value is ignored if the cluster is already formed on the device. The cluster ID should be unique if more than one cluster is connected through the same Ethernet switch.

Auto Activate

Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default.

Activation Code

If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Node 0 Activation Code

If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the primary CPE device.

Node 1 Activation Code

If the automatic activation of dual CPEs is disabled, enter the activation code to manually activate the secondary CPE device.

Management Interface Family

Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.

Boot Image

When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports Phone-Home client.

The boot image is the device image that was previously uploaded to the image management system. The boot image is used to upgrade the device when the CSO starts the ZTP process. If the boot image is not provided, then the device skips the automatic upgrade procedure. The boot image is populated based on the device template that you selected while creating a site.

By default, the Use Image on Device option is selected.

(Device Template)

Select a device template, which contains information for configuring a device.

Management Connectivity

Note:

This section is displayed only when Zero Touch Provisioning is disabled. If you are adding a chassis cluster, then you must provide the interface details for both the nodes.

Address Family

Select the IP address type (IPv4 or IPv6).

Interface Name

This is a WAN interface that the device uses to connect to CSO.

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.

Address assignment

DHCP is selected by default. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4094

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

ADSL/VDSL SFP Annex

Applicable only to MPLS or Internet links with ADSL or VDSL access types.

Enable Annex J support with xDSL SFP module for ADSL and VDSL access types. Annex J is specified in ITU-T recommendations G.992.3 and G.992.5.

If you keep this option disabled, you must use a Mini-PIM module for connectivity.

Configuration Templates (Optional)

 

Configuration Templates List

(Optional) Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo, SP, or Tenant administrators.

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs—CONFIGURATION and SUMMARY.

  2. In the CONFIGURATION tab, enter the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click Save.

    You have added and set the parameters for the configuration templates that are part of the site template that you are creating.
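
The field rules in Table 1 can be checked before site definitions are entered, for example when many sites are prepared in a spreadsheet or script first. The following is an added example, not Juniper code or a CSO API: the dictionary keys, serial numbers, and activation code are hypothetical and constructed for illustration, and only rules stated on this page are enforced.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9-]{1,32}")  # Site Name rule from Table 1

def check_site(site):
    """Return (errors, warnings) for one device-management-only site dict."""
    errors, warnings = [], []
    if site.get("site_type") == "cloud_spoke":
        errors.append("cloud spoke sites must have a service selected")
    if not NAME_RE.fullmatch(site.get("site_name", "")):
        errors.append("site_name: alphanumerics and hyphen only, max 32 chars")
    for addr in site.get("dns_servers", []):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            errors.append(f"dns_servers: {addr!r} is not an IPv4 address")
    dual = site.get("device_redundancy", False)      # disabled by default
    nodes = ["node0_", "node1_"] if dual else [""]
    if not all(site.get(n + "serial_number") for n in nodes):
        warnings.append("serial number missing: site is created but not activated")
    if not site.get("auto_activate", True):          # enabled by default
        errors += [f"{n}activation_code is required when auto_activate is off"
                   for n in nodes if not site.get(n + "activation_code")]
    mgmt = site.get("management_connectivity")
    if mgmt is not None:
        if site.get("ztp", True):                    # enabled by default
            errors.append("management_connectivity applies only with ZTP disabled")
        if mgmt.get("address_assignment", "DHCP") not in ("DHCP", "STATIC"):
            errors.append("address_assignment must be DHCP or STATIC")
        vlan = mgmt.get("vlan_id")
        if vlan is not None and not (isinstance(vlan, int) and 0 <= vlan <= 4094):
            errors.append("vlan_id must be an integer from 0 through 4094")
    return errors, warnings

# Constructed sample input (hypothetical keys and values, not from CSO).
SITES = [
    {"site_type": "branch", "site_name": "nyc-branch-01",
     "dns_servers": ["192.0.2.53"], "serial_number": "CW0123AB4567", "ztp": True},
    {"site_type": "enterprise_hub", "site_name": "hub_east", "device_redundancy": True,
     "node0_serial_number": "CX0001", "auto_activate": False, "node0_activation_code": "c0de",
     "ztp": False, "management_connectivity": {"vlan_id": 4095}},
]

if __name__ == "__main__":
    for s in SITES:
        print(s["site_name"], *check_site(s))
```

A missing serial number is reported as a warning rather than an error because the page allows the site to be created and activated later.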