Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add Next-Generation Firewall (Branch) Sites

Note:

Before you add the next generation firewall (NGFW) branch site, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the NGFW device. For details, see Supported Devices for NGFW, and Ports and Protocols to Open.

To add a NGFW branch site:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click Add, and select Branch (Manual).

    The Branch Site wizard appears, displaying the General settings to be configured.

    Note:

    Fields marked with an asterisk (*) are mandatory.

  3. Configure the General settings as explained in Table 2, and click Next.

    You are taken to the Device section of the workflow.

  4. Configure the Device settings as explained in Table 3, and click Next.

    You are taken to the Configuration (Templates) section of the workflow.

  5. (Optional) Configure the templates as explained in Table 4, and click Next.

    You are taken to the Summary section of the workflow.

  6. Review the configuration in the Summary section and, if required, modify the settings.
  7. Click Finish.

    CSO triggers the activation of the site. See Table 1 for how the site activation proceeds for greenfield and brownfield sites.

    Table 1: Site Activation Process for Greenfield and Brownfield NGFW Sites

    Type of NGFW

    Serial Number

    Auto-Activate

    Site Activation Process

    Greenfield or Brownfield

    Not specified

    Disabled

    You are returned to the Sites page. CSO triggers a job and displays a confirmation message with a job link. Click the link to view the status of the job.

    After the job is finished, CSO displays a confirmation message and the status of the site changes to CREATED and an Activate Site link is displayed. You must manually activate the site to finish the activation process.

    For more information, see Manually Activate a Site.

    Greenfield or Brownfield

    Not specified

    Enabled

    Greenfield or Brownfield

    Specified

    Disabled

    Brownfield

    Specified

    Enabled

    CSO triggers the site activation and the Site Activation: Progress page appears. The site activation process proceeds through the tasks explained in Table 4.

    Note:

    Because you’re adding a brownfield NGFW site, you must copy the stage-1 configuration that CSO generates, paste it, and commit it on the NGFW device for the activation to proceed.

    Greenfield

    Specified

    Enabled

    CSO triggers the site activation and the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Table 4.

    If you don’t want to wait for the site activation to finish, you can close the Site Activation Progress page and monitor the status of the site activation from the Jobs page (Monitor > Jobs). The time taken for site activation varies depending on the device that CSO is activating.
Table 2: General Settings (Branch Site Page)

Field

Guideline

Site Information

  

Site Name

Enter a unique name for the site. The name can contain alphanumeric characters, and hyphens (-) and cannot exceed 32 characters.

Device Host Name

The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site doesn’t belong to any site group.

Site Capabilities

Because we’re configuring a next-generation firewall site, click the Security Services card. By default, Device Management is selected.

Address and Contact Information

Enter the address of the branch site and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on the geographical map on the Monitor Overview page.

Advanced Configuration

For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers.

Domain Name Server (DNS)

Specify the IPv4 addresses of one or more DNS servers.

NTP Server

If needed, specify the IP addresses of one or more NTP servers.

Select Timezone

Select a time zone for the site.
Table 3: Device Settings (Add Device Site )

Field

Guideline

Device Redundancy

Disabled by default. Enable this option only for dual CPEs.

Device Series

Because only SRX Series devices can be configured as NGFW sites, this field displays SRX.

Device Model

Select the SRX model.

Serial Number

If you want CSO to proceed with the site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you entered is already present in the system, CSO displays an error message. If the serial number is not present, then CSO displays a green check mark.

If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later.

Device Root Password

The default root password is fetched from the ENC _ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device

Zero Touch Provisioning

By default, Zero Touch Provisioning is enabled. If you want to disable ZTP, click the toggle button.

Note:

By default, this button is disabled for vSRX. You can enable this button, if the Junos OS version running on vSRX supports phone-home client.

To use ZTP, ensure the following:

  • Device must have connectivity to CSO and Juniper phone-home server (https://redirect.juniper.net)

    Use telnet to verify connectivity:

    telnet redirect.juniper.net:443

    telnet CSO Hostname/IP:443

    If the connection is established, the device has connectivity to the phone-home server and CSO.

  • Required certificates for phone-home server and CSO must be present on the device.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task in the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Auto Activate

Click the toggle button to specify whether the site activation requires an activation code or not:

  • Enabled—The site is activated automatically without an activation code. This is the default setting.

  • Disabled—The site activation proceeds only after you enter an activation code. If you choose this setting, enter the activation code (in the Activation Code field) that must be entered to activate the device.

Management Interface Family

Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.

Management Connectivity

Note:

This section is displayed only if you disable Zero Touch Provisioning.

Address Family

Select the IP address type (IPv4 or IPv6).

Interface Name

Enter the management interface.

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.

Address assignment

DHCP is selected by default. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

Boot Image

This field is displayed only if ZTP is enabled.

If you want to upgrade the next-generation firewall device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process.

If you don't specify a boot image, which is the default option (Use Image on Device) in the list, then the CSO skips the procedure to upgrade the device during ZTP.

Device Template

You must choose the device template that you want to use for the site from the carousel. For NGFW, the following predefined templates are available.

  • SRX_Standalone_Pre_Staged_NonZTP—Select this template if you want to use a brownfield device, which is a device that already has existing firewall and NAT configurations that you want to import into CSO. If you select this template, CSO does not perform ZTP for the site.

  • SRX as Security Services CPE—Select this template if you’re using a greenfield device, which means that CSO will provision the device.

Note:

If modified versions of these templates are available, you can choose a different template.

Device Information

Secure Log Source Interface

This field displays the default interface to be used for in-band management of the device, If you want to use a different interface, remove the default and select a different interface from the list.

Firewall Policies

This field is displayed only if you enable Zero Touch Provisioning.

By default, CSO applies a default firewall policy to the next-generation firewall device. If you don’t want to apply the default policy, select None.

NAT Policies

This field is displayed only if you enable Zero Touch Provisioning.

By default, CSO applies a default NAT policy to the next-generation firewall device. If you don’t want to apply the default policy, select None.

Import Policy Configuration

This field is displayed only if you disable Zero Touch Provisioning.

Click the toggle button to enable the automatic import of previously configured NAT and firewall policies from the device to CSO, after the site is provisioned. By default, the automatic import of policies is disabled. However, you can import firewall and NAT policies manually using the Import workflow.

For more information, see Importing Policies Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).
 

Table 4: Configuration Templates (Branch Site Page)

Field

Guideline

Configuration Templates (Optional)

If you want to deploy additional configuration, you can select one or more configuration templates and set the parameters for each template. For each configuration template that you select:

  1. Select one or more configuration templates from the list that you want to deploy on the device.

  2. Click Set Parameters.

    The Device Configurations page appears. The names and configuration parameters of the configuration templates that you selected are displayed in the Configuration tab.

  3. For each configuration template, enter values for the parameters.

  4. (Optional) Click the Summary tab to view the Junos OS configuration commands that will be deployed on the device for the different configuration templates.

  5. Click Save.

    You are returned to the Configuration Templates tab. The Junos OS configuration commands will be deployed on the device.

See CSO Next-Generation Firewall (NFGW) Deployment Workflow.