CSO SD-WAN Deployment Workflow

CSO makes use of advanced features of the devices used in SD-WAN deployments. In order to use features such as link-switching based on application identification, or remote access IPsec VPNs on vSRX Series devices, you must purchase the required licenses. However, the underlay and overlay networks, and thus SD-WAN connectivity can be established without special licensing.

Starting in Release 6.0.0, CSO supports the following SD-WAN service types for a site:

Secure SD-WAN Essentials—Provides the basic SD-WAN services. This service is ideal for small enterprises, looking for simplified management of their network and comprehensive NGFW security services at the branch sites. The SD-WAN Essentials service allows Internet traffic to breakout locally, and thus avoids the need to backhaul web traffic over costly VPN or MPLS links. This service supports features such as intent-based firewall policies, WAN link management and control, CSO-controlled routing between sites connected through the static VPN, and site to site communication through MPLS or internet links. A tenant with the SD-WAN Essentials service level can create only SD-WAN Essentials sites.

Note:
You can upgrade the SD-WAN service level of a tenant from SD-WAN Essentials to SD-WAN Advanced by editing the tenant information from the CSO Administration portal, provided that you have purchased the corresponding license.
Secure SD-WAN Advanced—Provides the complete SD-WAN service. This service is ideal for enterprises with one or more data centers, requiring flexible topologies and dynamic application steering. You can establish site-to-site connectivity by using a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels. Enterprise wide intent based SD-WAN policies and service-level agreement (SLA) measurements allow to differentiate and dynamically route traffic for different applications.

Note:
SD-WAN sites on CSO Release 5.4 or earlier versions are treated as SD-WAN Advanced sites. You cannot downgrade the SD-WAN service level of a tenant from SD-WAN Advanced to SD-WAN Essentials.

Note:

Ensure that the pre-deployment tasks related to SD-WAN are carried out before you follow the procedure outlined in this topic. See Pre-Deployment Tasks for CSO SD-WAN and Next-Generation Firewall.

The following tasks for configuring SD-WAN must be performed in the tenant scope in Customer Portal.

If you are a Tenant Administrator, log in to Customer Portal. If you are an SP Administrator (CSO on-premises) or OpCo Administrator (with appropriate permissions), switch scope to the tenant. See Switch Scope or Log in as Tenant Administrator.
Although the following optional tasks can be available in Customer Portal, these tasks are typically not performed in the tenant scope:
- (Optional) Customize configuration templates. See Configuration Templates Workflow.
- (Optional) Customize device templates. See Device Templates Workflow.
- (Optional) Upload the latest software images to CSO. See Device Images Workflow.
For SD-WAN Advanced service, you can add one or more provider hub sites, one or more enterprise hub sites, or a combination of provider hub sites and enterprise hub sites. For SD-WAN Essentials service, you can add only one provider hub site, one enterprise hub site, or a combination of one provider hub site and one enterprise hub site (SD-WAN Essentials service does not support multihoming):
1. Add provider hub sites. See Add Provider Hub Sites.
2. Add enterprise hub sites. See Add Enterprise Hub Sites.
  Starting in CSO Release 6.0.0, the ZTP process is simplified to separate the device and service provisioning processes for faster deployment. You can add a site without applying a service and then edit the site to add the SD-WAN service later. See Add Branch or Enterprise Hub Sites Without Provisioning a Service.
  
  Note:
  Starting in CSO Release 6.0.0, adding a hub site is optional for an SD-WAN deployment scenario.
If you added enterprise hub sites, perform post-processing tasks for the enterprise hub sites. See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.
Add one or more SD-WAN branch sites. See Add SD-WAN Branch Sites. To add a site without applying a SD-WAN service, see Add Branch or Enterprise Hub Sites Without Provisioning a Service.
Perform post-processing tasks for the SD-WAN branch sites. See Post-Provisioning Tasks for Enterprise Hub and SD-WAN Spoke Sites.
(Optional) Configure a cloud spoke site. See Adding Cloud Spoke Sites for SD-WAN Deployment and Provisioning a Cloud Spoke Site in AWS VPC in the CSO Administration Portal User Guide (available on the CSO Documentation page).
Monitor SD-WAN sites and devices. See Monitor SD-WAN Sites and Devices.