Add Next-Generation Firewall (Branch) Sites
Before you add the next generation firewall (NGFW) branch site, check the cable connections, review the NAT and firewall ports and protocols, and check the Junos OS version of the NGFW device. For details, see Supported Devices for NGFW, and Ports and Protocols to Open.
To add an NGFW branch site:

| Field | Guideline |
|---|---|
| Site Information | |
| Site Name | Enter a unique name for the site. The name can contain alphanumeric characters and hyphens (-) and cannot exceed 32 characters. |
| Device Host Name | The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part of the device host name. Use alphanumeric characters and hyphens (-); the maximum length allowed is 32 characters. |
| Site Group | If you want the site to be part of a site group, select the site group. By default, None is selected, which means that the site doesn’t belong to any site group. |
| Site Capabilities | Because we’re configuring a next-generation firewall site, click the Security Services card. By default, Device Management is selected. |
| Address and Contact Information | Enter the address of the branch site and contact information in the fields provided. Although it is not mandatory, providing an address lets you visualize where the site is located on the geographical map on the Monitor Overview page. |
| Advanced Configuration | For the DNS and NTP servers, you can either use the defaults or specify DNS and NTP servers. |
| Domain Name Server (DNS) | Specify the IPv4 addresses of one or more DNS servers. |
| NTP Server | If needed, specify the IP addresses of one or more NTP servers. |
| Select Timezone | Select a time zone for the site. |
| Field | Guideline |
|---|---|
| Device Redundancy | Disabled by default. Enable this option only for dual CPEs. |
| Device Series | Because only SRX Series devices can be configured as NGFW sites, this field displays SRX. |
| Device Model | Select the SRX model. |
| Serial Number | If you want CSO to proceed with site activation immediately after you complete the site addition workflow, enter the serial number. If the serial number that you enter is already present in the system, CSO displays an error message; if it is not present, CSO displays a green check mark. If you want CSO to only model the site, leave this field blank. If you don’t enter a serial number, you must manually activate the site later. |
| Device Root Password | The default root password is fetched from the ENC_ROOT_PASSWORD field in the device template. You can retain the password or change it by entering a password in plain-text format. The password is encrypted and stored on the device. |
| Zero Touch Provisioning | By default, Zero Touch Provisioning is enabled. If you want to disable ZTP, click the toggle button. Note: By default, this button is disabled for vSRX. You can enable this button if the Junos OS version running on vSRX supports the phone-home client. To use ZTP, ensure the following: If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image. If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device. Use any of the following options to copy the stage-1 configuration: |
| Auto Activate | Click the toggle button to specify whether the site activation requires an activation code or not: |
| Management Interface Family | Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning. |
| Management Connectivity | Note: This section is displayed only if you disable Zero Touch Provisioning. |
| Address Family | Select the IP address type (IPv4 or IPv6). |
| Interface Name | Enter the management interface. |
| Access Type | Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link. |
| Address Assignment | DHCP is selected by default. If you want to provide a static IP address, select STATIC. |
| Management VLAN ID | Enter a VLAN ID for the WAN link. |
| PPPoE | Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet). |
| Boot Image | This field is displayed only if ZTP is enabled. If you want to upgrade the next-generation firewall device with the latest supported Junos OS version, select the boot image from the list. The boot image is used to upgrade the device when CSO starts the zero touch provisioning (ZTP) process. If you don't specify a boot image, which is the default option (Use Image on Device) in the list, CSO skips the device upgrade during ZTP. |
| Device Template | You must choose the device template that you want to use for the site from the carousel. For NGFW, the following predefined templates are available. Note: If modified versions of these templates are available, you can choose a different template. |
| Device Information | |
| Secure Log Source Interface | This field displays the default interface to be used for in-band management of the device. If you want to use a different interface, remove the default and select a different interface from the list. |
| Firewall Policies | This field is displayed only if you enable Zero Touch Provisioning. By default, CSO applies a default firewall policy to the next-generation firewall device. If you don’t want to apply the default policy, select None. |
| NAT Policies | This field is displayed only if you enable Zero Touch Provisioning. By default, CSO applies a default NAT policy to the next-generation firewall device. If you don’t want to apply the default policy, select None. |
| Import Policy Configuration | This field is displayed only if you disable Zero Touch Provisioning. Click the toggle button to enable the automatic import of previously configured NAT and firewall policies from the device to CSO after the site is provisioned. By default, the automatic import of policies is disabled. However, you can import firewall and NAT policies manually using the Import workflow. For more information, see Importing Policies Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page). |
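The field rules above (name syntax, the fixed tenant prefix of the device host name, IPv4-only DNS servers, serial-number uniqueness, and which management fields apply with ZTP on or off) can be checked before the form is submitted. The following Python validator is an added example, not CSO code; the form dictionary keys and the `link_type` value are assumptions made for illustration.

```python
import ipaddress
import re

# Site name and the host part of the device host name: alphanumerics and
# hyphens, at most 32 characters (the rule stated in the field guidelines).
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
MODEM_ACCESS = {"LTE", "ADSL", "VDSL"}  # supported only on Internet links

def valid_name(name):
    return NAME_RE.fullmatch(name) is not None

def valid_device_host_name(host_name, tenant):
    # Format is tenant-name.host-name; the tenant part cannot be changed.
    prefix = tenant + "."
    return host_name.startswith(prefix) and valid_name(host_name[len(prefix):])

def valid_ipv4_list(servers):
    # DNS servers must be IPv4 addresses; any unparsable entry fails the list.
    try:
        return all(ipaddress.ip_address(s).version == 4 for s in servers)
    except ValueError:
        return False

def serial_status(serial, known_serials):
    """'model-only' (blank: activate manually later), 'duplicate' (CSO
    shows an error) or 'new' (CSO shows a green check mark)."""
    if not serial:
        return "model-only"
    return "duplicate" if serial in known_serials else "new"

def validate_site(form, tenant, known_serials):
    """Return the list of problem fields in a site-addition form (a dict;
    key names are assumed for this example)."""
    problems = []
    if not valid_name(form.get("site_name", "")):
        problems.append("site_name")
    if not valid_device_host_name(form.get("device_host_name", ""), tenant):
        problems.append("device_host_name")
    if not valid_ipv4_list(form.get("dns_servers", [])):
        problems.append("dns_servers")
    if serial_status(form.get("serial_number"), known_serials) == "duplicate":
        problems.append("serial_number")
    if form.get("ztp", True):
        # With ZTP on, the management interface family is chosen up front.
        if form.get("management_interface_family") not in {"IPv4", "IPv6"}:
            problems.append("management_interface_family")
    else:
        # With ZTP off, the Management Connectivity section must be filled in.
        mgmt = form.get("management_connectivity", {})
        if mgmt.get("address_family") not in {"IPv4", "IPv6"} or not mgmt.get("interface_name"):
            problems.append("management_connectivity")
        if mgmt.get("access_type") in MODEM_ACCESS and mgmt.get("link_type") != "Internet":
            problems.append("access_type")
    return problems
```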
| Field | Guideline |
|---|---|
| Configuration Templates (Optional) | If you want to deploy additional configuration, you can select one or more configuration templates and set the parameters for each template. For each configuration template that you select: |