ON THIS PAGE
Zero Touch Provisioning Overview
Zero Touch Provisioning (ZTP) enables you to configure and provision devices automatically, and thus reduces the manual intervention required for adding devices to a network.
Starting from CSO Release 6.0.0, the ZTP process is simplified to provide more flexibility and enable faster deployment of devices in a network. The device management and service provisioning processes are separated, thus reducing the time required for CSO to onboard and manage a device. For branch and enterprise hub devices, you can choose to either onboard a device with a service configured on it or configure the service later.
Additionally, ZTP supports automatic formation of an SRX chassis cluster during the onboarding process. You can now onboard a cluster without manually configuring each node on a cluster.
The following are the options available for onboarding a device:
-
Device Management—Enables you to onboard a device without specifying any service in a branch or an enterprise hub site. The device is connected to and managed by CSO. After the device is added, you can edit the site at any time to add the service. The Device Management option is selected by default. You cannot disable this option.
-
Security Services—Provides next-generation firewall (NGFW) services. This option is available only for branch sites.
-
Secure SD-WAN Essentials—Provides basic SD-WAN services.
-
Secure SD-WAN Advanced—Provides complete SD-WAN services, which includes Secure SD-WAN Essential services.
For more information about SD-WAN Essentials and Advanced services, see SD-WAN Overview.
Figure 1 provides a brief description of the simplified ZTP process.
Simplified ZTP involves the following high-level steps:
-
CSO activates the device that is associated with the site.
-
CSO establishes a management connection (outbound SSH) with the device.
-
CSO applies the stage-1 configuration (including the device configuration) and the status of the device changes to Managed state. The device can remain in the Managed state for any duration. You can perform the following tasks when the device is in the Managed state:
-
Apply stage-2 configuration or configuration templates
-
Access the device console
-
Reboot the device
-
Install licenses, certificates, and application signatures
-
RMA the device
-
-
CSO generates the service provisioning configuration and applies it on the device if you selected a service (Security Services or SD-WAN) while adding the device. The site status shows Provisioned only after the service is applied successfully.
Devices Supported
You can provision the following devices (including dual CPE devices, if applicable), by using the simplified ZTP process:
-
NFX150
-
SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 High Memory (SRX550M), SRX4100, SRX4200, SRX4600, and SRX1500
-
vSRX Virtual Firewall on an x86 server
-
Dual CPEs (SRX Series Firewalls and vSRX Virtual Firewall)
Note:Starting from Release 6.2.0, CSO supports dual vSRX Virtual Firewall deployments.
Benefits
The simplified ZTP process offers the following benefits:
-
Simplified, faster, and automated deployment of configurations.
-
Quick access and remote management of the device.
-
Auto-generated configurations that are more accurate.
-
Faster scaling of the network because you need not manually apply configuration on each device in the network.
-
Automated cluster configuration for SRX Series Firewalls on branch and enterprise hub sites.
-
Enhanced monitoring and troubleshooting.