Add a Standalone Next-Generation Firewall Site

From CSO Release 5.4.0 onward, adding an on-premises spoke (branch) site and activating it can optionally be separated, which gives more flexibility for the on-site installation of a CPE.

In SD-WAN deployments with next-generation firewall (NGFW) capability, comprising a single or dual customer premises equipment (CPE) device, a tenant administrator can add the branch site first and supply the serial number of the CPE device later. The branch site can be added by one tenant administrator and activated manually by another authorized user, who enters either the serial number and the activation code, or only the serial number, when manually activating the CPE device. Adding a branch site without the serial number of a CPE device is supported for both SRX and NFX (NFX150 and NFX250) device templates.

You add the standalone NGFW site from the Site Management page.

To add a standalone NGFW site:

  1. Select Resources > Site Management.

    The Site Management page appears.

  2. Click Add and select Add Branch Site (Manual).

    The Add Branch Site page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click Next.

    A summary page is displayed.

  5. Review the configuration and modify the settings, if needed, from the Summary tab. Click OK.
    • If you entered a serial number while adding the site and automatic activation is enabled, the Site Activation Progress page appears. The site activation process proceeds through the tasks explained in Troubleshooting Site Activation Issues.

      Click OK to close the Site Activation Progress page.

    • If you did not enter a serial number, or automatic activation is disabled, you are returned to the Site Management page. CSO triggers a job and displays a confirmation message with a job link; click the link to view the status of the job. When the job finishes, the status of the site changes to CREATED.

      You must manually activate the device to finish the activation process.

    Note:

    The following procedure applies when zero touch provisioning (ZTP) is enabled in the device template. If ZTP is disabled in the device template, you must copy the stage-1 configuration and commit it on the device before CSO can proceed with the activation.

    To manually activate the CPE (branch site) device:

    1. Select the branch site CPE that is to be activated.
    2. Click the Activate Site link on the Site Management page.

      The Activate Site page appears.

    3. Enter the serial number(s) of the device(s) and the activation code. Click OK.

      The Site Activation Progress page appears displaying the progress of steps executed for activating the CPE device. On successful activation of the device, the Site Status changes from Created to Provisioned.

  6. If you have enabled the Zero Touch Provisioning field, CSO applies the stage-1 configuration automatically.
    Note:

    The device is activated automatically if you provided the activation code and the device serial number while creating the firewall site.

    If you disabled the Zero Touch Provisioning field for the device, you must apply the stage-1 configuration to the device manually:

    1. Click the Click to copy stage-1 config link next to the Prestage Device task on the Site Activation Progress page. If you closed the Site Activation Progress page inadvertently, you can reopen it from the Site Management page by clicking the View link next to the status of the site, under the Site Status column.

      The Stage-1 Configuration page appears, displaying the stage-1 configuration.
      Note:

      You can also copy the configuration from the Devices page (Resources > Devices). Select the device and click Stage1 Config.

    2. Copy the stage-1 configuration.
    3. Log in to the device and enter Junos OS configuration mode.
    4. Paste the configuration that you copied and commit it.

      CSO applies the pre-script and the stage-1 configuration (which includes the device configuration). The status of the site changes to MANAGED on the Site Management page.

    If you selected Security Services while adding the device, then CSO generates the service provisioning configuration and applies it on the device. The firewall site status changes to PROVISIONED in the Site Management page.

    If you did not select Security Services while adding the device, then the device remains in the MANAGED state until you apply the service. You can edit the site and add the service. After you add the service, CSO applies the service provisioning configuration and the device is provisioned.
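    The session below is an added example of the manual commit step and is not part of this documentation; the stage-1 configuration itself is whatever you copied from CSO and is shown only as a placeholder, and the hostname srx is also a placeholder. It uses a confirmed commit, which Junos OS rolls back automatically unless you confirm it within the stated number of minutes, so a stage-1 configuration that changes the management path of the device cannot lock you out of it.

```junos
root@srx> configure
Entering configuration mode

[edit]
root@srx# load merge terminal
[Type ^D at a new line to end input]
<paste the stage-1 configuration copied from CSO here, then press Ctrl-D>
load complete

[edit]
root@srx# show | compare

[edit]
root@srx# commit confirmed 10
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete

[edit]
root@srx# commit
commit complete
```

    Use load merge terminal when the copied text is in the hierarchical (braced) Junos format and load set terminal when it is a list of set commands. Review the output of show | compare before committing: the text came from CSO, so anything that does not look like management connectivity, the pre-script, or device settings for this site is worth questioning before it reaches the device. After the confirmed commit, check that the device still answers on its management path and that the status of the site in CSO moves to MANAGED, then issue the plain commit; if you do not, the device reverts to its previous configuration after 10 minutes.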

Note:

You can also add a standalone firewall site using the site templates. For more information, see Add Branch Sites by Using a Site Template.

Table 1: Fields on the Add Branch Site Page (Standalone Firewall)

Field

Description

General

Site Information

 

Site Name

Enter a unique name for the firewall site. You can use alphanumeric characters and hyphens (-); the maximum length is 32 characters.

Device Host Name

The device host name is auto-generated in the format tenant-name.host-name. You cannot change the tenant-name part of the device host name. For the host-name part, use alphanumeric characters and hyphens (-); the maximum length is 32 characters.

Site Group

Select a site group to which you want to assign the site.

Site Capabilities

Select Security Services, because you are adding an NGFW site. Device Management is selected by default.

   

Address and Contact Information

 

Street Address

Enter the street address of the site.

City

Enter the name of the city where the site is located.

State/Province

Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.

Country

Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The address verification successful message is displayed if the address can be verified. You can click the View location on the map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.

Email

Enter the e-mail address of the contact person for the site.

Phone

Enter the phone number of the contact person for the site.

Advanced Configuration

 

Domain Name Server (DNS)

Enter the IPv4 addresses of one or more DNS servers. To enter more than one address, type an address, press Enter, and then type the next address. DNS servers are used to resolve hostnames to IP addresses.

NTP Server

Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers, for example ntp.example.net. The site must have DNS reachability to resolve an FQDN during site configuration.

Select Timezone

Select the time zone for the site.

Device

Device Redundancy

Disabled by default. Enable this option only for dual CPEs.

Device Series

SRX is displayed by default.

Device Model

Select the device model.

Device Root Password

The default root password is taken from the ENC_ROOT_PASSWORD field of the device template. You can retain it or replace it by entering a new password in plain text; the password is stored on the device in encrypted form (as a Junos OS password hash). Because the template default is shared by every device deployed from that template, set a device-specific password here unless you intend all of those devices to share one root password.

Serial Number

Enter the serial number of the firewall device. Note that the serial numbers are case-sensitive.

If you do not enter the serial number, the branch site is created but the CPE device is not activated. See Step 5 for more information.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

Note:

By default, this button is disabled for vSRX Virtual Firewall. You can enable it if the Junos OS version running on the vSRX Virtual Firewall supports the phone-home client.

To use ZTP, ensure the following:

  • The device must have connectivity to CSO and to the Juniper phone-home server (https://redirect.juniper.net) on TCP port 443.

    Use telnet to verify connectivity. From the Junos OS CLI on the device:

    telnet redirect.juniper.net port 443

    telnet <CSO hostname or IP address> port 443

    From a Linux or macOS workstation on the same network, the equivalent commands are telnet redirect.juniper.net 443 and telnet <CSO hostname or IP address> 443.

    If the connection is established, the device has TCP connectivity to the phone-home server and CSO. This proves only that the TCP path is open; it does not show that the device trusts the TLS certificates those endpoints present, which is the next requirement.

  • The certificates required to trust the phone-home server and CSO must be present on the device.
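As an added example that is not part of this documentation, the following POSIX shell script extends the telnet check above. A telnet that connects proves only a TCP path; the second requirement, that the certificates of the phone-home server and CSO are trusted, can be approximated from a workstation on the same network segment by completing a TLS handshake with openssl and asking it to verify the chain against the local trust store. The openssl command-line tool is assumed to be installed, and the CSO hostname cso.example.net in the usage line is a placeholder for your own.

```shell
#!/bin/sh
# Added example, not part of the CSO documentation: ZTP pre-flight check.
# For each host given on the command line, confirm a TCP+TLS connection on
# port 443 and that the presented certificate chain verifies against this
# machine's trust store. Requires the openssl command-line tool (assumption).

# check_tls HOST PORT
# Return codes:
#   0  TLS handshake completed and the certificate chain verified
#   1  connected, but the chain did not verify (missing CA, interception proxy)
#   2  no TCP/TLS connection at all (routing, DNS, firewall on port 443)
check_tls() {
    host="$1"
    port="$2"
    # First pass: can we connect and complete a handshake at all? Without
    # -verify_return_error, s_client exits 0 even when verification fails, so
    # a non-zero status here means the connection itself did not happen.
    if ! openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null >/dev/null 2>&1; then
        echo "$host:$port: cannot connect"
        return 2
    fi
    # Second pass: -verify_return_error turns a verification failure into a
    # non-zero exit status, which separates "reachable" from "trusted".
    if ! openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "$host:$port: connected, but the certificate chain did not verify"
        return 1
    fi
    echo "$host:$port: connected and certificate verified"
    return 0
}

# run_checks HOST...
# Checks every host on port 443 and returns the worst individual result, so
# the script can gate an automated onboarding step on its exit status.
run_checks() {
    worst=0
    for host in "$@"; do
        rc=0
        check_tls "$host" 443 || rc=$?
        if [ "$rc" -gt "$worst" ]; then
            worst=$rc
        fi
    done
    return "$worst"
}

# Only touch the network when hosts are given on the command line, e.g.
#   sh ztp-precheck.sh redirect.juniper.net cso.example.net
if [ "$#" -gt 0 ]; then
    run_checks "$@"
    exit "$?"
fi
```

Run it as sh ztp-precheck.sh redirect.juniper.net cso.example.net; an exit status of 0 means both endpoints connected and their certificates verified. A result of 1 for a host usually points at a TLS-intercepting proxy or a missing CA certificate on the path the CPE will use; a result of 2 points at routing, DNS, or firewall rules on TCP port 443. The workstation's trust store is not the device's, so a 0 here is a necessary but not a sufficient check of the second ZTP requirement.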

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the phone-home client. During ZTP, the image on the firewall device is upgraded to the image that you select as the Boot Image.

If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged or preconfigured, provide the details under the Management Connectivity section so that CSO can generate the management configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device already has connectivity to CSO.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task on the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Auto Activate

Click the toggle button to enable or disable automatic activation of the device. This option is enabled by default.

If you disable automatic activation, see the Activate a Device topic for how to manually activate the CPE.

Activation Code

If automatic activation of the device is disabled, enter the activation code that the user activating the device must supply later. The activation code is set by the administrator who adds the site; share it with the activating user out of band, because it is what authorizes binding the CPE to this site.

Management Interface Family

Select the IP address type (IPv4 or IPv6) for the management interface. This field is displayed only if you have enabled Zero Touch Provisioning.

Boot Image

When the Zero Touch Provisioning field is enabled, select the boot image from the drop-down list to upgrade the image on the firewall device to a version that supports the phone-home client.

The boot image is a device image that was previously uploaded to the image management system. It is used to upgrade the device when CSO starts the ZTP process. If no boot image is provided, the device skips the automatic upgrade. The list of boot images is populated based on the device template that you selected while creating the site.

By default, the Use Image on Device option is selected.

Device Information

Secure Log Source Interface

Select the port that you want to configure as the management interface and connect it to the management device. You can configure any of the ge-0/0/x ports, where x ranges from 0 to 14, as an in-band management interface.

Firewall Policies

This field is displayed only if you enable Zero Touch Provisioning. Select the firewall policy that you want to deploy to the standalone firewall site. The firewall policy list is populated from the Configuration > Firewall > Firewall Policy page.

Default: Factory_Default_Fw_Policy

NAT Policies

This field is displayed only if you enable Zero Touch Provisioning. Select the NAT policy that you want to deploy to the standalone firewall site. The NAT policy list is populated from the Configuration > NAT > NAT Policies page.

Default: Factory_Default_NAT_Policy

Import Policy Configuration

This field is displayed only if you disable Zero Touch Provisioning.

By default, this option is disabled. Click the toggle button to automatically import the firewall policies and NAT policies from the NGFW device into CSO.

The following are the firewall and NAT configurations that are imported for this site:

Firewall rules (zone rules):

  • Address objects (address group or address object)

  • Service objects (custom service)

  • Custom L7 applications or application groups

  • SSL/Content Security profiles and schedulers

  • Users (UserFW)

NAT rules (Source/Destination/Static):

  • NAT pools

Management Connectivity

Note:

This section is displayed only if you disable Zero Touch Provisioning.

Address Family

Select the IP address type (IPv4 or IPv6).

Interface Name

Enter the management interface.

Access Type

Select the access type for the underlay link. The LTE, ADSL, and VDSL access types are supported only on Internet links, and you cannot combine them on the same WAN link.

Address assignment

By default, DHCP is selected. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

PPPoE

Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

Configuration Templates (Optional)

Configuration Templates List

(Optional) Select one or more configuration templates from the list. This list is filtered based on the device that you select.

Configuration templates are stage-2 templates that are added by your OpCo administrators, SP administrators, or tenant administrators.

To set the parameters for the selected configuration templates:

  1. After you select one or more configuration templates, click Set Parameters.

    The Device Configurations page appears. This page consists of two tabs—CONFIGURATION and SUMMARY.

  2. In the CONFIGURATION tab, fill in the attributes for each of the configuration templates.

    (Optional) View the CLI commands in the Summary tab.

  3. Click Save.

    You have added, and set the parameters for, the configuration templates that are applied to the site you are adding.